    IDP in Logical Systems Overview

    A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system.

    This topic includes the following sections:

    IDP Policies

    The master administrator configures IDP policies at the root level. Configuring an IDP policy for logical systems is similar to configuring an IDP policy on a device that is not configured for logical systems. This can include the configuration of custom attack objects.

    Note: User logical system administrators cannot create or modify IDP policies for their user logical systems. Only the master administrator can create IDP policies and bind them to user logical systems through a logical systems security profile.

    Note: The user logical system administrator can create security zones in the user logical system and assign interfaces to each security zone. Zones that are specific to user logical systems cannot be referenced in IDP policies configured by the master administrator. The master administrator can reference zones in the master logical system in an IDP policy configured for the master logical system.

    The master administrator then specifies an IDP policy in the security profile that is bound to a logical system. To enable IDP in a logical system, the master administrator or user logical system administrator configures a security policy that defines the traffic to be inspected and specifies the permit application-services idp action.

    Although the master administrator can configure multiple IDP policies, a logical system can have only one active IDP policy at a time. For user logical systems, the master administrator can either bind the same IDP policy to multiple user logical systems or bind a unique IDP policy to each user logical system. To specify the active IDP policy for the master logical system, the master administrator can either reference the IDP policy in the security profile that is bound to the master logical system or use the active-policy configuration statement at the [edit security idp] hierarchy level.

    Note: A commit error is generated if an IDP policy is both configured in the security profile that is bound to the master logical system and specified with the active-policy configuration statement. Use only one method to specify the active IDP policy for the master logical system.
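    The following configuration fragment is an added example, not taken from this page or from Juniper, that puts the workflow above together for one user logical system. It assumes the hierarchy names system security-profile and logical-systems ls1 (not shown on this page) and uses placeholder names for the policy, profile, zones and attack group.

```junos
## Root level, master administrator: define the IDP policy.
## "<ATTACK-GROUP>" is a placeholder for a predefined attack group name.
set security idp idp-policy ls1-idp-policy rulebase-ips rule r1 match from-zone any to-zone any
set security idp idp-policy ls1-idp-policy rulebase-ips rule r1 match attacks predefined-attack-groups "<ATTACK-GROUP>"
set security idp idp-policy ls1-idp-policy rulebase-ips rule r1 then action drop-connection
set security idp idp-policy ls1-idp-policy rulebase-ips rule r1 then notification log-attacks

## Root level: reference the IDP policy in the security profile that is bound to user logical system ls1
## (assumed hierarchy; only the master administrator can do this).
set system security-profile ls1-profile idp-policy ls1-idp-policy
set system security-profile ls1-profile logical-system ls1

## User logical system ls1 (master or user logical system administrator): zones are local to ls1,
## and the security policy selects the traffic to inspect and hands it to IDP.
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy inspect match source-address any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy inspect match destination-address any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy inspect match application any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy inspect then permit application-services idp

## Master logical system: pick exactly ONE of the two ways to select the active IDP policy.
## Configuring both the security-profile idp-policy and active-policy causes a commit error.
set security idp active-policy ls1-idp-policy
```

    Since only one IDP policy can be active per logical system, check with the master administrator which policy each security profile references before changing active-policy.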

    IDP Installation and Licensing for Logical Systems

    A single IDP security package is installed for all logical systems on the device. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all logical systems.

    An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any logical system on the device.

    Note: IPv6 for IDP is not supported on logical systems.

    Published: 2012-06-29