    Example: Enabling IDP in a User Logical System Security Policy

    This example shows how to enable IDP in a security policy in a user logical system.

    Requirements

    Before you begin:

    Overview

    In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.

    You enable IDP in a security policy that matches any traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone. Enabling IDP in a security policy directs matching traffic to be checked against the IDP rulebases.

    Note: This example uses the IDP policy configured and assigned to the ls-product-design user logical system by the master administrator in Example: Configuring an IDP Policy for a User Logical System.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match source-address any
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match destination-address any
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match application any
    set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp then permit application-services idp

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure a security policy to enable IDP in a user logical system:

    1. Log in to the logical system as the user logical system administrator and enter configuration mode.

      lsdesignadmin1@host:ls-product-design> configure
      [edit]
      lsdesignadmin1@host:ls-product-design#

    2. Configure a security policy that matches traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.

      [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
      lsdesignadmin1@host:ls-product-design# set policy enable-idp match source-address any
      lsdesignadmin1@host:ls-product-design# set policy enable-idp match destination-address any
      lsdesignadmin1@host:ls-product-design# set policy enable-idp match application any

    3. Configure the security policy to enable IDP for matching traffic.

      [edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
      lsdesignadmin1@host:ls-product-design# set policy enable-idp then permit application-services idp

    Results

    From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    For brevity, this show command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).

    [edit]
    lsdesignadmin1@host:ls-product-design# show security policies
    from-zone ls-product-design-untrust to-zone ls-product-design-trust {
        policy enable-idp {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        idp;
                    }
                }
            }
        }
        ...
    }

    If you are done configuring the device, enter commit from configuration mode.
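    The following Python script is an added example and is not part of the Juniper documentation or of Junos OS. It parses the curly-brace output of show security policies (as shown in the Results section above) and checks that a named policy directs permitted traffic to IDP through then permit application-services idp. It goes one step further than this example by also listing every permit policy in the captured output that has no IDP service attached, which is the check an auditor would run across all zone pairs. The two configuration samples embedded in the script are constructed; the second one adds a hypothetical policy named plain-permit to show how a policy without IDP is reported.

```python
"""Audit a Junos 'show security policies' snippet for IDP enablement.

Added example, not code from the Juniper documentation: a small parser for
the curly-brace configuration format, a check that one named policy sends
permitted traffic to IDP ('then permit application-services idp'), and an
audit that lists permit policies with no IDP service attached.
"""
import re
from typing import Any, Dict, List, Tuple

# Constructed sample mirroring the Results output of the documented example.
# The '...' line stands for unrelated configuration, as in the documentation.
SAMPLE_CONFIG = """
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy enable-idp {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
    ...
}
"""

# Constructed sample with a hypothetical second policy that permits without IDP.
SAMPLE_MIXED = """
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy enable-idp {
        match { source-address any; destination-address any; application any; }
        then { permit { application-services { idp; } } }
    }
    policy plain-permit {
        match { source-address any; destination-address any; application junos-http; }
        then { permit; }
    }
}
"""


def tokenize(text: str) -> List[str]:
    """Split config text into '{', '}', ';' and word tokens, dropping '...'."""
    return [t for t in re.findall(r"\{|\}|;|[^\s{};]+", text) if t != "..."]


def parse(tokens: List[str], pos: int = 0) -> Tuple[Dict[str, Any], int]:
    """Build a nested dict: a block header becomes a key whose value is a dict,
    a leaf statement becomes a key whose value is its list of argument words.
    Returns the node and the position just past the block's closing brace."""
    node: Dict[str, Any] = {}
    words: List[str] = []
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "{":
            child, pos = parse(tokens, pos)
            node[" ".join(words)] = child
            words = []
        elif tok == "}":
            return node, pos
        elif tok == ";":
            if words:
                node[words[0]] = words[1:]
            words = []
        else:
            words.append(tok)
    return node, pos


def _permit_sends_to_idp(then: Any) -> bool:
    """True if the 'then' block is 'permit { application-services { idp; } }'."""
    if not isinstance(then, dict):
        return False
    permit = then.get("permit")
    if not isinstance(permit, dict):  # bare 'permit;' or a deny/reject policy
        return False
    services = permit.get("application-services")
    return isinstance(services, dict) and "idp" in services


def policy_enables_idp(config_text: str, from_zone: str, to_zone: str,
                       policy_name: str) -> bool:
    """Check one policy in one zone pair for IDP enablement."""
    tree, _ = parse(tokenize(config_text))
    context = tree.get(f"from-zone {from_zone} to-zone {to_zone}")
    if not isinstance(context, dict):
        return False
    policy = context.get(f"policy {policy_name}")
    return isinstance(policy, dict) and _permit_sends_to_idp(policy.get("then"))


def permit_policies_missing_idp(config_text: str) -> List[Tuple[str, str]]:
    """List (zone-pair, policy) entries that permit traffic without IDP."""
    tree, _ = parse(tokenize(config_text))
    missing: List[Tuple[str, str]] = []
    for ctx_key, ctx in tree.items():
        if not (ctx_key.startswith("from-zone ") and isinstance(ctx, dict)):
            continue
        for pol_key, pol in ctx.items():
            if not (pol_key.startswith("policy ") and isinstance(pol, dict)):
                continue
            then = pol.get("then")
            if isinstance(then, dict) and "permit" in then and not _permit_sends_to_idp(then):
                missing.append((ctx_key, pol_key))
    return missing


if __name__ == "__main__":
    print(policy_enables_idp(SAMPLE_CONFIG, "ls-product-design-untrust",
                             "ls-product-design-trust", "enable-idp"))
    print(permit_policies_missing_idp(SAMPLE_MIXED))
```

    Feed the script the text captured from show security policies on the user logical system; a deny or reject policy is skipped by the audit because only permitted traffic is inspected by IDP, and a bare permit with no application-services block is reported as missing IDP.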

    Verification

    Verifying Attack Matches

    Purpose

    Verify that attacks are being matched in network traffic.

    Action

    From operational mode, enter the show security idp attack table command.

    admin@host> show security idp attack table
    IDP attack statistics:
      Attack name                                 #Hits
      FTP:USER:ROOT                               1

    Published: 2012-06-29