Update IDP Signature Database

Juniper Networks regularly updates the predefined attack database and makes it available on the Juniper Networks website. This database includes attack object groups that you can use in IDP policies to match traffic against known attacks. Although you cannot create, edit, or delete predefined attack objects, you can use the CLI to update the list of attack objects that you can use in IDP policies.

To update the signature database, you download a security package from the Juniper Networks website or through an explicit Web proxy server. The security package consists of the following IDP components:

Table 1: IDP Components

Attack Objects: Individual signatures that detect specific attack patterns.

Attack Object Groups: Collections of related attack objects grouped for easier policy management.

Application Objects: Specific applications used for traffic inspection and policy enforcement.

IDP Detector Engine Updates: Enhancements that improve signature detection and accuracy.

IDP Policy Templates: Predefined rule sets for quick policy configuration. See Understanding Predefined IDP Policy Templates.

By default, downloading the security package places the following components in a Staging folder on your device:

  • Latest version of the complete attack object groups table

  • Application objects table

  • Updates to the IDP Detector Engine

Because of its size, the attack objects table is downloaded as incremental updates only by default; use the full-update option to download the complete table. After downloading, install the package to apply the new updates to the security database. Committing the configuration after installation checks every policy for syntax, in the same way as a commit check.

If an attack referenced in any policy has been removed from the new signature database, the commit check fails. Updating the IDP signature database does not automatically update the attacks referenced in policies. For example, if a policy references attack FTP:USER:ROOT in version 1200 and you download version 1201, which no longer contains it, the commit check fails. Remove the missing attack from your policy to commit successfully. IDP signature updates can also fail if loading a new IDP policy fails; in that case the system loads the last known good policy, and updates succeed again once the issue is resolved and a valid policy is active.

Example: Update the Signature Database Automatically

This example shows how to download signature database updates automatically.

Requirements

Before you begin, configure network interfaces.

Overview

You can configure your device to automatically download the signature database updates at specified intervals.

In this example, you download the security package with the complete table of attack objects and attack object groups every 48 hours, starting at 11:59 p.m. on December 10. You also enable an automatic download and update of the security package.

Configuration

Procedure

Step-by-Step Procedure

To download and update the predefined attack objects:

  1. Specify the URL for the security package.

    By default, the URL is https://signatures.juniper.net/cgi-bin/index.cgi.

  2. Specify the time and interval value for the download.

  3. Enable the automatic download and update of the security package.

  4. If you are done configuring the device, commit the configuration.
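The four steps above as a Junos CLI session. This is an added example, not CLI output from the page; the hostname, the year in the start time (the page gives only the date and time) and the use of 2024 are assumptions, and lines beginning with "##" are commentary rather than CLI input.

```junos
## Added example: scheduling automatic IDP security-package downloads (assumed hostname "host").
## Step 1: point the device at the signature server (the page's default URL).
[edit]
user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi

## Step 2: start at 11:59 p.m. on December 10 and repeat every 48 hours.
## The start-time format is YYYY-MM-DD.hh:mm:ss; the year 2024 is an assumption.
user@host# set security idp security-package automatic start-time 2024-12-10.23:59:00 interval 48

## Step 3: enable the scheduled download and install.
user@host# set security idp security-package automatic enable

## Step 4: review the security-package stanza, then commit.
user@host# show security idp security-package
user@host# commit

## Verification from operational mode: report the installed attack-database and detector versions.
user@host# exit
user@host> show security idp security-package-version
```

Because the commit check validates every policy against the installed database, schedule the interval so that someone reviews the install status after each run; a removed attack that is still referenced in a policy leaves the device on the last known good policy until the reference is cleaned up.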

Verification

To confirm that the configuration is working properly, perform this task:

Verify the IDP Signature Database

Purpose

Display the IDP signature database.

Action

From operational mode, enter the show security idp command.

Example: Update the IDP Signature Database Manually

After downloading the security package, you must install the package to update the security database with the newly downloaded updates from the Staging folder in your device.

This example shows how to update the IDP signature database manually.

Requirements

Before you begin, configure network interfaces.

Overview

In this example, you download the security package with the complete table of attack objects and attack object groups. Once the installation is completed, the attack objects and attack object groups are available in the CLI under the predefined-attack-groups and predefined-attacks configuration statements at the [edit security idp idp-policy] hierarchy level. You create a policy and specify the new policy as the active policy. You also download only the updates that Juniper Networks has recently uploaded and then update the attack database, the running policy, and the detector with these new updates.

Configuration

Procedure

CLI Quick Configuration

CLI quick configuration is not available for this example because manual intervention is required during the configuration.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To manually download and update the signature database:

  1. Specify the URL for the security package.

    The default URL is https://signatures.juniper.net/cgi-bin/index.cgi.

  2. Commit the configuration.

  3. Switch to operational mode.

  4. Download the security package.

    You can also perform an offline signature package download. Download the signature package, copy it to any common location on the device, and then load it offline with the request security idp security-package offline-download command.

    Installation of an offline package is the same as for an online download, and an offline package is always a full update.

  5. Check the security package download status.

  6. Update the attack database using the install command.

  7. Check the attack database update status with the following command (the command output shows the downloaded and installed versions of the attack database):

  8. Switch to configuration mode.

  9. Create an IDP policy.

  10. Associate attack objects or attack object groups with the policy.

  11. Specify whether an action is required when the rule matches.

  12. Activate the policy.

  13. Commit the configuration.

  14. After a week, download only the updates that Juniper Networks has recently uploaded.

  15. Check the security package download status.

  16. Update the attack database, the active policy, and the detector with the new changes.

  17. Check the attack database, the active policy, and the detector using the install status command.

    It is possible that an attack might be removed from the new version of an attack database. If this attack is used in an existing policy on your device, the installation of the new database will fail. An installation status message identifies the attack that is no longer valid. To update the database successfully, remove all references to the deleted attack from your existing policies and groups, and rerun the install command.
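The manual procedure above, including the offline-download alternative and the removed-attack failure case from the final note, as a Junos CLI session. This is an added example, not the page's own CLI output; the hostname, the policy and rule names, the package file path, and the predefined attack group "Response_Critical" (assumed to be present in the installed database) are assumptions, while FTP:USER:ROOT is the attack the page itself uses to illustrate a removed object. Lines beginning with "##" are commentary, not CLI input.

```junos
## Added example: manual IDP signature-database update (assumed hostname "host").
## Steps 1-2: set the download URL (the page's default) and commit.
[edit]
user@host# set security idp security-package url https://signatures.juniper.net/cgi-bin/index.cgi
user@host# commit

## Steps 3-5: from operational mode, download the complete attack-object tables and poll the download status.
user@host# exit
user@host> request security idp security-package download full-update
user@host> request security idp security-package download status

## Step 4, offline alternative: the package was copied to the device beforehand (path is a placeholder).
user@host> request security idp security-package offline-download package-path /var/tmp/signature-package-file

## Steps 6-7: install the staged package into the attack database, then check the installed version.
user@host> request security idp security-package install
user@host> request security idp security-package install status
user@host> show security idp security-package-version

## Steps 8-13: create a policy referencing the new objects, pick a rule action, and make it the active policy.
user@host> configure
user@host# set security idp idp-policy example-policy rulebase-ips rule rule1 match attacks predefined-attack-groups "Response_Critical"
user@host# set security idp idp-policy example-policy rulebase-ips rule rule1 match attacks predefined-attacks FTP:USER:ROOT
user@host# set security idp idp-policy example-policy rulebase-ips rule rule1 then action drop-connection
user@host# set security idp active-policy example-policy
user@host# commit
user@host# exit

## Steps 14-17: later, fetch only the incremental updates, install them, and check the status.
user@host> request security idp security-package download
user@host> request security idp security-package download status
user@host> request security idp security-package install
user@host> request security idp security-package install status

## Failure case from the final note: install status reports that FTP:USER:ROOT no longer exists
## in the new database. Remove every reference to it (the rule keeps its group match, so it stays
## valid), commit, and rerun the install.
user@host> configure
user@host# delete security idp idp-policy example-policy rulebase-ips rule rule1 match attacks predefined-attacks FTP:USER:ROOT
user@host# commit
user@host# exit
user@host> request security idp security-package install
user@host> request security idp security-package install status
```

Keep at least one match object in each rule when you delete a stale attack reference; deleting the only reference leaves the rule without a match condition. Poll the download status before running install, since an install started while the download is still in progress has nothing to apply.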

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verify the IDP Signature Database Manually

Purpose

Display the IDP signature database manually.

Action

From operational mode, enter the show security idp command.