Related Documentation
- Junos OS Feature Support Reference for SRX Series and J Series Devices
[edit security idp] Hierarchy Level
# [edit security idp] hierarchy level, re-indented one statement per line.
# Reading the listing: lower-case words such as policy-name, number, seconds
# stand for values the administrator supplies; (a | b) is a one-of choice;
# <...> marks an optional part; [...] marks a list of values.
security {
    idp {
        # Names the idp-policy that the sensor enforces; the policy itself is
        # defined under idp-policy below. Presumably a single policy is active
        # at a time — confirm in the idp-policy reference.
        active-policy policy-name;
        application-ddos application-name {
            connection-rate-threshold number;
            context context-name {
                exclude-context-values [value];
                hit-rate-threshold number;
                max-context-values number;
                time-binding-count number;
                time-binding-period seconds;
                value-hit-rate-threshold number;
            }
            service service-name;
        }
        custom-attack attack-name {
            attack-type {
                anomaly {
                    direction (any | client-to-server | server-to-client);
                    service service-name;
                    shellcode (all | intel | no-shellcode | sparc);
                    test test-condition;
                }
                chain {
                    expression boolean-expression;
                    member member-name {
                        attack-type {
                            # A chain member is itself either an anomaly or a
                            # signature attack; its statements are the same as
                            # at the two hierarchy levels named here.
                            (anomaly ...same statements as in [edit security idp custom-attack attack-name attack-type anomaly] hierarchy level | signature ...same statements as in [edit security idp custom-attack attack-name attack-type signature] hierarchy level);
                        }
                    }
                    order;
                    protocol-binding {
                        application application-name;
                        icmp;
                        icmpv6;
                        ip {
                            protocol-number transport-layer-protocol-number;
                        }
                        ipv6 {
                            protocol-number transport-layer-protocol-number;
                        }
                        nested-application nested-application-name;
                        rpc {
                            program-number rpc-program-number;
                        }
                        tcp {
                            minimum-port port-number <maximum-port port-number>;
                        }
                        udp {
                            minimum-port port-number <maximum-port port-number>;
                        }
                    }
                    reset;
                    scope (session | transaction);
                }
                signature {
                    context context-name;
                    direction (any | client-to-server | server-to-client);
                    # negate inverts the pattern match (from the name) — a
                    # negated signature can match far more traffic than
                    # intended, so test it before attaching an action.
                    negate;
                    pattern signature-pattern;
                    # Every protocol field below takes the same
                    # match (equal | greater-than | less-than | not-equal)
                    # plus a value; only the value placeholder differs.
                    protocol {
                        icmp {
                            code {
                                match (equal | greater-than | less-than | not-equal);
                                value code-value;
                            }
                            data-length {
                                match (equal | greater-than | less-than | not-equal);
                                value data-length;
                            }
                            identification {
                                match (equal | greater-than | less-than | not-equal);
                                value identification-value;
                            }
                            sequence-number {
                                match (equal | greater-than | less-than | not-equal);
                                value sequence-number;
                            }
                            type {
                                match (equal | greater-than | less-than | not-equal);
                                value type-value;
                            }
                        }
                        ipv4 {
                            destination {
                                match (equal | greater-than | less-than | not-equal);
                                value ip-address-or-hostname;
                            }
                            identification {
                                match (equal | greater-than | less-than | not-equal);
                                value identification-value;
                            }
                            ip-flags {
                                (df | no-df);
                                (mf | no-mf);
                                (rb | no-rb);
                            }
                            protocol {
                                match (equal | greater-than | less-than | not-equal);
                                value transport-layer-protocol-id;
                            }
                            source {
                                match (equal | greater-than | less-than | not-equal);
                                value ip-address-or-hostname;
                            }
                            tos {
                                match (equal | greater-than | less-than | not-equal);
                                value type-of-service-in-decimal;
                            }
                            total-length {
                                match (equal | greater-than | less-than | not-equal);
                                value total-length-of-ip-datagram;
                            }
                            ttl {
                                match (equal | greater-than | less-than | not-equal);
                                value time-to-live;
                            }
                        }
                        ipv6 {
                            destination {
                                match (equal | greater-than | less-than | not-equal);
                                value ip-address-or-hostname;
                            }
                            flow-label {
                                match (equal | greater-than | less-than | not-equal);
                                value flow-label-value;
                            }
                            hop-limit {
                                match (equal | greater-than | less-than | not-equal);
                                value hop-limit-value;
                            }
                            next-header {
                                match (equal | greater-than | less-than | not-equal);
                                value next-header-value;
                            }
                            payload-length {
                                match (equal | greater-than | less-than | not-equal);
                                value payload-length-value;
                            }
                            source {
                                match (equal | greater-than | less-than | not-equal);
                                value ip-address-or-hostname;
                            }
                            traffic-class {
                                match (equal | greater-than | less-than | not-equal);
                                value traffic-class-value;
                            }
                        }
                        tcp {
                            ack-number {
                                match (equal | greater-than | less-than | not-equal);
                                value acknowledgement-number;
                            }
                            data-length {
                                match (equal | greater-than | less-than | not-equal);
                                value tcp-data-length;
                            }
                            destination-port {
                                match (equal | greater-than | less-than | not-equal);
                                value destination-port;
                            }
                            header-length {
                                match (equal | greater-than | less-than | not-equal);
                                value header-length;
                            }
                            mss {
                                match (equal | greater-than | less-than | not-equal);
                                value maximum-segment-size;
                            }
                            option {
                                match (equal | greater-than | less-than | not-equal);
                                value tcp-option;
                            }
                            sequence-number {
                                match (equal | greater-than | less-than | not-equal);
                                value sequence-number;
                            }
                            source-port {
                                match (equal | greater-than | less-than | not-equal);
                                value source-port;
                            }
                            tcp-flags {
                                (ack | no-ack);
                                (fin | no-fin);
                                (psh | no-psh);
                                (r1 | no-r1);
                                (r2 | no-r2);
                                (rst | no-rst);
                                (syn | no-syn);
                                (urg | no-urg);
                            }
                            urgent-pointer {
                                match (equal | greater-than | less-than | not-equal);
                                value urgent-pointer;
                            }
                            window-scale {
                                match (equal | greater-than | less-than | not-equal);
                                value window-scale-factor;
                            }
                            window-size {
                                match (equal | greater-than | less-than | not-equal);
                                value window-size;
                            }
                        }
                        udp {
                            data-length {
                                match (equal | greater-than | less-than | not-equal);
                                value data-length;
                            }
                            destination-port {
                                match (equal | greater-than | less-than | not-equal);
                                value destination-port;
                            }
                            source-port {
                                match (equal | greater-than | less-than | not-equal);
                                value source-port;
                            }
                        }
                    }
                    # Same protocol-binding statements as under chain above.
                    protocol-binding {
                        application application-name;
                        icmp;
                        icmpv6;
                        ip {
                            protocol-number transport-layer-protocol-number;
                        }
                        ipv6 {
                            protocol-number transport-layer-protocol-number;
                        }
                        nested-application nested-application-name;
                        rpc {
                            program-number rpc-program-number;
                        }
                        tcp {
                            minimum-port port-number <maximum-port port-number>;
                        }
                        udp {
                            minimum-port port-number <maximum-port port-number>;
                        }
                    }
                    regexp regular-expression;
                    shellcode (all | intel | no-shellcode | sparc);
                }
            }
            recommended-action (close | close-client | close-server | drop | drop-packet | ignore | none);
            severity (critical | info | major | minor | warning);
            time-binding {
                count count-value;
                scope (destination | peer | source);
            }
        }
        custom-attack-group custom-attack-group-name {
            group-members [attack-or-attack-group-name];
        }
        dynamic-attack-group dynamic-attack-group-name {
            # Membership is computed from the filters rather than listed
            # explicitly, so the group's contents change as the signature
            # package is updated — presumably on each package install; confirm.
            filters {
                category {
                    values [category-value];
                }
                direction {
                    expression (and | or);
                    values [any client-to-server exclude-any exclude-client-to-server exclude-server-to-client server-to-client];
                }
                false-positives {
                    values [frequently occasionally rarely unknown];
                }
                performance {
                    values [fast normal slow unknown];
                }
                products {
                    values [product-value];
                }
                recommended;
                service {
                    values [service-value];
                }
                severity {
                    values [critical info major minor warning];
                }
                type {
                    values [anomaly signature];
                }
            }
        }
        idp-policy policy-name {
            rulebase-ddos {
                rule rule-name {
                    description text;
                    match {
                        application (application-name | any | default);
                        application-ddos <application-name>;
                        destination-address ([address-name] | any | any-ipv4 | any-ipv6);
                        destination-except [address-name];
                        from-zone (zone-name | any);
                        source-address ([address-name] | any | any-ipv4 | any-ipv6);
                        source-except [address-name];
                        to-zone (zone-name | any);
                    }
                    then {
                        action {
                            (close-server | drop-connection | drop-packet | no-action);
                        }
                        # NOTE(review): ip-action presumably acts on later
                        # traffic from the offending source for timeout
                        # seconds, not only on the matched session; keep
                        # timeout bounded so a spoofed source cannot cause a
                        # long-lived block of legitimate traffic — confirm.
                        ip-action {
                            (ip-block | ip-close | ip-connection-rate-limit connections-per-second | ip-notify);
                            log;
                            log-create;
                            refresh-timeout;
                            timeout seconds;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
            }
            # NOTE(review): exempt rules remove the listed attacks from
            # detection for the matched addresses and zones. Scope them as
            # narrowly as the match fields allow (specific address-name
            # rather than any) and review them with the same rigor as IPS
            # rules, since an over-broad exemption is invisible in the logs.
            rulebase-exempt {
                rule rule-name {
                    description text;
                    match {
                        attacks {
                            custom-attack-groups [attack-group-name];
                            custom-attacks [attack-name];
                            dynamic-attack-groups [attack-group-name];
                            predefined-attack-groups [attack-group-name];
                            predefined-attacks [attack-name];
                        }
                        destination-address ([address-name] | any | any-ipv4 | any-ipv6);
                        destination-except [address-name];
                        from-zone (zone-name | any );
                        source-address ([address-name] | any | any-ipv4 | any-ipv6);
                        source-except [address-name];
                        to-zone (zone-name | any);
                    }
                }
            }
            rulebase-ips {
                rule rule-name {
                    description text;
                    match {
                        application (application-name | any | default);
                        attacks {
                            custom-attack-groups [attack-group-name];
                            custom-attacks [attack-name];
                            dynamic-attack-groups [attack-group-name];
                            predefined-attack-groups [attack-group-name];
                            predefined-attacks [attack-name];
                        }
                        destination-address ([address-name] | any | any-ipv4 | any-ipv6);
                        destination-except [address-name];
                        from-zone (zone-name | any );
                        source-address ([address-name] | any | any-ipv4 | any-ipv6);
                        source-except [address-name];
                        to-zone (zone-name | any);
                    }
                    # terminal: from the name, stops evaluation of later rules
                    # for matched traffic, so rule order decides which action
                    # wins — confirm in the rulebase-ips reference.
                    terminal;
                    then {
                        action {
                            class-of-service {
                                dscp-code-point number;
                                forwarding-class forwarding-class;
                            }
                            (close-client | close-client-and-server | close-server | drop-connection | drop-packet | ignore-connection | mark-diffserv value | no-action | recommended);
                        }
                        # NOTE(review): target widens what ip-action applies
                        # to; the zone-level and service-level choices can
                        # affect many hosts at once, so pair a wide target
                        # with a short timeout and log it.
                        ip-action {
                            (ip-block | ip-close | ip-notify);
                            log;
                            log-create;
                            refresh-timeout;
                            target (destination-address | service | source-address | source-zone | source-zone-address | zone-service);
                            timeout seconds;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                            packet-log {
                                post-attack number;
                                post-attack-timeout seconds;
                                pre-attack number;
                            }
                        }
                        severity (critical | info | major | minor | warning);
                    }
                }
            }
        }
        # NOTE(review): the attack signature package is fetched from url-name
        # (with source-address as the local address). Every predefined attack
        # depends on its integrity, so point url at the vendor's service and
        # monitor the automatic download schedule for failures.
        security-package {
            automatic {
                download-timeout minutes;
                enable;
                interval hours;
                start-time start-time;
            }
            install {
                # From the name, bypasses the package/version compatibility
                # check on install; confirm the intended use before enabling.
                ignore-version-check;
            }
            source-address address;
            url url-name;
        }
        sensor-configuration {
            application-ddos {
                statistics {
                    interval minutes;
                }
            }
            application-identification {
                max-packet-memory value;
                max-tcp-session-packet-memory value;
                max-udp-session-packet-memory value;
            }
            detector {
                protocol-name protocol-name {
                    tunable-name tunable-name {
                        tunable-value protocol-value;
                    }
                }
            }
            flow {
                (allow-icmp-without-flow | no-allow-icmp-without-flow);
                fifo-max-size value;
                hash-table-size value;
                (log-errors | no-log-errors);
                max-timers-poll-ticks value;
                reject-timeout value;
                (reset-on-policy | no-reset-on-policy);
                udp-anticipated-timeout value;
            }
            global {
                (enable-all-qmodules | no-enable-all-qmodules);
                (enable-packet-pool | no-enable-packet-pool);
                gtp (decapsulation | no-decapsulation);
                memory-limit-percent value;
                (policy-lookup-cache | no-policy-lookup-cache);
            }
            high-availability {
                no-policy-cold-synchronization;
            }
            # NOTE(review): the no-*/ignore-* forms in this block switch
            # detection features off; once set they reduce coverage silently,
            # so audit them alongside the policy itself.
            ips {
                content-decompression-max-memory-kb value;
                # Presumably a limit on how far inspected content is
                # decompressed, i.e. a guard against decompression bombs —
                # confirm before raising it.
                content-decompression-max-ratio value;
                (detect-shellcode | no-detect-shellcode);
                fifo-max-size value;
                (ignore-regular-expression | no-ignore-regular-expression);
                log-supercede-min minimum-value;
                pre-filter-shellcode;
                (process-ignore-s2c | no-process-ignore-s2c);
                (process-override | no-process-override);
                process-port port-number;
            }
            log {
                cache-size size;
                # Suppression collapses repeated log entries (per the option
                # names); tune it so attack counts the SOC relies on stay
                # meaningful, and record when it is disabled.
                suppression {
                    disable;
                    (include-destination-address | no-include-destination-address);
                    max-logs-operate value;
                    max-time-report value;
                    start-log value;
                }
            }
            # NOTE(review): captured attack packets are exported to host:port
            # and can contain payload data; send them only over a trusted
            # path to a collector you control.
            packet-log {
                host ip-address <port number>;
                max-sessions percentage;
                source-address ip-address;
                total-memory percentage;
            }
            re-assembler {
                (ignore-memory-overflow | no-ignore-memory-overflow);
                (ignore-reassembly-memory-overflow | no-ignore-reassembly-memory-overflow);
                ignore-reassembly-overflow;
                max-flow-mem value;
                max-packet-mem value;
            }
            ssl-inspection {
                cache-prune-chunk-size number;
                # key-protection: from the name, guards the server private
                # keys loaded for inspection — confirm its semantics in the
                # ssl-inspection reference before relying on it.
                key-protection;
                maximum-cache-size number;
                session-id-cache-timeout seconds;
                sessions number;
            }
        }
        traceoptions {
            file {
                filename;
                files number;
                match regular-expression;
                size maximum-file-size;
                # NOTE(review): prefer no-world-readable; trace files can
                # contain traffic details and should not be readable by every
                # local user account.
                (world-readable | no-world-readable);
            }
            flag all;
            level (all | error | info | notice | verbose | warning);
            no-remote-trace;
        }
    }
}

