An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series. The SRX Series offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. The basic IDP configuration involves the following tasks:
- Download and install the IDP license.
- Download and install the signature database—You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.
- Configure recommended policy as the IDP policy—Juniper Networks provides predefined policy templates to use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
- To get started, we recommend you use the predefined policy named “Recommended”.
- Enable a security policy for IDP inspection—For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.
1. License
Juniper Support has some License Management Online Tools available on their website:
- Manage Product Licenses – Generate License Keys
- Generate Subscriptions
- Manage Product Licenses – Find License Keys
- Generate Licenses for RMA Devices
Click https://lms.juniper.net/lcrs/license.do should get you the classic Generate Licenses, but for newer hardware, it has been moved to new site: https://license.juniper.net/licensemanage
After got the license file, you will just need to add it SRX device from command line:
{primary:node0}
john@fw-ptest-1> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
JUNOS203733092 aeaqia qminnd enrrgz aummbt gayqqb qcdxb7
vrlhbq ouoskf kncugs 2febms arcfkz jesrko
kqqeir jajvcv qskdj4 dsqfg7 zrjdch 3ukncd
v5gtiw 4fscvx f5viuj r27srj dvr2oy 4s4fau
vupqed uevifz agl5
^D
JUNOS203733092: successfully added
add license complete (no errors)
{primary:node0}
john@fw-ptest-1> show system license
License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
idp-sig 0 1 0 2018-08-24 00:00:00 UTC
Licenses installed:
License identifier: JUNOS203733092
License version: 4
Valid for device: CZ1616AF0301
Customer ID: Net Sec Inc.
Features:
idp-sig - IDP Signature
date-based, 2017-08-24 00:00:00 UTC - 2018-08-24 00:00:00 UTC
{primary:node0}
{primary:node0}
john@fw-ptest-1> show chassis cluster status
Monitor Failure codes:
CS Cold Sync monitoring FL Fabric Connection monitoring
GR GRES monitoring HW Hardware monitoring
IF Interface monitoring IP IP monitoring
LB Loopback monitoring MB Mbuf monitoring
NH Nexthop monitoring NP NPC monitoring
SP SPU monitoring SM Schedule monitoring
CF Config Sync monitoring
Cluster ID: 9
Node Priority Status Preempt Manual Monitor-failures
Redundancy group: 0 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
Redundancy group: 1 , Failover count: 1
node0 200 primary no no None
node1 100 secondary no no None
{primary:node0}
2. Install Signature Database
Make sure you have download latest signature database in your Juniper Space Security Director.
You may need to probe the SRX devices to find out the one you just installed license.
{primary:node0} john@fw-ptest-1> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC) Detector version :12.6.160171124 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC) Detector version :12.6.160171124 Policy template version :N/A
3. Create and Install Policy
3.1 You can use Juniper Space Security Director to create your first IPS policy. There are different type of templates to be used as an example.
3.2 Publish IPS policy and Update it to device
{primary:node0}
john@fw-ptest-1> show security idp policies
node0:
--------------------------------------------------------------------------
ID Name Sessions Memory Detector
0 Space-IPS-Policy 0 5667667 12.6.160171124
node1:
--------------------------------------------------------------------------
ID Name Sessions Memory Detector
0 Space-IPS-Policy 0 5667667 12.6.160171124
4. Enable IPS option on Firewall Rules
This is the last step, for each firewall rule, there is column ‘advanced security’ to allow you to enable IPS on this rule.