APPLICATION NOTE
Copyright © 2009, Juniper Networks, Inc.	
IPS Security Policy Creation for Juniper
Networks SRX Series Services Gateways
Enabling Advanced Security on SRX Series Services Gateways
Table of Contents
Introduction
Scope
FAQs
Basic Configuration Steps
System Licensing
SRX Series and CLI Security Policy Configuration
    Basic Network Configuration
        Initial Configuration Assumptions
    Configure Networking and Basic Security
        Interfaces
        Security Zones
    Security Policies
        IPS Security Policy
        Firewall Security Policy
    IPS Logging
    IPS Security-Package Update
    Verify Configuration
        Log Sample
SRX Series and NSM Security Policy Configuration
    Overview
    Import SRX Series Device into NSM
    Configuring Security Policy
        Inventory Reconciliation
    IDP Detector Update
    Configuring from Central Management Policy Mode
        Firewall Rule Base
        Configure Firewall Zones
    Configuring from In-Device Management Policy Mode
        Access Configuration Details
        Configure Interfaces
        Configure Security Zones
        Assign Interfaces to Security Zones
        Create Firewall Policy and Associate IPS Services
        Select Default Firewall Policy
        Configure IPS Policy
        Set Traceoptions
        Set Logging
        Update Device
SRX Series and J-Web Security Policy Configuration
    Overview
    Configure Device
        Network Interfaces
        Security Zone
    Configure Security Policy
        Firewall
        IPS
        Set Notification
        Activate Policy
        Install and Configure Security Package Update
        Configure Logging
About Juniper Networks
Introduction
Juniper Networks® SRX Series Services Gateways are next-generation devices based on a revolutionary new
architecture that provides market-leading scalability and service integration.
The SRX Series comes equipped with full security and networking capabilities and represents the highest performing
firewalls in the market with natively integrated full Intrusion Prevention System (IPS) technology from Juniper
Networks IDP Series Intrusion Detection and Prevention Appliances, providing inline protection against current and
emerging threats throughout the network.
IPS security policies can be configured via Juniper Networks Network and Security Manager (NSM), Juniper
Networks J-Web Software, or the SRX Series command-line interface (CLI). NSM is the sole means of configuring
and managing the IDP security policy on Juniper Networks ISG Series Integrated Security Gateways with IDP
security module and on standalone IDP Series sensors running IDP 4.x and above.
Scope
Although SRX Series IPS policy can be configured entirely from within J-Web, this document focuses primarily on
CLI and NSM configuration steps, to provide an easy transition and learning path for both system engineers new to
IPS policy creation as well as those already familiar with managing standalone IDP Series, and ISG Series with IDP
solutions. That said, brief J-Web configuration steps are also provided towards the end of this document.
This document is not intended to discuss particular hardware and software architectural details related to the
SRX Series Services Gateways. For more information on hardware and software details, please refer to the relevant
SRX Series Technical Documentation.
Also, the intention of this document is not to discuss best practices in terms of policy rules configuration. Its sole purpose
is to describe the different ways in which a security policy can be configured on the SRX Series Services Gateways.
FAQs
The following notes are listed here to immediately address some of the more frequently asked questions:
1. In comparison with Deep Inspection on ScreenOS, the fundamental IPS detection capabilities on the SRX Series do
not differ from those available on standalone IDP Series or ISG Series with IDP security module.
2. Although full feature parity is intended between different IPS platforms, not all features are available in the
current version of Juniper Networks JUNOS® Software. Due to the significant engineering efforts required,
some features might not become available until future version releases later down the road. For this reason, we
recommend that you familiarize yourself with documentation that details those differences.
3. SRX Series is an inline device and, unlike standalone IDP Series or ISG Series with IDP (tap mode), it cannot be
configured in transparent mode.
4. IPS does not need a separate license to run as a service on the SRX Series; however, a license is required for
IPS updates.
5. A base firewall policy is required and needs to include the IPS application-services statement to enable
IPS inspection.
6. Enabling all attacks is not supported. If the policy does not load, check the service log files for policy size and load results.
7. NSM 2008.2 requires 2 gigabytes of RAM.
8. In order to push policy from NSM successfully, both NSM and the SRX Series have to be at the same detector
version level, and any device mismatch information has to be reconciled (more details in following sections).
9. A syslog server is required to collect security event-related messages as they get identified on the SRX Series
data plane.
Basic Configuration Steps
Enabling a fully functional IPS service on SRX Series Services Gateways includes the following basic
configuration steps:
1. Configure basic networking/security/access (in most cases this will already be configured).
2. Configure and activate IPS policy.
3. Configure firewall policy to associate specific rules with IPS.
4. Configure logging.
5. Update security-package.
6. Verify configuration and test functionality.
System Licensing
Access the SRX Series Services Gateways console via either serial cable plugged into the console port on the device
or by using a terminal session such as SSH.
Check for an IPS license (required for IPS updates).
mxb@Perth> show system license
License usage: none
Licenses installed: none
If there is no license installed, obtain the chassis serial number by issuing the following command:
mxb@Perth> show chassis hardware
A serial number is needed to generate the IPS license. Once you obtain your license file, you can install it by adding it
from the file or simply by copying and pasting the license to the terminal by doing the following:
mxb@Perth> request system license add terminal
Paste the license string from the clipboard as in the following example:
mxb@Perth> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
JUNOS204171 aeaqea qmifat injqhb auimbq ga4aqb qcdw3z
voika4 udefun hquffd l4lpx3 h3fc5p 5at7z4
v32i4f traifg fwhkop 4ymgbv 3r53mm ohelsq
fby
Press the Enter key and then Ctrl-D; when the license is valid, the following message is returned:
JUNOS204171: successfully added
add license complete (no errors)
Verify the system licenses by doing the following:
mxb@Perth> show system license
License usage:
  Feature name    Licenses used    Licenses installed    Licenses needed    Expiry
  idp-sig         0                1                     0                  2009-12-24 00:00:00 UTC
Licenses installed:
  License identifier: JUNOS204171
  Valid for device: AA4508AD0008
  Features:
    idp-sig - IDP Signature
    date-based, 2008-12-21 00:00:00 UTC - 2009-12-24 00:00:00 UTC
SRX Series and CLI Security Policy Configuration
Basic Network Configuration
The following diagram depicts a logical configuration of the sample network which is used throughout this document
to demonstrate security policy configuration.
Figure 1: Demo network
Initial Configuration Assumptions
Before starting the IPS policy configuration, this document assumes that an initial networking configuration exists and
that an admin user has full access to the SRX Series. Initial device configuration on our sample system is as follows:
mxb@Perth> show configuration | display set
set system root-authentication encrypted-password "$1$9FpmDriB$HtuvrU5RXCC2SDaUQDY53/"
set system name-server 1.2.3.4
set system login user mxb uid 2000
set system login user mxb class super-user
set system login user mxb authentication encrypted-password "$1$nvmwu6vH$EGlHl06vrm.0sq3uhG6Eo1"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fxp0 unit 0 family inet address 192.168.1.221/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
Note: Throughout this document we provide commands required to configure specific features; however, in order
to activate associated functionality, configuration changes need to be successfully committed (using the commit
command).
[Figure 1 (diagram residue): the SRX Series sits between zone abc-trust on ge-0/0/2 (33.3.3.1, host 33.3.3.33) and zone abc-untrust on ge-0/0/3 (44.4.4.1, host 44.4.4.44); on the management side the diagram shows fxp0 and ge-0/0/7 (192.168.1.211 and 192.168.2.211), a Traffic/Attack Generator at 192.168.1.118, NSM at 192.168.1.139, SYSLOG at 192.168.2.212 and a GUI host at 192.168.1.240.]
Configure Networking and Basic Security
Interfaces
1. Display current interfaces (assuming the interfaces have been properly cabled).
mxb@Perth> configure
mxb@Perth# show interfaces
fxp0 {
    unit 0 {
        family inet {
            address 192.168.1.221/24;
        }
    }
}
[edit]
mxb@Perth# run show interfaces | match ge-0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
Physical interface: ge-0/0/1, Enabled, Physical link is Down
Physical interface: ge-0/0/2, Enabled, Physical link is Up
Physical interface: ge-0/0/3, Enabled, Physical link is Up
Physical interface: ge-0/0/4, Enabled, Physical link is Down
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Physical interface: ge-0/0/6, Enabled, Physical link is Down
Physical interface: ge-0/0/7, Enabled, Physical link is Up
Physical interface: ge-0/0/8, Enabled, Physical link is Down
Physical interface: ge-0/0/9, Enabled, Physical link is Down
Physical interface: ge-0/0/10, Enabled, Physical link is Down
Physical interface: ge-0/0/11, Enabled, Physical link is Down
2. Configure forwarding interfaces as per the network diagram in Figure 1.
mxb@Perth# set interfaces ge-0/0/2 unit 0 family inet address 33.3.3.1/24
mxb@Perth# set interfaces ge-0/0/3 unit 0 family inet address 44.4.4.1/24
3. Verify configuration.
mxb@Perth# run show interfaces terse | match /24
ge-0/0/2.0		 up	 up	 inet	 33.3.3.1/24
ge-0/0/3.0		 up	 up	 inet	 44.4.4.1/24
ge-0/0/7.0		 up	 up	 inet	 192.168.2.222/24
fxp0.0		 up	 up	 inet	 192.168.1.221/24
Security Zones
1. Display existing zones.
mxb@Perth> show security zones
Security zone: junos-global
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
2. Configure zones abc-trust and abc-untrust and assign interfaces accordingly.
mxb@Perth# set security zones security-zone abc-trust interfaces ge-0/0/2
mxb@Perth# set security zones security-zone abc-untrust interfaces ge-0/0/3
3. Verify configuration.
mxb@Perth# run show security zones
Security zone: abc-trust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/2.0
Security zone: abc-untrust
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 1
Interfaces:
ge-0/0/3.0
Security zone: junos-global
Send reset for non-SYN session TCP packets: Off
Policy configurable: Yes
Interfaces bound: 0
Interfaces:
Security Policies
IPS Security Policy
1. Configure IPS policy abc-idp-policy.
Simple configuration in this example involves setting up one rule looking for all “critical attacks” and, in case a
match is found, dropping the associated connection, setting that event as critical and logging it with an alert. The
second rule is configured to look for “major attacks” and to perform a “recommended action” upon detecting a
severe attack, as well as logging the event. (Note: Logging means sending a syslog message to an appropriate,
preconfigured syslog server. Logging configuration steps are provided in subsequent sections.)
Configuration steps are as follows:
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match from-zone any to-zone any source-address any destination-address any application any attacks predefined-attack-groups Critical
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then action drop-connection
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then severity critical notification log-attacks alert
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match from-zone any to-zone any source-address any destination-address any application any attacks predefined-attack-groups Major
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then action recommended
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then severity major notification log-attacks
2. Verify IPS policy abc-idp-policy.
mxb@Perth# show security idp idp-policy abc-idp-policy
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attack-groups Critical;
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks {
                    alert;
                }
            }
            severity critical;
        }
    }
    rule 2 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attack-groups Major;
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
            severity major;
        }
    }
}
3. Set trace options.
To provide detailed IPS process event information (policy compilation results, policy loading results, DFA matches,
and so on), which allows for further system analysis, tuning, and easier troubleshooting, it is highly recommended
to enable trace options. The following example configures tracing of all security events at all debug levels
(error, info, notice, verbose, and warning). If no trace file name is specified, trace output is written to a file
named after the process being traced, which for IDP is /var/log/idpd:
mxb@Perth# set security idp traceoptions flag all
mxb@Perth# set security idp traceoptions level all
For this example, let’s also limit the file size to 100 MB. This means that the process will write this file and once it
reaches 100 MB, it will rename it to idpd.0 and continue with a new idpd. The default number of files is 3 and if file
numbers are exhausted, the oldest file (idpd.2) gets overwritten.
mxb@Perth# set security idp traceoptions file size 100M
4. Verify trace options settings.
mxb@Perth# show security idp traceoptions
file size 100m;
flag all;
level all;
5. Activate IPS policy.
mxb@Perth# set security idp active-policy abc-idp-policy
6. Verify active IPS policy.
mxb@Perth# show security idp active-policy
active-policy abc-idp-policy;
Note: In order to deploy IPS policy on the SRX Series Services Gateways, one more step is required—configuring
firewall security policy to identify which traffic is to be processed by the IPS service. This is described in the
following section.
Firewall Security Policy
For traffic entering the SRX Series gateway to be processed by the IPS security policy, the firewall security policy
needs to be configured accordingly.
Following are steps required to configure firewall security policy and finalize Intrusion Prevention System
configuration on the SRX Series gateway. This will result in traffic between security zones abc-untrust and abc-trust
being inspected by IPS security policy abc-idp-policy.
1. Make sure that the system is configured with the default policy denying all traffic. This means traffic is
denied throughout the gateway unless specifically allowed by firewall security policy.
mxb@Perth> show security policies
Default policy: deny-all
2. Configure policy.
mxb@Perth# set security policies from-zone abc-untrust to-zone abc-trust policy abc match source-address any destination-address any application any
mxb@Perth# set security policies from-zone abc-untrust to-zone abc-trust policy abc then permit application-services idp
mxb@Perth# set security policies from-zone abc-trust to-zone abc-untrust policy abc match source-address any destination-address any application any
mxb@Perth# set security policies from-zone abc-trust to-zone abc-untrust policy abc then permit application-services idp
3. Verify configuration.
mxb@Perth# show security policies
from-zone abc-untrust to-zone abc-trust {
    policy abc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
from-zone abc-trust to-zone abc-untrust {
    policy abc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
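FAQ item 5 and this section both require that every permitting firewall policy carry application-services idp and that an IPS policy be active. As an added example (not code from this application note), the following Python script parses `show configuration | display set` output and flags permit rules that lack IPS inspection, as well as a missing or undefined active IPS policy; the embedded configuration is constructed from this section's commands, with an extra hypothetical 'mgmt' policy (using the junos-ssh application) added as the gap to catch.

```python
"""Audit SRX 'display set' configuration for permit rules that bypass IPS.

Added example, not code from the Juniper application note. It enforces the
two conditions the note states: every firewall policy that permits traffic
must carry 'application-services idp', and an IPS policy must be active.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

POLICY_RE = re.compile(
    r"^set security policies from-zone (?P<src>\S+) to-zone (?P<dst>\S+) "
    r"policy (?P<name>\S+) (?P<rest>.+)$"
)
ACTIVE_RE = re.compile(r"^set security idp active-policy (?P<policy>\S+)$")
IDP_POLICY_RE = re.compile(r"^set security idp idp-policy (?P<policy>\S+) ")


@dataclass
class Rule:
    from_zone: str
    to_zone: str
    name: str
    action: Optional[str] = None          # permit / deny / reject, once seen
    idp: bool = False                     # 'application-services idp' present
    apps: set = field(default_factory=set)


def parse_set_config(text):
    """Return (rules keyed by zone pair + name, active IPS policy, defined IPS policies)."""
    rules, active, defined = {}, None, set()
    for raw in text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            key = (m["src"], m["dst"], m["name"])
            rule = rules.setdefault(key, Rule(*key))
            words = m["rest"].split()
            if words[0] == "then" and len(words) > 1:
                rule.action = words[1]
                if "application-services" in words and "idp" in words:
                    rule.idp = True
            elif words[0] == "match":
                app = re.search(r"\bapplication (\S+)", m["rest"])
                if app:
                    rule.apps.add(app.group(1))
            continue
        m = ACTIVE_RE.match(line)
        if m:
            active = m["policy"]
            continue
        m = IDP_POLICY_RE.match(line)
        if m:
            defined.add(m["policy"])
    return rules, active, defined


def audit(text):
    """Return human-readable findings; an empty list means IPS coverage is complete."""
    rules, active, defined = parse_set_config(text)
    findings = []
    if active is None:
        findings.append("no 'set security idp active-policy' configured")
    elif active not in defined:
        findings.append(f"active-policy {active} refers to an undefined idp-policy")
    for r in rules.values():
        if r.action == "permit" and not r.idp:
            apps = ", ".join(sorted(r.apps)) or "traffic"
            findings.append(
                f"{r.from_zone}->{r.to_zone} policy {r.name} permits {apps} "
                "without application-services idp"
            )
    return findings


# Constructed sample: the note's two 'abc' policies plus a hypothetical third,
# 'mgmt', that permits SSH without handing it to IPS; only 'mgmt' should be flagged.
SAMPLE_CONFIG = """
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match from-zone any
set security idp active-policy abc-idp-policy
set security policies from-zone abc-untrust to-zone abc-trust policy abc match source-address any destination-address any application any
set security policies from-zone abc-untrust to-zone abc-trust policy abc then permit application-services idp
set security policies from-zone abc-trust to-zone abc-untrust policy abc match source-address any destination-address any application any
set security policies from-zone abc-trust to-zone abc-untrust policy abc then permit application-services idp
set security policies from-zone abc-trust to-zone abc-untrust policy mgmt match source-address any destination-address any application junos-ssh
set security policies from-zone abc-trust to-zone abc-untrust policy mgmt then permit
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```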
IPS Logging
IPS generates event logs when an event matches an IPS policy rule in which logging is enabled. When you configure
a rule for logging, the device creates a log entry for each event that matches that rule.
When configured to do so, the IPS service sends events that match a policy entry to the logging server directly from
the data plane, as syslog over UDP port 514, using an emulated source IP address.
1. Configuration steps.
a. Configure the data-plane interface from which syslog messages are sent:
mxb@Perth# set interfaces ge-0/0/7 unit 0 family inet address 192.168.2.1/24
b. Format (standard or structured format):
mxb@Perth# set security log format syslog
c. Emulated source IP address (the interface cannot be fxp0):
mxb@Perth# set security log source-address 192.168.2.211
d. Severity:
mxb@Perth# set security log stream jet severity debug
e. Syslog server IP address (to which logs are sent via 514/udp):
mxb@Perth# set security log stream jet host 192.168.2.212
2. Verify log configuration.
mxb@Perth# show security log
format syslog;
source-address 192.168.2.211;
stream jet {
    severity debug;
    host {
        192.168.2.212;
    }
}
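To make use of the events the stream above delivers, here is an added Python example (not code from this application note) that parses IDP_ATTACK_LOG_EVENT records in the format shown in the Log Sample section of this document and reports detections whose action was not DROP, which is what an operator reviewing rule 2 "recommended" hits wants to see. The sample records are constructed from that format, and the trailing sshd line is a made-up non-IDP message included to show it is skipped.

```python
"""Parse IDP_ATTACK_LOG_EVENT records as received by the syslog server.

Added example, not code from the Juniper application note. It extracts the
fields of each IPS event sent from the SRX data plane and reports detections
that were not dropped, so 'recommended' rule hits can be reviewed.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) RT_IDP: IDP_ATTACK_LOG_EVENT: "
    r"IDP: at (?P<epoch>\d+), SIG Attack log "
    r"<(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)> "
    r"for (?P<proto>\S+) protocol and service (?P<service>\S+) "
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. "
    r"attack: (?P<attrs>.*)$"
)


def parse_event(line):
    """Return a dict of fields for one IDP attack record, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = {k: v for k, v in m.groupdict().items() if k != "attrs"}
    for k in ("epoch", "sport", "dport", "rule"):
        ev[k] = int(ev[k])
    # The attack attributes are comma-separated: mostly key=value pairs, plus the
    # positional 'NAT <...>' and 'intf:...' items and a trailing free-text message.
    for item in m["attrs"].split(", "):
        if "=" in item:
            k, v = item.split("=", 1)
            ev[k] = int(v) if v.isdigit() else v
        elif item.startswith("NAT <") and item.endswith(">"):
            ev["nat"] = item[5:-1]
        elif item.startswith("intf:"):
            ev["intf"] = item[5:]
        elif item.startswith("and misc-message"):
            ev["misc"] = item[len("and misc-message"):].strip()
    return ev


def parse_events(lines):
    return [ev for ev in (parse_event(line) for line in lines) if ev]


def count_by_rule_and_action(lines):
    """{rule number: {action: count}} over all IDP records in lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for ev in parse_events(lines):
        counts[ev["rule"]][ev.get("action", "?")] += 1
    return {rule: dict(actions) for rule, actions in counts.items()}


def unblocked(lines):
    """Events that matched a rule but were not dropped; these deserve review."""
    return [ev for ev in parse_events(lines) if ev.get("action") != "DROP"]


# Constructed sample: three records in the format shown in this note's Log Sample
# (reassembled onto single lines) plus an unrelated syslog line that must be skipped.
SAMPLE_LOG = [
    "Jan 9 14:20:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579626, SIG Attack log "
    "<33.3.3.33:6312->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of "
    "rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, "
    "name=HTTP:PKG:CART32-ADM-PW-CHG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, "
    "and misc-message",
    "Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log "
    "<33.3.3.33:63286->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of "
    "rulebase IPS in policy abc-idp-policy. attack: repeat=11, action=NONE, severity=HIGH, "
    "name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, "
    "and misc-message",
    "Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log "
    "<33.3.3.33:51835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of "
    "rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=HIGH, "
    "name=HTTP:PHP:UPLOAD-LOCATION, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, "
    "outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, "
    "and misc-message",
    "Jan 9 14:20:30 sshd[1234]: Accepted publickey for mxb from 192.168.1.240",
]

if __name__ == "__main__":
    print(count_by_rule_and_action(SAMPLE_LOG))
    for ev in unblocked(SAMPLE_LOG):
        print(f"not blocked: rule {ev['rule']} {ev['name']} {ev['src']}->{ev['dst']}:{ev['dport']}")
```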
IPS Security-Package Update
The following steps update SRX Series Services Gateways with the most recent security updates.
Note: In order to push a policy from Network and Security Manager to the SRX Series, the detector versions on the
SRX Series device and on NSM must match.
1. Make sure the device is properly configured with the download URL:
mxb@Perth> configure
Entering configuration mode
[edit]
mxb@Perth# show security idp security-package
url https://services.netscreen.com/cgi-bin/index.cgi;
2. Verify the current version installed on the device. The following example shows the detector version shipped with
the installed JUNOS package, with no attack database and no policy templates.
mxb@Perth> show security idp security-package-version
Attack database version:N/A(N/A)
Detector version :9.2.140080919
Policy template version :N/A
3. Compare results with the most recent versions available at the Juniper Networks download URL.
Note: DNS server and default gateway information must be configured in order to successfully resolve and access
the URL.
mxb@Perth> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1342(Detector=9.2.140081105, Templates=1)
4. Download the updates.
mxb@Perth> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
mxb@Perth> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1342(Fri Jan 9 12:53:43 2008, Detector=9.2.140081105)
5. Install security-package.
mxb@Perth> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
mxb@Perth> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1342,ExportDate=Fri Jan 9 13:27:58
2009,Detector=9.2.140081105]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : successful
6. Install policy templates.
mxb@Perth> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
mxb@Perth> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
mxb@Perth> show security idp security-package-version
Attack database version:1342(Fri Jan 9 13:28:58 2009)
Detector version :9.2.140081105
Policy template version :1
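Because this section requires the attack database to be current and the device detector to match the one NSM uses, here is an added Python example (not code from this application note) that parses the two outputs shown above, `show security idp security-package-version` and `download check-server`, and reports which components (attack database, detector, policy templates) are behind the server, treating N/A as "nothing installed". The embedded outputs are constructed copies of this section's samples.

```python
"""Decide whether an SRX security package needs updating, from CLI output.

Added example, not code from the Juniper application note. It parses the
text of 'show security idp security-package-version' and of
'request security idp security-package download check-server' and reports
which components (attack database, detector, policy templates) are behind.
"""
import re

INSTALLED_RE = {
    "attack_db": re.compile(r"Attack database version\s*:\s*(?P<v>\S+?)\((?P<date>[^)]*)\)"),
    "detector": re.compile(r"Detector version\s*:\s*(?P<v>\S+)"),
    "templates": re.compile(r"Policy template version\s*:\s*(?P<v>\S+)"),
}
AVAILABLE_RE = re.compile(
    r"Version info:(?P<attack_db>\d+)\(Detector=(?P<detector>[\d.]+),\s*Templates=(?P<templates>\d+)\)"
)


def _num(value):
    """'N/A' (nothing installed yet) becomes None; digits become int."""
    return None if value in ("N/A", "") else int(value)


def parse_installed(text):
    """Fields of 'show security idp security-package-version' output."""
    out = {}
    for key, rx in INSTALLED_RE.items():
        m = rx.search(text)
        if not m:
            raise ValueError(f"missing {key} line in security-package-version output")
        out[key] = m["v"] if key == "detector" else _num(m["v"])
        if key == "attack_db":
            out["attack_db_date"] = None if m["date"] == "N/A" else m["date"]
    return out


def parse_available(text):
    """Fields of the 'Version info:' line printed by 'download check-server'."""
    m = AVAILABLE_RE.search(text)
    if not m:
        raise ValueError("no 'Version info:' line in check-server output")
    return {
        "attack_db": int(m["attack_db"]),
        "detector": m["detector"],
        "templates": int(m["templates"]),
    }


def detector_tuple(version):
    """'9.2.140081105' -> (9, 2, 140081105) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in version.split("."))


def update_needed(installed, available):
    """Per-component flags; a missing component (None) always needs the update."""
    return {
        "attack_db": installed["attack_db"] is None or installed["attack_db"] < available["attack_db"],
        "detector": detector_tuple(installed["detector"]) < detector_tuple(available["detector"]),
        "templates": installed["templates"] is None or installed["templates"] < available["templates"],
    }


# Constructed samples mirroring the outputs shown in this section.
FRESH_DEVICE = """\
Attack database version:N/A(N/A)
Detector version :9.2.140080919
Policy template version :N/A
"""
AFTER_INSTALL = """\
Attack database version:1342(Fri Jan 9 13:28:58 2009)
Detector version :9.2.140081105
Policy template version :1
"""
CHECK_SERVER = """\
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1342(Detector=9.2.140081105, Templates=1)
"""

if __name__ == "__main__":
    avail = parse_available(CHECK_SERVER)
    for label, text in (("before install", FRESH_DEVICE), ("after install", AFTER_INSTALL)):
        print(label, update_needed(parse_installed(text), avail))
```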
Verify Configuration
At this time, the basic configuration for our example network is complete. It is configured so that if traffic traversing
the SRX Series gateway is flowing between zones abc-trust and abc-untrust, it is inspected by the IPS service and
matched for:
a. Critical attacks: if a match is found, the connection is dropped and a notification is sent to the syslog server.
b. Major attacks: if a match is found, the recommended action is applied and a notification is sent to the syslog server.
Log Sample
The following is a sample of some security events as identified by the SRX Series device and presented via syslog:
Jan 9 14:20:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579626, SIG Attack log <33.3.3.33:6312->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:PKG:CART32-ADM-PW-CHG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:51835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=HIGH, name=HTTP:PHP:UPLOAD-LOCATION, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:48123->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=3, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:63286->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=11, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579622, SIG Attack log <33.3.3.33:48835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=SCAN:METASPLOIT:APACHE-CHUNK-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
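As an added example (not part of the application note and not Juniper code), the following Python parses RT_IDP IDP_ATTACK_LOG_EVENT lines of the form shown above into structured records and summarizes them the way a syslog collector would: a count per severity and action, and the list of signatures that matched at CRITICAL or HIGH severity but were left at action=NONE, that is, logged without the connection being dropped. The sample input consists of four of the page's own events re-joined onto single lines plus one constructed non-IDP line, which shows that unrelated syslog records are skipped; the record field names and function names are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: four IDP_ATTACK_LOG_EVENT records from this application note's
# log sample, one per line, plus one constructed non-IDP line (last line).
SAMPLE_LOG = """\
Jan 9 14:20:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579626, SIG Attack log <33.3.3.33:6312->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:PKG:CART32-ADM-PW-CHG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:48123->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=3, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:63286->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=11, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:00 RT_FLOW: RT_FLOW_SESSION_CLOSE: constructed non-IDP line that the parser must skip
"""

# One regex for the whole record; field layout follows the log sample on this page.
_EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at (?P<at_id>\d+), "
    r"SIG Attack log <(?P<src_ip>[\d.]+):(?P<src_port>\d+)->(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)> "
    r"for (?P<proto>\w+) protocol and service (?P<service>\S+) by rule (?P<rule>\d+) "
    r"of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. attack: repeat=(?P<repeat>\d+), "
    r"action=(?P<action>\w+), severity=(?P<severity>\w+), name=(?P<name>[^,]+), "
    r".*intf:(?P<from_intf>[^>]+)->(?P<to_intf>[^,]+),"
)


@dataclass(frozen=True)
class IdpEvent:
    timestamp: str
    at_id: int          # the numeric value after "at", kept as logged
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    rule: int
    policy: str
    repeat: int
    action: str         # DROP / NONE as seen in the sample
    severity: str       # CRITICAL / HIGH as seen in the sample
    name: str           # signature name, e.g. SHELLCODE:X86:NOOP-TCP
    from_intf: str      # zone:interface the packet entered on
    to_intf: str        # zone:interface the packet was leaving on


def parse_line(line):
    """Return an IdpEvent for an IDP_ATTACK_LOG_EVENT line, or None for anything else."""
    m = _EVENT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return IdpEvent(
        timestamp=d["ts"], at_id=int(d["at_id"]),
        src_ip=d["src_ip"], src_port=int(d["src_port"]),
        dst_ip=d["dst_ip"], dst_port=int(d["dst_port"]),
        protocol=d["proto"], rule=int(d["rule"]), policy=d["policy"],
        repeat=int(d["repeat"]), action=d["action"], severity=d["severity"],
        name=d["name"], from_intf=d["from_intf"], to_intf=d["to_intf"],
    )


def parse_log(text):
    """Parse a block of syslog text, silently skipping non-IDP records."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def count_by_severity_action(events):
    """How many events the IPS rulebase produced per (severity, action) pair."""
    counts = Counter((e.severity, e.action) for e in events)
    return dict(counts)


def logged_but_not_dropped(events, severities=("CRITICAL", "HIGH")):
    """Signature names that matched at one of the given severities with action=NONE.
    These are the hits an operator should review: the policy logged them but let
    the connection through."""
    return sorted({e.name for e in events
                   if e.severity in severities and e.action == "NONE"})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (sev, act), n in sorted(count_by_severity_action(evs).items()):
        print(f"{sev:9s} {act:5s} {n}")
    print("logged but not dropped:", logged_but_not_dropped(evs))
```

The regex anchors on the literal RT_IDP prefix and field order shown in the page's sample, so a different Junos release that reorders or renames fields will simply yield no events; treat an unexpectedly empty result as a parser mismatch rather than a quiet network.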
SRX Series and NSM Security Policy Configuration
Overview	
This section covers basic SRX Series with IPS policy configuration involving the same network setup, same IPS, and
same firewall security policies as described in the previous section.
There are two possible approaches for configuring SRX Series IPS security policy with NSM:
1. Configure the basic setup through the CLI and import the device, with its policy, into NSM.
2. Configure both firewall and IPS security policy entirely from NSM, from within one of the following device policy
management modes:
a. Central Mode (policy at the NSM level, applicable to any selected device; this is the default mode).
b. In-Device Mode (policy at the device level, applicable to the actual device that is accessed and edited through
the configuration details).
For the purpose of this document, we will import the SRX Series device into NSM with a CLI-based configuration as
described in the previous section.
Note: When updating the SRX Series device in Central Mode, the security policy from Policy Manager is pushed.
When in In-Device Mode, the security policy as configured under the Security->idp->idp Policy is pushed.
Import SRX Series Device into NSM
1. Add new device: the device needs to be selected as Existing and Not Reachable.
2. Select device specifications.
3. Configure the device to connect to NSM.
4. Console into the SRX Series device and enter the following commands:
mxb@Perth# set system services outbound-ssh client nsm device-id EEC4B8
mxb@Perth# set system services outbound-ssh client nsm secret <one-time-password>
mxb@Perth# set system services outbound-ssh client nsm 192.168.1.139 port 7804
mxb@Perth# set system services outbound-ssh client nsm services netconf
5. Import the device.
Note: Importing the device by default imports it in the Central Policy Mode and, as a part of the process, imports
currently configured security policy on that device into the NSM policy tree.
Note: If a security policy with the same name already exists in the NSM database (from a previous import), a new,
incrementally numbered policy will be created at each import (SRX-Perth-abc-idp-policy_1, SRX-Perth-abc-idp-
policy_2, and so on).
If there is no security policy configured on the SRX Series device, no policy will be imported and the administrator
will have to configure a security policy either using the CLI (importing it as described in the previous section), or will
need to configure it from NSM as described in the following sections.
Configuring Security Policy
After successfully importing the device, the administrator can create a new security policy or tune/change the
existing policy, and then deploy the changes and/or updates by following the standard Update Device procedure.
This section describes security policy configuration and deployment through Central Policy Mode. Policy
SRX-Recommended will be created (based on Recommended security policy template) and applied to the
SRX Series device.
Note: If the device being imported does not match the Inventory or Detector information in the NSM database,
security policy update will fail.
Inventory Reconciliation
When importing a new device, or after any configuration change that results in a hardware or software
mismatch between the information stored in NSM and the device itself, you will have to reconcile inventory. Updating
policy on a device that is out of sync results in the following failure:
To bring a device in sync from the Device Manager, right-click on the device and select View/Reconcile Inventory.
The following window appears:
You can select Refresh, which opens a new window and presents any mismatched items (highlighted),
or you can select Reconcile to update the database information. Once successful, selecting Reconcile again shows
the inventory without any highlighted items.
IDP Detector Update
If the SRX IDP Detector on the device does not match the detector on NSM before the policy is pushed, the two
will need to be brought in line.
To check the Detector version installed on NSM, start Attack Update Manager and check the IDP-SRX Detector
Engine version.
If the Detector version does not match, a failure message similar to the following is reported when attempting to
update the device:
mxb@Perth> show security idp security-package-version
Attack database version:N/A(N/A)
Detector version :9.2.140080919
Policy template version :N/A
To fix this, both NSM and the SRX Series device must be brought into sync. Although it is possible to roll
back a couple of versions on NSM, it is recommended to download and install the most recent security package
from the SRX Series CLI. For more details on how to update security packages, please see “IPS Security-Package
Update” in the previous section describing the CLI-based policy configuration.
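As an added example (my own code, not Juniper's), the following Python reads the output of `show security idp security-package-version` as shown on this page, both the healthy output after the security package install and the failure state above, and reports why a policy push from NSM would fail: no attack database or policy templates installed, or a device detector version that differs from the IDP-SRX Detector Engine version NSM reports. The NSM detector version is an assumed value that you would read from Attack Update Manager; the dictionary keys and function names are my own.

```python
import re

# Output of "show security idp security-package-version" as shown on this page:
# first the device after a successful security-package install, then the
# failure state (no attack database, older detector).
HEALTHY_OUTPUT = """\
Attack database version:1342(Fri Jan 9 13:28:58 2009)
Detector version :9.2.140081105
Policy template version :1
"""

STALE_OUTPUT = """\
Attack database version:N/A(N/A)
Detector version :9.2.140080919
Policy template version :N/A
"""

# Assumed value: the IDP-SRX Detector Engine version that Attack Update Manager
# shows on the NSM server. It is not on this page; read it from your NSM.
NSM_DETECTOR_VERSION = "9.2.140081105"

_FIELD_RE = re.compile(
    r"^\s*(Attack database version|Detector version|Policy template version)\s*:\s*(.*?)\s*$"
)


def parse_security_package_version(cli_output):
    """Turn the three-line CLI output into a dict; a value of N/A becomes None."""
    fields = {}
    for line in cli_output.splitlines():
        m = _FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Attack database version":
            # "1342(Fri Jan 9 13:28:58 2009)" -> database number and build timestamp
            num, _, stamp = value.partition("(")
            fields["attack_db"] = None if num == "N/A" else num
            fields["attack_db_date"] = None if stamp.startswith("N/A") else stamp.rstrip(")")
        elif key == "Detector version":
            fields["detector"] = None if value == "N/A" else value
        else:
            fields["policy_templates"] = None if value == "N/A" else value
    return fields


def readiness_findings(cli_output, nsm_detector_version):
    """List the reasons an NSM policy update would fail; an empty list means ready."""
    f = parse_security_package_version(cli_output)
    findings = []
    if f.get("attack_db") is None:
        findings.append("no attack database installed: install the IPS security package "
                        "(see IPS Security-Package Update)")
    if f.get("policy_templates") is None:
        findings.append("no policy templates installed: install the policy-templates package")
    if f.get("detector") != nsm_detector_version:
        findings.append("detector %s on the device does not match NSM detector %s"
                        % (f.get("detector"), nsm_detector_version))
    return findings


if __name__ == "__main__":
    for label, out in (("healthy", HEALTHY_OUTPUT), ("stale", STALE_OUTPUT)):
        problems = readiness_findings(out, NSM_DETECTOR_VERSION)
        print(label, "-> ready" if not problems else "-> " + "; ".join(problems))
```

Run this against the CLI output captured from each device before an Update Device in NSM; a non-empty result points at the security-package install step rather than at the policy itself.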
Configuring from Central Management Policy Mode
1. Select “Firewall/VPN Devices with IDP” as the device model.
2. Select the “Recommended (predefined)” policy as a template.
3. Assign the policy to a device.
The following security policy with firewall and IPS rule bases is automatically created and associated with the SRX
Series device.
Firewall Rule Base
Configure Firewall Zones
You can configure policy for traffic between existing zones on the device.
Once satisfied with the configuration, push your policy by right-clicking the device and selecting Update Device.
Configuring from In-Device Management Policy Mode
In In-Device Policy Mode, an administrator can perform device-level configuration as described in the
CLI Security Policy Configuration section.
Security policy and other configuration changes made through Device Manager apply to that device only,
and are applied only while the device is in In-Device Policy Mode. If the device is in Central Mode, these changes are not applied.
Note: Switching from one mode to another imports the device configuration from the device into the NSM.
The following section provides a quick overview of setting the security policy through the Device Manager in In-Device Policy Management Mode.
Access Configuration Details
Configure Interfaces
Configure Security Zones
Assign Interfaces to Security Zones
Create Firewall Policy and Associate IPS Services
Select Default Firewall Policy
Configure IPS Policy
Set Traceoptions
Set Logging
Update Device
SRX Series and J-Web Security Policy Configuration
Overview
This section reviews Quick Configuration steps required to set up security policy on SRX Series Services Gateways
from within the J-Web interface.
Configure Device
Network Interfaces
Use the same steps to configure all other interfaces.
Security Zone
Use the same steps to configure the other security zones.
Configure Security Policy
Firewall
IPS
Set Notification
	
Activate Policy
Install and Configure Security Package Update
Configure Logging
This step, and any other more detailed tasks, are done through Edit Configuration (not Quick Configuration).
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER
(888.586.4737)
or 408.745.2000
Fax: 408.745.2100
APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King’s Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803
EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin,
Ireland
Phone: 35.31.8903.600
Fax: 35.31.8903.601
Copyright 2009 Juniper Networks, Inc.
All rights reserved. Juniper Networks, the
Juniper Networks logo, JUNOS, NetScreen,
and ScreenOS are registered trademarks of
Juniper Networks, Inc. in the United States and
other countries. JUNOSe is a trademark of
Juniper Networks, Inc. All other trademarks,
service marks, registered marks, or registered
service marks are the property of their
respective owners. Juniper Networks assumes
no responsibility for any inaccuracies in this
document. Juniper Networks reserves the right
to change, modify, transfer, or otherwise revise
this publication without notice.
3500146-001-EN Mar 2009 Printed on recycled paper.
To purchase Juniper Networks solutions, please
contact your Juniper Networks representative
at 1-866-298-6428 or authorized reseller.
About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network
infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and
applications over a single network. This fuels high-performance businesses. Additional information can be found at
www.juniper.net.

WordPress Websites for Engineers: Elevate Your Brand
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 

ScreenOS Idp policy creation en

APPLICATION NOTE
Copyright © 2009, Juniper Networks, Inc.

IPS Security Policy Creation for Juniper Networks SRX Series Services Gateways
Enabling Advanced Security on SRX Series Services Gateways

Table of Contents

Introduction
Scope
FAQs
Basic Configuration Steps
System Licensing
SRX Series and CLI Security Policy Configuration
Basic Network Configuration
Initial Configuration Assumptions
Configure Networking and Basic Security
Interfaces
Security Zones
Security Policies
IPS Security Policy
Firewall Security Policy
IPS Logging
IPS Security-Package Update
Verify Configuration
Log Sample
SRX Series and NSM Security Policy Configuration
Overview
Import SRX Series Device into NSM
Configuring Security Policy
Inventory Reconciliation
IDP Detector Update
Configuring from Central Management Policy Mode
Firewall Rule Base
Configure Firewall Zones
Configuring from In-Device Management Policy Mode
Access Configuration Details
Configure Interfaces
Configure Security Zones
Assign Interfaces to Security Zones
Create Firewall Policy and Associate IPS Services
Select Default Firewall Policy
Configure IPS Policy
Set Traceoptions
Set Logging
Update Device
SRX Series and J-Web Security Policy Configuration
Overview
Configure Device
Network Interfaces
Security Zone
Configure Security Policy
Firewall
IPS
Set Notification
Activate Policy
Install and Configure Security Package Update
Configure Logging
About Juniper Networks
Introduction

Juniper Networks® SRX Series Services Gateways are next-generation devices based on a new architecture that provides scalability and service integration. The SRX Series comes equipped with full security and networking capabilities, with natively integrated Intrusion Prevention System (IPS) technology from the Juniper Networks IDP Series Intrusion Detection and Prevention Appliances, providing inline protection against current and emerging threats throughout the network.

IPS security policies can be configured via Juniper Networks Network and Security Manager (NSM), Juniper Networks J-Web Software, or the SRX Series command-line interface (CLI). NSM is the sole means of configuring and managing the IDP security policy on Juniper Networks ISG Series Integrated Security Gateways with IDP security module and on standalone IDP Series sensors running IDP 4.x and above.

Scope

Although SRX Series IPS policy can be configured entirely from within J-Web, this document focuses primarily on CLI and NSM configuration steps, to provide an easy transition and learning path both for system engineers new to IPS policy creation and for those already familiar with managing standalone IDP Series and ISG Series with IDP solutions. Brief J-Web configuration steps are also provided towards the end of this document.

This document is not intended to discuss hardware and software architectural details of the SRX Series Services Gateways; for those, refer to the relevant SRX Series Technical Documentation. Nor is it intended to discuss best practices for policy rule configuration. Its sole purpose is to describe the different ways in which a security policy can be configured on the SRX Series Services Gateways.

FAQs

The following notes address some of the more frequently asked questions:

1. In comparison with Deep Inspection on ScreenOS, the fundamental IPS detection capabilities on the SRX Series do not differ from those available on standalone IDP Series or ISG Series with IDP security module.
2. Although full feature parity between the IPS platforms is intended, not all features are available in the current version of Juniper Networks JUNOS® Software. Because of the engineering effort required, some features might not become available until later releases. Familiarize yourself with the documentation that details those differences.
3. The SRX Series is an inline device and, unlike standalone IDP Series or ISG Series with IDP (tap mode), it cannot be configured in transparent mode.
4. IPS does not need a separate license to run as a service on the SRX Series; however, a license is required for IPS signature updates.
5. A base firewall policy is required, and it needs to include the IPS application-services statement to enable IPS inspection.
6. Enabling all attacks is not supported. If a policy does not load, check the service log files for policy size and load results.
7. NSM 2008.2 requires 2 gigabytes of RAM.
8. In order to push policy from NSM successfully, both NSM and the SRX Series have to be at the same detector version level, and any device mismatch information has to be reconciled (more details in the following sections).
9. A syslog server is required to collect security event messages as they are identified on the SRX Series data plane.
Basic Configuration Steps

Enabling a fully functional IPS service on SRX Series Services Gateways involves the following basic configuration steps:

1. Configure basic networking, security and access (in most cases this will already be configured).
2. Configure and activate the IPS policy.
3. Configure the firewall policy to associate specific rules with IPS.
4. Configure logging.
5. Update the security package.
6. Verify the configuration and test functionality.

System Licensing

Access the SRX Series Services Gateways console, either via a serial cable plugged into the console port on the device or via a terminal session such as SSH. Check for an IPS license (required for IPS signature updates):

mxb@Perth> show system license
License usage: none
Licenses installed: none

If no license is installed, obtain the chassis serial number, which is needed to generate the IPS license:

mxb@Perth> show chassis hardware

Once you obtain your license file, you can install it from the file or by pasting the license key into the terminal:

mxb@Perth> request system license add terminal
[Type ^D at a new line to end input, enter blank line between each license key]
JUNOS204171 aeaqea qmifat injqhb auimbq ga4aqb qcdw3z voika4 udefun hquffd l4lpx3 h3fc5p 5at7z4 v32i4f traifg fwhkop 4ymgbv 3r53mm ohelsq fby

Press Enter and then Ctrl-D. When the license is valid, the system returns:

JUNOS204171: successfully added
add license complete (no errors)

Verify the installed licenses:

mxb@Perth> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  idp-sig                               0            1           0    2009-12-24 00:00:00 UTC

Licenses installed:
  License identifier: JUNOS204171
  Valid for device: AA4508AD0008
  Features:
    idp-sig - IDP Signature
      date-based, 2008-12-21 00:00:00 UTC - 2009-12-24 00:00:00 UTC

Note the Expiry column: once the idp-sig license lapses, security-package downloads stop, although the attack database and policy already installed remain in effect. Track that date as you would a certificate expiry.
SRX Series and CLI Security Policy Configuration

Basic Network Configuration

The following diagram depicts the logical configuration of the sample network used throughout this document to demonstrate security policy configuration.

Figure 1: Demo network. [Diagram not reproduced in this transcript; labels recoverable from it: SRX Series with management interface fxp0 (192.168.1.211 in the diagram, 192.168.1.221 in the configuration below) and ge-0/0/7 (192.168.2.211); ge-0/0/2 33.3.3.1 in zone abc-trust with host 33.3.3.33; ge-0/0/3 44.4.4.1 in zone abc-untrust with host 44.4.4.44; Traffic/Attack Generator 192.168.1.118; NSM 192.168.1.139; SYSLOG 192.168.2.212; GUI 192.168.1.240.]

Initial Configuration Assumptions

Before starting the IPS policy configuration, this document assumes that an initial networking configuration exists and that an admin user has full access to the SRX Series. The initial configuration of the sample system is as follows:

mxb@Perth> show configuration | display set
set system root-authentication encrypted-password "$1$9FpmDriB$HtuvrU5RXCC2SDaUQDY53/"
set system name-server 1.2.3.4
set system login user mxb uid 2000
set system login user mxb class super-user
set system login user mxb authentication encrypted-password "$1$nvmwu6vH$EGlHl06vrm.0sq3uhG6Eo1"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set interfaces fxp0 unit 0 family inet address 192.168.1.221/24
set routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi

Note: Throughout this document we provide the commands required to configure specific features; however, to activate the associated functionality, configuration changes must be successfully committed (using the commit command).
Configure Networking and Basic Security

Interfaces

1. Display the current interfaces (the assumption is that interfaces have been properly cabled).

mxb@Perth> configure
[edit]
mxb@Perth# show interfaces
fxp0 {
    unit 0 {
        family inet {
            address 192.168.1.221/24;
        }
    }
}
[edit]
mxb@Perth# run show interfaces | match ge-0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
Physical interface: ge-0/0/1, Enabled, Physical link is Down
Physical interface: ge-0/0/2, Enabled, Physical link is Up
Physical interface: ge-0/0/3, Enabled, Physical link is Up
Physical interface: ge-0/0/4, Enabled, Physical link is Down
Physical interface: ge-0/0/5, Enabled, Physical link is Down
Physical interface: ge-0/0/6, Enabled, Physical link is Down
Physical interface: ge-0/0/7, Enabled, Physical link is Up
Physical interface: ge-0/0/8, Enabled, Physical link is Down
Physical interface: ge-0/0/9, Enabled, Physical link is Down
Physical interface: ge-0/0/10, Enabled, Physical link is Down
Physical interface: ge-0/0/11, Enabled, Physical link is Down

2. Configure the forwarding interfaces as per the network diagram in Figure 1.

mxb@Perth# set interfaces ge-0/0/2 unit 0 family inet address 33.3.3.1/24
mxb@Perth# set interfaces ge-0/0/3 unit 0 family inet address 44.4.4.1/24

3. Verify the configuration.

mxb@Perth# run show interfaces terse | match /24
ge-0/0/2.0    up    up   inet     33.3.3.1/24
ge-0/0/3.0    up    up   inet     44.4.4.1/24
ge-0/0/7.0    up    up   inet     192.168.2.222/24
fxp0.0        up    up   inet     192.168.1.221/24

Security Zones

1. Display the existing zones.

mxb@Perth> show security zones
Security zone: junos-global
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:
2. Configure zones abc-trust and abc-untrust and assign the interfaces accordingly.

mxb@Perth# set security zones security-zone abc-trust interfaces ge-0/0/2
mxb@Perth# set security zones security-zone abc-untrust interfaces ge-0/0/3

3. Verify the configuration.

mxb@Perth# run show security zones
Security zone: abc-trust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/2.0
Security zone: abc-untrust
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    ge-0/0/3.0
Security zone: junos-global
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 0
  Interfaces:

Security Policies

IPS Security Policy

1. Configure IPS policy abc-idp-policy.

The simple configuration in this example involves two rules. The first rule looks for all "Critical" attacks and, on a match, drops the associated connection, sets the event severity to critical and logs it with an alert. The second rule looks for "Major" attacks and, on a match, performs the recommended action for the matched attack and logs the event. Note that the recommended action comes from the attack object itself and can be none, in which case a rule 2 match is logged but the traffic is not blocked (this shows up in the log sample later in this document as action=NONE). (Note: Logging means sending a syslog message to an appropriately preconfigured syslog server. Logging configuration steps are provided in subsequent sections.)
The configuration steps are as follows:

mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match from-zone any to-zone any source-address any destination-address any application any attacks predefined-attack-groups Critical
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then action drop-connection
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then severity critical notification log-attacks alert
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match from-zone any to-zone any source-address any destination-address any application any attacks predefined-attack-groups Major
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then action recommended
mxb@Perth# set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then severity major notification log-attacks

2. Verify IPS policy abc-idp-policy.

mxb@Perth# show security idp idp-policy abc-idp-policy
rulebase-ips {
    rule 1 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attack-groups Critical;
            }
        }
        then {
            action {
                drop-connection;
            }
            notification {
                log-attacks {
                    alert;
                }
            }
            severity critical;
        }
    }
    rule 2 {
        match {
            from-zone any;
            source-address any;
            to-zone any;
            destination-address any;
            attacks {
                predefined-attack-groups Major;
            }
        }
        then {
            action {
                recommended;
            }
            notification {
                log-attacks;
            }
            severity major;
        }
    }
}
3. Set trace options.

To provide detailed IPS process event information (policy compilation results, policy loading results, DFA matches, and so on), which allows for further system analysis, tuning and easier troubleshooting, it is highly recommended to enable trace options. The following example configures tracing of all security events at all debug levels (error, info, notice, verbose and warning). No trace file name is specified; when none is given, the trace is written to a file named after the process being traced, which for IDP is /var/log/idpd:

mxb@Perth# set security idp traceoptions flag all
mxb@Perth# set security idp traceoptions level all

For this example, let's also limit the file size to 100 MB. Once the file reaches 100 MB, the process renames it to idpd.0 and continues with a new idpd. The default number of files is 3; when they are exhausted, the oldest file (idpd.2) gets overwritten.

mxb@Perth# set security idp traceoptions file size 100M

Leave tracing at level all only while you are troubleshooting; on a busy device, full-verbosity tracing fills the file set quickly and costs control-plane CPU.

4. Verify the trace options settings.

mxb@Perth# show security idp traceoptions
file size 100m;
flag all;
level all;

5. Activate the IPS policy.

mxb@Perth# set security idp active-policy abc-idp-policy

6. Verify the active IPS policy.

mxb@Perth# show security idp active-policy
active-policy abc-idp-policy;

Note: To deploy the IPS policy on the SRX Series Services Gateways, one more step is required: configuring the firewall security policy to identify which traffic is to be processed by the IPS service. This is described in the following section.

Firewall Security Policy

For traffic entering the SRX Series gateway to be processed by the IPS security policy, the firewall security policy needs to be configured accordingly.
Following are the steps required to configure the firewall security policy and finalize the Intrusion Prevention System configuration on the SRX Series gateway. The result is that traffic between security zones abc-untrust and abc-trust is inspected by IPS security policy abc-idp-policy.

1. Make sure that the system is configured with the default policy denying all traffic. This means that traffic is denied throughout the gateway unless specifically allowed by the firewall security policy.

mxb@Perth> show security policies
Default policy: deny-all
2. Configure the policy.

mxb@Perth# set security policies from-zone abc-untrust to-zone abc-trust policy abc match source-address any destination-address any application any
mxb@Perth# set security policies from-zone abc-untrust to-zone abc-trust policy abc then permit application-services idp
mxb@Perth# set security policies from-zone abc-trust to-zone abc-untrust policy abc match source-address any destination-address any application any
mxb@Perth# set security policies from-zone abc-trust to-zone abc-untrust policy abc then permit application-services idp

The any/any/any match in both directions is for the demo network; in production, scope the permit to the addresses and applications that should actually cross the zone boundary, since IPS inspects only what the firewall policy lets through.

3. Verify the configuration.

mxb@Perth# show security policies
from-zone abc-untrust to-zone abc-trust {
    policy abc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
from-zone abc-trust to-zone abc-untrust {
    policy abc {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                application-services {
                    idp;
                }
            }
        }
    }
}
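Before committing, it is worth checking the preconditions this note has stated so far in one pass: an active-policy that names a defined idp-policy, a permit carrying application-services idp for every direction that should be inspected, zones that exist, and, for the logging described in the IPS Logging section, a stream host plus a source address that is not the fxp0 address. The following Python script is an added example and is not part of the original application note or of any Juniper tool. It runs those checks over a constructed sample made from the set statements typed in this document (the security-policy match statements are omitted because the checks do not use them), with two deliberate mistakes planted for the checker to catch; the regular expressions assume the statement forms shown in this note.

```python
"""Pre-commit check of the IPS preconditions this note lists, over Junos 'set' statements."""
import re
from collections import defaultdict

# Constructed sample (not a device dump): the set statements typed in this note, with two
# deliberate mistakes: the abc-trust -> abc-untrust permit omits 'application-services idp',
# and the security log source-address is the fxp0 management address.
SAMPLE_CONFIG = """\
set interfaces fxp0 unit 0 family inet address 192.168.1.221/24
set interfaces ge-0/0/7 unit 0 family inet address 192.168.2.1/24
set security zones security-zone abc-trust interfaces ge-0/0/2
set security zones security-zone abc-untrust interfaces ge-0/0/3
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 match attacks predefined-attack-groups Critical
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then action drop-connection
set security idp idp-policy abc-idp-policy rulebase-ips rule 1 then severity critical notification log-attacks alert
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 match attacks predefined-attack-groups Major
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then action recommended
set security idp idp-policy abc-idp-policy rulebase-ips rule 2 then severity major notification log-attacks
set security idp active-policy abc-idp-policy
set security policies from-zone abc-untrust to-zone abc-trust policy abc then permit application-services idp
set security policies from-zone abc-trust to-zone abc-untrust policy abc then permit
set security log format syslog
set security log source-address 192.168.1.221
set security log stream jet severity debug
set security log stream jet host 192.168.2.212
"""

PATTERNS = {
    "idp_rule":   re.compile(r"^set security idp idp-policy (\S+) rulebase-ips rule (\S+) (.*)$"),
    "active":     re.compile(r"^set security idp active-policy (\S+)$"),
    "zone":       re.compile(r"^set security zones security-zone (\S+)"),
    "permit":     re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) then permit(.*)$"),
    "fxp0":       re.compile(r"^set interfaces fxp0 .*address ([\d.]+)/\d+"),
    "log_source": re.compile(r"^set security log source-address ([\d.]+)"),
    "log_host":   re.compile(r"^set security log stream \S+ host ([\d.]+)"),
}


def parse_set_lines(text):
    """Keep only 'set ...' statements; prompts, comments and blank lines are ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip().startswith("set ")]


def check_ips_preconditions(set_lines):
    """Return 'LEVEL: message' findings; an empty list means every check passed."""
    policies = defaultdict(set)                       # idp-policy name -> rule ids
    permits = defaultdict(lambda: {"idp": False})     # (from, to, policy) -> flags
    zones, fxp0_addrs, log_hosts = set(), set(), []
    active = log_source = None
    logging_rules = False

    for ln in set_lines:
        for kind, pat in PATTERNS.items():
            m = pat.match(ln)
            if not m:
                continue
            if kind == "idp_rule":
                policies[m.group(1)].add(m.group(2))
                logging_rules |= "notification log-attacks" in m.group(3)
            elif kind == "active":
                active = m.group(1)
            elif kind == "zone":
                zones.add(m.group(1))
            elif kind == "permit":          # entry is created even when idp is absent
                permits[m.group(1, 2, 3)]["idp"] |= "application-services idp" in m.group(4)
            elif kind == "fxp0":
                fxp0_addrs.add(m.group(1))
            elif kind == "log_source":
                log_source = m.group(1)
            elif kind == "log_host":
                log_hosts.append(m.group(1))
            break

    findings = []
    # A policy must be defined and activated (FAQ 5, "Activate the IPS policy").
    if active is None:
        findings.append("ERROR: no 'security idp active-policy'; defined IPS rules are not in effect")
    elif active not in policies:
        findings.append(f"ERROR: active-policy {active} is not a defined idp-policy")
    # Only permits carrying 'application-services idp' hand traffic to IPS (FAQ 5).
    if not any(v["idp"] for v in permits.values()):
        findings.append("ERROR: no firewall policy permits with application-services idp; nothing reaches IPS")
    for (fz, tz, name), flags in permits.items():
        if not flags["idp"]:
            findings.append(f"WARN: policy {name} {fz}->{tz} permits without application-services idp; that direction is not inspected")
        for z in (fz, tz):
            if z not in zones:
                findings.append(f"ERROR: policy {name} references undefined zone {z}")
    # log-attacks needs a stream host (FAQ 9), and the data-plane source address
    # must not be the fxp0 management address (IPS Logging section).
    if logging_rules and not log_hosts:
        findings.append("WARN: rules log attacks but no 'security log stream ... host' is configured")
    if log_source and log_source in fxp0_addrs:
        findings.append(f"ERROR: security log source-address {log_source} is the fxp0 address; data-plane logs cannot use fxp0")
    return findings


if __name__ == "__main__":
    for finding in check_ips_preconditions(parse_set_lines(SAMPLE_CONFIG)):
        print(finding)
```

Feed it the output of show configuration | display set from the device (saved to a file) instead of the sample; display set emits one leaf per line, which the same patterns match.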
IPS Logging

IPS generates event logs when an event matches an IPS policy rule in which logging is enabled. When you configure a rule for logging, the device creates a log entry for each event that matches that rule. When configured to do so, the IPS service sends events that match a policy entry to the logging server directly from the data plane, using an emulated source IP address and encapsulated in syslog over UDP port 514. Because this is plain UDP syslog, the collector must be reachable from the chosen data-plane interface with no filtering of 514/udp on the path, and delivery is not acknowledged: a lost datagram is a lost event.

1. Configuration steps.

a. Configure the data-plane interface from which syslog messages are sent:

mxb@Perth# set interfaces ge-0/0/7 unit 0 family inet address 192.168.2.1/24

b. Format (standard or structured syslog):

mxb@Perth# set security log format syslog

c. Emulated source IP address (the interface cannot be fxp0):

mxb@Perth# set security log source-address 192.168.2.211

d. Severity:

mxb@Perth# set security log stream jet severity debug

e. Syslog server IP address (to which logs are sent on UDP port 514):

mxb@Perth# set security log stream jet host 192.168.2.212

2. Verify the log configuration.

mxb@Perth# show security log
format syslog;
source-address 192.168.2.211;
stream jet {
    severity debug;
    host {
        192.168.2.212;
    }
}

IPS Security-Package Update

The following steps update the SRX Series Services Gateways with the most recent security updates.

Note: In order to be able to push a policy from Network and Security Manager to the SRX Series, the detector versions on the SRX Series device and on NSM must match.

1. Make sure the device is configured with the download URL:

mxb@Perth> configure
Entering configuration mode
[edit]
mxb@Perth# show security idp security-package
url https://services.netscreen.com/cgi-bin/index.cgi;
2. Verify the current version installed on the device. The following example shows the detector version shipped with the installed JUNOS package, with no attack database and no policy templates.

mxb@Perth> show security idp security-package-version
  Attack database version:N/A(N/A)
  Detector version :9.2.140080919
  Policy template version :N/A

3. Compare the results with the most recent versions available at the Juniper Networks download URL.

Note: DNS server and default gateway information must be configured in order to resolve and access the URL.

mxb@Perth> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1342(Detector=9.2.140081105, Templates=1)

4. Download the updates.

mxb@Perth> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI

mxb@Perth> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1342(Fri Jan 9 12:53:43 2008, Detector=9.2.140081105)

5. Install the security package.

mxb@Perth> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

mxb@Perth> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1342,ExportDate=Fri Jan 9 13:27:58 2009,Detector=9.2.140081105]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful

6. Install the policy templates.

mxb@Perth> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI

mxb@Perth> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!

mxb@Perth> show security idp security-package-version
  Attack database version:1342(Fri Jan 9 13:28:58 2009)
  Detector version :9.2.140081105
  Policy template version :1
Verify Configuration

At this time, the basic configuration for our example network is complete. It is configured so that if traffic traversing the SRX Series gateway is flowing between zones abc-trust and abc-untrust, it is inspected by the IPS service and matched for:

a. Critical attacks: if a match is found, the connection is dropped and a notification is sent to the syslog server.
b. Major attacks: if a match is found, the recommended action is applied and a notification is sent to the syslog server.

Log Sample

The following is a sample of some security events as identified by the SRX Series device and presented via syslog:

Jan 9 14:20:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579626, SIG Attack log <33.3.3.33:6312->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:PKG:CART32-ADM-PW-CHG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:51835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=HIGH, name=HTTP:PHP:UPLOAD-LOCATION, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:48123->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=3, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:63286->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=11, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message

Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579622, SIG Attack log <33.3.3.33:48835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=SCAN:METASPLOIT:APACHE-CHUNK-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
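The syslog lines above carry everything needed to check that the policy behaves as intended: rule number, severity, action and attack name. The Python script below is an added example written for this note, not Juniper code; it parses IDP_ATTACK_LOG_EVENT lines (five of the sample events above are embedded as input), tallies them by action, severity, rule and source, and lists the events the policy logged without dropping. On this sample those are exactly the two SHELLCODE:X86:NOOP-TCP events matched by rule 2, where the "recommended" action resolved to NONE; that is the kind of result an administrator would want to review before trusting the policy in production. Function and field names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Sample IDP syslog lines, copied from the Log Sample above (five of the seven events).
SAMPLE_LOG = """\
Jan 9 14:20:27 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579626, SIG Attack log <33.3.3.33:6312->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:PKG:CART32-ADM-PW-CHG, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 1 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=CRITICAL, name=HTTP:MISC:NOOP-SLIDE-REQ-OF, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:30770->44.4.4.44:6080> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:24 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579624, SIG Attack log <33.3.3.33:51835->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=0, action=DROP, severity=HIGH, name=HTTP:PHP:UPLOAD-LOCATION, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
Jan 9 14:20:23 RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at 552579618, SIG Attack log <33.3.3.33:63286->44.4.4.44:80> for TCP protocol and service SERVICE_IDP by rule 2 of rulebase IPS in policy abc-idp-policy. attack: repeat=11, action=NONE, severity=HIGH, name=SHELLCODE:X86:NOOP-TCP, NAT <0.0.0.0:0->0.0.0.0:0>, time-elapsed=0, inbytes=0, outbytes=0, inpackets=0, outpackets=0, intf:abc-trust:ge-0/0/2.0->abc-untrust:ge-0/0/3.0, and misc-message
"""

# Field layout of an IDP_ATTACK_LOG_EVENT line as shown in the sample; the trailing
# "and misc-message" text is ignored.
EVENT_RE = re.compile(
    r"^(?P<when>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) RT_IDP: IDP_ATTACK_LOG_EVENT: IDP: at (?P<at>\d+), "
    r"SIG Attack log <(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)> "
    r"for (?P<proto>\S+) protocol and service (?P<service>\S+) "
    r"by rule (?P<rule>\d+) of rulebase (?P<rulebase>\S+) in policy (?P<policy>\S+)\. "
    r"attack: repeat=(?P<repeat>\d+), action=(?P<action>\w+), severity=(?P<severity>\w+), "
    r"name=(?P<name>[^,]+), NAT <(?P<nat>.+?)>, time-elapsed=(?P<elapsed>\d+), "
    r"inbytes=(?P<inbytes>\d+), outbytes=(?P<outbytes>\d+), "
    r"inpackets=(?P<inpackets>\d+), outpackets=(?P<outpackets>\d+), "
    r"intf:(?P<in_zone>[^:]+):(?P<in_if>[^>]+)->(?P<out_zone>[^:]+):(?P<out_if>[^,]+),"
)
INT_FIELDS = ("at", "sport", "dport", "rule", "repeat", "elapsed",
              "inbytes", "outbytes", "inpackets", "outpackets")


def parse_event(line: str) -> Optional[Dict]:
    """Parse one syslog line; returns None for lines that are not IDP attack events."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    for k in INT_FIELDS:
        ev[k] = int(ev[k])
    return ev


def parse_log(text: str) -> List[Dict]:
    """Parse a whole syslog extract, silently skipping non-IDP lines."""
    return [ev for ev in map(parse_event, text.splitlines()) if ev is not None]


def summarize(events: List[Dict]) -> Dict[str, Dict]:
    """Counts by action, severity, matching rule and source address."""
    return {
        "by_action": dict(Counter(e["action"] for e in events)),
        "by_severity": dict(Counter(e["severity"] for e in events)),
        "by_rule": dict(Counter(e["rule"] for e in events)),
        "by_source": dict(Counter(e["src"] for e in events)),
    }


def not_dropped(events: List[Dict]) -> List[Dict]:
    """Events the policy logged but did not drop: the ones to review against the
    'Major attacks => recommended action' intent of rule 2."""
    return [e for e in events if e["action"] != "DROP"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    for e in not_dropped(evs):
        print(f"{e['when']} rule {e['rule']} {e['severity']} {e['name']} "
              f"{e['src']}:{e['sport']}->{e['dst']}:{e['dport']} action={e['action']} repeat={e['repeat']}")
```

Feed it the RT_IDP lines from the syslog server instead of SAMPLE_LOG to get the same summary for live traffic; lines from other Junos facilities are skipped rather than causing an error.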
SRX Series and NSM Security Policy Configuration

Overview

This section covers basic SRX Series with IPS policy configuration involving the same network setup, same IPS, and same firewall security policies as described in the previous section.

There are two possible approaches for configuring SRX Series IPS security policy with NSM:

1. Configure the basic setup through the CLI and import the device with its policy into NSM.
2. Configure both firewall and IPS security policy entirely from NSM, from within one of the following device policy management modes:
   a. Central Mode (policy at the NSM level, applicable to any selected device; this is the default mode).
   b. In-Device Mode (policy at the device level, applicable to the actual device that is accessed and edited through the configuration details).

For the purpose of this document, we will import the SRX Series device into NSM with a CLI-based configuration as described in the previous section.

Note: When updating the SRX Series device in Central Mode, the security policy from Policy Manager is pushed. When in In-Device Mode, the security policy as configured under Security->idp->idp Policy is pushed.
Import SRX Series Device into NSM

1. Add new device: the device needs to be selected as Existing and Not Reachable.
2. Select device specifications.
3. Configure the device to connect to NSM.
4. Console into the SRX Series device and enter the following commands:

   mxb@Perth# set system services outbound-ssh client nsm device-id EEC4B8
   mxb@Perth# set system services outbound-ssh client nsm secret <one-time-password>
   mxb@Perth# set system services outbound-ssh client nsm 192.168.1.139 port 7804
   mxb@Perth# set system services outbound-ssh client nsm services netconf

5. Import the device.

Note: Importing the device by default imports it in Central Policy Mode and, as a part of the process, imports the currently configured security policy on that device into the NSM policy tree.
Note: If a security policy with the same name already exists in the NSM database (from a previous import), a new, incrementally numbered policy will be created at each import (SRX-Perth-abc-idp-policy_1, SRX-Perth-abc-idp-policy_2, and so on). If there is no security policy configured on the SRX Series device, no policy will be imported, and the administrator will have to configure a security policy either using the CLI (importing it as described in the previous section) or from NSM as described in the following sections.
Configuring Security Policy

After successfully importing the device, the administrator can create a new security policy or tune/change the existing policy and then deploy changes and/or updates by following the standard Update Device procedures. This section describes security policy configuration and deployment through Central Policy Mode. Policy SRX-Recommended will be created (based on the Recommended security policy template) and applied to the SRX Series device.

Note: If the device being imported does not match the Inventory or Detector information in the NSM database, the security policy update will fail.

Inventory Reconciliation

When importing a new device or performing any changes to the configuration which result in a hardware or software mismatch between the information stored in NSM and the device itself, you will have to reconcile the inventory. Updating policy on a device that is out of sync results in the following failure:

To bring a device in sync from the Device Manager, right-click on the device and select View/Reconcile Inventory.
The following window appears:

You can select Refresh, which opens a new window and presents any mismatched items (highlighted), or you can select Reconcile to update the database information. Once successful, selecting Reconcile again shows the inventory without any highlighted items.
IDP Detector Update

If the SRX IDP Detector on the device does not match the detector on NSM prior to pushing the policy, the two will need to be brought in line. To check the Detector version installed on NSM, start Attack Update Manager and check the IDP-SRX Detector Engine version. If the Detector version does not match, a failure message similar to the following is reported when attempting to update the device:

   mxb@Perth> show security idp security-package-version
   Attack database version:N/A(N/A)
   Detector version :9.2.140080919
   Policy template version :N/A

In order to fix this, both NSM and the SRX Series device must be brought into sync. Although it is possible to roll back a couple of versions on NSM, it is recommended to download and install the most recent security package from the SRX Series CLI. For more details on how to update security packages, see "IPS Security-Package Update" in the previous section describing CLI-based policy configuration.
Configuring from Central Management Policy Mode

1. Select "Firewall/VPN Devices with IDP" as the device model.
2. Select the "Recommended (predefined)" policy as a template.
3. Assign the policy to a device.

The following security policy with firewall and IPS rule bases is automatically created and associated with the SRX Series device.
Firewall Rule Base

Configure Firewall Zones

You can configure policy for traffic between existing zones on the device. Once satisfied with the configuration, push your policy by right-clicking the device and selecting Update Device.
Configuring from In-Device Management Policy Mode

When in In-Device Policy mode, an administrator is able to configure a device-level configuration as described in the CLI Security Policy Configuration section. Security policy and other configuration setting changes performed through Device Manager apply to that device only and are applied only when in In-Device Policy Mode. If the device is in Central Mode, these changes are not applied.

Note: Switching from one mode to another imports the device configuration from the device into NSM.

The following section provides a quick overview of setting the security policy through the Device Manager in In-Device Policy Management Mode.

Access Configuration Details

Configure Interfaces
Configure Security Zones

Assign Interfaces to Security Zones
Create Firewall Policy and Associate IPS Services

Select Default Firewall Policy
Configure IPS Policy

Set Traceoptions
Set Logging

Update Device
SRX Series and J-Web Security Policy Configuration

Overview

This section reviews the Quick Configuration steps required to set up security policy on SRX Series Services Gateways from within the J-Web interface.

Configure Device Network Interfaces

Use the same steps to configure all other interfaces.
Security Zone

Use the same steps to configure the other security zones.
Configure Security Policy

Firewall
IPS
Set Notification

Activate Policy
Install and Configure Security Package Update

Configure Logging

This step and any other more detailed tasks are done through Edit Configuration (not Quick Configuration).
Corporate and Sales Headquarters
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
Phone: 888.JUNIPER (888.586.4737) or 408.745.2000
Fax: 408.745.2100

APAC Headquarters
Juniper Networks (Hong Kong)
26/F, Cityplaza One
1111 King's Road
Taikoo Shing, Hong Kong
Phone: 852.2332.3636
Fax: 852.2574.7803

EMEA Headquarters
Juniper Networks Ireland
Airside Business Park
Swords, County Dublin, Ireland
Phone: 35.31.8903.600
Fax: 35.31.8903.601

Copyright 2009 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

3500146-001-EN Mar 2009

To purchase Juniper Networks solutions, please contact your Juniper Networks representative at 1-866-298-6428 or an authorized reseller.

About Juniper Networks
Juniper Networks, Inc. is the leader in high-performance networking. Juniper offers a high-performance network infrastructure that creates a responsive and trusted environment for accelerating the deployment of services and applications over a single network. This fuels high-performance businesses. Additional information can be found at www.juniper.net.