[Topology figure labels: Web_Server, idp-engine]
13. Activate the predefined Recommended policy as the active policy.
[edit]
user@host# set security idp active-policy Recommended
14. Confirm the active policy enabled on your device.
[edit]
user@host# show security idp active-policy
active-policy Recommended;
15. Create a security policy for the traffic from the untrust zone to the DMZ zone. In this step, you are creating an address set in the DMZ zone to group all HTTP server addresses together. In this example, you are applying security policies that can be used to inspect the traffic between the untrust zone and the DMZ zone.
NOTE: Keep in mind the following points:
• The order of security policies on an SRX Series device is important, because Junos OS performs a policy lookup starting from the top of the list and stops the lookup as soon as it finds a match for the received traffic.
• The SRX Series device allows you to enable IDP processing on a security policy on a rule-by-rule basis, instead of turning on IDP inspection across the whole device.
• A security policy identifies which traffic is sent to the IDP engine, and the IDP engine then applies inspection based on the contents of that traffic. Traffic that matches a security policy in which IDP is not enabled completely bypasses IDP processing. Traffic that matches a security policy marked for IDP processing is handed off to the IDP engine.
[edit]
user@host# set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/24
user@host# set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/24
user@host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
user@host# set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
user@host# set security policies from-zone untrust to-zone DMZ policy P1 match source-address any
user@host# set security policies from-zone untrust to-zone DMZ policy P1 match destination-address DMZ-address-set-http
user@host# set security policies from-zone untrust to-zone DMZ policy P1 match application junos-http
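The three points in the NOTE (first-match lookup, IDP enabled per rule, traffic that matches a non-IDP rule bypassing the engine) can be checked mechanically before a commit. The following Python script is an added example, not Juniper code or output. It parses a constructed set-style configuration that repeats the step 15 address-book and P1 match lines and adds two assumptions: a `then permit application-services idp` action for P1 (the per-rule IDP syntax of Junos releases of this guide's era) and a catch-all policy P-any that permits without IDP. The client address 203.0.113.5 is constructed, and the script takes order of first appearance as the lookup order (reordering with `insert` is not modelled). It then simulates the lookup for two flows and audits both the intended order and the reversed order.

```python
"""Simulate SRX first-match policy lookup and audit IDP coverage (added example,
not Juniper code).  Handles only the subset of Junos 'set' syntax used here."""
import re
from ipaddress import ip_address, ip_network

ADDR_RE = re.compile(r"^set security zones security-zone (\S+) address-book address (\S+) (\S+)$")
ASET_RE = re.compile(r"^set security zones security-zone (\S+) address-book address-set (\S+) address (\S+)$")
POL_RE = re.compile(r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) (match|then) (.+)$")
FIELDS = {"source-address": "source", "destination-address": "dest", "application": "app"}

# Constructed sample: step 15 lines plus an assumed IDP action for P1 and an
# assumed catch-all policy P-any that permits without IDP.
SAMPLE_CONFIG = """
set security zones security-zone DMZ address-book address Server-HTTP-1 192.168.2.2/24
set security zones security-zone DMZ address-book address Server-HTTP-2 192.168.2.3/24
set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-1
set security zones security-zone DMZ address-book address-set DMZ-address-set-http address Server-HTTP-2
set security policies from-zone untrust to-zone DMZ policy P1 match source-address any
set security policies from-zone untrust to-zone DMZ policy P1 match destination-address DMZ-address-set-http
set security policies from-zone untrust to-zone DMZ policy P1 match application junos-http
set security policies from-zone untrust to-zone DMZ policy P1 then permit application-services idp
set security policies from-zone untrust to-zone DMZ policy P-any match source-address any
set security policies from-zone untrust to-zone DMZ policy P-any match destination-address any
set security policies from-zone untrust to-zone DMZ policy P-any match application any
set security policies from-zone untrust to-zone DMZ policy P-any then permit
"""
_LINES = SAMPLE_CONFIG.strip().splitlines()
# Same policies with the catch-all entered first: the ordering mistake the NOTE warns about.
BAD_ORDER_CONFIG = "\n".join([l for l in _LINES if "policy P1 " not in l] + [l for l in _LINES if "policy P1 " in l])


def parse_config(text):
    """Return (address_books, address_sets, policies); policies maps (from, to) to a
    list in order of first appearance, taken here as the lookup order (assumption)."""
    books, sets, policies = {}, {}, {}
    for line in text.strip().splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            zone, name, prefix = m.groups()
            books.setdefault(zone, {})[name] = ip_network(prefix, strict=False)
        elif m := ASET_RE.match(line):
            zone, aset, member = m.groups()
            sets.setdefault(zone, {}).setdefault(aset, []).append(member)
        elif m := POL_RE.match(line):
            frm, to, name, kind, rest = m.groups()
            plist = policies.setdefault((frm, to), [])
            pol = next((p for p in plist if p["name"] == name), None)
            if pol is None:
                pol = {"name": name, "source": [], "dest": [], "app": [], "action": None, "idp": False}
                plist.append(pol)
            if kind == "match":
                field, value = rest.split(" ", 1)
                if field in FIELDS:
                    pol[FIELDS[field]].append(value)
            else:  # "then permit [application-services idp]" / "then deny"
                words = rest.split()
                pol["action"] = words[0]
                pol["idp"] = "application-services" in words and "idp" in words
    return books, sets, policies


def resolve(books, sets, zone, name):
    """Expand an address or address-set name from a zone's address book into networks."""
    if name in books.get(zone, {}):
        return [books[zone][name]]
    return [n for member in sets.get(zone, {}).get(name, []) for n in resolve(books, sets, zone, member)]


def _covers(books, sets, zone, names, ip):
    return "any" in names or any(ip in n for name in names for n in resolve(books, sets, zone, name))


def lookup(cfg, from_zone, to_zone, src, dst, app):
    """First-match lookup: the first matching policy in the zone pair wins and the
    search stops, so a later, more specific policy is never consulted."""
    books, sets, policies = cfg
    src, dst = ip_address(src), ip_address(dst)
    for pol in policies.get((from_zone, to_zone), []):
        if (_covers(books, sets, from_zone, pol["source"], src)
                and _covers(books, sets, to_zone, pol["dest"], dst)
                and ("any" in pol["app"] or app in pol["app"])):
            return pol
    return None


def audit(cfg):
    """Flag permit policies that hand traffic past the IDP engine, and policies that
    sit below an any/any/any policy in the same zone pair and so can never match."""
    _, _, policies = cfg
    findings = []
    for (frm, to), plist in policies.items():
        catch_all = None
        for pol in plist:
            if catch_all:
                findings.append(f"{frm}->{to} {pol['name']}: never reached, shadowed by {catch_all}")
            if pol["action"] == "permit" and not pol["idp"]:
                findings.append(f"{frm}->{to} {pol['name']}: permits traffic without IDP inspection")
            if catch_all is None and all("any" in pol[f] for f in ("source", "dest", "app")):
                catch_all = pol["name"]
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for app in ("junos-http", "junos-ssh"):  # 203.0.113.5 is a constructed client address
        hit = lookup(cfg, "untrust", "DMZ", "203.0.113.5", "192.168.2.2", app)
        print(f"{app:10} -> {hit['name']} (IDP {'on' if hit['idp'] else 'off'})")
    for finding in audit(cfg) + audit(parse_config(BAD_ORDER_CONFIG)):
        print("audit:", finding)
```

With the intended order, HTTP to the DMZ servers lands on P1 and is inspected, while any other application falls through to P-any and bypasses IDP entirely; with P-any entered first, even the HTTP flow hits P-any and P1 is dead configuration. Because the address-book entries are entered with a /24 prefix, both Server-HTTP names resolve to the same 192.168.2.0/24 network, which the `resolve` output makes visible.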
67    Copyright © 2016, Juniper Networks, Inc.
Chapter 9: Configuring Intrusion Detection and Prevention for SRX Series