    Configuring the IPS Policy on SRX Series Devices Using NSM

    This topic covers a basic SRX Series device IPS security policy configuration using NSM.

    Note: This example uses the same network setup, same IPS, and same firewall security policies as described in IPS Configuration (CLI).

    Before you configure an IPS deployment, make sure you have:

    • Identified the recommended release.
    • Selected the management platform. IPS on SRX Series devices can be fully managed through the CLI, Junos Space Security Director, NSM, or J-Web. This example focuses on configuring IPS using NSM.
    • Ensured, before starting the IPS policy configuration, that an initial networking configuration exists and that an administrator has full access to the SRX Series device.

    There are two possible approaches for configuring an SRX Series device IPS security policy with NSM.

    • Configure basic setup through the CLI and import the device with the policy into NSM.
    • Configure both the firewall and the IPS security policy from NSM entirely from within one of the following device policy management modes:
      • Central Policy Mode (Policy at NSM level applicable to any selected device. This is the default mode.)
      • In-Device Policy Mode (Policy at device level and applicable to the actual device that is accessed and edited through the configuration details.)

    Note: When you update the SRX Series device in Central Policy Mode, the security policy from the Policy Manager is pushed.

    When you update the SRX Series device in In-Device Policy Mode, the security policy as configured under the hierarchy security->idp->idp policy is pushed.

    The SRX Series device is imported into NSM with a CLI-based configuration.

    Figure 1: SRX Series Device Deployment


    Configuring the IPS Policy by Importing the SRX Series Device into NSM

    The following steps show how to configure an IPS policy using the CLI to set up a basic policy and import the SRX Series device with the policy into NSM:

    1. Add the new device. Select Existing and Not Reachable for the device.
    2. Select device specifications such as:
      • Device Name
      • Color
      • OS Name
      • JUNOS OS Type
      • Platform
      • Managed OS Version
    3. Configure the SRX Series device to connect to NSM.
    4. From the console, configure the SRX Series device by entering the following commands:
      user@host# set system services outbound-ssh client nsm device-id EEC4B8
      user@host# set system services outbound-ssh client nsm secret <one-time-password>
      user@host# set system services outbound-ssh client nsm port 7804
      user@host# set system services outbound-ssh client nsm services netconf
    5. Import the device.

      Note: Importing the device by default imports it in the Central Policy Mode and, as a part of the process, imports the currently configured security policy on that device into the NSM policy tree.

      If a security policy with the same name already exists in the NSM database (from a previous import), a new, incrementally numbered policy will be created at each import (SRX-host-abc-idp-policy_1, SRX-host-abc-idp-policy_2, and so on).

      If there is no security policy configured on the SRX Series device, no policy is imported, and the administrator will have to configure a security policy either from the CLI or from NSM.

    6. Configure the security policy.

      After successfully importing the device, the administrator can create a new security policy or tune or change the existing policy, and then deploy the changes and updates using the standard Update Device procedure described below.

      This procedure describes security policy configuration and deployment through Central Policy Mode. Policy SRX-Recommended will be created (based on the Recommended security policy template) and applied to the SRX Series device.

      Note: If the device being imported does not match the Detector Engine information in the NSM database, the security policy update will fail.

      1. Reconcile the inventory.

        When importing a new device, or after any configuration change that results in a hardware or software mismatch between the information stored in NSM and the device itself, you must reconcile the inventory. Updating the policy on a device that is out of sync results in an inventory reconcile failure.

        To bring a device in sync from the NSM:

        • Right-click the device and select View/Reconcile Inventory.
        • Select Refresh, which opens a new window and displays any mismatched items (highlighted).
        • Select Reconcile to update the database information. Once successful, selecting Reconcile again will show the inventory without any highlighted items.
      2. Update the IDP Protocol Detector Engine.

        If the IDP Protocol Detector Engine on the SRX Series device does not match the Detector Engine on the NSM prior to pushing the policy, you will need to correct this situation as follows:

        • To check the Detector Engine version installed on NSM, select Attack Update Manager and select IDP-SRX Detector Engine version.
        • If the Detector Engine version does not match, a failure message is displayed when attempting to update the device.

          To fix this situation, you need to bring both NSM and the SRX Series device into sync. Although it is possible to roll back a couple of versions on the NSM, we recommend that you download and install the most recent security package from the SRX Series CLI. For more details on how to update security packages, see Managing the IPS Signature Database (CLI).
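      The following is an added example, not Juniper's or NSM's own tooling: a small Python pre-import check that parses "set"-style configuration lines (the constructed sample below mirrors the step 4 commands, with a placeholder secret) and reports whether the NSM outbound-ssh client stanza carries all four required settings and whether any IDP policy exists under security idp idp-policy, which decides whether step 5 imports a policy at all.

```python
"""Pre-import check for an SRX Series device about to be managed by NSM.

Added example (not Juniper's code). Parses 'set ...' configuration lines,
verifies the outbound-ssh client stanza for NSM, and lists IDP policies.
"""
import re

NSM_PORT = "7804"  # outbound-ssh port used in the procedure above


def parse_set_commands(text):
    """Return 'set' statements with the 'set ' keyword and any CLI prompt removed."""
    stmts = []
    for raw in text.splitlines():
        line = re.sub(r"^\S+# ", "", raw.strip())  # drop a prompt such as 'user@host# '
        if line.startswith("set "):
            stmts.append(line[4:])
    return stmts


def check_nsm_outbound_ssh(stmts, client="nsm"):
    """Report which of the four required outbound-ssh settings are present."""
    prefix = f"system services outbound-ssh client {client} "
    client_stmts = [s[len(prefix):] for s in stmts if s.startswith(prefix)]
    findings = {
        "device_id": any(s.startswith("device-id ") for s in client_stmts),
        "secret": any(s.startswith("secret ") for s in client_stmts),
        "port": f"port {NSM_PORT}" in client_stmts,
        "netconf": "services netconf" in client_stmts,
    }
    findings["ready"] = all(findings.values())  # device can connect to NSM only if all four exist
    return findings


def idp_policies(stmts):
    """Names of policies under 'security idp idp-policy'; an empty list means nothing to import."""
    names = {m.group(1) for s in stmts if (m := re.match(r"security idp idp-policy (\S+)", s))}
    return sorted(names)


# Constructed sample: step 4 commands with the 'port 7804' line deliberately left out.
SAMPLE = """\
user@host# set system services outbound-ssh client nsm device-id EEC4B8
user@host# set system services outbound-ssh client nsm secret PLACEHOLDER-ONE-TIME-PASSWORD
user@host# set system services outbound-ssh client nsm services netconf
user@host# set security idp idp-policy SRX-host-abc-idp-policy rulebase-ips rule r1 match application default
"""

if __name__ == "__main__":
    stmts = parse_set_commands(SAMPLE)
    print(check_nsm_outbound_ssh(stmts))  # 'port' and 'ready' are False for the sample
    print(idp_policies(stmts))
```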

    Configuring the IPS Policy from Central Policy Mode

    To configure the IPS policy from Central Policy Mode, follow these steps:

    1. Select Firewall/VPN Devices with IDP as the device model.
    2. Select Recommended (predefined) policy as the template.
    3. Assign the policy to the SRX Series device. A security policy with firewall and IPS rule bases is automatically created and gets associated with the SRX Series device.
    4. Configure firewall zones. You can configure the policy for traffic between existing zones on the device.

      Once you are satisfied with the configuration, push your policy by right-clicking the device and selecting Update Device.

    Configuring the IPS Policy from In-Device Policy Mode

    When the device is in In-Device Policy Mode, an administrator can configure a device-level configuration as described in IPS Configuration (CLI).

    Security policy and other configuration setting changes performed through the Device Manager apply to that device only and are applied only when the device is in In-Device Policy Mode. If the device is in Central Policy Mode, these changes are not applied.

    Switching from one mode to another imports the device configuration from the device into the NSM. The following steps provide an overview of how to set the security policy through the Device Manager in In-Device Policy Mode.

    1. Access configuration details.
    2. Configure interfaces.
    3. Configure security zones.
    4. Assign interfaces to security zones.
    5. Create a firewall policy and associate the IPS services.
    6. Select a default firewall policy.
    7. Configure the IPS policy.
    8. Set traceoptions.
    9. Set logging.
    10. Update the device.

    Modified: 2015-06-11