STIGQter STIGQter: STIG Summary: Juniper SRX SG IDPS Security Technical Implementation Guide Version: 1 Release: 2 Benchmark Date: 28 Jul 2017:

The Juniper Networks SRX Series Gateway IDPS must provide audit record generation capability for detecting events based on implementation of policy filters, rules, and signatures.

DISA Rule

SV-80867r1_rule

Vulnerability Number

V-66377

Group Title

SRG-NET-000113-IDPS-00013

Rule Version

JUSX-IP-000001

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

A Routing Engine configuration option allows the enabling and disabling of IDP alarms.

By default, the IDP attack event triggers the current logs without raising any alarms. When the option is set and the system is configured appropriately, the IDP logs on the Packet Forwarding Engine will be forwarded to Routing Engine, which then parses the IDP attack logs and raises IDP alarms as necessary.

To enable an IDP alarm, use the set security alarms potential-violation idp command.

To turn on logging, you must first turn on notification to log attacks:
set security idp idp-policy recommended rulebase-ips rule-1 then notification log-attacks

Configure Syslog (adding to the firewall stanza).
syslog {
file IDP_Log {
any any;
match RT_IDP;

Check Contents

To verify that the configuration is working properly, use the following command:

[edit]
show security alarms

View the configured alarms to verify at least one option for potential-violation is set to “idp”.

If a potential-violation alarm is not defined for “idp”, this is a finding.

Vulnerability Number

V-66377

Documentable

False

Rule Version

JUSX-IP-000001

Severity Override Guidance

To verify that the configuration is working properly, use the following command:

[edit]
show security alarms

View the configured alarms to verify at least one option for potential-violation is set to “idp”.

If a potential-violation alarm is not defined for “idp”, this is a finding.

Check Content Reference

M

Target Key

3037

Comments