For transit traffic to pass through IDP inspection, you configure
a security policy and enable IDP application services on all traffic
that you want to inspect. Security policies contain rules defining
the types of traffic permitted on the network and the way that the
traffic is treated inside the network. Enabling IDP in a security
policy directs traffic that matches the specified criteria to be checked
against the IDP rulebases.
To allow transit traffic to pass through without IDP inspection,
specify a permit action for the rule without
enabling the IDP application services. Traffic matching the conditions
in this rule passes through the device without IDP inspection.
In this example, you configure two policies—idp-app-policy-1 and idp-app-policy-2. You configure these policies to enable
IDP services on all traffic flowing in both directions on the device.
Policy idp-app-policy-1 directs all traffic flowing from
previously configured zones Zone1 to Zone2 to be
checked against IDP rulebases. The policy idp-app-policy-2 directs all traffic flowing from Zone2 to Zone1 to be checked against IDP rulebases.
Note:
The action in the security policy must be permit. You cannot enable IDP for traffic that the device denies or rejects.
You can use either J-Web or the CLI configuration editor to
configure the IDP application services.
J-Web Configuration
1. Create a security policy. The following tasks create a policy idp-app-policy-1 for traffic traversing from Zone1 to Zone2:
   a. Select Configure>CLI Tools>Point and Click CLI.
   b. Next to Security, click Configure or Edit.
   c. Next to Policies, select the check box and click Edit.
   d. Next to Policy, click Add new entry.
   e. In the From zone name box, type Zone1.
   f. In the To zone name box, type Zone2.
   g. Next to Policy, click Add new entry.
   h. In the Policy name box, type idp-app-policy-1.
2. Specify the match conditions for the traffic flowing in one direction. The following tasks specify that traffic from any source address, to any destination address, and with any application type matches the criteria for this policy:
   a. Next to Match, select the check box and click Configure.
   b. From the Source Address choice list, select Source address.
   c. Next to Source address, click Add new entry.
   d. From the Value keyword list, select Any and click OK.
   e. From the Destination Address choice list, select Destination address.
   f. Next to Destination address, click Add new entry.
   g. From the Value keyword list, select Any and click OK.
   h. From the Application choice list, select Application.
   i. Next to Application, click Add new entry.
   j. From the Value keyword list, select Any and click OK.
3. Specify the action to be taken on traffic that matches the specified conditions. The following tasks permit all traffic matching the specified criteria and direct it to be checked against IDP rulebases:
   a. On the Policy name idp-app-policy-1 page, next to Then, select the check box and click Configure.
   b. From the Action list, select Permit.
   c. Next to Permit, click Configure.
   d. Next to Application services, click Configure.
   e. Next to Idp, select the check box.
4. Create another security policy for traffic in the other direction. The following tasks create another policy idp-app-policy-2 for traffic from Zone2 to Zone1:
   a. On the Policy page, next to Policy, click Add new entry.
   b. In the From zone name box, type Zone2.
   c. In the To zone name box, type Zone1.
   d. Next to Policy, click Add new entry.
   e. In the Policy name box, type idp-app-policy-2.
5. Specify the match conditions for the traffic flowing in the other direction. The following tasks specify that traffic from any source, to any destination, and with any application type matches the criteria for this policy:
   a. Next to Match, select the check box and click Configure.
   b. From the Source Address choice list, select Source address.
   c. Next to Source address, click Add new entry.
   d. From the Value keyword list, select Any and click OK.
   e. From the Destination Address choice list, select Destination address.
   f. Next to Destination address, click Add new entry.
   g. From the Value keyword list, select Any and click OK.
   h. From the Application choice list, select Application.
   i. Next to Application, click Add new entry.
   j. From the Value keyword list, select Any and click OK.
6. Specify the action to be taken on traffic that matches the conditions specified in the policy. The following tasks permit all traffic matching the specified criteria and direct it to be checked against IDP rulebases:
   a. On the Policy name idp-app-policy-2 page, next to Then, select the check box and click Configure.
   b. From the Action list, select Permit.
   c. Next to Permit, click Configure.
   d. Next to Application services, click Configure.
   e. Next to Idp, select the check box.
7. If you are finished configuring the router, commit the configuration.
CLI Configuration
To enable IDP in a security policy:
1. Create a security policy. The following statement creates a policy idp-app-policy-1 for traffic traversing from Zone1 to Zone2:
   user@host# set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1
2. Specify the match conditions for the traffic flowing in one direction. The following statement specifies that traffic from any source address, to any destination address, and with any application type matches the criteria for this policy:
   user@host# set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 match source-address any destination-address any application any
3. Specify the action to be taken on traffic that matches the specified conditions. The following statement permits all traffic matching the specified criteria and directs it to be checked against IDP rulebases:
   user@host# set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 then permit application-services idp
4. Create another security policy for traffic in the other direction. The following statement creates another policy idp-app-policy-2 for traffic from Zone2 to Zone1:
   user@host# set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2
5. Specify the match conditions for the traffic flowing in the other direction. The following statement specifies that traffic from any source, to any destination, and with any application type matches the criteria for this policy:
   user@host# set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 match source-address any destination-address any application any
6. Specify the action to be taken on traffic that matches the conditions specified in the policy. The following statement permits all traffic matching the specified criteria and directs it to be checked against IDP rulebases:
   user@host# set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 then permit application-services idp
7. If you are finished configuring the router, commit the configuration.
You can verify the configuration by using the show security policies command. For more information, see the JUNOS Software CLI Reference.
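The following is an added example, not part of the Juniper documentation or of JUNOS itself: a small Python checker that reads a set-style policy configuration (the form produced by the CLI statements above) and audits it for the two conditions this page cares about, permit rules that let transit traffic through without IDP inspection, and rules that request IDP on traffic the policy does not permit. It also reports zone pairs inspected in only one direction, which matters because the example above deliberately enables IDP on both idp-app-policy-1 and idp-app-policy-2. The sample configuration embedded in the block is constructed for this example; the two page policies are reproduced as given, and the remaining policies (dmz-out, dmz-in, bad-policy, Zone3) are invented, with bad-policy written in a form the device would not accept, so that the checker has something to flag.

```python
"""Audit a set-style Junos security-policy configuration for IDP coverage.

Added example, not Juniper code. It parses lines of the form
  set security policies from-zone A to-zone B policy NAME match ...
  set security policies from-zone A to-zone B policy NAME then permit application-services idp
and reports policies that permit traffic without IDP, policies that ask
for IDP without a permit action, and zone pairs inspected one way only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SET_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)(?: (.*))?$"
)


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    match: Dict[str, List[str]] = field(default_factory=dict)
    action: Optional[str] = None  # permit / deny / reject
    idp: bool = False             # True when application-services idp is set


def parse_policies(config_text: str) -> List[Policy]:
    """Collect the set statements for each (from-zone, to-zone, name) into one Policy."""
    policies: Dict[Tuple[str, str, str], Policy] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SET_RE.match(line)
        if not m:
            continue  # not a security-policy statement; ignore
        fz, tz, name, rest = m.groups()
        key = (fz, tz, name)
        if key not in policies:
            policies[key] = Policy(fz, tz, name)
        pol = policies[key]
        tokens = (rest or "").split()
        if not tokens:
            continue  # bare policy declaration, nothing more to record
        if tokens[0] == "match":
            # "match source-address any destination-address any application any"
            for k, v in zip(tokens[1::2], tokens[2::2]):
                pol.match.setdefault(k, []).append(v)
        elif tokens[0] == "then":
            if len(tokens) > 1 and tokens[1] in ("permit", "deny", "reject"):
                pol.action = tokens[1]
            if "application-services" in tokens:
                after = tokens[tokens.index("application-services") + 1:]
                pol.idp = pol.idp or "idp" in after
    return list(policies.values())


def audit(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Return (finding, location) pairs for policies that bypass or misuse IDP."""
    findings = []
    for p in policies:
        where = f"{p.from_zone}->{p.to_zone} policy {p.name}"
        if p.idp and p.action != "permit":
            # The page's note: IDP can only be enabled on permitted traffic.
            findings.append(("idp-without-permit", where))
        elif p.action == "permit" and not p.idp:
            # Traffic matching this rule transits without IDP inspection.
            findings.append(("permit-without-idp", where))
    return findings


def uninspected_reverse_directions(policies: List[Policy]) -> List[Tuple[str, str]]:
    """Zone pairs with IDP in one direction but no IDP policy for the return path."""
    inspected = {(p.from_zone, p.to_zone) for p in policies if p.idp and p.action == "permit"}
    return sorted(pair for pair in inspected if (pair[1], pair[0]) not in inspected)


# Constructed sample: the two policies from the page plus three invented ones.
SAMPLE_CONFIG = """
set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 match source-address any destination-address any application any
set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 then permit application-services idp
set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 match source-address any destination-address any application any
set security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 then permit application-services idp
# constructed: inspected outbound, but the return path is permitted without IDP
set security policies from-zone Zone1 to-zone Zone3 policy dmz-out match source-address any destination-address any application any
set security policies from-zone Zone1 to-zone Zone3 policy dmz-out then permit application-services idp
set security policies from-zone Zone3 to-zone Zone1 policy dmz-in match source-address any destination-address any application any
set security policies from-zone Zone3 to-zone Zone1 policy dmz-in then permit
# constructed and intentionally invalid: IDP requested on a deny rule
set security policies from-zone Zone2 to-zone Zone3 policy bad-policy match source-address any destination-address any application any
set security policies from-zone Zone2 to-zone Zone3 policy bad-policy then deny application-services idp
"""

if __name__ == "__main__":
    pols = parse_policies(SAMPLE_CONFIG)
    for finding, where in audit(pols):
        print(f"{finding}: {where}")
    for fz, tz in uninspected_reverse_directions(pols):
        print(f"one-way inspection: {fz}->{tz} has IDP, {tz}->{fz} does not")
```

Feed it the output of `show configuration security policies | display set` saved to a file, and the checker flags every permit rule that bypasses IDP; the reverse-direction report is a quick way to confirm that both halves of a zone pair, as in the idp-app-policy-1 and idp-app-policy-2 example, actually send traffic to the IDP rulebases.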