Predefined IDP Policy Templates
Juniper Networks provides predefined policy templates that you can use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
Understanding Predefined IDP Policy Templates
Predefined policy templates are available in the templates.xls file on a secured Juniper Networks website. To start using a template, you run a command from the CLI to download this file and copy it to the /var/db/scripts/commit directory.
Each policy template contains rules that use the default actions associated with the attack objects. You should customize these templates to work on your network by selecting your own source and destination addresses and choosing IDP actions that reflect your security needs.
The client/server templates are designed for ease of use and provide balanced performance and coverage. The client/server templates include client protection, server protection, and client/server protection.
Each of the client/server templates has two device-specific versions, a 1-gigabyte (GB) version and a 2-GB version.
The 1-GB versions, labeled 1G, should be used only on devices that are limited to 1 GB of memory. If a 1-GB device loads anything other than a 1-GB policy, the device might experience policy compilation errors due to limited memory, or limited coverage. If a 2-GB device loads anything other than a 2-GB policy, the device might experience limited coverage.
Use these templates as a guideline for creating policies. We recommend that you make a copy of these templates and use the copy (not the original) for the policy. This approach allows you to make changes to the policy and to avoid future issues due to changes in the policy templates.
Table 1 summarizes the predefined IDP policy templates provided by Juniper Networks.
Table 1: Predefined IDP Policy Templates
- Client/server protection (2-GB version): Designed to protect both clients and servers. To be used on high-memory devices with 2 GB or more of memory.
- Client/server protection (1G version): Designed to protect both clients and servers. To be used on all devices, including low-memory branch devices.
- Client protection (2-GB version): Designed to protect clients. To be used on high-memory devices with 2 GB or more of memory.
- Client protection (1G version): Designed to protect clients. To be used on all devices, including low-memory branch devices.
- DMZ_Services: Protects a typical demilitarized zone (DMZ) environment.
- DNS_Service: Protects Domain Name System (DNS) services.
- File_Server: Protects file sharing services, such as Network File System (NFS), FTP, and others.
- Getting_Started: Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy-traffic live networks.
- IDP_Default: Contains a good blend of security and performance.
- Recommended: Contains only the attack objects tagged as recommended by Juniper Networks. All rules have their Actions column set to take the recommended action for each attack object.
- Server protection (2-GB version): Designed to protect servers. To be used on high-memory devices with 2 GB or more of memory.
- Server protection (1G version): Designed to protect servers. To be used on all devices, including low-memory branch devices.
- Web_Server: Protects HTTP servers from remote attacks.
To use predefined policy templates:
- Download the policy templates from the Juniper Networks website.
- Install the policy templates.
- Enable the templates.xsl script file. Commit scripts in the /var/db/scripts/commit directory are ignored if they are not enabled.
- Choose a policy template that is appropriate for you and customize it if you need to.
- Activate the policy that you want to run on the system. Activating the policy might take a few minutes. Even after a commit complete message is displayed in the CLI, the system might continue to compile and push the policy to the data plane.
- Occasionally, the compilation process might fail for a policy. In this case, the active policy shown in your configuration might not match the policy actually running on your device. Run the show security idp status command to verify the running policy. Additionally, you can view the IDP log files to verify the policy load and compilation status.
- Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Deactivating the statement adds an inactive tag to the statement, effectively commenting it out of the configuration. Statements marked inactive do not take effect when you issue the commit command.
For more information see https://kb.juniper.net/InfoCenter/index?page=content&id=KB16490.
Downloading and Using Predefined IDP Policy Templates (CLI Procedure)
Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
To download and use a predefined policy template:
- Download the script file templates.xls to the /var/db/idpd/sec-download/sub-download directory. This script file contains the predefined IDP policy templates.
  user@host> request security idp security-package download policy-templates
- Copy the templates.xls file to the /var/db/scripts/commit directory and rename it to templates.xsl.
  user@host> request security idp security-package install policy-templates
- Enable the templates.xsl script file. At commit time, the Junos OS management process (mgd) looks in the /var/db/scripts/commit directory for scripts and runs each script against the candidate configuration database to ensure the configuration conforms to the rules dictated by the scripts.
  user@host# set system scripts commit file templates.xsl
- Commit the configuration. Committing the configuration saves the downloaded templates to the Junos OS configuration database and makes them available in the CLI at the [edit security idp idp-policy] hierarchy level.
- Display the list of downloaded templates.
  user@host# set security idp active-policy ?
  Possible completions:
    <active policy>      Set active policy
    DMZ_Services
    DNS_Service
    File_Server
    Getting_Started
    IDP_Default
    Recommended
    Web_Server
- Activate the predefined policy. The following statement specifies the Recommended predefined IDP policy as the active policy:
  user@host# set security idp active-policy Recommended
- Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Run one of the following commands:
  user@host# delete system scripts commit file templates.xsl
  user@host# deactivate system scripts commit file templates.xsl
- If you are finished configuring the device, commit the configuration.
- You can verify the configuration by using the show security idp status command. For more information, see the Junos OS CLI Reference.
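The two checks the procedure ends with (the running policy may lag or differ from the configured active policy when compilation fails, and the commit script must be deleted or deactivated so a later commit does not overwrite customized templates) can be automated against captured CLI output. This is an added example, not Juniper's code; the line layout of the show security idp status output and of the scripts stanza is assumed from typical Junos display conventions and the sample texts are constructed.

```python
import re

# Constructed sample outputs (not from this page). The "Policy Name" line
# and the "inactive:" marker follow typical Junos display conventions;
# adjust the patterns if your release prints them differently.
STATUS_OK = """\
State of IDP: Default,  Up since: 2010-02-04 13:37:16 UTC (17:15:03 ago)
Packets/second: 5                Peak: 11 @ 2010-02-05 06:51:58 UTC
  Policy Name : Recommended
  Running Detector Version : 10.4.140100209
"""
# Compilation failed after the change: the data plane still runs the old policy.
STATUS_STALE = STATUS_OK.replace("Policy Name : Recommended",
                                 "Policy Name : Getting_Started")

SCRIPTS_ACTIVE = "commit {\n    file templates.xsl;\n}\n"
SCRIPTS_DEACTIVATED = "commit {\n    inactive: file templates.xsl;\n}\n"

POLICY_LINE = re.compile(r"^\s*Policy Name\s*:\s*(\S+)", re.MULTILINE)
SCRIPT_LINE = re.compile(r"^\s*(inactive:\s*)?file\s+templates\.xsl;", re.MULTILINE)


def running_policy(status_output):
    """Policy name reported by 'show security idp status', or None if absent."""
    m = POLICY_LINE.search(status_output)
    return m.group(1) if m else None


def check_active_policy(configured, status_output):
    """True only when the data plane runs the policy configured as active."""
    running = running_policy(status_output)
    return running is not None and running == configured


def template_script_still_armed(scripts_config):
    """True when templates.xsl is listed and not marked inactive, i.e. the
    next commit would re-run it and overwrite customized templates."""
    m = SCRIPT_LINE.search(scripts_config)
    return m is not None and m.group(1) is None


def post_activation_report(configured, status_output, scripts_config):
    """Combine both checks into a list of findings; empty means all good."""
    findings = []
    if not check_active_policy(configured, status_output):
        findings.append(f"configured active-policy {configured} but running "
                        f"{running_policy(status_output)}")
    if template_script_still_armed(scripts_config):
        findings.append("commit script templates.xsl still enabled; delete or deactivate it")
    return findings


if __name__ == "__main__":
    print(post_activation_report("Recommended", STATUS_OK, SCRIPTS_DEACTIVATED))
    print(post_activation_report("Recommended", STATUS_STALE, SCRIPTS_ACTIVE))
```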