8/20/2019 Security Idp Policy
1/373
Junos OS
IDP Policies for Security Devices
Release
12.1
Published: 2014-06-30
Copyright © 2014, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Junos OS IDP Policies for Security Devices
12.1
Copyright © 2014, Juniper Networks, Inc.
All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.
Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Part 1 Overview
Chapter 1 Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Junos OS Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 2 Policy Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
IDP Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Understanding IDP Inline Tap Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Chapter 3 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Understanding IDP Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Understanding IDP Rule Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Understanding IDP Rule Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Zone Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Address or Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Application or Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Attack Object Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Understanding IDP Rule Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Understanding IDP Rule IP Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding IDP Rule Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding IDP Policy Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Understanding Predefined IDP Policy Templates . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Understanding IDP Application-Level DDoS Rulebases . . . . . . . . . . . . . . . . . . . . . 25
Understanding IDP IPS Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Understanding IDP Exempt Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Understanding IDP Terminal Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Understanding DSCP Rules in IDP Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 4 Applications and Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Understanding IDP Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Chapter 5 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Understanding Custom Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Attack Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Severity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Service and Application Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Protocol and Port Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Time Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Attack Properties (Signature Attacks) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Attack Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Attack Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Attack Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Protocol-Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Sample Signature Attack Definition . . . . . . . . . . . . . . . . . . . . . . . . . 45
Attack Properties (Protocol Anomaly Attacks) . . . . . . . . . . . . . . . . . . . . . . . . 46
Attack Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Test Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Sample Protocol Anomaly Attack Definition . . . . . . . . . . . . . . . . . . . . . . 46
Attack Properties (Compound or Chain Attacks) . . . . . . . . . . . . . . . . . . . . . . 47
Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Expression (Boolean expression) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Member Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Sample Compound Attack Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Understanding IDP Protocol Decoders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Understanding Multiple IDP Detector Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Understanding Content Decompression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Understanding IDP Signature-Based Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Understanding IDP Protocol Anomaly-Based Attacks . . . . . . . . . . . . . . . . . . . . . . 53
Part 2 Configuration
Chapter 6 Policy Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Example: Enabling IDP in a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Example: Configuring IDP Inline Tap Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Chapter 7 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Example: Inserting a Rule in the IDP Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Example: Deactivating and Activating Rules in an IDP Rulebase . . . . . . . . . . . . . . 64
Example: Defining Rules for an IDP IPS Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . 65
Example: Defining Rules for an IDP Exempt Rulebase . . . . . . . . . . . . . . . . . . . . . . 68
Example: Setting Terminal Rules in Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Example: Configuring DSCP Rules in an IDP Policy . . . . . . . . . . . . . . . . . . . . . . . . . 73
Chapter 8 Applications and Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Example: Configuring IDP Applications and Services . . . . . . . . . . . . . . . . . . . . . . . 77
Example: Configuring IDP Applications Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Chapter 9 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Example: Configuring IDP Protocol Decoders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Example: Configuring IDP Content Decompression . . . . . . . . . . . . . . . . . . . . . . . . 84
Example: Configuring IDP Signature-Based Attacks . . . . . . . . . . . . . . . . . . . . . . . 85
Example: Configuring IDP Protocol Anomaly-Based Attacks . . . . . . . . . . . . . . . . 88
Listing IDP Test Conditions for a Specific Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 91
Example: Configuring Compound or Chain Attacks . . . . . . . . . . . . . . . . . . . . . . . . 91
Example: Configuring Attack Groups with Dynamic Attack Groups and Custom
Attack Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
Chapter 10 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
[edit security forwarding-process] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . 108
[edit security idp] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
application-services (Security Forwarding Process) . . . . . . . . . . . . . . . . . . . . . . . 119
ack-number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
action (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121
action (Security Rulebase IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
active-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
alert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
allow-icmp-without-flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
anomaly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
application (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
application (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . 125
application (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
application-ddos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
application-identification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
attack-type (Security Anomaly) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
attack-type (Security Chain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
attack-type (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
attack-type (Security Signature) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
attacks (Security Exempt Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
attacks (Security IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
automatic (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
cache-size (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
category (Security Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
context (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
content-decompression-max-memory-kb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
content-decompression-max-ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
count (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
custom-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
custom-attack-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
custom-attack-groups (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
custom-attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
data-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
description (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
destination (Security IP Headers Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
destination-address (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
destination-except . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
destination-port (Security Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
detect-shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
detector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
direction (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
direction (Security Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156
download-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
dynamic-attack-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
dynamic-attack-groups (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
enable-all-qmodules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
enable-packet-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
false-positives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
fifo-max-size (IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
fifo-max-size (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
flow (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
from-zone (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
forwarding-process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
global (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
group-members . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
hash-table-size (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
header-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
high-availability (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
icmp (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
icmp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
icmpv6 (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
identification (Security ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
identification (Security IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
idp-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
idp-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
ignore-memory-overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
ignore-reassembly-overflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
ignore-regular-expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
include-destination-address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
inline-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
interval (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
ip-action (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
ip-action (Security IDP Rulebase IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178
ip-block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
ip-close . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
ip-connection-rate-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
ip-flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
ip-notify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
ipv4 (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
ipv6 (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
log (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
log (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
log-attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
log-create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
log-errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
log-supercede-min . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
match (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
match (Security Rulebase DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
max-flow-mem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
max-logs-operate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
max-packet-mem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
max-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
max-sessions (Security Packet Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
max-tcp-session-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
max-time-report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
max-timers-poll-ticks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
max-udp-session-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
maximize-idp-sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
member (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
mss (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
negate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
nested-application (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
option (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
order (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
packet-log (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
packet-log (Security IDP Sensor Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . . 199
pattern (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
performance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
policy-lookup-cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
post-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
post-attack-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
pre-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
pre-filter-shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
predefined-attack-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
predefined-attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
process-ignore-s2c . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
process-override . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204
process-port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
protocol-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
protocol-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
protocol (Security IDP IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
protocol (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
re-assembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
recommended-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
refresh-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
regexp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
reject-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
reset (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
reset-on-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
rpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215
rule (Security Exempt Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
rule (Security DDoS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
rule (Security IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
rulebase-ddos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
rulebase-exempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
rulebase-ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
scope (Security IDP Chain Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
scope (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
security-package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
sensor-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
sequence-number (Security IDP ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . 228
sequence-number (Security IDP TCP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . 228
service (Security IDP Anomaly Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
service (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
severity (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
severity (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
severity (Security IDP IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
signature (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
source (Security IDP IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
source-address (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
source-address (Security IDP Sensor Configuration) . . . . . . . . . . . . . . . . . . . . . 240
source-except . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
source-port (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
ssl-inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
start-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
start-time (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
statistics (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
target (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245
tcp (Security IDP Protocol Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
tcp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
tcp-flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
test (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
then (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
then (Security Rulebase DDos) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
time-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
timeout (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
to-zone (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
tos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
total-length . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
total-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
traceoptions (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
ttl (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
tunable-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
tunable-value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
type (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
type (Security IDP ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
udp (Security IDP Protocol Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
udp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
udp-anticipated-timeout (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
urgent-pointer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
url (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
window-scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
window-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
traceoptions (Security Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Part 3 Administration
Chapter 11 Clear Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
clear security idp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
clear security idp application-ddos cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
clear security idp attack table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
clear security idp counters application-identification . . . . . . . . . . . . . . . . . . . . . . 275
clear security idp counters dfa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
clear security idp counters flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
clear security idp counters http-decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
clear security idp counters ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
clear security idp counters log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
clear security idp counters packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
clear security idp counters policy-manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282
clear security idp counters tcp-reassembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
clear security idp ssl-inspection session-id-cache . . . . . . . . . . . . . . . . . . . . . . . . 284
Chapter 12 Request Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
request security idp security-package download . . . . . . . . . . . . . . . . . . . . . . . . . 286
request security idp security-package install . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
request security idp ssl-inspection key add . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
request security idp ssl-inspection key delete . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
request security idp storage-cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Chapter 13 Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
show security flow session idp summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
show security idp active-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
show security idp application-ddos application . . . . . . . . . . . . . . . . . . . . . . . . . 300
show security idp attack description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
show security idp attack detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
show security idp attack table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
show security idp counters application-ddos . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
show security idp counters application-identification . . . . . . . . . . . . . . . . . . . . . 309
show security idp counters dfa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
show security idp counters flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
show security idp counters http-decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
show security idp counters ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
show security idp counters log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
show security idp counters packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
show security idp counters packet-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
show security idp counters policy-manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
show security idp counters tcp-reassembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
show security idp logical-system policy-association . . . . . . . . . . . . . . . . . . . . . . 331
show security idp memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
show security idp policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
show security idp policy-commit-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
show security idp policy-commit-status clear . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
show security idp policy-templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
show security idp predefined-attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
show security idp security-package-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
show security idp ssl-inspection key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 340
show security idp ssl-inspection session-id-cache . . . . . . . . . . . . . . . . . . . . . . . . 341
show security idp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 342
show security idp status detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Part 4 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv
Part 1 Overview
Chapter 1 Supported Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: IDP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 4: IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Table 5: Junos OS Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Chapter 3 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Table 6: IDP Attack Objects Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Table 7: IDP Rule Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 8: IDP Rule IP Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Table 9: Predefined IDP Policy Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Table 10: Application-Level DDoS Rulebase Components . . . . . . . . . . . . . . . . . . . 25
Table 11: IPS Rulebase Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Table 12: Exempt Rulebase Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Chapter 5 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 13: Supported Services for Service Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 34
Table 14: Supported Protocols and Protocol Numbers . . . . . . . . . . . . . . . . . . . . . 38
Table 15: Sample Formats for Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 16: IP Protocol Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Table 17: TCP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Table 18: UDP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Table 19: ICMP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Part 2 Configuration
Chapter 10 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Table 20: Session Capacity and Resulting Throughput . . . . . . . . . . . . . . . . . . . . 264
Part 3 Administration
Chapter 13 Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Table 21: show security flow session idp summary Output Fields . . . . . . . . . . . . 297
Table 22: show security idp active-policy Output Fields . . . . . . . . . . . . . . . . . . . 299
Table 23: show security idp application-ddos Output Fields . . . . . . . . . . . . . . . . 300
Table 24: show security idp attack description Output Fields . . . . . . . . . . . . . . . 302
Table 25: show security idp attack detail Output Fields . . . . . . . . . . . . . . . . . . . . 303
Table 26: show security idp attack table Output Fields . . . . . . . . . . . . . . . . . . . . 305
Table 27: show security idp counters application-ddos Output Fields . . . . . . . . 306
Table 28: show security idp counters application-identification Output Fields . . 309
Table 29: show security idp counters dfa Output Fields . . . . . . . . . . . . . . . . . . . . 311
Table 30: show security idp counters flow Output Fields . . . . . . . . . . . . . . . . . . . 312
Table 31: show security idp counters http-decoder Output Fields . . . . . . . . . . . . 315
Table 32: show security idp counters ips Output Fields . . . . . . . . . . . . . . . . . . . . 316
Table 33: show security idp counters log Output Fields . . . . . . . . . . . . . . . . . . . . 319
Table 34: show security idp counters packet Output Fields . . . . . . . . . . . . . . . . . 322
Table 35: show security idp counters policy-manager Output Fields . . . . . . . . . 327
Table 36: show security idp counters tcp-reassembler Output Fields . . . . . . . . . 328
Table 37: show security idp logical-system policy-association Output Fields . . . 331
Table 38: show security idp memory Output Fields . . . . . . . . . . . . . . . . . . . . . . . 332
Table 39: show security idp security-package-version Output Fields . . . . . . . . . 339
Table 40: show security idp ssl-inspection key Output Fields . . . . . . . . . . . . . . . 340
Table 41: show security idp ssl-inspection session-id-cache Output Fields . . . . 341
Table 42: show security idp status Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 342
About the Documentation
• Documentation and Release Notes on page xiii
• Supported Platforms on page xiii
• Using the Examples in This Manual on page xiii
• Documentation Conventions on page xv
• Documentation Feedback on page xvii
• Requesting Technical Support on page xvii
Documentation and Release Notes
To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.
If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.
Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.
Supported Platforms
For the features described in this document, the following platforms are supported:
• J Series
• SRX Series
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see the CLI User Guide.
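The full-example versus snippet distinction above decides which load command to use. As an added example (not from the Juniper manual), the following Python script parses the curly-brace configuration syntax, rejects a fragment whose braces do not balance before it is merged, lists the top-level statements, and names the load command the procedure prescribes; the TOP_LEVEL set is an assumed, partial list of Junos top-level hierarchies.

```python
"""Classify a Junos configuration file as a full example or a snippet.

Added example, not part of the Juniper manual: it tokenizes the curly-brace
configuration syntax, verifies that braces balance (a half-pasted example is
rejected before it reaches 'load merge'), lists the top-level statements, and
names the load command the manual prescribes for that case.
"""
import re

# Partial list of Junos top-level configuration hierarchies used to decide
# whether a fragment starts at the top of the hierarchy (assumption; extend it
# for your environment).
TOP_LEVEL = {
    "system", "interfaces", "security", "routing-options", "protocols",
    "firewall", "policy-options", "services", "snmp", "chassis", "applications",
}

# The two configurations shown in the manual, embedded for a self-contained run.
FULL_EXAMPLE = """
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""

SNIPPET = """
commit {
    file ex-script-snippet.xsl;
}
"""


def parse_config(text):
    """Parse Junos curly-brace syntax into nested dicts.

    A container ('system { ... }') becomes a dict keyed by its statement text;
    a leaf ('file ex-script.xsl;') maps to None.  Raises ValueError when a
    brace is unbalanced or a statement is not terminated.
    """
    cleaned = re.sub(r"#.*", "", text)            # drop '#' comments
    tokens = re.findall(r"[{};]|[^\s{};]+", cleaned)
    root = {}
    stack = [root]                                 # current container per level
    words = []                                     # statement text being read
    for tok in tokens:
        if tok == "{":
            if not words:
                raise ValueError("'{' without a statement name")
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == "}":
            if words:
                raise ValueError("statement %r is missing ';'" % " ".join(words))
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif tok == ";":
            if words:
                stack[-1][" ".join(words)] = None
                words = []
        else:
            words.append(tok)
    if len(stack) != 1:
        raise ValueError("missing %d closing brace(s)" % (len(stack) - 1))
    if words:
        raise ValueError("trailing statement without ';'")
    return root


def is_balanced(text):
    """True when the fragment parses cleanly (balanced braces, terminated leaves)."""
    try:
        parse_config(text)
        return True
    except ValueError:
        return False


def classify(text):
    """Return (kind, top_level_statements, load_command) for a fragment."""
    top = sorted(parse_config(text))
    names = {stmt.split()[0] for stmt in top}
    if names and names <= TOP_LEVEL:
        return "full", top, "load merge"
    # Not rooted at the top of the hierarchy: merge it relative to the level
    # you first 'edit' into, e.g. [edit system scripts] for SNIPPET.
    return "snippet", top, "load merge relative"


if __name__ == "__main__":
    for label, cfg in (("ex-script.conf", FULL_EXAMPLE),
                       ("ex-script-snippet.conf", SNIPPET)):
        kind, top, cmd = classify(cfg)
        print("%s: %s (top level: %s) -> %s" % (label, kind, ", ".join(top), cmd))
```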
Documentation Conventions
Table 1 on page xv defines notice icons used in this guide.
Table 1: Notice Icons
Meaning | Description
Informational note | Indicates important features or instructions.
Caution | Indicates a situation that might result in loss of data or hardware damage.
Warning | Alerts you to the risk of personal injury or death.
Laser warning | Alerts you to the risk of personal injury from a laser.
Tip | Indicates helpful information.
Best practice | Alerts you to a recommended use or implementation.
Table 2 on page xv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions

Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine’s domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Encloses optional keywords or variables.
Examples: stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    (string1 | string2 | string3)

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples: rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Encloses a variable for which you can substitute one or more values.
Examples: community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identifies a level in the configuration hierarchy.
Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples (for both conventions above):
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

GUI Conventions

Convention: Bold text like this
Description: Represents graphical user interface (GUI) items you click or select.
Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of menu selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:
• Online feedback rating system—On any page at the Juniper Networks Technical
Documentation site at http://www.juniper.net/techpubs/index.html, simply click the
stars to rate the content, and use the pop-up form to provide us with information about
your experience. Alternately, you can use the online feedback form at
https://www.juniper.net/cgi-bin/docbugreport/.
• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,
or are covered under warranty, and need post-sales technical support, you can access
our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.
• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Search for known bugs: http://www2.juniper.net/kb/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.
PART 1
Overview
• Supported Features on page 3
• Policy Basics on page 11
• Rules and Rulebases on page 15
• Applications and Application Sets on page 31
• Attacks and Attack Objects on page 33
CHAPTER 1
Supported Features
• Intrusion Detection and Prevention on page 3
• IPv6 Support on page 5
• Junos OS Feature Licenses on page 8
Intrusion Detection and Prevention
The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively
enforce various attack detection and prevention techniques on network traffic passing
through an IDP-enabled device. It allows you to define policy rules to match traffic based
on a zone, network, and application, and then take active or passive preventive actions
on that traffic.
Table 3 on page 3 lists IDP features that are supported on SRX Series and J Series
devices.
Table 3: IDP Support
Feature | J Series | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | SRX550, SRX650 | SRX100, SRX110, SRX210, SRX220, SRX240
Access control on IDP audit logs | No | No | Yes | Yes
Alarms and auditing | No | Yes | Yes | Yes
Application identification (see Application Identification (Junos OS) for the Junos OS version of application identification) | Yes | Yes | Yes | Yes
Application-level DDoS rule base | No | Yes | No | No
Cryptographic key handling | No | Yes | No | No
DSCP marking | No | Yes | No | No
IDP and UAC coordinated threat control | No | Yes | Yes | Yes
IDP class-of-service action | No | Yes | No | No
IDP in an active/active chassis cluster | No | Yes | Yes | SRX210, SRX220, and SRX240 only
IDP inline tap mode | No | Yes | No | No
IDP logging | Yes | Yes | Yes | Yes
IDP monitoring and debugging | Yes | Yes | Yes | Yes
IDP policy | Yes | Yes | Yes | Yes
IDP security packet capture | No | Yes | No | No
IDP signature database | Yes | Yes | Yes | Yes
IDP SSL inspection | No | Yes | No | No
IPS rule base | Yes | Yes | Yes | Yes
Jumbo frames | Yes (9010 bytes) | Yes (9192 bytes) | Yes | Yes
Nested application identification (Extended application identification) | No | Yes | Yes | Yes
Performance and capacity tuning for IDP | No | Yes | No | No
SNMP MIB for IDP monitoring | Yes | Yes | Yes | Yes
Related Documentation
• Junos OS Security Configuration Guide
IPv6 Support
IPv6 is the successor to IPv4. IPv6 builds upon the functionality of IPv4, providing
improvements to addressing, configuration and maintenance, and security. These
improvements include:
• Expanded addressing capabilities—IPv6 provides a larger address space. IPv6 addresses
consist of 128 bits, whereas IPv4 addresses consist of 32 bits.
• Header format simplification—The IPv6 packet header format is designed to be efficient.
IPv6 standardizes the size of the packet header to 40 bytes, divided into 8 fields.
• Improved support for extensions and options—Extension headers carry Internet-layer
information and have a standard size and structure.
• Improved privacy and security—IPv6 supports extensions for authentication and data
integrity, which enhance privacy and security.
Table 4 on page 5 lists the SRX Series and J Series device features that support IPv6.
Table 4: IPv6 Support
Feature | J Series | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | SRX550, SRX650 | SRX100, SRX110, SRX210, SRX220, SRX240

Chassis cluster
Active-active | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only
Active-passive | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only
Multicast flow | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only

Flow-based forwarding and security features
Advanced flow | Yes | Yes | Yes | Yes
DS-Lite concentrator (aka AFTR) | No | Yes | Yes | No
DS-Lite initiator (aka B4) | No | No | No | No
Firewall filters | Yes | Yes | Yes | Yes
Forwarding option: flow mode | Yes | Yes | Yes | Yes
Multicast flow | Yes | Yes | Yes | Yes
Screens | Yes | Yes | Yes | Yes
Security policy (firewall) | Yes | Yes | Yes | Yes
Security policy (IDP) | No | Yes | No | No
Security policy (user role firewall) | No | No | No | No
Zones | Yes | Yes | Yes | Yes
IPv6 ALG support for FTP (routing, NAT, NAT-PT support) | Yes | Yes | Yes | Yes
IPv6 ALG support for ICMP (routing, NAT, NAT-PT support) | Yes | Yes | Yes | Yes
IPv6 NAT (NAT-PT, NAT support) | Yes | Yes | Yes | Yes
IPv6 NAT64 | Yes | Yes | Yes | Yes
IPv6-related protocols (BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng) | Yes | Yes | Yes | Yes
IPv6 ALG support for TFTP | Yes | Yes | Yes | Yes
System services (DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet, traceroute) | Yes | Yes | Yes | Yes

IPv6 IDP/AppSecure
Application DDoS (AppDoS) | No | No | No | No
Application Firewall (AppFW) | No | Yes | Yes | Yes
Application QoS (AppQoS) | No | Yes | No | No
Application Tracking (AppTrack) | No | No | No | No
IDP | No | Yes | No | No

Logical systems
Admin operations (Telnet, SSH, HTTPS, and so on) | No | Yes | No | No
Chassis clusters | No | Yes | No | No
Firewall authentication | No | Yes | No | No
Flows | No | Yes | No | No
Interfaces | No | Yes | No | No
IPv6 dual-stack lite (DS-Lite) | No | Yes | No | No
NAT (except interface NAT) | No | Yes | No | No
Routing (BGP only) | No | Yes | No | No
Screen options | No | Yes | No | No
Zones and security policies | No | Yes | No | No

Packet-based forwarding and security features
Class of service | Yes | Yes | Yes | Yes
Firewall filters | Yes | Yes | Yes | Yes
Forwarding option: packet mode | Yes | No | Yes | Yes
Related Documentation
• Junos OS Security Configuration Guide

Junos OS Feature Licenses
Each feature license is tied to exactly one software feature, and that license is valid for
exactly one device. Table 5 on page 8 describes the Junos OS features that require
licenses.
Table 5: Junos OS Feature Licenses

Device columns, in order: SRX 5000 line, SRX 3000 line, SRX 1000 line, SRX 650, SRX 550, SRX 240, SRX 220, SRX 210, SRX 110, SRX 100, J Series.

| Feature | Junos OS license requirements (X = license required; * = high-memory devices only) |
| --- | --- |
| Access Manager | X X X X X X X |
| BGP Route Reflectors | X X |
| Dynamic VPN | X X X X X X X |
| IDP Signature Update | X X X X X X* X* X* X X* X |
| Application Signature Update (Application Identification) | X X X X X X X X X X X |
| Juniper-Kaspersky Anti-Virus | X X X X X X X X |
| Juniper-Sophos Anti-Spam | X X X X X X X X |
| Juniper-Websense Integrated Web Filtering | X X X X X X X X |
| SRX100 Memory Upgrade | X |
| UTM | X X X* X X* X X* X |

* Indicates support on high-memory devices only
Related Documentation
• Junos OS Security Configuration Guide
• Junos OS Initial Configuration Guide for Security Devices
CHAPTER 2
Policy Basics
• IDP Policies Overview on page 11
• Understanding IDP Inline Tap Mode on page 12
IDP Policies Overview
The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively
enforce various attack detection and prevention techniques on network traffic passing
through an IDP-enabled device. It allows you to define policy rules to match a section of
traffic based on a zone, network, and application, and then take active or passive
preventive actions on that traffic.
An IDP policy defines how your device handles the network traffic. It allows you to enforce
various attack detection and prevention techniques on traffic traversing your network.
A policy is made up of rulebases, and each rulebase contains a set of rules. You define
rule parameters, such as traffic match conditions, action, and logging requirements, then
add the rules to rulebases. After you create an IDP policy by adding rules in one or more
rulebases, you can select that policy to be the active policy on your device.
Junos OS allows you to configure multiple IDP policies, but a device can have only one
active IDP policy at a time. You can install the same IDP policy on multiple devices, or
you can install a unique IDP policy on each device in your network. A single policy can
contain only one instance of any type of rulebase.
NOTE: The IDP feature is enabled by default; no license is required. Custom
attacks and custom attack groups in IDP policies can also be configured and
installed even when a valid license and signature database are not installed
on the device.
You can perform the following tasks to manage IDP policies:
• Create new IDP policies starting from scratch. See “Example: Defining Rules for an IDP
IPS Rulebase” on page 65.
• Create an IDP policy starting with one of the predefined templates provided by Juniper
Networks (see “Understanding Predefined IDP Policy Templates” on page 23).
• Add or delete rules within a rulebase. You can use any of the following IDP objects to
create rules:
• Zone and network objects available in the base system
• Predefined service objects provided by Juniper Networks
• Custom application objects
• Predefined attack objects provided by Juniper Networks
• Create custom attack objects (see “Example: Configuring IDP Signature-Based Attacks”
on page 85).
• Update the signature database provided by Juniper Networks. This database contains
all predefined objects.
• Maintain multiple IDP policies. Any one of the policies can be applied to the device.
Related Documentation
• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Understanding IDP Policy Rules on page 15
• Understanding IDP Terminal Rules on page 28
• Understanding IDP Application Sets on page 31
• Understanding Custom Attack Objects on page 33
• Example: Enabling IDP in a Security Policy on page 57
Understanding IDP Inline Tap Mode
The main purpose of inline tap mode is to provide best-case deep inspection analysis of
traffic while maintaining overall performance and stability of the device. The inline tap
feature provides passive, inline detection of application layer threats for traffic matching
security policies which have the IDP application service enabled. When a device is in inline
tap mode, packets pass through firewall inspection and are also copied to the independent
IDP module. This allows the packets to get to the next service module without waiting
for IDP processing results. By doing this, when the traffic input is beyond the IDP
throughput limit, the device can still sustain processing as long as it does not go beyond
the limits of the other modules, such as the firewall. If the IDP process fails, all other features of
the device will continue to function normally. Once the IDP process recovers, it will resume
processing packets for inspection. Since inline tap mode puts IDP in a passive mode for
monitoring, preventive actions such as session close, drop, and mark diffserv are
deferred. The action drop packet is ignored.
Inline tap mode can only be configured if the forwarding process mode is set to maximize
IDP sessions, which ensures stability and resiliency for firewall services. You also do not
need a separate tap or SPAN port to use inline tap mode.
NOTE: You must restart the device when switching to inline tap mode or
back to regular mode.
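As an added example (not taken from the Juniper documentation), the configuration stanza that places a device in inline tap mode; it shows that the inline-tap statement sits under the maximize-idp-sessions forwarding-process option the text requires:

```junos
security {
    forwarding-process {
        application-services {
            /* inline-tap is only accepted under maximize-idp-sessions */
            maximize-idp-sessions {
                inline-tap;
            }
        }
    }
}
```

After committing, reboot the device (request system reboot) as the NOTE above requires; deleting the inline-tap statement and rebooting again returns IDP to regular mode.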
Related Documentation
• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Example: Configuring IDP Inline Tap Mode on page 60
• IDP Policies Overview on page 11
• Understanding IDP Policy Rules on page 15
• Understanding IDP Policy Rulebases on page 22
CHAPTER 3
Rules and Rulebases
• Understanding IDP Policy Rules on page 15
• Understanding IDP Policy Rulebases on page 22
• Understanding Predefined IDP Policy Templates on page 23
• Understanding IDP Application-Level DDoS Rulebases on page 25
• Understanding IDP IPS Rulebases on page 26
• Understanding IDP Exempt Rulebases on page 27
• Understanding IDP Terminal Rules on page 28
• Understanding DSCP Rules in IDP Policies on page 29
Understanding IDP Policy Rules
Each instruction in an Intrusion Detection and Prevention (IDP) policy is called a rule.
Rules are created in rulebases.
Rulebases are a set of rules that combine to define an IDP policy. Rules provide context
to detection mechanisms by specifying which part of the network traffic the IDP system
should look in to find attacks. When a rule is matched, it means that an attack has been
detected in the network traffic, triggering the action for that rule. The IDP system performs
the specified action and protects your network from that attack.
IDP policy rules are made up of the following components:
• Understanding IDP Rule Match Conditions on page 15
• Understanding IDP Rule Objects on page 16
• Understanding IDP Rule Actions on page 19
• Understanding IDP Rule IP Actions on page 21
• Understanding IDP Rule Notifications on page 21
Understanding IDP Rule Match Conditions
Match conditions specify the type of network traffic you want IDP to monitor for attacks.
Match conditions use the following characteristics to specify the type of network traffic
to be monitored:
• From-zone and to-zone—All traffic flows from a source to a destination zone. You can
select any zone for the source or destination. You can also use zone exceptions to
specify unique to and from zones for each device. Specify any to monitor network traffic
originating from and to any zone. The default value is any.
• Source IP Address—Specify the source IP address from which the network traffic
originates. You can specify any to monitor network traffic originating from any IP
address. You can also specify source-except to specify all sources except the specified
addresses. The default value is any.
• Destination IP address—Specify the destination IP address to which the network traffic
is sent. You can set this to any to monitor network traffic sent to any IP address. You
can also specify destination-except to specify all destinations except the specified
addresses. The default value is any.
• Application—Specify the Application Layer protocols supported by the destination IP
address. You can specify any for all applications and default for the application
configured in the attack object for the rule.
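As an added example, not taken from the Juniper documentation, an IPS rulebase rule that uses the four match conditions above, activated as the device's single active policy, together with the security policy that hands matching traffic to IDP. The policy, rule, and zone names, the address-book entry mgmt-scanners (assumed to already exist in the untrust zone), and the predefined group name "HTTP - Critical" (assumed to be present in the installed signature database) are hypothetical:

```junos
security {
    idp {
        idp-policy branch-ips {
            rulebase-ips {
                rule web-critical {
                    match {
                        from-zone untrust;
                        to-zone trust;
                        /* every source except the hypothetical mgmt-scanners address object */
                        source-except mgmt-scanners;
                        destination-address any;
                        /* default: the application named in each matched attack object */
                        application default;
                        attacks {
                            predefined-attack-groups "HTTP - Critical";
                        }
                    }
                    then {
                        action {
                            drop-connection;
                        }
                        notification {
                            log-attacks {
                                alert;
                            }
                        }
                    }
                }
            }
        }
        /* a device runs exactly one active IDP policy at a time */
        active-policy branch-ips;
    }
    policies {
        from-zone untrust to-zone trust {
            policy inspect-web {
                match {
                    source-address any;
                    destination-address any;
                    application junos-http;
                }
                then {
                    permit {
                        /* only traffic permitted with the idp application service reaches the IDP policy */
                        application-services {
                            idp;
                        }
                    }
                }
            }
        }
    }
}
```

Because only one policy can be active, pointing active-policy at another configured policy replaces this one on the next commit.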
Understanding IDP Rule Objects
Objects are reusable logical entities that you can apply to rules. Each object that you
create is added to a database for the object type.
You can configure the following types of objects for IDP rules.
Zone Objects
A zone or security zone is a collection of one or more network interfaces. IDP uses zone
objects configured in the base system.
Address or Network Objects
Address objects represent components of your network, such as host machines, servers,
and subnets. You use address objects in IDP policy rules to specify the network
components that you want to protect.
Application or Service Objects
Service objects represent network services that use Transport Layer protocols such as
TCP, UDP, RPC, and ICMP. You use service objects in rules to specify the service an attack
uses to access your network. Juniper Networks provides predefined service objects, a
database of service objects that are based on industry-standard services. If you need to
add service objects that are not included in the predefined service objects, you can create
custom service objects. IDP supports the following types of service objects:
• Any—Allows IDP to match all Transport Layer protocols.
• TCP—Specifies a TCP port or a port range to match network services for specified TCP
ports. You can specify junos-tcp-any to match services for all TCP ports.
• UDP—Specifies a UDP port or a port range to match network services for specified
UDP ports. You can specify junos-udp-any to match services for all UDP ports.
• RPC—Specifies a remote procedure call (RPC from Sun Microsystems) program number
or a program number range. IDP uses this information to identify RPC sessions.
• ICMP—Specifies a type and code that is a part of an ICMP packet. You can specify
junos-icmp-all to match all ICMP services.
• default—Allows IDP to match default and automatically detected protocols to the
applications implied in the attack objects.
Attack Objects
IDP attack objects represent known and unknown attacks. IDP includes a predefined
attack object database that is periodically updated by Juniper Networks. Attack objects
are specified in rules to identify malicious activity. Each attack is defined as an attack
object, which represents a known pattern of attack. Whenever this known pattern of
attack is encountered in the monitored network traffic, the attack object is matched. The
three main types of attack objects are described in Table 6 on page 17:
Table 6: IDP Attack Objects Description

| Attack Objects | Description |
| --- | --- |
| Signature Attack Objects | Signature attack objects detect known attacks using stateful attack signatures. An attack signature is a pattern that always exists within an attack; if the attack is present, so is the attack signature. With stateful signatures, IDP can look for the specific protocol or service used to perpetrate the attack, the direction and flow of the attack, and the context in which the attack occurs. Stateful signatures produce few false positives because the context of the attack is defined, eliminating huge sections of network traffic in which the attack would not occur. |
| Protocol Anomaly Attack Objects | Protocol anomaly attack objects identify unusual activity on the network. They detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used. Protocol anomaly detection works by finding deviations from protocol standards, most often defined by RFCs and common RFC extensions. Most legitimate traffic adheres to established protocols. Traffic that does not produces an anomaly, which may be created by attackers for specific purposes, such as evading an intrusion prevention system (IPS). |
| Compound Attack Objects | A compound attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the compound attack object; you can specify the order in which signatures or anomalies must match. Use compound attack objects to refine your IDP policy rules, reduce false positives, and increase detection accuracy. A compound attack object enables you to be very specific about the events that need to occur before IDP identifies traffic as an attack. You can use And, Or, and Ordered and operations to define the relationship among different attack objects within a compound attack and the order in which events occur. |
Attack Object Groups
IDP contains a large number of predefined attack objects. To help keep IDP policies
organized and manageable, attack objects can be grouped. An attack object group can
contain one or more attack objects of different types. Junos OS supports the following
two types of attack groups:
• Predefined attack object groups—Contain objects present in the signature database.
The predefined attack object groups are dynamic in nature. For example, the FTP: Minor
group selects all attacks of application FTP and severity Minor. If a new FTP attack
of minor severity is introduced in the security database, it is added to the FTP: Minor
group by default.
• Dynamic attack groups—Contain attack objects based on a certain matching criteria.
For example, a dynamic group can contain all attacks related to an application. During
signature update, the dynamic group membership is automatically updated based on
the matching criteria for that group.
On SRX Series devices, for a dynamic attack group using the direction filter, the
expression 'and' should be used in the exclude values. As is the case with all filters, the
default expression is 'or'. However, there is a choice of 'and' in the case of the direction
filter.
For example, if you want to choose all attacks with the direction client-to-server,