Thursday, July 23, 2015

How to enable IDP on SRX



If you want to enable IDP on an SRX device, you have to issue certain number of commands which I list step by step from scratch;
1) Install license first if it hasn’t been installed yet. You can see if it is installed or not via “show system license installed” if this command doesn’t give any ouput, get your license from Juniper and follow the steps below. (Bold italic text is my sample license)
[email protected]> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS111111 sdsdsd ssssss sdfsdf sdfsdf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfdsf sdfdsf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf
 sdf
JUNOS111111: successfully added
add license complete (no errors)
2) Check if the server we will fetch IDP files are reachable;
[email protected]> request security idp security-package download check-server
error: fetching for("https://services.netscreen.com/cgi-bin/index.cgi?device=jsrx210&feature=idp&os=10.4&detector=10.4.160100525&from=&to=latest&type=manifest") failed
We can’t reach. Ensure https://services.netscreen.com is reachable i.e hostname is resolvable by SRX and it can establish TCP connections to 443 port of this remote host.
After fixing connectivity issue here is the result;
[email protected]> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Detector=11.6.160110809, Templates=1996)

3) Download attack table
[email protected]> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
Check status of the download.
[email protected]> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Tue Sep 20 12:12:23 2011, Detector=11.6.160110809)
It looks great.
4) Install attack table
[email protected]> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Check status;
[email protected]> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)
Check once again;
[email protected]> request security idp security-package install status
In progress:Compiling AI signatures ...
Check again;
[email protected]> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 12:12:23 2011,Detector=11.6.160110809]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : not performed
      due to no existing running policy found.
Heyy, completed!
5) Get policy templates;
[email protected]> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
Check status;
[email protected]> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996
6) Install policy templates
[email protected]> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
[email protected]> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
     (=>/var/db/scripts/commit/templates.xsl)!
7) Check downloaded files;
[email protected]> start shell
[email protected]% ls /var/db/idpd/sec-download/
SignatureUpdate.xml             libidp-detector.so.tgz.v
applications.xml                platforms.xml
detector-capabilities.xml       sub-download
groups.xml
[email protected]% exit
exit
[email protected]>
8)  Apply templates and commit the configuration to get template policies in CLI
[edit]
[email protected]# set system scripts commit file templates.xsl
[edit]
[email protected]# commit
Then delete templates commit script right after the first commit;
[edit]
[email protected]# delete system scripts commit file templates.xsl
9) Here is the results. Policies are now accessible after which you can set your active policy and start using it or customize it. Enjoy!
[email protected]# set security idp idp-policy ?
Possible completions:
  <policy-name>        IDP policy name
  DMZ_Services         IDP policy name
  DNS_Service          IDP policy name
  File_Server          IDP policy name
  Getting_Started      IDP policy name
  IDP_Default          IDP policy name
  Recommended          IDP policy name
  Web_Server           IDP policy name

2 THOUGHTS ON “HOW TO ENABLE IDP ON SRX

No comments: