Before Junos 18.2R1, only one IDP policy could be enabled for the whole SRX system; from that release onwards Junos
lets you configure more than one active policy.
How to enable IDP:
Before 18.2R1:
1-From the available IDP policy list (either from the templates or custom) choose one as the active policy. In this example
I am setting up "Recommended", which is part of the IDP policy templates:
set security idp active-policy Recommended
2-Configure a security policy and set the advanced permit action "application-services idp". This action in the security policy makes the SRX send
traffic for inspection to the active IDP policy ("Recommended", configured as the active policy in the previous step):
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp >>>>>>>>>>>>>
Note: Any other security policy with the advanced permit action "application-services idp" configured would send traffic to the same active policy,
in this case "Recommended".
After 18.2R1:
1-Configure multiple active policies (either from the templates or the custom list) by calling them out in different security policy configurations.
For this example I am setting up two IDP policies (Recommended and Client-Protection) for two different security policies (SEC_POL_1 and SEC_POL_2):
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp-policy Recommended >>>>>>>>>>>>>
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match source-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match destination-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match application any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 then permit application-services idp-policy Client-Protection >>>>>>>>>>>>>
Both configurations can't coexist, because that generates a conflict: you either set an active policy for the whole system or configure different
IDP active policies in your security policies.
Finally, there is another configuration: the IDP default policy. The IDP default policy is configured when you have multiple unified policies with IDP enabled that are possible matches for your traffic (unified policies were introduced in the Junos 18 releases).
Let's take our previous example, where SEC_POL_1 and SEC_POL_2 are configured with different advanced permit IDP active policies, Recommended and
Client-Protection respectively, but this time we are adding the dynamic applications junos:MS-TEAMS and junos:OUTLOOK, which makes these two security policies unified-type. Here there is a conflict: since the security policy context (from zone trust to zone untrust) and match criteria (source=any, destination=any, application=any) in both security policies are the same, Junos would not know which security policy, and hence which IDP policy, to apply to the traffic until the dynamic application is identified by the AppID module, so it can't apply either security policy yet while the application is being identified.
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
set security policies from-zone trust to-zone untrust policy SEC_POL_1 match dynamic-application junos:MS-TEAMS >>>>>>>>>>>>>>>>>>>>>
set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp-policy Recommended >>>>>>>>>>>>>>>>>>>>>
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match source-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match destination-address any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match application any
set security policies from-zone trust to-zone untrust policy SEC_POL_2 match dynamic-application junos:OUTLOOK >>>>>>>>>>>>>>>>>>>>>
set security policies from-zone trust to-zone untrust policy SEC_POL_2 then permit application-services idp-policy Client-Protection >>>>>>>>>>>>>>>>>>>>>
set security idp default-policy IDP_Default >>>>>>>>>You can use any IDP policy as the default policy, i just liked this one.
How does Junos solve this conflict?
1-In our example, while the AppID module identifies whether the traffic is junos:MS-TEAMS or junos:OUTLOOK, Junos applies something called the
Pre-ID default policy, which is a system policy (it can't be modified) with the action to permit flows until they are identified. Once the flow is identified, a more specific unified policy is applied and hence the corresponding IDP policy is applied. During this time, whatever you set as the default IDP policy is inspecting the traffic.
root@SRX> show security policies
Default policy: deny-all
Pre ID default policy: permit-all >>>>>>>>>>>>>>>>>>>>>
2-Once a flow is identified, let's assume it was identified as junos:MS-TEAMS, Junos would transition from using the Pre-ID default security policy and the default IDP policy "IDP_Default" to SEC_POL_1 and the IDP policy Recommended.
I hope the explanation helps.
regards,
Emmanuel Solano
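As an added example (not part of the thread and not Juniper's code), a small Python linter that applies the rules from the reply above to a "set"-style configuration: it flags a system-wide active-policy mixed with per-policy idp-policy references (the "Either configure idp or idp-policy and not both" commit error in the thread title), "application-services idp" with no active-policy set, unified policies that carry IDP but have no default-policy, and IDP policy names that are referenced but not defined. The severities, regexes, helper names and sample configs are my own assumptions; the SRX commit check remains the authority.

```python
"""Lint a Junos 'set'-style SRX config for the IDP activation rules the reply
above describes.  Added example, not Juniper code: the SRX commit check is the
authority, this only predicts it from the rules stated in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

RE_ACTIVE = re.compile(r"^set security idp active-policy (\S+)$")
RE_DEFAULT = re.compile(r"^set security idp default-policy (\S+)$")
RE_IDP_DEF = re.compile(r"^set security idp idp-policy (\S+)")
RE_SECPOL = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")


@dataclass
class SecPolicy:
    unified: bool = False          # has 'match dynamic-application ...'
    legacy_idp: bool = False       # 'then permit application-services idp' (pre-18.2R1 model)
    idp_policy: str | None = None  # 'then permit application-services idp-policy <name>'


def parse(config: str):
    """Collect only the IDP-relevant statements; everything else is ignored."""
    active = default = None
    defined: set[str] = set()
    policies: dict[tuple[str, str, str], SecPolicy] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := RE_ACTIVE.match(line):
            active = m.group(1)
        elif m := RE_DEFAULT.match(line):
            default = m.group(1)
        elif m := RE_IDP_DEF.match(line):
            defined.add(m.group(1))
        elif m := RE_SECPOL.match(line):
            pol = policies.setdefault((m.group(1), m.group(2), m.group(3)), SecPolicy())
            tokens = m.group(5).split()
            if m.group(4) == "match" and tokens[0] == "dynamic-application":
                pol.unified = True
            elif m.group(4) == "then" and "application-services" in tokens:
                rest = tokens[tokens.index("application-services") + 1:][:2]
                if rest[:1] == ["idp"]:
                    pol.legacy_idp = True
                elif len(rest) == 2 and rest[0] == "idp-policy":
                    pol.idp_policy = rest[1]
    return active, default, defined, policies


def lint(config: str) -> list[str]:
    """Return 'ERROR: ...' / 'WARN: ...' strings; an empty list means clean."""
    active, default, defined, policies = parse(config)
    names = lambda keys: ", ".join(k[2] for k in keys)  # policy names for messages
    legacy = [k for k, p in policies.items() if p.legacy_idp]
    named = {k: p.idp_policy for k, p in policies.items() if p.idp_policy}
    findings: list[str] = []
    # The system-wide model and the per-policy model cannot coexist (the commit
    # error in the thread title: "Either configure idp or idp-policy and not both").
    if (active or legacy) and named:
        findings.append("ERROR: active-policy %s / 'application-services idp' in [%s] mixed with "
                        "'idp-policy' in [%s]: either configure idp or idp-policy and not both"
                        % (active, names(legacy), names(named)))
    if legacy and not active:
        findings.append("ERROR: 'application-services idp' in [%s] but no 'security idp "
                        "active-policy' is set" % names(legacy))
    # Unified policies with IDP need a default IDP policy for the pre-ID phase.
    unified_idp = [k for k, p in policies.items() if p.unified and (p.legacy_idp or p.idp_policy)]
    if unified_idp and not default:
        findings.append("WARN: unified policies [%s] carry IDP but no 'security idp "
                        "default-policy' is set for the pre-ID phase" % names(unified_idp))
    # Every referenced policy should exist (template loaded, or custom policy present).
    for name in sorted((set(named.values()) | {n for n in (active, default) if n}) - defined):
        findings.append("WARN: IDP policy '%s' referenced but no 'security idp idp-policy %s' "
                        "stanza in this config (template not loaded?)" % (name, name))
    return findings


# Constructed sample configs (not from the thread's devices); the bare
# 'set security idp idp-policy <name>' lines stand in for loaded templates.
P1 = "set security policies from-zone trust to-zone untrust policy SEC_POL_1 "
P2 = "set security policies from-zone trust to-zone untrust policy SEC_POL_2 "
SMTP = "set security policies from-zone Internet to-zone Internal policy Allow_SMTP "
LEGACY_OK = "\n".join([
    "set security idp idp-policy Recommended", "set security idp active-policy Recommended",
    P1 + "match source-address any", P1 + "then permit application-services idp"])
# The original poster's situation: a system active-policy plus a per-policy idp-policy.
MIXED_MODELS = "\n".join([LEGACY_OK, SMTP + "match application junos-smtp",
                          SMTP + "then permit application-services idp-policy Recommended"])
UNIFIED_NO_DEFAULT = "\n".join([
    "set security idp idp-policy Recommended", "set security idp idp-policy Client-Protection",
    P1 + "match dynamic-application junos:MS-TEAMS",
    P1 + "then permit application-services idp-policy Recommended",
    P2 + "match dynamic-application junos:OUTLOOK",
    P2 + "then permit application-services idp-policy Client-Protection"])
UNIFIED_OK = UNIFIED_NO_DEFAULT + "\nset security idp default-policy Recommended"

if __name__ == "__main__":
    for label, cfg in [("legacy", LEGACY_OK), ("mixed", MIXED_MODELS),
                       ("unified/no default", UNIFIED_NO_DEFAULT), ("unified", UNIFIED_OK)]:
        print("%-20s %s" % (label, lint(cfg) or ["clean"]))
```

To check a real box, save the output of `show configuration | display set` to a file and pass its contents to `lint()`; the "mixed" sample reproduces the combination the original poster appears to have hit (an active-policy already set, then an idp-policy added to a security policy).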
Original Message:
Sent: 04-07-2020 06:01
From: P.Leone
Subject: SRX300 IDP setup "Either configure idp or idp-policy and not both"
Hi,
I am a bit lost trying to set up IDP on my SRX300. I have read all the resources online here and here to activate the license, download & install the signature package, download & install the templates, and also copy/modify a template to our needs. The problem I am running into is activating a template. I don't have
set security idp default-policy Recommended
as an option.
When I try:
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended
or
set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp idp-policy Recommended
I get the error "configuration check-out failed" when I try to commit.
When I run:
show security idp status
I get this:
State of IDP: Default,  Up since: 2020-04-06 07:21:27 CEST (1d 07:37 ago)
Packets/second: 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
KBits/second  : 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
Latency (microseconds): [min: 0] [max: 0] [avg: 0]
Packet Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Flow Statistics:
  ICMP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
  TCP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
  UDP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
  Other: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
Session Statistics:
 [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
  Policy Name : none
In short, how do I apply an IDP policy (template) to a security rule OR set a template as the default active policy?
I appreciate any help.
#IDP
#SRX