
Create IPS or Exempt Rules

You can create intrusion prevention system (IPS) rules or exempt rules only for customized IPS profiles.

Create IPS Rules

To create an IPS rule:

  1. Select Configuration > IPS > IPS Profiles.

    The IPS Profiles page appears.

  2. Click IPS-Profile-Name for the profile for which you want to create a rule.

    The IPS-Profile-Name / Rules page appears.

  3. Select Create > IPS Rule.

    The parameters for an IPS rule appear inline at the top of the page.

  4. Complete the configuration according to the guidelines in Table 1.

    Note:

    Fields marked with an asterisk (*) are mandatory.

  5. Click Save to save your changes.

    The changes are saved and a confirmation message appears at the top of the page.

    You can use the IPS profile in a firewall policy intent and deploy the firewall policy on the device, which deploys the IPS and exempt rules associated with the profile.

Table 1: Create IPS Rule Settings

Setting

Guideline

Rule Name

CSO generates a unique rule name by default. You can modify the name if needed.

The name must begin with an alphanumeric character and can contain alphanumeric characters and some special characters (colons, hyphens, forward slashes, periods, and underscores); 63-character maximum.

Description

Enter a description for the rule; the maximum length is 1024 characters.

IPS Signatures

You can add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule:

  1. Click inside the text box with the + icon.

    A list of IPS signatures and IPS signature static and dynamic groups appears.

  2. (Optional) Enter a search term and press Enter to filter the list of items displayed.

  3. Click a list item to add it to the IPS signatures and IPS signature static or dynamic groups associated with the rule.

  4. (Optional) Repeat the preceding step to add more signatures, static groups, and dynamic groups.

  5. Click the View more results link to view the full list of IPS signatures and IPS signature static and dynamic groups. The full list is displayed in the End Points panel on the right.

    To add one or more signatures, static groups, or dynamic groups:

    1. Mouse over a list item and select the check box that appears.

    2. Repeat the preceding step for the other signatures, static groups, or dynamic groups that you want to add.

    3. Click the check mark icon ( ✓ ) at the top of the End Points panel, and select Signatures.

      The signatures, static groups, or dynamic groups that you selected are added and displayed in the IPS Signatures field.

IPS Action

Select the action to be taken when the monitored traffic matches the attack objects specified in the rules:

  • None—No action is taken. Use this action to only generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

  • Close Client and Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.

  • Close Client—Closes the connection and sends an RST packet to the client, but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server, but not to the client.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

  • Recommended (default)—Uses the action that Juniper Networks recommends when that attack is detected. All predefined attack objects have a default action associated with them.

  • Diffserv Marking—Assigns the specified differentiated services code point (DSCP) value to the packet in an attack and passes the packet on normally.

    When you select Diffserv Marking, you must enter a DSCP value:

    1. Click the Code Point: Value hyperlink.

      The Code point for Diffserv Marking action popup appears.

    2. In the Code Point field, enter a DSCP value from 0 through 63.

    3. Click OK.

      You are returned to the previous page; the value that you entered is displayed.

Additional Actions

In addition to the IPS action, you can configure one or more of the following additional actions:

  • Notifications—When attacks are detected, you can log the attack, create log records containing attack information, and send that information to the log server.

    To configure notifications:

    1. Click the Notification link.

      The Notification page appears.

    2. Complete the configuration according to the guidelines shown in Table 2.

    3. Click OK.

      You are returned to the previous page. A gear icon next to the Notification link indicates that you have configured notification settings.

  • IP actions—When attacks are detected, you can configure actions that you want IPS to take against future connections that use the same IP address.

    To configure IP actions:

    1. Click the IP Action link.

      The IP Action page appears.

    2. Complete the configuration according to the guidelines shown in Table 3.

    3. Click OK.

      You are returned to the previous page. A gear icon next to the IP Action link indicates that you have configured IP action settings.

  • Additional actions—When attacks are detected, you can configure additional actions that you want CSO to take.

    To configure additional actions:

    1. Click the Additional link.

      The Additional page appears.

    2. Complete the configuration according to the guidelines shown in Table 4.

    3. Click OK.

      You are returned to the previous page. A gear icon next to the Additional link indicates that you have configured additional settings.

Table 2: Notification Settings

Setting

Guideline

Attack Logging

Select the Enable check box to log an attack when it is detected.

Alert Flag

Select the Enable check box to set the alert flag in the attack log.

Log Packets

Select the Enable check box to log packets when an attack is detected.

In response to a rule match, you can capture the packets received before and after the attack for further offline analysis of attacker behavior. You can configure the number of pre-attack and post-attack packets to be captured for this attack, and limit the duration of post-attack packet capture by specifying a timeout value.

You must specify at least one of the Packets Before, Packets After, or Post Window Timeout fields.

Packets Before

Specify the number of packets received before an attack that should be captured for further analysis of the behavior of the attack.

Range: 1 through 255.

Packets After

Specify the number of packets received after an attack that should be captured for further analysis of attacker behavior.

Range: 1 through 255.

Post Window Timeout

Specify a time limit (in seconds) for capturing packets received after an attack. No packets are captured after the specified timeout has elapsed.

Range: 1 through 1800.

Table 3: IP Action Settings

Setting

Guideline

IP Action

Select the action to be taken on future connections that use the same IP address:

Note:

If there is an IP action match with more than one rule, then the most severe IP action of all the matched rules is applied. In decreasing order of severity, the actions are block, close, and notify.

  • None (default)—Do not take any action. This is equivalent to not configuring an IP action at all.

  • IP Notify—Don’t take any action on future traffic but log the event.

  • IP Close—Close future connections of new sessions that match the IP address by sending RST packets to the client and server.

  • IP Block—Block future connections of any session that matches the IP address.

IP Target

Specify how the traffic should be matched for the configured IP actions:

  • None—Do not match any traffic.

  • Destination Address—Match traffic based on the destination IP address of the attack traffic.

  • Service—For TCP and UDP, matches traffic based on the source IP address, source port, destination IP address, and destination port of the attack traffic.

  • Source Address—Matches traffic based on the source IP address of the attack traffic.

  • Source Zone—Matches traffic based on the source zone of the attack traffic.

  • Source Zone Address—Matches traffic based on the source zone and source IP address of the attack traffic.

  • Zone Service—Matches traffic based on the source zone, destination IP address, destination port, and protocol of the attack traffic.

Refresh Timeout

Select the Enable check box to refresh the IP action timeout (that you specify in the Timeout Value field) if future traffic matches the IP actions configured.

Timeout Value

Configure the number of seconds that you want the IP action to remain in effect. For example, if you configure a timeout of 3600 seconds (1 hour) and traffic matches the IP actions configured, the IP action remains in effect for 1 hour.

Range: 0 through 64,800 seconds.

Log Taken

Select the Enable check box to log the information about the IP action against the traffic that matches a rule.

Log Creation

Select the Enable check box to generate an event when the IP action filter is triggered.
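As an added illustration of the IP Target match keys, the severity precedence in the note, and the Timeout Value and Refresh Timeout behaviour described in Table 3, the following Python model (example code, not CSO's or Junos OS's implementation) simulates the IP-action table a device might keep for future connections. The flow field names, the table layout, and the choice to install only the most severe action are assumptions.

```python
# Added example (not CSO/Junos code): a simplified device keeping an IP-action table.
from dataclasses import dataclass

SEVERITY = {"IP Notify": 1, "IP Close": 2, "IP Block": 3}  # page's note: block > close > notify

# Flow fields that form the match key for each IP Target (Table 3); field names are assumed.
TARGET_KEYS = {
    "Source Address": ("src_ip",),
    "Destination Address": ("dst_ip",),
    "Service": ("src_ip", "src_port", "dst_ip", "dst_port"),
    "Source Zone": ("src_zone",),
    "Source Zone Address": ("src_zone", "src_ip"),
    "Zone Service": ("src_zone", "dst_ip", "dst_port", "proto"),
}

@dataclass
class IPActionCfg:
    action: str            # "None", "IP Notify", "IP Close" or "IP Block"
    target: str            # an IP Target name from TARGET_KEYS, or "None"
    timeout: int           # Timeout Value in seconds, 0 through 64800
    refresh_timeout: bool = False

class IPActionTable:
    def __init__(self):
        self.entries = {}  # (target, *key fields) -> [action, expires_at, cfg]

    def on_attack(self, flow, matched_cfgs, now):
        """An attack matched several rules: install only the most severe IP action."""
        live = [c for c in matched_cfgs if c.action != "None" and c.target != "None"]
        if not live:
            return None
        cfg = max(live, key=lambda c: SEVERITY[c.action])
        key = (cfg.target,) + tuple(flow[f] for f in TARGET_KEYS[cfg.target])
        self.entries[key] = [cfg.action, now + cfg.timeout, cfg]
        return cfg.action

    def lookup(self, flow, now):
        """Action applied to a new connection (most severe live entry), or None."""
        best = None
        for key, (action, expires_at, cfg) in list(self.entries.items()):
            if now >= expires_at:          # Timeout Value elapsed: entry is dropped
                del self.entries[key]
                continue
            if key[1:] != tuple(flow[f] for f in TARGET_KEYS[key[0]]):
                continue
            if cfg.refresh_timeout:        # Refresh Timeout: a match restarts the clock
                self.entries[key][1] = now + cfg.timeout
            if best is None or SEVERITY[action] > SEVERITY[best]:
                best = action
        return best
```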

Table 4: Additional Settings

Setting

Guideline

Severity

Select a severity level to override the inherited attack severity in the rules.

Critical is the most dangerous level; it indicates attacks that attempt to crash your server or gain control of your network. Informational is the least dangerous level; it indicates activity that network administrators use to discover holes in their security systems.

Terminal

Select the Enable check box to mark the IPS rule as terminal. When a terminal rule is matched, the device stops matching for the rest of the rules in that IPS profile.

Create Exempt Rules

To create an exempt rule:

  1. Select Configuration > IPS > IPS Profiles.

    The IPS Profiles page appears.

  2. Click IPS-Profile-Name for the profile for which you want to create a rule.

    The IPS-Profile-Name / Rules page appears.

  3. Select Create > Exempt Rule.

    The parameters for an exempt rule appear inline at the top of the page.

  4. You can configure only the following fields:

    • Rule Name

    • Description

    • IPS Signatures

    See Table 1 for an explanation of these fields.

  5. Click Save to save your changes.

    The changes are saved and a confirmation message appears at the top of the page.

    You can use the IPS profile in a firewall policy intent and deploy the firewall policy on the device, which deploys the IPS and exempt rules associated with the profile.