
TAP Mode for IDP

The Terminal Access Point (TAP) mode for Intrusion Detection and Prevention (IDP) allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.

Understanding TAP Mode Support for IDP

In TAP mode, the SRX Series Firewall is connected to a mirror port of the switch, which provides a copy of the traffic traversing the switch. An SRX Series Firewall in TAP mode processes the traffic arriving on its TAP interface and generates security logs that report the threats detected, application usage, and user details.

When you enable TAP mode on the IDP module, IDP passively monitors traffic flows across the network in IDS (Intrusion Detection System) mode. The IDP module in TAP mode inspects the incoming and outgoing traffic that matches a firewall policy (or policies) with the IDP service enabled. Because it sees only a copy of the traffic, TAP mode cannot block traffic; it only generates security logs, reports, and statistics that show the number of threats detected, application usage, and user details.

In TAP mode, when the SRX Series Firewall is overloaded, mirrored packets may be dropped and IDP may not receive all of the traffic for a connection. Because a dropped mirrored packet cannot be retransmitted, TAP mode then generates no security logs, reports, or statistics for that connection. Monitoring coverage in TAP mode therefore depends on the device having enough capacity to keep up with the mirrored traffic.

Starting in Junos OS Release 20.3R1, TAP mode for IDP is also supported for pass-through GRE and IP over IP (IP-IP) tunnel traffic. TAP mode for IDP then allows you to passively monitor traffic flows inside these tunnels.

Example: Configuring IDP Policy in TAP mode

This example shows how to configure IDP policies when the SRX Series Firewall is configured in TAP (Terminal Access Point) mode.

Requirements

This example uses the following hardware and software components:

  • An SRX Series Firewall

  • Junos OS Release 19.1R1

Overview

In this example, you configure the SRX Series Firewall to operate in TAP mode. The TAP mode feature provides passive detection of application-layer threats for traffic matching security policies that have the IDP application service enabled.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Procedure

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IDP policies in TAP mode:

  1. Configure IDP policies.

  2. Enable IDP in firewall policies.
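The two steps above, as an added example that is not part of the original page and not Juniper's own quick configuration. It assumes the device is already in TAP mode and that the TAP interface sits in a zone named tap-zone (both the zone name and the policy, rule and IDP policy names tap-ids-policy, ids-all and idp-tap are assumptions). The IDP rule uses the predefined attack group "HTTP - All" only as an illustrative match. Because TAP mode cannot block traffic, the rule action is no-action with logging enabled; a drop action would have no effect on the live flow and would only make the logs misleading.

```junos
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match from-zone any
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match source-address any
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match to-zone any
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match destination-address any
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match application default
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all then action no-action
set security idp idp-policy tap-ids-policy rulebase-ips rule ids-all then notification log-attacks
set security policies from-zone tap-zone to-zone tap-zone policy idp-tap match source-address any
set security policies from-zone tap-zone to-zone tap-zone policy idp-tap match destination-address any
set security policies from-zone tap-zone to-zone tap-zone policy idp-tap match application any
set security policies from-zone tap-zone to-zone tap-zone policy idp-tap then permit application-services idp-policy tap-ids-policy
set security policies from-zone tap-zone to-zone tap-zone policy idp-tap then log session-close
```

The first block (step 1) defines the IDP policy and its IPS rule; the second block (step 2) attaches that IDP policy to a security policy with permit application-services idp-policy, which is what actually causes matching sessions to be inspected. Adjust the zone pair to match how your TAP interface is zoned; traffic that matches no IDP-enabled policy is never inspected and produces no IDP logs. After committing, show security idp status, show security idp attack table, and show security policies detail let you confirm that the IDP policy is loaded, that attacks are being recorded, and that the security policy references the IDP policy.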

Results

From configuration mode, confirm your configuration by entering the show security idp and show security policies commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the IDP Configuration in TAP Mode

Purpose

Verify that the IDP configuration is working properly.

Action

From operational mode, enter the show security idp status command.

Meaning

The sample output displays the status of the current IDP policy.