[SRX] IDP policy change disappears after commit

Article ID: KB31859 KB Last Updated: 28 Jun 2017Version: 1.0
Summary:
This article explains why a change made to an IDP policy disappears after the configuration is committed.
Symptoms:
The customer wants to add a signature to an IDP policy, but the change disappears after commit.

For example, in the configuration below, the predefined attack group "Misc_DNS - Major" is added to the policy DMZ_Services and is present in the candidate configuration, but it is gone after the commit completes.

==================================================================
--- JUNOS 12.3X48-D45.6 built 2017-02-19 01:11:50 UTC
root@% cli
root> edit
Entering configuration mode
 
[edit]
root@SRX#edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks     

[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show 
predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];

[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show 
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];

[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# top  

[edit]
root@SRX# commit 
 
[edit]
root# commit
commit complete
 
[edit]
root#show security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks
predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
 
[edit]
root#
==================================================================
Cause:
The policy being edited (DMZ_Services) is one of the predefined IDP policy templates, which are generated by the commit script templates.xsl configured under [edit system scripts commit]. That script runs on every commit and regenerates the template policies, so any manual change made to a template policy is overwritten as soon as the configuration is committed. The customer edited the template directly without deactivating the commit script first.
Solution:
There are two ways to address this issue. Either use a custom IDP policy instead of editing the policy template, or deactivate the commit script for the template file before making the change.

1. Use a custom IDP policy instead of the policy template.

==================================================================
--- JUNOS 12.3X48-D45.6 built 2017-02-19 01:11:50 UTC
 
root@SRX> configure
Entering configuration mode

[edit]
root@SRX# show system scripts 
commit {
    file templates.xsl;
}

[edit]
root@SRX# show security idp idp-policy DMZ_Custom | display set 
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match from-zone any
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match source-address any
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match to-zone any
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match destination-address any
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match application default
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match attacks predefined-attack-groups "DNS - Critical"
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match attacks predefined-attack-groups "DNS - Major"
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 then action drop-packet
set security idp idp-policy DMZ_Custom rulebase-ips rule 2 then notification log-attacks alert

[edit]
root@SRX# set security idp idp-policy DMZ_Custom rulebase-ips rule 2 match attacks predefined-attack-groups "Misc_DNS - Major"     

[edit]
root@SRX# show security idp idp-policy DMZ_Custom rulebase-ips rule 2 match attacks      
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];

[edit]
root@SRX# commit 
commit complete

[edit]
root@SRX# show security idp idp-policy DMZ_Custom rulebase-ips rule 2 match attacks   
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];

==================================================================
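The copy-and-activate workflow that solution 1 relies on, written out as an added example; it is not a transcript from the original article. It assumes the template policy DMZ_Services and the commit script templates.xsl shown above, and the copy name DMZ_Services_Copy is hypothetical. The configuration-mode copy command duplicates a configuration subtree under a new name, show | compare confirms that only the copy is touched before anything is committed, and show security idp status reports which policy is active afterwards.

```junos
## Added example, not from the original KB article. DMZ_Services and
## templates.xsl come from the transcripts above; DMZ_Services_Copy is a
## hypothetical name chosen for this example.

## 1. Confirm that the template commit script is installed. If it is, every
##    policy it generates (DMZ_Services among them) is rewritten on each
##    commit, so the template itself must not be edited.
root@SRX> show configuration system scripts commit
file templates.xsl;

## 2. Copy the template into a policy the script does not own.
root@SRX> configure
root@SRX# copy security idp idp-policy DMZ_Services to DMZ_Services_Copy

## 3. Make the change on the copy only, never on DMZ_Services.
root@SRX# set security idp idp-policy DMZ_Services_Copy rulebase-ips rule 2 match attacks predefined-attack-groups "Misc_DNS - Major"

## 4. Point the IDP engine at the copy. On this release (12.3X48) the active
##    IDP policy is selected globally; the template stays in the config but
##    is no longer the one enforcing traffic.
root@SRX# set security idp active-policy DMZ_Services_Copy

## 5. Review the candidate diff before committing. Only DMZ_Services_Copy
##    and active-policy should appear as additions; if DMZ_Services shows
##    up, the change went to the template and will be lost on commit.
root@SRX# show | compare

## 6. Commit, then verify both that the attack group survived and that the
##    copy is the policy actually loaded.
root@SRX# commit
root@SRX# show security idp idp-policy DMZ_Services_Copy rulebase-ips rule 2 match attacks
root@SRX# run show security idp status
```

Because the copy is not listed in templates.xsl, later runs of the script (or a fresh security-package download that refreshes the templates) leave it alone; the trade-off is that template updates no longer flow into the copy automatically, so the copy has to be reviewed against the refreshed template when the signature package is updated. On later Junos releases the IDP policy is attached per security policy rather than through a global active-policy, so step 4 differs there.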

2. Deactivate the commit script before making the change.

==================================================================
--- JUNOS 12.3X48-D45.6 built 2017-02-19 01:11:50 UTC
 
root@SRX> configure
Entering configuration mode
 
[edit]
root@SRX# set system scripts commit file templates.xsl
 
[edit]
root@SRX# commit
commit complete
 
[edit]
root@SRX# deactivate system scripts
 
[edit]
root@SRX# commit
commit complete
 
[edit]
root@SRX# ...olicy DMZ_Services rulebase-ips rule 2 match attacks
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show
predefined-attack-groups [ "DNS - Critical" "DNS - Major" ];
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# set predefined-attack-groups "Misc_DNS - Major"
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# top
 
[edit]
root@SRX# commit
commit complete
 
[edit]
root@SRX# edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# show
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];
 
[edit security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks]
root@SRX# top

[edit]
root@SRX# commit
commit complete
 
[edit]
root@SRX# show security idp idp-policy DMZ_Services rulebase-ips rule 2 match attacks
predefined-attack-groups [ "DNS - Critical" "DNS - Major" "Misc_DNS - Major" ];

==================================================================

Note:

We recommend using the predefined policy templates as a guideline for creating policies. Ideally a template should be copied and the copy used as the active policy. This allows changes to be made to the policy and avoids future issues when the templates themselves change.

Alternatively, delete or deactivate the commit script. With the script removed or deactivated, committing the configuration can no longer overwrite modifications made to a template. Run one of the following commands:

user@host# delete system scripts commit file templates.xsl
user@host# deactivate system scripts commit file templates.xsl
