
[SRX Series] Updated IDP policy templates

Article ID: KB29111    KB Last Updated: 11 Apr 2016    Version: 3.0
Summary:

Juniper is introducing new predefined IDP policy templates as a guide for designing efficient policies that improve coverage. The new templates, Client-Protection, Server-Protection, and Client-And-Server-Protection, have been added alongside the existing templates.

Symptoms:

Each of the new templates comes in two platform-specific versions: a one-gigabyte (1 GB) version and a two-gigabyte (2 GB) version. The one-gigabyte versions, labeled with a -1G suffix, should only be used on branch platforms that are limited to one gigabyte of memory. If a one-gigabyte branch SRX platform loads a template that is not labeled -1G, it might experience policy compilation errors due to limited memory, or limited coverage. If a two-gigabyte platform loads anything other than a two-gigabyte policy, it will experience limited coverage. The high-end SRX platforms (SRX1400 through SRX5800) can load any policy regardless of Routing Engine memory, because Routing Engine memory and Packet Forwarding Engine memory are not shared on those platforms.

Previous policy template versions, as listed from the CLI:

root@R1# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Web_Server

Updated policy template versions, as listed from the CLI:

root@R1# set security idp active-policy ?
Possible completions:
<active-policy> Set active policy
Client-And-Server-Protection
Client-And-Server-Protection-1G
Client-Protection
Client-Protection-1G
DMZ_Services
DNS_Service
File_Server
Getting_Started
IDP_Default
Recommended
Server-Protection
Server-Protection-1G
Web_Server

Description of the new policy templates:

Template | Description
Client-And-Server-Protection | Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory.
Client-And-Server-Protection-1G | Designed to protect both clients and servers. To be used on all devices, including branch devices with reduced memory.
Client-Protection | Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory.
Client-Protection-1G | Designed to protect clients. To be used on all devices, including branch devices with reduced memory.
Server-Protection | Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory.
Server-Protection-1G | Designed to protect servers. To be used on all devices, including branch devices with reduced memory.

Solution:

We recommend using the new policy templates as a guideline for creating policies. Ideally, copy the template and use the copy as the active policy. This lets you modify the policy while avoiding future problems caused by changes to the policy templates themselves, since a template update would otherwise overwrite or conflict with your local edits.

Delete or deactivate the templates.xsl commit script. With the commit script removed, you avoid the risk of overwriting your modifications to the template-derived policy each time you commit the configuration. Run one of the following commands in configuration mode:

user@host# delete system scripts commit file templates.xsl
user@host# deactivate system scripts commit file templates.xsl

For instructions for copying a template, see: KB28005 - [SRX/IDP] How to copy or change recommended policy.

For instructions for installing templates, see: Downloading and Using Predefined IDP Policy Templates (CLI Procedure).
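The procedure in this section written out end to end, as an added example that is not part of the original article and is not Juniper's own text: a branch SRX limited to 1 GB of memory, so the -1G template is chosen. The policy name My-Client-Protection and the host prompt are assumptions; the download/install commands come from the standard Junos IDP security-package workflow, and exact command availability can vary by Junos release.

```junos
## Added example, not from the original article. Assumes a branch SRX with
## 1 GB of memory; My-Client-Protection and the prompt are made-up names.

## 1. Refresh the attack database and the predefined templates (operational mode).
user@host> request security idp security-package download
user@host> request security idp security-package install
user@host> request security idp security-package download policy-templates
user@host> request security idp security-package install policy-templates

## 2. Stop the templates.xsl commit script from re-applying the templates on
##    every commit, which would otherwise overwrite local edits to a copied policy.
user@host> configure
user@host# deactivate system scripts commit file templates.xsl

## 3. Work from a copy of the template rather than the template itself.
##    A 1 GB branch device must use the -1G version to avoid compilation errors.
user@host# edit security idp
user@host# copy idp-policy Client-Protection-1G to My-Client-Protection
user@host# top

## 4. Make the copy the active policy and commit.
user@host# set security idp active-policy My-Client-Protection
user@host# commit

## 5. Verify that the copy is the running policy and that it compiled cleanly.
user@host> show configuration security idp active-policy
user@host> show security idp policy-commit-status
user@host> show security idp status
```

Because the active policy is now My-Client-Protection rather than Client-Protection-1G, a later template update changes only the template; your tuned copy keeps its local changes, and step 5 is the check worth repeating after any attack-database update.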

Additional information on the policy template changes and how they will affect NSM and Space can be found in the following Technical Bulletin link:
TSB16412 - Juniper updated built-in IDP policy templates in attackDB update
