SRX

 View Only
last person joined: 2 days ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:02

    Hi,

    i am a bit lost trying to setup IDP on my srx300. i have read all the resources online here  and here to activate the license, download & install signature package, download & install templates and also copy/modify template to our needs. the problem I am running into is activating a template. i don't have

    set security idp default-policy Recommended

    as an option.

     

    when I try: 

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp-policy Recommended 

    or 

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp idp-policy Recommended

    I get the error: "configuration check-out failed" when I try to commit.

     

    when I run: 

    show security idp status

    I get this:

    State of IDP: Default,  Up since: 2020-04-06 07:21:27 CEST (1d 07:37 ago)
    
    Packets/second: 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
    KBits/second  : 0               Peak: 0 @ 2020-04-07 14:35:55 CEST
    Latency (microseconds): [min: 0] [max: 0] [avg: 0]
    
    Packet Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
    
    Flow Statistics:
      ICMP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      TCP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      UDP: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
      Other: [Current: 0] [Max: 0 @ 2020-04-07 14:35:55 CEST]
    
    Session Statistics:
     [ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
      Policy Name : none
    

    in short, how to I apply an idp policy (template) to a security rule OR set a template as the default active?

    i appreciate any help 


    #IDP
    #SRX


  • 2.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:27

    Looks like you missed to enable the IDP policy template using the command "set system scripts commit file templates.xsl" like mentioned in the first link. If it is applied properly you should have the option "Recommended" idp-policy. Please re-check.

     

     



  • 3.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 06:49

    Hi, thanks for the quick reply. although I was pretty sure I had done this I tried it again. unfortunately, I still cannot do: 

    set security idp default-policy 

    as stated on the site of the first link. I simply do not have that command available.

    image.png

    What am I missing here? prob something small and stupid but I have tried everything I can think of

     

     

     



  • 4.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 07:15
    It's strange. What is the JunOS version you are using?



  • 5.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 07:22

    JUNOS 18.2R3-S2.9



  • 6.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 08:06

    Also for clarification i did see this in the documentation:

    Release Information

    Statement introduced in Junos OS Release 9.2.

    Starting with Junos OS Release 18.2R1, IDP policy is directly assigned in the security policy rule. This is to simplify IDP policy usage and to provide flexibility to have multiple policies active at the same time. As a part of session interest check IDP will enabled if IDP policy is present in any of the matched rules. IDP policy is activated in security policies, by permitting the IDP policy within the application services using the set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name command. Since IDP policy name is directly use in the security policy rule, the [edit security idp active-policy policy-name] statement is deprecated.

     

    that is why I tried the command:

    set security policies from-zone zone-name to-zone zone-name policy policy-name then permit application-services idp-policy idp-policy-name

    but as stated in my original post this gives me an error when trying to commit

     



  • 7.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 04-07-2020 08:42

    Looks like "active-policy" command is hidden but still supported. Please type complete command mentioned below and use "idp" in security policy instead of "idp-policy"

     

    set security idp active-policy Recommended

    set security policies from-zone Internet to-zone Internal policy Allow_1-3-SMTP then permit application-services idp

     

     

     



  • 8.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"
    Best Answer

    Posted 04-07-2020 08:49

    Ok, so i found this:

    Traditional Policy and Unified Policy Details for IDP Policy
    The following details are to be noted when you want to configure IDP policy after you have upgraded your devices for implementing unified policies:
    
    All existing (traditional) IDP policies are treated the same way as a unified policy with dynamic application configured as none.
    
    Configuring a traditional IDP policy and a unified policy with IDP policy as one of the potential policy with dynamic application as matching condition on the same security policy is not supported.
    
    If you are downgrading from Junos OS Release 18.2R1 to any earlier versions of Junos OS Release, you must delete all unified policies to avoid commit check failure after the downgrade.

    since I get the error "Either configure idp or idp-policy and not both" this got me thinking. my security policies have IDP enabled what if I remove all the idp config on all the security policies can I then execute and commit the command... well yes and also after removing all IDP config from the policies I also got this option in the web interface:

    image.png

     

     

     

     

     

    so as the error message stated you can either do IPS on/off (although I still don't know/understand how to configure this) or select IPS policy.

     

    one more thing, I still get an error when I try to enable different idp policies/templates on different security policies. don't know if that is a license or srx300 specific thing but for now just happy I got something working.



  • 9.  RE: SRX300 IDP setup "Either configure idp or idp-policy and not both"

    Posted 10-09-2023 19:37
    Edited by spuluka 10-09-2023 20:08

    Before Junos 18.2R1 , only one IDP policy could be enabled for the whole SRX system, after the aforementioned releases Junos
    lets you configure more than one active policy . 


    How to enable IDP: 


    Before 18.2R1: 

    1-From the available IDP policy list (either from the templates or custom ) choose one as an active policy, in this example
    i am setting up "Recommended" which is part of the IDP policy templates: 

    set security idp active-policy Recommended

    2-Configure a security policy and set advanced permit "application-services idp", this action in the sec policy will make the SRX send 
    traffic for inspection to the active IDP policy "Recommended" configured as active policy in the previous step:  

    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address 
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp  >>>>>>>>>>>>>


    Note: Any other security policy with configured advanced permit action "application-services idp" would send traffic to the same active policy, 
    in this case "Recommended"

    After 18.2R1: 


    1-Configure multiple active policies (either from templates or custom list) by calling them out in different security policy configuration. 
    For the example i am setting up two IDP policies (Recommended and Client-Portection) for two different security policies (SEC_POL_1 and SEC_POL_2)


    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp-policy Recommended >>>>>>>>>>>>>

    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match source-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match destination-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match application any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 then permit application-services idp-policy Client-Protection >>>>>>>>>>>>>

    Both configurations can't coexist because that generates a conflict, you either set an active policy for the whole system or configure different 
    IDP active policies in your security policies.


    Finally, there is another configuration, the IDP default policy. This IDP default policy is configured when you have multiple unified policies with IDP enabled that are possible matches for your traffic (unified policies were introduced in Junos 18 releases). 

     Let's take our previous example, where SEC_POL_1 and SEC_POL_2 are configure with different advanced permit IDP active policies Recommended and 
    Client-Protect respectively, but this time we are adding dynamic application junos:MS-TEAMS and junos:OUTLOOK which make these two security policies unified type. Here there is a conflict, since the security policies context (from zone trust to zone untrust) and match criteria (source=any, destination=any, application=any) in both sec policies are the same, Junos would not know which security policy and hence which IDP policy to apply to the traffic until the dynamic application is identified by the AppID module, so it can't apply either security yet while application is identified.

    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match source-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match destination-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match application any
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 match dynamic-application junos:MS-TEAMS  >>>>>>>>>>>>>>>>>>>>>
    set security policies from-zone trust to-zone untrust policy SEC_POL_1 then permit application-services idp-policy Recommended >>>>>>>>>>>>>>>>>>>>>


    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match source-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match destination-address any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match application any
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 match dynamic-application junos:OUTLOOK >>>>>>>>>>>>>>>>>>>>>
    set security policies from-zone trust to-zone untrust policy SEC_POL_2 then permit application-services idp-policy Client-Protect >>>>>>>>>>>>>>>>>>>>>

    set security idp default-policy IDP_Default  >>>>>>>>>You can use any IDP policy as the default policy, i just liked this one. 

    How does Junos solve this conflict?. 

    1-In our example while AppID module identifies if the traffic is either junos:MS-TEAMS or junos:OUTLOOK, Junos applies something called the 
    Pre ID default policy which is a system policy (can't be modified) with the action to permit flows until they are identified, once flow is identified a more specific unified policy is applied and hence the corresponding IDP policy is applied, during this time whatever you set as the default IDP policy is inspecting the traffic. 

    root@SRX> show security policies
    Default policy: deny-all
    Pre ID default policy: permit-all   >>>>>>>>>>>>>>>>>>>>>


    2-Once a flow is identified, lets assume it was identified as junos:MS-TEAMS, Junos would transition from using the Pre ID default sec policy and default IDP policy "IDP_Default" to SEC_POL_1 and IDP policy Recommended.

    I hope the explanation helps.
     

    regards,

    Emmanuel Solano  



    ------------------------------
    Emanuel Solano
    ------------------------------