SRX

  • 1.  IDP ip-block actions

    Posted 09-27-2012 12:42

    I have a simple IDP policy on an SRX 240 that will block the IP address of any Major and Critical attacks for an hour:

     

    set security idp idp-policy IDP rulebase-ips rule 3 match from-zone WAN
    set security idp idp-policy IDP rulebase-ips rule 3 match source-address any
    set security idp idp-policy IDP rulebase-ips rule 3 match to-zone any
    set security idp idp-policy IDP rulebase-ips rule 3 match destination-address any
    set security idp idp-policy IDP rulebase-ips rule 3 match application default
    set security idp idp-policy IDP rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]HTTP - Critical"
    set security idp idp-policy IDP rulebase-ips rule 3 match attacks predefined-attack-groups "[Recommended]HTTP - Major"
    set security idp idp-policy IDP rulebase-ips rule 3 then action recommended
    set security idp idp-policy IDP rulebase-ips rule 3 then ip-action ip-block
    set security idp idp-policy IDP rulebase-ips rule 3 then ip-action target source-address
    set security idp idp-policy IDP rulebase-ips rule 3 then ip-action timeout 3600
    set security idp idp-policy IDP rulebase-ips rule 3 then notification log-attacks

     

    This works fine, but I have 2 questions...  how can I show what is actively being blocked and how can I clear it if necessary without rebooting?

     



  • 2.  RE: IDP ip-block actions
    Best Answer

    Posted 09-27-2012 12:47

    Hi

     

    Use the following commands

     

    show security flow ip-action

    clear security flow ip-action



  • 3.  RE: IDP ip-block actions

    Posted 09-27-2012 12:55

    Thanks!!  I opened a ticket with Juniper and they literally told me this was impossible, figured I'd get a better answer here.