Understanding IDP Terminal Rules
The Intrusion Detection and Prevention (IDP) rule-matching algorithm starts from the top of the rulebase and checks traffic against all rules in the rulebase that match the source, destination, and service. However, you can configure a rule to be terminal. A terminal rule is an exception to this algorithm. When a match is discovered in a terminal rule for the source, destination, zones, and application, IDP does not continue to check subsequent rules for the same source, destination, and application. It does not matter whether or not the traffic matches the attack objects in the matching rule.
You can use a terminal rule for the following purposes:
- To set different actions for different attacks for the same source and destination.
- To disregard traffic that originates from a known trusted source. Typically, the action is None for this type of terminal rule.
- To disregard traffic sent to a server that is vulnerable only to a specific set of attacks. Typically, the action is Drop Connection for this type of terminal rule.
Use caution when defining terminal rules. An inappropriate terminal rule can leave your network open to attacks. Remember that traffic matching the source, destination, and application of a terminal rule is not compared to subsequent rules, even if the traffic does not match an attack object in the terminal rule. Use a terminal rule only when you want to examine a certain type of traffic for one specific set of attack objects. Be particularly careful about terminal rules that use any for both the source and destination. Terminal rules should appear near the top of the rulebase before other rules that would match the same traffic.
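The matching behavior described above, as an added simulation that is not Juniper's code: `evaluate` walks a rulebase top-down and stops at the first terminal rule whose source, destination, and application match, whether or not an attack object matched, and `shadowed_by_terminal` is a lint for later rules that an earlier terminal rule makes unreachable. The rule names, host labels, and attack object names are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # "any" or an address/zone label (constructed values)
    dst: str
    app: str
    attacks: frozenset        # attack object names this rule inspects for
    action: str
    terminal: bool = False

    def covers(self, src, dst, app):
        """True when the rule's source, destination and application match the traffic."""
        return all(want in ("any", got) for want, got in
                   ((self.src, src), (self.dst, dst), (self.app, app)))

def evaluate(rulebase, src, dst, app, attack=None):
    """Walk the rulebase top-down; return [(rule name, action)] for rules that fire.
    `attack` is the attack object (if any) detected in the flow."""
    fired = []
    for rule in rulebase:
        if not rule.covers(src, dst, app):
            continue
        if attack in rule.attacks:
            fired.append((rule.name, rule.action))
        if rule.terminal:
            break  # terminal rule: stop here even if none of its attack objects matched
    return fired

def shadowed_by_terminal(rulebase):
    """Lint: a later rule whose entire match set is covered by an earlier terminal
    rule can never fire. Returns [(shadowed rule, terminal rule)]."""
    found = []
    for i, term in enumerate(rulebase):
        if term.terminal:
            for later in rulebase[i + 1:]:
                if term.covers(later.src, later.dst, later.app):
                    found.append((later.name, term.name))
    return found

# Constructed rulebase illustrating the uses listed above (all names are made up)
RULEBASE = [
    Rule("trusted-scanner", "scanner-host", "any", "any", frozenset(), "none", True),
    Rule("web-sqli-only", "any", "web-srv", "http",
         frozenset({"HTTP:SQL:INJECTION"}), "drop-connection", True),
    Rule("catch-all", "any", "any", "http",
         frozenset({"HTTP:SQL:INJECTION", "HTTP:DIR:TRAVERSAL"}), "drop-packet"),
]
```

With this rulebase, directory-traversal traffic to `web-srv` fires nothing, because the terminal `web-sqli-only` rule stops evaluation before `catch-all` is consulted; clearing the terminal flags makes both rules fire.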
Related Topics
- JUNOS Software Feature Support Reference for SRX Series and J Series Devices
- IDP Policies Overview
- Understanding IDP Policy Rules
- Understanding IDP Policy Rulebases
- Understanding IDP IPS Rulebases
- Understanding IDP Exempt Rulebases
- Example: Setting Terminal Rules in Rulebases (CLI)