Understanding IDP Exempt Rulebases
The exempt rulebase works in conjunction with the intrusion prevention system (IPS) rulebase to prevent unnecessary alarms from being generated. You configure rules in this rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IPS rule. If traffic matches a rule in the IPS rulebase, the system attempts to match the traffic against the exempt rulebase before performing the action specified. Carefully written rules in an exempt rulebase can significantly reduce the number of false positives generated by an IPS rulebase.
Configure an exempt rulebase under the following conditions:
- When an IDP rule uses an attack object group that contains one or more attack objects that produce false positives or irrelevant log records.
- When you want to exclude a specific source, destination, or source/destination pair from matching an IDP rule. This prevents IDP from generating unnecessary alarms.
Note: Make sure to configure the IPS rulebase before configuring the exempt rulebase.
Table 45 summarizes the options that you can configure in the exempt-rulebase rules.
Table 45: Exempt Rulebase Options
| Term | Definition |
|---|---|
| Match condition | Specify the type of network traffic you want the device to monitor for attacks in the same way as in the IPS rulebase. However, in the exempt rulebase, you cannot configure an application; it is always set to any. |
| Attack objects/groups | Specify the attack objects that you do not want the device to match in the monitored network traffic. |
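As an added example (not taken from this page or from Juniper's own documentation), the following Junos set-style configuration shows the order the note requires: an IPS rule is defined first, then an exempt rule that stops one attack object from matching for one source/destination pair, with no application configured because the exempt rulebase always matches any application. The policy name EXAMPLE-POLICY, the rule and address names, the zones, the addresses and the attack name EXAMPLE-FALSE-POSITIVE-ATTACK are placeholders; "HTTP - All" is assumed to be a predefined attack group present in the installed signature database, and the `#` lines are explanatory comments rather than commands.

```junos
# 1. IPS rulebase first: inspect all traffic between zones for a predefined group
#    and log every match. (Placeholders: EXAMPLE-POLICY, IPS-HTTP, "HTTP - All".)
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP match from-zone any to-zone any
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP match source-address any destination-address any
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP match application default
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP then action drop-packet
set security idp idp-policy EXAMPLE-POLICY rulebase-ips rule IPS-HTTP then notification log-attacks

# 2. Address-book entries for the one pair that is known to trigger a false positive
#    (constructed sample addresses from documentation ranges).
set security address-book global address SCANNER-HOST 192.0.2.10/32
set security address-book global address WEB-SERVER 198.51.100.20/32

# 3. Exempt rulebase: only this source/destination pair, only this attack object.
#    No "match application" line: the exempt rulebase is always application any.
#    Traffic that hits IPS-HTTP is checked here before drop-packet is carried out.
set security idp idp-policy EXAMPLE-POLICY rulebase-exempt rule EXEMPT-SCANNER match from-zone trust to-zone untrust
set security idp idp-policy EXAMPLE-POLICY rulebase-exempt rule EXEMPT-SCANNER match source-address SCANNER-HOST destination-address WEB-SERVER
set security idp idp-policy EXAMPLE-POLICY rulebase-exempt rule EXEMPT-SCANNER match attacks predefined-attacks EXAMPLE-FALSE-POSITIVE-ATTACK

# 4. Activate the policy and confirm that it compiled and loaded.
set security idp active-policy EXAMPLE-POLICY
commit
show security idp policy-commit-status
```

Keep the exempt rule as narrow as the false positive itself: an exempt match on `source-address any destination-address any` with an attack group would silence that whole group for all traffic, which defeats the IPS rule above.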
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- IDP Policies Overview
- Understanding IDP Policy Rules
- Understanding IDP Policy Rulebases
- Understanding IDP IPS Rulebases
- Understanding Predefined IDP Policy Templates
- Example: Defining Rules for an IDP Exempt Rulebase (CLI)