Understanding IPS Policies
An Intrusion prevention system (IPS) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IPS-enabled device. There are two types of policy options:
Group Policy—select this option, when you want to push a configuration to a group of devices. You can create rules for a group policy.
During a device assignment for a group policy, only devices from the current and child domains (with view parent enabled) are listed. Devices in the child domain with view parent disabled are not listed. Not all the group policies of the Global domain are visible in the child domain. Group policies of the Global domain (including All device policy) are not visible to the child domain, if the view parent of that child domain is disabled. Only the group policies of the Global domain, which has devices from the child domain assigned to it, are visible in the child domain. If there is a group policy in global domain with devices from both D1 and the Global domains assigned to it, only this group policy of the Global domain is visible in the D1 domain along with only the D1 domain devices. No other devices, that is the Device-Exception policy, of the Global domain is visible in the D1 domain.
You cannot edit a group policy of the Global domain from the child domain. This is true for All Devices policy as well. Modifying the policy, deletion of the policy, managing a snapshot, snapshot policy and acquiring the policy lock is also not allowed. Similarly, you cannot perform these actions on the Device-Exception policy of the D1 domain from the Global domain. You can prioritize group policies from the current domain. Group policies from the other domains are not listed.
Device Policy—Select this option, when you want to push a unique IPS policy configuration per device. You can create device rules for a device IPS policy.
Security Director views a logical system or tenant system like it does any other security device, and it takes ownership of the security configuration of the logical system or tenant system. In Security Director, each logical system or tenant system is managed as a unique security device.
During a device assignment for a device policy, only devices from the current domain are listed.
If Security Director discovers the root logical system, the root LSYS discovers all other user LSYS and TSYS inside the device.
An IPS policy consists of rulebases and each rulebase contains a set of rules. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.
An IPS rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies.
An exempt rulebase works in conjunction with the IPS rulebase. You must have rules in the IPS rulebase before you can create exempt rules. If traffic matches a rule in the IPS rulebase, the IPS policy attempts to match the traffic against the exempt rulebase before performing the specified action or creating a log record for the event. If the IPS policy detects traffic that matches the source or destination pair and the attack objects specified in the exempt rulebase, it automatically exempts that traffic from attack detection.
Configure an exempt rulebase in the following conditions:
When an IPS rule uses an attack object group that contains one or more attack objects that produce false positives or irrelevant log records.
When you want to exclude a specific source, destination, or source-destination pair from matching an IPS rule. This prevents IPS from generating unnecessary alarms.
After you create an IPS policy by adding rules in one or more rulebases, you can publish or update the policy. You can also view a list of security devices with IPS policies assigned to them. This list assists you in viewing the details of all the IPS policies and rules assigned per device.
IPS Policy Support for Unified and Standard Firewall Policy
Starting in Junos Space Security Director Release 19.3, you can assign IPS policy to the standard and unified firewall policies. With the support of IPS policy within firewall policy:
All the IPS matches will now be handled within the standard or unified firewall policies unless explicit source, destination, or application is defined in the IPS policy.
You need not configure source or destination address, source and destination-except, from and to zone, or application, as the match happens in the firewall policy. However, you can configure match conditions in IPS policy to achieve additional granularity.
Initial firewall policy match might result in single or multiple policy matches. As a part of session interest check, IPS will be enabled if IPS policy is present in any of the matched rules.
For devices with Junos OS Release 18.2, single IPS policy is supported in the firewall policy rules. For devices with Junos OS Release 18.3 onward, multiple IPS policies are supported in the firewall policy rules.
If you have configured a traditional firewall policy (with 5-tuples matching condition or dynamic-application configured as none) and an unified policy (with 6-tuple matching condition), the traditional firewall policy matches the traffic first, prior to the unified policy.
When you configure a unified policy with a dynamic application as one of the matching condition, the configuration eliminates the additional steps involved in IPS policy configuration. All the IPS policy configurations are handled within the unified firewall policy and simplifies the task of configuring IPS policy to detect any attack or intrusions for a given session.
From Junos OS Release 18.2 onward, the CLI configuration for IPS policy is generated along with the standard or unified firewall policy, to which the IPS policy is attached.
Multiple IPS Policies for Unified and Standard Firewall Policies
When an SRX Series device is configured with standard and unified firewall policies, you can configure multiple IPS policies and set one of those policies as the default policy. If multiple IPS policies are configured for a session and when policy conflict occurs, the device applies the default IPS policy for that session and thus resolves any policy conflicts.
If you have configured two or more IPS policies in a firewall policy, then you must configure the default IPS policy.
The initial security policy lookup phase, which occurs prior to a dynamic application being identified, might result in multiple potential policy matches. IPS is enabled on the session if at least one of the matched security policies have an IPS policy configured.
If only one IPS policy is configured in the potential policy list, then that IPS policy is applied for the session. If there are multiple IPS policies configured for a session in the potential policy list, then the SRX Series device applies the IPS policy that is configured as the default IPS policy.
IPS in Logical Systems
Starting in Junos Space Security Director Release 20.1R1, an IPS policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system (LSYS).
You can configure IPS policies at the root level. Configuring an IPS policy for LSYS is similar to configuring an IPS policy on a device that is not configured for LSYS. This can include the configuration of custom attack objects. IPS policy templates installed in root LSYS are visible and used by all LSYS. Specify an IPS policy in the security profile that is bound to a LSYS. Although you can configure multiple IPS policies, a LSYS can have only one active IPS policy at a time. For user LSYS, you can either bind the same IPS policy to multiple user LSYS or bind a unique IPS policy to each user LSYS.
If you have configured more than one IPS policy in a security policy, then configuring default IPS policy configuration is mandatory. If the IPS policy is not configured for a user LSYS, the default IPS policy configured is used.
You must install the IPS signature license at the root level. Once IPS is enabled at the root level, it can be used with any LSYS on the device. A single IPS security package is installed for all LSYS on the device at the root level. The download and install options can only be executed at the root level. The same version of the IPS attack database is shared by all LSYS.
Devices running Junos OS Release 18.3 onward supports IPS for Logical System.
To configure IPS policy in a firewall policy and to import a
firewall policy that has IPS policy configured, see the In Focus Guide