I am a bit lost trying to set up IDP on my SRX300. I have read all the resources online here and here to activate the license, download & install the signature package, download & install the templates, and also copy/modify a template to our needs. The problem I am running into is activating a template. I don't have
set security idp default-policy Recommended
as an option.
When I try:
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp idp-policy Recommended
I get the error: "configuration check-out failed" when I try to commit.
When I run:
show security idp status
I get this:
State of IDP: Default, Up since: 2020-04-06 07:21:27 CEST (1d 07:37 ago)
Packets/second: 0 Peak: 0 @ 2020-04-07 14:35:55 CEST
KBits/second : 0 Peak: 0 @ 2020-04-07 14:35:55 CEST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
ICMP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
TCP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
UDP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
Other: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : none
In short, how do I apply an IDP policy (template) to a security rule, OR set a template as the default active one?
I appreciate any help.
Looks like you missed enabling the IDP policy template using the command "set system scripts commit file templates.xsl", as mentioned in the first link. If it is applied properly you should have the option "Recommended" for idp-policy. Please re-check.
Hi, thanks for the quick reply. Although I was pretty sure I had done this, I tried it again. Unfortunately, I still cannot do:
set security idp default-policy
as stated on the site of the first link. I simply do not have that command available.
What am I missing here? Probably something small and stupid, but I have tried everything I can think of.
Also, for clarification, I did see this in the documentation:
Statement introduced in Junos OS Release 9.2.
Starting with Junos OS Release 18.2R1, the IDP policy is directly assigned in the security policy rule. This is to simplify IDP policy usage and to provide the flexibility to have multiple policies active at the same time. As part of the session interest check, IDP will be enabled if an IDP policy is present in any of the matched rules. The IDP policy is activated in security policies by permitting the IDP policy within the application services using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command. Since the IDP policy name is directly used in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.
That is why I tried the command:
set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name
But, as stated in my original post, this gives me an error when trying to commit.
Looks like the "active-policy" command is hidden but still supported. Please type the complete commands mentioned below, and use "idp" in the security policy instead of "idp-policy":
set security idp active-policy Recommended
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp
OK, so I found this:
Traditional Policy and Unified Policy Details for IDP Policy
The following details are to be noted when you want to configure IDP policy after you have upgraded your devices for implementing unified policies:
All existing (traditional) IDP policies are treated the same way as a unified policy with dynamic application configured as none.
Configuring a traditional IDP policy and a unified policy with IDP policy as one of the potential policy with dynamic application as matching condition on the same security policy is not supported.
If you are downgrading from Junos OS Release 18.2R1 to any earlier versions of Junos OS Release, you must delete all unified policies to avoid commit check failure after the downgrade.
Since I get the error "Either configure idp or idp-policy and not both", this got me thinking: my security policies have IDP enabled, so what if I remove all the IDP config from all the security policies? Can I then execute and commit the command? Well, yes, and after removing all IDP config from the policies I also got this option in the web interface:
So, as the error message stated, you can either do IPS on/off (although I still don't know/understand how to configure this) or select an IPS policy.
One more thing: I still get an error when I try to enable different IDP policies/templates on different security policies. I don't know if that is a license or SRX300-specific thing, but for now I'm just happy I got something working.
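The sequence the thread arrives at (drop the legacy "idp" flag from the rule, then reference the policy by name with "idp-policy"), written out as one added example for Junos 18.2R1 and later. This is not configuration from the thread or from Juniper documentation. The zone names Internet/Internal and the rule name Allow_1-3-SMTP are the ones quoted above; the IDP policy name Recommended-SMTP, the predefined attack group name "SMTP - Critical", and the use of a custom policy instead of the downloaded template are assumptions for the example. Lines starting with "#" are explanatory comments.

```junos
# Added example, not the thread's own configuration.
# Assumed names: IDP policy "Recommended-SMTP", attack group "SMTP - Critical".

# 1. Build a small custom IDP policy instead of editing the downloaded template
#    in place; the template names are overwritten when policy-templates are
#    re-installed. Confirm the group name exists on this signature package with
#    "show security idp attack group-list" before using it.
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match from-zone any
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match source-address any
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match to-zone any
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match destination-address any
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match application default
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 match attacks predefined-attack-groups "SMTP - Critical"
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 then action recommended
set security idp idp-policy Recommended-SMTP rulebase-ips rule 1 then notification log-attacks

# 2. The commit error "Either configure idp or idp-policy and not both" means
#    the rule still carries the legacy "idp" flag, which depends on the
#    deprecated "set security idp active-policy". Remove both before switching
#    to the per-rule form (the delete of active-policy only warns if unset).
delete security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp
delete security idp active-policy

# 3. Attach the IDP policy by name on the security rule (18.2R1+ form).
#    Other rules may reference other idp-policy names; that is the point of
#    the unified-policy change quoted from the documentation above.
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended-SMTP

# 4. Validate first, commit, then confirm the policy compiled and loaded and
#    that "Policy Name" in the status output is no longer "none".
commit check
commit comment "attach IDP policy Recommended-SMTP to Allow_1-3-SMTP"
run show security idp policy-commit-status
run show security idp status
run show security idp attack table
```

Using "then action recommended" applies the per-attack action Juniper ships with each signature, while "notification log-attacks" makes every match visible in the IDP attack table and the security log, which is the first thing to check when a policy appears to be loaded but "show security idp status" still reports zero packets.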