Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Predefined IDP Policy Templates

 

Juniper Networks provides predefined policy templates that you can use as a starting point for creating your own policies. Each template is set of rules of a specific rulebase type that you can copy and then update according to your requirements.

Understanding Predefined IDP Policy Templates

Predefined policy templates are available in the templates.xls file on a secured Juniper Networks website. To start using a template, you run a command from the CLI to download and copy this file to a /var/db/scripts/commit directory.

Each policy template contains rules that use the default actions associated with the attack objects. You should customize these templates to work on your network by selecting your own source and destination addresses and choosing IDP actions that reflect your security needs.

The client/server templates are designed for ease of use and provide balanced performance and coverage. The client/server templates include client protection, server protection, and client/server protection.

Each of the client/server templates has two versions that are device specific, a 1-gigabyte (GB) version and a 2-GB version.

Note

The 1-gigabyte versions labeled 1G should only be used for devices that are limited to 1 GB of memory. If a 1-GB device loads anything other than a 1-GB policy, the device might experience policy compilation errors due to limited memory or limited coverage. If a 2-GB device loads anything other than a 2-GB policy, the device might experience limited coverage.

Use these templates as a guideline for creating policies. We recommend that you make a copy of these templates and use the copy (not the original) for the policy. This approach allows you to make changes to the policy and to avoid future issues due to changes in the policy templates.

Table 1 summarizes the predefined IDP policy templates provided by Juniper Networks.

Table 1: Predefined IDP Policy Templates

Template Name

Description

Client-And-Server-Protection

Designed to protect both clients and servers. To be used on high memory devices with 2 GB or more of memory.

Client-And-Server-Protection-1G

Designed to protect both clients and servers. To be used on all devices, including low-memory branch devices.

Client-Protection

Designed to protect clients. To be used on high memory devices with 2 GB or more of memory.

Client-Protection-1G

Designed to protect clients. To be used on all devices, including low-memory branch devices.

DMZ Services

Protects a typical demilitarized zone (DMZ) environment.

DNS Server

Protects Domain Name System (DNS) services.

File Server

Protects file sharing services, such as Network File System (NFS), FTP, and others.

Getting Started

Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy traffic live networks.

IDP Default

Contains a good blend of security and performance.

Recommended

Contains only the attack objects tagged as recommended by Juniper Networks. All rules have their Actions column set to take the recommended action for each attack object.

Server-Protection

Designed to protect servers. To be used on high memory devices with 2 GB or more of memory.

Server-Protection-1G

Designed to protect servers. To be used on all devices, including low-memory branch devices.

Web Server

Protects HTTP servers from remote attacks.

To use predefined policy templates:

  1. Download the policy templates from the Juniper Networks website.

  2. Install the policy templates.

  3. Enable the templates.xls script file. Commit scripts in the /var/db/scripts/commit directory are ignored if they are not enabled.

  4. Choose a policy template that is appropriate for you and customize it if you need to.

  5. Activate the policy that you want to run on the system. Activating the policy might take a few minutes. Even after a commit complete message is displayed in the CLI, the system might continue to compile and push the policy to the data plane.

    Note

    Occasionally, the compilation process might fail for a policy. In this case, the active policy showing in your configuration might not match the actual policy running on your device. Run the show security idp status command to verify the running policy. Additionally, you can view the IDP log files to verify the policy load and compilation status.

  6. Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Deactivating the statement adds an inactive tag to the statement, effectively commenting out the statement from the configuration. Statements marked inactive do not take effect when you issue the commit command.

For more information see https://kb.juniper.net/InfoCenter/index?page=content&id=KB16490.

Downloading and Using Predefined IDP Policy Templates (CLI Procedure)

Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

To download and use a predefined policy template:

  1. Download the script file templates.xls to the/var/db/idpd/sec-download/sub-download directory. This script file contains predefined IDP policy templates.
  2. Copy the templates.xls file to the /var/db/scripts/commit directory and rename it to templates.xsl.
  3. Enable the templates.xsl scripts file. At commit time, the Junos OS management process (mgd) looks in the /var/db/scripts/commit directory for scripts and runs the script against the candidate configuration database to ensure the configuration conforms to the rules dictated by the scripts.
  4. Commit the configuration. Committing the configuration saves the downloaded templates to the Junos OS configuration database and makes them available in the CLI at the [edit security idp idp-policy] hierarchy level.
  5. Display the list of downloaded templates.
    user@host#set security idp active-policy ?
  6. Activate the predefined policy. The following statement specifies the Recommended predefined IDP policy as the active policy:
  7. Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Run one of the following commands:
  8. If you are finished configuring the device, commit the configuration.
  9. You can verify the configuration by using the show security idp status command. For more information, see the Junos OS CLI Reference.

Related Documentation