Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

IDP for Tenant Systems

Learn about the overview, features, and how to configure Intrusion Detection and Prevention (IDP) policy in the tenant system.

An Intrusion Detection and Prevention (IDP) policy in tenant systems enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through a security device. The security devices offer the same set of IDP signatures that are available on Juniper Networks IDP Series IDP Appliances to secure networks against attacks.

IDP for Tenant Systems Overview

An IDP policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through a tenant system.

This topic includes the following sections:

IDP Policies

Configuring IDP policies at the root and tenant system levels is similar. Root level IDP policy templates are visible and used by all tenant systems. The primary administrator specifies an IDP policy in the security profile that is bound to a tenant system. To enable IDP in a tenant system, the primary administrator or tenant system administrator configures a security policy that defines the traffic to be inspected and specifies at the permit application-services idp-policy idp-policy-name hierarchy level.

The primary administrator can configure multiple IDP policies and a tenant system can have multiple IDP policies at a time. For tenant systems, the primary administrator can either bind the same IDP policy to multiple tenant systems or bind the necessary IDP policies to each tenant system. If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.

The primary administrator configures the number of maximum IDP sessions reservation for a primary logical system and tenant systems. To define the number of IDP sessions allowed:

  • For primary logical system, use set security idp max-sessions max-sessions

  • For tenant system, use set security idp tenant-system tenant-system max-sessions max-sessions.

The tenant system administrator performs the following actions:

  • Configure multiple IDP policies and attach to the firewall policies for use by tenant systems. If an IDP policy is not configured for a tenant system, the default IDP policy set by the primary administrator is used. The IDP policy binds to the tenant systems through a tenant systems security policy.

  • Create or modify IDP policies for tenant system. The IDP policies are bound to tenant systems. When an IDP policy is changed, and commit fails, only the tenant system that has initiated the commit change is notified about the commit failure.

  • The tenant system administrator can create security zones in the tenant system and assign interfaces to each security zone. Zones that are specific to tenant systems cannot be referenced in IDP policies configured by the primary administrator. The primary administrator can reference zones in the primary logical system in an IDP policy configured for the primary logical system.

  • View the attack statistics, IDP counters, attack table, and policy commit status by the individual tenant system using the following commands:

    • show security idp counters

    • show security idp attack table

    • show security idp policies

    • show security idp policy-commit-status

    • show security idp security-package-version.

  • View the attack statistics, IDP counters, attack table, and policy commit status from the root using the following commands:

    • show security idp counters counters tenant tenant-name

    • show security idp attack table tenant tenant-name

    • show security idp policies tenant tenant-name

    • show security idp policy-commit-status tenant tenant-name

    • show security idp security-package-version tenant tenant-name.

Limitation

  • IDP policy compilation in Packet Forwarding Engine is done at the global level. Any changes in policy made for a logical system or a tenant system result in the compilation of logical systems or tenant systems policy.

  • Any changes in policy made for a logical system or a tenant system clear the attack table of all logical systems and tenant systems.

IDP Installation and Licensing for Tenant Systems

An idp-sig license must be installed at the root level. Once you enable IDP at the root level, you can apply it to any tenant system on the device.

A single IDP security package is installed for all tenant systems on the device at the root level. The download and install options can only be executed at the root level. The same version of the IDP attack database is shared by all tenant systems.

IDP Features in Tenant Systems

This topic includes the following sections:

Rulebases

A single IDP policy can contain only one instance of any type of rulebase. The IPS rulebase uses attack objects to detect known and unknown attacks. It detects attacks based on stateful signature and protocol anomalies.

Status monitoring for IPS is global to the device and not on a per tenant system basis.

Multi-Detectors

When a new IDP security package is received, it contains attack definitions and a detector. Each policy is associated with a detector when it is loaded. If the new policy's detector matches the detector used by the current policy, the system doesn't load another detector and both policies use the same detector. If the detectors don't match the system loads the new detector with the new policy. ach policy then uses its own detector for attack detection.

The version of the detector is common to all tenant systems.

Logging and Monitoring

Status monitoring options are available to the primary administrator only. All status monitoring options under the commands, show security idp and clear security idp provide global information rather than tenant system details.

SNMP monitoring for IDP is not supported on tenant systems.

The tenant systems supports only the stream mode for syslog and does not support the event mode.

IDP generates event logs when an event matches an IDP policy rule with logging enabled.

The tenant systems identification is added to the following types of IDP traffic processing logs:

  • Attack logs. The following example shows an attack log for the TSYS1 tenant system:

  • IP action logs. The following example shows an IP action log for the TSYS1 tenant system:

Example: Configure IDP Policies and Attacks for Tenant Systems

This example shows how to configure IDP policies and attacks for tenant systems.

Requirements

This example uses the following hardware and software components:

  • Any supported firewall configured with the tenant systems.

  • Junos OS Release 19.2R1 and later releases.

Before you configure IDP policies and attacks for tenant systems:

Overview

In this example you configure IDP custom attacks, policies, custom attack group, pre-defined attack and attack-group, and dynamic attack group in the tenant system TSYS1.

Configuration

Configure a Custom Attack

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure a custom attack object:

  1. Create the custom attack object and set the severity level.

  2. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp custom-attack my-http command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure an IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an IDP policy:

  1. Create the IDP policy and configure match conditions.

  2. Configure actions for the IDP policy.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Multiple IDP Policies with a Default IDP Policy

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure multiple IDP policies:

  1. Create multiple IDP policies and configure match conditions.

  2. Configure security policies and attach IDP policies to them.

  3. Configure a default IDP policy.

    If you configure more than one IDP policy, then configuring a default IDP policy is mandatory.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine, show security idp idp-policy idpengine1, show security policies, and show security policies commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure IDP Custom Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IDP custom attack group:

  1. Create the IDP policy.

  2. Configure match condition of IDP policy.

  3. Configure stateful signature parameters.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Pre-Defined Attack and Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the pre-defined attack and attack group:

  1. Configure the pre-defined attack.

  2. Configure the pre-defined attack group.

Results

From configuration mode, confirm your configuration by entering the show security idp idp-policy idpengine command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure IDP Dynamic Attack Group

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure IDP dynamic attack group:

  1. Configure dynamic attack group parameter.

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

Verify IDP Policies and Commit Status

Purpose

Verify that the IDP policies and commit status is displayed after policy compilation for the tenant system TSYS1.

Action

From operational mode, enter the show security idp policies command.

From operational mode, enter the show security idp policy-commit-status command.

Meaning

The output displays the IDP policy configured in the tenant system TSYS1 and the commit status information.

Verify IDP Attack Detection

Purpose

Verify that the IDP attack detection is successful for the tenant system TSYS1 and displayed in the attack table.

Action

From operational mode, enter the show security idp attack table command.

Meaning

The output displays the attacks detected for the custom attack that is configured in the tenant system TSYS1.

Verify IDP Counters

Purpose

Verify one of the IDP counter status is displayed for the tenant system TSYS1.

Action

From operational mode, enter the show security idp counters flow command.

Meaning

The output displays the IDP counter flow status is displayed properly for the tenant system TSYS1.