Add Rules to an IPS Policy
You are here: Security Services > IPS > Policies.
To add rules to an IPS policy:
You can only add rules for the custom IPS policies.
Field |
Action |
---|---|
Rule Name |
Enter the rule name for the IPS policy. |
Description |
Enter the description for the rule. |
Network Criteria | |
Sources | |
Source zone |
Select a source zone to be associated with the IPS policy:
|
Source addresses |
Select a source address to be associated with the IPS policy:
|
Destinations | |
Destination zone |
Select a destination zone to be associated with the IPS policy:
|
Destination addresses |
Select a destination address to be associated with the IPS policy:
|
IPS Signatures | |
Add |
Select predefined or custom signatures from the list to add it to the IPS policy rules. |
Delete |
Select the IPS signatures you do not want to add to the IPS policy rules and click the delete icon. |
Name |
Displays name of the IPS predefined or custom signatures. |
Category |
Displays the predefined attack or attack groups categories. For example, App, HTTP, and LDAP. |
Severity |
Displays the attack severity level that the signature reports. |
Attack Type |
Displays the attack type (signature or anomaly). |
Recommended Action |
Displays the specified action taken from the device when it detects an attack. For example, ignore and drop. |
Type |
Displays if the IPS signature type is predefined or custom. |
Add Predefined Signatures |
|
View by |
View and select the desired predefined attacks or attack groups and click OK to add it to the selected IPS policy. |
Show or Hide Columns |
Use the Show Hide Columns icon in the top right corner of the page and select the options you want to show or deselect to hide options on the page. |
Name |
Displays name of the predefined attack objects or attack object group. |
Category |
Displays the predefined attack or attack groups categories. For example, App, HTTP, and LDAP. |
Severity |
Displays the attack severity level that the signature reports. |
Type Attack |
Displays the attack type (signature or anomaly). |
Recommended |
Displays the added predefined attacks recommended by Juniper Networks to the dynamic attack group. |
Recommended Action |
Displays the specified action taken from the device when it detects an attack. For example, ignore and drop. |
Performance |
Displays a performance filter (fast, normal, slow, and unknown) to add attack objects based on the performance level that is vulnerable to the attack. |
Direction |
Displays the connection direction (any, client-to-server, or server-to-client) of the attack. |
Add Custom Signatures |
|
View by |
View and select the desired custom attacks, static groups, or dynamic groups and click OK to add it to the selected IPS policy. |
Custom Signatures—Custom Attacks |
|
Name |
Displays the custom attack object name. |
Severity |
Displays the attack severity level that the signature reports. |
Attack Type |
Displays the attack type (signature or anomaly). |
Recommended Action |
Displays the specified action taken from the device when it detects an attack. For example, ignore and drop. |
Custom Signatures—Static Group |
|
Name |
Displays static group name for the custom signatures. |
Group Members |
Displays the name of the attack object or group attack object. The members can be predefined attacks, predefined attack groups, custom attacks, or custom dynamic groups. |
Custom Signatures—Dynamic Groups |
|
Name |
Displays dynamic group name for the custom signatures. |
Attack Prefix |
Displays prefix match for attack names. For example: HTTP:* |
Severity |
Displays the attack severity level that the signature reports. |
Attack Type |
Displays the attack type (signature or anomaly). |
Category |
Displays the dynamic attack groups categories. For example, App, HTTP, and LDAP. |
Direction |
Displays the connection direction (any, client-to-server, or server-to-client) of the attack. |
Action |
Note:
This option is not available for exempt rules. Select any one of the actions from the list:
|
Options Note:
This option is not available for exempt rules. |
|
Log Attacks |
Enable the log attacks to create a log record that appears in the log viewer. |
Log Packets |
Enable the log packets to capture the packets received before and after the attack for further offline analysis of attacker behavior. |
Advanced Note:
This option is not available for exempt rules. |
|
Threat Profiling Note:
Feeds are only displayed if you have enrolled to Juniper ATP
Cloud. You can also download the feeds using the command,
|
|
Add attacker to feed |
Select from the list to add the attackers IP addresses to the feed to configure IPS rule with threat profiles. |
Add target to feed |
Select from the list to add the target IP addresses to the feed to configure IPS rule with threat profiles. |
Notifications |
|
Packets before |
Enter the number of packets processed before the attack is captured. Range: 1 through 255. Default is 1. Note:
This option is available when you enable Log Packets. |
Packets after |
Enter the number of packets processed after the attack is captured. Range: 0 through 255. Default is 1. Note:
This option is available when you enable Log Packets. |
Post window timeout |
Enter the time limit for capturing post-attack packets for a session. No packet capture is conducted after the timeout has expired. Range: 0 through 1800 seconds. Default is 1 second. Note:
This option is available when you enable Log Packets. |
Alert Flag |
Enable this option to set an alert flag in the Alert column of the Log Viewer for the matching log record. Note:
This option is available when you enable Log Attacks. |
IP Actions |
|
Action |
Specifies the action that IPS takes against future connections that use the same IP address. Select an IP action from the list:
|
IP Target |
Configure how the traffic should be matched to the configured IP actions. Select an IP target from the list:
|
Refresh timeout |
Enable refresh of the IP action timeout (that you specify in the Timeout field) if future traffic matches the configured IP actions. |
Timeout |
Specifies the number of seconds the IP action should remain effective before new sessions are initiated within that specified timeout value. Enter the timeout value, in seconds. The maximum value is 65,535 seconds. Default is 300 seconds. |
Log IP-Action hits |
Enable to log information about the IP action against the traffic that matches a rule. By default, this setting is disabled. |
Log IP-Action rule creation |
Enable to generate an event when the IP action filter is triggered. By default, this setting is disabled. |
Rule Modifiers |
|
Severity override |
Severity level (None, Critical, Info, Major, Minor, Warning) to override the inherited attack severity in the rules. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational level is least dangerous and is used by network administrators to find flaws in their security systems. |
Terminal matching |
Enable to mark an IPS rule as terminal. When a terminal rule is matched, the device stops matching for the remaining rules in that IPS policy. |