How to enable IDP on SRX

If you want to enable IDP on an SRX device, you have to issue certain number of commands which I list step by step from scratch;

1) Install license first if it hasn’t been installed yet. You can see if it is installed or not via “show system license installed” if this command doesn’t give any ouput, get your license from Juniper and follow the steps below. (Bold italic text is my sample license)

root@srx1> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS111111 sdsdsd ssssss sdfsdf sdfsdf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfdsf sdfdsf sdfsdf sdfsdf
 sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf
 sdf
JUNOS111111: successfully added
add license complete (no errors)

2) Check if the server we will fetch IDP files are reachable;

root@srx1> request security idp security-package download check-server
error: fetching for("https://services.netscreen.com/cgi-bin/index.cgi?device=jsrx210&feature=idp&os=10.4&detector=10.4.160100525&from=&to=latest&type=manifest") failed

We can’t reach. Ensure https://services.netscreen.com is reachable i.e hostname is resolvable by SRX and it can establish TCP connections to 443 port of this remote host.

After fixing connectivity issue here is the result;

root@srx1> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Detector=11.6.160110809, Templates=1996)

3) Download attack table

root@srx1> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI

Check status of the download.

root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Tue Sep 20 12:12:23 2011, Detector=11.6.160110809)

It looks great.

4) Install attack table

root@srx1> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI

Check status;

root@srx1> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)

Check once again;

root@srx1> request security idp security-package install status
In progress:Compiling AI signatures ...

Check again;

root@srx1> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 12:12:23 2011,Detector=11.6.160110809]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed
due to no existing running policy found.

Heyy, completed!

5) Get policy templates;


root@srx1> request security idp security-package download policy-templates

Will be processed in async mode. Check the status using the status checking CLI

Check status;

root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996

6) Install policy templates

root@srx1> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
root@srx1> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository
(=>/var/db/scripts/commit/templates.xsl)!

7) Check downloaded files;

root@srx1> start shell
root@srx1% ls /var/db/idpd/sec-download/
SignatureUpdate.xml             libidp-detector.so.tgz.v
applications.xml                platforms.xml
detector-capabilities.xml       sub-download
groups.xml
root@srx1% exit
exit
root@srx1>

8) Apply templates and commit the configuration to get template policies in CLI

root@srx1# set system scripts commit file templates.xsl
[edit]
root@srx1# commit

Then delete templates commit script configuration right after the first commit;

root@srx1# delete system scripts commit file templates.xsl

9) Here is the results. Policies are now accessible after which you can set your active policy and start using it or customize it. Enjoy!

root@srx1# set security idp idp-policy ?
Possible completions:
          IDP policy name
  DMZ_Services         IDP policy name
  DNS_Service          IDP policy name
  File_Server          IDP policy name
  Getting_Started      IDP policy name
  IDP_Default          IDP policy name
  Recommended          IDP policy name
  Web_Server           IDP policy name

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


15 thoughts on “How to enable IDP on SRX”

  1. Great article, any idea on how to cleanly uninstall the IDP module once installed? I was reading around and people mentioned the IDP module should be removed prior to upgrade/downgrade firmware due to space limitations.

  2. i did everything with succesfully but until here;

    Done;AI installation failed! Attack DB update failed!
    Install application package version 2259 failed.
    AI compilation has failed.

    and i dont know why any idea ?

    1. Burak,
      With this output it isn’t easy to say what the problem is. You can check the logs under /var/log folder or enable traceoptions under [security idp] to see what the problem is.

    2. I know it’s a bit old, but I just came across this problem yesterday

      root@srx240# run request security idp security-package install update-attack-database-only

      has fixed the “Done;AI installation failed! Attack DB update failed!” problem for me

      Tom

  3. Hello All,
    Do you all mean that by enabling IDP feature on SRX650, we don’t require additional IDP appliance like (8200 series) in our network ?

    1. SRX650 has IDP feature yes but you can’t get the same throughput as you get on standalone IDP like 8200.

  4. Nice, was a great help. Doing it from the Juniper guide did not get me this far. Valid even now, except for step 1, you can now also have the license loaded from the internet with “request system license update”

    Thanks again.

    1. You’re welcome Madness! Yes update option is also a method of installing the license without manually copying and pasting.

Leave a Reply to rtoodtooCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading