Using Predefined Policy Templates
Juniper Networks provides predefined policy templates that you can use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements. These templates are available in the templates.xml file on a secured Juniper Networks Web site. To start using a template, you run a command from the CLI to download and copy this file to the /var/db/scripts/commit directory.
Before You Begin

- For background information, read:
  - Establish basic connectivity. For more information, see the Getting Started Guide for your device.
  - Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
Each policy template contains rules that use the default actions associated with the attack objects. You should customize these templates to work on your network by selecting your own source and destination addresses and choosing IDP actions that reflect your security needs. Table 109 summarizes the predefined IDP policy templates provided by Juniper Networks.
Table 109: Predefined IDP Policy Templates

| Template Name | Description |
| --- | --- |
| All With Logging | Includes all attack objects and enables packet logging for all rules. |
| All Without Logging | Includes all attack objects but does not enable packet logging. |
| DMZ Services | Protects a typical demilitarized zone (DMZ) environment. |
| DNS Server | Protects Domain Name System (DNS) services. |
| File Server | Protects file sharing services, such as Network File System (NFS), FTP, and others. |
| Getting Started | Contains very open rules. Useful in controlled lab environments, but should not be deployed on heavy-traffic live networks. |
| IDP Default | Contains a good blend of security and performance. |
| Recommended | Contains only the attack objects tagged as recommended by Juniper Networks. All rules have their Actions column set to take the recommended action for each attack object. |
| Web Server | Protects HTTP servers from remote attacks. |
To use predefined policy templates:

- Download the policy templates from the Juniper Networks Web site.
- Install the policy templates.
- Enable the templates.xml script file. Commit scripts in the /var/db/scripts/commit directory are ignored if they are not enabled.
- Choose a policy template that is appropriate for you and customize it if you need to.
- Activate the policy that you want to run on the system. Activating the policy might take a few minutes. Even after a commit complete message is displayed in the CLI, the system might continue to compile and push the policy to the dataplane.
  Note: Occasionally, the compilation process might fail for a policy. In this case, the active policy showing in your configuration might not match the actual policy running on your device. Run the show security idp status command to verify the running policy. Additionally, you can view the IDP log files to verify the policy load and compilation status (see Verifying the Signature Database).
- Delete or deactivate the commit script file. By deleting the commit script file, you avoid the risk of overwriting modifications to the template when you commit the configuration. Deactivating the statement adds an inactive tag to the statement, effectively commenting out the statement from the configuration. Statements marked inactive do not take effect when you issue the commit command.
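The procedure above carried out end to end at the Junos CLI, as an added example that is not part of this page: it assumes the Recommended template is the one chosen and that it appears under the policy name Recommended once installed; the prompt user@host is a placeholder.

```junos
## Steps 1 and 2: download and install the templates (operational mode).
## The download places templates.xml in /var/db/scripts/commit.
user@host> request security idp security-package download policy-templates
user@host> request security idp security-package install policy-templates

## Step 3: enable the commit script; unlisted scripts in that directory are ignored.
user@host> configure
user@host# set system scripts commit file templates.xml
user@host# commit

## Step 4: inspect the imported template and adjust addresses and actions as needed
## (policy name "Recommended" is an assumption about how the template is named).
user@host# show security idp idp-policy Recommended

## Step 5: activate the policy, then confirm what is actually running on the
## dataplane, since compilation can still fail after "commit complete".
user@host# set security idp active-policy Recommended
user@host# commit
user@host# run show security idp status

## Step 6: deactivate the script so later commits cannot overwrite your edits.
user@host# deactivate system scripts commit file templates.xml
user@host# commit
```

If the policy name reported by show security idp status differs from the active-policy statement in the configuration, treat the compilation as failed and check the IDP log files before relying on the policy.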
You can use either J-Web or the CLI configuration editor to
configure an application set.