Understanding IDP Migration


This topic provides details on installing and configuring IDP.

For more information, see the following topics:

Initial Configuration Overview

Enabling a fully functional IPS service on SRX Series Services Gateways includes the following basic configuration steps:

Basic Configurations

  1. Configure basic networking, security, and access components (in most cases this will already be configured).
  2. Configure and activate IPS policy.
  3. Configure firewall policy to associate specific rules with IPS.
  4. Download attack objects including sensor updates.
  5. Configure logging.
  6. Update security-package.
  7. Verify configuration and test functionality.

Initial Configuration Assumptions

Before starting the IPS policy configuration, this document assumes that an initial networking configuration exists and that an admin user has full access to the SRX Series. Initial device configuration on our sample system is as follows:

Note

Throughout this document we provide commands required to configure specific features; however, in order to activate associated functionality, configuration changes need to be successfully committed (using the commit command).

This feature requires a license. To learn more about the IPS license, see Installing the IPS License (CLI). Refer to the Juniper Licensing Guide for general information about license management. Refer to the product data sheets at SRX Series Services Gateways for details, or contact your Juniper Account Team or Juniper Partner.

IPS Configuration (CLI)

Configuring Interfaces

  1. Display current interfaces (this assumes the interfaces have been properly cabled).
  2. Configure forwarding interfaces.
  3. Verify the configuration.

Configuring Security Zones

  1. Configure security zones.
    1. Display existing zones:

    2. Configure zones abc-trust and abc-untrust and assign interfaces accordingly.

  2. Verify the configuration.

Configuring IPS Security Policy

  1. Configure IPS policy abc-idp-policy.

    The simple configuration in this section involves setting up one rule looking for all critical attacks and, in case a match is found, dropping the associated connection, setting that event as critical and logging it with an alert. The second rule is configured to look for major attacks and to perform a recommended action upon detecting a severe attack, as well as logging the event.

    Note

    Logging means sending a system log (syslog) message to an appropriate, preconfigured syslog server. Logging configuration steps are provided in subsequent sections.

  2. Verify IPS policy abc-idp-policy.
  3. Set trace options.
    1. To provide detailed IPS process event information (policy compilation results, policy loading results, DFA matches, and so on) for further system analysis, tuning, and easier troubleshooting, it is highly recommended to enable trace options. The following example configures the trace to write all security events at all debug levels (error, info, notice, verbose, and warning). If no trace filename is specified, the trace is written to the file named after the process being traced, which for IDP is /var/log/idpd:
    2. For this example, we limit the file size to 100 MB. The process writes to this file until it reaches 100 MB, then renames it to idpd.0 and continues with a new idpd. The default number of files is 3; once they are exhausted, the oldest file (idpd.2) is overwritten.
  4. Verify trace options settings.
  5. Activate IPS policy.
  6. Verify active IPS policy.

Note

To deploy IPS policy on the SRX Series devices, one more step is required—configuring firewall security policy to identify which traffic is to be processed by the IPS service. This is described in the following section.
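The two-rule policy, trace options, and activation described in the steps above, written out as Junos set commands. This is an added example, not configuration from the original page; the predefined attack-group names "Critical" and "Major" are placeholders that must be checked against the group names shipped in the installed signature package.

```junos
# Added example. Rule 1: any critical attack -> drop the connection, mark the
# event critical, and log it with an alert.
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match from-zone any to-zone any
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match source-address any destination-address any
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match application default
# Placeholder group name: verify against the installed signature package.
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match attacks predefined-attack-groups "Critical"
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then severity critical
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then notification log-attacks alert

# Rule 2: any major attack -> take the attack object's recommended action and log it.
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match from-zone any to-zone any
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match source-address any destination-address any
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match application default
# Placeholder group name: verify against the installed signature package.
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match attacks predefined-attack-groups "Major"
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then action recommended
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then notification log-attacks

# Trace options: no file name, so output goes to /var/log/idpd; 100 MB per file,
# all flags, all levels. Rotation keeps the default number of files.
set security idp traceoptions file size 100m
set security idp traceoptions flag all
set security idp traceoptions level all

# Make the policy the active one. Nothing takes effect until "commit".
set security idp active-policy abc-idp-policy
```

Rule order matters: a session that matches rule 1 is dropped before rule 2 is evaluated, so place the most severe match first. After the commit, "show security idp status" confirms that the active policy loaded.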

Configuring Firewall Security Policy

For traffic entering the SRX Series device to be processed by the IPS security policy, the firewall security policy needs to be configured accordingly.

The following steps configure the firewall security policy and finalize the Intrusion Prevention System configuration on the SRX Series gateway. The result is that traffic between security zones abc-untrust and abc-trust is inspected by IPS security policy abc-idp-policy.

  1. Ensure that the system is configured with the default policy denying all traffic. This means traffic is denied throughout the gateway unless specifically allowed by firewall security policy.
  2. Configure policy.
  3. Verify configuration.
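The firewall policy that hands abc-untrust to abc-trust traffic to the IPS service, as an added example rather than configuration from the original page. It assumes the zones abc-trust and abc-untrust from the earlier section already exist; the policy name abc-untrust-to-trust is chosen here.

```junos
# Added example. Step 1: deny everything that no explicit policy permits.
set security policies default-policy deny-all

# Step 2: permit abc-untrust -> abc-trust and attach the IPS service.
# Only sessions permitted by a policy carrying "application-services idp"
# are inspected; traffic matched by any other permit policy bypasses IPS.
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust match source-address any
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust match destination-address any
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust match application any
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust then permit application-services idp
# Session logs make it possible to correlate IPS attack logs with the flow that triggered them.
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust then log session-init
set security policies from-zone abc-untrust to-zone abc-trust policy abc-untrust-to-trust then log session-close
```

Inspection is bound to the zone pair, so traffic initiated from abc-trust toward abc-untrust needs its own from-zone/to-zone policy with the same application-services statement if it is to be inspected as well.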

IPS Logging

IPS generates event logs when an event matches an IPS policy rule in which logging is enabled. When you configure a rule for logging, the device creates a log entry for each event that matches that rule.

When configured to do so, the IPS service sends events that match a policy entry to the logging server directly from the data plane, using an emulated source IP address, encapsulated in UDP on port 514.

Configure logging:

  1. Configure the data-plane interface from which syslog messages are sent:
  2. Choose the format (standard or structured format).
  3. Set the emulated source IP address (interface cannot be fxp0).
  4. Set severity.
  5. Indicate the syslog server IP address (to which logs are sent via 514/udp).
  6. Verify log configuration.
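The data-plane logging setup from the six steps above, as an added example that is not part of the original page. The addresses are constructed placeholders: 10.0.0.1 is the emulated source address on a revenue interface (ge-0/0/1 here, never fxp0) and 10.0.0.50 is the syslog collector; the stream name abc-ips-stream is chosen for this example.

```junos
# Added example. Step 1: the data-plane interface whose address will be the
# emulated syslog source (placeholder address).
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.1/24

# Step 2: stream mode sends events straight from the data plane;
# sd-syslog is the structured format, "syslog" would be the standard one.
set security log mode stream
set security log format sd-syslog

# Step 3: emulated source address; must not be on fxp0.
set security log source-address 10.0.0.1

# Step 4: minimum severity forwarded on this stream.
set security log stream abc-ips-stream severity info

# Step 5: collector address; UDP port 514 is the default, stated explicitly here.
set security log stream abc-ips-stream host 10.0.0.50
set security log stream abc-ips-stream host port 514
```

Because the events leave via the data plane, the collector must be reachable from the forwarding path rather than through the management interface, and a security policy that blocks 10.0.0.1 to 10.0.0.50 on UDP 514 will silently drop the attack logs.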
