
    Example: Configuring IDP Applications Sets

    This example shows how to create an application set and associate it with an IDP policy.

    Requirements

    Before you begin:

    Overview

    To configure an application set, you add predefined or custom applications separately to an application set and assign a meaningful name to the application set. Once you name the application set, you specify the name as part of the policy. For this policy to apply to a packet, the packet must match any one of the applications included in this set.

    This example describes how to create an application set called SrvAccessAppSet and associate it with IDP policy ABC. The application set SrvAccessAppSet combines three applications. Instead of specifying three applications in the policy rule, you specify one application set. If all of the other criteria match, any one of the applications in the application set serves as valid matching criteria.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set applications application-set SrvAccessAppSet application junos-ssh
    set applications application-set SrvAccessAppSet application junos-telnet
    set applications application-set SrvAccessAppSet application cust-app
    set security idp idp-policy ABC rulebase-ips rule ABC match application SrvAccessAppSet
    set security idp idp-policy ABC rulebase-ips rule ABC then action no-action
    set security idp active-policy ABC

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To create an application set and associate it with an IDP policy:

    1. Create an application set and include three applications in the set.
      [edit applications application-set SrvAccessAppSet]
      user@host# set application junos-ssh
      user@host# set application junos-telnet
      user@host# set application cust-app
    2. Create an IDP policy.
      [edit]
      user@host# edit security idp idp-policy ABC
    3. Associate the application set with an IDP policy.
      [edit security idp idp-policy ABC]
      user@host# set rulebase-ips rule ABC match application SrvAccessAppSet
    4. Specify an action for the policy.
      [edit security idp idp-policy ABC]
      user@host# set rulebase-ips rule ABC then action no-action
    5. Activate the policy.
      [edit]
      user@host# set security idp active-policy ABC

    Results

    From configuration mode, confirm your configuration by entering the show security idp and show applications commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    idp-policy ABC {
        rulebase-ips {
            rule R1 {
                match {
                    application SrvAccessAppSet;
                }
                then {
                    action {
                        no-action;
                    }
                }
            }
        }
    }
    active-policy ABC;

    [edit]
    user@host# show applications
    application-set SrvAccessAppSet {
        application ssh;
        application telnet;
        application custApp;
    }

    If you are done configuring the device, enter commit from configuration mode.
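Before committing, the set commands can be checked offline for dangling references between the application set, the IDP rule, and the active policy. The following Python check is an added example, not part of the Juniper documentation; the function name `lint_idp_config` is hypothetical, and it assumes that names beginning with `junos-` are predefined applications while any other set member needs its own `set applications application <name> ...` definition.

```python
import re

# Constructed sample: the quick-configuration commands from this example.
SAMPLE = """\
set applications application-set SrvAccessAppSet application junos-ssh
set applications application-set SrvAccessAppSet application junos-telnet
set applications application-set SrvAccessAppSet application cust-app
set security idp idp-policy ABC rulebase-ips rule ABC match application SrvAccessAppSet
set security idp idp-policy ABC rulebase-ips rule ABC then action no-action
set security idp active-policy ABC
"""

APP_SET = re.compile(r"^set applications application-set (\S+) application (\S+)$")
APP_DEF = re.compile(r"^set applications application (\S+)(?: |$)")
IDP_RULE = re.compile(r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) (.+)$")
ACTIVE = re.compile(r"^set security idp active-policy (\S+)$")

def lint_idp_config(text):
    """Return sorted findings for unresolved references in set-format config."""
    sets, defined, policies, rules, active = {}, set(), set(), [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := APP_SET.match(line):
            sets.setdefault(m[1], []).append(m[2])
        elif m := APP_DEF.match(line):
            defined.add(m[1])
        elif m := IDP_RULE.match(line):
            policies.add(m[1])
            if m[3].startswith("match application "):
                rules.append((m[1], m[2], m[3].split()[-1]))
        elif m := ACTIVE.match(line):
            active = m[1]
    # Assumption: "junos-" names are predefined; custom names must be defined.
    def known(name):
        return name.startswith("junos-") or name in defined
    findings = []
    for set_name, members in sets.items():
        findings += [f"application-set {set_name}: member {app} is not defined"
                     for app in members if not known(app)]
    for policy, rule, app in rules:
        if app not in sets and not known(app) and app not in ("any", "default"):
            findings.append(f"policy {policy} rule {rule}: application {app} is not defined")
    if active is None:
        findings.append("no active-policy configured")
    elif active not in policies:
        findings.append(f"active-policy {active} is not a configured idp-policy")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(lint_idp_config(SAMPLE)))
```

Run against the quick-configuration commands alone, the check reports that the custom application cust-app has no definition in the pasted text, so that definition has to exist elsewhere in the configuration.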

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Configuration

    Purpose

    Verify that the application set was associated with the IDP policy.

    Action

    From operational mode, enter the show security idp status command.

    Published: 2012-06-29