Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Includes video] SRX Getting Started - Quick Setup Guide for Configuring IDP on a SRX or J-Series device



Article ID: KB16489 KB Last Updated: 08 Jan 2016Version: 6.0

This article provides a video and text instructions for configuring IDP on a SRX device.

For other topics, go to the SRX Getting Started main page.

  1. Install IDP license
  2. Download and install the IDP Signature Database
  3. Configure IDP Policy
  4. Enable a security policy for IDP inspection


Go to the KBTV video or text instructions below:

Video format:

Text format:

The basic configuration of IDP involves the following four tasks:

I.  Install IDP license

The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.

Please refer to KB16675 details on obtaining and installing an IDP license for your SRX device.

II.  Download and install the Signature Database

After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps: 
  1. Confirm the device has the necessary configuration for connectivity to the Internet.

  2. Check the version of the signature database in the sigdb server.  Look for 'Successfully retrieved' . In this example, the version in the server is 1577.

    root> request security idp security-package download check-server
    Successfully retrieved from(
    Version info:1577(Detector=10.2.160091104, Templates=2)

  3. Download the signature database:

    root> request security idp security-package download

  4. Verify the progress of the download:               

    root> request security idp security-package download status
    root> request security idp security-package download status
    In progress:downloading file ...platforms.xml.gz

    root> request security idp security-package download status
    Done;Successfully downloaded from(
    Version info:1586(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)

    Important:  When 'Successfully downloaded' is reported, proceed to the next step. If it is not successfully downloaded, the install will fail.

  5. Install the signature DB by running the command:

    root> request security idp security-package install  

    This command loads the security package into the IDPD embedded DB. If there is an existing running policy it re-compiles the existing running policy and pushes the compiled policy to the data plane. Therefore, the install might take a while depending on the platform and the size of the policy. Lower end Branch platforms might take a longer time for install.

  6. Monitor the status of the install with the command:

    root> request security idp security-package install status

    Done;Attack DB update : successful - [UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : successful

    The 'UpdateNumber' field shows the version updated, the date when the signature db was released, and the detector version

  7. Verify the version of the sigdb installed:

    root> show security idp security-package-version
    Attack database version:1577(Tue Jan 5 13:27:18 2010)
    Detector version :10.2.160091104
    Policy template version :2

III.  Configure Recommended Policy as the IDP Policy

Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies.  For getting started, it is recommended to use the predefined policy named 'Recommended':
  1. Load the predefined templates, and select the Recommended template as the Active IDP policy.  Refer to KB16490 for step by step instructions.

  2. Verify that the Active IDP Policy is 'Recommended'.  The Policy Name in the output below refers to the Active IDP Policy.
    root> show security idp status

    Session Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
      Policy Name : Recommended v0
    Running Detector Version : 10.2.160091104

  3. Perform the instructions below in the next section: 'IV.  Enable a Security Policy for IDP inspection'.

IV.  Enable a Security Policy for IDP inspection

Once the IDP Policy is configured, IDP needs to be enabled on a security policy so that IDP inspection is performed.  This is done by permitting application-services while configuring a security policy.
For example, the following command forwards all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:           
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp

Once this is configured and traffic is flowing through the SRX, IDP inspection should be occurring. To verify, enter the command

root>show security idp status

The command output should show that the counters are non zero, verifying that the IDP engine is seeing traffic.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search