
    Example: Configuring Security Packet Capture

    This example shows how to configure the security packet capture.

    Requirements

    Before you begin, configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.

    Overview

    In this example, you configure a packet capture for rule 1 of policy pol0. The rule specifies that, if an attack occurs, 10 packets before the attack and 3 packets after the attack will be captured, and that the post-attack capture should time out after 60 seconds. The sensor configuration is modified to allocate 5 percent of available memory and 15 percent of the IDP sessions to packet capture. When the packet capture object is prepared, it is transmitted from device 10.56.97.3 to port 5 on device 10.24.45.7.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security idp idp-policy pol0 rulebase-ips rule 1 then notification packet-log pre-attack 10 post-attack 3 post-attack-timeout 60
    set security idp sensor-configuration packet-log total-memory 5 max-sessions 15 source-address 10.56.97.3 host 10.24.45.7 port 5

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure the security packet capture:

    1. Navigate to the notification level for rule 1 of policy pol0 in the configuration hierarchy.
      [edit]
      user@host# edit security idp idp-policy pol0 rulebase-ips rule 1 then notification
    2. Define the size and timing constraints for each packet capture.
      [edit security idp idp-policy pol0 rulebase-ips rule 1 then notification]
      user@host# set packet-log pre-attack 10 post-attack 3 post-attack-timeout 60
    3. Navigate to the security idp sensor-configuration level in the configuration hierarchy.
      [edit]
      user@host# edit security idp sensor-configuration
    4. Allocate the device resources to be used for packet capture.
      [edit security idp sensor-configuration]
      user@host# set packet-log total-memory 5 max-sessions 15
    5. Identify the source and host devices for transmitting the packet-capture object.
      [edit security idp sensor-configuration]
      user@host# set packet-log source-address 10.56.97.3 host 10.24.45.7 port 5

    Results

    From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    idp-policy pol0 {
        rulebase-ips {
            rule 1 {
                then {
                    notification {
                        packet-log {
                            pre-attack 10;
                            post-attack 3;
                            post-attack-timeout 60;
                        }
                    }
                }
            }
        }
    }
    sensor-configuration {
        packet-log {
            total-memory 5;
            max-sessions 15;
            source-address 10.56.97.3;
            host {
                10.24.45.7;
                port 5;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying Security Packet Capture

    Purpose

    Verify that security packet capture is active and that the sensor is not dropping captures because of resource limits.

    Action

    From operational mode, enter the show security idp counters packet-log command.

    user@host> show security idp counters packet-log
    IDP counters:                                                             Value
     Total packets captured since packet capture was activated               0
     Total sessions enabled since packet capture was activated               0
     Sessions currently enabled for packet capture                           0
     Packets currently captured for enabled sessions                         0
     Packet clone failures                                                   0
     Session log object failures                                             0
     Session packet log object failures                                      0
     Sessions skipped because session limit exceeded                         0
     Packets skipped because total memory limit exceeded                     0
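
    On a freshly committed configuration every counter is zero, as shown above; once traffic matches the rule, the failure and "skipped" counters are the ones to watch, because nonzero values mean captures are being lost and the total-memory or max-sessions allocation needs adjusting. The following parser and health check is an added example, not part of the Junos OS documentation; the sample counter output is constructed here (the numbers are made up) and the remediation hints are the editor's, not vendor guidance.

```python
import re

# Constructed sample of `show security idp counters packet-log` output; the values
# are made up so that one limit-related counter is nonzero and triggers a finding.
SAMPLE_OUTPUT = """\
IDP counters:                                                             Value
 Total packets captured since packet capture was activated               1240
 Total sessions enabled since packet capture was activated                 37
 Sessions currently enabled for packet capture                              4
 Packets currently captured for enabled sessions                           52
 Packet clone failures                                                      0
 Session log object failures                                                0
 Session packet log object failures                                         0
 Sessions skipped because session limit exceeded                           12
 Packets skipped because total memory limit exceeded                        0
"""

# One counter per line: a name made of non-digits, whitespace, then an integer value.
COUNTER_RE = re.compile(r"^\s*(?P<name>[A-Za-z][^\d]*?)\s+(?P<value>\d+)\s*$")

# Counters that stay zero on a healthy sensor. Hint text is the editor's suggestion
# (assumption), mapping each counter back to the packet-log knobs set in this example.
FAILURE_COUNTERS = {
    "Packet clone failures": "packet buffers could not be cloned",
    "Session log object failures": "session log objects could not be allocated",
    "Session packet log object failures": "session packet-log objects could not be allocated",
    "Sessions skipped because session limit exceeded": "consider raising packet-log max-sessions",
    "Packets skipped because total memory limit exceeded": "consider raising packet-log total-memory",
}


def parse_packet_log_counters(text: str) -> dict:
    """Parse the counter table into {counter name: integer value}.

    The header line ends in the word 'Value', not a number, so the regex skips it.
    """
    counters = {}
    for line in text.splitlines():
        match = COUNTER_RE.match(line)
        if match:
            counters[match.group("name").strip()] = int(match.group("value"))
    return counters


def packet_log_findings(counters: dict) -> list:
    """Return one finding string per failure or skip counter that is nonzero."""
    return [f"{name}={counters[name]}: {hint}"
            for name, hint in FAILURE_COUNTERS.items() if counters.get(name, 0)]
```

    Run it against the output of the command above; an empty findings list means no captures were lost, while any finding points at the sensor-configuration packet-log value to revisit before the next commit.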
    

    Published: 2012-06-29