IDP: Importing the License and Configuration

SRX Getting Started - Quick Setup Guide for Configuring IDP on a SRX or J-Series device

SUMMARY:

This article describes the steps involved in configuring IDP on a SRX device. For other topics, go to the SRX Getting Started main page.

SOLUTION:

The basic configuration of IDP involves the following four tasks:

I. Install IDP license

The IDP signature update is a subscription service requiring a license. In order to download and use the predefined attack signatures in a policy, the IDP license must be installed. If you are using only custom signatures, you do not need an IDP license.

1. First, activate your subscription license by entering the authorization code and chassis serial number into the Subscription Registration system. Refer to KB9731 for more information. If you still need help, please contact Customer Care for subscription and licensing issues.

2. Then, install the license on the SRX in one of two ways - automatically or manually:

a. Automatically:

Confirm the SRX device has connectivity to the Internet. Then run the following command:

    root> request system license update

OR

b. Manually:

Licenses can also be loaded manually via JWeb, NSM, or using the CLI. The CLI command is as follows:

    root> request system license add terminal
    Type ^D at a new line to end input,
    enter blank line between each license key

Paste the license key and press Enter.
Type Ctrl+D.
The license key should be added successfully.

3. Verify the license is installed using the command:

    root> show system license

Check for feature idp-sig.

NOTE: If running a Chassis Cluster, then the IDP license needs to be installed on both nodes.

II. Download and install the Signature Database

After the IDP license is installed, the IDP Signature Database can be downloaded and installed by performing the following steps:

1. Confirm the device has the necessary configuration for connectivity to the Internet.

2. Configure the signature database URL:

    root> edit
    root# set security idp security-package url
    root# commit

3. Check the version of the signature database in the sigdb server. Look for "Successfully retrieved". In this example, the version in the server is 1577.

    root> request security idp security-package download check-server
    Successfully retrieved from(Version info:1577(Detector=10.2.160091104, Templates=2)

4. Download the signature database:

    root> request security idp security-package download full-update

5. Verify the progress of the download:

    root> request security idp security-package download status

    root> request security idp security-package download status
    In progress:downloading file .platforms.xml.gz

    root> request security idp security-package download status
    Done;Successfully downloaded from(Version info:1586(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)

Important: When "Successfully downloaded" is reported, proceed to the next step. If it is not successfully downloaded, the install will fail.

6. Install the signature DB by running the command:

    root> request security idp security-package install
    admin> request security idp security-package install policy-templates

This command loads the security package into the IDPD embedded DB. If there is an existing running policy, it re-compiles the existing running policy and pushes the compiled policy to the data plane. Therefore, the install might take a while depending on the platform and the size of the policy. Lower end Branch platforms might take a longer time for install.

7. Monitor the status of the install with the command:

    root> request security idp security-package install status
    Done;Attack DB update : successful - UpdateNumber=1581,ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104
    Updating control-plane with new detector : successful
    Updating data-plane with new attack or detector : successful

The UpdateNumber field shows the version updated, the date when the signature db was released, and the detector version.

8. Verify the version of the sigdb installed:

    root o
    Attack database version:1577(Tue Jan 5 13:27:18 2010)
    Detector version :10.2.160091104
    Policy template version :2

Tips: Refer to KB16491 for instructions on how to schedule the signature database download for automatic updates.

CLI Configuration

1. Specify the URL for the security package:

    root# set security idp security-package url

IMPORTANT: The URL stated above is correct. The URL, i.e. http:/sec-, specified in some versions of the documentation is not correct. Please use the URL above.

2. Specify the time and interval for the automatic download:

    root# set security idp security-package automatic interval start-time

For example, to set the download to happen after three days, with the first automatic download starting on 14th July at 2:00 AM:

    root# set security idp security-package automatic interval 72 start-time 2013-07-14.02:00:00

3. Enable the automatic download:

    root# set security idp security-package automatic enable

NOTES:

If you have configured the device for automatic signature DB download, the new signature database is downloaded and installed. If there is a running IDP policy in the device, the policy is recompiled with the new signatures and pushed to the data plane. Similarly, if there is an existing running IDP policy and the previously installed detector version is different from the newly downloaded one, then the newly downloaded detector is pushed to the data plane.

Refer to TN83 for instructions on how to perform offline sigdb download. For additional information on the IDP Signature Database, refer to the Security Configuration Guide - IDP Signature Database Chapter.

III. Configure Recommended Policy as the IDP Policy

Juniper Networks provides predefined policy templates that can be used as a starting point for creating your own IDP policies. To get started, it is recommended to use the predefined policy named Recommended:

1. Load the predefined templates, and select the Recommended template as the Active IDP policy. Refer to KB16490 for step by step instructions.

CLI Configuration

Download the latest IDP policy templates (such as Recommended, All with Logging) from the Juniper Website using the following command:

    root> request security idp security-package download policy-templates

The policy-templates are downloaded to the directory:

    /var/db/idpd/sec-download/sub-download

Check the status of the download with the command:

    root> request security idp security-package download status
    Done;Successfully downloaded from(Version info:2

Install the template file:

    root> request security idp security-package install policy-templates

It will be installed into:

    /var/db/scripts/commit/templates.xsl

Check the status of the install with the command:

    root@SRX210-HM> request security idp security-package install status
    Done;policy-templates has been successfully updated into internal repository(=/var/db/scripts/commit/templates.xsl)!

Apply the template into the Junos config, and then commit:

    root> configure
    root# set system scripts commit file templates.xsl
    root# commit

After the commit, delete the source file:

    root# delete system scripts commit file templates.xsl

Once committed, the predefined templates can be used. Enter the following command to see the possible templates. You can set one of the predefined templates as the active policy, and also make changes to the policy.

    root# set security idp active-policy ?
    Possible completions:
      Set active policy
      DMZ_Services
      DNS_Service
      File_Server
      Getting_Started
      IDP_Default
      Recommended
      Web_Server

For example, to make the Recommended template the active IDP policy, use the command:

    root# set security idp active-policy Recommended
    root# commit

2. Verify that the Active IDP Policy is Recommended. The Policy Name in the output below refers to the Active IDP Policy.

    root> show security idp status
    Session Statistics:
    ICMP: 0 TCP: 0 UDP: 0 Other: 0
    Policy Name : Recommended v0
    Running Detector Version : 10.2.160091104

3. Perform the instructions below in the next section: IV. Enable a Security Policy for IDP inspection.

Tips: For additional information on configuring IDP policies, refer to the Security Configuration Guide - IDP Policies Chapter. Refer to KB15374 on how to verify if the IDP Policy was compiled and loaded successfully to the dataplane.

IV. Enable a Security Policy for IDP inspection

Once the IDP Policy is configured, IDP needs to be enabled on a security policy so that IDP inspection is performed. This is done by permitting application-services while configuring a security policy.

For example, the following commands forward all traffic from-zone trust to-zone untrust to IDP to be checked against the IDP rulebase:

    root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any destination-address any application any
    root# set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp

Tips: For additional information on enabling IDP in a Security Policy, refer to the Security Configuration Guide - Enabling IDP in a Security Policy.
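
The download and install status checks in section II (steps 3, 5 and 7) can be scripted when the CLI output is captured to text. The following is an added example, not part of the original article or Juniper's tooling: the function names are hypothetical, the sample strings are the outputs quoted above, and treating the install UpdateNumber as the value that should equal the downloaded version is an assumption of this example.

```python
import re

# Outputs as quoted in the article (the server URL is absent on the page).
CHECK_SERVER = ("Successfully retrieved from(Version info:1577"
                "(Detector=10.2.160091104, Templates=2)")
DL_IN_PROGRESS = "In progress:downloading file .platforms.xml.gz"
DL_DONE = ("Done;Successfully downloaded from(Version info:1586"
           "(Tue Jan 19 12:28:29 2010, Detector=10.2.160091104)")
INSTALL_DONE = (
    "Done;Attack DB update : successful - UpdateNumber=1581,"
    "ExportDate=Tue Jan 12 12:43:22 2010,Detector=10.2.160091104\n"
    "Updating control-plane with new detector : successful\n"
    "Updating data-plane with new attack or detector : successful")


def version_info(text):
    """Signature DB version after 'Version info:', or None if absent."""
    m = re.search(r"Version info:\s*(\d+)", text)
    return int(m.group(1)) if m else None


def download_state(status):
    """Classify 'download status' output: done, in-progress or failed."""
    if status.startswith("Done;") and "Successfully downloaded" in status:
        return "done"
    return "in-progress" if status.startswith("In progress") else "failed"


def install_result(status):
    """Return (UpdateNumber or None, True if every reported step succeeded)."""
    m = re.search(r"UpdateNumber=(\d+)", status)
    steps = re.findall(r"^(?:Done;)?(.+?) : (\w+)", status, re.M)
    ok = bool(steps) and all(result == "successful" for _, result in steps)
    return (int(m.group(1)) if m else None), ok


def verify_update(download_status, install_status):
    """List problems with an update; an empty list means it is consistent."""
    problems = []
    if download_state(download_status) != "done":
        problems.append("download not complete; install would fail")
    number, ok = install_result(install_status)
    if not ok:
        problems.append("an install step did not report successful")
    wanted = version_info(download_status)
    if wanted is not None and number != wanted:
        problems.append(f"installed UpdateNumber {number} != downloaded {wanted}")
    return problems
```

Run against the article's own samples, `verify_update(DL_DONE, INSTALL_DONE)` reports a version mismatch, because the quoted download output shows 1586 while the quoted install output shows UpdateNumber=1581.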
