TAP Mode for IDP

The Terminal Access Point (TAP) mode for Intrusion Detection and Prevention (IDP) allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

Understanding TAP Mode Support for IDP

In TAP mode, an SRX Series device is connected to a mirror port of the switch, which provides a copy of the traffic traversing the switch. The SRX Series device processes the incoming traffic from the TAP interface and generates security logs that show the threats detected, application usage, and user details.

When you enable TAP mode on the IDP module, IDP passively monitors traffic flows across the network in IDS (Intrusion Detection System) mode. In TAP mode, the IDP module inspects incoming and outgoing traffic that matches a firewall policy or policies with the IDP service enabled. TAP mode can't block traffic, but it generates security logs, reports, and statistics that show the number of threats detected, application usage, and user details.

In TAP mode, when the SRX Series device is overloaded, mirrored packets may be dropped and IDP may not receive all the traffic. In that case, TAP mode does not generate any security logs, reports, or statistics for the affected connection.

Starting in Junos OS Release 20.3R1, TAP mode for IDP supports pass-through GRE and IP over IP (IP-IP) tunnel traffic. TAP mode for IDP allows you to passively monitor traffic flows inside the IP-IP tunnel.

Example: Configuring IDP Policy in TAP mode

This example shows how to configure IDP policies when the SRX Series device is configured in TAP (Terminal Access Point) mode.


This example uses the following hardware and software components:

  • An SRX Series device

  • Junos OS Release 19.1R1

Before you begin:


In this example, you configure the SRX Series device to operate in TAP mode. The TAP mode feature provides passive detection of Application Layer threats for traffic that matches security policies with the IDP application service enabled.


CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.


Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IDP policies in TAP mode:

  1. Configure IDP policies.

  2. Enable IDP in firewall policies.


From configuration mode, confirm your configuration by entering the show security idp and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.
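Because TAP mode only inspects traffic that matches a firewall policy with the IDP service enabled, and its only output is logs, a configuration review can flag policies that would be silent. The following Python check is an added example, not part of the original documentation: it reads configuration in Junos set format and reports permit policies with no IDP policy attached, with an undefined one, or with one whose rules never log attacks. The sample configuration and all names in it are constructed, and the check assumes attack logging is enabled per rule with notification log-attacks.

```python
import re

# Constructed sample in Junos "set" format; all zone, policy and rule names are hypothetical.
SAMPLE_CONFIG = """\
set security idp idp-policy tap-idp rulebase-ips rule r1 then action no-action
set security idp idp-policy tap-idp rulebase-ips rule r1 then notification log-attacks
set security idp idp-policy quiet-idp rulebase-ips rule r1 then action no-action
set security policies from-zone tap to-zone tap policy web match source-address any destination-address any application junos-http
set security policies from-zone tap to-zone tap policy web then permit application-services idp-policy tap-idp
set security policies from-zone tap to-zone tap policy dns then permit application-services idp-policy quiet-idp
set security policies from-zone tap to-zone tap policy rest then permit
"""

IDP_LINE = re.compile(r"^set security idp idp-policy (\S+) (.*)$")
IDP_LOGS = re.compile(r"^rulebase-ips rule \S+ then notification log-attacks\b")
FW_PERMIT = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit\b(.*)$")
FW_IDP = re.compile(r"\bapplication-services idp-policy (\S+)")


def audit_tap_idp(config):
    """Return the firewall policies whose traffic yields no IDP logs in TAP mode."""
    defined, logging, permits = set(), set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := IDP_LINE.match(line):
            defined.add(m.group(1))
            if IDP_LOGS.match(m.group(2)):
                logging.add(m.group(1))
        elif m := FW_PERMIT.match(line):
            name = "{}->{}:{}".format(*m.groups()[:3])
            idp = FW_IDP.search(m.group(4))
            # A policy can have several "then permit ..." lines; keep any IDP reference seen.
            permits[name] = idp.group(1) if idp else permits.get(name)
    report = {"no_idp": [], "undefined_idp": [], "no_logging": []}
    for name, idp in sorted(permits.items()):
        if idp is None:
            report["no_idp"].append(name)         # traffic never reaches the IDP module
        elif idp not in defined:
            report["undefined_idp"].append(name)  # references an IDP policy that is missing
        elif idp not in logging:
            report["no_logging"].append(name)     # inspected, but no rule logs attacks
    return report


if __name__ == "__main__":
    for finding, policies in audit_tap_idp(SAMPLE_CONFIG).items():
        print(finding, policies)
```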


To confirm that the configuration is working properly, perform these tasks:

Verifying the IDP Configuration in TAP Mode


Verify that the IDP configuration is working properly.


From operational mode, enter the show security idp status command.


The sample output displays the status of the current IDP policy.