Understanding IPS Policies

An intrusion prevention system (IPS) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IPS-enabled device. There are two policy options:

  • Group Policy—Select this option when you want to push one configuration to a group of devices. You can create rules for a group policy.

    During device assignment for a group policy, only devices from the current domain and from child domains with view parent enabled are listed; devices in a child domain with view parent disabled are not listed. Not all group policies of the Global domain are visible in a child domain. If view parent is disabled for a child domain, no group policies of the Global domain (including the All Devices policy) are visible in that domain. Otherwise, only those Global-domain group policies that have devices from the child domain assigned to them are visible in the child domain. For example, if a Global-domain group policy has devices from both the D1 domain and the Global domain assigned to it, only that group policy is visible in the D1 domain, and only its D1 domain devices are shown. Neither the other devices of the Global domain nor its Device-Exception policy are visible in the D1 domain.

    You cannot edit a group policy of the Global domain from a child domain. This is true for the All Devices policy as well. Modifying or deleting the policy, managing a snapshot, taking a policy snapshot, and acquiring the policy lock are also not allowed. Similarly, you cannot perform these actions on the Device-Exception policy of the D1 domain from the Global domain. You can prioritize group policies from the current domain only; group policies from other domains are not listed.

  • Device Policy—Select this option when you want to push a unique IPS policy configuration to each device. You can create device rules for a device IPS policy.

    Security Director views a logical system like it does any other security device, and it takes ownership of the security configuration of the logical system. In Security Director, each logical system is managed as a unique security device.

    During a device assignment for a device policy, only devices from the current domain are listed.

Note If Security Director discovers the root logical system, the root logical system (lsys) in turn discovers all user logical systems inside the device.

An IPS policy consists of rulebases and each rulebase contains a set of rules. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.

An IPS rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.

An exempt rulebase works in conjunction with the IPS rulebase. You must have rules in the IPS rulebase before you can create exempt rules. If traffic matches a rule in the IPS rulebase, the IPS policy attempts to match the traffic against the exempt rulebase before performing the specified action or creating a log record for the event. If the IPS policy detects traffic that matches the source or destination pair and the attack objects specified in the exempt rulebase, it automatically exempts that traffic from attack detection.

Configure an exempt rulebase in the following conditions:

After you create an IPS policy by adding rules in one or more rulebases, you can publish or update the policy. You can also view a list of security devices with IPS policies assigned to them. This list assists you in viewing the details of all the IPS policies and rules assigned per device.

IPS Policy Support for Unified and Standard Firewall Policy

Starting in Junos Space Security Director Release 19.3, you can assign an IPS policy to standard and unified firewall policies. With the support of IPS policy within firewall policy:

Note For devices running Junos OS Release 18.2, a single IPS policy is supported in the firewall policy rules. For devices running Junos OS Release 18.3 onward, multiple IPS policies are supported in the firewall policy rules.

If you have configured both a traditional firewall policy (with a 5-tuple match condition, or with dynamic-application configured as none) and a unified policy (with a 6-tuple match condition), the traditional firewall policy matches the traffic first, before the unified policy.

When you configure a unified policy with a dynamic application as one of the match conditions, you avoid the additional steps otherwise involved in IPS policy configuration. All IPS policy configuration is handled within the unified firewall policy, which simplifies the task of configuring an IPS policy to detect attacks or intrusions for a given session.

From Junos OS Release 18.2 onward, the CLI configuration for IPS policy is generated along with the standard or unified firewall policy, to which the IPS policy is attached.

Multiple IPS Policies for Unified and Standard Firewall Policies

When an SRX Series device is configured with standard and unified firewall policies, you can configure multiple IPS policies and set one of them as the default policy. If multiple IPS policies are configured for a session and a policy conflict occurs, the device applies the default IPS policy to that session, which resolves the conflict.

Note If you have configured two or more IPS policies in a firewall policy, then you must configure the default IPS policy.

The initial security policy lookup phase, which occurs before the dynamic application is identified, might result in multiple potential policy matches. IPS is enabled on the session if at least one of the matched security policies has an IPS policy configured.

If only one IPS policy is configured in the potential policy list, then that IPS policy is applied for the session. If there are multiple IPS policies configured for a session in the potential policy list, then the SRX Series device applies the IPS policy that is configured as the default IPS policy.
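To make the selection rules above concrete, the following Python model (added here; it is not Security Director or Junos code) walks one session's potential policy list and returns whether IPS is enabled and which IPS policy applies. The firewall rule and IPS policy names in it are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class FirewallPolicy:
    """One security policy in the potential-match list (constructed model)."""
    name: str
    ips_policy: Optional[str] = None  # idp-policy attached via application-services, if any


def select_ips_policy(potential: List[FirewallPolicy],
                      default_ips_policy: Optional[str]) -> Tuple[bool, Optional[str]]:
    """Apply the lookup rules described in the text to one session.

    `potential` is the list of security policies that might still match before
    the dynamic application is identified. Returns (ips_enabled, policy_name).
    """
    # IPS is enabled only if at least one matched policy carries an IPS policy.
    attached = {p.ips_policy for p in potential if p.ips_policy}
    if not attached:
        return False, None
    # A single distinct IPS policy in the list is applied directly
    # (several rules referencing the same policy do not conflict).
    if len(attached) == 1:
        return True, next(iter(attached))
    # Two or more distinct IPS policies conflict: the default IPS policy resolves it,
    # and the text requires that a default be configured in that case.
    if default_ips_policy is None:
        raise ValueError("conflicting IPS policies %s but no default IPS policy configured"
                         % sorted(attached))
    return True, default_ips_policy


if __name__ == "__main__":
    # Constructed sample: two potential matches carrying different IPS policies.
    session = [FirewallPolicy("web-rule", "IPS_Web"), FirewallPolicy("catch-all", "IPS_Policy")]
    print(select_ips_policy(session, default_ips_policy="IPS_Policy"))  # (True, 'IPS_Policy')
```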

Example: Assign an IPS Policy to a Firewall Policy for Devices Running Junos OS Release 18.2 and Later

In this example, we’ll show you how to create an IPS policy and attach the IPS policy to a standard firewall policy rule assigned to a device running Junos OS Release 18.2.

Note Starting in Junos Space Security Director Release 19.3, you cannot assign devices running Junos OS Release 18.2 and later to an IPS policy from the IPS Policies page. You’ll need to attach an IPS policy to a firewall policy rule for devices running Junos OS Release 18.2 and later. The CLI configuration for IPS policy is generated along with the standard or unified firewall policy, to which the IPS policy is attached.

Create an IPS Policy

Procedure

  1. Select Configure > IPS Policy > Policies.

    The IPS Policies page is displayed.

  2. Click the + icon.

    The Create IPS Policy page is displayed.

  3. Enter the IPS policy name as IPS_Policy.

    A policy name can be a maximum of 255 characters and can include alphanumeric characters, spaces, and periods.

  4. Select the Policy Type as Device Policy.

    Note Do not select the group policy option since the group IPS policy cannot be attached to a firewall policy.

  5. Do not select any device from the drop-down list.

    Note Devices running Junos OS Release 18.1 and earlier are listed; devices running Junos OS Release 18.2 and later are not. To configure an IPS policy on devices running Junos OS Release 18.2 and later, assign an IPS policy (without device assignment) to a firewall policy rule. The IPS policy is updated along with the firewall policy update.

  6. Click OK.

    The created IPS Policy (IPS_Policy) is displayed on the IPS Policy page.

Assign the IPS Policy to the Firewall Policy

Procedure

  1. Select Configure > Firewall Policy > Standard Policies.

    The Standard Policies page is displayed.

  2. Click the + icon.

    The Create Firewall Policy page is displayed.

  3. Enter the firewall policy name as Firewall_Policy.
  4. Select the Policy Type as Device Policy.

    In device policy, the firewall policy is created per device. In group policy, the firewall policy is shared with multiple devices.

  5. Select the device as vsrx-18.2.

    To discover devices in Security Director, see Creating Device Discovery Profiles in Security Director.

    Note The selected device must be running Junos OS Release 18.2 or later.

  6. Click OK to create the firewall policy.

    The created firewall policy (Firewall_Policy) is displayed on the Standard Policies page.

  7. Click the Add Rule link for the Firewall_Policy to add rules.

    The Create Rule page is displayed.

  8. On the General tab, enter the rule name as Firewall_Policy_Rule.

  9. Click Next until you reach the Advanced Security tab.
  10. On the Advanced Security tab:

    Procedure

    1. Select the Action Permit.
    2. Select the IPS Policy value IPS_Policy from the drop-down list.

      Note Only device-specific IPS policies are listed.

  11. Click Next until you reach the Rule Placement tab and click Finish.

    You can view the IPS policy details in the firewall policy configuration summary.

  12. Click OK to create the rule.

    The rule is displayed on the Firewall_Policy/Rules page.

  13. Click Save to save the rule.

Verify the IPS Policy Assignment to Firewall Policy

Purpose

Verify that the created firewall policy rule includes the IPS Policy (IPS_Policy). Similar to Firewall_Policy_Rule, we’ve created another rule Firewall_Policy_Rule2.

Action

Procedure

  1. Select Configure > Firewall Policy > Standard Policies.

    The Standard Policies page is displayed.

  2. Click the rules for the firewall policy (Firewall_Policy).

    The Firewall_Policy/Rules page is displayed. Under the Advanced Security column, the IPS policy (IPS_Policy) is displayed for both the rules Firewall_Policy_Rule and Firewall_Policy_Rule2.

CLI Configuration

In the generated configuration, you can see that the IPS policy (IPS_Policy) is attached to both firewall policy rules (Firewall_Policy_Rule and Firewall_Policy_Rule2).

##Security Firewall Policy: global ##
set security policies global policy Firewall_Policy_Rule match application any
set security policies global policy Firewall_Policy_Rule match destination-address any
set security policies global policy Firewall_Policy_Rule match source-address any
set security policies global policy Firewall_Policy_Rule then permit application-services idp-policy IPS_Policy
set security policies global policy Firewall_Policy_Rule2 match application any
set security policies global policy Firewall_Policy_Rule2 match destination-address any
set security policies global policy Firewall_Policy_Rule2 match source-address any
set security policies global policy Firewall_Policy_Rule2 then permit application-services idp-policy IPS_Policy

##IDP Configurations##
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match application default
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match attacks predefined-attack-groups "Additional Web Services - Info"
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match from-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match to-zone any
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 then action recommended
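As an added check (not part of this page, Security Director or Junos), the following Python script parses Junos set-format output like the configuration above and reports which firewall rules reference which idp-policy, any referenced idp-policy that is never defined, and whether more than one IPS policy is referenced without a default. The sample configuration is constructed from the lines above plus one deliberately dangling reference (rule-three -> IPS_Missing); the default is looked for in the Junos `set security idp default-policy` statement.

```python
import re

# Constructed sample: the page's generated lines plus one dangling reference.
SAMPLE_CONFIG = """
set security policies global policy Firewall_Policy_Rule match application any
set security policies global policy Firewall_Policy_Rule then permit application-services idp-policy IPS_Policy
set security policies global policy Firewall_Policy_Rule2 then permit application-services idp-policy IPS_Policy
set security policies global policy rule-three then permit application-services idp-policy IPS_Missing
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match application default
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 match attacks predefined-attack-groups "Additional Web Services - Info"
set security idp idp-policy IPS_Policy rulebase-ips rule Device-1 then action recommended
"""

# A firewall rule (global or zone-pair) that attaches an idp-policy via application-services.
FW_REF = re.compile(r"^set security policies (?:global|from-zone \S+ to-zone \S+) policy (\S+) "
                    r"then permit application-services idp-policy (\S+)$")
# Any statement under an idp-policy defines that policy name.
IDP_DEF = re.compile(r"^set security idp idp-policy (\S+) ")
# The device-wide default IPS policy used to resolve conflicts.
IDP_DEFAULT = re.compile(r"^set security idp default-policy (\S+)$")


def audit_ips_references(config_text):
    """Map firewall rules to their IPS policies and flag undefined or conflicting references."""
    rule_to_ips = {}
    defined = set()
    default = None
    for line in config_text.strip().splitlines():
        line = line.strip()
        m = FW_REF.match(line)
        if m:
            rule_to_ips[m.group(1)] = m.group(2)
            continue
        m = IDP_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = IDP_DEFAULT.match(line)
        if m:
            default = m.group(1)
    referenced = set(rule_to_ips.values())
    return {
        "rule_to_ips": rule_to_ips,
        "undefined": sorted(referenced - defined),         # referenced but never configured
        "needs_default": len(referenced) > 1 and default is None,  # conflict with no resolver
        "default": default,
    }


if __name__ == "__main__":
    print(audit_ips_references(SAMPLE_CONFIG))
```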

Example: Import an IPS Policy from a Device Running Junos OS Release 18.2 and Later

In this example, we’ll show how to import the configuration of a device running Junos OS Release 18.2 into Security Director. You’ll see that the attached IPS policy is imported along with the firewall policy.

Note Starting in Junos Space Security Director Release 19.3, when you import a firewall policy, the IPS policy is also imported since the IPS policy is attached to the firewall policy.

Import an IPS Policy

Procedure

  1. Select Devices > Security Devices.

    The Security Devices page is displayed.

  2. Select the vsrx-18.2 device and click Import.

    The Import Configuration page is displayed.

  3. Select the firewall policy vsrx-18.2 to be imported (the IPS policy is attached to this firewall policy).
  4. Click Next.

    A summary of configuration changes to be imported is displayed.

  5. Click OK to import the device configurations.

    The Job Details page is displayed. The IPS policy (IPS-Policy-1) is also imported along with the firewall policy (vsrx-18.2).

    Click OK.

    The imported policies are displayed on the IPS Policies page and also in the firewall policy rule.

CLI Configuration in the Device (vsrx-18.2)

set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match to-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match application default
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match source-address any
set security policies global policy rule-one match destination-address any
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1

Verify the Imported Configurations in Security Director

Purpose

Verify that the device is not assigned to the imported IPS policy on the IPS Policies page. You’ll see that the device is assigned to the imported firewall policy.

Action

Procedure

  1. Select Configure > IPS Policy > Policies.

    The device is not displayed for the imported IPS policy on the IPS Policies page.

  2. Select Configure > Firewall Policy > Standard Policies.

    The imported firewall policy (vsrx-18.2) and the assigned device (vsrx-18.2) are displayed on the Standard Policies page.

  3. Click the rules for the firewall policy (vsrx-18.2).

    On the firewall policy rules (vsrx-18.2/Rules) page, you can see the imported IPS policy (IPS-Policy-1) in the Advanced Security column.
