Juniper is introducing new predefined IDP policy templates as a guide for designing efficient policies that improve coverage. The new templates, Client-Protection, Server-Protection, and Client-And-Server-Protection, are added alongside the existing templates.
Each new template comes in two platform-specific versions: a one-gigabyte (1 GB) version and a two-gigabyte (2 GB) version. The one-gigabyte versions, labeled with the suffix -1G, should only be used on branch platforms that are limited to one gigabyte of memory. If a one-gigabyte branch SRX platform loads a template that is not labeled -1G, it might experience policy compilation errors due to limited memory, or limited coverage. If a two-gigabyte platform loads anything other than a two-gigabyte policy, it will have limited coverage. The high-end SRX platforms (SRX 1400 - 5800) can load any policy regardless of Routing Engine memory, because Routing Engine memory and Packet Forwarding Engine memory are not shared on those platforms.
Previous list of policy templates, as shown from the CLI:
root@R1# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Web_Server
Updated list of policy templates, as shown from the CLI:
root@R1# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server
Description of the new policy templates:

| Template | Description |
|---|---|
| Client-And-Server-Protection | Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory. |
| Client-And-Server-Protection-1G | Designed to protect both clients and servers. To be used on all devices, including branch devices with reduced memory. |
| Client-Protection | Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory. |
| Client-Protection-1G | Designed to protect clients. To be used on all devices, including branch devices with reduced memory. |
| Server-Protection | Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory. |
| Server-Protection-1G | Designed to protect servers. To be used on all devices, including branch devices with reduced memory. |
We recommend using the new policy templates as a guideline for creating policies. Ideally, copy the template and use the copy as the active policy. This lets you modify the policy freely and avoids future issues caused by changes to the policy templates themselves when the attack database is updated.
Delete or deactivate the commit script file. Removing the commit script avoids the risk of the template being regenerated over your modifications when you commit the configuration. Run one of the following commands:
user@host# delete system scripts commit file templates.xsl
user@host# deactivate system scripts commit file templates.xsl
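The full workflow, copying a template, detaching the commit script, and activating the copy, as one Junos configuration-mode session. This is an added example, not text from the original KB article; it assumes a 1 GB branch SRX (hence the -1G template) and uses the constructed policy name MyCo-Client-Protection, and it relies on the Junos configuration-mode copy command (copy existing-statement to new-statement) to duplicate the template in place.

```junos
## Added example: copy Client-Protection-1G into a locally owned policy and activate it.
## Assumes a 1 GB branch SRX; MyCo-Client-Protection is a constructed name.

[edit]
user@host# edit security idp

## Duplicate the predefined template under a new identifier so later template
## updates do not overwrite local changes.
[edit security idp]
user@host# copy idp-policy Client-Protection-1G to MyCo-Client-Protection

## Return to the top of the hierarchy before touching system scripts.
user@host# top

## Detach the template commit script (deactivate keeps it in the config for rollback).
[edit]
user@host# deactivate system scripts commit file templates.xsl

## Point IDP at the copy rather than at the template itself.
user@host# set security idp active-policy MyCo-Client-Protection

## Review what will be committed, then commit.
user@host# show | compare
user@host# commit

## After the commit completes, confirm the running policy name from operational mode.
user@host# run show security idp status
```

Compiling the policy on a memory-constrained branch platform can take several minutes after the commit; verify the policy actually finished loading before assuming IDP coverage is in place. Note also that setting the active policy only selects the ruleset: traffic is inspected only for the security policies that invoke IDP as an application service.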
For instructions for copying a template, see: KB28005 - [SRX/IDP] How to copy or change recommended policy.
For instructions for installing templates, see: Downloading and Using Predefined IDP Policy Templates (CLI Procedure).
Additional information on the policy template changes and how they will affect NSM and Space can be found in the following Technical Bulletin link:
TSB16412 - Juniper updated built-in IDP policy templates in attackDB update