Related Documentation
- SRX Series
- Example: Enabling IDP in a User Logical System Security Policy
- IDP in Logical Systems Overview
- User Logical System Configuration Overview
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Configuring an IDP Policy for a User Logical System
The master administrator can either download predefined IDP policies to the device or configure custom IDP policies at the root level using custom or predefined attack objects. The master administrator is responsible for assigning an IDP policy to a user logical system. This example shows how to assign a predefined IDP policy to a user logical system.
Requirements
Before you begin:
- Log in to the master logical system as the master administrator. See Understanding the Master Logical System and the Master Administrator Role.
- Read IDP Policies Overview in the Junos OS Security Configuration Guide.
- Assign the ls-design-profile security policy to the ls-product-design user logical system. See Example: Configuring Logical Systems Security Profiles.
- Download predefined IDP policy templates to the device. See Downloading and Using Predefined IDP Policy Templates (CLI Procedure) in the Junos OS Security Configuration Guide.
Note: Activating a predefined IDP policy with the active-policy configuration statement at the [edit security idp] hierarchy level only applies to the master logical system. For a user logical system, the master administrator specifies the active IDP policy in the security profile that is bound to the user logical system.
Overview
The predefined IDP policy named Recommended contains attack objects recommended by Juniper Networks. All rules in the policy have their actions set to take the recommended action for each attack object. You add the Recommended IDP policy to the ls-design-profile, which is bound to the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To add a predefined IDP policy to a security profile for a user logical system:
- Log in to the master logical system as the master administrator and enter configuration mode.
    [edit]
    admin@host> configure
    admin@host#
- Add the IDP policy to the security profile.
    [edit system security-profile]
    admin@host# set ls-design-profile idp-policy Recommended
Results
From configuration mode, confirm your configuration by entering the show security idp and show system security-profile ls-design-profile commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Configuration
Purpose
Verify the IDP policy assigned to the logical system.
Action
From operational mode, enter the show security idp logical-system policy-association command. Ensure that the IDP policy in the security profile that is bound to the logical system is correct.
    Logical system          IDP policy
    ls-product-design       Recommended
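The verification step above can be automated when many user logical systems are in use. The following is an added example, not part of the original Juniper documentation: it parses saved output of the show security idp logical-system policy-association command and reports any logical system whose IDP policy differs from the intended one. The sample rows other than ls-product-design, the Custom-Web policy name, and the EXPECTED mapping are constructed for illustration.

```python
"""Audit saved `show security idp logical-system policy-association` output."""

# Constructed sample output: the header and first row follow the page;
# the remaining rows are invented for illustration.
SAMPLE_OUTPUT = """\
Logical system          IDP policy
ls-product-design       Recommended
ls-marketing-dept       Recommended
ls-accounting-dept
"""

# Hypothetical intended state: logical system -> IDP policy it must run.
EXPECTED = {
    "ls-product-design": "Recommended",
    "ls-marketing-dept": "Custom-Web",
    "ls-accounting-dept": "Recommended",
    "ls-lab": "Recommended",
}


def parse_associations(text):
    """Return {logical_system: policy or None} from the command output."""
    result = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or " ".join(fields[:2]).lower() == "logical system":
            continue  # skip blank lines and the column header
        # A row with a single column means no policy is associated.
        result[fields[0]] = fields[1] if len(fields) > 1 else None
    return result


def audit(text, expected):
    """List every logical system whose association differs from `expected`."""
    actual = parse_associations(text)
    findings = []
    for lsys, policy in sorted(expected.items()):
        if lsys not in actual:
            findings.append(f"{lsys}: not listed, expected {policy}")
        elif actual[lsys] is None:
            findings.append(f"{lsys}: no IDP policy, expected {policy}")
        elif actual[lsys] != policy:
            findings.append(f"{lsys}: has {actual[lsys]}, expected {policy}")
    # Logical systems present on the device but absent from the intended state.
    for lsys in sorted(set(actual) - set(expected)):
        findings.append(f"{lsys}: unexpected logical system")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT, EXPECTED):
        print(finding)
```

An empty result from audit() means every logical system in the intended state is bound to the expected IDP policy.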