Configure IPFilter Category
IP filters allow you to create rules to control traffic coming into your network.
To configure the IPFilter category:
- Configure the IPFilter profile. In this example, the profile name is ipf_profile. The rules are ipf_rule, ipf_rule1 and ipf_rule2.

    user@host# set services security-intelligence profile ipf_profile category IPFilter
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule match threat-level [8 9 10]
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule then action block drop
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule then log
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule1 match threat-level 4
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule1 then action block close http message "SecIntel Redirect Message"
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule1 then log
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 match feed-name fd1
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 then action permit
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule then log
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 5
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http file secintel_redirect.txt
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 6
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http redirect-url http://www.yahoo.com/redirect.html
    user@host# set services security-intelligence profile ipf_profile rule ipf_rule2 then log
    user@host# set services security-intelligence profile ipf_profile default-rule then action recommended
    user@host# set services security-intelligence profile ipf_profile default-rule then log
- Use the show services security-intelligence CLI command to verify your profile. Your output should look similar to the following:

    user@host# show services security-intelligence
    ...
    }
    profile ipf_profile {
        category IPFilter;
        rule ipf_rule {
            match {
                feed-name fd1;
                threat-level [ 8 9 10 ];
            }
            then {
                action {
                    block {
                        drop;
                    }
                }
                log;
            }
        }
        rule ipf_rule2 {
            match {
                feed-name fd1;
                threat-level [ 5 6 ];
            }
            then {
                action {
                    block {
                        close {
                            http {
                                redirect-url http://www.yahoo.com/redirect.html;
                            }
                        }
                    }
                }
                log;
            }
        }
        rule ipf_rule1 {
            match {
                threat-level 4;
            }
            then {
                action {
                    block {
                        close {
                            http {
                                message "Secintel Redirect Message";
                            }
                        }
                    }
                }
                log;
            }
        }
        default-rule {
            then {
                action {
                    recommended;
                }
                log;
            }
        }
    }
- Configure your IPFilter policy to point to the profile created in Step 1. In this example, the IPFilter policy name is ipf_policy.

    user@host# set services security-intelligence policy ipf_policy IPFilter ipf_profile
- Use the show services security-intelligence CLI command to verify your policy. Your output should look similar to the following:

    user@host# show services security-intelligence policy ipf_policy
    IPFilter {
        ipf_profile;
    }
- Configure the firewall policy to include the IPFilter policy. This example sets the trust-to-untrust zone.

    user@host# set security policies from-zone trust to-zone untrust policy p1 match source-address any destination-address any application any
    user@host# set security policies from-zone trust to-zone untrust policy p1 then permit application-services security-intelligence-policy ipf_policy
- Use the show security policies CLI command to verify your settings. Your output should look similar to the following:

    user@host# show security policies
    ...
        }
        policy p1 {
            match {
                source-address any;
                destination-address any;
                application any;
                dynamic-application any;
            }
            then {
                permit {
                    application-services {
                        security-intelligence-policy ipf_policy;
                    }
                }
            }
        }
    }
    from-zone untrust to-zone trust {
        policy p1 {
            match {
                source-address [ sda-1 any ];
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        permit-all;
    }
- Commit your changes.
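
Added example (not part of the original page and not Juniper tooling): the Python script below folds the Step 1 rule statements into the final state of each rule, so you can see before committing which earlier actions on ipf_rule2 are replaced by later set commands. It assumes, based on the ipf_rule2 stanza in the Step 2 output, that threat-level values accumulate while each new action replaces the previous one; STEP1, LINE and collapse() are names chosen for this example.

```python
import re

# Rule statements from Step 1 of the page, in order, with the common prefix
# "set services security-intelligence profile ipf_profile " removed.
STEP1 = '''
rule ipf_rule match threat-level [8 9 10]
rule ipf_rule then action block drop
rule ipf_rule then log
rule ipf_rule1 match threat-level 4
rule ipf_rule1 then action block close http message "SecIntel Redirect Message"
rule ipf_rule1 then log
rule ipf_rule2 match feed-name fd1
rule ipf_rule2 then action permit
rule ipf_rule then log
rule ipf_rule2 match threat-level 5
rule ipf_rule2 then action block close http file secintel_redirect.txt
rule ipf_rule2 match threat-level 6
rule ipf_rule2 then action block close http redirect-url http://www.yahoo.com/redirect.html
rule ipf_rule2 then log
'''

LINE = re.compile(r"rule (\S+) (match threat-level|match feed-name|then action|then log)\s*(.*)")

def collapse(text):
    # Assumed semantics, modelled on ipf_rule2 in the page's show output:
    # threat-level values accumulate; a new action replaces the previous one.
    rules, superseded = {}, []
    for raw in text.strip().splitlines():
        m = LINE.fullmatch(raw.strip())
        if m is None:
            raise ValueError(f"unrecognised statement: {raw!r}")
        name, key, value = m.groups()
        rule = rules.setdefault(name, {"levels": [], "feed": None, "action": None, "log": False})
        if key == "match threat-level":
            rule["levels"] += [int(n) for n in re.findall(r"\d+", value)]
        elif key == "match feed-name":
            rule["feed"] = value
        elif key == "then action":
            if rule["action"] is not None:
                superseded.append((name, rule["action"]))  # overwritten action
            rule["action"] = value
        else:  # "then log"
            rule["log"] = True
    return rules, superseded

if __name__ == "__main__":
    final, dropped = collapse(STEP1)
    print(*final.items(), sep="\n")
    print("superseded actions:", dropped)
```

For ipf_rule2 the script reports the permit and file actions as superseded, leaving only the redirect-url action for threat levels 5 and 6, which matches the ipf_rule2 stanza in the Step 2 output.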