IDP for Tenant Systems
Intrusion detection and prevention (IDP) policies in tenant systems let you selectively enforce various attack detection and prevention techniques on the network traffic that passes through an SRX Series Firewall. SRX Series Firewalls provide the same IDP signature set as Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to protect the network against attacks.
Understanding IDP for Tenant Systems
Junos OS intrusion detection and prevention (IDP) policies let you selectively enforce various attack detection and prevention techniques on the network traffic that passes through a tenant system.
This topic contains the following sections:
IDP Policies
Configuring IDP policies at the root level and at the tenant system level is similar. IDP policy templates configured at the root level are visible to, and can be used by, all tenant systems. The primary administrator specifies the IDP policy in the security profile that is bound to the tenant system. To enable IDP in a tenant system, the primary administrator or the tenant system administrator configures a security policy that defines the traffic to be inspected and specifies permit application-services idp-policy <idp-policy-name> in that policy's then clause.
The primary administrator can configure multiple IDP policies, and a tenant system can have multiple IDP policies at a time. The primary administrator can therefore bind the same IDP policy to several tenant systems, or bind the required IDP policy to each tenant system individually. If multiple IDP policies are configured, configuring a default IDP policy is mandatory.
The primary administrator configures the maximum number of IDP sessions reserved for the primary logical system and for each tenant system. Use the set security idp max-sessions <max-sessions> command to define the number of IDP sessions allowed for the primary logical system, and the set security idp tenant-system <tenant-system-name> max-sessions <max-sessions> command to define the number of IDP sessions allowed for a tenant system.
The tenant system administrator performs the following tasks:
Configures IDP policies and attaches them to the firewall (security) policies used by the tenant system. If no IDP policy is configured for a tenant system, the default IDP policy configured by the primary administrator is used. An IDP policy is bound to a tenant system through the tenant system's security policies.
Creates or modifies IDP policies for their own tenant system. IDP policies are bound to the tenant system. When an IDP policy change fails to commit, only the tenant system that initiated the commit is notified of the failure.
A tenant system administrator can create security zones in the tenant system and assign interfaces to each zone. Zones that are specific to a tenant system cannot be referenced in IDP policies configured by the primary administrator; the primary administrator can reference the zones of the primary logical system in IDP policies configured for the primary logical system.
From within a tenant system, use the show security idp counters, show security idp policy-commit-status, show security idp attack table, show security idp policies and show security idp security-package-version commands to view the detected-attack statistics and IDP counters, the attack table, the policy commit status and the installed security package version for that tenant system.
From the root level, use the show security idp counters <counters> tenant <tenant-name>, show security idp policy-commit-status tenant <tenant-name>, show security idp attack table tenant <tenant-name>, show security idp policies tenant <tenant-name> and show security idp security-package-version tenant <tenant-name> commands to view the same information for a specific tenant system.
Limitations
IDP policy compilation in the Packet Forwarding Engine is done at the global level. Any change to the policy of one logical system or tenant system recompiles the policies of all logical systems and tenant systems, because IDP treats them internally as a single global policy.
Any change to the policy of one logical system or tenant system clears the attack tables of all logical systems and tenant systems.
IDP Installation and Licensing for Tenant Systems
The idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any tenant system on the device.
A single IDP security package is installed at the root level for all tenant systems on the device. The download and install options can be run only at the root level. The same version of the IDP attack database is shared by all tenant systems.
Understanding IDP Features in Tenant Systems
This topic contains the following sections:
Rulebases
A single IDP policy can contain only one instance of any type of rulebase. The intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.
IPS status monitoring is global to the device, not per tenant system.
Multiple Detectors
A newly received IDP security package contains attack definitions and a detector. When a new policy is loaded, it is also associated with a detector. If the detector associated with the policy being loaded matches the detector already in use by the existing policy, the new detector is not loaded and both policies use the one detector. If the new detector does not match the current one, the new detector is loaded along with the new policy; in that case each loaded policy uses its own associated detector for attack detection.
The detector version is common to all tenant systems.
Logging and Monitoring
Status monitoring options are available only to the primary administrator. All status monitoring options under the show security idp and clear security idp operational commands display global information, not per-tenant-system information.
SNMP monitoring of IDP is not supported for tenant systems.
Tenant systems support only stream mode for system logging; event mode is not supported.
IDP generates an event log when an event matches an IDP policy rule on which logging is enabled.
The tenant system identity (the Lsys <tenant-name> field in the message) is added to the following types of IDP traffic-processing logs:
Attack logs. The following example shows an attack log for tenant system TSYS1:
<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy new. attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, name=FTP:USER:ROOT, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, username=N/A, roles=N/A and misc-message -
IP action logs. The following example shows an IP action log for tenant system TSYS1, followed by the AppTrack session-close log for the same session:
<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW - - FLOW_IP_ACTION_LS: Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 from interface xe-4/0/0.0, from zone l1z1, action close.
<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW - - APPTRACK_SESSION_CLOSE_LS: Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: 4.0.0.1/51492->5.0.0.1/21 junos-ftp FTP UNKNOWN 4.0.0.1/51492->5.0.0.1/21 N/A N/A 6 l1z1-l1z2 l1z1 l1z2 50000058 6(287) 5(281) 6 N/A N/A No N/A N/A VR1 xe-4/0/1.0 0 0 Infrastructure File-Servers N/A N/A
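Because the Lsys field is the only thing that separates one tenant's IDP events from another's on a shared device, a log collector must key on it. The following Python parser is an added example written for this page; it is not Junos OS code and does not appear in the original documentation. The sample lines are constructed from the two formats shown above: a second tenant TSYS2 and the AppTrack line are included to show that events from other tenants are kept apart and that non-IDP _LS messages are skipped. It extracts tenant, attack, severity and action, tallies attacks per tenant (a per-tenant attack table built from syslog, which survives the attack-table clearing described under Limitations), and flags attacks that a rule with action no-action logged but did not block, the configuration used by the examples later on this page.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample syslog lines modelled on the IDP_ATTACK_LOG_EVENT_LS,
# FLOW_IP_ACTION_LS and APPTRACK_SESSION_CLOSE_LS formats shown above.
# They were not captured from a device; TSYS2 is an invented second tenant.
SAMPLE_LOGS = [
    "<14>1 2019-02-18T02:17:56+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: "
    "Lsys TSYS1: IDP: At 1550485076, SIG Attack log <4.0.0.1/51480->5.0.0.1/21> for TCP "
    "protocol and service SERVICE_IDP application FTP by rule 1 of rulebase IPS in policy new. "
    "attack: id=4641, repeat=0, action=NONE, threat-severity=MEDIUM, name=FTP:USER:ROOT, "
    "NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, "
    "outpackets=0, intf:l1z1:xe-4/0/0.0->l1z2:xe-4/0/1.0, packet-log-id: 0, alert=no, "
    "username=N/A, roles=N/A and misc-message -",
    "<14>1 2019-02-18T02:18:10+05:30 4.0.0.254 pamba RT_IDP - - IDP_ATTACK_LOG_EVENT_LS: "
    "Lsys TSYS2: IDP: At 1550485090, SIG Attack log <10.1.1.5/40000->10.2.2.9/80> for TCP "
    "protocol and service SERVICE_IDP application HTTP by rule 1 of rulebase IPS in policy "
    "idpengine. attack: id=1, repeat=3, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, "
    "NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, "
    "outpackets=0, intf:l2z1:xe-4/0/2.0->l2z2:xe-4/0/3.0, packet-log-id: 0, alert=no, "
    "username=N/A, roles=N/A and misc-message -",
    "<14>1 2019-02-19T02:21:43+05:30 4.0.0.254 pamba RT_FLOW - - FLOW_IP_ACTION_LS: "
    "Lsys TSYS1: Flow IP action detected attack attempt:4.0.0.1/51492 --> 5.0.0.1/21 "
    "from interface xe-4/0/0.0, from zone l1z1, action close.",
    "<14>1 2019-02-19T02:21:45+05:30 4.0.0.254 pamba RT_FLOW - - APPTRACK_SESSION_CLOSE_LS: "
    "Lsys TSYS1: AppTrack session closed Closed by junos-tcp-clt-emul: 4.0.0.1/51492->5.0.0.1/21 "
    "junos-ftp FTP UNKNOWN 4.0.0.1/51492->5.0.0.1/21 N/A N/A 6 l1z1-l1z2 l1z1 l1z2 50000058 "
    "6(287) 5(281) 6 N/A N/A No N/A N/A VR1 xe-4/0/1.0 0 0 Infrastructure File-Servers N/A N/A",
]

# RFC 5424 header, then "<EVENT>_LS: Lsys <tenant>: <body>" as in the samples above.
_HEADER = re.compile(
    r"^<\d+>1 (?P<ts>\S+) \S+ \S+ \S+ - - (?P<event>[A-Z_]+): Lsys (?P<tenant>[^:]+): (?P<body>.*)$"
)
_ATTACK = re.compile(
    r"<(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+)>.*?"
    r"by rule (?P<rule>\d+) of rulebase \S+ in policy (?P<policy>\S+)\. attack: id=\d+, "
    r"repeat=(?P<repeat>\d+), action=(?P<action>\w+), threat-severity=(?P<severity>\w+), "
    r"name=(?P<name>[^,]+),"
)
_IP_ACTION = re.compile(
    r"attempt:(?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"from interface .+?, from zone (?P<zone>\S+), action (?P<action>\w+)\."
)
# threat-severity values as they appear in the attack log, lowest to highest (assumed order).
SEVERITY_RANK = {"INFO": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class IdpEvent:
    tenant: str
    event: str
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    action: str                     # IDP action (NONE, DROP, ...) or IP-action verb (close, ...)
    attack: Optional[str] = None    # attack object name, attack logs only
    severity: Optional[str] = None
    policy: Optional[str] = None
    rule: Optional[int] = None
    repeat: int = 0                 # log-suppression repeat counter from the attack log
    zone: Optional[str] = None      # from-zone, IP action logs only


def parse_line(line: str) -> Optional[IdpEvent]:
    """Parse one syslog line; return None for lines that are not IDP events."""
    h = _HEADER.match(line)
    if not h:
        return None
    ts, event, tenant, body = h["ts"], h["event"], h["tenant"], h["body"]
    if event == "IDP_ATTACK_LOG_EVENT_LS":
        a = _ATTACK.search(body)
        if not a:
            return None
        return IdpEvent(tenant, event, ts, a["src"], int(a["sport"]), a["dst"], int(a["dport"]),
                        a["action"], attack=a["name"], severity=a["severity"],
                        policy=a["policy"], rule=int(a["rule"]), repeat=int(a["repeat"]))
    if event == "FLOW_IP_ACTION_LS":
        a = _IP_ACTION.search(body)
        if not a:
            return None
        return IdpEvent(tenant, event, ts, a["src"], int(a["sport"]), a["dst"], int(a["dport"]),
                        a["action"], zone=a["zone"])
    return None  # e.g. APPTRACK_SESSION_CLOSE_LS carries Lsys but is not an IDP event


def attacks_by_tenant(lines: List[str]) -> Dict[str, Counter]:
    """Attack-name hit counts keyed by tenant, a per-tenant attack table built from syslog."""
    table: Dict[str, Counter] = defaultdict(Counter)
    for ev in map(parse_line, lines):
        if ev and ev.attack:
            table[ev.tenant][ev.attack] += 1
    return dict(table)


def unblocked_attacks(lines: List[str], min_severity: str = "MEDIUM") -> List[IdpEvent]:
    """Attacks at or above min_severity that IDP logged with action=NONE, i.e. a rule
    with 'then action no-action' saw them but neither dropped nor closed the session."""
    floor = SEVERITY_RANK[min_severity]
    return [ev for ev in map(parse_line, lines)
            if ev and ev.attack and ev.action == "NONE"
            and SEVERITY_RANK.get(ev.severity or "", -1) >= floor]


if __name__ == "__main__":
    for tenant, hits in attacks_by_tenant(SAMPLE_LOGS).items():
        print(tenant, dict(hits))
    for ev in unblocked_attacks(SAMPLE_LOGS):
        print(f"{ev.tenant}: {ev.attack} ({ev.severity}) {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} not blocked")
```

The severity threshold is deliberately a parameter: during a rollout with log-attacks and no-action, the list of MEDIUM-and-above hits per tenant is exactly what you review before switching the rule to a blocking action, and keying everything on the Lsys field keeps one tenant's review from being polluted by another's traffic.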
Example: Configuring IDP Policies and Attacks for a Tenant System
This example shows how to configure IDP policies and attack objects for a tenant system.
Requirements
This example uses the following hardware and software components:
An SRX Series Firewall configured with tenant systems.
Junos OS Release 19.2R1 or later.
Before you configure IDP policies and attacks for a tenant system, make sure you have:
Read Tenant Systems Overview to understand how this task fits into the overall configuration process.
Created the tenant system TSYS1. See Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch.
Created security zones for tenant system TSYS1. See Example: Configuring Zones in a Tenant System.
Logged in to the tenant system as the tenant system administrator. See Tenant System Configuration Overview.
Overview
In this example, you configure an IDP custom attack, IDP policies, a custom attack group, predefined attacks and attack groups, and a dynamic attack group in tenant system TSYS1.
Configuration
Configuring a Custom Attack
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp custom-attack my-http severity info
set security idp custom-attack my-http attack-type signature protocol-binding application HTTP
set security idp custom-attack my-http attack-type signature context http-get-url
set security idp custom-attack my-http attack-type signature pattern .*testing.*
set security idp custom-attack my-http attack-type signature direction any
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a custom attack object:
Create the custom attack object and set its severity level.
[edit security idp]
user@host:TSYS1# set custom-attack my-http severity info
Configure the stateful signature parameters. The signature is bound to the HTTP application and matched only in the http-get-url context, so the pattern is applied to the URL of GET requests rather than to the whole stream.
[edit security idp]
user@host:TSYS1# set custom-attack my-http attack-type signature protocol-binding application HTTP
user@host:TSYS1# set custom-attack my-http attack-type signature context http-get-url
user@host:TSYS1# set custom-attack my-http attack-type signature pattern .*testing.*
user@host:TSYS1# set custom-attack my-http attack-type signature direction any
Results
From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp custom-attack my-http
severity info;
attack-type {
    signature {
        protocol-binding {
            application HTTP;
        }
        context http-get-url;
        pattern .*testing.*;
        direction any;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring an IDP Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an IDP policy:
Create the IDP policy and configure the match conditions.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
Configure the action and notification for the IDP policy. With action no-action and notification log-attacks, matching traffic is logged but not blocked; this is suitable for validating a new signature before enforcing it.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks my-http;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Multiple IDP Policies with a Default IDP Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match source-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match application any
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security idp default-policy idpengine1
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure multiple IDP policies:
Create the IDP policies and configure their match conditions. Policy idpengine matches the predefined attack HTTP:AUDIT:URL and policy idpengine1 matches FTP:USER:ROOT.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match from-zone any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match source-address any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match to-zone any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match destination-address any
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine1 rulebase-ips rule 1 then notification log-attacks
Configure the security policies and attach an IDP policy to each. FTP traffic from zone l1z1 to zone l1z2 is inspected with idpengine1 and HTTP traffic with idpengine; the dynamic-application match is what steers each application to its own IDP policy.
[edit security policies]
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match source-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match destination-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match application any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match source-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match destination-address any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match application any
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
user@host:TSYS1# set from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
Configure the default IDP policy.
Note: If multiple IDP policies are configured, configuring a default IDP policy is mandatory.
[edit security idp]
user@host:TSYS1# set default-policy idpengine1
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine, show security idp idp-policy idpengine1 and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                predefined-attacks HTTP:AUDIT:URL;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security idp idp-policy idpengine1
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attacks FTP:USER:ROOT;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
[edit]
user@host:TSYS1# show security policies
from-zone l1z1 to-zone l1z2 {
    policy l1z1-l1z2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:FTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine1;
                }
            }
        }
    }
    policy 2 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application junos:HTTP;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
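Two things in the procedure above are easy to get wrong in a tenant system where several administrators edit policies: the default IDP policy that becomes mandatory as soon as a second IDP policy exists, and the idp-policy name referenced from each security policy's permit application-services clause. The following Python script is an added example written for this page, not Junos OS code and not from the original documentation; it is a pre-commit lint over set-format configuration. The sample configuration is constructed from the multiple-policy example above with the default-policy line left out and an extra policy 3 that references an idp-policy (idpengine2) nobody defined, so that both checks fire; the message strings and the "zone->zone policy name" key format are the script's own.

```python
import shlex
from typing import Dict, List, Optional, Set, Tuple

# Constructed set-format configuration (trimmed to the lines the checks care about):
# the multiple-policy example with 'set security idp default-policy idpengine1'
# omitted and a policy 3 added that points at an undefined idp-policy.
SAMPLE_CONFIG = """
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks HTTP:AUDIT:URL
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine1 rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine1 rulebase-ips rule 1 then action no-action
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 match dynamic-application junos:FTP
set security policies from-zone l1z1 to-zone l1z2 policy l1z1-l1z2 then permit application-services idp-policy idpengine1
set security policies from-zone l1z1 to-zone l1z2 policy 2 match dynamic-application junos:HTTP
set security policies from-zone l1z1 to-zone l1z2 policy 2 then permit application-services idp-policy idpengine
set security policies from-zone l1z1 to-zone l1z2 policy 3 match dynamic-application junos:SSH
set security policies from-zone l1z1 to-zone l1z2 policy 3 then permit application-services idp-policy idpengine2
"""

# The same configuration with both problems fixed.
FIXED_CONFIG = SAMPLE_CONFIG + (
    'set security idp idp-policy idpengine2 rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"\n'
    "set security idp default-policy idpengine1\n"
)


def parse_set_config(text: str) -> Tuple[Set[str], Dict[str, str], Optional[str]]:
    """Return (defined idp-policy names, security-policy -> idp-policy references, default policy)."""
    defined: Set[str] = set()
    refs: Dict[str, str] = {}
    default: Optional[str] = None
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())   # shlex keeps quoted names like "HTTP - All" together
        if not tok or tok[0] != "set":
            continue
        if tok[1:4] == ["security", "idp", "idp-policy"] and len(tok) > 4:
            defined.add(tok[4])
        elif tok[1:4] == ["security", "idp", "default-policy"] and len(tok) > 4:
            default = tok[4]
        elif tok[1:3] == ["security", "policies"] and "idp-policy" in tok:
            # set security policies from-zone A to-zone B policy P then permit application-services idp-policy X
            i = tok.index("idp-policy")
            if i + 1 < len(tok) and tok[i - 2:i] == ["permit", "application-services"]:
                refs[f"{tok[4]}->{tok[6]} policy {tok[8]}"] = tok[i + 1]
    return defined, refs, default


def lint_idp_config(text: str) -> List[str]:
    """Report the mistakes that would either fail the commit or silently inspect nothing."""
    defined, refs, default = parse_set_config(text)
    problems: List[str] = []
    if len(defined) > 1 and default is None:
        problems.append("ERROR: multiple IDP policies defined but no 'set security idp default-policy'")
    if default is not None and default not in defined:
        problems.append(f"ERROR: default-policy {default} is not a defined idp-policy")
    for key, name in sorted(refs.items()):
        if name not in defined:
            problems.append(f"ERROR: security policy {key} references undefined idp-policy {name}")
    for name in sorted(defined - set(refs.values()) - {default}):
        problems.append(f"WARN: idp-policy {name} is neither referenced by a security policy nor the default")
    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}: {lint_idp_config(cfg) or ['OK']}")
```

Run it against the output of show configuration | display set taken inside the tenant system. Because IDP compiles one global policy for every logical and tenant system (see Limitations), a commit failure caused by one tenant's dangling reference is worth catching before it is attempted.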
Configuring an IDP Custom Attack Group
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
set security idp custom-attack customftp severity warning
set security idp custom-attack customftp attack-type signature context ftp-username
set security idp custom-attack customftp attack-type signature pattern .*guest.*
set security idp custom-attack customftp attack-type signature direction client-to-server
set security idp custom-attack-group cust-group group-members customftp
set security idp custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
set security idp custom-attack-group cust-group group-members "FTP - Minor"
set security idp custom-attack-group cust-group group-members dyn1
set security idp dynamic-attack-group dyn1 filters category values HTTP
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an IDP custom attack group:
Create the IDP policy rule and reference the custom attack group in its match condition.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attack-groups cust-group
Configure the action and notification for the rule.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Configure the custom attack object, add it to the custom attack group together with a predefined attack (ICMP:INFO:TIMESTAMP), a predefined attack group ("FTP - Minor") and a dynamic attack group (dyn1), and define the dynamic attack group's filter. A custom attack group can mix members of all of these kinds.
[edit security idp]
user@host:TSYS1# set custom-attack customftp severity warning
user@host:TSYS1# set custom-attack customftp attack-type signature context ftp-username
user@host:TSYS1# set custom-attack customftp attack-type signature pattern .*guest.*
user@host:TSYS1# set custom-attack customftp attack-type signature direction client-to-server
user@host:TSYS1# set custom-attack-group cust-group group-members customftp
user@host:TSYS1# set custom-attack-group cust-group group-members ICMP:INFO:TIMESTAMP
user@host:TSYS1# set custom-attack-group cust-group group-members "FTP - Minor"
user@host:TSYS1# set custom-attack-group cust-group group-members dyn1
user@host:TSYS1# set dynamic-attack-group dyn1 filters category values HTTP
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp
idp-policy idpengine {
    rulebase-ips {
        rule 1 {
            match {
                attacks {
                    custom-attack-groups cust-group;
                }
            }
            then {
                action {
                    no-action;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
custom-attack customftp {
    severity warning;
    attack-type {
        signature {
            context ftp-username;
            pattern .*guest.*;
            direction client-to-server;
        }
    }
}
custom-attack-group cust-group {
    group-members [ customftp ICMP:INFO:TIMESTAMP "FTP - Minor" dyn1 ];
}
dynamic-attack-group dyn1 {
    filters {
        category {
            values HTTP;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring Predefined Attacks and Attack Groups
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
These commands add match conditions to rule 1 of the idpengine policy configured earlier in this example; the action and notification shown in the results come from that earlier configuration.
To configure predefined attacks and attack groups:
Configure a predefined attack.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attacks FTP:USER:ROOT
Configure a predefined attack group.
[edit security idp]
user@host:TSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks predefined-attack-groups "HTTP - All"
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            attacks {
                predefined-attacks FTP:USER:ROOT;
                predefined-attack-groups "HTTP - All";
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Configuring an IDP Dynamic Attack Group
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp dynamic-attack-group dyn1 filters direction values server-to-client
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure an IDP dynamic attack group:
Configure the dynamic attack group filter. A dynamic attack group selects its members from the installed attack database by filter rather than by name, so its membership changes as new security packages are installed.
[edit security idp]
user@host:TSYS1# set dynamic-attack-group dyn1 filters direction values server-to-client
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:TSYS1# show security idp
dynamic-attack-group dyn1 {
    filters {
        direction {
            values server-to-client;
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the IDP Policy and Commit Status
Purpose
Verify that the IDP policy and its commit status are displayed after the policy for tenant system TSYS1 has been compiled.
Action
From operational mode, enter the show security idp policies command.
user@host:TSYS1> show security idp policies
  ID  Name       Sessions  Memory  Detector
   1  idpengine         0  186024  12.6.130180122
From operational mode, enter the show security idp policy-commit-status command.
user@host:TSYS1> show security idp policy-commit-status
IDP policy[/var/db/idpd/bins//idp-policy-unified.bin.gz.v] and detector[/var/db/idpd/sec-repository/installed-detector/libidp-detector.so.tgz.v] loaded successfully.
The loaded policy size is:2912 Bytes
Meaning
The output shows the IDP policy configured in tenant system TSYS1, the detector version it uses, and the commit status.
Verifying IDP Attack Detection
Purpose
Verify that IDP attack detection in tenant system TSYS1 succeeded and that the attack appears in the attack table.
Action
From operational mode, enter the show security idp attack table command.
user@host:TSYS1> show security idp attack table
IDP attack statistics:
  Attack name    #Hits
  my-http            1
Meaning
The output shows the attack detected for the custom attack my-http configured in tenant system TSYS1. Because any IDP policy change in any logical system or tenant system clears the attack tables of all of them (see Limitations), a zero count does not by itself mean the attack was never seen; use the attack logs for a durable record.
Verifying IDP Counters
Purpose
Verify that the IDP flow counters are displayed for tenant system TSYS1.
Action
From operational mode, enter the show security idp counters flow command.
user@host:TSYS1> show security idp counters flow
IDP counters:
  IDP counter type                                                        Value
  Fast-path packets                                                          38
  Slow-path packets                                                           1
  Session construction failed                                                 0
  Session limit reached                                                       0
  Session inspection depth reached                                            0
  Memory limit reached                                                        0
  Not a new session                                                           0
  Invalid index at ageout                                                     0
  Packet logging                                                              0
  Policy cache hits                                                           0
  Policy cache misses                                                         1
  Policy cache entries                                                        0
  Maximum flow hash collisions                                                0
  Flow hash collisions                                                        0
  Gates added                                                                 0
  Gate matches                                                                0
  Sessions deleted                                                            1
  Sessions aged-out                                                           0
  Sessions in-use while aged-out                                              0
  TCP flows marked dead on RST/FIN                                            1
  Policy init failed                                                          0
  Policy reinit failed                                                        0
  Number of times Sessions exceed high mark                                   0
  Number of times Sessions drop below low mark                                0
  Memory of Sessions exceeds high mark                                        0
  Memory of Sessions drops below low mark                                     0
  SM Sessions encountered memory failures                                     0
  SM Packets on sessions with memory failures                                 0
  IDP session gate creation requests                                          0
  IDP session gate creation acknowledgements                                  0
  IDP session gate hits                                                       0
  IDP session gate timeouts                                                   0
  Number of times Sessions crossed the CPU threshold value that is set        0
  Number of times Sessions crossed the CPU upper threshold                    0
  Sessions constructed                                                        1
  SM Sessions ignored                                                         0
  SM Sessions dropped                                                         0
  SM Sessions interested                                                      2
  SM Sessions not interested                                                  0
  SM Sessions interest error                                                  0
  Sessions destructed                                                         1
  SM Session Create                                                           1
  SM Packet Process                                                          38
  SM ftp data session ignored by idp                                          1
  SM Session close                                                            1
  SM Client-to-server packets                                                15
  SM Server-to-client packets                                                23
  SM Client-to-server L7 bytes                                               99
  SM Server-to-client L7 bytes                                              367
  Client-to-server flows ignored                                              0
  Server-to-client flows ignored                                              0
  Server-to-client flows tcp optimized                                        0
  Client-to-server flows tcp optimized                                        0
  Both directions flows ignored                                               1
  Fail-over sessions dropped                                                  0
  Sessions dropped due to no policy                                           0
  IDP Stream Sessions dropped due to memory failure                           0
  IDP Stream Sessions ignored due to memory failure                           0
  IDP Stream Sessions closed due to memory failure                            0
  IDP Stream Sessions accepted                                                0
  IDP Stream Sessions constructed                                             0
  IDP Stream Sessions destructed                                              0
  IDP Stream Move Data                                                        0
  IDP Stream Sessions ignored on JSF SSL Event                                0
  IDP Stream Sessions not processed for no matching rules                     0
  IDP Stream stbuf dropped                                                    0
  IDP Stream stbuf reinjected                                                 0
  Busy pkts from stream plugin                                                0
  Busy pkts from pkt plugin                                                   0
  bad kpp                                                                     0
  Lsys policy id lookup failed sessions                                       0
  NGAppID Events with no L7 App                                               0
  NGAppID Events with no active-policy                                        0
  NGAppID Detector failed from event handler                                  0
  NGAppID Detector failed from API                                            0
  Busy packets                                                                0
  Busy packet Errors                                                          0
  Dropped queued packets (async mode)                                         0
  Dropped queued packets failed(async mode)                                   0
  Reinjected packets (async mode)                                             0
  Reinjected packets failed(async mode)                                       0
  AI saved processed packet                                                   0
  busy packet count incremented                                               0
  busy packet count decremented                                               0
  session destructed in pme                                                   0
  session destruct set in pme                                                 0
  kq op hold                                                                  0
  kq op drop                                                                  0
  kq op route                                                                 0
  kq op continue                                                             37
  kq op error                                                                 0
  kq op stop                                                                  0
  PME wait not set                                                            0
  PME wait set                                                                0
  PME KQ run not called                                                       0
  IDP sessions ignored for content decompression in intel inspect mode        0
  IDP sessions ignored for bytes depth limit in intel inspect mode            0
  IDP sessions ignored for protocol decoding in intel inspect mode            0
  IDP sessions detected CPU usage crossed intel inspect CPU threshold         0
  IDP sessions detected mem drop below intel inspect low mem threshold        0
Meaning
The output shows the IDP flow counters for tenant system TSYS1. Counters such as Session limit reached, Sessions dropped due to no policy and Lsys policy id lookup failed sessions are the ones to watch in a tenant system: the first indicates the max-sessions reservation configured by the primary administrator has been exhausted, and the other two indicate traffic that reached IDP without a usable policy.