Example: Setting Terminal Rules in Rulebases (CLI)

By default, rules in the Intrusion Detection and Prevention (IDP) rulebase are not terminal. That means that IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.

Before you begin:

  1. Configure network interfaces. See the JUNOS Software Interfaces Configuration Guide for Security Devices.
  2. Enable IDP application services in a security policy. See Example: Enabling IDP in a Security Policy (CLI).
  3. Create security zones. See Example: Creating Security Zones.
  4. Define rules. See Example: Inserting a Rule in the IDP Rulebase (CLI).

The configuration statements in this topic describe how to define terminal rules. You define a rule R2 to terminate the match algorithm if the source IP of the traffic originates from a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data.

To configure terminal rules:

  1. Define a rule and add it to a rulebase in a policy. The following statement creates a policy P1, associates an intrusion prevention system (IPS) rulebase with the policy, and adds rule R2 to the rulebase:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2
  2. Define the match criteria for the rule. The following statement specifies source address internal and destination address any as the match criteria for rule R2:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2 match source-address internal destination-address any
  3. Set the terminal flag for the rule. The following statement specifies R2 as a terminal rule:
    user@host# set security idp idp-policy P1 rulebase-ips rule R2 terminal
  4. If you are finished configuring the device, commit the configuration.
  5. From configuration mode in the CLI, enter the show security idp command to verify the configuration. For more information, see the JUNOS Software CLI Reference.
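To make the effect of the terminal flag concrete, the following is an added Python model of the rulebase walk (not Junos code and not taken from this topic). It assumes an address-book entry internal covering 10.0.0.0/8, a constructed second rule R3 placed after R2, and constructed sessions; it shows that once R2 matches the trusted source, R3 is never examined for that session, while clearing the flag lets both rules match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address book (assumption): "internal" is the trusted network,
# "any" matches every address.
ADDRESS_BOOK = {
    "internal": [ip_network("10.0.0.0/8")],
    "any": [ip_network("0.0.0.0/0")],
}

@dataclass
class Rule:
    name: str
    source_address: str
    destination_address: str
    service: str = "default"   # "default" stands for the implicit any-service match
    terminal: bool = False

@dataclass
class Session:
    src: str
    dst: str
    service: str

def _addr_matches(book_name, ip):
    addr = ip_address(ip)
    return any(addr in net for net in ADDRESS_BOOK[book_name])

def rule_matches(rule, session):
    # A terminal rule is considered matched on source, destination and service alone.
    return (_addr_matches(rule.source_address, session.src)
            and _addr_matches(rule.destination_address, session.dst)
            and rule.service in ("default", session.service))

def evaluate(rulebase, session):
    """Return the names of the rules that match, in order; stop after a terminal match."""
    matched = []
    for rule in rulebase:
        if rule_matches(rule, session):
            matched.append(rule.name)
            if rule.terminal:
                break          # later rules are not examined for this session
    return matched

# R2 mirrors the topic's rule; R3 is a constructed later rule for HTTP traffic.
RULEBASE = [
    Rule("R2", "internal", "any", terminal=True),
    Rule("R3", "any", "any", service="http"),
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, Session("10.1.2.3", "192.0.2.10", "http")))      # ['R2']
    print(evaluate(RULEBASE, Session("198.51.100.7", "192.0.2.10", "http")))  # ['R3']
```

Because a terminal match on the trusted network ends evaluation, any attack-detection rules placed after R2 do not inspect sessions from that network, which is exactly the trade-off the topic describes.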
