
Thursday, July 23, 2015

How to enable IDP on SRX



Enabling IDP on an SRX takes a fixed sequence of commands, which I list here step by step from scratch:
1) Install the license first if it has not been installed yet. Check with "show system license installed"; if that command gives no output, obtain the IDP license key from Juniper and add it as below (the key shown is a placeholder, not a real license).
root@srx1> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS111111 sdsdsd ssssss sdfsdf sdfsdf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfdsf sdfdsf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf
 sdf
JUNOS111111: successfully added
add license complete (no errors)
2) Check that the server from which the IDP files will be fetched is reachable;
root@srx1> request security idp security-package download check-server
error: fetching for("https://services.netscreen.com/cgi-bin/index.cgi?device=jsrx210&feature=idp&os=10.4&detector=10.4.160100525&from=&to=latest&type=manifest") failed
The server cannot be reached. Ensure https://services.netscreen.com is reachable, i.e. the hostname resolves on the SRX (a name-server must be configured) and the SRX can open a TCP connection to port 443 of that host. Like other routing-engine-sourced traffic, the download is routed through inet.0, so a route to the server must exist there.
After fixing connectivity issue here is the result;
root@srx1> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Detector=11.6.160110809, Templates=1996)

3) Download the attack table (full update)
root@srx1> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
Check the status of the download:
root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Tue Sep 20 12:12:23 2011, Detector=11.6.160110809)
It looks great.
4) Install the attack table
root@srx1> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Check status;
root@srx1> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)
Check once again;
root@srx1> request security idp security-package install status
In progress:Compiling AI signatures ...
Check again;
root@srx1> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 12:12:23 2011,Detector=11.6.160110809]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no existing running policy found.
Heyy, completed! The data-plane update is skipped here only because no IDP policy is active yet; once a policy is active, later package installs also push the new attacks and detector to the data plane.
5) Get the policy templates;
root@srx1> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
Check status;
root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996
6) Install the policy templates
root@srx1> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
root@srx1> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
     (=>/var/db/scripts/commit/templates.xsl)!
7) Check the downloaded files;
root@srx1> start shell
root@srx1% ls /var/db/idpd/sec-download/
SignatureUpdate.xml             libidp-detector.so.tgz.v
applications.xml                platforms.xml
detector-capabilities.xml       sub-download
groups.xml
root@srx1% exit
exit
root@srx1>
8) Apply the templates commit script and commit; this loads the template policies into the configuration
[edit]
root@srx1# set system scripts commit file templates.xsl
[edit]
root@srx1# commit
Then delete the commit script right after that first commit (and commit again). The templates are now part of the configuration; if the script stays in place it runs on every commit and reloads the templates, overwriting any changes you make to them.
[edit]
root@srx1# delete system scripts commit file templates.xsl
9) Here are the results. The template policies are now in the configuration, so you can set one as the active policy and use it as-is or customise it first. Enjoy!
root@srx1# set security idp idp-policy ?
Possible completions:
  <policy-name>        IDP policy name
  DMZ_Services         IDP policy name
  DNS_Service          IDP policy name
  File_Server          IDP policy name
  Getting_Started      IDP policy name
  IDP_Default          IDP policy name
  Recommended          IDP policy name
  Web_Server           IDP policy name
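As an added example that is not part of the original post: loading the templates does not inspect any traffic by itself. The remaining steps are to choose the active policy and attach IDP to every security policy whose sessions should be inspected, then confirm the engine is running. The zone names trust and untrust and the policy name allow-outbound are assumptions; Recommended is one of the templates listed in step 9. On later Junos releases the active-policy statement is replaced by application-services idp-policy inside each security policy.

```junos
[edit]
root@srx1# set security idp active-policy Recommended
root@srx1# set security policies from-zone trust to-zone untrust policy allow-outbound match source-address any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-outbound match application any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-outbound then permit application-services idp
root@srx1# commit
root@srx1# exit

root@srx1> show security idp active-policy
root@srx1> show security idp status
root@srx1> show security idp security-package-version
```

Only sessions that match a policy carrying application-services idp are inspected; a session that matches a plain permit for the same zone pair bypasses IDP entirely, so check each zone pair you expect to be covered. Once a policy is active, the "Updating data-plane" line from step 4 changes from "not performed" to "successful" on subsequent security-package installs.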


Saturday, February 1, 2014

Free OWASP (Open Web Application Security Project) Top 10 Course



http://securitycompass.com/computer-based-training/free-owasp-top-10/index.html
Thank you for choosing our free OWASP Top 10 CBT for your e-learning; all of which are ready for you below. If you enjoy them, consider upgrading to our full OWASP Top 10 course with some added features. We also have additional training courses that you may be interested in:
For detailed information about the training, contact Security Compass at [email protected]
To claim your CPE credits, apply and enter them through your own CPE association member website. 1 hour of video content = 1 CPE

Juniper Learning Portal and Free Day One Library - PDF Download

https://learningportal.juniper.net/juniper/user_training.aspx

http://www.juniper.net/us/en/training/jnbooks/day-one/

The Day One Library is available as free PDFs from J-Net, Juniper's user community. If you are not a member you will be asked to join with an email address and a password; afterwards you will occasionally receive an email announcing new books added to the library.

The library is organised into these collections:
  • Junos Learning Sphere
  • Junos Fundamentals
  • Junos Automation
  • Junos Dynamic Services
  • Junos Fabric and Switching Technologies
  • Junos Networking Technologies
  • Juniper Validated Solutions
  • Juniper Wireless
  • Juniper Mobile Infrastructure

Friday, January 24, 2014

Authenticate the management users from Radius server, reachable via a routing-instance



SUMMARY:
Can management users be authenticated against a RADIUS server that is reachable only via a routing-instance?
PROBLEM OR GOAL:
If the RADIUS server is reachable via a routing-instance, can management users be authenticated from RADIUS?
SOLUTION:
Yes. The only requirement is that the inet.0 table has at least one interface with an address as a member. By default the device uses the address of an interface in inet.0 as the source of the RADIUS request. It cannot use the address of an interface that belongs to a VR as its source, even if that interface's route is imported into inet.0.
root@juniper> show configuration interfaces ge-0/0/0 
unit 0 {
    family inet {
        address 10.10.10.10/24;
    }
}

Example:

All the interfaces are members of the VR, and the RADIUS configuration is as follows:
root@juniper> show configuration system radius-server
10.10.10.11 secret "$9$dkw4aUjHqfTdbJDkqzF9ApORSeK8db28LbY"; ## SECRET-DATA
If no interface in inet.0 has an address, the device logs the following when it tries to send the RADIUS request:
sshd: sendmsg to 10.10.10.11(10.10.10.11).1812 failed: Can't assign requested address
This typically happens when a customer is short of physical interfaces and does not want to dedicate one to inet.0; nevertheless, at least one interface with an address must exist in inet.0.

In that scenario, configure a loopback address in inet.0 (an lo0 unit that is not assigned to any routing-instance). The SRX then sources the RADIUS traffic from the lo0 address. Make sure you also import that interface route from inet.0 into the VR; otherwise the VR has no route back to 1.1.1.1 and the RADIUS replies are dropped.
root@juniper# show interfaces lo0 
unit 1 {
    family inet {
        address 1.1.1.1/32;
    }
}

Example on how to import route: 
  1. Configure the policy statement:

    policy-statement inettovr {
        from {
            instance master;
            route-filter 1.1.1.1/32 exact;
        }
        then accept;
    }

  2. Export this in inet.0:

    set routing-options instance-export inettovr

  3. Import this in VR testVR:

    set routing-instances testVR routing-options instance-import inettovr

Additionally, if lo0 is used only to originate the RADIUS traffic and you do not want that address visible to the RADIUS server, configure source NAT for it, either pool-based as below or interface-based, depending on the requirement. The RADIUS server's client entry (and shared secret) must then be keyed to the NATed address, not to 1.1.1.1.
root@srx# show security nat source 
pool dummy {
    address {
        10.10.10.10/32;
    }
}
rule-set 1 {
    from routing-instance default;
    to interface <interface that connects to radius>;
    rule 2 {
        match {
            source-address 1.1.1.1/32;
            destination-address 10.10.10.11/32;
        }
        then {
            source-nat {
                pool {
                    dummy;
                }
            }
        } 
    }
}
Note: if UAC or syslog traffic is sourced from a VR interface you hit the same issue, and the fix is the same: an lo0 address in inet.0 from which the traffic is initiated.
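The workaround above as a single set-command sequence, added here as an example and not taken from the KB article. It uses the article's values (routing-instance testVR, RADIUS server 10.10.10.11, loopback 1.1.1.1/32); the shared secret is a placeholder. Two lines are assumptions beyond what the article shows: the next-table static route gives inet.0, where routing-engine traffic is routed, a path to the server through the VR (the article implies such a route exists but does not show it), and the explicit source-address pins the source the article says is picked automatically. The authentication-order line assumes RADIUS first with local password fallback.

```junos
set interfaces lo0 unit 1 family inet address 1.1.1.1/32
set policy-options policy-statement inettovr from instance master
set policy-options policy-statement inettovr from route-filter 1.1.1.1/32 exact
set policy-options policy-statement inettovr then accept
set routing-options instance-export inettovr
set routing-instances testVR routing-options instance-import inettovr
set routing-options static route 10.10.10.0/24 next-table testVR.inet.0
set system radius-server 10.10.10.11 secret "<shared-secret>"
set system radius-server 10.10.10.11 source-address 1.1.1.1
set system authentication-order [ radius password ]
commit

run show route table testVR.inet.0 1.1.1.1/32
run show route table inet.0 10.10.10.11
```

lo0.1 is deliberately left out of testVR so that it stays in inet.0. The two show commands are the check to run before relying on it: the first must list 1.1.1.1/32 in the VR table (otherwise RADIUS replies are dropped), the second must resolve the server through the VR (otherwise the request never leaves the box). Keep the local password fallback until RADIUS login has been verified from a second session, so a broken RADIUS path cannot lock you out.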

Saturday, May 26, 2012

Juniper SRX- identifying files to be deleted



Juniper SRX is notorious for not providing you enough disk space to use all software blades and hold multiple images for upgrades. As a result, you will find yourself on a mission to locate files to be deleted.


First, check the current disk usage:
root@hasrx1> show system storage
node0:
--------------------------------------------------------------------------
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             293M       203M        67M       75%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                566M       566M         0B      100%  /junos
/cf                     293M       203M        67M       75%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              24M       176K        22M        1%  /config
/dev/bo0s3f             342M       138M       177M       44%  /cf/var
/dev/md1                168M        18M       136M       12%  /mfs
/cf/var/jail            342M       138M       177M       44%  /jail/var
/cf/var/log             342M       138M       177M       44%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md2                 39M       4.0K        36M        0%  /mfs/var/run/utm
/dev/md3                1.8M       4.0K       1.7M        0%  /jail/mfs
/dev/altroot            293M       203M        67M       75%  /altroot



Next, from the shell (start shell), list the files under /cf/var sorted by size to find the largest ones:
find -x /cf/var -type f -exec du -k {} \; | sort -n  


Files can be removed with rm from the shell. Delete only what you understand: typically rotated logs under /cf/var/log, leftover package files under /cf/var/tmp and /cf/var/sw/pkg, and core dumps under /cf/var/crash. Never touch /config or the running software image.

Other shell commands:
df

CLI commands:
show system storage
request system storage cleanup dry-run   (lists the files that cleanup would remove)
request system storage cleanup
request system software delete-backup    (frees the most space, but removes the saved previous image, so request system software rollback is no longer possible)



Configure SRX for dual ISP without dynamic routing protocols




SUMMARY:
This article contains a sample configuration for J-Series and SRX Branch with dual ISP connection. This will allow for ISP failover without dynamic routing protocols such as OSPF or BGP.
PROBLEM OR GOAL:
Topology Assumptions 

Note that SRX210 running 9.6R2 was used for this example.

Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1

ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7

Requirements
  • Trust and DMZ zones should egress out ISP1 with source-nat.
  • If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
  • If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
  • ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
  • ISP2 also has destination NAT for same web and mail servers.
  • When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.
SOLUTION:
This is possible using a combination of multiple routing-instances with filter-based forwarding and a qualified-next-hop on the default route. Below is a sample working configuration for the above scenario. Two caveats worth checking before deploying it: failover is driven purely by the interface state of fe-0/0/6, so an ISP1 outage upstream of the link (interface up, traffic going nowhere) does not trigger it; on later Junos releases, RPM probes with ip-monitoring can track reachability instead. Also, the sample opens ssh, https and ping as host-inbound services on both Internet-facing zones; restrict these to trusted management sources or remove them from the isp1 and isp2 zones.

interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.254/24;
            }
        }
    }
    fe-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input isp1-in;
                }
                address 1.1.1.2/29;
            }
        }
    }
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input isp2-in;
                }
                address 2.2.2.2/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet inside;
    }
    static {
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
        }
    }
}
security {
    nat {
        source {
            rule-set interface-nat-out {
                from routing-instance INSIDE;
                to routing-instance [ ISP2 default ];
                rule interface-nat-out {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool web-server-trust {
                address 192.168.1.5/32 port 80;
            }
            pool mail-server-dmz {
                address 10.10.10.5/32 port 25;
            }
            rule-set isp1-to-trust {
                from interface fe-0/0/6.0;
                rule isp1-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp1-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
            rule-set isp2-to-dmz {
                from interface fe-0/0/7.0;
                rule isp2-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp2-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
        }
        proxy-arp {
            interface fe-0/0/6.0 {
                address {
                    1.1.1.5/32;
                }
            }
            interface fe-0/0/7.0 {
                address {
                    2.2.2.5/32;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 192.168.1.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            address-book {
                address mail-server 10.10.10.5/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone isp1 {
            interfaces {
                fe-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone isp2 {
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone dmz {
            policy allow-trust-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp1 {
            policy allow-trust-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp2 {
            policy allow-trust-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone trust {
            policy allow-dmz-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp1 {
            policy allow-dmz-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp2 {
            policy allow-dmz-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone trust {
            policy isp1-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone dmz {
            policy isp1-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone trust {
            policy isp2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone dmz {
            policy isp2-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
    }
}
firewall {
    filter isp1-in {
        term 1 {
            from {
                destination-address {
                    1.1.1.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
}
routing-instances {
    TRUST-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop 192.168.1.1;
                route 10.10.10.0/24 next-hop 10.10.10.1;
            }
        }
    }
    INSIDE {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.1;
                    qualified-next-hop 1.1.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}




