Enable IDP on Juniper SRX Devices Managed by Juniper Space

Submitted by 我只是一个虾纸丫 on 2019-11-26 16:27:51

An Intrusion Detection and Prevention (IDP) policy lets you selectively enforce attack detection and prevention techniques on the network traffic passing through an SRX Series device. The SRX Series offers the same set of IDP signatures that are available on Juniper Networks IDP Series Intrusion Detection and Prevention Appliances. The basic IDP configuration involves the following tasks:

  • Download and install the IDP license. Without a valid idp-sig license the device cannot download or update the signature database.
  • Download and install the signature database. The signature database is distributed as a security package on the Juniper Networks website. It contains the attack objects and attack object groups that IDP policies use to match traffic against known attacks.
  • Configure the recommended policy as the IDP policy. Juniper Networks provides predefined policy templates as a starting point for your own policies. Each template is a set of rules of a specific rulebase type that you can copy and then adjust to your requirements. To get started, use the predefined policy named "Recommended".
  • Enable a security policy for IDP inspection. Transit traffic is only sent to the IDP engine when it matches a security policy that has the IDP application service enabled, so enable IDP on every policy whose traffic you want inspected.

1. License

Juniper Support provides License Management online tools on its website:

The classic Generate Licenses page is at https://lms.juniper.net/lcrs/license.do; for newer hardware it has moved to https://license.juniper.net/licensemanage


Once you have the license file, add it to the SRX device from the command line. A Junos license is bound to a chassis serial number (shown as "Valid for device" below), so in a chassis cluster each node needs its own license key. The session below is from node0 of a two-node cluster:

{primary:node0}
[email protected]> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS203733092 aeaqia qminnd enrrgz aummbt gayqqb qcdxb7
               vrlhbq ouoskf kncugs 2febms arcfkz jesrko
               kqqeir jajvcv qskdj4 dsqfg7 zrjdch 3ukncd
               v5gtiw 4fscvx f5viuj r27srj dvr2oy 4s4fau
               vupqed uevifz agl5
^D
JUNOS203733092: successfully added
add license complete (no errors)

{primary:node0}
[email protected]> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2018-08-24 00:00:00 UTC

Licenses installed:
  License identifier: JUNOS203733092
  License version: 4
  Valid for device: CZ1616AF0301
  Customer ID: Net Sec Inc.
  Features:
    idp-sig          - IDP Signature
      date-based, 2017-08-24 00:00:00 UTC - 2018-08-24 00:00:00 UTC

{primary:node0}
[email protected]> show chassis cluster status
Monitor Failure codes:
    CS  Cold Sync monitoring        FL  Fabric Connection monitoring
    GR  GRES monitoring             HW  Hardware monitoring
    IF  Interface monitoring        IP  IP monitoring
    LB  Loopback monitoring         MB  Mbuf monitoring
    NH  Nexthop monitoring          NP  NPC monitoring
    SP  SPU monitoring              SM  Schedule monitoring
    CF  Config Sync monitoring

Cluster ID: 9
Node   Priority Status         Preempt Manual   Monitor-failures

Redundancy group: 0 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None

Redundancy group: 1 , Failover count: 1
node0  200      primary        no      no       None
node1  100      secondary      no      no       None

{primary:node0}

2. Install Signature Database

Make sure you have downloaded the latest signature database into Juniper Space Security Director.

You may need to probe (rediscover) the SRX device in Space so that Security Director picks up the license you just installed before it will push the signature package. Once the package is installed, confirm that both cluster nodes report the same attack database and detector version:

{primary:node0}
[email protected]> show security idp security-package-version
node0:
--------------------------------------------------------------------------
  Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC)
  Detector version :12.6.160171124
  Policy template version :N/A

node1:
--------------------------------------------------------------------------
  Attack database version:3027(Thu Jan 18 13:53:07 2018 UTC)
  Detector version :12.6.160171124
  Policy template version :N/A

3. Create and Install Policy

3.1 You can use Juniper Space Security Director to create your first IPS policy. Several policy templates are available to use as a starting point.

3.2 Publish the IPS policy and update (push) it to the device. Then verify from the CLI that the policy was compiled and loaded on both cluster nodes:

{primary:node0}
[email protected]> show security idp policies
node0:
--------------------------------------------------------------------------
ID    Name                   Sessions    Memory      Detector
0     Space-IPS-Policy       0           5667667     12.6.160171124

node1:
--------------------------------------------------------------------------
ID    Name                   Sessions    Memory      Detector
0     Space-IPS-Policy       0           5667667     12.6.160171124



4. Enable IPS option on Firewall Rules

This is the last step. For each firewall rule in Security Director there is an "Advanced Security" column that lets you enable IPS on that rule. Only sessions that match a rule with IPS enabled are handed to the IDP engine; the Sessions column in "show security idp policies" stays at 0 until such a rule sees traffic.
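The following is an added example, not part of the original post, showing the Junos CLI equivalent of steps 2 through 4 for an SRX that is not managed by Security Director, or for checking what Space actually pushed. The zone names "trust" and "untrust", the security policy name "Allow-Web" and the dynamic attack group name "Critical-Attacks" are assumptions for illustration; "Space-IPS-Policy" is the policy name from the output above. Lines beginning with # are explanatory and are not typed.

```junos
# Added example (not from the original post). Assumed names: zones trust/untrust,
# security policy Allow-Web, dynamic attack group Critical-Attacks.

# --- Step 2: signature database (operational mode, run on the primary node) ---
request security idp security-package download full-update
# poll until the status reports Done
request security idp security-package download status
request security idp security-package install
request security idp security-package install status
# optional: Juniper's predefined policy templates ("Recommended" and others)
request security idp security-package download policy-templates
request security idp security-package install policy-templates
# both nodes must report the same attack database and detector version
show security idp security-package-version

# --- Step 3: a minimal IPS policy (configuration mode) ---
# The dynamic group selects every signature tagged severity "critical" in the
# installed database, so it tracks the database as it is updated.
set security idp dynamic-attack-group Critical-Attacks filters severity values critical
set security idp idp-policy Space-IPS-Policy rulebase-ips rule R1 match from-zone any to-zone any application default
set security idp idp-policy Space-IPS-Policy rulebase-ips rule R1 match attacks dynamic-attack-groups Critical-Attacks
set security idp idp-policy Space-IPS-Policy rulebase-ips rule R1 then action recommended
set security idp idp-policy Space-IPS-Policy rulebase-ips rule R1 then notification log-attacks
# On the 12.x / 15.1X49 releases matching the detector version above, one IDP
# policy is selected device-wide:
set security idp active-policy Space-IPS-Policy

# --- Step 4: send traffic to IDP from a security policy ---
# Only sessions matched by a policy with "application-services idp" are
# inspected; everything else bypasses IDP even though the policy is active.
set security policies from-zone trust to-zone untrust policy Allow-Web match source-address any
set security policies from-zone trust to-zone untrust policy Allow-Web match destination-address any
set security policies from-zone trust to-zone untrust policy Allow-Web match application junos-http
set security policies from-zone trust to-zone untrust policy Allow-Web then permit application-services idp
set security policies from-zone trust to-zone untrust policy Allow-Web then log session-close
commit and-quit

# --- Verification (operational mode) ---
# the status line names the policy and detector that are loaded
show security idp status
# Sessions column increments once matching traffic flows through Allow-Web
show security idp policies
# attacks detected so far, by attack object name
show security idp attack table
```

In a chassis cluster run the operational commands on the primary node and commit the configuration there; the configuration and the installed package are synchronized to the secondary, which is why the outputs above list both node0 and node1. On releases with unified policies (Junos 18.2 and later) the device-wide "active-policy" statement is replaced by naming the policy inside the security policy, as "then permit application-services idp-policy Space-IPS-Policy"; the matching and verification steps are otherwise the same.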
