
SRX300 IDP setup "Either configure idp or idp-policy and not both"

  • 1.  SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:02

    Hi,

    I am a bit lost trying to set up IDP on my SRX300. I have read all the resources online here and here to activate the license, download & install the signature package, download & install the templates, and also copy/modify a template to our needs. The problem I am running into is activating a template. I don't have

    set security idp default-policy Recommended

    as an option.


    When I try:

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended

    or

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp idp-policy Recommended

    I get the error "configuration check-out failed" when I try to commit.

    When I run:

    show security idp status

    I get this:

    State of IDP: Default,  Up since: 2020-04-06 07:21:27 CEST (1d 07:37 ago)
    
    Packets/second: 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
    KBits/second  : 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
    Latency (microseconds): [min: 0] [max: 0] [avg: 0]
    
    Packet Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
    
    Flow Statistics:
      ICMP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      TCP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      UDP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      Other: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
    
    Session Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
      Policy Name : none
    

    In short, how do I apply an IDP policy (template) to a security rule, or set a template as the default active one?

    I appreciate any help.


    #IDP
    #SRX


  • 2.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:27

    Looks like you missed enabling the IDP policy template using the command "set system scripts commit file templates.xsl", as mentioned in the first link. If it is applied properly you should have the "Recommended" idp-policy option. Please re-check.



  • 3.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:49

    Hi, thanks for the quick reply. Although I was pretty sure I had done this, I tried it again. Unfortunately, I still cannot do:

    set security idp default-policy 

    as stated on the site in the first link. I simply do not have that command available.

    What am I missing here? Probably something small and stupid, but I have tried everything I can think of.



  • 4.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 07:15
    It's strange. What Junos version are you using?



  • 5.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 07:22

    JUNOS 18.2R3-S2.9



  • 6.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 08:06

    Also, for clarification, I did see this in the documentation:

    Release Information

    Statement introduced in Junos OS Release 9.2.

    Starting with Junos OS Release 18.2R1, IDP policy is directly assigned in the security policy rule. This is to simplify IDP policy usage and to provide the flexibility to have multiple policies active at the same time. As a part of the session interest check, IDP will be enabled if an IDP policy is present in any of the matched rules. IDP policy is activated in security policies by permitting the IDP policy within the application services using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command. Since the IDP policy name is directly used in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.

    That is why I tried the command:

    set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name

    but as stated in my original post, this gives me an error when trying to commit.



  • 7.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 08:42

    Looks like the "active-policy" command is hidden but still supported. Please type the complete commands mentioned below and use "idp" in the security policy instead of "idp-policy":

    set security idp active-policy Recommended

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp




  • 8.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"
    Best Answer

    Posted 04-07-2020 08:49

    OK, so I found this:

    Traditional Policy and Unified Policy Details for IDP Policy
    The following details are to be noted when you want to configure IDP policy after you have upgraded your devices for implementing unified policies:
    
    All existing (traditional) IDP policies are treated the same way as a unified policy with dynamic application configured as none.
    
    Configuring a traditional IDP policy and a unified policy with IDP policy as one of the potential policies with dynamic application as matching condition on the same security policy is not supported.
    
    If you are downgrading from Junos OS Release 18.2R1 to any earlier versions of Junos OS Release, you must delete all unified policies to avoid commit check failure after the downgrade.

    Since I get the error "Either configure idp or idp-policy and not both", this got me thinking. My security policies have IDP enabled; what if I remove all the IDP config on all the security policies, can I then execute and commit the command? Well, yes, and after removing all IDP config from the policies I also got this option in the web interface:

    So, as the error message stated, you can either do IPS on/off (although I still don't know/understand how to configure this) or select an IPS policy.

    One more thing: I still get an error when I try to enable different IDP policies/templates on different security policies. Don't know if that is a license or SRX300-specific thing, but for now I'm just happy I got something working.
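As an added example (not from the thread or from Juniper), here is a small pre-commit check over a Junos set-style configuration that flags the legacy/unified IDP mix behind "Either configure idp or idp-policy and not both": the hidden `set security idp active-policy` or a bare `application-services idp` on one side, a per-rule `application-services idp-policy <name>` on the other. The sample configuration lines are constructed, and the exact conflict rules are an assumption inferred from the error message and the documentation quoted above, not Junos's own commit-check logic.

```python
import re

# Constructed sample in Junos "set" syntax (not taken from the thread): the
# legacy global activation plus a per-rule idp-policy, which is the mix the
# commit check "Either configure idp or idp-policy and not both" rejects.
SAMPLE_CONFIG = """\
set security idp active-policy Recommended
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended
set security policies from-zone Internet to-zone Internal policy Allow_Web then permit application-services idp
"""

RULE_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"then permit application-services (idp(?:-policy \S+)?)$"
)
ACTIVE_RE = re.compile(r"^set security idp active-policy (\S+)$")


def parse_idp_usage(config_text):
    """Return (active_policy, rules); rules maps (from, to, name) to the set of
    IDP modes the rule uses: 'legacy' for bare 'idp', 'unified' for 'idp-policy'."""
    active_policy = None
    rules = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = ACTIVE_RE.match(line)
        if m:
            active_policy = m.group(1)
            continue
        m = RULE_RE.match(line)
        if m:
            rule_id = m.group(1, 2, 3)
            mode = "legacy" if m.group(4) == "idp" else "unified"
            rules.setdefault(rule_id, set()).add(mode)
    return active_policy, rules


def find_conflicts(config_text):
    """Report legacy/unified IDP mixes (assumed conflict rules) before 'commit check'."""
    active_policy, rules = parse_idp_usage(config_text)
    problems = []
    for rule_id, modes in sorted(rules.items()):
        if modes == {"legacy", "unified"}:
            problems.append(f"rule {rule_id[2]}: both 'idp' and 'idp-policy' set")
    legacy = active_policy is not None or any("legacy" in m for m in rules.values())
    unified = any("unified" in m for m in rules.values())
    if legacy and unified:
        problems.append("config mixes legacy IDP ('active-policy' / 'idp') with per-rule 'idp-policy'")
    return problems
```

Running `find_conflicts(SAMPLE_CONFIG)` reports the global mix; a configuration that uses only `idp-policy` on its rules, or only the legacy `active-policy` plus `idp`, returns an empty list.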