How to enable IDP services in MX routers using MX/MSDPC card

Article ID: KB27227    KB Last Updated: 30 Apr 2013    Version: 1.0
Summary:
This article describes how to configure IDP services on MX Series routers using the MS-DPC card.
The procedure in this article was verified using release 11.4R1.14 and other 11.4 releases.

Symptoms:
The IDP feature on the MX router is not enabled, failed to start, or is not configured.

Cause:

Solution:

On MX routers, the IDP feature is enabled by default; no license is required.

Before we start configuring the IDP services, we need to download the IDP signature database from the Netscreen server.

The signature database is one of the major components of Intrusion Detection and
Prevention (IDP). It contains definitions of different objects—such as attack objects,
application signatures objects, and service objects—that are used in defining IDP policy
rules.

1. Download the security package:
lab> request security idp security-package download full-update re0

By default, this command tries to download the delta set attack signature table. It also downloads IDP, IPS, and application package signatures.

2. To request status for a package download:
user@host> request security idp security-package download status
--------------------------------------------------------------------------
Done;Successfully downloaded
from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2014(Thu Oct 20 12:07:01 2011, Detector=11.6.140110920)

3. Once the package is downloaded, install it with the command below:
lab> request security idp security-package install re0
re0:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI

4. To request status on a package installation:
user@host> request security idp security-package install status
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=1152,ExportDate=Thu Apr 24
14:37:44 2008]
Updating data-plane with new attack or detector : not performed
due to no existing active policy found.

5. To display the currently installed security package version and detector version:
lab> show security idp security-package-version                  
re0:
--------------------------------------------------------------------------

  Attack database version:2249(Wed Mar 27 18:26:00 2013 UTC)
  Detector version :12.6.150121210
  Policy template version :N/A
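
The status checks in steps 2 and 4 can be scripted. The Python below is an added example, not part of the original article or of Juniper's tooling; it parses the status text shown above (embedded as constructed sample input) and flags the case where the attack database installs but the data plane is not updated because no policy is active. The function names are hypothetical.

```python
import re

# Constructed inputs: status text as shown in this article's sample output.
DOWNLOAD_STATUS = """\
Done;Successfully downloaded
from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2014(Thu Oct 20 12:07:01 2011, Detector=11.6.140110920)
"""
INSTALL_STATUS = """\
Done;Attack DB update : successful - [UpdateNumber=1152,ExportDate=Thu Apr 24
14:37:44 2008]
Updating data-plane with new attack or detector : not performed
due to no existing active policy found.
"""

def flat(text):
    # The CLI wraps long status lines; join them so patterns match across breaks.
    return " ".join(text.split())

def parse_download_status(text):
    s = flat(text)
    m = re.search(r"Version info:(\d+)\(.*?Detector=([\d.]+)\)", s)
    return {"ok": s.startswith("Done;Successfully downloaded"),
            "db_version": int(m.group(1)) if m else None,
            "detector": m.group(2) if m else None}

def parse_install_status(text):
    s = flat(text)
    num = re.search(r"UpdateNumber=(\d+)", s)
    dp = re.search(r"Updating data-plane with new attack or detector : (.+)$", s)
    return {"ok": s.startswith("Done;Attack DB update : successful"),
            "update_number": int(num.group(1)) if num else None,
            "data_plane": dp.group(1) if dp else None,
            "data_plane_skipped": bool(dp and dp.group(1).startswith("not performed"))}

def findings(download, install):
    """Problems worth an operator's attention; an empty list means none were flagged."""
    out = []
    if not download["ok"]:
        out.append("package download has not completed successfully")
    if not install["ok"]:
        out.append("attack DB install has not completed successfully")
    if install["data_plane_skipped"]:
        out.append("attack DB installed but data plane not updated: " + install["data_plane"])
    return out

if __name__ == "__main__":
    print(findings(parse_download_status(DOWNLOAD_STATUS), parse_install_status(INSTALL_STATUS)))
```
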

Configuration:

Below is the configuration to enable IDP services on MX routers with an MS-DPC:
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider control-cores 1
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider data-cores 7
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider object-cache-size 1280
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider policy-db-size 200
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-appid
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-idp

set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks TELNET:USER:ROOT
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups FTP
set security idp idp-policy idpengine rulebase-ips rule 1 then action drop-packet
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy idpengine rulebase-ips rule 1 then severity info

set services application-identification profile nulprofile
set services service-set appid-1 syslog host local services info
set services service-set appid-1 application-identification-profile nulprofile
set services service-set appid-1 idp-profile idpengine
set services service-set appid-1 interface-service service-interface ms-0/0/0

set interfaces ms-0/0/0 unit 0 family inet
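
The configuration above ties several names together: the service-set's idp-profile must match an idp-policy, its application-identification-profile must be defined, and its service interface must sit on the FPC/PIC that loads the jservices packages. The Python below is an added example, not from the original article or from Juniper, that cross-checks those references in set-format configuration. It assumes the article's configuration is the reference for what is required and that ms-F/P/0 corresponds to fpc F pic P; the sample input is a trimmed copy of the article's configuration with a deliberate typo ("idpengin") so the check has something to report.

```python
import re

# Constructed input: trimmed copy of this article's configuration, with a deliberate
# typo ("idpengin") in the service-set so the audit has something to report.
CONFIG = """\
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-appid
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-idp
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups FTP
set security idp idp-policy idpengine rulebase-ips rule 1 then action drop-packet
set services application-identification profile nulprofile
set services service-set appid-1 application-identification-profile nulprofile
set services service-set appid-1 idp-profile idpengin
set services service-set appid-1 interface-service service-interface ms-0/0/0
set interfaces ms-0/0/0 unit 0 family inet
"""

REQUIRED_PACKAGES = {"jservices-appid", "jservices-idp"}  # the two packages the article loads

def audit(config):
    """Cross-check name references between the chassis, security and services stanzas."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    def find(pat):
        return [m.groups() for m in (re.match(pat, l) for l in lines) if m]
    packages = {}  # (fpc, pic) -> set of extension-provider packages
    for fpc, pic, pkg in find(r"set chassis fpc (\d+) pic (\d+) adaptive-services "
                              r"service-package extension-provider package (\S+)"):
        packages.setdefault((fpc, pic), set()).add(pkg)
    policies = {p for (p,) in find(r"set security idp idp-policy (\S+) ")}
    appid_profiles = {p for (p,) in find(r"set services application-identification profile (\S+)")}
    ms_units = {i for (i,) in find(r"set interfaces (ms-\S+) unit \d+ family inet")}
    problems = []
    for sset, name in find(r"set services service-set (\S+) idp-profile (\S+)"):
        if name not in policies:
            problems.append(f"{sset}: idp-profile '{name}' is not a defined idp-policy")
    for sset, name in find(r"set services service-set (\S+) application-identification-profile (\S+)"):
        if name not in appid_profiles:
            problems.append(f"{sset}: application-identification-profile '{name}' is undefined")
    for sset, ifname in find(r"set services service-set (\S+) interface-service service-interface (\S+)"):
        fpc, pic, _port = ifname.split("-", 1)[1].split("/")
        missing = REQUIRED_PACKAGES - packages.get((fpc, pic), set())
        if missing:
            problems.append(f"{sset}: fpc {fpc} pic {pic} lacks {sorted(missing)}")
        if ifname not in ms_units:
            problems.append(f"{sset}: {ifname} has no 'unit N family inet'")
    return problems

if __name__ == "__main__":
    print("\n".join(audit(CONFIG)) or "no problems found")
```
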



Verification:

lab# run show security idp status 
State of IDP: Default,  Up since: 2013-04-02 09:07:21 UTC (20:24:39 ago)

Packets/second: 0               Peak: 0 @ 2013-04-02 09:07:21 UTC
KBits/second  : 0               Peak: 0 @ 2013-04-02 09:07:21 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
  TCP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
  UDP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
  Other: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  Policy Name : idp-policy-combined
  Running Detector Version : 12.6.150121210



[edit]
lab# run show security idp policy-commit-status 
re0:
--------------------------------------------------------------------------
 IDP policy[/var/db/idpd/bins/idp-policy-combined.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
 The loaded policy size is:366554 Bytes


lab# run show chassis hardware 
Hardware inventory:
Item             Version  Part number  Serial number     Description
Chassis                                JN11F2CFBAFC      MX240
Midplane         REV 07   760-021404   ACAB3875          MX240 Backplane
FPM Board        REV 05   760-021392   CAAA3335          Front Panel Display
PEM 0            Rev 07   740-029970   QCS1151U080       PS 1.4-2.52kW; 90-264V AC in
PEM 1            Rev 06   740-029970   QCS1111U0Y2       PS 1.4-2.52kW; 90-264V AC in
PEM 2            Rev 01   740-022697   QCS0906C041       PS 1.2-1.7kW; 100-240V AC in
PEM 3            Rev 01   740-022697   QCS0906C02Z       PS 1.2-1.7kW; 100-240V AC in
Routing Engine 0 REV 14   740-013063   9009063921        RE-S-2000
CB 0             REV 09   710-021523   YS5823            MX SCB
FPC 0            REV 19   750-024064   CAAP5717          MS-DPC           <<<< [ms-0/0/0]
  CPU            REV 09   710-013713   CAAP5251          DPC PMB
  PIC 0                   BUILTIN      BUILTIN           MS-DPC PIC
  PIC 1                   BUILTIN      BUILTIN           MS-DPC PIC
FPC 1            REV 14   750-031088   YF1396            MPC Type 2 3D Q
  CPU            REV 06   711-030884   YE6713            MPC PMB 2G 
  MIC 0          REV 26   750-028387   ZB1909            3D 4x 10GE  XFP
    PIC 0                 BUILTIN      BUILTIN           2x 10GE  XFP
    PIC 1                 BUILTIN      BUILTIN           2x 10GE  XFP
  QXM 0          REV 05   711-028408   YE5888            MPC QXM
  QXM 1          REV 05   711-028408   YE5959            MPC QXM
FPC 2            REV 22   750-031089   ZN5936            MPC Type 2 3D
  CPU            REV 06   711-030884   ZM1567            MPC PMB 2G 
  MIC 0          REV 26   750-028392   CAAM4734          3D 20x 1GE(LAN) SFP
    PIC 0                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
      Xcvr 3     REV 02   740-011613   PJH273W           SFP-SX
      Xcvr 6     REV 02   740-011613   PJH26VH           SFP-SX
      Xcvr 8     REV 01   740-031851   PM75SMZ           SFP-SX
      Xcvr 9     REV 01   740-031851   PM75VVC           SFP-SX
    PIC 1                 BUILTIN      BUILTIN           10x 1GE(LAN) SFP
      Xcvr 2     REV 02   740-011613   PJH25YT           SFP-SX
      Xcvr 3     REV 01   740-038291   C386447           SFP-T
      Xcvr 9     REV 01   740-031851   PM75WPK           SFP-SX
  MIC 1          REV 27   750-028387   CAAL0951          3D 4x 10GE  XFP
    PIC 2                 BUILTIN      BUILTIN           2x 10GE  XFP
      Xcvr 0     REV 03   740-014289   CA42BQ01C         XFP-10G-SR
    PIC 3                 BUILTIN      BUILTIN           2x 10GE  XFP
Fan Tray 0       REV 01   710-030216   CAAA8162          Enhanced Fan Tray
