Step 1: Begin
Meet Juniper Networks Intrusion Detection and Prevention System
Juniper Networks’ Intrusion Detection and Prevention (IDP) system, which is part of Junos OS, mitigates threats and protects against a wide range of attacks and vulnerabilities on your network. IDP constantly watches your network to identify and stop possible incidents, and then sends you a report of the actions it took.
The IDP signature database (also known as the attack database) is available as a security package on the Juniper Networks website. The attack database contains predefined IDP attack objects and IDP attack object groups that detect known attack patterns and protocol anomalies within network traffic. As new vulnerabilities are discovered, we periodically provide a file with updates to the attack database. With a valid license, you can download this file from the Juniper Networks website to protect your network from new threats.
The full IDP security package download includes policy templates that protect your network against the most common attacks. You can use the predefined IDP policy templates “as-is” or use them as a starting point to create new policies customized for your network.
In this guide, we walk you through how to install the IDP license, the IDP security package, and the IDP policy templates. Once you’re up and running, you’ll learn how to activate a policy template and enable an IDP action in a policy.
Let’s get started!
Create Your User Account
You need a Juniper user account to install the IDP security package. With a Juniper user account, you can view your company’s product information, participate in discussion forums with Juniper experts and networking peers, and open cases with our Customer Support team. If you don’t already have one, see Account Setup.
Set Up Your Device
First and foremost, install your Juniper device and verify you have network access. The quickest and easiest way to do this is to follow the three-step instructions in the Quick Start guide for your device model: Quick Start.
Juniper IDP runs on the following physical and virtual devices:
- Juniper Networks® SRX Series Services Gateways
- Juniper Networks® NFX150, NFX250, and NFX350 Network Services Gateways
- Juniper Networks® vSRX on Virtual Firewall on the Google Cloud platform
Download and Install IDP Licenses
IDP is enabled by default on all Juniper security devices. If you’re using only custom attack signatures, you don’t need an IDP license. However, if you want to install updates to the attack database, you’ll need to subscribe to our separately licensed IDP subscription service and install the IDP license on your device. For details, see Install IDP License.
If your license key expires, you can continue to use the locally stored application security package content.
Check Your Connection to the Update Server
Let’s make sure your device can access the update server on the Internet:
Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:3222(Detector=12.6.180190722, Templates=3222)
In addition to verifying network connectivity, this command also shows the remote database version.
Download and Install the IDP Security Package
- Log in to your device through the CLI as the admin user.
- Download the IDP security package.
    user@host> request security idp security-package download
    Will be processed in async mode. Check the status using the status checking CLI
    user@host> request security idp security-package download status
    Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:3222(Tue Nov 5 14:09:35 2019 UTC, Detector=12.6.180190722)
- Install the IDP security package.
    user@host> request security idp security-package install
    Will be processed in async mode. Check the status using the status checking CLI
    user@host> request security idp security-package install status
    Done;Attack DB update : successful - [UpdateNumber=3222,ExportDate=Tue Nov 5 14:09:35 2019 UTC,Detector=12.6.180190722]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : successful
Download and Install IDP Policy Templates
The IDP security package includes predefined IDP policy templates that you can activate as-is or use as a starting point to create new policies customized for your network. For more details, see Predefined IDP Policy Templates.
- Download the predefined IDP policy templates.
    user@host> request security idp security-package download policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
- Check the download status.
    user@host> request security idp security-package download status
    Done;Successfully downloaded from(https://signatures.juniper.net/cgi-bin/index.cgi). Version info:3222
- Install the IDP policy templates.
    user@host> request security idp security-package install policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
- Verify that the templates are installed.
    user@host> request security idp security-package install status
    Done;policy-templates has been successfully updated into internal repository (=>/var/run/scripts/commit/templates.xsl)!
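Because the download and install requests run asynchronously, a monitoring job has to read the status replies to know whether the attack database is current and whether every install step succeeded. The following Python sketch is an added example, not Juniper code: the function names are hypothetical, the first three replies are copied from this page, and the stale and failed replies (including the word "failed") are constructed for illustration.

```python
import re

# Replies copied from this page.
CHECK_SERVER = ("Successfully retrieved from(https://signatures.juniper.net/cgi-bin/index.cgi). "
                "Version info:3222(Detector=12.6.180190722, Templates=3222)")
ASYNC_ACK = "Will be processed in async mode. Check the status using the status checking CLI"
INSTALL_OK = ("Done;Attack DB update : successful - [UpdateNumber=3222,"
              "ExportDate=Tue Nov 5 14:09:35 2019 UTC,Detector=12.6.180190722]\n"
              "Updating control-plane with new detector : successful\n"
              "Updating data-plane with new attack or detector : successful")
# Constructed variants (not device output): an older database and a failed step.
INSTALL_STALE = INSTALL_OK.replace("UpdateNumber=3222", "UpdateNumber=3200")
INSTALL_FAILED = INSTALL_OK.replace("or detector : successful", "or detector : failed")

def parse_status(reply):
    """Extract completion state, version numbers and per-step outcomes."""
    reply = reply.strip()
    info = {"done": False, "version": None, "detector": None, "steps": {}}
    # Only a finished job or a server check carries a final answer.
    if reply.startswith("Done;") or reply.startswith("Successfully retrieved"):
        info["done"] = True
    m = re.search(r"(?:Version info:|UpdateNumber=)(\d+)", reply)
    if m:
        info["version"] = int(m.group(1))
    m = re.search(r"Detector=([\d.]+)", reply)
    if m:
        info["detector"] = m.group(1)
    # Works whether the steps arrive on separate lines or run together.
    for name, outcome in re.findall(r"(Attack DB update|Updating [\w\- ]+?) : (\w+)", reply):
        info["steps"][name] = outcome
    return info

def install_ok(reply):
    """True only if the job is done and every reported step succeeded."""
    info = parse_status(reply)
    steps = info["steps"]
    return info["done"] and bool(steps) and all(v == "successful" for v in steps.values())

def update_needed(server_reply, install_reply):
    """Compare the update server's version with the installed UpdateNumber."""
    remote = parse_status(server_reply)["version"]
    local = parse_status(install_reply)["version"]
    if remote is None or local is None:
        raise ValueError("no version number in reply")
    return remote > local
```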
Activate the Policy Template Commit Script
The policy templates are included as a commit script in the IDP security package. Here’s how to activate the commit script:
- Enable the templates.xsl scripts file.
    [edit]
    user@host# set system scripts commit file templates.xsl
  This saves the policy templates to the Junos OS configuration database. You can access the policy templates through the CLI at the [edit security idp idp-policy] hierarchy level.
- Commit the configuration to activate the commit script.
    [edit]
    user@host# commit
Deactivate the Commit Script File
Once you’ve saved the commit script to the Junos OS configuration database, we recommend that you delete or deactivate it to avoid the risk of overwriting the predefined policies with your modifications.
Here’s how to delete or deactivate the commit script file:
Display the List of Predefined Policy Templates
The predefined policy templates in the attack database cover a wide range of network attack scenarios. You can view a list of the predefined policy templates using the set security idp default-policy ? command.
Possible completions:
  <default-policy>  Set active policy
  Client-And-Server-Protection Client-And-Server-Protection-1G Client-Protection Client-Protection-1G DMZ_Services DNS_Service File_Server Getting_Started IDP_Default IPS Policy Recommended Server-Protection Server-Protection-1G Web_Server