An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series. The SRX Series offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. The basic IDP configuration involves the following tasks:

  • Download and install the IDP license.
  • Download and install the signature database—You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.
  • Configure recommended policy as the IDP policy—Juniper Networks provides predefined policy templates to use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
  • To get started, we recommend you use the predefined policy named “Recommended”.
  • Enable a security policy for IDP inspection—For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.

1. License

Juniper Support has some License Management Online Tools available on their website:

Click https://lms.juniper.net/lcrs/license.do should get you the classic Generate Licenses, but for newer hardware, it has been moved to new site: https://license.juniper.net/licensemanage


After got the license file, you will just need to add it SRX device from command line:


{primary:node0}
john@fw-ptest-1> request system license add terminal    
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS203733092 aeaqia qminnd enrrgz aummbt gayqqb qcdxb7
               vrlhbq ouoskf kncugs 2febms arcfkz jesrko
               kqqeir jajvcv qskdj4 dsqfg7 zrjdch 3ukncd
               v5gtiw 4fscvx f5viuj r27srj dvr2oy 4s4fau
               vupqed uevifz agl5
^D
JUNOS203733092: successfully added
add license complete (no errors)

{primary:node0}
john@fw-ptest-1> show system license 
License usage: 
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed 
  idp-sig                               0            1           0    2018-08-24 00:00:00 UTC

Licenses installed: 
  License identifier: JUNOS203733092
  License version: 4
  Valid for device: CZ1616AF0301
  Customer ID: Net Sec Inc.
  Features:
    idp-sig          - IDP Signature
      date-based, 2017-08-24 00:00:00 UTC - 2018-08-24 00:00:00 UTC

{primary:node0}

{primary:node0}
john@fw-ptest-1> show chassis cluster status 
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring              
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring
 
Cluster ID: 9
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

Redundancy group: 1 , Failover count: 1
node0  200      primary        no      no       None           
node1  100      secondary      no      no       None           

{primary:node0}

2. Install Signature Database

Make sure you have download latest signature database in your Juniper Space Security Director.

You may need to probe the SRX devices to find out the one you just installed license.

{primary:node0}
john@fw-ptest-1> show security idp security-package-version 
node0:
--------------------------------------------------------------------------

  Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC)
  Detector version :12.6.160171124
  Policy template version :N/A

node1:
--------------------------------------------------------------------------

  Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC)
  Detector version :12.6.160171124
  Policy template version :N/A

3. Create and Install Policy

3.1 You can use Juniper Space Security Director to create your first IPS policy. There are different type of templates to be used as an example.

3.2 Publish IPS policy and Update it to device


{primary:node0}
john@fw-ptest-1> show security idp policies 
node0:
--------------------------------------------------------------------------
ID    Name                   Sessions    Memory      Detector       
 0     Space-IPS-Policy       0           5667667     12.6.160171124

node1:
--------------------------------------------------------------------------
ID    Name                   Sessions    Memory      Detector       
 0     Space-IPS-Policy       0           5667667     12.6.160171124



4. Enable IPS option on Firewall Rules
This is the last step, for each firewall rule, there is column ‘advanced security’ to allow you to enable IPS on this rule.

By Jon

Leave a Reply