Example: Configuring DSCP Rules in an IDP Policy

This example shows how to configure DSCP values in an IDP policy.

Requirements

Before you begin:

Overview

Configuring DSCP values in IDP policies provides a method of associating class-of-service (CoS) values—thus different levels of reliability—for different types of traffic on the network.

This example shows how to create a policy called policy1, specify a rulebase for this policy, and then add a rule R1 to this rulebase. In this example, rule R1:

Configuration

CLI Quick Configuration

To quickly configure DSCP values in an IDP policy, copy the following commands and paste them into the CLI.

[edit]
set security idp idp-policy policy1
set security idp idp-policy policy1 rulebase-ips rule R1
set security idp idp-policy policy1 rulebase-ips rule R1 match from-zone Zone-1 to-zone Zone-2 source-address any destination-address any application default
set security idp idp-policy policy1 rulebase-ips rule R1 match attacks predefined-attack-groups "Critical-HTTP"
set security idp idp-policy policy1 rulebase-ips rule R1 then action mark-diffserv 50

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure DSCP values in an IDP policy:

  1. Create a policy by assigning a meaningful name to it.
    [edit]
    user@host# set security idp idp-policy policy1
  2. Associate a rulebase with the policy.
    [edit security idp idp-policy policy1]
    user@host# set rulebase-ips
  3. Add rules to the rulebase.
    [edit security idp idp-policy policy1 rulebase-ips]
    user@host# set rule R1
  4. Define the match criteria for the rule. The default application setting matches any application configured in the attack object.
    [edit security idp idp-policy policy1 rulebase-ips rule R1]
    user@host# set match from-zone Zone-1 to-zone Zone-2 source-address any destination-address any application default
    user@host# set match attacks predefined-attack-groups "Critical-HTTP"
  5. Specify an action for the rule.
    [edit security idp idp-policy policy1 rulebase-ips rule R1]
    user@host# set then action mark-diffserv 50
  6. Continue to specify any notification or logging options for the rule, if required.
  7. Activate the policy.
    [edit]
    user@host# set security idp active-policy policy1

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security idp
idp-policy policy1 {
    rulebase-ips {
        rule R1 {
            match {
                from-zone Zone-1;
                source-address any;
                to-zone Zone-2;
                destination-address any;
                application default;
                attacks {
                    predefined-attack-groups Critical-HTTP;
                }
            }
            then {
                action {
                    mark-diffserv {
                        50;
                    }
                }
            }
        }
    }
}
active-policy policy1;

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the DSCP values were configured in the IDP policy.

Action

From operational mode, enter the show security idp command.
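As an added example, not part of this Juniper documentation: a small Python script that parses the show security idp output shown in the Results section (reproduced here as a constructed sample, without the prompt) and checks that the active policy's rule R1 carries a mark-diffserv action with the intended DSCP value inside the 6-bit range 0 through 63. The parser is a minimal one written for this example and assumes the curly-brace output format shown on this page.

```python
import re

# Constructed sample: the Results output from this page, braces reflowed (whitespace is ignored).
SAMPLE_OUTPUT = """
idp-policy policy1 {
    rulebase-ips { rule R1 {
        match { from-zone Zone-1; source-address any; to-zone Zone-2;
                destination-address any; application default;
                attacks { predefined-attack-groups Critical-HTTP; } }
        then { action { mark-diffserv { 50; } } } } } }
active-policy policy1;
"""

def parse_junos(text):
    """Turn Junos curly-brace configuration into nested dicts: 'a b {' opens a block keyed
    'a b', 'k v;' stores v under k, and a bare 'v;' (the 50 under mark-diffserv) maps v to None."""
    stack, buf = [{}], []
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            stack.append(stack[-1].setdefault(" ".join(buf), {}))
        elif tok == ";":
            stack[-1][buf[0]] = " ".join(buf[1:]) or None
        elif tok == "}":
            stack.pop()
        buf = [] if tok in "{;}" else buf + [tok]
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration output")
    return stack[0]

def dscp_for_rule(cfg, policy, rule):
    """Return the mark-diffserv value configured for policy/rule, or None if the rule has none."""
    r = cfg.get(f"idp-policy {policy}", {}).get("rulebase-ips", {}).get(f"rule {rule}", {})
    marks = r.get("then", {}).get("action", {}).get("mark-diffserv") or {}
    return int(next(iter(marks))) if marks else None

def check_dscp_rule(text, policy="policy1", rule="R1", expected=50):
    """Return a list of problems found; an empty list means the rule is configured as intended."""
    cfg = parse_junos(text)
    problems = []
    if cfg.get("active-policy") != policy:
        problems.append(f"active-policy is {cfg.get('active-policy')!r}, not {policy!r}")
    dscp = dscp_for_rule(cfg, policy, rule)
    if dscp is None:
        problems.append(f"rule {rule} in {policy} has no mark-diffserv action")
    elif not 0 <= dscp <= 63:
        problems.append(f"DSCP {dscp} is outside the 6-bit range 0-63")
    elif dscp != expected:
        problems.append(f"rule {rule} marks DSCP {dscp}, expected {expected}")
    return problems
```

Run check_dscp_rule on the captured output of show security idp; any non-empty result names what differs from the configuration this example intends.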
