Use Case 2: Import a Firewall Policy that Has IPS Policy Configured

SUMMARY An intrusion prevention system (IPS) policy enables you to selectively enforce various attack detection and prevention techniques on the network traffic passing through an IPS-enabled device. In this section, you’ll learn how to import a device running Junos OS Release 18.2 (that has a firewall policy with an IPS policy configured) to Junos Space Security Director. You’ll see that the assigned IPS policy is imported along with the firewall policy.

What's Next

To learn more about IPS features, see Junos Space Security Director User Guide.

Benefits

  • Each imported firewall policy rule can have a different IPS policy assigned.

  • Simplifies application-based security policy management at Layer 7.

  • Provides greater control and extensibility to manage dynamic applications traffic.

Before You Begin

Note:
  • Although this use case has been specifically validated against Junos Space Security Director Release 19.3 and an SRX Series device running Junos OS Release 18.2, you can use Junos OS Release 18.2 or later.

  • Only mandatory fields and other required fields are included in the procedures in this use case.

Overview

Starting in Junos Space Security Director Release 19.3, when you import a firewall policy from an SRX Series device running Junos OS Release 18.2 or later, the IPS policy that is assigned to the firewall policy is imported as well. The imported device is assigned to the firewall policy and is displayed on the Firewall Policies page; it is not displayed on the IPS Policies page, because the IPS policy is bound to the firewall policy rules rather than to the device.

In the following topology, we have an enterprise local area network behind a Layer 2 switch. The switch is connected to an SRX Series firewall that has IPS enabled and inspects all the traffic traveling in and out of the network. The SRX Series device can be in any form: hardware, virtual, or containerized.

Simple network topology with an internet cloud, SRX Series firewall, Layer 2 switch, and three connected hosts.

Import a Firewall Policy

Let’s import a firewall policy from an SRX Series device running Junos OS Release 18.2:

  1. Select Devices > Security Devices.

    The Security Devices page is displayed.

  2. Select the vsrx-18.2 device, and click Import.

    The Import Configuration page is displayed.

    Import Configuration screen listing the firewall and NAT policies found on the device, with selection checkboxes and navigation buttons.

  3. Select the firewall policy vsrx-18.2 (the IPS policy is assigned to this firewall policy).
  4. Click Next.

    A summary of the configuration changes to be imported is displayed.

    Import Configuration summary screen showing Firewall Policy Rules 1, IPS Policy Rules 1, Error Summary 0, Object Conflicts 0, Object Creation List 1, Object Modification List 0, a downloadable SummaryReport.zip file, and Back and OK buttons.

  5. Click OK to import the device configuration.

    The Job Details page is displayed. The IPS policy (IPS-Policy-1) is imported along with the firewall policy (vsrx-18.2).

    Job Details window showing import job ID 1600390 run by user super, status Success, 100 percent complete. Tasks: Importing IPS Policy, Importing Firewall Policy, Generating Report, all successful. Download Summary and OK buttons are present.

  6. Click OK.

    The imported IPS policy is listed on the IPS Policies page and is also shown on the firewall policy rule it is assigned to.

CLI Configuration

Here is the CLI configuration (in set format) from the vsrx-18.2 device, a vSRX Virtual Firewall running Junos OS Release 18.2. The IPS policy IPS-Policy-1 is defined under security idp and then assigned to the global firewall policy rule rule-one through the application-services idp-policy statement in the rule's permit action:

set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match to-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match application default
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match source-address any
set security policies global policy rule-one match destination-address any
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1

Verify the Imported Configuration in Security Director

Purpose

Let's verify that the device is assigned to the imported firewall policy. You’ll see that the device is not assigned to the imported IPS policy on the IPS Policies page.

Action

  1. Select Configure > IPS Policy > Policies.

    The device is not displayed for the imported IPS policy on the IPS Policies page.

    IPS Policies page with sections for pre and post device-specific policies, one device-specific policy listed, and options for publishing, updating, and filtering.

  2. Select Configure > Firewall Policy > Standard Policies.

    The imported firewall policy (vsrx-18.2) and the assigned device (vsrx-18.2) are displayed on the Standard Policies page.

    Standard Policies section in Firewall Policy interface listing policies before and after device-specific settings with options for managing them.

  3. Click the rules for the vsrx-18.2 firewall policy.

    On the firewall policy rules (vsrx-18.2/Rules) page, you’ll see the imported IPS policy (IPS-Policy-1) in the Advanced Security column.

    Juniper Networks vSRX firewall policy configuration screen with navigation panel, rule details, and toolbar for saving and publishing changes.

Note:

If a device runs Junos OS Release 18.2 or later but still carries the deprecated active-policy configuration (set security idp active-policy <policy-name>) instead of assigning the IPS policy per rule, Junos Space Security Director imports that IPS policy and assigns it to every firewall policy rule that has IPS turned on.
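The set-format configuration in the CLI Configuration section and the deprecated active-policy case in the Note above are easy to check offline before or after an import. The following Python script is an added example written for this page; it is not part of the Juniper documentation, Security Director, or Junos OS. It parses the output of show configuration | display set, records which firewall policy rules carry an IPS policy, resolves the legacy active-policy binding, and flags permit rules that have no IPS policy or that reference an undefined one. The two sample configurations are constructed: the first is the vsrx-18.2 configuration shown on this page, the second is an assumed pre-18.2 style device with a zone-pair policy that turns IPS on with application-services idp and selects the policy with set security idp active-policy.

```python
"""Audit which firewall policy rules carry an IPS (IDP) policy in a Junos 'set' configuration.

Added example for this page; not Juniper code. Run it on the output of
'show configuration | display set' copied from an SRX Series device.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: the vsrx-18.2 configuration shown on this page (Junos 18.2+ style,
# where the IPS policy is assigned inside the firewall rule's permit action).
SAMPLE_CONFIG_18_2 = """\
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match to-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match application default
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match attacks predefined-attacks ICMP:INFO:ECHO-REPLY
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security policies global policy rule-one match source-address any
set security policies global policy rule-one match destination-address any
set security policies global policy rule-one match application any
set security policies global policy rule-one then permit application-services idp-policy IPS-Policy-1
"""

# Constructed sample of the deprecated style mentioned in the Note (assumed syntax): IPS is
# switched on per rule with 'application-services idp' and the policy is chosen globally
# by 'set security idp active-policy'. The allow-dns rule permits traffic with no IPS at all.
SAMPLE_CONFIG_LEGACY = """\
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 match from-zone any
set security idp idp-policy IPS-Policy-1 rulebase-ips rule rule1 then action recommended
set security idp active-policy IPS-Policy-1
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
set security policies from-zone trust to-zone untrust policy allow-web then permit application-services idp
set security policies from-zone trust to-zone untrust policy allow-dns match source-address any
set security policies from-zone trust to-zone untrust policy allow-dns match destination-address any
set security policies from-zone trust to-zone untrust policy allow-dns match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy allow-dns then permit
"""

IDP_POLICY_RE = re.compile(r"^set security idp idp-policy (\S+)\b")
ACTIVE_POLICY_RE = re.compile(r"^set security idp active-policy (\S+)$")
# Both global policies and zone-pair policies; group 1 is the context, group 2 the rule name.
FW_RULE_RE = re.compile(r"^set security policies (global|from-zone \S+ to-zone \S+) policy (\S+) (.+)$")
RULE_ACTION_RE = re.compile(r"^then (permit|deny|reject)\b")
RULE_IDP_RE = re.compile(r"^then permit application-services idp-policy (\S+)$")
RULE_LEGACY_IDP_RE = re.compile(r"^then permit application-services idp$")


def audit_ips_bindings(config_text: str) -> Dict[str, object]:
    """Return defined IDP policies, the legacy active-policy, per-rule bindings and findings."""
    idp_policies: Set[str] = set()
    active_policy: Optional[str] = None
    rules: Dict[Tuple[str, str], Dict[str, object]] = {}

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := IDP_POLICY_RE.match(line):
            idp_policies.add(m.group(1))
            continue
        if m := ACTIVE_POLICY_RE.match(line):
            active_policy = m.group(1)
            continue
        m = FW_RULE_RE.match(line)
        if not m:
            continue
        key = (m.group(1), m.group(2))
        rest = m.group(3)
        entry = rules.setdefault(key, {"action": None, "idp_policy": None, "legacy_ips": False})
        if a := RULE_ACTION_RE.match(rest):
            entry["action"] = a.group(1)
        if p := RULE_IDP_RE.match(rest):
            entry["idp_policy"] = p.group(1)
        elif RULE_LEGACY_IDP_RE.match(rest):
            entry["legacy_ips"] = True

    findings: List[str] = []
    for (ctx, name), entry in rules.items():
        label = f"{ctx} policy {name}"
        if entry["legacy_ips"]:
            # Deprecated binding: the rule only says "IPS on"; the policy comes from active-policy.
            if active_policy:
                entry["idp_policy"] = active_policy
                findings.append(f"{label}: deprecated 'application-services idp'; bound to active-policy {active_policy}")
            else:
                findings.append(f"{label}: IPS is on but no active-policy is configured")
        if entry["idp_policy"] and entry["idp_policy"] not in idp_policies:
            findings.append(f"{label}: references undefined IDP policy {entry['idp_policy']}")
        if entry["action"] == "permit" and not entry["idp_policy"]:
            findings.append(f"{label}: permits traffic without an IPS policy")

    return {"idp_policies": idp_policies, "active_policy": active_policy, "rules": rules, "findings": findings}


if __name__ == "__main__":
    for title, cfg in (("18.2 style", SAMPLE_CONFIG_18_2), ("legacy style", SAMPLE_CONFIG_LEGACY)):
        result = audit_ips_bindings(cfg)
        print(f"== {title}: active-policy={result['active_policy']}")
        for (ctx, name), entry in result["rules"].items():
            print(f"  {ctx} policy {name}: action={entry['action']} idp_policy={entry['idp_policy']}")
        for finding in result["findings"]:
            print("  FINDING:", finding)
```

For the page's own configuration the audit reports no findings and shows rule-one bound to IPS-Policy-1, which is what the import summary (IPS Policy Rules 1) and the Advanced Security column in Security Director reflect. For the legacy sample it reports allow-web as bound through the deprecated active-policy statement and allow-dns as a permit rule with no IPS policy, so you know before importing which rules Security Director will show with an IPS policy and which it will not.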