SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  IDP/IPS configuration and issue

    Posted 02-18-2014 03:38

    Hi,

     

    I am in the process of configuring IPS on the SRX.

     

    Can someone please take a look at my current IDP config and see if I need to add anything?

     

    I have static NAT and security policies to internal web servers, to which I have applied the IDP policy. I haven't applied it to anything from trust to untrust; is this usually the way?

    I have 'application default'; if I don't specify this, what is the default action? And finally, is it good practice to specify the direction client-to-server? As I haven't, what would the default be?

     

    The issue I have:

    I had a rule for RDP; this has individual attacks, as I could not find a group for remote apps. When I did an IDP update I could no longer commit the config until this RDP rule was removed; I get an error for each attack saying it could not be added to the compiled policy. I have done another update and it's still the same. The attacks are still in the list.

     

    After this happens, when I run 'show security idp policy-commit-status' I get the following message, and it doesn't go away until I make changes:

    fwadmin@srx-node0> show security idp policy-commit-status
    node0:
    --------------------------------------------------------------------------
     Reading prereq sensor config...

     

    Please could someone assist? The Junos version is 11.4R10.3.

    Thanks

    Ross

    Attachment(s): IDPconfig.txt (1 KB)


  • 2.  RE: IDP/IPS configuration and issue
    Best Answer

    Posted 03-10-2014 14:19
    From my experience, you apply the IDP rules based on your perceived source of attacks. If you suspect malicious activity coming from trust to untrust, then use IDP; an example may be in the UTM context, checking for viruses on outbound FTP or HTTP traffic. It's really up to the environment.

    In regards to the default action, please read the below. Default actions are different for different attacks, defined by Juniper as the recommended course. You can change the default action to some other action, like drop the connection and ban the IP, if you see fit:


    http://www.juniper.net/techpubs/software/junos-security/junos-security10.2/junos-security-swconfig-security/topic-42453.html


    Regarding the RDP issue, I have personally had issues with the 11.x branch with IDP. I would recommend you go to 12.1 to resolve it. Going to 12.1 fixed similar-sounding IDP compilation issues that I experienced.
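As an added example for the two points above (where to apply the IDP policy, and what 'application default' and the recommended action mean), here is a minimal Junos set-style configuration. It is not from the thread or the poster's attached IDPconfig.txt; the names WEB-IDP, WEB-ATTACKS, WEB-IN, WEB-SRV, the address 10.0.0.10 and the predefined group "HTTP - Critical" are assumed, and the group must exist in the attack database installed on the box. It follows the single active-policy syntax of the 11.4/12.1 era. Direction is a property of the attack object (or of a dynamic-attack-group filter), not of the rule, so it does not appear here.

```junos
## Added example, not from the thread. WEB-IDP, WEB-ATTACKS, WEB-IN,
## WEB-SRV, 10.0.0.10 and the group name are assumed values.

## 1. IDP policy: only inspect inbound (untrust -> trust) traffic to the web servers,
##    matching the "apply it where you expect attacks from" advice above.
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match from-zone untrust
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match to-zone trust
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match source-address any
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match destination-address any
## "application default": match on the service each attack object is bound to,
## rather than a fixed application such as junos-http.
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match application default
## Predefined attack group (assumed name); must be present in the installed attack DB.
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS match attacks predefined-attack-groups "HTTP - Critical"
## "recommended": use Juniper's per-attack default action. Replace with e.g.
## drop-connection to force one action for every attack in the rule.
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS then action recommended
set security idp idp-policy WEB-IDP rulebase-ips rule WEB-ATTACKS then notification log-attacks
## One IDP policy is active per device in this Junos generation.
set security idp active-policy WEB-IDP

## 2. Security policy for the static-NAT web server, with IDP enabled on permit.
set security zones security-zone trust address-book address WEB-SRV 10.0.0.10/32
set security policies from-zone untrust to-zone trust policy WEB-IN match source-address any
set security policies from-zone untrust to-zone trust policy WEB-IN match destination-address WEB-SRV
set security policies from-zone untrust to-zone trust policy WEB-IN match application junos-http
set security policies from-zone untrust to-zone trust policy WEB-IN then permit application-services idp
set security policies from-zone untrust to-zone trust policy WEB-IN then log session-init

## 3. Operational-mode checks (run from the CLI prompt, not inside configure):
##    show security idp security-package-version
##    show security idp attack group-members "HTTP - Critical"
##    show security idp policy-commit-status
##    request security idp security-package download
##    request security idp security-package install
```

Confirming with `show security idp attack group-members` that the group (or each individually referenced attack) is present in the installed database, before committing, is the quickest way to tell a stale attack reference from a genuine policy-compilation fault of the kind the reply blames on the 11.x branch.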



  • 3.  RE: IDP/IPS configuration and issue

    Posted 03-17-2014 01:02
    OK, thanks for the tips, I'll take a look. With regards to upgrading, I may have to wait, as dynamic VPN doesn't work on 12.1 for us.

    Thanks
    Ross