TAP Mode for IDP
The Terminal Access Point (TAP) mode for Intrusion Detection and Prevention (IDP) allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
Understanding TAP Mode Support for IDP
In TAP mode, an SRX Series device is connected to a mirror port of the switch, which provides a copy of the traffic traversing the switch. An SRX Series device in TAP mode processes the incoming traffic from the TAP interface and generates security logs that show the threats detected, application usage, and user details.
When you enable TAP mode on the IDP module, IDP passively monitors traffic flows across the network in IDS (Intrusion Detection System) mode. TAP mode on the IDP module inspects the incoming and outgoing traffic that matches a firewall policy (or policies) with the IDP service enabled. TAP mode cannot block traffic; it only generates security logs, reports, and statistics that show the number of threats detected, application usage, and user details.
In TAP mode, when the SRX Series device is overloaded, mirrored packets may be dropped and IDP may not receive all of the traffic. For such a connection, TAP mode does not generate any security logs, reports, or statistics.
Starting in Junos OS Release 20.3R1, the Terminal Access Point (TAP) mode for IDP support is available for pass-through GRE and IP over IP (IP-IP) tunnel traffic. The TAP mode for IDP allows you to passively monitor traffic flows inside the IP-IP tunnel.
Example: Configuring IDP Policy in TAP mode
This example shows how to configure IDP policies when the SRX device is configured in TAP (Terminal Access Point) mode.
Requirements
This example uses the following hardware and software components:
An SRX Series device
Junos OS Release 19.1R1
Before you begin:
Read the Understanding TAP Mode Support for IDP to understand how and where this procedure fits in the overall support for IDP policies.
Overview
In this example, you configure the SRX Series device to operate in TAP mode. The TAP mode feature provides passive detection of Application Layer threats for traffic matching security policies that have the IDP application service enabled.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise match attacks predefined-attack-groups "Enterprise - Recommended"
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then action no-action
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then notification log-attacks
set security policies from-zone any to-zone any policy tap-mode-policy match source-address any destination-address any
set security policies from-zone any to-zone any policy tap-mode-policy then permit application-services idp-policy Enterprise-Recommended-log-only
Procedure
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure IDP policies in TAP mode:
Configure IDP policies.
user@host# set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise match attacks predefined-attack-groups "Enterprise - Recommended"
user@host# set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then action no-action
user@host# set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then notification log-attacks
Enable IDP in firewall policies.
user@host# set security policies from-zone any to-zone any policy tap-mode-policy match source-address any destination-address any
user@host# set security policies from-zone any to-zone any policy tap-mode-policy then permit application-services idp-policy Enterprise-Recommended-log-only
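A pre-commit check for the two configuration steps above, added here as an example and not part of the Junos documentation or product: it parses a batch of set commands and flags IDP rules that would be silent (no log-attacks notification) or whose action could never take effect in TAP mode, plus security policies that reference an idp-policy that is not defined. The sample commands are the ones from this procedure; the rule-name and action values used in the check are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the set commands from the procedure above, as pasted into the CLI.
SAMPLE_SET_COMMANDS = """
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise match attacks predefined-attack-groups "Enterprise - Recommended"
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then action no-action
set security idp idp-policy Enterprise-Recommended-log-only rulebase-ips rule enterprise then notification log-attacks
set security policies from-zone any to-zone any policy tap-mode-policy match source-address any destination-address any
set security policies from-zone any to-zone any policy tap-mode-policy then permit application-services idp-policy Enterprise-Recommended-log-only
"""

# Only the 'then' leaves of an IDP rule and the idp-policy reference of a security policy matter here.
IDP_RULE_RE = re.compile(
    r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) then (action|notification) (\S+)$")
POLICY_REF_RE = re.compile(
    r"^set security policies from-zone \S+ to-zone \S+ policy (\S+) then permit "
    r"application-services idp-policy (\S+)$")

def lint_tap_config(text):
    """Return findings for IDP rules that would be silent or ineffective in TAP mode."""
    rules = defaultdict(dict)   # (idp-policy, rule) -> {"action": ..., "notification": ...}
    refs = []                   # (security policy name, referenced idp-policy)
    for line in text.strip().splitlines():
        if m := IDP_RULE_RE.match(line.strip()):
            rules[(m[1], m[2])][m[3]] = m[4]
        elif m := POLICY_REF_RE.match(line.strip()):
            refs.append((m[1], m[2]))
    findings = []
    for (pol, rule), attrs in sorted(rules.items()):
        if attrs.get("notification") != "log-attacks":
            findings.append(f"{pol}/{rule}: no 'notification log-attacks', so detections are never logged")
        if attrs.get("action", "no-action") != "no-action":
            findings.append(f"{pol}/{rule}: action '{attrs['action']}' cannot block in TAP mode; use no-action")
    defined = {pol for pol, _ in rules}
    for sec_pol, idp_pol in refs:
        if idp_pol not in defined:
            findings.append(f"policy {sec_pol} references undefined idp-policy '{idp_pol}'")
    for pol in sorted(defined - {idp for _, idp in refs}):
        findings.append(f"idp-policy '{pol}' is defined but no security policy applies it")
    return findings

if __name__ == "__main__":
    for finding in lint_tap_config(SAMPLE_SET_COMMANDS) or ["no findings"]:
        print(finding)
```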
Results
From configuration mode, confirm your configuration by entering the show security idp and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show security idp
idp-policy Enterprise-Recommended-log-only {
    rulebase-ips {
        rule enterprise {
            match {
                attacks {
                    predefined-attack-groups Enterprise-Recommended;
                }
            }
            then {
                action {
                    no-action;
                }
                notification {
                    log-attacks;
                }
            }
        }
    }
}
[edit]
user@host# show security policies
from-zone any to-zone any {
    policy tap-mode-policy {
        match {
            source-address any;
            destination-address any;
        }
        then {
            permit {
                application-services {
                    idp-policy Enterprise-Recommended-log-only;
                }
            }
        }
    }
}
default-policy {
    permit-all;
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying the IDP Configuration in TAP Mode
Purpose
Verify that the IDP configuration is working properly.
Action
From operational mode, enter the show security idp status command.
user@host> show security idp status
node0:
--------------------------------------------------------------------------
State of IDP: Default,  Up since: 2019-01-16 18:10:34 PST (1w6d 07:05 ago)

Packets/second: 0               Peak: 0 @ 2019-01-16 18:19:32 PST
KBits/second  : 0               Peak: 0 @ 2019-01-16 18:19:32 PST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]

Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2019-01-16 18:19:32 PST]
  TCP: [Current: 0] [Max: 0 @ 2019-01-16 18:19:32 PST]
  UDP: [Current: 0] [Max: 0 @ 2019-01-16 18:19:32 PST]
  Other: [Current: 0] [Max: 0 @ 2019-01-16 18:19:32 PST]

Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]

Number of SSL Sessions : 0

Policy Name : none

Forwarding process mode : regular
Meaning
The sample output displays the status of the current IDP policy.
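A passive sensor that receives no mirrored traffic, or has no policy loaded, produces no logs at all, which is the failure mode described under Understanding TAP Mode Support for IDP. The following check, added here as an example and not part of the Junos documentation or product, parses the fields of the show security idp status output above and reports those two conditions; the sample text is an abridged, constructed copy of the page's output and the threshold logic is an assumption.

```python
import re

# Constructed sample, abridged from the 'show security idp status' output shown above
# (only the fields this check reads are kept; the values are as on the page: all zero).
SAMPLE_STATUS = """\
node0:
State of IDP: Default,  Up since: 2019-01-16 18:10:34 PST (1w6d 07:05 ago)
Packets/second: 0               Peak: 0 @ 2019-01-16 18:19:32 PST
KBits/second  : 0               Peak: 0 @ 2019-01-16 18:19:32 PST
Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Number of SSL Sessions : 0
Policy Name : none
Forwarding process mode : regular
"""

def parse_idp_status(text):
    """Pull the fields a TAP-mode health check needs out of 'show security idp status'."""
    def first(pattern, default=None):
        m = re.search(pattern, text)
        return m.group(1) if m else default
    pkt_line = first(r"Packet Statistics:\s*\n([^\n]*)", "")   # the line after the heading
    return {
        "state": first(r"State of IDP:\s*(\w+)"),
        "pps": int(first(r"Packets/second:\s*(\d+)", "0")),
        "packets": {k: int(v) for k, v in re.findall(r"\[(\w+): (\d+)\]", pkt_line)},
        "policy": first(r"Policy Name\s*:\s*(\S+)"),
    }

def tap_health(status):
    """Findings that mean the passive sensor would produce no IDP logs at all."""
    findings = []
    if status["policy"] in (None, "none"):
        findings.append("no IDP policy loaded: check that the security policy's "
                        "application-services idp-policy reference was committed")
    if status["pps"] == 0 and sum(status["packets"].values()) == 0:
        findings.append("IDP has inspected no packets: verify the switch SPAN/mirror "
                        "session is delivering traffic to the TAP interface")
    return findings

if __name__ == "__main__":
    for finding in tap_health(parse_idp_status(SAMPLE_STATUS)) or ["TAP sensor healthy"]:
        print(finding)
```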