This article describes how to configure IDP services on MX Series routers using the MS-DPC card.
The procedure mentioned in this article was verified using releases 11.4R1.14 and other 11.4 releases.
The MX router IDP feature is not enabled, fails to start, or is not configured.
On MX routers the IDP feature is enabled by default; no license is required.
Before configuring the IDP services, download the IDP signature database from the Netscreen server.
The signature database is one of the major components of Intrusion Detection and
Prevention (IDP). It contains definitions of different objects—such as attack objects,
application signatures objects, and service objects—that are used in defining IDP policy
rules.
1. Download the security package:
user@host> request security idp security-package download full-update re0
By default, this command tries to download the delta set attack signature table. It also downloads IDP, IPS, and application package signatures.
2. To request status for a package download:
user@host> request security idp security-package download status
--------------------------------------------------------------------------
Done;Successfully downloaded
from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:2014(Thu Oct 20 12:07:01 2011, Detector=11.6.140110920)
3. Once the package is downloaded, install it with the following command:
lab> request security idp security-package install re0
re0:
--------------------------------------------------------------------------
Will be processed in async mode. Check the status using the status checking CLI
4. To request status on a package installation:
user@host> request security idp security-package install status
--------------------------------------------------------------------------
Done;Attack DB update : successful - [UpdateNumber=1152,ExportDate=Thu Apr 24
14:37:44 2008]
Updating data-plane with new attack or detector : not performed
due to no existing active policy found.
5. To display the currently installed security package version and detector version:
lab> show security idp security-package-version
re0:
--------------------------------------------------------------------------
Attack database version:2249(Wed Mar 27 18:26:00 2013 UTC)
Detector version :12.6.150121210
Policy template version :N/A
Configuration: Below is the configuration to enable IDP services on MX routers with an MS-DPC.
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider control-cores 1
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider data-cores 7
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider object-cache-size 1280
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider policy-db-size 200
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-appid
set chassis fpc 0 pic 0 adaptive-services service-package extension-provider package jservices-idp
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks TELNET:USER:ROOT
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups FTP
set security idp idp-policy idpengine rulebase-ips rule 1 then action drop-packet
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks alert
set security idp idp-policy idpengine rulebase-ips rule 1 then severity info
set services application-identification profile nulprofile
set services service-set appid-1 syslog host local services info
set services service-set appid-1 application-identification-profile nulprofile
set services service-set appid-1 idp-profile idpengine
set services service-set appid-1 interface-service service-interface ms-0/0/0
set interfaces ms-0/0/0 unit 0 family inet
Verification:
lab# run show security idp status
State of IDP: Default, Up since: 2013-04-02 09:07:21 UTC (20:24:39 ago)
Packets/second: 0 Peak: 0 @ 2013-04-02 09:07:21 UTC
KBits/second : 0 Peak: 0 @ 2013-04-02 09:07:21 UTC
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
ICMP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
TCP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
UDP: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
Other: [Current: 0] [Max: 0 @ 2013-04-02 09:07:21 UTC]
Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : idp-policy-combined
Running Detector Version : 12.6.150121210
[edit]
lab# run show security idp policy-commit-status
re0:
--------------------------------------------------------------------------
IDP policy[/var/db/idpd/bins/idp-policy-combined.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:366554 Bytes
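The verification outputs above can be checked mechanically before relying on the IDP policy. The following added example (not part of this article or of Junos) parses constructed copies of the four outputs shown here and reports when the installed package never reached the data plane (the "not performed" case from step 4), when the installed and running detector versions differ, or when the policy did not load:

```python
import re

# Constructed sample output, copied from the outputs shown in this article.
INSTALL_STATUS = """Done;Attack DB update : successful - [UpdateNumber=1152,ExportDate=Thu Apr 24
14:37:44 2008]
Updating data-plane with new attack or detector : not performed
due to no existing active policy found."""

PACKAGE_VERSION = """Attack database version:2249(Wed Mar 27 18:26:00 2013 UTC)
Detector version :12.6.150121210
Policy template version :N/A"""

IDP_STATUS = """State of IDP: Default, Up since: 2013-04-02 09:07:21 UTC (20:24:39 ago)
Policy Name : idp-policy-combined
Running Detector Version : 12.6.150121210"""

COMMIT_STATUS = """IDP policy[/var/db/idpd/bins/idp-policy-combined.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:366554 Bytes"""


def field(text, label):
    """Return the value following 'label' (spaces allowed before the colon), or None."""
    m = re.search(re.escape(label) + r"\s*:\s*(\S+)", text)
    return m.group(1) if m else None


def check_idp_rollout(install_status, package_version, idp_status, commit_status):
    """Return a list of findings; an empty list means the package is active on the data plane."""
    findings = []
    # Step 4 output: the package installed, but no policy existed to push it to the PIC.
    if "not performed" in install_status:
        findings.append("data plane not updated: no active IDP policy at install time")
    # Step 5 output versus 'show security idp status': both must report the same detector.
    installed = field(package_version, "Detector version")
    running = field(idp_status, "Running Detector Version")
    if installed != running:
        findings.append(f"detector mismatch: installed {installed}, running {running}")
    # 'show security idp policy-commit-status' must report a successful load.
    if "loaded successfully" not in commit_status:
        findings.append("policy/detector not loaded on the service PIC")
    if "Up since" not in idp_status:
        findings.append("IDP engine is not up")
    return findings


if __name__ == "__main__":
    for f in check_idp_rollout(INSTALL_STATUS, PACKAGE_VERSION, IDP_STATUS, COMMIT_STATUS):
        print("WARNING:", f)
```

With the article's own outputs the check reports only the "not performed" install, which is cleared by committing the IDP policy and re-running the install so the data plane is updated.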
lab# run show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis JN11F2CFBAFC MX240
Midplane REV 07 760-021404 ACAB3875 MX240 Backplane
FPM Board REV 05 760-021392 CAAA3335 Front Panel Display
PEM 0 Rev 07 740-029970 QCS1151U080 PS 1.4-2.52kW; 90-264V AC in
PEM 1 Rev 06 740-029970 QCS1111U0Y2 PS 1.4-2.52kW; 90-264V AC in
PEM 2 Rev 01 740-022697 QCS0906C041 PS 1.2-1.7kW; 100-240V AC in
PEM 3 Rev 01 740-022697 QCS0906C02Z PS 1.2-1.7kW; 100-240V AC in
Routing Engine 0 REV 14 740-013063 9009063921 RE-S-2000
CB 0 REV 09 710-021523 YS5823 MX SCB
FPC 0 REV 19 750-024064 CAAP5717 MS-DPC <<<< [ms-0/0/0]
CPU REV 09 710-013713 CAAP5251 DPC PMB
PIC 0 BUILTIN BUILTIN MS-DPC PIC
PIC 1 BUILTIN BUILTIN MS-DPC PIC
FPC 1 REV 14 750-031088 YF1396 MPC Type 2 3D Q
CPU REV 06 711-030884 YE6713 MPC PMB 2G
MIC 0 REV 26 750-028387 ZB1909 3D 4x 10GE XFP
PIC 0 BUILTIN BUILTIN 2x 10GE XFP
PIC 1 BUILTIN BUILTIN 2x 10GE XFP
QXM 0 REV 05 711-028408 YE5888 MPC QXM
QXM 1 REV 05 711-028408 YE5959 MPC QXM
FPC 2 REV 22 750-031089 ZN5936 MPC Type 2 3D
CPU REV 06 711-030884 ZM1567 MPC PMB 2G
MIC 0 REV 26 750-028392 CAAM4734 3D 20x 1GE(LAN) SFP
PIC 0 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 3 REV 02 740-011613 PJH273W SFP-SX
Xcvr 6 REV 02 740-011613 PJH26VH SFP-SX
Xcvr 8 REV 01 740-031851 PM75SMZ SFP-SX
Xcvr 9 REV 01 740-031851 PM75VVC SFP-SX
PIC 1 BUILTIN BUILTIN 10x 1GE(LAN) SFP
Xcvr 2 REV 02 740-011613 PJH25YT SFP-SX
Xcvr 3 REV 01 740-038291 C386447 SFP-T
Xcvr 9 REV 01 740-031851 PM75WPK SFP-SX
MIC 1 REV 27 750-028387 CAAL0951 3D 4x 10GE XFP
PIC 2 BUILTIN BUILTIN 2x 10GE XFP
Xcvr 0 REV 03 740-014289 CA42BQ01C XFP-10G-SR
PIC 3 BUILTIN BUILTIN 2x 10GE XFP
Fan Tray 0 REV 01 710-030216 CAAA8162 Enhanced Fan Tray