
Using Predefined Policy Templates

Juniper Networks provides predefined policy templates that you can use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements. The templates are distributed in the templates.xml file on a secured Juniper Networks Web site. To start using a template, you run commands from the CLI that download this file and copy it into the /var/db/scripts/commit directory, where it is applied as a commit script.

Before You Begin

  1. For background information, read:
  2. Establish basic connectivity. For more information, see the Getting Started Guide for your device.
  3. Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.

Each policy template contains rules that use the default actions associated with the attack objects. You should customize these templates to work on your network by selecting your own source and destination addresses and choosing IDP actions that reflect your security needs.

Table 141 summarizes the predefined IDP policy templates provided by Juniper Networks.

Table 141: Predefined IDP Policy Templates

  Template Name        Description
  -------------------  ------------------------------------------------------------------
  All With Logging     Includes all attack objects and enables packet logging for all rules.
  All Without Logging  Includes all attack objects but does not enable packet logging.
  DMZ Services         Protects a typical demilitarized zone (DMZ) environment.
  DNS Server           Protects Domain Name System (DNS) services.
  File Server          Protects file sharing services, such as Network File System (NFS), FTP, and others.
  Getting Started      Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy-traffic live networks.
  IDP Default          Contains a good blend of security and performance.
  Recommended          Contains only the attack objects tagged as recommended by Juniper Networks. All rules have their Actions column set to take the recommended action for each attack object.
  Web Server           Protects HTTP servers from remote attacks.

CLI Configuration

To download and use a predefined policy template from the CLI:

  1. Download the script file templates.xml to the /var/db/idpd/sec-download/sub-download directory. This script file contains the predefined IDP policy templates.
    user@host> request security idp security-package download policy-templates
  2. Copy the templates.xml file to the /var/db/scripts/commit directory and rename it to templates.xsl.
    user@host> request security idp security-package install policy-templates
  3. Enable the templates.xsl commit script file. At commit time, the JUNOS management process (mgd) looks in the /var/db/scripts/commit directory for scripts and runs each script against the candidate configuration database to ensure the configuration conforms to the rules dictated by the scripts.
    user@host# set system scripts commit file templates.xsl
  4. Commit the configuration. Committing the configuration saves the downloaded templates to the JUNOS configuration database and makes them available in the CLI at the [edit security idp idp-policy] hierarchy level.
  5. Display the list of downloaded templates.
    user@host# set security idp active-policy ?
    Possible completions:
      <active policy>      Set active policy
      All_With_Logging
      All_Without_Logging
      DMZ_Services
      DNS_Service
      File_Server
      Getting_Started
      IDP_Default
      Recommended
      Web_Server
  6. Activate the predefined policy. The following statement specifies the Recommended predefined IDP policy as the active policy:
    user@host# set security idp active-policy Recommended
  7. Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Run one of the following commands:
    user@host# delete system scripts commit file templates.xsl
    user@host# deactivate system scripts commit file templates.xsl
  8. If you are finished configuring the device, commit the configuration.
  9. Verify the configuration with the show security idp status command, which reports the name of the active policy. For more information, see the JUNOS Software CLI Reference.
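The whole procedure as a single CLI session, extended with the customization that the introduction recommends: instead of activating the template as delivered, the session copies it to a policy of its own, scopes a rule to local addresses and a chosen action, and retires the commit script before the commit that carries those edits, so the script cannot regenerate over them. This is an added example, not text from the original page. The policy name Recommended-Custom, the zones untrust and dmz, the address-book entry web-servers (10.1.1.0/24), the rule name web-dmz and the attack group name "HTTP - Critical" are assumptions; the attack group in particular is a placeholder that must be replaced with a group present in the installed signature database. The copy command is the generic Junos configuration-mode copy of an existing statement.

```junos
## Operational mode: fetch and install the templates (steps 1 and 2 above).
user@host> request security idp security-package download policy-templates
user@host> request security idp security-package install policy-templates

## Configuration mode: enable the commit script and commit once so the
## templates are loaded under [edit security idp idp-policy] (steps 3 and 4).
user@host> configure
user@host# set system scripts commit file templates.xsl
user@host# commit

## Inspect the template, then work on a copy rather than the template itself,
## so a later run of the commit script can never regenerate over your edits.
## Recommended-Custom is an assumed name.
user@host# show security idp idp-policy Recommended
user@host# edit security idp
user@host# copy idp-policy Recommended to Recommended-Custom
user@host# top

## Assumed address-book entry for the protected hosts in the dmz zone.
user@host# set security zones security-zone dmz address-book address web-servers 10.1.1.0/24

## Add a rule scoped to our own addresses instead of the template's open match.
## "HTTP - Critical" is a placeholder: use a group that exists in the installed
## signature database. "application default" takes the service from the attack objects.
user@host# set security idp idp-policy Recommended-Custom rulebase-ips rule web-dmz match from-zone untrust source-address any to-zone dmz destination-address web-servers application default
user@host# set security idp idp-policy Recommended-Custom rulebase-ips rule web-dmz match attacks predefined-attack-groups "HTTP - Critical"
user@host# set security idp idp-policy Recommended-Custom rulebase-ips rule web-dmz then action drop-connection
user@host# set security idp idp-policy Recommended-Custom rulebase-ips rule web-dmz then notification log-attacks

## Make the customized copy the active policy (step 6, with our own policy).
user@host# set security idp active-policy Recommended-Custom

## Retire the commit script BEFORE the commit that carries the edits (steps 7 and 8).
user@host# deactivate system scripts commit file templates.xsl
user@host# commit

## Verify which policy is active (step 9).
user@host# run show security idp status
```

The ordering matters: every commit made while templates.xsl is still active re-applies the template definitions from the script, so any change made directly to a template policy is lost at the next commit. Working on a renamed copy avoids that for the rules, but the script should still be deactivated or deleted once the templates are loaded.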
