SRX

  • 1.  SRX 240 License Management / IDP

    Posted 02-18-2014 12:54

    Hello,

    I am new to Junos and currently working with an SRX240 demo unit.

    My goal with this device was to set up IDP and deploy it in a test environment. I have followed multiple configuration articles but have so far not been able to get IDP to work.

    In one document, I configured IDP to drop all ICMP traffic. However, ping tests are still able to pass through the zones. I am also not seeing any output from the show attack table command:

    root> show security idp attack table

    I am wondering if this is a licensing issue. Below is the current output:

    root> show system license usage
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed
      av_key_kaspersky_engine               0            1           0    2014-02-21 00:00:00 UTC
      anti_spam_key_sbl                     0            1           0    2014-02-21 00:00:00 UTC
      wf_key_surfcontrol_cpa                0            1           0    2014-02-21 00:00:00 UTC
      idp-sig                               0            1           0    2014-02-21 00:00:00 UTC
      dynamic-vpn                           0            2           0    permanent
      ax411-wlan-ap                         0            2           0    permanent
      appid-sig                             0            1           0    2014-02-21 00:00:00 UTC
      av_key_sophos_engine                  0            1           0    2014-02-21 00:00:00 UTC
      logical-system                        0            1           0    permanent
      wf_key_websense_ewf                   0            1           0    2014-02-21 00:00:00 UTC

    For each feature, the licenses used is listed as zero. Since I have configured IDP, should this feature not appear as a used license?

    Any information on IDP test deployments or sample configurations would be appreciated. I have a feeling I am overlooking something simple, but cannot be certain due to my limited Junos experience.

    Regards,



  • 2.  RE: SRX 240 License Management / IDP

     
    Posted 02-18-2014 15:48

    Dear

    It would be helpful if you could post your IDP config section and the security policy where you applied it.

    After defining the IDP policy rulebase-ips rule(s), you need to enable the IDP policy using: set security idp active-policy idp_policy_name

    and then enable IDP processing in your desired security policy: "then permit application-services idp"

    Please read the KB below; it should give all the necessary details about SRX IDP.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB16561

    Regards
    Red1



  • 3.  RE: SRX 240 License Management / IDP

    Posted 02-19-2014 06:51

    Red1,

    Thank you for your reply and assistance. I have attached a copy of my demo config for your review. I appreciate your feedback.

    Regards,

    Fen

    Attachment: demo cfg.docx (24 KB)


  • 4.  RE: SRX 240 License Management / IDP

    Posted 02-19-2014 13:58

    I have browsed briefly through your config and it seems that the security policies block ICMP traffic right away (before IDP gets involved), i.e. blocking policies (with action deny/reject) are inserted BEFORE the policies that would inspect traffic using IDP. So the ICMP does not get to the IDP at all. How are you testing this with ping? From which zone/interface to where?

    Another thing that startled me is the ge-0/0/0 interface: it has no family inet attached.

    Regards,
    Pawel



  • 5.  RE: SRX 240 License Management / IDP

    Posted 02-19-2014 14:55

    Thank you Pawel,

    This SRX is set up in a lab environment and this is the first time I have worked with Junos. The ge-0/0/0 interface is not active. The ICMP FW rules were added as a test to see if I could block the traffic. I tested the IDP with and without these FW rules.

    I created 2 active zones: comms and lan.
    ge-0/0/7 is a member of comms. This interface connects to another switch on a trunk port.
    ge-0/0/8 is a member of lan. This interface connects to another switch on the lan on an access port. A test host is connected to this access switch.

    I have been testing with ping from lan to comms, and from comms to lan.

    Because this is a test environment I have been trying out the different features.



  • 6.  RE: SRX 240 License Management / IDP

     
    Posted 02-19-2014 22:37

    Dear

    He is right: you are blocking the traffic on the security policy, so it will never reach the IDP processing module, because IDP processing happens at the end of flow processing! In addition to that, the active policy (ICMP-TEST) action is drop-packet for any traffic!

    1- Your security policies new_pol1/new_pol2 should permit traffic:

     

        from-zone comms to-zone lan {
            policy new_pol1 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy pol1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
        from-zone lan to-zone comms {
            policy new_pol2 {
                match {
                    source-address any;
                    destination-address any;
                    application junos-icmp-all;
                }
                then {
                    deny;
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
            policy pol2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-init;
                        session-close;
                    }
                    count;
                }
            }
        }
    }

    2- I recommend customizing your IDP policy to match only ICMP traffic, from a specific zone/source address to a specific zone/destination address; use 2 rules (one for each direction) if you would like. This will help you to test the IDP correctly:

     

        idp-policy ICMP-TEST {
            rulebase-ips {
                rule 2 {
                    match {
                        from-zone any;
                        source-address any;
                        to-zone any;
                        destination-address any;
                        application any;
                    }
                    then {
                        action {
                            drop-packet;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                        severity critical;
                    }
                }
            }
        }

    Regards
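Added example, not code from the thread or from Juniper: a small Python check for the ordering problem Pawel and Red1 describe, where a deny/reject rule placed ahead of the permit that carries "application-services idp" takes the traffic before IDP can inspect it. The Policy model and the sample lists are constructed from the policies quoted above; it is a first-match simulation, not a Junos configuration parser.

```python
"""Order check for SRX security policies that hand traffic to IDP.
Policy lookup is first-match per zone pair, and IDP inspects only sessions
a policy permitted with "application-services idp", so a deny placed ahead
of that permit hides its traffic from IDP.  Constructed example, not code
from the thread; sample data mirrors the policies quoted in post 6."""
from dataclasses import dataclass

ANY = frozenset({"any"})

@dataclass(frozen=True)
class Policy:
    name: str
    applications: frozenset  # e.g. {"junos-icmp-all"}; ANY matches everything
    action: str              # "permit", "deny" or "reject"
    idp: bool = False        # permit { application-services { idp; } }

def overlap(earlier: frozenset, later: frozenset) -> frozenset:
    """Applications of `later` that an earlier rule already matches."""
    if "any" in earlier:
        return later
    if "any" in later:
        return earlier
    return earlier & later

def shadowed_idp(policies: list) -> list:
    """For each IDP-inspecting permit, report earlier deny/reject rules in the
    same ordered zone pair; returns (blocking_policy, idp_policy, hidden_apps)."""
    findings = []
    for i, pol in enumerate(policies):
        if pol.action != "permit" or not pol.idp:
            continue
        for earlier in policies[:i]:
            if earlier.action in ("deny", "reject"):
                hidden = overlap(earlier.applications, pol.applications)
                if hidden:
                    findings.append((earlier.name, pol.name, hidden))
    return findings

# Constructed from the "from-zone comms to-zone lan" block in post 6:
# the ICMP deny sits ahead of the permit that enables IDP.
COMMS_TO_LAN = [
    Policy("new_pol1", frozenset({"junos-icmp-all"}), "deny"),
    Policy("pol1", ANY, "permit", idp=True),
]
# Same zone pair with the deny removed, as the reply recommends.
COMMS_TO_LAN_FIXED = [Policy("pol1", ANY, "permit", idp=True)]

if __name__ == "__main__":
    for blocker, idp_pol, apps in shadowed_idp(COMMS_TO_LAN):
        print(f"{blocker} hides {sorted(apps)} from IDP policy {idp_pol}")
```

Running the script on the quoted ordering reports that new_pol1 hides junos-icmp-all from pol1, which is exactly why the ping tests never appeared in the IDP attack table.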



  • 7.  RE: SRX 240 License Management / IDP

    Posted 03-03-2014 11:20

    Thank you for the feedback,

    I decided to wipe the config clean and start from the beginning.

    Attached is a test configuration using the Recommended IDP template. Upon reviewing this test configuration, do you notice any elements that are missing or anything that may prevent IDP from functioning normally?

    Regards,

    Attachment: demo cfg part 2.docx (16 KB)


  • 8.  RE: SRX 240 License Management / IDP
    Best Answer

     
    Posted 03-03-2014 21:26

    Hello

    You are using the Recommended IDP policy, which covers most attacks and which I also recommend using, unless you have a specific attack to block or exempt; at that time, you can customize your IDP policy rules to reflect your needs.

    Your IDP / security policies configuration is OK.

    Regards



  • 9.  RE: SRX 240 License Management / IDP

    Posted 03-11-2014 11:06

    Red1,

    After starting with a fresh config and updating the IDP licensing, I switched to transparent mode and was able to get IDP functioning well.

    Thank you for pointing me in the right direction.



  • 10.  RE: SRX 240 License Management / IDP

     
    Posted 03-11-2014 12:57

    Great, you are welcome any time.

     

    Regards