Setting Terminal Rules in Rulebases

By default, rules in the IDP rulebase are not terminal. That means that IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.

Before You Begin

  1. For background information, read:
  2. Establish basic connectivity. For more information, see the Getting Started Guide for your device.
  3. Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
  4. Enable IDP application services in a security policy. See Enabling IDP in a Security Policy.
  5. Create security zones. See Creating Security Zones.
  6. Define rules. See Defining Rules for an IPS Rulebase.

The configuration statements in this topic describe how to define terminal rules. You define a rule R2 to terminate the match algorithm if the source IP of the traffic originates from a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data.
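To make the match-and-stop behaviour concrete, here is an added Python model of the rulebase scan (not Juniper code): R2 is the page's terminal rule, while the address book prefix for "internal" and the second rule R3 are constructed assumptions. It shows why a terminal rule matched on source/destination/service alone stops later rules from ever seeing that session.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Constructed address book: the page names "internal" but gives no prefix,
# so 10.0.0.0/8 is an assumption. "any" matches every address.
ADDRESS_BOOK: Dict[str, Optional[list]] = {
    "internal": [ip_network("10.0.0.0/8")],
    "any": None,
}

@dataclass
class Rule:
    name: str
    source: str            # address-book name, e.g. "internal" or "any"
    destination: str
    service: str = "any"   # "any" or an application name such as "http"
    terminal: bool = False

def addr_matches(book_name: str, ip: str) -> bool:
    nets = ADDRESS_BOOK[book_name]
    return nets is None or any(ip_address(ip) in n for n in nets)

def rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (addr_matches(rule.source, src)
            and addr_matches(rule.destination, dst)
            and rule.service in ("any", service))

def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> List[str]:
    """Return the names of the rules IDP would apply, in rulebase order.

    Every matching rule is collected; a terminal match ends the scan, so
    rules after it are never consulted for this connection.
    """
    matched = []
    for rule in rulebase:
        if rule_matches(rule, src, dst, service):
            matched.append(rule.name)
            if rule.terminal:
                break
    return matched

# R2 as configured on this page, followed by a constructed R3 that would
# otherwise inspect all HTTP sessions.
RULEBASE = [
    Rule("R2", source="internal", destination="any", terminal=True),
    Rule("R3", source="any", destination="any", service="http"),
]
```

Because R2 matches purely on addresses, an HTTP session from a compromised 10.x host reaches only R2 and is never inspected by R3; the same session from an external source skips R2 and is inspected.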

You can use either J-Web or the CLI configuration editor to configure terminal rules.

J-Web Configuration

To configure terminal rules:

  1. Create a policy by assigning a meaningful name to it. The following tasks specify P1 as the policy name:
    1. Select Configure>CLI Tools>Point and Click CLI.
    2. Next to Security, click Configure or Edit.
    3. Next to Idp, click Configure.
    4. Next to Idp policy, click Add new entry.
    5. In the Policy name box, type P1.
  2. Associate a rulebase with the policy and add rules to the rulebase. The following tasks associate an IPS rulebase with P1 and add rule R2 to the rulebase:
    1. Next to Rulebase ips, click Configure.
    2. Next to Rule, click Add new entry.
    3. In the Name box, type R2.
  3. Define the match criteria for the rule. The following tasks specify source address internal and destination address any as the match criteria for rule R2.
    1. Next to Match, click Configure.
    2. From the Source list, select Source address.
    3. Next to Source address, click Add new entry.
    4. From the Value list, select Enter Specific value.
    5. In the Address box, type internal.
    6. From the Destination list, select Destination address.
    7. Next to Destination address, click Add new entry.
    8. From the Value list, select Any and click OK.
  4. Set the terminal flag for the rule. The following tasks specify R2 as a terminal rule:
    1. On the Rule R2 page, next to Terminal, select the check box.
    2. Click OK.
  5. If you are finished configuring the router, commit the configuration.

CLI Configuration

To configure terminal rules:

  1. Define a rule and add it to a rulebase in a policy. The following statement creates a policy P1, associates an IPS rulebase with the policy, and adds rule R2 to the rulebase:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2
  2. Define the match criteria for the rule. The following tasks specify source address internal and destination address any as the match criteria for rule R2:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2 match source-address internal destination-address any
  3. Set the terminal flag for the rule. The following statement specifies R2 as a terminal rule:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2 terminal
  4. If you are finished configuring the router, commit the configuration.
  5. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
