An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce various attack detection and prevention techniques on the network traffic passing through your SRX Series. The SRX Series offer the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances to secure networks against attacks. The basic IDP configuration involves the following tasks:
- Download and install the IDP license.
- Download and install the signature database—You must download and install the IDP signature database. The signature databases are available as a security package on the Juniper Networks website. This database includes attack object and attack object groups that you can use in IDP policies to match traffic against known attacks.
- Configure recommended policy as the IDP policy—Juniper Networks provides predefined policy templates to use as a starting point for creating your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then update according to your requirements.
- To get started, we recommend you use the predefined policy named “Recommended”.
- Enable a security policy for IDP inspection—For transit traffic to pass through IDP inspection, you configure a security policy and enable IDP application services on all traffic that you want to inspect.
1. License
Juniper Support has some License Management Online Tools available on their website:
- Manage Product Licenses – Generate License Keys
- Generate Subscriptions
- Manage Product Licenses – Find License Keys
- Generate Licenses for RMA Devices
Click https://lms.juniper.net/lcrs/license.do should get you the classic Generate Licenses, but for newer hardware, it has been moved to new site: https://license.juniper.net/licensemanage
After got the license file, you will just need to add it SRX device from command line:
{primary:node0} [email protected]> request system license add terminal [Type ^D at a new line to end input, enter blank line between each license key] JUNOS203733092 aeaqia qminnd enrrgz aummbt gayqqb qcdxb7 vrlhbq ouoskf kncugs 2febms arcfkz jesrko kqqeir jajvcv qskdj4 dsqfg7 zrjdch 3ukncd v5gtiw 4fscvx f5viuj r27srj dvr2oy 4s4fau vupqed uevifz agl5 ^D JUNOS203733092: successfully added add license complete (no errors) {primary:node0} [email protected]> show system license License usage: Licenses Licenses Licenses Expiry Feature name used installed needed idp-sig 0 1 0 2018-08-24 00:00:00 UTC Licenses installed: License identifier: JUNOS203733092 License version: 4 Valid for device: CZ1616AF0301 Customer ID: Net Sec Inc. Features: idp-sig - IDP Signature date-based, 2017-08-24 00:00:00 UTC - 2018-08-24 00:00:00 UTC {primary:node0} {primary:node0} [email protected]> show chassis cluster status Monitor Failure codes: CS Cold Sync monitoring FL Fabric Connection monitoring GR GRES monitoring HW Hardware monitoring IF Interface monitoring IP IP monitoring LB Loopback monitoring MB Mbuf monitoring NH Nexthop monitoring NP NPC monitoring SP SPU monitoring SM Schedule monitoring CF Config Sync monitoring Cluster ID: 9 Node Priority Status Preempt Manual Monitor-failures Redundancy group: 0 , Failover count: 1 node0 200 primary no no None node1 100 secondary no no None Redundancy group: 1 , Failover count: 1 node0 200 primary no no None node1 100 secondary no no None {primary:node0}
2. Install Signature Database
Make sure you have download latest signature database in your Juniper Space Security Director.
You may need to probe the SRX devices to find out the one you just installed license.
{primary:node0} [email protected]> show security idp security-package-version node0: -------------------------------------------------------------------------- Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC) Detector version :12.6.160171124 Policy template version :N/A node1: -------------------------------------------------------------------------- Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC) Detector version :12.6.160171124 Policy template version :N/A
3. Create and Install Policy
3.1 You can use Juniper Space Security Director to create your first IPS policy. There are different type of templates to be used as an example.
3.2 Publish IPS policy and Update it to device
{primary:node0} [email protected]> show security idp policies node0: -------------------------------------------------------------------------- ID Name Sessions Memory Detector 0 Space-IPS-Policy 0 5667667 12.6.160171124 node1: -------------------------------------------------------------------------- ID Name Sessions Memory Detector 0 Space-IPS-Policy 0 5667667 12.6.160171124
4. Enable IPS option on Firewall Rules
This is the last step, for each firewall rule, there is column ‘advanced security’ to allow you to enable IPS on this rule.