How to enable IDP on SRX

If you want to enable IDP on an SRX device, you have to issue a certain number of commands, which I list step by step from scratch;

1) Install the license first if it hasn’t been installed yet. You can check whether it is installed via “show system license installed”; if this command doesn’t give any output, get your license from Juniper and follow the steps below. (Bold italic text is my sample license)

2) Check that the server from which we will fetch the IDP files is reachable;

It isn’t reachable. Ensure https://services.netscreen.com is reachable, i.e. the hostname is resolvable by the SRX and the SRX can establish TCP connections to port 443 of this remote host.

After fixing the connectivity issue, here is the result;

3) Download attack table

Check status of the download.

It looks great.

4) Install attack table

Check status;

Check once again;

Check again;

Heyy, completed!

5) Get policy templates;

Check status;

6) Install policy templates

7) Check downloaded files;

8) Apply templates and commit the configuration to get template policies in CLI

Then delete templates commit script configuration right after the first commit;

9) Here are the results. The policies are now accessible, after which you can set your active policy and start using it or customize it. Enjoy!
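The command sequence behind steps 1 to 9, collected in one place as an added example (not the original post’s CLI captures). The prompt names, the policy template name Recommended and the signature-package path are assumptions; check them against your own Junos release.

```junos
/* Step 1: confirm an IDP license is present; no output means none installed */
user@srx> show system license installed
/* If none, paste the license text obtained from Juniper, then Ctrl-D */
user@srx> request system license add terminal

/* Step 2: verify the SRX can resolve and reach the signature server on 443 */
user@srx> request security idp security-package download check-server

/* Step 3: download the attack table and poll the status until it reports Done */
user@srx> request security idp security-package download
user@srx> request security idp security-package download status

/* Step 4: install it; repeat the status command until it completes */
user@srx> request security idp security-package install
user@srx> request security idp security-package install status
/* If the install reports "Attack DB update failed", retrying only the attack DB
   (as suggested in the comments below) can help: */
user@srx> request security idp security-package install update-attack-database-only

/* Steps 5 and 6: fetch and install the predefined policy templates */
user@srx> request security idp security-package download policy-templates
user@srx> request security idp security-package download status
user@srx> request security idp security-package install policy-templates

/* Step 7: list the downloaded files (path is an assumption) */
user@srx> file list /var/db/idpd/sec-download/

/* Step 8: load the templates through the commit script, then remove the script */
user@srx> configure
user@srx# set system scripts commit file templates.xsl
user@srx# commit
user@srx# delete system scripts commit file templates.xsl
user@srx# commit

/* Step 9: pick one of the template policies as the active one and verify */
user@srx# set security idp active-policy Recommended
user@srx# commit
user@srx# run show security idp status
```

Leaving the templates.xsl commit script configured would overwrite any later customization of the template policies on every commit, which is why it is removed right after the first commit.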

15 thoughts on “How to enable IDP on SRX”

  1. dan

    Great article, any idea on how to cleanly uninstall the IDP module once installed? I was reading around and people mentioned the IDP module should be removed prior to upgrade/downgrade firmware due to space limitations.

  2. burak

    I did everything successfully until here;

    Done;AI installation failed! Attack DB update failed!
    Install application package version 2259 failed.
    AI compilation has failed.

    and I don’t know why, any idea?

    1. rtoodtoo Post author

      Burak,
      With this output it isn’t easy to say what the problem is. You can check the logs under /var/log folder or enable traceoptions under [security idp] to see what the problem is.

    2. Tomek

      I know it’s a bit old, but I just came across this problem yesterday

      root@srx240# run request security idp security-package install update-attack-database-only

      has fixed the “Done;AI installation failed! Attack DB update failed!” problem for me

      Tom

  3. Abhishek

    Hello All,
    Do you all mean that by enabling IDP feature on SRX650, we don’t require additional IDP appliance like (8200 series) in our network ?

    1. rtoodtoo Post author

      SRX650 has IDP feature yes but you can’t get the same throughput as you get on standalone IDP like 8200.

  4. MAdness

    Nice, was a great help. Doing it from the Juniper guide did not get me this far. Valid even now, except for step 1: you can now also have the license loaded from the internet with “request system license update”.

    Thanks again.

    1. rtoodtoo Post author

      You’re welcome, Madness! Yes, the update option is also a method of installing the license without manually copying and pasting.

