If you want to enable IDP on an SRX device, you have to issue a certain number of commands, which I list step by step from scratch:
1) Install the license first if it hasn't been installed yet. You can check whether it is installed via "show system license installed"; if this command doesn't give any output, get your license from Juniper and follow the steps below. (The key text below is my sample license.)
    root@srx1> request system license add terminal
    [Type ^D at a new line to end input,
     enter blank line between each license key]
    JUNOS111111 sdsdsd ssssss sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfdsf sdfdsf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdf
    JUNOS111111: successfully added
    add license complete (no errors)
2) Check whether the server from which we will fetch the IDP files is reachable:
    root@srx1> request security idp security-package download check-server
    error: fetching for("https://services.netscreen.com/cgi-bin/index.cgi?device=jsrx210&feature=idp&os=10.4&detector=10.4.160100525&from=&to=latest&type=manifest") failed
We can't reach it. Ensure https://services.netscreen.com is reachable, i.e. the hostname is resolvable by the SRX and the SRX can establish TCP connections to port 443 of this remote host.
After fixing the connectivity issue, here is the result:
    root@srx1> request security idp security-package download check-server
    Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:1996(Detector=11.6.160110809, Templates=1996)
3) Download the attack table
    root@srx1> request security idp security-package download full-update
    Will be processed in async mode. Check the status using the status checking CLI
Check the status of the download:
    root@srx1> request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:1996(Tue Sep 20 12:12:23 2011, Detector=11.6.160110809)
It looks great.
4) Install the attack table
    root@srx1> request security idp security-package install
    Will be processed in async mode. Check the status using the status checking CLI
Check status:
    root@srx1> request security idp security-package install status
    In progress:performing DB update for an xml (SignatureUpdate.xml)
Check once again:
    root@srx1> request security idp security-package install status
    In progress:Compiling AI signatures ...
Check again:
    root@srx1> request security idp security-package install status
    Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 12:12:23 2011,Detector=11.6.160110809]
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : not performed due to no existing running policy found.
Heyy, completed! (The data-plane update is skipped only because no IDP policy is active yet; it is applied once an active policy is set and committed in step 9.)
5) Get the policy templates:
    root@srx1> request security idp security-package download policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
Check status:
    root@srx1> request security idp security-package download status
    Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
    Version info:1996
6) Install the policy templates
    root@srx1> request security idp security-package install policy-templates
    Will be processed in async mode. Check the status using the status checking CLI
    root@srx1> request security idp security-package install status
    Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
7) Check the downloaded files:
    root@srx1> start shell
    root@srx1% ls /var/db/idpd/sec-download/
    SignatureUpdate.xml        libidp-detector.so.tgz.v   applications.xml
    platforms.xml              detector-capabilities.xml  sub-download
    groups.xml
    root@srx1% exit
    exit
    root@srx1>
8) Apply the templates and commit the configuration to get the template policies into the CLI
    [edit]
    root@srx1# set system scripts commit file templates.xsl
    [edit]
    root@srx1# commit
Then delete the templates commit script right after the first commit:
    [edit]
    root@srx1# delete system scripts commit file templates.xsl
9) Here are the results. The policies are now accessible; you can then set your active policy and start using it, or customize it first. Enjoy!
    root@srx1# set security idp idp-policy ?
    Possible completions:
      <policy-name>        IDP policy name
      DMZ_Services         IDP policy name
      DNS_Service          IDP policy name
      File_Server          IDP policy name
      Getting_Started      IDP policy name
      IDP_Default          IDP policy name
      Recommended          IDP policy name
      Web_Server           IDP policy name
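The download and install commands in steps 2 to 6 all run in async mode and have to be polled with the status commands until they report "Done;". As an added example (not part of the original post and not Juniper code), here is a small Python helper that classifies those status lines, pulls out the update number and detector version, and checks that what got installed matches what check-server advertised; the sample strings are copied from the transcript above, and the `poll` callback is assumed to be whatever you use to run the Junos status command and return its text.

```python
import re

# Constructed sample lines, copied from the CLI transcript above (one per command output).
CHECK_SERVER = ("Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi). "
                "Version info:1996(Detector=11.6.160110809, Templates=1996)")
DOWNLOAD_BUSY = "Will be processed in async mode. Check the status using the status checking CLI"
INSTALL_BUSY = "In progress:Compiling AI signatures ..."
INSTALL_DONE = ("Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 "
                "12:12:23 2011,Detector=11.6.160110809] Updating control-plane with new detector : "
                "successful Updating data-plane with new attack or detector : not performed due to "
                "no existing running policy found.")


def parse_check_server(text):
    """Version/detector the update server offers, or None when check-server reported a fetch error."""
    m = re.search(r"Version info:(\d+)\(Detector=([\d.]+)", text)
    return {"version": int(m.group(1)), "detector": m.group(2)} if m else None


def parse_status(text):
    """Classify one 'download status' / 'install status' line and pull out the version fields."""
    if text.startswith("Done;"):
        state = "done"
    elif text.startswith("In progress:") or "async mode" in text:
        state = "in_progress"
    else:
        state = "error"          # e.g. "error: fetching for(...) failed"
    upd = re.search(r"(?:UpdateNumber=|Version info:)(\d+)", text)
    det = re.search(r"Detector=([\d.]+)", text)
    data_plane = None            # only reported by the attack-table install
    if "data-plane" in text:
        data_plane = "data-plane with new attack or detector : successful" in text
    return {"state": state, "update": int(upd.group(1)) if upd else None,
            "detector": det.group(1) if det else None, "data_plane_updated": data_plane}


def installed_matches_server(install_status, server):
    """True when the installed attack DB and detector equal what check-server advertised."""
    return (install_status["state"] == "done" and server is not None
            and install_status["update"] == server["version"]
            and install_status["detector"] == server["detector"])


def wait_until_done(poll, max_polls=30):
    """Call poll() (one 'status' command per call) until the operation leaves the in-progress state."""
    for _ in range(max_polls):
        status = parse_status(poll())
        if status["state"] != "in_progress":
            return status
    raise TimeoutError("IDP security-package operation still in progress after %d polls" % max_polls)
```

A `data_plane_updated` of False after a successful install is the signal from step 4 that no IDP policy is active yet, so the new detector is not in the forwarding path until one is committed.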