IDP license import and configuration
SRX Getting Started - Quick Setup Guide for Configuring IDP on a SRX or J-Series device
SUMMARY:
This article describes the steps involved in configuring IDP on a SRX device.
For other topics, go to the SRX Getting Started main page.
SOLUTION:
The basic configuration of IDP involves the following four tasks:
I. Install IDP license
The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.
1. First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 for more information. If you still need help, please contact Customer Care for subscription and licensing issues.
2. Then, install the license on the SRX in one of two ways -- automatically or manually:
a. Automatically:
Confirm the SRX device has connectivity to the Internet. Then run the following command:
root> request system license update
OR
b. Manually:
Licenses can also be loaded manually via J-Web, NSM, or using the CLI. The CLI command is as follows:
root> request system license add terminal
[Type ^D at a new line to end input,
enter blank line between each license key]
Paste the license key and press Enter
Type Ctrl+D
The license key should be added successfully.
3. Verify the license is installed using the command:
root> show system license
Check for feature 'idp-sig'.
NOTE:
If running a Chassis Cluster, then the IDP license needs to be installed on both nodes.
II. Download and install the Signature Database
After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps:
1. Confirm the device has the necessary configuration for connectivity to the Internet.
2. Configure the signature database URL:
root> edit
root# set security idp security-package url
root# commit
3. Check the version of the signature database in the sigdb server. Look for 'Successfully retrieved'. In this example, the version in the server is 1577.
root> request security idp security-package download check-server
Successfully retrieved from(
Version info: 1577(Detector=10.2.160091104, Templates=2)
4. Download the signature database:
root> request security idp security-package download full-update
5. Verify the progress of the download:
root> request security idp security-package download status
root> request security idp security-package download status
In progress: downloading file...platforms.xml.gz
root> request security idp security-package download status
Done;Successfully downloaded from(
Version info: 1586(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)
Important:
When 'Successfully downloaded' is reported, proceed to the next step. If it is not successfully downloaded, the install will fail.
6. Install the signature DB by running the command:
root> request security idp security-package install
admin> request security idp security-package install policy-templates
This command loads the security package into the IDPD embedded DB. If there is an existing running policy, it re-compiles the existing running policy and pushes the compiled policy to the data plane. Therefore, the install might take a while depending on the platform and the size of the policy. Lower end Branch platforms might take a longer time for install.
7. Monitor the status of the install with the command:
root> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]
     Updating control-plane with new detector : successful
     Updating data-plane with new attack or detector : successful
The 'UpdateNumber' field shows the version updated, the date when the signature db was released, and the detector version.
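The gating rule in steps 5 to 7 (install only after 'Successfully downloaded' is reported, and treat the install as complete only when all three status lines say 'successful') is easy to get wrong when the procedure is scripted. The following Python helper is added here as an example; it is not part of the original article or of Junos. It parses the status outputs shown above. The sample outputs are transcribed from the article's sessions with the URLs omitted, and the 'show system license' snippet is a constructed approximation of that command's table (the assumption is only that the feature name is the first word of its line).

```python
import re

# Sample command outputs, transcribed from the article's example sessions
# (the download URL the article omits is omitted here too).
SAMPLE_IN_PROGRESS = "In progress:downloading file...platforms.xml.gz"
SAMPLE_DOWNLOADED = (
    "Done;Successfully downloaded from(\n"
    "Version info:1586(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)"
)
SAMPLE_INSTALLED = (
    "Done;Attack DB update : successful - [UpdateNumber=1581,"
    "ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104]\n"
    "     Updating control-plane with new detector : successful\n"
    "     Updating data-plane with new attack or detector : successful"
)
# Constructed approximation of 'show system license' (assumption: feature
# names appear at the start of a line in the 'License usage' table).
SAMPLE_LICENSE = (
    "License usage:\n"
    "  Feature name     used  installed  needed  Expiry\n"
    "  idp-sig             1          1       0  2011-01-19 00:00:00 UTC\n"
)


def license_has_feature(output, feature="idp-sig"):
    """True when the named feature appears as the first word of a line."""
    return any(line.split()[:1] == [feature] for line in output.splitlines())


def parse_download_status(output):
    """Summarise 'request security idp security-package download status'.
    ok is True only on the literal 'Successfully downloaded' string, which is
    the condition the article requires before running the install."""
    m = re.search(r"Version info:\s*(\d+)\(.*?Detector=([\d.]+)", output, re.S)
    return {
        "ok": "Successfully downloaded" in output,
        "in_progress": "In progress" in output,
        "version": int(m.group(1)) if m else None,
        "detector": m.group(2) if m else None,
    }


def parse_install_status(output):
    """Summarise 'request security idp security-package install status'."""
    def field(pattern):
        m = re.search(pattern, output)
        return m.group(1) if m else None
    update = field(r"UpdateNumber=(\d+)")
    return {
        "attack_db": field(r"Attack DB update\s*:\s*(\w+)"),
        "update_number": int(update) if update else None,
        "detector": field(r"Detector=([\d.]+)"),
        "control_plane": field(r"control-plane[^:]*:\s*(\w+)"),
        "data_plane": field(r"data-plane[^:]*:\s*(\w+)"),
    }


def install_verified(install_output, expected_detector=None):
    """All three stages must report 'successful'; optionally also require that
    the installed detector is the one the download step reported."""
    s = parse_install_status(install_output)
    stages = (s["attack_db"], s["control_plane"], s["data_plane"])
    if any(stage != "successful" for stage in stages):
        return False
    return expected_detector is None or s["detector"] == expected_detector


if __name__ == "__main__":
    print("license ok:", license_has_feature(SAMPLE_LICENSE))
    print("download:", parse_download_status(SAMPLE_DOWNLOADED))
    print("install ok:", install_verified(SAMPLE_INSTALLED, "10.2.160091104"))
```

In a change window the useful pattern is: poll 'download status' until `parse_download_status(...)["ok"]` is true, run the install, then poll 'install status' until `install_verified(...)` is true with the detector version the download reported; anything else is a failed update, not a slow one.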
8. Verify the version of the sigdb installed:
root> show security idp security-package-version
Attack database version:1577(Tue Jan  5 13:27:18 2010)
Detector version :10.2.160091104
Policy template version :2
Tips:
∙ Refer to KB16491 for instructions on how to schedule the signature database download for automatic updates.
CLI Configuration
1. Specify the URL for the security package:
root# set security idp security-package url
IMPORTANT:
The URL stated above is correct. The URL, i.e. http://sec-, specified in some versions of the documentation is not correct. Please use the URL above.
2. Specify the time and interval for the automatic download:
root# set security idp security-package automatic interval start-time
For example, to set the download to happen every three days (an interval of 72 hours), with the first automatic download starting on 14 July at 2:00 AM:
root# set security idp security-package automatic interval 72 start-time 2013-07-14.02:00:00
3. Enable the automatic download:
root# set security idp security-package automatic enable
NOTES:
If you have configured the device for automatic signature DB download, the new signature database is downloaded and installed.
If there is a running IDP policy in the device, the policy is recompiled with the new signatures and pushed to the data plane.
Similarly, if there is an existing running IDP policy and the previously installed detector's version is different from the newly downloaded one, then the newly downloaded detector is pushed to the data plane.
∙ Refer to TN83 for instructions on how to perform offline sigdb download.
∙ For additional information on the IDP Signature Database, refer to the Security Configuration Guide -- IDP Signature Database Chapter:
III. Configure Recommended Policy as the IDP Policy
Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies. For getting started, it is recommended to use the predefined policy named 'Recommended':
1. Load the predefined templates, and select the Recommended template as the Active IDP policy. Refer to KB16490 for step by step instructions.
CLI Configuration
Download the latest IDP policy templates (such as 'Recommended', 'All with Logging') from the Juniper Web site using the following command:
root> request security idp security-package download policy-templates
The policy-templates are downloaded to the directory:
/var/db/idpd/sec-download/sub-download
Check the status of the download with the command:
root> request security idp security-package download status
Done;Successfully downloaded from(
Version info: 2
Install the template file:
root> request security idp security-package install policy-templates
It will be installed into:
/var/db/scripts/commit/templates.xsl
Check the status of the install with the command:
root@SRX210-HM> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!
Apply the template to the Junos configuration, and then commit:
root> configure
root# set system scripts commit file templates.xsl
root# commit
After the commit, remove the source file from the configuration:
root# delete system scripts commit file templates.xsl
Once committed, the predefined templates can be used. Enter the following command to see the possible templates. You can set one of the predefined templates as the active policy, and also make changes to the policy.
root# set security idp active-policy ?
Possible completions:
  Set active policy
  DMZ_Services
  DNS_Service
  File_Server
  Getting_Started
  IDP_Default
  Recommended
  Web_Server
For example, to make the Recommended template the active IDP policy, use the command:
root# set security idp active-policy Recommended
root# commit
2. Verify that the Active IDP Policy is 'Recommended'. The Policy Name in the output below refers to the Active IDP Policy.
root> show security idp status
Session Statistics:
[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]
Policy Name : Recommended v0
Running Detector Version : 10.2.160091104
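Step 2 asks you to confirm the active policy, and the data plane must also be running the detector that section II installed (otherwise the policy was compiled against one detector and is being enforced by another). The Python check below is added here as an example; it is not from the article or from Juniper. It parses the 'show security idp status' output above together with the 'show security idp security-package-version' output from section II and returns a list of anything that does not line up. The sample outputs are transcribed from the article's sessions.

```python
import re

# Sample outputs transcribed from the article's example sessions.
SAMPLE_IDP_STATUS = (
    "Session Statistics:\n"
    "[ICMP: 0] [TCP: 0] [UDP: 0] [Other: 0]\n"
    "Policy Name : Recommended v0\n"
    "Running Detector Version : 10.2.160091104"
)
SAMPLE_PACKAGE_VERSION = (
    "Attack database version:1577(Tue Jan  5 13:27:18 2010)\n"
    "Detector version :10.2.160091104\n"
    "Policy template version :2"
)


def parse_idp_status(output):
    """Pull the policy name, running detector and session counters out of
    'show security idp status'."""
    policy = re.search(r"Policy Name\s*:\s*(.+)", output)
    detector = re.search(r"Running Detector Version\s*:\s*(\S+)", output)
    sessions = {k: int(v) for k, v in re.findall(r"\[(\w+):\s*(\d+)\]", output)}
    return {
        "policy": policy.group(1).strip() if policy else None,
        "detector": detector.group(1) if detector else None,
        "sessions": sessions,
    }


def parse_package_version(output):
    """Pull the installed versions out of
    'show security idp security-package-version'."""
    def field(pattern):
        m = re.search(pattern, output)
        return m.group(1) if m else None
    attack_db = field(r"Attack database version\s*:\s*(\d+)")
    template = field(r"Policy template version\s*:\s*(\d+)")
    return {
        "attack_db": int(attack_db) if attack_db else None,
        "detector": field(r"Detector version\s*:\s*(\S+)"),
        "template": int(template) if template else None,
    }


def verify_active_policy(status_output, package_output, expected_policy="Recommended"):
    """Return a list of problems. An empty list means the expected template is
    the active policy and the data plane runs the detector that was installed."""
    status = parse_idp_status(status_output)
    package = parse_package_version(package_output)
    problems = []
    if status["policy"] is None:
        problems.append("no active IDP policy reported")
    elif status["policy"].split()[0] != expected_policy:
        problems.append(
            f"active policy is {status['policy']!r}, expected {expected_policy!r}")
    if status["detector"] is None:
        problems.append("no running detector reported")
    elif status["detector"] != package["detector"]:
        problems.append(
            f"running detector {status['detector']} differs from installed {package['detector']}")
    if package["attack_db"] is None:
        problems.append("no attack database installed")
    return problems


if __name__ == "__main__":
    for problem in verify_active_policy(SAMPLE_IDP_STATUS, SAMPLE_PACKAGE_VERSION) or ["ok"]:
        print(problem)
```

The policy name is compared on its first word so that the version suffix the device appends (the 'v0' above) does not cause a false alarm; a detector mismatch is reported separately because it is the symptom you see when the policy was committed before the new security package finished installing.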
3. Perform the instructions below in the next section:
'IV. Enable a Security Policy for IDP inspection'.
Tips:
∙ For additional information on configuring IDP policies, refer to the Security Configuration Guide -- IDP Policies Chapter:
∙ Refer to KB15374 on how to verify if the IDP Policy was compiled and loaded successfully to the data plane.
IV. Enable a Security Policy for IDP inspection
Once the IDP Policy is configured, IDP needs to be enabled on a security policy so that IDP inspection is performed. This is done by permitting application-services while configuring a security policy.
For example, the following commands forward all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp
Tips:
∙ For additional information on enabling IDP in a Security Policy, refer to the Security Configuration Guide -- Enabling IDP in a Security Policy: