security idp policy

Upload: syed-kashif-ahmed

Post on 07-Aug-2018


  • 8/20/2019 Security Idp Policy

    1/373

    Junos OS

    IDP Policies for Security Devices

    Release 12.1

    Published: 2014-06-30

    Copyright © 2014, Juniper Networks, Inc.


    Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, California 94089, USA, 408-745-2000, www.juniper.net

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Junos OS IDP Policies for Security Devices
    12.1
    Copyright © 2014, Juniper Networks, Inc.
    All rights reserved.

    The information in this document is current as of the date on the title page.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.

    Copyright © 2014, Juniper Networks, Inc.  ii



    Table of Contents

    About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xiii

    Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xiii

    Supported Platforms  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xiii

    Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xiii

    Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xiv

    Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiv

    Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

    Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xvii

    Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xvii

    Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . .  xvii

    Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xviii

    Part 1 Overview

    Chapter 1 Supported Features  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Intrusion Detection and Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    IPv6 Support   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Junos OS Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  8

    Chapter 2 Policy Basics  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11

    IDP Policies Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11

    Understanding IDP Inline Tap Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  12

    Chapter 3 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15

    Understanding IDP Policy Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15

    Understanding IDP Rule Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . .  15

    Understanding IDP Rule Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

    Zone Objects   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  16

    Address or Network Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

    Application or Service Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  16

    Attack Objects   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  17

    Attack Object Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  18

    Understanding IDP Rule Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19

    Understanding IDP Rule IP Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  21

    Understanding IDP Rule Notifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  21

    Understanding IDP Policy Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22

    Understanding Predefined IDP Policy Templates . . . . . . . . . . . . . . . . . . . . . . . . . .  23

    Understanding IDP Application-Level DDoS Rulebases . . . . . . . . . . . . . . . . . . . . .  25

    Understanding IDP IPS Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  26

    Understanding IDP Exempt Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  27

    Understanding IDP Terminal Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

    Understanding DSCP Rules in IDP Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29


    Chapter 4 Applications and Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  31

    Understanding IDP Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

    Chapter 5 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

    Understanding Custom Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

    Attack Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34

    Severity   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34

    Service and Application Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34

    Protocol and Port Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  38

    Time Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39

    Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  40

    Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

    Attack Properties (Signature Attacks) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  40

    Attack Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

    Attack Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  42

    Attack Pattern . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

    Protocol-Specific Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  42

    Sample Signature Attack Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  45

    Attack Properties (Protocol Anomaly Attacks) . . . . . . . . . . . . . . . . . . . . . . . .  46

    Attack Direction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46

    Test Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  46

    Sample Protocol Anomaly Attack Definition . . . . . . . . . . . . . . . . . . . . . .  46

    Attack Properties (Compound or Chain Attacks) . . . . . . . . . . . . . . . . . . . . . . 47

    Scope   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  47

    Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  47

    Reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

    Expression (Boolean expression) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    Member Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

    Sample Compound Attack Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49

    Understanding IDP Protocol Decoders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  49

    Understanding Multiple IDP Detector Support . . . . . . . . . . . . . . . . . . . . . . . . . . . .  50

    Understanding Content Decompression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  51

    Understanding IDP Signature-Based Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  52

    Understanding IDP Protocol Anomaly-Based Attacks . . . . . . . . . . . . . . . . . . . . . .  53

    Part 2 Configuration

    Chapter 6 Policy Basics   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    Example: Enabling IDP in a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

    Example: Configuring IDP Inline Tap Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  60

    Chapter 7 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

    Example: Inserting a Rule in the IDP Rulebase . . . . . . . . . . . . . . . . . . . . . . . . . . . .  63

    Example: Deactivating and Activating Rules in an IDP Rulebase . . . . . . . . . . . . . .  64

    Example: Defining Rules for an IDP IPS Rulebase . . . . . . . . . . . . . . . . . . . . . . . . .  65

    Example: Defining Rules for an IDP Exempt Rulebase . . . . . . . . . . . . . . . . . . . . . .  68

    Example: Setting Terminal Rules in Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . .  71

    Example: Configuring DSCP Rules in an IDP Policy . . . . . . . . . . . . . . . . . . . . . . . . .  73


    Chapter 8 Applications and Application Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  77

    Example: Configuring IDP Applications and Services . . . . . . . . . . . . . . . . . . . . . . . 77

    Example: Configuring IDP Applications Sets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

    Chapter 9 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

    Example: Configuring IDP Protocol Decoders . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  83

    Example: Configuring IDP Content Decompression . . . . . . . . . . . . . . . . . . . . . . . . 84

    Example: Configuring IDP Signature-Based Attacks . . . . . . . . . . . . . . . . . . . . . . . 85

    Example: Configuring IDP Protocol Anomaly-Based Attacks . . . . . . . . . . . . . . . .  88

    Listing IDP Test Conditions for a Specific Protocol . . . . . . . . . . . . . . . . . . . . . . . . .  91

    Example: Configuring Compound or Chain Attacks . . . . . . . . . . . . . . . . . . . . . . . .  91

    Example: Configuring Attack Groups with Dynamic Attack Groups and Custom Attack Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  96

    Chapter 10 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  103

    [edit security forwarding-process] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . .  108

    [edit security idp] Hierarchy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  108

    application-services (Security Forwarding Process) . . . . . . . . . . . . . . . . . . . . . . . 119

    ack-number   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

    action (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  121

    action (Security Rulebase IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  122

    active-policy   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

    alert   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  123

    allow-icmp-without-flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  124

    anomaly   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

    application (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  125

    application (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . .  125

    application (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  126

    application-ddos   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

    application-identification  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    attack-type (Security Anomaly) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

    attack-type (Security Chain) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  128

    attack-type (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  130

    attack-type (Security Signature) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

    attacks (Security Exempt Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  138

    attacks (Security IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  138

    automatic (Security)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  139

    cache-size (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  139

    category (Security Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

    chain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  141

    code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  142

    context (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

    content-decompression-max-memory-kb . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  143

    content-decompression-max-ratio . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  144

    count (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  144

    custom-attack   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

    custom-attack-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  150

    custom-attack-groups (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  150

    custom-attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  151


    data-length   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

    description (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  152

    destination (Security IP Headers Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  152

    destination-address (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  153

    destination-except  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

    destination-port (Security Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . .  154

    detect-shellcode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

    detector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  155

    direction (Security Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  155

    direction (Security Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

    download-timeout  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

    dynamic-attack-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  158

    dynamic-attack-groups (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  159

    enable-all-qmodules  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

    enable-packet-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  160

    expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  160

    false-positives  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  161

    fifo-max-size (IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  161

    fifo-max-size (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  162

    filters   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  163

    flow (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  164

    from-zone (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  164

    forwarding-process   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

    global (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  166

    group-members  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

    hash-table-size (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  167

    header-length  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  167

    high-availability (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  168

    icmp (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

    icmp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  169

    icmpv6 (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

    identification (Security ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  170

    identification (Security IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

    idp-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

    idp-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  174

    ignore-memory-overflow  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

    ignore-reassembly-overflow  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  175

    ignore-regular-expression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  175

    include-destination-address  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

    inline-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  176

    interval (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  177

    ip-action (Security Application-Level DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  177

    ip-action (Security IDP Rulebase IPS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  178

    ip-block  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

    ip-close   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

    ip-connection-rate-limit   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

    ip-flags   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

    ip-notify   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

    ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  181


    ipv4 (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  182

    ipv6 (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  183

    log (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

    log (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  184

    log-attacks  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  184

    log-create   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  185

    log-errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  185

    log-supercede-min . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  186

    match (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  187

    match (Security Rulebase DDoS) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

    max-flow-mem   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

    max-logs-operate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  189

    max-packet-mem   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

    max-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  190

    max-sessions (Security Packet Log) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  190

    max-tcp-session-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  191

    max-time-report   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

    max-timers-poll-ticks   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

    max-udp-session-packet-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

    maximize-idp-sessions   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

    member (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  194

    mss (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

    negate   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

    nested-application (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

    notification  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  196

    option (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  197

    order (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

    packet-log (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  198

    packet-log (Security IDP Sensor Configuration) . . . . . . . . . . . . . . . . . . . . . . . . . .  199

    pattern (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  199

    performance   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

    policy-lookup-cache  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  200

    post-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  201

    post-attack-timeout   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

    pre-attack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  202

    pre-filter-shellcode  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

    predefined-attack-groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  203

    predefined-attacks   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

    process-ignore-s2c  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

    process-override   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

    process-port   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

    products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  205

    protocol-binding  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

    protocol-name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  207

    protocol (Security IDP IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  207

    protocol (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

    re-assembler   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

    recommended-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  212

    refresh-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  212


    regexp   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

    reject-timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

    reset (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  214

    reset-on-policy  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  214

    rpc   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  215

    rule (Security Exempt Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

    rule (Security DDoS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  217

    rule (Security IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

    rulebase-ddos  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

    rulebase-exempt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

    rulebase-ips   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

    scope (Security IDP Chain Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

    scope (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  224

    security-package   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225

    sensor-configuration  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

    sequence-number (Security IDP ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . 228

    sequence-number (Security IDP TCP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . .  228

    service (Security IDP Anomaly Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  229

    service (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . .  229

    sessions   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

    severity (Security IDP Custom Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  231

    severity (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . .  232

    severity (Security IDP IPS Rulebase) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  233

    shellcode   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

    signature (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  235

    source (Security IDP IP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

    source-address (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  239

    source-address (Security IDP Sensor Configuration) . . . . . . . . . . . . . . . . . . . . . 240

    source-except   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

    source-port (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

    ssl-inspection   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

    start-log   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

    start-time (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

    statistics (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

    suppression   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

    target (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

    tcp (Security IDP Protocol Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  246

    tcp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

    tcp-flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

    terminal   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

    test (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  250

    then (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

    then (Security Rulebase DDos) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  252

    time-binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  253

    timeout (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  253

    to-zone (Security IDP Policy) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  254

    tos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  255

    total-length   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

    total-memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  256


    traceoptions (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  257

    ttl (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  259

    tunable-name   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

    tunable-value   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

    type (Security IDP Dynamic Attack Group) . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  260

    type (Security IDP ICMP Headers) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

    udp (Security IDP Protocol Binding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

    udp (Security IDP Signature Attack) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  262

    udp-anticipated-timeout (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  262

    urgent-pointer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

    url (Security IDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

    weight . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

    window-scale . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  265

    window-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  265

    traceoptions (Security Datapath Debug) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

    Part 3 Administration

    Chapter 11 Clear Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

    clear security idp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  272

    clear security idp application-ddos cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  273

    clear security idp attack table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  274

    clear security idp counters application-identification . . . . . . . . . . . . . . . . . . . . . . 275

    clear security idp counters dfa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  276

    clear security idp counters flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  277

    clear security idp counters http-decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  278

    clear security idp counters ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  279

    clear security idp counters log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  280

    clear security idp counters packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

    clear security idp counters policy-manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 282

    clear security idp counters tcp-reassembler . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  283

    clear security idp ssl-inspection session-id-cache . . . . . . . . . . . . . . . . . . . . . . . .  284

    Chapter 12 Request Commands   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

    request security idp security-package download . . . . . . . . . . . . . . . . . . . . . . . . . 286

    request security idp security-package install . . . . . . . . . . . . . . . . . . . . . . . . . . . .  288

    request security idp ssl-inspection key add . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  290

    request security idp ssl-inspection key delete . . . . . . . . . . . . . . . . . . . . . . . . . . .  292

    request security idp storage-cleanup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  294

    Chapter 13 Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  295

    show security flow session idp summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  297

    show security idp active-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299

    show security idp application-ddos application . . . . . . . . . . . . . . . . . . . . . . . . .  300

    show security idp attack description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

    show security idp attack detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  303

    show security idp attack table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  305

    show security idp counters application-ddos . . . . . . . . . . . . . . . . . . . . . . . . . . .  306

    show security idp counters application-identification . . . . . . . . . . . . . . . . . . . . .  309

    show security idp counters dfa . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  311


    show security idp counters flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  312

    show security idp counters http-decoder . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  315

    show security idp counters ips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  316

    show security idp counters log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  319

    show security idp counters packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  322

    show security idp counters packet-log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  325

    show security idp counters policy-manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  327

    show security idp counters tcp-reassembler . . . . . . . . . . . . . . . . . . . . . . . . . . . .  328

    show security idp logical-system policy-association . . . . . . . . . . . . . . . . . . . . . .  331

    show security idp memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  332

    show security idp policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  333

    show security idp policy-commit-status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  334

    show security idp policy-commit-status clear . . . . . . . . . . . . . . . . . . . . . . . . . . .  335

    show security idp policy-templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

    show security idp predefined-attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  337

    show security idp security-package-version . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  339

    show security idp ssl-inspection key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  340

    show security idp ssl-inspection session-id-cache . . . . . . . . . . . . . . . . . . . . . . . . 341

    show security idp status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  342

    show security idp status detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  344

    Part 4 Index

    Index   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  349


    List of Tables

    About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiii

    Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xv

    Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xv

    Part 1 Overview

    Chapter 1 Supported Features  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Table 3: IDP Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    Table 4: IPv6 Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Table 5: Junos OS Feature Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Chapter 3 Rules and Rulebases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  15

    Table 6: IDP Attack Objects Description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  17

    Table 7: IDP Rule Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19

    Table 8: IDP Rule IP Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  21

    Table 9: Predefined IDP Policy Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  24

    Table 10: Application-Level DDoS Rulebase Components . . . . . . . . . . . . . . . . . . .  25

    Table 11: IPS Rulebase Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

    Table 12: Exempt Rulebase Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

    Chapter 5 Attacks and Attack Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

    Table 13: Supported Services for Service Bindings . . . . . . . . . . . . . . . . . . . . . . . . .  34

    Table 14: Supported Protocols and Protocol Numbers . . . . . . . . . . . . . . . . . . . . .  38

    Table 15: Sample Formats for Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  39

    Table 16: IP Protocol Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  43

    Table 17: TCP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  44

    Table 18: UDP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  45

    Table 19: ICMP Header Fields and Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  45

    Part 2 Configuration

    Chapter 10 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  103

    Table 20: Session Capacity and Resulting Throughput . . . . . . . . . . . . . . . . . . . .  264

    Part 3 Administration

    Chapter 13 Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  295

    Table 21: show security flow session idp summary Output Fields . . . . . . . . . . . .  297

    Table 22: show security idp active-policy Output Fields . . . . . . . . . . . . . . . . . . .  299

    Table 23: show security idp application-ddos Output Fields . . . . . . . . . . . . . . . .  300

    Table 24: show security idp attack description Output Fields . . . . . . . . . . . . . . .  302

    Table 25: show security idp attack detail Output Fields . . . . . . . . . . . . . . . . . . . .  303


    Table 26: show security idp attack table Output Fields . . . . . . . . . . . . . . . . . . . .  305

    Table 27: show security idp counters application-ddos Output Fields . . . . . . . .  306

    Table 28: show security idp counters application-identification Output Fields . . 309

    Table 29: show security idp counters dfa Output Fields . . . . . . . . . . . . . . . . . . . .  311

    Table 30: show security idp counters flow Output Fields . . . . . . . . . . . . . . . . . . .  312

    Table 31: show security idp counters http-decoder Output Fields . . . . . . . . . . . .  315

    Table 32: show security idp counters ips Output Fields . . . . . . . . . . . . . . . . . . . .  316

    Table 33: show security idp counters log Output Fields . . . . . . . . . . . . . . . . . . . .  319

    Table 34: show security idp counters packet Output Fields . . . . . . . . . . . . . . . . . 322

    Table 35: show security idp counters policy-manager Output Fields . . . . . . . . . 327

    Table 36: show security idp counters tcp-reassembler Output Fields . . . . . . . . . 328

    Table 37: show security idp logical-system policy-association Output Fields . . . 331

    Table 38: show security idp memory Output Fields . . . . . . . . . . . . . . . . . . . . . . . 332

    Table 39: show security idp security-package-version Output Fields . . . . . . . . .  339

    Table 40: show security idp ssl-inspection key Output Fields . . . . . . . . . . . . . . .  340

    Table 41: show security idp ssl-inspection session-id-cache Output Fields . . . .  341

    Table 42: show security idp status Output Fields . . . . . . . . . . . . . . . . . . . . . . . . .  342


    About the Documentation

    •   Documentation and Release Notes on page xiii

    •   Supported Platforms on page xiii

    •   Using the Examples in This Manual on page xiii

    •   Documentation Conventions on page xv

    •   Documentation Feedback on page xvii

    •   Requesting Technical Support on page xvii

    Documentation and Release Notes

    To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    If the information in the latest release notes differs from the information in the documentation, follow the product Release Notes.

    Juniper Networks Books publishes books by Juniper Networks engineers and subject matter experts. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration. The current list can be viewed at http://www.juniper.net/books.

    Supported Platforms

    For the features described in this document, the following platforms are supported:

    •   J Series

    •   SRX Series

    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.


    If the example configuration does not start at the top level of the hierarchy, the example

    is a snippet. In this case, use the load merge relative command. These procedures are

    described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1.   From the HTML or PDF version of the manual, copy a configuration example into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2.   Merge the contents of the file into your routing platform configuration by issuing the

    load merge configuration mode command:

    [edit]

    user@host# load merge /var/tmp/ex-script.conf

    load complete

    Merging a Snippet

    To merge a snippet, follow these steps:

    1.   From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following

    configuration mode command:


    [edit]

    user@host# edit system scripts

    [edit system scripts]

    3.   Merge the contents of the file into your routing platform configuration by issuing the

    load merge relative configuration mode command:

    [edit system scripts]

    user@host# load merge relative /var/tmp/ex-script-snippet.conf

    load complete

    For more information about the load command, see the CLI User Guide.
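As an added example, not code from the Juniper manual: a Python helper that applies the full-example versus snippet rule above to a configuration file before it is copied to the device. It tokenizes the curly-brace format, rejects unbalanced braces and unterminated statements, and reports whether load merge or load merge relative is the right command. The list of top-level hierarchy names is an assumption, and the two inputs are the manual's examples reproduced as constructed strings.

```python
import re
# Assumed (partial) list of top-level Junos hierarchy names; extend as needed.
TOP_LEVEL_HIERARCHIES = {
    "system", "interfaces", "security", "protocols", "routing-options", "firewall",
    "policy-options", "chassis", "services", "applications", "snmp", "groups",
}

# A token is a quoted string, a single brace or semicolon, or a bare word.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    """Split configuration text into tokens; a '#' comment runs to end of line."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]  # a '#' inside a quoted string is not handled
        tokens.extend(_TOKEN.findall(line))
    return tokens

def parse(text):
    """Nested dict of the config (containers -> dict, leaves -> None); ValueError if malformed."""
    root = {}
    stack = [root]
    words = []
    for tok in tokenize(text):
        if tok == "{":
            if not words:
                raise ValueError("'{' without a statement name")
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            if not words:
                raise ValueError("';' without a statement")
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            if words:
                raise ValueError("unterminated statement: " + " ".join(words))
            if len(stack) == 1:
                raise ValueError("'}' without a matching '{'")
            stack.pop()
        else:
            words.append(tok)
    if words:
        raise ValueError("unterminated statement: " + " ".join(words))
    if len(stack) != 1:
        raise ValueError("%d unclosed '{'" % (len(stack) - 1))
    return root

def is_well_formed(text):
    """True when the text parses cleanly; a malformed file is rejected by load merge."""
    try:
        parse(text)
    except ValueError:
        return False
    return True

def classify(text, path):
    """Say whether the file at path is a full example or a snippet, and how to load it."""
    tree = parse(text)
    if not tree:
        raise ValueError("empty configuration")
    stanzas = [stmt.split()[0] for stmt in tree]  # first word of each top statement
    if all(name in TOP_LEVEL_HIERARCHIES for name in stanzas):
        return {"kind": "full", "stanzas": stanzas, "command": "load merge " + path}
    # A snippet does not record its parent hierarchy; 'edit <parent>' comes first.
    return {"kind": "snippet", "stanzas": stanzas, "command": "load merge relative " + path}

# Constructed inputs: the manual's two examples, as a user would paste them.
FULL_EXAMPLE = """\
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
"""

SNIPPET_EXAMPLE = """\
commit {
    file ex-script-snippet.xsl;  # load under [edit system scripts]
}
"""

if __name__ == "__main__":
    print(classify(FULL_EXAMPLE, "/var/tmp/ex-script.conf"))
    print(classify(SNIPPET_EXAMPLE, "/var/tmp/ex-script-snippet.conf"))
```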

    Documentation Conventions

    Table 1 on page xv defines notice icons used in this guide.

    Table 1: Notice Icons

    Meaning | Description
    Informational note | Indicates important features or instructions.
    Caution | Indicates a situation that might result in loss of data or hardware damage.
    Warning | Alerts you to the risk of personal injury or death.
    Laser warning | Alerts you to the risk of personal injury from a laser.
    Tip | Indicates helpful information.
    Best practice | Alerts you to a recommended use or implementation.

    Table 2 on page xv defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
      Description: Represents text that you type.
      Example: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
      Description: Represents output that appears on the terminal screen.
      Example:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
      Description: Introduces or emphasizes important new terms; identifies guide names; identifies RFC and Internet draft titles.
      Examples:
        A policy term is a named structure that defines match conditions and actions.
        Junos OS CLI User Guide
        RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
      Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
      Example: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
      Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
      Examples:
        To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
        The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
      Description: Encloses optional keywords or variables.
      Example: stub <default-metric metric>;

    Convention: | (pipe symbol)
      Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
      Examples:
        broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
      Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
      Example: rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
      Description: Encloses a variable for which you can substitute one or more values.
      Example: community name members [community-ids]

    Convention: Indention and braces ( { } )
      Description: Identifies a level in the configuration hierarchy.
      Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    Convention: ; (semicolon)
      Description: Identifies a leaf statement at a configuration hierarchy level.
      Example: the nexthop address; and retain; statements in the routing-options example above.

    GUI Conventions

    Convention: Bold text like this
      Description: Represents graphical user interface (GUI) items you click or select.
      Examples:
        In the Logical Interfaces box, select All Interfaces.
        To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
      Description: Separates levels in a hierarchy of menu selections.
      Example: In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can

    improve the documentation. You can provide feedback by using either of the following

    methods:

    •   Online feedback rating system—On any page at the Juniper Networks Technical Documentation site at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content, and use the pop-up form to provide us with information about your experience. Alternately, you can use the online feedback form at https://www.juniper.net/cgi-bin/docbugreport/.

    •   E-mail—Send your comments to [email protected]. Include the document or topic name, URL or page number, and software version (if applicable).

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need post-sales technical support, you can access our tools and resources online or open a case with JTAC.

    •   JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    •   Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

    •   JTAC hours of operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

    •   Find CSC offerings: http://www.juniper.net/customers/support/

    •   Search for known bugs: http://www2.juniper.net/kb/

    •   Find product documentation: http://www.juniper.net/techpubs/

    •   Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/


    •   Download the latest versions of software and review release notes:

    http://www.juniper.net/customers/csc/software/

    •   Search technical bulletins for relevant hardware and software notifications:

    http://kb.juniper.net/InfoCenter/

    •   Join and participate in the Juniper Networks Community Forum:

    http://www.juniper.net/company/communities/

    •   Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    •   Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

    •   Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, see http://www.juniper.net/support/requesting-support.html.


    PART 1

    Overview

    •   Supported Features on page 3

    •   Policy Basics on page 11

    •   Rules and Rulebases on page 15

    •   Applications and Application Sets on page 31

    •   Attacks and Attack Objects on page 33


    CHAPTER 1

    Supported Features

    •   Intrusion Detection and Prevention on page 3

    •   IPv6 Support on page 5

    •   Junos OS Feature Licenses on page 8

    Intrusion Detection and Prevention

    The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively

    enforce various attack detection and prevention techniques on network traffic passing

    through an IDP-enabled device. It allows you to define policy rules to match traffic based

    on a zone, network, and application, and then take active or passive preventive actions

    on that traffic.

    Table 3 on page 3 lists IDP features that are supported on SRX Series and J Series

    devices.

    Table 3: IDP Support

    Feature | SRX100, SRX110, SRX210, SRX220, SRX240 | SRX550, SRX650 | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | J Series
    Access control on IDP audit logs | Yes | Yes | No | No
    Alarms and auditing | Yes | Yes | Yes | No
    Application identification (see Application Identification (Junos OS) for the Junos OS version of application identification) | Yes | Yes | Yes | Yes
    Application-level DDoS rule base | No | No | Yes | No
    Cryptographic key handling | No | No | Yes | No
    DSCP marking | No | No | Yes | No
    IDP and UAC coordinated threat control | Yes | Yes | Yes | No
    IDP class-of-service action | No | No | Yes | No
    IDP in an active/active chassis cluster | SRX210, SRX220, and SRX240 only | Yes | Yes | No
    IDP inline tap mode | No | No | Yes | No
    IDP logging | Yes | Yes | Yes | Yes
    IDP monitoring and debugging | Yes | Yes | Yes | Yes
    IDP policy | Yes | Yes | Yes | Yes
    IDP security packet capture | No | No | Yes | No
    IDP signature database | Yes | Yes | Yes | Yes
    IDP SSL inspection | No | No | Yes | No
    IPS rule base | Yes | Yes | Yes | Yes
    Jumbo frames | Yes | Yes | Yes (9192 bytes) | Yes (9010 bytes)
    Nested application identification (extended application identification) | Yes | Yes | Yes | No
    Performance and capacity tuning for IDP | No | No | Yes | No
    SNMP MIB for IDP monitoring | Yes | Yes | Yes | Yes


    Related Documentation

    •   Junos OS Security Configuration Guide

    IPv6 Support

    IPv6 is the successor to IPv4. IPv6 builds upon the functionality of IPv4, providing improvements to addressing, configuration and maintenance, and security. These improvements include:

    •   Expanded addressing capabilities—IPv6 provides a larger address space. IPv6 addresses consist of 128 bits, whereas IPv4 addresses consist of 32 bits.

    •   Header format simplification—The IPv6 packet header format is designed to be efficient. IPv6 standardizes the size of the packet header to 40 bytes, divided into 8 fields.

    •   Improved support for extensions and options—Extension headers carry Internet-layer information and have a standard size and structure.

    •   Improved privacy and security—IPv6 supports extensions for authentication and data integrity, which enhance privacy and security.

    Table 4 on page 5 lists the SRX Series and J Series device features that support IPv6.

    Table 4: IPv6 Support

    Feature | J Series | SRX1400, SRX3400, SRX3600, SRX5600, SRX5800 | SRX550, SRX650 | SRX100, SRX110, SRX210, SRX220, SRX240
    --------|----------|---------------------------------------------|----------------|---------------------------------------
    Chassis cluster | | | |
    Active-active | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only
    Active-passive | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only
    Multicast flow | Yes | Yes | Yes | SRX100, SRX210, SRX220, and SRX240 only
    Flow-based forwarding and security features | | | |
    Advanced flow | Yes | Yes | Yes | Yes
    DS-Lite concentrator (aka AFTR) | No | Yes | Yes | No
    DS-Lite initiator (aka B4) | No | No | No | No
    Firewall filters | Yes | Yes | Yes | Yes
    Forwarding option: flow mode | Yes | Yes | Yes | Yes
    Multicast flow | Yes | Yes | Yes | Yes
    Screens | Yes | Yes | Yes | Yes
    Security policy (firewall) | Yes | Yes | Yes | Yes
    Security policy (IDP) | No | Yes | No | No
    Security policy (user role firewall) | No | No | No | No
    Zones | Yes | Yes | Yes | Yes
    IPv6 ALG support for FTP (Routing, NAT, NAT-PT support) | Yes | Yes | Yes | Yes
    IPv6 ALG support for ICMP (Routing, NAT, NAT-PT support) | Yes | Yes | Yes | Yes
    IPv6 NAT (NAT-PT, NAT support) | Yes | Yes | Yes | Yes
    IPv6 NAT64 | Yes | Yes | Yes | Yes
    IPv6-related protocols (BFD, BGP, ECMPv6, ICMPv6, ND, OSPFv3, RIPng) | Yes | Yes | Yes | Yes
    IPv6 ALG support for TFTP | Yes | Yes | Yes | Yes
    System services (DHCPv6, DNS, FTP, HTTP, ping, SNMP, SSH, syslog, Telnet, traceroute) | Yes | Yes | Yes | Yes
    IPv6 IDP/AppSecure | | | |
    Application DDoS (AppDoS) | No | No | No | No
    Application Firewall (AppFW) | No | Yes | Yes | Yes
    Application QoS (AppQoS) | No | Yes | No | No
    Application Tracking (AppTrack) | No | No | No | No
    IDP | No | Yes | No | No
    Logical systems | | | |
    Admin operations (Telnet, SSH, HTTPS, and so on) | No | Yes | No | No
    Chassis clusters | No | Yes | No | No
    Firewall authentication | No | Yes | No | No
    Flows | No | Yes | No | No
    Interfaces | No | Yes | No | No
    IPv6 dual-stack lite (DS-Lite) | No | Yes | No | No
    NAT (except interface NAT) | No | Yes | No | No
    Routing (BGP only) | No | Yes | No | No
    Screen options | No | Yes | No | No
    Zones and security policies | No | Yes | No | No
    Packet-based forwarding and security features | | | |
    Class of service | Yes | Yes | Yes | Yes
    Firewall filters | Yes | Yes | Yes | Yes
    Forwarding option: packet mode | Yes | No | Yes | Yes

    Related Documentation

    •   Junos OS Security Configuration Guide

    Junos OS Feature Licenses

    Each feature license is tied to exactly one software feature, and that license is valid for exactly one device. Table 5 on page 8 describes the Junos OS features that require licenses.

    Table 5: Junos OS Feature Licenses

    Device columns, in the order the X marks are listed: SRX 5000 line, SRX 3000 line, SRX 1000 line, SRX650, SRX550, SRX240, SRX220, SRX210, SRX110, SRX100, J Series

    Feature | Junos OS License Requirements
    --------|------------------------------
    Access Manager | X X X X X X X
    BGP Route Reflectors | X X
    Dynamic VPN | X X X X X X X
    IDP Signature Update | X X X X X X* X* X* X X* X
    Application Signature Update (Application Identification) | X X X X X X X X X X X
    Juniper-Kaspersky Anti-Virus | X X X X X X X X
    Juniper-Sophos Anti-Spam | X X X X X X X X
    Juniper-Websense Integrated Web Filtering | X X X X X X X X
    SRX100 Memory Upgrade | X
    UTM | X X X* X X* X X* X

    * Indicates support on high-memory devices only

    Related Documentation

    •   Junos OS Security Configuration Guide

    •   Junos OS Initial Configuration Guide for Security Devices


    CHAPTER 2

    Policy Basics

    •   IDP Policies Overview on page 11

    •   Understanding IDP Inline Tap Mode on page 12

    IDP Policies Overview

    The Junos OS Intrusion Detection and Prevention (IDP) policy enables you to selectively enforce various attack detection and prevention techniques on network traffic passing through an IDP-enabled device. It allows you to define policy rules to match a section of traffic based on a zone, network, and application, and then take active or passive preventive actions on that traffic.

    An IDP policy defines how your device handles the network traffic. It allows you to enforce various attack detection and prevention techniques on traffic traversing your network.

    A policy is made up of rulebases, and each rulebase contains a set of rules. You define rule parameters, such as traffic match conditions, action, and logging requirements, then add the rules to rulebases. After you create an IDP policy by adding rules in one or more rulebases, you can select that policy to be the active policy on your device.

    Junos OS allows you to configure multiple IDP policies, but a device can have only one active IDP policy at a time. You can install the same IDP policy on multiple devices, or you can install a unique IDP policy on each device in your network. A single policy can contain only one instance of any type of rulebase.

    NOTE:   The IDP feature is enabled by default; no license is required. Custom attacks and custom attack groups in IDP policies can also be configured and installed even when a valid license and signature database are not installed on the device.

    You can perform the following tasks to manage IDP policies:

    •   Create new IDP policies starting from scratch. See “Example: Defining Rules for an IDP IPS Rulebase” on page 65.

    •   Create an IDP policy starting with one of the predefined templates provided by Juniper Networks (see “Understanding Predefined IDP Policy Templates” on page 23).

    •   Add or delete rules within a rulebase. You can use any of the following IDP objects to create rules:

        •   Zone and network objects available in the base system

        •   Predefined service objects provided by Juniper Networks

        •   Custom application objects

        •   Predefined attack objects provided by Juniper Networks

    •   Create custom attack objects (see “Example: Configuring IDP Signature-Based Attacks” on page 85).

    •   Update the signature database provided by Juniper Networks. This database contains all predefined objects.

    •   Maintain multiple IDP policies. Any one of the policies can be applied to the device.

    Related Documentation

    •   Junos OS Feature Support Reference for SRX Series and J Series Devices

    •   Understanding IDP Policy Rules on page 15

    •   Understanding IDP Terminal Rules on page 28

    •   Understanding IDP Application Sets on page 31

    •   Understanding Custom Attack Objects on page 33

    •   Example: Enabling IDP in a Security Policy on page 57

    Understanding IDP Inline Tap Mode

    The main purpose of inline tap mode is to provide best-case deep inspection analysis of traffic while maintaining the overall performance and stability of the device. The inline tap feature provides passive, inline detection of application-layer threats for traffic matching security policies that have the IDP application service enabled. When a device is in inline tap mode, packets pass through firewall inspection and are also copied to the independent IDP module. This allows the packets to get to the next service module without waiting for IDP processing results. As a result, when the traffic input is beyond the IDP throughput limit, the device can still sustain processing as long as the traffic does not exceed the limits of the other modules, such as the firewall. If the IDP process fails, all other features of the device will continue to function normally. Once the IDP process recovers, it will resume processing packets for inspection. Since inline tap mode puts IDP in a passive mode for monitoring, preventive actions such as session close, drop, and mark diffserv are deferred. The drop packet action is ignored.

    Inline tap mode can only be configured if the forwarding process mode is set to maximize IDP sessions, which ensures stability and resiliency for firewall services. You also do not need a separate tap or span port to use inline tap mode.

    NOTE:   You must restart the device when switching to inline tap mode or back to regular mode.


    Related Documentation

    •   Junos OS Feature Support Reference for SRX Series and J Series Devices

    •   Example: Configuring IDP Inline Tap Mode on page 60

    •   IDP Policies Overview on page 11

    •   Understanding IDP Policy Rules on page 15

    •   Understanding IDP Policy Rulebases on page 22


    CHAPTER 3

    Rules and Rulebases

    •   Understanding IDP Policy Rules on page 15

    •   Understanding IDP Policy Rulebases on page 22

    •   Understanding Predefined IDP Policy Templates on page 23

    •   Understanding IDP Application-Level DDoS Rulebases on page 25

    •   Understanding IDP IPS Rulebases on page 26

    •   Understanding IDP Exempt Rulebases on page 27

    •   Understanding IDP Terminal Rules on page 28

    •   Understanding DSCP Rules in IDP Policies on page 29

    Understanding IDP Policy Rules

    Each instruction in an Intrusion Detection and Prevention (IDP) policy is called a rule. Rules are created in rulebases.

    A rulebase is a set of rules that combine to define an IDP policy. Rules provide context to detection mechanisms by specifying which part of the network traffic the IDP system should look in to find attacks. When a rule is matched, it means that an attack has been detected in the network traffic, triggering the action for that rule. The IDP system performs the specified action and protects your network from that attack.

    IDP policy rules are made up of the following components:

    •   Understanding IDP Rule Match Conditions on page 15

    •   Understanding IDP Rule Objects on page 16

    •   Understanding IDP Rule Actions on page 19

    •   Understanding IDP Rule IP Actions on page 21

    •   Understanding IDP Rule Notifications on page 21

    Understanding IDP Rule Match Conditions

    Match conditions specify the type of network traffic you want IDP to monitor for attacks.


    Match conditions use the following characteristics to specify the type of network traffic to be monitored:

    •   From-zone and to-zone—All traffic flows from a source to a destination zone. You can select any zone for the source or destination. You can also use zone exceptions to specify unique to and from zones for each device. Specify any to monitor network traffic originating from and to any zone. The default value is any.

    •   Source IP address—Specify the source IP address from which the network traffic originates. You can specify any to monitor network traffic originating from any IP address. You can also specify source-except to specify all sources except the specified addresses. The default value is any.

    •   Destination IP address—Specify the destination IP address to which the network traffic is sent. You can set this to any to monitor network traffic sent to any IP address. You can also specify destination-except to specify all destinations except the specified addresses. The default value is any.

    •   Application—Specify the Application Layer protocols supported by the destination IP address. You can specify any for all applications and default for the application configured in the attack object for the rule.
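    As an added illustration (not code from the Junos OS guide), the following Python model evaluates the four match conditions above against a flow, including the negated source-except/destination-except forms. Zone names, addresses and attack object names are constructed, and the default application value is modelled as an assumption: each attack object is checked only on the application it was written for.

```python
# Added example (not from the Junos OS guide): a Python model of how an IDP rule's
# match conditions (from-zone/to-zone, source, destination, application) decide whether
# a flow is handed to the rule's attack objects. All names and addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Sequence

ANY = "any"

@dataclass(frozen=True)
class AddressMatch:
    """Source or destination condition: no prefixes means 'any'; negate=True models
    source-except / destination-except (everything except the listed addresses)."""
    prefixes: Sequence[str] = ()
    negate: bool = False

    def matches(self, addr: str) -> bool:
        if not self.prefixes:
            return True
        hit = any(ip_address(addr) in ip_network(p, strict=False) for p in self.prefixes)
        return (not hit) if self.negate else hit

@dataclass(frozen=True)
class AttackObject:
    name: str
    application: str  # the application the attack object is written for

@dataclass(frozen=True)
class Rule:
    name: str
    attacks: Sequence[AttackObject]
    from_zone: str = ANY
    to_zone: str = ANY
    source: AddressMatch = AddressMatch()
    destination: AddressMatch = AddressMatch()
    application: str = "default"  # 'any', 'default', or one named application

@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    application: str  # application identified on the session

def zone_ok(rule_zone: str, flow_zone: str) -> bool:
    return rule_zone == ANY or rule_zone == flow_zone

def applicable_attacks(rule: Rule, flow: Flow) -> List[str]:
    """Names of the rule's attack objects that apply to this flow; [] if the rule does not match."""
    if not (zone_ok(rule.from_zone, flow.from_zone) and zone_ok(rule.to_zone, flow.to_zone)):
        return []
    if not (rule.source.matches(flow.src) and rule.destination.matches(flow.dst)):
        return []
    if rule.application == ANY:
        return [a.name for a in rule.attacks]
    if rule.application == "default":
        # 'default' (modelling assumption): each attack object applies only to its own application
        return [a.name for a in rule.attacks if a.application == flow.application]
    return [a.name for a in rule.attacks] if rule.application == flow.application else []

# Constructed sample rule: inspect untrust-to-trust traffic to every destination except the
# 10.0.9.0/24 lab subnet (destination-except), with application left at 'default'.
FTP_ATTACK = AttackObject("ftp-sample-attack", "ftp")
HTTP_ATTACK = AttackObject("http-sample-attack", "http")
SAMPLE_RULE = Rule(
    name="r1",
    attacks=(FTP_ATTACK, HTTP_ATTACK),
    from_zone="untrust",
    to_zone="trust",
    destination=AddressMatch(prefixes=("10.0.9.0/24",), negate=True),
)
```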

    Understanding IDP Rule Objects

    Objects are reusable logical entities that you can apply to rules. Each object that you create is added to a database for the object type.

    You can configure the following types of objects for IDP rules.

    Zone Objects

    A zone or security zone is a collection of one or more network interfaces. IDP uses zone objects configured in the base system.

    Address or Network Objects

    Address objects represent components of your network, such as host machines, servers, and subnets. You use address objects in IDP policy rules to specify the network components that you want to protect.

    Application or Service Objects

    Service objects represent network services that use Transport Layer protocols such as TCP, UDP, RPC, and ICMP. You use service objects in rules to specify the service an attack uses to access your network. Juniper Networks provides predefined service objects, a database of service objects that are based on industry-standard services. If you need to add service objects that are not included in the predefined service objects, you can create custom service objects. IDP supports the following types of service objects:

    •   Any—Allows IDP to match all Transport Layer protocols.

    •   TCP—Specifies a TCP port or a port range to match network services for specified TCP ports. You can specify junos-tcp-any to match services for all TCP ports.


    •   UDP—Specifies a UDP port or a port range to match network services for specified UDP ports. You can specify junos-udp-any to match services for all UDP ports.

    •   RPC—Specifies a remote procedure call (RPC from Sun Microsystems) program number or a program number range. IDP uses this information to identify RPC sessions.

    •   ICMP—Specifies a type and code that is a part of an ICMP packet. You can specify junos-icmp-all to match all ICMP services.

    •   default—Allows IDP to match default and automatically detected protocols to the applications implied in the attack objects.

    Attack Objects

    IDP attack objects represent known and unknown attacks. IDP includes a predefined attack object database that is periodically updated by Juniper Networks. Attack objects are specified in rules to identify malicious activity. Each attack is defined as an attack object, which represents a known pattern of attack. Whenever this known pattern of attack is encountered in the monitored network traffic, the attack object is matched. The three main types of attack objects are described in Table 6 on page 17:

    Table 6: IDP Attack Objects Description

    Attack Objects | Description
    ---------------|------------
    Signature Attack Objects | Signature attack objects detect known attacks using stateful attack signatures. An attack signature is a pattern that always exists within an attack; if the attack is present, so is the attack signature. With stateful signatures, IDP can look for the specific protocol or service used to perpetrate the attack, the direction and flow of the attack, and the context in which the attack occurs. Stateful signatures produce few false positives because the context of the attack is defined, eliminating huge sections of network traffic in which the attack would not occur.
    Protocol Anomaly Attack Objects | Protocol anomaly attack objects identify unusual activity on the network. They detect abnormal or ambiguous messages within a connection according to the set of rules for the particular protocol being used. Protocol anomaly detection works by finding deviations from protocol standards, most often defined by RFCs and common RFC extensions. Most legitimate traffic adheres to established protocols. Traffic that does not produces an anomaly, which may be created by attackers for specific purposes, such as evading an intrusion prevention system (IPS).
    Compound Attack Objects | A compound attack object combines multiple signatures and/or protocol anomalies into a single object. Traffic must match all of the combined signatures and/or protocol anomalies to match the compound attack object; you can specify the order in which signatures or anomalies must match. Use compound attack objects to refine your IDP policy rules, reduce false positives, and increase detection accuracy. A compound attack object enables you to be very specific about the events that need to occur before IDP identifies traffic as an attack. You can use And, Or, and Ordered and operations to define the relationship among different attack objects within a compound attack and the order in which events occur.
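    As an added example, not code from the guide, the following Python model shows how a compound attack object's And, Or and Ordered and relationships combine the member signatures or anomalies observed in one session, and why Ordered and rejects the same events seen in the wrong order. The member names and event sequences are constructed.

```python
# Added example (not from the Junos OS guide): a Python model of a compound attack object,
# whose members (signatures or protocol anomalies) are combined with And, Or and Ordered and.
# Member names and the per-session event sequences are constructed.
from dataclasses import dataclass
from typing import Optional, Sequence, Union

@dataclass(frozen=True)
class Member:
    """One signature or protocol-anomaly member of a compound attack object."""
    name: str

@dataclass(frozen=True)
class Compound:
    """op is 'and' (all members, any order), 'or' (any member) or 'ordered-and'
    (all members, in the listed order); members may themselves be compounds."""
    op: str
    members: Sequence[Union[Member, "Compound"]]

def _end(node, events: Sequence[str], start: int) -> Optional[int]:
    """Index just past the last event the node needs to match within events[start:],
    or None when the node does not match there."""
    if isinstance(node, Member):
        for i in range(start, len(events)):
            if events[i] == node.name:
                return i + 1
        return None
    if node.op == "or":
        ends = [e for e in (_end(m, events, start) for m in node.members) if e is not None]
        return min(ends) if ends else None
    if node.op == "and":
        ends = [_end(m, events, start) for m in node.members]
        return None if None in ends else max(ends)
    if node.op == "ordered-and":
        pos = start
        for m in node.members:
            pos = _end(m, events, pos)
            if pos is None:
                return None
        return pos
    raise ValueError(f"unknown operation {node.op!r}")

def compound_matches(compound: Compound, events: Sequence[str]) -> bool:
    """True when the member hits observed in one session satisfy the compound attack object."""
    return _end(compound, events, 0) is not None

# Constructed compound object: an FTP login anomaly must be followed, in that order,
# by either an oversized CWD argument or an oversized MKD argument signature.
LOGIN_THEN_LONG_DIR = Compound("ordered-and", (
    Member("ftp-login-anomaly"),
    Compound("or", (Member("ftp-cwd-oversize"), Member("ftp-mkd-oversize"))),
))
```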

    Attack Object Groups

    IDP contains a large number of predefined attack objects. To help keep IDP policies organized and manageable, attack objects can be grouped. An attack object group can contain one or more attack objects of different types. Junos OS supports the following two types of attack groups:

    •   Predefined attack object groups—Contain objects present in the signature database. The predefined attack object groups are dynamic in nature. For example, the FTP: Minor group selects all attacks with application FTP and severity Minor. If a new FTP attack of minor severity is introduced in the security database, it is added to the FTP: Minor group by default.

    •   Dynamic attack groups—Contain attack objects based on certain matching criteria. For example, a dynamic group can contain all attacks related to an application. During a signature update, the dynamic group membership is automatically updated based on the matching criteria for that group.

        On SRX Series devices, for a dynamic attack group using the direction filter, the expression 'and' should be used in the exclude values. As is the case with all filters, the default expression is 'or'. However, there is a choice of 'and' in the case of the direction filter.

    For example, if you want to choose all attacks with the direction client-to-server,