IDP for Logical Systems
An Intrusion Detection and Prevention (IDP) policy in logical systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series device. SRX Series devices offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. For more information, see the following topics:
IDP in Logical Systems Overview
A Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a logical system.
This topic includes the following sections:
IDP Policies
The primary administrator configures IDP policies at the root level. Configuring an IDP policy for logical systems is similar to configuring an IDP policy on a device that is not configured for logical systems. This can include the configuration of custom attack objects.
IDP policy templates installed in the root logical system are visible to, and can be used by, all logical systems.
The primary administrator then specifies an IDP policy in the security profile that is bound to a logical system. To enable IDP in a logical system, the primary administrator or user logical system administrator configures a security policy that defines the traffic to be inspected and specifies the `permit application-services idp` action.
Although the primary administrator can configure multiple IDP policies, a logical system can have only one active IDP policy at a time. For user logical systems, the primary administrator can either bind the same IDP policy to multiple user logical systems or bind a unique IDP policy to each user logical system. To specify the active IDP policy for the primary logical system, the primary administrator can either reference the IDP policy in the security profile that is bound to the primary logical system or use the `active-policy` configuration statement at the `[edit security idp]` hierarchy level.
The root administrator configures the maximum number of IDP sessions reserved for the root logical system and for each user logical system. The number of IDP sessions allowed for the root logical system is defined with the command `set security idp max-sessions max-sessions`, and the number allowed for a user logical system is defined with the command `set security idp logical-system logical-system max-sessions max-sessions`.
A commit error is generated if an IDP policy is both configured in the security profile that is bound to the primary logical system and specified with the `active-policy` configuration statement. Use only one method to specify the active IDP policy for the primary logical system.
If more than one IDP policy is configured in a security policy, a default IDP policy must also be configured.
A default IDP policy configuration is supported when multiple IDP policies are available; the default IDP policy is one of those policies. For more information about configuring multiple IDP policies and the default IDP policy, see IDP Policy Selection for Unified Policies.
The logical system administrator performs the following actions:
- Configure multiple IDP policies and attach them to the firewall policies used by the user logical systems. If no IDP policy is configured for a user logical system, the default IDP policy configured by the primary administrator is used. The IDP policy is bound to the user logical system through a logical system security policy.
- Create or modify IDP policies for their user logical systems. The IDP policies are bound to user logical systems. When an IDP policy is changed and the commit succeeds, existing sessions mapped to the current active policy continue to use the old combined IDP policy. When an IDP policy is changed and the commit fails, only the logical system user who initiated the commit is notified of the failure.
- Create security zones in the user logical system and assign interfaces to each security zone. Zones that are specific to user logical systems cannot be referenced in IDP policies configured by the primary administrator. The primary administrator can reference zones in the primary logical system in an IDP policy configured for the primary logical system.
- View the detected attack statistics, IDP counters, attack table, and policy commit status for the individual logical system with the commands `show security idp counters`, `show security idp attack table`, `show security idp policies`, `show security idp policy-commit-status`, and `show security idp security-package-version`.
Limitation
When an IDP policy is changed and compiled in a specific user logical system, the change is treated as a single global policy change, and the policies of all logical systems are recompiled.
IDP Installation and Licensing for Logical Systems
An idp-sig license must be installed at the root level. Once IDP is enabled at the root level, it can be used with any logical system on the device.
A single IDP security package is installed for all logical systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all logical systems.
Understanding IDP Features in Logical Systems
This topic includes the following sections:
Rulebases
A single IDP policy can contain only one instance of any type of rulebase. The following IDP rulebases are supported for logical systems:
- The intrusion prevention system (IPS) rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signatures and protocol anomalies.
- The application-level distributed denial-of-service (DDoS) rulebase defines parameters to protect servers such as DNS or HTTP servers. The application-level DDoS rulebase defines the source match condition for traffic that should be monitored and takes an action, such as dropping the connection, dropping the packet, or no action. It can also perform actions against future connections that use the same IP address.
Status monitoring for IPS and application-level DDoS is global to the device and not on a per logical system basis.
Protocol Decoders
The Junos IDP module ships with a set of preconfigured protocol decoders. These protocol decoders have default settings for the various protocol-specific contextual checks that they perform. The IDP protocol decoder configuration is global and applies to all logical systems. Only the primary administrator at the root level can modify the settings at the `[edit security idp sensor-configuration]` hierarchy level.
SSL Inspection
IDP SSL inspection uses the Secure Sockets Layer (SSL) protocol suite to enable inspection of HTTP traffic encrypted in SSL.
SSL inspection configuration is global and applies to all logical systems on a device. SSL inspection can only be configured by the primary administrator at the root level with the `ssl-inspection` configuration statement at the `[edit security idp sensor-configuration]` hierarchy level.
Inline Tap Mode
The inline tap mode feature provides passive, inline detection of Application Layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to get to the next service module without waiting for IDP processing results.
Inline tap mode is enabled or disabled for all logical systems at the root level by the primary administrator. To enable inline tap mode, use the `inline-tap` configuration statement at the `[edit security forwarding-process application-services maximize-idp-sessions]` hierarchy level. Delete the inline tap mode configuration to switch the device back to regular mode.
The device must be restarted when switching to inline tap mode or back to regular mode.
Multi-Detectors
When a new IDP security package is received, it contains attack definitions and a detector. After a new policy is loaded, it is also associated with a detector. If the policy being loaded has an associated detector that matches the detector already in use by the existing policy, the new detector is not loaded and both policies use a single associated detector. But if the new detector does not match the current detector, the new detector is loaded along with the new policy. In this case, each loaded policy will then use its own associated detector for attack detection.
The version of the detector is common to all logical systems.
Logging and Monitoring
Status monitoring options are available to the primary administrator only. All status monitoring options under the `show security idp` and `clear security idp` CLI operational commands present global information, not per-logical-system information.
SNMP monitoring for IDP is not supported on logical systems.
IDP generates event logs when an event matches an IDP policy rule in which logging is enabled.
The logical system identifier is added to the following types of IDP traffic processing logs:
Attack logs. The following example shows an attack log for the ls-product-design logical system:
```
Feb 22 14:06:00 aqgpo1ifw01 RT_IDP: %-IDP_ATTACK_LOG_EVENT_LS: Lsys A01: IDP: At 1329883555, ANOMALY Attack log <10.1.128.200/33699->192.168.22.84/80> for TCP protocol and service HTTP application NONE by rule 4 of rulebase IPS in policy Policy1. attack: repeat=3, action=NONE, threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:NSS-Mgmt:reth0.55->SIEM-MGMT:reth0.60, packet-log-id: 0 and misc-message
```
Note: In the IDP attack detection event log message (IDP_ATTACK_LOG_EVENT_LS), the time-elapsed, inbytes, outbytes, inpackets, and outpackets fields are not populated.
IP action logs. The following example shows an IP action log for the ls-product-design logical system:
```
Oct 13 16:56:04 8.0.0.254 RT_IDP: IDP_ATTACK_LOG_EVENT_LS: IDP: In ls-product-design at 1287014163, TRAFFIC Attack log <25.0.0.1/34802->15.0.0.1/21> for TCP protocol and service SERVICE_NONE application NONE by rule 1 of rulebase IPS in policy Recommended. attack: repeat=0, action=TRAFFIC_IPACTION_NOTIFY, threat-severity=INFO, name=_, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:ls-product-design-trust:ge-0/0/1.0->ls-product-design-untrust:plt0.3, packet-log-id: 0 and misc-message -
```
Application DDoS logs. The following example shows an application DDoS log for the ls-product-design logical system:
```
Oct 11 16:29:57 8.0.0.254 RT_IDP: IDP_APPDDOS_APP_ATTACK_EVENT_LS: DDOS Attack in ls-product-design at 1286839797 on my-http, <ls-product-design-untrust:ge-0/0/0.0:4.0.0.1:33738->ls-product-design-trust:ge-0/0/1.0:5.0.0.1:80> for TCP protocol and service HTTP by rule 1 of rulebase DDOS in policy Recommended. attack: repeats 0 action DROP threat-severity INFO, connection-hit-rate 0, context-name http-url-parsed, hit-rate 6, value-hit-rate 6 time-scope PEER time-count 2 time-period 10 secs, context value: ascii: /abc.html hex: 2f 61 62 63 2e 68 74 6d 6c
```
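Because the `show security idp` commands report only global status, the `_LS` log messages above are the per-logical-system record of IDP activity. The following added example (not part of the Junos documentation) parses the three message shapes shown above into flat records suitable for a SIEM, handling both the `Lsys <name>:` and `in <name> at <epoch>` forms of the logical system identifier, and skips the counter fields the note says are not populated. The fourth sample line is a constructed non-IDP record included to show that unrelated syslog lines are ignored.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample input: the three IDP *_LS log lines quoted on this page, plus one
# constructed non-IDP line to show that unrelated syslog records are ignored.
SAMPLE_LOGS = [
    "Feb 22 14:06:00 aqgpo1ifw01 RT_IDP: %-IDP_ATTACK_LOG_EVENT_LS: Lsys A01: IDP: At 1329883555, "
    "ANOMALY Attack log <10.1.128.200/33699->192.168.22.84/80> for TCP protocol and service HTTP "
    "application NONE by rule 4 of rulebase IPS in policy Policy1. attack: repeat=3, action=NONE, "
    "threat-severity=INFO, name=HTTP:AUDIT:URL, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, "
    "inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:NSS-Mgmt:reth0.55->SIEM-MGMT:reth0.60, "
    "packet-log-id: 0 and misc-message",
    "Oct 13 16:56:04 8.0.0.254 RT_IDP: IDP_ATTACK_LOG_EVENT_LS: IDP: In ls-product-design at 1287014163, "
    "TRAFFIC Attack log <25.0.0.1/34802->15.0.0.1/21> for TCP protocol and service SERVICE_NONE "
    "application NONE by rule 1 of rulebase IPS in policy Recommended. attack: repeat=0, "
    "action=TRAFFIC_IPACTION_NOTIFY, threat-severity=INFO, name=_, NAT <0.0.0.0:0->0.0.0.0:0>, "
    "time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, "
    "intf:ls-product-design-trust:ge-0/0/1.0->ls-product-design-untrust:plt0.3, packet-log-id: 0 and misc-message -",
    "Oct 11 16:29:57 8.0.0.254 RT_IDP: IDP_APPDDOS_APP_ATTACK_EVENT_LS: DDOS Attack in ls-product-design "
    "at 1286839797 on my-http, <ls-product-design-untrust:ge-0/0/0.0:4.0.0.1:33738->"
    "ls-product-design-trust:ge-0/0/1.0:5.0.0.1:80> for TCP protocol and service HTTP by rule 1 of "
    "rulebase DDOS in policy Recommended. attack: repeats 0 action DROP threat-severity INFO, "
    "connection-hit-rate 0, context-name http-url-parsed, hit-rate 6, value-hit-rate 6 time-scope PEER "
    "time-count 2 time-period 10 secs, context value: ascii: /abc.html hex: 2f 61 62 63 2e 68 74 6d 6c",
    "Oct 13 16:56:05 8.0.0.254 RT_FLOW: RT_FLOW_SESSION_CLOSE: (constructed non-IDP line, ignored)",
]

# Only the logical-system-tagged IDP message types (suffix _LS) are of interest here.
MSG_RE = re.compile(r"RT_IDP: (?:%-)?(IDP_[A-Z_]+_LS):")
# Two spellings of the lsys identifier appear: "Lsys A01:" and "In ls-product-design at <epoch>".
LSYS_RE = re.compile(r"Lsys (\S+):|\b[Ii]n (\S+) at \d+")
EPOCH_RE = re.compile(r"\b[Aa]t (\d{9,})")
# Flow tuple: "<ip/port->ip/port>" in attack logs, "<zone:intf:ip:port->zone:intf:ip:port>" in DDoS logs.
FLOW_RE = re.compile(
    r"<(?:[^<>]*?:)?(\d{1,3}(?:\.\d{1,3}){3})[/:](\d+)->"
    r"(?:[^<>]*?:)?(\d{1,3}(?:\.\d{1,3}){3})[/:](\d+)>"
)
RULE_RE = re.compile(r"by rule (\d+) of rulebase (\w+) in policy (\S+?)\.")
# Attack logs use "key=value", DDoS logs use "key value"; accept either separator.
ACTION_RE = re.compile(r"\baction[= ]([A-Z_]+)")
SEVERITY_RE = re.compile(r"threat-severity[= ]([A-Z]+)")
NAME_RE = re.compile(r"\bname=([^,]+)")
KIND_RE = re.compile(r"\b(\w+) Attack log\b")
DDOS_CTX_RE = re.compile(r"context-name ([^,\s]+).*?context value: ascii: (\S+)")


def _first(rx, line: str) -> Optional[str]:
    m = rx.search(line)
    return m.group(1) if m else None


def parse_idp_ls_log(line: str) -> Optional[Dict[str, object]]:
    """Parse one *_LS IDP log line into a flat record; None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg_type = m.group(1)
    lsys = LSYS_RE.search(line)
    flow = FLOW_RE.search(line)
    rule = RULE_RE.search(line)
    kind = _first(KIND_RE, line)
    epoch = _first(EPOCH_RE, line)
    rec: Dict[str, object] = {
        "msg_type": msg_type,
        "lsys": (lsys.group(1) or lsys.group(2)) if lsys else None,
        "epoch": int(epoch) if epoch else None,
        "kind": "DDOS" if "APPDDOS" in msg_type else kind,
        "src": f"{flow.group(1)}:{flow.group(2)}" if flow else None,
        "dst": f"{flow.group(3)}:{flow.group(4)}" if flow else None,
        "rule": int(rule.group(1)) if rule else None,
        "rulebase": rule.group(2) if rule else None,
        "policy": rule.group(3) if rule else None,
        "action": _first(ACTION_RE, line),
        "severity": _first(SEVERITY_RE, line),
        "attack": _first(NAME_RE, line),
    }
    # time-elapsed, inbytes, outbytes, inpackets and outpackets are documented as
    # not populated in IDP_ATTACK_LOG_EVENT_LS, so they are deliberately not exported.
    if rec["kind"] == "DDOS":
        ctx = DDOS_CTX_RE.search(line)
        if ctx:
            rec["context_name"], rec["context_value"] = ctx.group(1), ctx.group(2)
    return rec


def events_per_lsys(lines: List[str]) -> Dict[str, int]:
    """Count *_LS IDP events by logical system; this is the per-lsys view the CLI lacks."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_idp_ls_log(line)
        if rec and rec["lsys"]:
            counts[str(rec["lsys"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for r in (parse_idp_ls_log(l) for l in SAMPLE_LOGS):
        print(r)
    print(events_per_lsys(SAMPLE_LOGS))
```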
Example: Configuring an IDP Policy for the Primary Logical Systems
This example shows how to configure an IDP policy in a primary logical system.
Requirements
Before you begin:
- Log in to the primary logical system as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.
- Use the `show system security-profile` command to see the resources allocated to the primary logical system.
Overview
In this example you configure a custom attack that is used in an IDP policy. The IDP policy is specified in a security profile that is applied to the primary logical system. IDP is then enabled in a security policy configured in the primary logical system.
You configure the features described in Table 1.
Feature | Name | Configuration Parameters
---|---|---
Custom attack | http-bf | Severity: critical. Time binding: count 3, scope peer. Signature: context http-url-parsed, pattern .*juniper.*, direction client-to-server.
IPS rulebase policy | root-idp-policy | Match: application default; attacks custom-attacks http-bf. Action: drop-connection; notification log-attacks.
Logical system security profile | primary-profile (previously configured and applied to root-logical-system) | Add IDP policy root-idp-policy.
Security policy | enable-idp | Enable IDP in a security policy that matches any traffic from the lsys-root-untrust zone to the lsys-root-trust zone.
A logical system can have only one active IDP policy at a time. To specify the active IDP policy for the primary logical system, the primary administrator can reference the IDP policy in the security profile that is bound to the primary logical system, as shown in this example. Alternatively, the primary administrator can use the `active-policy` configuration statement at the `[edit security idp]` hierarchy level.
A commit error is generated if an IDP policy is both configured in the security profile that is bound to the primary logical system and specified with the `active-policy` configuration statement. Use only one method to specify the active IDP policy for the primary logical system.
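The two rules stated here and in the IDP Policies overview (one active policy per logical system, chosen by exactly one method for the primary logical system, with the default IDP policy applying to a user logical system whose profile names none) can be checked before a commit is attempted. The following added example (not part of the Junos documentation) lints a configuration in `set` form for those conditions. The sample configuration is constructed for the example; it assumes `set system security-profile <profile> root-logical-system` is the binding for the primary logical system, and it deliberately names the primary system's active policy both ways so that the commit-error case is exercised.

```python
from typing import Dict, List, Set, Tuple

ROOT = "root-logical-system"

# Constructed sample configuration (not from any real device). It contains the
# commit-error case (both methods used for the primary logical system) and a user
# logical system that enables IDP without an IDP policy in its security profile.
SAMPLE_CONFIG = """
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy Recommended rulebase-ips rule 1 match application default
set security idp active-policy root-idp-policy
set system security-profile master-profile idp-policy root-idp-policy
set system security-profile master-profile root-logical-system
set system security-profile ls-design-profile idp-policy Recommended
set system security-profile ls-design-profile logical-system ls-product-design
set system security-profile ls-dev-profile logical-system ls-dev
set logical-systems ls-dev security policies from-zone trust to-zone untrust policy p1 then permit application-services idp
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp then permit application-services idp
"""


def _enables_idp(tok: List[str]) -> bool:
    """True when the statement ends in '... then permit application-services idp'."""
    if "permit" not in tok or "application-services" not in tok:
        return False
    i = tok.index("application-services")
    return i + 1 < len(tok) and tok[i + 1] == "idp"


def lint_idp_bindings(config_text: str) -> List[Tuple[str, str, str]]:
    """Return (level, subject, message) findings about IDP policy bindings."""
    defined: Set[str] = set()            # IDP policies present under security idp
    active_policy = None                 # set security idp active-policy <name>
    profile_policy: Dict[str, str] = {}  # security profile -> idp-policy
    profile_lsys: Dict[str, str] = {}    # security profile -> logical system it is bound to
    idp_enabled: Set[str] = set()        # logical systems with an IDP-enabled security policy

    for raw in config_text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1:3] == ["security", "idp"]:
            if tok[3] == "idp-policy" and len(tok) > 4:
                defined.add(tok[4])
            elif tok[3] == "active-policy" and len(tok) > 4:
                active_policy = tok[4]
        elif tok[1:3] == ["system", "security-profile"] and len(tok) > 4:
            profile = tok[3]
            if tok[4] == "idp-policy" and len(tok) > 5:
                profile_policy[profile] = tok[5]
            elif tok[4] == "logical-system" and len(tok) > 5:
                profile_lsys[profile] = tok[5]
            elif tok[4] == "root-logical-system":   # assumed syntax for the primary lsys binding
                profile_lsys[profile] = ROOT
        elif tok[1] == "logical-systems" and _enables_idp(tok):
            idp_enabled.add(tok[2])
        elif tok[1:3] == ["security", "policies"] and _enables_idp(tok):
            idp_enabled.add(ROOT)

    lsys_policy = {lsys: profile_policy.get(p) for p, lsys in profile_lsys.items()}
    findings: List[Tuple[str, str, str]] = []

    # Both methods used for the primary logical system: the page states this is a commit error.
    if active_policy and lsys_policy.get(ROOT):
        findings.append((
            "ERROR", ROOT,
            f"active IDP policy named both in the security profile ({lsys_policy[ROOT]}) "
            f"and with active-policy ({active_policy}); the commit fails, use one method",
        ))
    # A profile that names an IDP policy this configuration does not define.
    for profile, policy in profile_policy.items():
        if policy not in defined:
            findings.append(("WARN", profile, f"references IDP policy {policy!r} not defined under security idp"))
    # IDP enabled in a security policy without an IDP policy for that logical system.
    for lsys in sorted(idp_enabled):
        if lsys == ROOT:
            if not (active_policy or lsys_policy.get(ROOT)):
                findings.append(("WARN", ROOT, "IDP enabled but no active IDP policy named by either method"))
        elif not lsys_policy.get(lsys):
            findings.append(("INFO", lsys, "IDP enabled but the bound security profile names no IDP policy; "
                                           "the primary administrator's default IDP policy applies"))
    return findings


if __name__ == "__main__":
    for level, subject, msg in lint_idp_bindings(SAMPLE_CONFIG):
        print(f"{level:5} {subject}: {msg}")
```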
Configuration
- Configuring a Custom Attack
- Configuring an IDP Policy for the Primary Logical System
- Enabling IDP in a Security Policy
Configuring a Custom Attack
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set security idp custom-attack http-bf severity critical
set security idp custom-attack http-bf time-binding count 3
set security idp custom-attack http-bf time-binding scope peer
set security idp custom-attack http-bf attack-type signature context http-url-parsed
set security idp custom-attack http-bf attack-type signature pattern .*juniper.*
set security idp custom-attack http-bf attack-type signature direction client-to-server
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a custom attack object:
Log in to the primary logical system as the primary administrator and enter configuration mode.
```
[edit]
admin@host> configure
admin@host#
```
Create the custom attack object and set the severity level.
```
[edit security idp]
admin@host# set custom-attack http-bf severity critical
```
Configure attack detection parameters.
```
[edit security idp]
admin@host# set custom-attack http-bf time-binding count 3
admin@host# set custom-attack http-bf time-binding scope peer
```
Configure stateful signature parameters.
```
[edit security idp]
admin@host# set custom-attack http-bf attack-type signature context http-url-parsed
admin@host# set custom-attack http-bf attack-type signature pattern .*juniper.*
admin@host# set custom-attack http-bf attack-type signature direction client-to-server
```
Results
From configuration mode, confirm your configuration by entering the `show security idp custom-attack http-bf` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
admin@host# show security idp custom-attack http-bf
severity critical;
time-binding {
    count 3;
    scope peer;
}
attack-type {
    signature {
        context http-url-parsed;
        pattern .*juniper.*;
        direction client-to-server;
    }
}
```
If you are done configuring the device, enter `commit` from configuration mode.
Configuring an IDP Policy for the Primary Logical System
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match application default
set security idp idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
set system security-profile master-profile idp-policy root-idp-policy
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure an IDP policy:
Create the IDP policy and configure match conditions.
```
[edit security idp]
admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match application default
admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 match attacks custom-attacks http-bf
```
Configure actions for the IDP policy.
```
[edit security idp]
admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then action drop-connection
admin@host# set idp-policy root-idp-policy rulebase-ips rule 1 then notification log-attacks
```
Add the IDP policy to the security profile.
```
[edit system security-profile master-profile]
admin@host# set idp-policy root-idp-policy
```
Results
From configuration mode, confirm your configuration by entering the `show security idp idp-policy root-idp-policy` and `show system security-profile master-profile` commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
admin@host# show security idp idp-policy root-idp-policy
rulebase-ips {
    rule 1 {
        match {
            application default;
            attacks {
                custom-attacks http-bf;
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks;
            }
        }
    }
}
admin@host# show system security-profile master-profile
...
idp-policy root-idp-policy;
```
If you are done configuring the device, enter `commit` from configuration mode.
Enabling IDP in a Security Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match source-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match destination-address any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp match application any
set security policies from-zone lsys-root-untrust to-zone lsys-root-trust policy enable-idp then permit application-services idp
```
Step-by-Step Procedure
To enable IDP in a security policy:
Create the security policy and configure match conditions.
```
[edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
admin@host# set policy enable-idp match source-address any
admin@host# set policy enable-idp match destination-address any
admin@host# set policy enable-idp match application any
```
Enable IDP.
```
[edit security policies from-zone lsys-root-untrust to-zone lsys-root-trust]
admin@host# set policy enable-idp then permit application-services idp
```
Results
From configuration mode, confirm your configuration by entering the `show security policies` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this `show` command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
```
[edit]
admin@host# show security policies
from-zone lsys-root-untrust to-zone lsys-root-trust {
    policy enable-idp {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
...
```
If you are done configuring the device, enter `commit` from configuration mode.
Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System
The primary administrator can either download predefined IDP policies to the device or configure custom IDP policies at the root level using custom or predefined attack objects. The primary administrator is responsible for assigning an IDP policy to a user logical system. This example shows how to assign a predefined IDP policy to a user logical system.
Requirements
Before you begin:
- Log in to the primary logical system as the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.
- Read IDP Policies Overview.
- Assign the ls-design-profile security policy to the ls-product-design user logical system. See Example: Configuring Logical Systems Security Profiles (Primary Administrators Only).
- Download predefined IDP policy templates to the device. See Downloading and Using Predefined IDP Policy Templates (CLI Procedure).
Note: Activating a predefined IDP policy with the `active-policy` configuration statement at the `[edit security idp]` hierarchy level applies only to the primary logical system. For a user logical system, the primary administrator specifies the active IDP policy in the security profile that is bound to the user logical system.
Overview
The predefined IDP policy named Recommended contains attack objects recommended by Juniper Networks. All rules in the policy have their actions set to take the recommended action for each attack object. You add the Recommended IDP policy to the ls-design-profile, which is bound to the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set system security-profile ls-design-profile idp-policy Recommended
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To add a predefined IDP policy to a security profile for a user logical system:
Log in to the primary logical system as the primary administrator and enter configuration mode.
```
[edit]
admin@host> configure
admin@host#
```
Add the IDP policy to the security profile.
```
[edit system security-profile]
admin@host# set ls-design-profile idp-policy Recommended
```
Results
From configuration mode, confirm your configuration by entering the `show security idp` and `show system security-profile ls-design-profile` commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
admin@host# show security idp
idp-policy Recommended {
    ...
}
[edit]
admin@host# show system security-profile ls-design-profile
policy {
    ...
}
idp-policy Recommended;
logical-system ls-product-design;
```
If you are done configuring the device, enter `commit` from configuration mode.
Verification
Verifying the Configuration
Purpose
Verify the IDP policy assigned to the logical system.
Action
From operational mode, enter the `show security idp logical-system policy-association` command. Ensure that the IDP policy in the security profile that is bound to the logical system is correct.
```
admin@host> show security idp logical-system policy-association
Logical system                 IDP policy
ls-product-design              Recommended
```
Example: Enabling IDP in a User Logical System Security Policy
This example shows how to enable IDP in a security policy in a user logical system.
Requirements
Before you begin:
- Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
- From configuration mode, use the `show system security-profile <profile-name> idp-policy` command to see the security policy resources allocated to the logical system.
- Configure an IDP security policy for the user logical system as the primary administrator. See Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System.
Overview
In this example, you configure the ls-product-design user logical system as shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
You enable IDP in a security policy that matches any traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone. Enabling IDP in a security policy directs matching traffic to be checked against the IDP rulebases.
This example uses the IDP policy configured and assigned to the ls-product-design user logical system by the primary administrator in Example: Configuring and Assigning a Predefined IDP Policy for a User Logical System.
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match source-address any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match destination-address any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp match application any
set security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust policy enable-idp then permit application-services idp
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a security policy to enable IDP in a user logical system:
Log in to the logical system as the user logical system administrator and enter configuration mode.
```
[edit]
lsdesignadmin1@host:ls-product-design> configure
lsdesignadmin1@host:ls-product-design#
```
Configure a security policy that matches traffic from the ls-product-design-untrust zone to the ls-product-design-trust zone.
```
[edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
lsdesignadmin1@host:ls-product-design# set policy enable-idp match source-address any
lsdesignadmin1@host:ls-product-design# set policy enable-idp match destination-address any
lsdesignadmin1@host:ls-product-design# set policy enable-idp match application any
```
Configure the security policy to enable IDP for matching traffic.
```
[edit security policies from-zone ls-product-design-untrust to-zone ls-product-design-trust]
lsdesignadmin1@host:ls-product-design# set policy enable-idp then permit application-services idp
```
Results
From configuration mode, confirm your configuration by entering the `show security policies` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
For brevity, this `show` command output includes only the configuration that is relevant to this example. Any other configuration on the system has been replaced with ellipses (...).
```
[edit]
lsdesignadmin1@host:ls-product-design# show security policies
from-zone ls-product-design-untrust to-zone ls-product-design-trust {
    policy enable-idp {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
    ...
}
```
If you are done configuring the device, enter `commit` from configuration mode.
Example: Configuring an IDP Policy for a User Logical System
This example shows how to configure an IDP policy and assign it to a user logical system. After the IDP policy is assigned, traffic is sent from a client to verify that the configured custom attack is detected.
Requirements
This example uses the following hardware and software components:
- Junos OS Release 18.3R1 or later
- An SRX4200 device
Before you configure an IDP policy on a user logical system:
- Configure security zones. See Example: Configuring Security Zones for a User Logical Systems.
Overview
In this example, you configure a custom attack that is used in an IDP policy. The IDP policy is specified and enabled using a security policy configured in the user logical system.
Configuration
To configure IDP in a user logical system:
- Configuring a user logical system
- Configuring a Custom Attack
- Configuring an IDP Policy for the User Logical System
- Enabling IDP in a Security Policy
Configuring a user logical system
CLI Quick Configuration
Step-by-Step Procedure
To configure a user logical system:
Configure a user logical system.
```
[edit]
user@host# set logical-systems LSYS1
```
Exit configuration mode and return to operational mode.
```
user@host# exit
```
Log in to the user logical system as the LSYS1 user and enter configuration mode.
```
user@host> set cli logical-system LSYS1
user@host:LSYS1> edit
user@host:LSYS1#
```
Results
From configuration mode, confirm your configuration by entering the `show logical-systems` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
user@host# show logical-systems
LSYS1 {
}
```
Configuring a Custom Attack
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the `[edit]` hierarchy level, and then enter `commit` from configuration mode.
```
set security idp custom-attack my-http severity info
set security idp custom-attack my-http attack-type signature protocol-binding application HTTP
set security idp custom-attack my-http attack-type signature context http-get-url
set security idp custom-attack my-http attack-type signature pattern .*test.*
set security idp custom-attack my-http attack-type signature direction any
```
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a custom attack object:
Log in to the user logical system as LSYS1 and enter configuration mode.
```
[edit]
user@host:LSYS1#
```
Create the custom attack object and set the severity level.
```
[edit security idp]
user@host:LSYS1# set custom-attack my-http severity info
```
Configure stateful signature parameters.
```
[edit security idp]
user@host:LSYS1# set custom-attack my-http attack-type signature protocol-binding application HTTP
user@host:LSYS1# set custom-attack my-http attack-type signature context http-get-url
user@host:LSYS1# set custom-attack my-http attack-type signature pattern .*test.*
user@host:LSYS1# set custom-attack my-http attack-type signature direction any
```
Results
From configuration mode, confirm your configuration by entering the `show security idp custom-attack my-http` command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
```
[edit]
user@host:LSYS1# show security idp custom-attack my-http
severity info;
attack-type {
    signature {
        protocol-binding {
            application HTTP;
        }
        context http-get-url;
        pattern .*test.*;
        direction any;
    }
}
```
If you are done configuring the device, enter `commit` from configuration mode.
Configuring an IDP Policy for the User Logical System
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security idp idp-policy idpengine rulebase-ips rule 1 match from-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match source-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match to-zone any
set security idp idp-policy idpengine rulebase-ips rule 1 match destination-address any
set security idp idp-policy idpengine rulebase-ips rule 1 match application default
set security idp idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
set security idp idp-policy idpengine rulebase-ips rule 1 then action no-action
set security idp idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure an IDP policy:
Create the IDP policy and configure the match conditions. The rule matches any zone pair and any address, uses the default application (the one bound in the attack object, HTTP here), and references the custom attack my-http.
[edit security idp]
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match from-zone any
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match source-address any
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match to-zone any
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match destination-address any
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match application default
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 match attacks custom-attacks my-http
Configure the action and notification for the rule. With action no-action, matching traffic is detected and counted but not dropped; notification log-attacks records each match. Use this combination to validate a new signature before switching to a blocking action.
[edit security idp]
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 then action no-action
user@host:LSYS1# set idp-policy idpengine rulebase-ips rule 1 then notification log-attacks
Results
From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:LSYS1# show security idp idp-policy idpengine
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            application default;
            attacks {
                custom-attacks my-http;
            }
        }
        then {
            action {
                no-action;
            }
            notification {
                log-attacks;
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Enabling IDP in a Security Policy
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security policies from-zone z1 to-zone z2 policy p1 match source-address any
set security policies from-zone z1 to-zone z2 policy p1 match destination-address any
set security policies from-zone z1 to-zone z2 policy p1 match application any
set security policies from-zone z1 to-zone z2 policy p1 then permit application-services idp-policy idpengine
Step-by-Step Procedure
To enable IDP in a security policy:
Create the security policy and configure the match conditions. Only sessions permitted by this policy are handed to the IDP engine, so it must match the traffic you intend to inspect (here, anything from zone z1 to zone z2).
[edit security policies from-zone z1 to-zone z2]
user@host:LSYS1# set policy p1 match source-address any
user@host:LSYS1# set policy p1 match destination-address any
user@host:LSYS1# set policy p1 match application any
Enable IDP for the traffic this policy permits by referencing the IDP policy idpengine as an application service.
[edit security policies from-zone z1 to-zone z2]
user@host:LSYS1# set policy p1 then permit application-services idp-policy idpengine
Results
From configuration mode, confirm your configuration by entering the show security policies command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
[edit]
user@host:LSYS1# show security policies
from-zone z1 to-zone z2 {
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp-policy idpengine;
                }
            }
        }
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
To test detection, send HTTP traffic from zone z1 to zone z2 that is permitted by policy p1 and whose request URL contains the string test (for example, a GET for /test.html), and then check the attack table from the user logical system:
Verifying Attack Detection
Purpose
Verify that attack detection is happening for the custom attack.
Action
From operational mode, enter the show security idp policies command to confirm that the IDP policy idpengine is loaded on the Packet Forwarding Engine, and then enter the show security idp attack table command.
user@host:LSYS1> show security idp policies
  PIC : FPC 0 PIC 0:
  ID   Name        Sessions   Memory    Detector
   1   idpengine          0   188584    12.6.130180509

user@host:LSYS1> show security idp attack table
IDP attack statistics:
  Attack name                                  #Hits
  my-http                                      1
Meaning
The first output shows that the IDP policy idpengine is loaded in user logical system LSYS1. The second output shows one hit for the custom attack my-http, that is, the IDP engine detected the attack configured in the IDP policy for LSYS1. Because rule 1 uses action no-action, the matching session was logged (notification log-attacks) but not dropped or closed; the hit counter increments on detection regardless of the action. If the counter stays at zero, check that the test traffic actually traverses zones z1 to z2 and matches policy p1, and that the commit succeeded in LSYS1.
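The following script is an added example (not part of the Junos documentation) that ties the custom attack object and the verification step together. It builds the HTTP GET requests that should and should not hit the http-get-url context with the pattern .*test.*, approximates that signature check with a Python regular expression so a pattern can be sanity-checked before it is committed (Junos IDP pattern syntax is not identical to Python regex, so treat this only as a first check), and parses the text of show security idp attack table captured before and after the test traffic to report the per-attack hit delta. The target address 192.0.2.10, the probe paths, and the attack-table snapshots are all constructed for the example.

```python
"""Exercise and verify the my-http custom attack configured in LSYS1.

Added example, not Juniper's code. It does three things:
  1. builds the HTTP GET requests that the http-get-url context inspects;
  2. approximates the signature match with Python re (Junos IDP pattern
     syntax is close to, but not the same as, Python regex);
  3. parses 'show security idp attack table' output taken before and after
     sending traffic and reports how many new hits each attack received.
"""
import re
import socket
from typing import Dict

ATTACK_NAME = "my-http"
PATTERN = ".*test.*"  # pattern from the custom-attack object on the page
# The http-get-url context covers the URL of an HTTP GET request.
CONTEXT_URL_RE = re.compile(r"^GET\s+(\S+)\s+HTTP/1\.[01]")


def build_get(path: str, host: str = "192.0.2.10") -> bytes:
    """Build a minimal HTTP/1.1 GET. The host address is an assumption."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: idp-check\r\nConnection: close\r\n\r\n").encode()


def url_context(request: bytes) -> str:
    """Return what the http-get-url context would inspect: the request URL."""
    m = CONTEXT_URL_RE.match(request.decode(errors="replace"))
    return m.group(1) if m else ""


def signature_matches(request: bytes, pattern: str = PATTERN) -> bool:
    """Approximate the IDP signature check: pattern against the URL context."""
    return re.fullmatch(pattern, url_context(request)) is not None


def parse_attack_table(text: str) -> Dict[str, int]:
    """Parse 'show security idp attack table' output into {attack: hits}.

    Only lines of the form '<name> <count>' are data rows; the banner and
    the 'Attack name #Hits' header do not end in a bare integer.
    """
    hits: Dict[str, int] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\S+)\s+(\d+)\s*$", line)
        if m:
            hits[m.group(1)] = int(m.group(2))
    return hits


def hit_delta(before: str, after: str) -> Dict[str, int]:
    """New hits per attack between two attack-table snapshots."""
    b, a = parse_attack_table(before), parse_attack_table(after)
    return {name: a[name] - b.get(name, 0)
            for name in a if a[name] - b.get(name, 0) > 0}


def send_probe(host: str, path: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Send one probe through the SRX (zone z1 -> z2). Not used offline."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_get(path, host))
        return True
    except OSError:
        return False


# Constructed snapshots in the format the page shows for the attack table.
TABLE_BEFORE = """IDP attack statistics:
  Attack name                                  #Hits
"""
TABLE_AFTER = """IDP attack statistics:
  Attack name                                  #Hits
  my-http                                      1
"""


def sample_run() -> Dict[str, int]:
    """Offline walk-through: which probes should match, and the resulting delta.

    Note that /api/latest matches too: 'latest' contains 'test', which is
    why .*test.* is far too broad for anything but a lab check.
    """
    probes = {"/index.html": False, "/test.html": True, "/api/latest?x=1": True}
    for path, expected in probes.items():
        assert signature_matches(build_get(path)) == expected, path
    return hit_delta(TABLE_BEFORE, TABLE_AFTER)  # {'my-http': 1}


if __name__ == "__main__":
    print(sample_run())
```

In use, capture the attack table from LSYS1 before the test, call send_probe against a host in zone z2 with a path that matches the signature, capture the table again, and feed both captures to hit_delta; a delta of one for my-http confirms the rule fired, while no delta points at the security policy (the session was not permitted by p1 with idp-policy idpengine) rather than at the signature.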