IDP Overview
The Dynamic Application Awareness for Junos OS set of services adds support for Intrusion Detection and Prevention (IDP) functionality using Deep Packet Inspection (DPI) technology to Juniper Networks MX Series Ethernet Services Routers equipped with Multiservices DPCs and M120 or M320 Multiservice Edge Routers equipped with Multiservices 400 PICs. The IDP functionality is already supported on Juniper Networks J Series Services Routers and SRX Series Services Gateways running the Junos OS and is described in the Junos OS Security Configuration Guide. The same CLI statements and commands are used on all Junos platforms, but IDP is incorporated as a component of service sets only on the specified Juniper Networks M Series and MX Series routers.
Note: IDP depends on APPID for definition and detection of some Layer 7 applications. Therefore you must configure APPID along with IDP on the service set. Before configuring IDP policy, you must download the APPID application package. Only one service set can be applied to a single interface when APPID functionality is used.
To configure IDP properties, include statements at the [edit security idp] hierarchy level. In general, you configure IDP processes by including the idp-policy statement at the [edit system processes] hierarchy level. For use in M Series and MX Series applications, you then reference this configuration by including the idp-profile statement at the [edit services service-set] hierarchy level. To configure SNMP IDP objects, include the idp statement at the [edit snmp health-monitor] hierarchy level. Operational commands for monitoring and regulating IDP activity use the clear/request/show security idp command syntax.
Note: On M Series and MX Series routers, the IDP ip-action statement is supported on TCP, UDP, and ICMP flows. When the ip-action target is service, the ip-action flow is applied if the traffic matches the values specified for source port, destination port, source address, and destination address. However, for ICMP flows, the destination port is 0, so any ICMP flow matching the source port, source address, and destination address would be blocked. For more information on the ip-action statement, see the Junos OS CLI Reference.
When the MultiServices PIC configured for a service set is either administratively taken offline or undergoes a failure, all the traffic entering the configured interface with an IDP service set would be dropped without notification. To avoid this traffic loss, include the bypass-traffic-on-pic-failure statement at the [edit services service-set service-set-name service-set-options] hierarchy level. When this statement is configured, the affected packets are forwarded in the event of a MultiServices PIC failure or offlining, as though interface-style services were not configured.
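As an added example, not taken from the Juniper documentation, the following configuration fragment assembles the statements this overview names into one service set: an IDP policy under [edit security idp], the idp-profile reference in the service set, and bypass-traffic-on-pic-failure so that traffic is forwarded instead of silently dropped during a PIC outage. The names idp-pol, idp-ss and ms-1/2/0 and the attack-group string are placeholders, the rule body follows the SRX IDP policy syntax and is assumed to carry over as the overview states, and the APPID binding for the service set is omitted because its statement is not given on this page.

```junos
security {
    idp {
        /* Placeholder IPS policy (assumed SRX-style syntax): one rule that
           drops packets matching a predefined attack group. */
        idp-policy idp-pol {
            rulebase-ips {
                rule block-attacks {
                    match {
                        application default;
                        attacks {
                            predefined-attack-groups "ATTACK-GROUP-PLACEHOLDER";
                        }
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        /* Caveat from the overview: an ip-action with target
                           service keys ICMP flows on destination port 0, so
                           blocking one ICMP flow also blocks every other ICMP
                           flow with the same source port and addresses. A
                           per-packet action such as drop-packet avoids that. */
                    }
                }
            }
        }
    }
}
services {
    service-set idp-ss {
        /* Reference the IDP policy from the service set (statement named in the overview). */
        idp-profile idp-pol;
        service-set-options {
            /* Forward traffic as though no interface-style service were
               configured when the Multiservices PIC fails or is taken offline;
               without this, all traffic on the interface is dropped silently. */
            bypass-traffic-on-pic-failure;
        }
        interface-service {
            service-interface ms-1/2/0;
        }
    }
}
```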