[SRX] How to completely shutdown IDP on an SRX device

[KB25057]


Summary:

Administrators may need to shut down IDP but be unsure how to do so completely. This article demonstrates how to shut down IDP so that the IDPD process is no longer running and IDP is disabled everywhere in the configuration.

Solution:
The administrator can verify whether the IDPD process is running with the show system processes | match idpd command:
root@srx3400-172.22.151.112> show system processes | match idpd
1234 ?? S 0:47.20 /usr/sbin/idpd -N

Also, to see whether traffic is being forwarded to the IDPD process, check the traffic counters reported by IDPD with the show security idp status command:

root> show security idp status
State of IDP: Default, Up since: 2014-10-29 02:53:54 UTC (2w6d 23:08 ago)

Packets/second: 69 Peak: 802 @ 2014-11-18 03:22:19 UTC
KBits/second : 455 Peak: 6057 @ 2014-11-18 03:22:19 UTC

Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
[ICMP: 0] [TCP: 149628] [UDP: 0] [Other: 0]

Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]
TCP: [Current: 0] [Max: 44 @ 2014-11-18 02:56:15 UTC]
UDP: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]
Other: [Current: 0] [Max: 0 @ 2014-11-06 23:09:05 UTC]

Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : Server-Protection
Running Detector Version : 12.6.160140822

The packet and flow statistics, together with the loaded policy name (Server-Protection), show that the IDP process is being handed traffic by the SRX configuration.
The IDP configuration can either be deleted or deactivated. To delete the IDP configuration, first back up the configuration, then go to edit mode and issue the following command:
delete security idp
To disable it in the configuration, without deleting, issue the following command:
deactivate security idp
Then remove the IDP reference from the relevant firewall rule(s). For example, find the policies that hand traffic to IDP and delete the application-services idp action from each:
show configuration | display set | match "application-services idp"
set security policies from-zone MGMT to-zone trust policy mgmttotrust then permit application-services idp

[edit security policies from-zone MGMT to-zone trust policy mgmttotrust]
delete then permit application-services idp
This prevents any IDP policy from being loaded and any data from being forwarded to the IDPD process. If the administrator also wants to stop the IDPD process itself, use the set system processes idp-policy disable command. After making the desired configuration changes, use the commit command to apply them.

root# set system processes idp-policy disable

[edit]
root# show | compare
[edit system]
+ processes {
+ idp-policy disable;
+ }

[edit]
root# commit

Confirm that the IDPD process is no longer running with the show system processes | match idpd command (no output means the process is gone):

root> show system processes | match idpd
root>

To re-enable the IDPD process, use the delete system processes idp-policy disable command. To re-enable the IDP configuration, either load the backed-up configuration (if it was deleted) or issue activate security idp (if it was deactivated). Also edit the firewall policy and add then permit application-services idp again.
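An added audit script (not part of the KB article) that checks the steps above against a saved copy of show configuration | display set and the idpd process listing, reporting which shutdown steps are still outstanding. The configuration and process output below are constructed samples; the function audit_idp is the author's own name for this check.

```python
import re

# Constructed sample set-format config: IDP is deactivated, but one policy
# still references application-services idp and idp-policy disable is not set.
SAMPLE_CONFIG = """\
set system host-name srx3400
set security idp idp-policy Server-Protection rulebase-ips rule r1 match attacks predefined-attack-groups "Critical - All"
deactivate security idp
set security policies from-zone MGMT to-zone trust policy mgmttotrust match source-address any
set security policies from-zone MGMT to-zone trust policy mgmttotrust then permit application-services idp
set security policies from-zone trust to-zone untrust policy out then permit
"""

# Constructed sample output of 'show system processes | match idpd'.
SAMPLE_PS = "1234 ?? S 0:47.20 /usr/sbin/idpd -N\n"


def audit_idp(config_set: str, ps_output: str) -> dict:
    """Return which IDP shutdown steps from the KB are still outstanding."""
    lines = [l.strip() for l in config_set.splitlines() if l.strip()]
    idp_config = [l for l in lines if l.startswith("set security idp ")]
    # 'display set' emits a 'deactivate' line for an inactive hierarchy.
    idp_deactivated = "deactivate security idp" in lines
    # Policies that still hand traffic to idpd via 'application-services idp'.
    policy_refs = [l for l in lines
                   if l.startswith("set security policies ")
                   and re.search(r"\bapplication-services idp\b", l)]
    process_disabled = "set system processes idp-policy disable" in lines
    idpd_running = any("/usr/sbin/idpd" in l for l in ps_output.splitlines())
    return {
        "idp_config_present": bool(idp_config) and not idp_deactivated,
        "policies_referencing_idp": policy_refs,
        "idp_policy_disable_set": process_disabled,
        "idpd_running": idpd_running,
        "fully_shut_down": (not idp_config or idp_deactivated)
                           and not policy_refs and process_disabled
                           and not idpd_running,
    }


if __name__ == "__main__":
    for key, value in audit_idp(SAMPLE_CONFIG, SAMPLE_PS).items():
        print(f"{key}: {value}")
```

Feed it the real output captured from the device (for example via an SSH session or a saved file) after each step to confirm nothing was missed.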


If you want to completely remove IDP and its signature files from the device, the IDP-related files are located in the following directories and can be removed from the shell:

root@juniper% rm -rf /cf/var/db/idpd/db/*
root@juniper% rm -rf /cf/var/db/idpd/sec-download/*
root@juniper% rm -rf /cf/var/db/idpd/nsm-download/*
root@juniper% rm -rf /cf/var/db/idpd/sec-repository/*

Note that after removing these files, re-enabling IDP involves starting from scratch. Use KB23424 - Resolution Guide - SRX - Troubleshooting IDP as a starting point.

Modification History:
2019-08-03: Added additional information on removing IDP from the SRX device.