SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 02:31

    Hi folks

     

    I know how to push the pre-defined recommended policies from NSM to SRX. Can anyone guide me on how to enable the pre-defined recommended IDP policies through the CLI on SRX?

     

    Thanks in advance



  • 2.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI
    Best Answer

    Posted 05-23-2010 04:14

    Hi,

     

    The necessary steps for activating IDP are as follows:

     

    1. Install IDP license by issuing request system license add...
    2. Download IDP package by issuing request security idp security-package download
    3. Install IDP package by issuing request security idp security-package install
    4. Install IDP policy templates by issuing request security idp security-package install policy-templates
    5. Register the commit script that creates the IDP policies by issuing set system scripts commit file templates.xsl
    6. Set your preferred IDP policy as active, for instance by issuing set security idp active-policy Getting_Started
    7. Activate IDP on your policy by issuing set security policies from-zone trust to-zone untrust policy default-permit then permit application-services idp

    Nevertheless, I recommend using some policy that you can easily verify. One of my favorites is blocking Skype. Write a new IDP policy:

     

    set security idp idp-policy Block_Skype rulebase-ips rule 1 match source-address any
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match destination-address any
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match application default
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match attacks predefined-attacks VOIP:SKYPE:INSTALL
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match attacks predefined-attacks VOIP:SKYPE:LOGIN
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match attacks predefined-attacks VOIP:SKYPE:PROBE-1
    set security idp idp-policy Block_Skype rulebase-ips rule 1 match attacks predefined-attacks VOIP:SKYPE:VERSION-CHECK
    set security idp idp-policy Block_Skype rulebase-ips rule 1 then action close-client
    set security idp idp-policy Block_Skype rulebase-ips rule 1 then notification log-attacks

    Set this policy as the active policy:

     

    set security idp active-policy Block_Skype

     

    and don't forget to commit. I like to see Skype being blocked from connecting. You can also create a log file like this:

     

    set system syslog file idp_log any any
    set system syslog file idp_log match RT_IDP

     

    To see IDP logs.

     

    Have fun with IDP! By the way: Upgrade to JUNOS 10.0 R3 if you use an older JUNOS version.

     

    Regards,

    Dominik



  • 3.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 08:37

    Thanks Dominik, this is perfect



  • 4.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 09:16

    You are welcome!

     

    I also want to mention that SRX supports automatic IDP signature updates. KB16491 explains how to set this up. http://kb.juniper.net/KB16491

     

    Also, with the command show security idp attack table you can view what attacks have been triggered. For instance, when blocking Skype you should see alarms for the VOIP:SKYPE:PROBE-1 attack being raised.

     

    Not to mention the show security idp counters xxx command, which can display lots of internal counters that also help verify the proper operation of IDP.

     

    If you think my post was helpful, it would be sweet if you mark it as the solution.

     

    Kind regards,

    Dominik



  • 5.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 12:41

    You are the man!!!  I really appreciated your great great help. You solved the problem in seconds :)........two questions:

     

    1- Why do we need to do this: "Register the commit script that creates the IDP policies by issuing set system scripts commit file templates.xsl"?

     

    2- How can I see the pre-defined policies through the command line?

     

    Thanks



  • 6.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 12:52

    You are welcome!

     

    The commit script is for the way JUNOS works. If you import the IDP base, you in fact get a file with most of the IDP definitions. The commit script includes them in the config file, just as if you had typed them on your own :-).

     

    You can enter

     

    edit security idp

     

    and then issue a show command. Then you see all the IDP policies available and their definitions.

     

    On this web site https://services.netscreen.com/restricted/sigupdates/nsm-updates/HTML/index.html you can see all attack objects available. Very nice.

     

    Regards,

    Dominik



  • 7.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-23-2010 14:53

    Hi there,

    Just a word of caution:

    -- if you decide to apply the "Recommended" IDP policy and then edit it a little, e.g. by removing attack objects you don't expect to see (like FTP server attacks when you are not running your own FTP server)

    -- then after each commit you will see that the commit script re-installs the full set of "Recommended" attack objects

    -- to avoid that, remove the commit script from the config after step 7 using "delete system scripts commit file templates.xsl", then commit

    HTH

    Regards

    Alex



  • 8.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 05-26-2010 12:28

    Great information, Alex



  • 9.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 09-20-2010 18:31

    Hi Expert,

     

    I have a problem when issuing set system script commit file template.xsl.

     

    It shows me the error below:

     

    admin# commit
    /dev/null:687:(0) StartTag: invalid element name
    /dev/null:748:(0) StartTag: invalid element name
    error: error reading configuration: /dev/stdin
    error: 3 errors reported by commit scripts
    error: commit script failure

     

    I am running JUNOS 10.0R4

     

    Please advise me. =D

     

    Thanks

    Darren Koh



  • 10.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 09-21-2010 02:10

    Hello,

    I assume you copied the original file /var/db/idpd/sec-download/sub-download/templates.xml to /var/db/scripts/commit/templates.xsl

     

    http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/using-predef-policy-temp-section.html

     

     

    Copy the templates.xml file to the /var/db/scripts/commit directory and rename it to templates.xsl.

     

     

    Then the correct commit script name is templates.xsl, not template.xsl (note the extra S before the dot)

     

    Please retry with:

     

     

    set system scripts commit file templates.xsl
    commit

     

     

    HTH

    Rgds

    Alex
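
An added example, not part of any post in this thread: a small Python check over a configuration in `set` format that flags the gaps discussed above (a misspelled commit script name as in posts 9 and 10, the template script left registered as cautioned in post 7, IDP not applied to a zone policy, no RT_IDP log file). The finding names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: set-format lines built from the thread's commands, with the
# misspelled script name from post 9. Not output from a real device.
SAMPLE = """\
set system scripts commit file template.xsl
set security idp active-policy Block_Skype
set security idp idp-policy Block_Skype rulebase-ips rule 1 match attacks predefined-attacks VOIP:SKYPE:LOGIN
set security idp idp-policy Block_Skype rulebase-ips rule 1 then action close-client
set security policies from-zone trust to-zone untrust policy default-permit then permit
"""

def audit(config):
    """Return finding names (hypothetical labels) for the IDP gaps raised in the thread."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    scripts = [m.group(1) for l in lines
               if (m := re.fullmatch(r"set system scripts commit file (\S+)", l))]
    active = next((m.group(1) for l in lines
                   if (m := re.fullmatch(r"set security idp active-policy (\S+)", l))), None)
    if any(s != "templates.xsl" and s.startswith("template") for s in scripts):
        findings.append("commit-script-name-typo")
    if active is None:
        return findings + ["no-active-policy"]
    if "templates.xsl" in scripts:
        # Post 7: while registered, the script re-installs the Recommended objects on commit.
        findings.append("template-script-still-registered")
    rules = [l for l in lines if l.startswith(f"set security idp idp-policy {active} ")]
    if rules and not any(l.endswith("then notification log-attacks") for l in rules):
        findings.append("active-policy-not-logging")
    applied = re.compile(r"set security policies from-zone \S+ to-zone \S+ policy \S+ "
                         r"then permit application-services idp")
    if not any(applied.fullmatch(l) for l in lines):
        findings.append("idp-not-applied-to-any-policy")
    if not any(re.fullmatch(r'set system syslog file \S+ match "?RT_IDP"?', l) for l in lines):
        findings.append("no-rt-idp-syslog-file")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
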

     



  • 11.  RE: How to enable the predefined IDP recommended policies from policy templates through CLI

    Posted 11-22-2011 21:33

    Hi Dominik!

     

    I have tested your configuration with an SRX100 to block Skype (Skype 5.5), but it doesn't work. The SRX100 is running 10.2r3. Can you tell me which version of Skype you can block?

     

    regards,

     

    Phuong