How to enable IDP on SRX
If you want to enable IDP on an SRX device, you have to issue a number of commands, which I list step by step from scratch;
1) Install the license first if it hasn't been installed yet. You can see whether it is installed via "show system license installed"; if this command doesn't give any output, get your license from Juniper and follow the steps below. (The key below is my sample license, not a real one.)
root@srx1> request system license add terminal
[Type ^D at a new line to end input,
 enter blank line between each license key]
JUNOS111111 sdsdsd ssssss sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfdsf sdfdsf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdfsdf sdf

JUNOS111111: successfully added
add license complete (no errors)
2) Check that the server we will fetch the IDP files from is reachable;
root@srx1> request security idp security-package download check-server
error: fetching for("https://services.netscreen.com/cgi-bin/index.cgi?device=jsrx210&feature=idp&os=10.4&detector=10.4.160100525&from=&to=latest&type=manifest") failed
We can't reach it. Ensure https://services.netscreen.com is reachable, i.e. the hostname is resolvable by the SRX and the SRX can establish TCP connections to port 443 of this remote host.
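The two conditions above (name resolution and a TCP connection to port 443) can be verified from the SRX itself before retrying the download. The session below is an added example, not from the original post; the name-server and next-hop addresses (192.0.2.53, 192.0.2.1) are placeholders, and lines starting with # are explanations rather than CLI input:

```junos
# Added example (not from the post). Checks typed on the SRX routing engine,
# which is what performs the security-package download.

# 1. Can the routing engine resolve the download host?
root@srx1> show host services.netscreen.com

# 2. Is the host reachable at all? ICMP may be filtered upstream, so a failed
#    ping alone is not conclusive; a failed lookup in step 1 is.
root@srx1> ping services.netscreen.com count 3

# 3. Can the routing engine open a TCP connection to port 443? A "Connected to"
#    line means the download should work; "Connection refused" or a hang points
#    at a firewall or proxy in the path rather than at the SRX.
root@srx1> telnet services.netscreen.com port 443

# If step 1 fails, configure a name server; if steps 2/3 fail with no route,
# add a route for the routing engine (192.0.2.53 / 192.0.2.1 are placeholders).
root@srx1> configure
root@srx1# set system name-server 192.0.2.53
root@srx1# set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Optionally pin the download URL seen in the post's output, then commit and retry.
root@srx1# set security idp security-package url https://services.netscreen.com/cgi-bin/index.cgi
root@srx1# commit and-quit
root@srx1> request security idp security-package download check-server
```

The check-server call only needs outbound HTTPS from the control plane; it does not require any forwarding-plane (security policy) change, so if it still fails after these checks the problem is almost always DNS or an upstream filter on port 443.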
After fixing the connectivity issue, here is the result;
root@srx1> request security idp security-package download check-server
Successfully retrieved from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Detector=11.6.160110809, Templates=1996)
3) Download the attack table
root@srx1> request security idp security-package download full-update
Will be processed in async mode. Check the status using the status checking CLI
Check the status of the download.
root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi).
Version info:1996(Tue Sep 20 12:12:23 2011, Detector=11.6.160110809)
It looks great.
4) Install the attack table
root@srx1> request security idp security-package install
Will be processed in async mode. Check the status using the status checking CLI
Check the status;
root@srx1> request security idp security-package install status
In progress:performing DB update for an xml (SignatureUpdate.xml)
Check once again;
root@srx1> request security idp security-package install status
In progress:Compiling AI signatures ...
Check again;
root@srx1> request security idp security-package install status
Done;Attack DB update : successful - [UpdateNumber=1996,ExportDate=Tue Sep 20 12:12:23 2011,Detector=11.6.160110809]
Updating control-plane with new detector : successful
Updating data-plane with new attack or detector : not performed due to no existing running policy found.
Heyy, completed!
5) Get the policy templates;
root@srx1> request security idp security-package download policy-templates
Will be processed in async mode. Check the status using the status checking CLI
Check the status;
root@srx1> request security idp security-package download status
Done;Successfully downloaded from(https://services.netscreen.com/cgi-bin/index.cgi). Version info:1996
6) Install the policy templates
root@srx1> request security idp security-package install policy-templates
Will be processed in async mode. Check the status using the status checking CLI
root@srx1> request security idp security-package install status
Done;policy-templates has been successfully updated into internal repository (=>/var/db/scripts/commit/templates.xsl)!
7) Check the downloaded files;
root@srx1> start shell
root@srx1% ls /var/db/idpd/sec-download/
SignatureUpdate.xml        libidp-detector.so.tgz.v   applications.xml
platforms.xml              detector-capabilities.xml  sub-download
groups.xml
root@srx1% exit
exit
root@srx1>
8) Apply the templates and commit the configuration to make the template policies available in the CLI
root@srx1# set system scripts commit file templates.xsl
[edit]
root@srx1# commit
Then delete the templates commit-script configuration right after the first commit (otherwise the script runs, and re-creates the template policies, on every subsequent commit);
root@srx1# delete system scripts commit file templates.xsl
9) Here are the results. The policies are now accessible; you can set your active policy and start using it, or customize it. Enjoy!
root@srx1# set security idp idp-policy ?
Possible completions:
                       IDP policy name
  DMZ_Services         IDP policy name
  DNS_Service          IDP policy name
  File_Server          IDP policy name
  Getting_Started      IDP policy name
  IDP_Default          IDP policy name
  Recommended          IDP policy name
  Web_Server           IDP policy name
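Step 9 leaves the last part to the reader: choosing an active policy and attaching IDP to the security policy that carries the traffic. The session below is an added example, not from the original post; the zone names trust/untrust, the security-policy name allow-out and the choice of the Recommended template are assumptions:

```junos
# Added example (not from the post): activate a template policy and enable IDP
# on a security policy. Zone/policy names are assumptions.
root@srx1> configure

# Select which IDP policy the data plane compiles and runs. This is also why
# step 4 reported "not performed due to no existing running policy found":
# until an active policy exists there is nothing for the data plane to load.
root@srx1# set security idp active-policy Recommended

# IDP inspects only sessions matched by a security policy that permits them
# with application-services idp, so enable it on the relevant rule(s).
root@srx1# set security policies from-zone trust to-zone untrust policy allow-out match source-address any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-out match application any
root@srx1# set security policies from-zone trust to-zone untrust policy allow-out then permit application-services idp
root@srx1# commit and-quit

# Verify the policy compiled and which attack DB / detector the data plane runs.
root@srx1> show security idp status
root@srx1> show security idp security-package-version

# Attack hits accumulate here once traffic flows through the policy; an empty
# table right after commit is expected.
root@srx1> show security idp attack table
```

Two things worth knowing when reusing this: the templates are starting points, so copy one to a policy of your own before editing rather than modifying the template that the commit script would regenerate; and on Junos 15.1X49 and later the global active-policy knob is replaced by naming the policy on the rule itself (then permit application-services idp-policy <name>), so check the release notes for the version you run.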
Great article. Any idea on how to cleanly uninstall the IDP module once installed? I was reading around and people mentioned the IDP module should be removed prior to upgrading/downgrading firmware due to space limitations.
Hi Dan,
I haven't tried it myself, but there is a nice discussion here http://forums.juniper.net/t5/SRX-Services-Gateway/Deleting-the-IDP-signature-database/td-p/107886 which you may find useful. It is about deleting the DB, which is what you want, I suppose.
Genco.
Hi, do you know how to install IDP on an SRX chassis cluster??
You can check the Juniper KB http://kb.juniper.net/KB21052 for secondary node installation, Hector.
Thanks. Regards
I did everything successfully, but got stuck here;
Done;AI installation failed! Attack DB update failed!
Install application package version 2259 failed.
AI compilation has failed.
and I don't know why. Any idea?
Burak,
With this output it isn't easy to say what the problem is. You can check the logs under the /var/log folder or enable traceoptions under [security idp] to see what the problem is.
I know it's a bit old, but I just came across this problem yesterday
root@srx240# run request security idp security-package install update-attack-database-only
has fixed the “Done;AI installation failed! Attack DB update failed!” problem for me
Tom
Any feedback, any time, is welcome, Tomek. Thanks!
Hello All,
Do you all mean that by enabling the IDP feature on an SRX650, we don't require an additional IDP appliance like the 8200 series in our network?
The SRX650 has the IDP feature, yes, but you can't get the same throughput as you get on a standalone IDP like the 8200.
Nice, it was a great help. Doing it from the Juniper guide did not get me this far. Valid even now, except for step 1: you can now also have the license loaded from the internet with "request system license update".
Thanks again.
You're welcome, Madness! Yes, the update option is also a method of installing the license without manually copying and pasting.
Nice instructions, thank you. Space keeps undoing my CLI IDP changes. Not very nice.
Does vSRX support this feature? I am trying but no luck so far.