SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  {edit security idp} stanza not available on SRX210BE

    Posted 09-16-2013 10:34

    Hello all,

     

    I have a new SRX210BE for lab usage and have tried to test IDP, but it seems that feature is "missing?" on the box. My SRX doesn't have an IDP license, which I think should not be a problem as all I want to run are custom policies.

     

    root@SRX210> show security idp status
    ^
    syntax error, expecting <command>.

     

    // edit security idp - option is missing

     

    [edit]
    root@SRX210# edit security ?
    Possible completions:
    <[Enter]> Execute this command
    > address-book Security address book
    > alarms Configure security alarms
    > alg Configure ALG security options
    > analysis Configure security analysis
    > certificates X.509 certificate configuration
    > dynamic-vpn Configure dynamic VPN
    > firewall-authentication Firewall authentication parameters
    > flow FLOW configuration
    > forwarding-options Security-forwarding-options configuration
    > group-vpn Group VPN configuration
    > ike IKE configuration
    > ipsec IPSec configuration
    > log Configure security log
    > nat Configure Network Address Translation
    > pki PKI service configuration
    > policies Configure Network Security Policies
    > resource-manager Configure resource manager security options
    > screen Configure screen feature
    > softwires Configure softwire feature
    > ssh-known-hosts SSH known host list
    > traceoptions Network security daemon tracing options
    > zones Zone configuration
    | Pipe through a command
    [edit]

     

     

    // If I manually type "edit security idp" the CLI accepts that, but I don't see any option to continue setting rulebase, etc. ...


    [edit]
    root@SRX210# edit security idp

    [edit security idp]
    root@SRX210# set ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups



    I've read through KB http://kb.juniper.net/InfoCenter/index?page=content&id=KB16489 but it didn't shed much light on this and confirmed my assumption that "If you are using only custom signatures, you do not need an IDP license."

     

     

    Could you point me in the right direction on how to resolve it? Am I missing something here?

     

     

    Thanks for your feedback.

     

    Tomas



  • 2.  RE: {edit security idp} stanza not available on SRX210BE
    Best Answer

    Posted 09-16-2013 15:18

    Hi Tomas,

     

    I don't think the IDP software is supported on the low-memory SRX210, e.g. the "B" model. You'll need to purchase the memory upgrade license from your reseller before the IDP software can be activated.



  • 3.  RE: {edit security idp} stanza not available on SRX210BE

    Posted 09-17-2013 01:41

    Hello Ben,

     

    Thank you for your reply. It sounds right even though I was not able to confirm that anywhere in the SRX docs.

     

    The only document regarding IDP which I've found is for J-series: https://kb.juniper.net/InfoCenter/index?page=content&id=KB16122&cat=J6350_1&actp=LIST

     

    This one says that UTM/IDP needs 1 GB of RAM and 1 GB of CF disk space.

     

     

    Tomas



  • 4.  RE: {edit security idp} stanza not available on SRX210BE

     
    Posted 09-17-2013 21:49

    You need the high memory models to support UTM.

    Was the same with the ScreenOS boxes.

     

    If you are going to buy a new unit, you should be aware that there are now models with twice the memory to be able to better support all UTM features.