Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Enabling IDP in a Security Policy

    This example shows how to configure two security policies to enable IDP services on all traffic flowing in both directions on the device.

    Requirements

    Before you begin:

    Overview

    For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect. Security policies contain rules defining the types of traffic permitted on the network and the way that the traffic is treated inside the network. Enabling IDP in a security policy directs traffic that matches the specified criteria to be checked against the IDP rulebases.

    Note: IDP feature is enabled by default, no license is required. Custom attacks and custom attack groups in IDP policies can also be configured and installed even when a valid license and signature database are not installed on the device.

    To allow transit traffic to pass through without IDP inspection, specify a permit action for the rule without enabling the IDP application services. Traffic matching the conditions in this rule passes through the device without IDP inspection.

    This example shows how to configure two policies, idp-app-policy-1 and idp-app-policy-2, to enable IDP services on all traffic flowing in both directions on the device. The idp-app-policy-1 policy directs all traffic flowing from previously configured Zone1 to Zone2 to be checked against IDP rulebases. The idp-app-policy-2 policy directs all traffic flowing from Zone2 to Zone1 to be checked against IDP rulebases.

    Note: The action set in the security policy action must be permit. You cannot enable IDP for traffic that the device denies or rejects.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 match source-address any destination-address any application any set security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1 then permit application-services idpset security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 match source-address any destination-address any application anyset security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2 then permit application-services idp

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To enable IDP services on all traffic flowing in both directions on the device:

    1. Create a security policy for the traffic flowing in one direction.
      [edit security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1]user@host# set match source-address any destination-address any application any
    2. Specify the action to be taken on traffic that matches conditions specified in the policy.
      [edit security policies from-zone Zone1 to-zone Zone2 policy idp-app-policy-1]user@host# set then permit application-services idp
    3. Create another security policy for the traffic flowing in the other direction.
      [edit security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2]user@host# set match source-address any destination-address any application any
    4. Specify the action to be taken on traffic that matches the conditions specified in the policy.
      [edit security policies from-zone Zone2 to-zone Zone1 policy idp-app-policy-2]user@host# set then permit application-services idp

    Results

    From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]user@host# show security policiesfrom-zone Zone1 to-zone Zone2 {policy idp-app-policy-1 {match {source-address any;destination-address any;application any;}then {permit {application-services {idp;}}}}}from-zone Zone2 to-zone Zone1 {policy idp-app-policy-2 {match {source-address any;destination-address any;application any;}then {permit {application-services {idp;}}}}}

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Configuration

    Purpose

    Verify that the security policy configuration is correct.

    Action

    From operational mode, enter the show security policies command.

    Published: 2012-06-29