[SRX] How to completely shutdown IDP on an SRX device

Article ID: KB25057   KB Last Updated: 03 Aug 2019   Version: 6.0
Summary:

Administrators may need to shut down IDP and be unsure exactly how to do so. This article demonstrates how to shut down IDP so that the IDPD process is not running and IDP is disabled everywhere in the configuration.

Solution:
The administrator can verify if the IDPD process is running via the show system processes | match idpd command:
root@srx3400-172.22.151.112> show system processes | match idpd
1234 ?? S 0:47.20 /usr/sbin/idpd -N

Also, to see if traffic is being forwarded to the IDPD process, check the traffic being seen by IDPD via the "show security idp status" command:


root> show security idp status
State of IDP: Default, Up since: 2014-10-29 02:53:54 UTC (2w6d 23:08 ago)

Packets/second: 69 Peak: 802 @ 2014-11-18 03:22:19 UTC
KBits/second : 455 Peak: 6057 @ 2014-11-18 03:22:19 UTC

Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
[ICMP: 0] [TCP: 149628] [UDP: 0] [Other: 0]

Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]
TCP: [Current: 0] [Max: 44 @ 2014-11-18 02:56:15 UTC]
UDP: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]
Other: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]

Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : Server-Protection
Running Detector Version : 12.6.160140822

The non-zero traffic counters in this output (for example, Packets/second and the TCP packet count) show that the IDP process is being handed traffic by the SRX configuration.
The IDP configuration can be deleted or de-activated. To delete the IDP configuration, after backing up the configuration, go to edit mode, and then issue the following command:
delete security idp
To disable it in the configuration, without deleting, issue the following command:
deactivate security idp
Then remove the IDP configuration from the proper firewall rule(s). For example:
show configuration | display set | match "application-services idp"
set security policies from-zone MGMT to-zone trust policy mgmttotrust then permit application-services idp

[edit security policies from-zone MGMT to-zone trust policy mgmttotrust]
delete then permit application-services idp
This will prevent any IDP policy from being loaded and any data from being forwarded to the IDPD process. If the administrator wants to also kill the IDPD process, use the set system processes idp-policy disable command. After the desired configuration change, use the commit command to apply the changes.

root# set system processes idp-policy disable

[edit]
root# show | compare
[edit system]
+ processes {
+ idp-policy disable;
+ }

[edit]
root# commit

Confirm that the IDPD process is no longer running with the show system processes | match idpd command.

root> show system processes | match idpd
root>

To re-enable the IDPD process, use the delete system processes idp-policy disable command. To enable the IDP configuration, either load the backed-up configuration (if it was deleted) or activate security idp. Also, edit the firewall policy and add then permit application-services idp.
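
The following added example, which is not part of the original article or of Juniper's tooling, checks saved show configuration | display set output against the shutdown steps above and lists the configuration commands that are still outstanding. The sample configuration is constructed, audit_idp is a hypothetical helper name, and the script assumes a deactivated hierarchy appears as a "deactivate security idp" line and that policies use the form shown in this article.

```python
import re

# Constructed sample of `show configuration | display set` output (not from a real device).
SAMPLE = """\
set system host-name srx-lab
set security idp active-policy Server-Protection
deactivate security idp
set security policies from-zone MGMT to-zone trust policy mgmttotrust match application any
set security policies from-zone MGMT to-zone trust policy mgmttotrust then permit application-services idp
set security policies from-zone untrust to-zone trust policy web then permit
"""

# A security policy that still hands traffic to IDP, in the form shown in the article.
POLICY_REF = re.compile(
    r"^set (security policies .+ policy \S+ then permit application-services idp)$")


def audit_idp(display_set_text):
    """Report which of the article's shutdown steps are still outstanding."""
    lines = [ln.strip() for ln in display_set_text.splitlines() if ln.strip()]
    configured = any(ln.startswith("set security idp ") for ln in lines)
    # Assumption: an inactive hierarchy is listed as a "deactivate ..." line.
    deactivated = "deactivate security idp" in lines
    process_disabled = "set system processes idp-policy disable" in lines
    refs = [m.group(1) for m in map(POLICY_REF.match, lines) if m]

    remaining = []
    if configured and not deactivated:
        remaining.append("deactivate security idp")
    # Full-path form of "delete then permit application-services idp".
    remaining += ["delete " + ref for ref in refs]
    if not process_disabled:
        remaining.append("set system processes idp-policy disable")
    return {
        "idp_config_active": configured and not deactivated,
        "policy_refs": refs,
        "idpd_disabled": process_disabled,
        "remaining": remaining,
    }


if __name__ == "__main__":
    for cmd in audit_idp(SAMPLE)["remaining"]:
        print(cmd)
```

An empty "remaining" list means the saved configuration matches the shutdown state described here; the running process should still be confirmed on the device with show system processes | match idpd.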


To completely remove the IDP signature files from the device, delete the IDP-related files from the following locations:

root@juniper% rm -rf /cf/var/db/idpd/db/*
root@juniper% rm -rf /cf/var/db/idpd/sec-download/*
root@juniper% rm -rf /cf/var/db/idpd/nsm-download/*
root@juniper% rm -rf /cf/var/db/idpd/sec-repository/*

Note that after removing these files, re-enabling IDP involves starting from scratch. Use KB23424 - Resolution Guide - SRX - Troubleshooting IDP as a starting point.

Modification History:
2019-08-03: Added additional information on removing IDP from the SRX device.