
Use Case 2: Import a Firewall Policy that Has IPS Policy Configured

SUMMARY An intrusion prevention system (IPS) policy enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through an IPS-enabled device. In this section, you’ll learn how to import a device running Junos OS Release 18.2 (that has a firewall policy with an IPS policy configured) to Junos Space Security Director. You’ll see that the assigned IPS policy is imported along with the firewall policy.

What's Next

To learn more about IPS features, see Junos Space Security Director User Guide.

Benefits

  • Each imported firewall policy rule can have a different IPS policy assigned.

  • Simplifies application-based security policy management at Layer 7.

  • Provides greater control and extensibility to manage dynamic applications traffic.

Before You Begin

Note:
  • Although this use case has been specifically validated against Junos Space Security Director Release 19.3 and an SRX Series device running Junos OS Release 18.2, you can use Junos OS Release 18.2 or later.

  • Only mandatory fields and other required fields are included in the procedures in this use case.

Overview

Starting in Junos Space Security Director Release 19.3, when you import a firewall policy from an SRX Series device running Junos OS Release 18.2 or later, the IPS policy that is assigned to the firewall policy is also imported. The imported device is assigned to the firewall policy, and is displayed on the firewall policies page. The imported device is not displayed on the IPS Policies page.

In the following topology, we have an enterprise local area network behind a Layer 2 switch. The switch is connected to an SRX Series firewall that has IPS enabled and inspects all the traffic traveling in and out of the network. The SRX Series device can be in any form: hardware, virtual, or containerized.

Import a Firewall Policy

Let’s import a firewall policy from an SRX Series device running Junos OS Release 18.2:

  1. Select Devices > Security Devices.

    The Security Devices page is displayed.

  2. Select the vsrx-18.2 device, and click Import.

    The Import Configuration page is displayed.

  3. Select the firewall policy vsrx-18.2 (the IPS policy is assigned to this firewall policy).
  4. Click Next.

    A summary of the configuration changes to be imported is displayed.

  5. Click OK to import the device configuration.

    The Job Details page is displayed. The IPS policy (IPS-Policy-1) is imported along with the firewall policy (vsrx-18.2).

  6. Click OK.

    The imported policies are displayed on the IPS Policies page and also in the firewall policy rule.

CLI Configuration

Here is the CLI configuration from the vSRX Virtual Firewall-18.2 device:

set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match to-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match application default
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match source-address any
set security policies global policy rule-one match destination-address any
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1
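
As an added example (not part of this Juniper use case and not Security Director's own code), the following Python script parses set-format configuration like the one above and rebuilds the firewall-rule to IPS-policy mapping that the import step depends on, then flags permit rules that have no IPS policy attached or that reference an IPS policy the configuration does not define. The sample configuration is constructed: it reuses rule-one and IPS-Policy-1 from this page and adds two hypothetical rules (rule-two and rule-three) to exercise both checks.

```python
import re

# Constructed sample: the vsrx-18.2 configuration from this use case, reduced to the
# lines that matter for the mapping, plus two hypothetical rules (rule-two, rule-three).
SAMPLE_CONFIG = """
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1
set security policies global policy rule-two match application any
set security policies global policy rule-two then permit
set security policies global policy rule-three match application any
set security policies global policy rule-three then permit application-services idp-policy IPS-Policy-9
"""

IDP_POLICY = re.compile(r"^set security idp idp-policy (\S+) ")
# Zone-based rules read 'from-zone X to-zone Y policy NAME'; global rules read 'global policy NAME'.
FW_RULE = re.compile(r"^set security policies (global|from-zone \S+ to-zone \S+) policy (\S+) (.*)$")
IDP_REF = re.compile(r"then permit application-services idp-policy (\S+)")


def parse_config(text):
    """Return (defined IPS policy names, {(scope, rule): {'permit': bool, 'ips': name|None}})."""
    ips_policies, rules = set(), {}
    for line in (raw.strip() for raw in text.splitlines()):
        m = IDP_POLICY.match(line)
        if m:
            ips_policies.add(m.group(1))
        m = FW_RULE.match(line)
        if m:
            entry = rules.setdefault((m.group(1), m.group(2)), {"permit": False, "ips": None})
            if m.group(3).startswith("then permit"):
                entry["permit"] = True  # a deny rule needs no IPS policy
            ref = IDP_REF.search(m.group(3))
            if ref:
                entry["ips"] = ref.group(1)
    return ips_policies, rules


def audit(text):
    """Flag permit rules with no IPS policy and rules that reference an undefined IPS policy."""
    ips_policies, rules = parse_config(text)
    findings = []
    for (scope, rule), entry in sorted(rules.items()):
        if entry["permit"] and entry["ips"] is None:
            findings.append(f"{scope} policy {rule}: permit without IPS policy")
        elif entry["ips"] and entry["ips"] not in ips_policies:
            findings.append(f"{scope} policy {rule}: references undefined IPS policy {entry['ips']}")
    return findings
```

Running `audit(SAMPLE_CONFIG)` reports rule-two (permit with no IPS policy) and rule-three (undefined IPS policy), while rule-one, which mirrors this page's configuration, produces no finding.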

Verify the Imported Configuration in Security Director

Purpose

Let's verify that the device is assigned to the imported firewall policy. You’ll see that the device is not assigned to the imported IPS policy on the IPS Policies page.

Action

  1. Select Configure > IPS Policy > Policies.

    The device is not displayed for the imported IPS policy on the IPS Policies page.

  2. Select Configure > Firewall Policy > Standard Policies.

    The imported firewall policy (vsrx-18.2) and the assigned device (vsrx-18.2) are displayed on the Standard Policies page.

  3. Click the rules for the vsrx-18.2 firewall policy.

    On the firewall policy rules (vsrx-18.2/Rules) page, you’ll see the imported IPS policy (IPS-Policy-1) in the Advanced Security column.

Note:

If a device runs Junos OS Release 18.2 or later and uses the deprecated active-idp policy CLI, Junos Space Security Director imports the IPS policy and assigns it to all firewall policy rules that have IPS set to ON.