
idp-policy (Security)


Hierarchy Level


Configure a security IDP policy.


policy-name—Name of the IDP policy.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 9.2.

Starting with Junos OS Release 18.2R1, the IDP policy is assigned directly in the security policy rule. This simplifies IDP policy usage and provides the flexibility to have multiple policies active at the same time. As part of the session interest check, IDP is enabled if an IDP policy is present in any of the matched rules. An IDP policy is activated in security policies by permitting the IDP policy within the application services, using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command. Because the IDP policy name is used directly in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.

Additional tags under the filters of dynamic attack groups (CVSS score, age-of-attack, file-type, vulnerability-type) are added in Junos OS Release 18.2R1 for dynamic attack grouping of IDP signatures. The Product and Vendor tags are already supported under the existing filter products. The CLI for configuring these tags is now more user friendly, with more configuration options available in Junos OS Release 18.2R1.

Starting in Junos OS Release 18.3R1, with unified policies configured on an SRX Series Firewall, you can configure multiple IDP policies and set one of those policies as the default IDP policy.


If you have configured two or more IDP policies in a unified security policy, then you must configure the default IDP policy.
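
The following audit script is an added example, not part of the Juniper documentation. It reads a configuration in set format and reports a leftover active-policy statement, rules that reference an undefined IDP policy, and two or more referenced IDP policies with no default. It assumes the default is configured with set security idp default-policy (a statement name not shown on this page), that all rules are zone-to-zone rules in the command form given above, and that the sample configuration and its policy names are constructed.

```python
import re

# Constructed sample in Junos "set" format (not taken from a real device).
SAMPLE_CONFIG = """\
set security idp idp-policy web-protect rulebase-ips rule r1 match application default
set security idp idp-policy dc-protect rulebase-ips rule r1 match application default
set security idp active-policy web-protect
set security policies from-zone untrust to-zone dmz policy allow-web then permit application-services idp-policy web-protect
set security policies from-zone trust to-zone dc policy allow-dc then permit application-services idp-policy dc-protect
set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp-policy missing-pol
"""

# Per-rule assignment, in the command form given on this page.
RULE_RE = re.compile(
    r"^set security policies from-zone \S+ to-zone \S+ policy (?P<rule>\S+) "
    r"then permit application-services idp-policy (?P<idp>\S+)$")
DEFINED_RE = re.compile(r"^set security idp idp-policy (?P<idp>\S+)")
ACTIVE_RE = re.compile(r"^set security idp active-policy (?P<idp>\S+)$")
# Assumption: the default IDP policy is set with "set security idp default-policy".
DEFAULT_RE = re.compile(r"^set security idp default-policy (?P<idp>\S+)$")


def audit_idp_config(config_text):
    """Return sorted findings for one set-format configuration."""
    defined, referenced, findings, default = set(), {}, [], None
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := RULE_RE.match(line):
            referenced.setdefault(m["idp"], []).append(m["rule"])
        elif m := DEFINED_RE.match(line):
            defined.add(m["idp"])
        elif m := ACTIVE_RE.match(line):
            findings.append(f"deprecated: active-policy {m['idp']}; assign the IDP policy per rule")
        elif m := DEFAULT_RE.match(line):
            default = m["idp"]
    for idp, rules in referenced.items():
        if idp not in defined:
            findings.append(f"undefined: idp-policy {idp} used by rule(s) {', '.join(rules)}")
    # The page requires a default IDP policy once two or more are configured.
    if len(referenced) >= 2 and default is None:
        findings.append(f"missing-default: {len(referenced)} IDP policies referenced, no default-policy")
    if default is not None and default not in defined:
        findings.append(f"undefined: default-policy {default}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_idp_config(SAMPLE_CONFIG):
        print(finding)
```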