Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Add Rules to an IPS Policy

You are here: Security Services > IPS > Policies.

To add rules to an IPS policy:

Note:

You can only add rules for the custom IPS policies.

  1. Click Add Rules or on the rule number available next to the column of your IPS policy name.
    The IPS Rules page appears.
  2. Click the add icon (+) on the upper right side of the IPS Rules or Exempt Rules page.
    The IPS Rules or Exempt Rules page with the inline editable fields will appear.
  3. Complete the configuration according to the guidelines provided in Table 1.
  4. Click the tick icon on the right-side of the row once done with the configuration.
    Once you configure the IPS policy rules, you can associate the IPS policy with the security policy.
Table 1: Fields on the IPS Rules or Exempt Rules Page

Field

Action

Rule Name

Enter the rule name for the IPS policy.

Description

Enter the description for the rule.

Network Criteria
Sources

Source zone

Select a source zone to be associated with the IPS policy:

  • Not configured—Matches the configured source zone from firewall policy.

  • Any—Matches any source zone from firewall policy.

  • Specific—Select a source zone from the list where network traffic originates.

Source addresses

Select a source address to be associated with the IPS policy:

  • Not configured—Matches the configured source IP address from firewall policy.

  • Any—Matches any source IP address from firewall policy.

  • Specific—A source IP address from which network traffic originates.

    Select the addresses from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list.

Destinations

Destination zone

Select a destination zone to be associated with the IPS policy:

  • Not configured—Matches the configured destination zone from firewall policy.

  • Any—Matches any destination zone from firewall policy.

  • Specific—Select a destination zone from the list to which network traffic is sent.

Destination addresses

Select a destination address to be associated with the IPS policy:

  • Not configured—Matches the configured destination IP address from firewall policy.

  • Any—Matches any destination IP address from firewall policy.

  • Specific—A destination IP address to which the network traffic is sent.

    Select the addresses from the Available column and then click the right arrow to move it to the Selected column. You can select Exclude Selected to exclude only the selected address from the list.

IPS Signatures

Add

Select predefined or custom signatures from the list to add it to the IPS policy rules.

Delete

Select the IPS signatures you do not want to add to the IPS policy rules and click the delete icon.

Name

Displays name of the IPS predefined or custom signatures.

Category

Displays the predefined attack or attack groups categories. For example, App, HTTP, and LDAP.

Severity

Displays the attack severity level that the signature reports.

Attack Type

Displays the attack type (signature or anomaly).

Recommended Action

Displays the specified action taken from the device when it detects an attack. For example, ignore and drop.

Type

Displays if the IPS signature type is predefined or custom.

Add Predefined Signatures

View by

View and select the desired predefined attacks or attack groups and click OK to add it to the selected IPS policy.

Show or Hide Columns

Use the Show Hide Columns icon in the top right corner of the page and select the options you want to show or deselect to hide options on the page.

Name

Displays name of the predefined attack objects or attack object group.

Category

Displays the predefined attack or attack groups categories. For example, App, HTTP, and LDAP.

Severity

Displays the attack severity level that the signature reports.

Type Attack

Displays the attack type (signature or anomaly).

Recommended

Displays the added predefined attacks recommended by Juniper Networks to the dynamic attack group.

Recommended Action

Displays the specified action taken from the device when it detects an attack. For example, ignore and drop.

Performance

Displays a performance filter (fast, normal, slow, and unknown) to add attack objects based on the performance level that is vulnerable to the attack.

Direction

Displays the connection direction (any, client-to-server, or server-to-client) of the attack.

Add Custom Signatures

View by

View and select the desired custom attacks, static groups, or dynamic groups and click OK to add it to the selected IPS policy.

Custom Signatures—Custom Attacks

Name

Displays the custom attack object name.

Severity

Displays the attack severity level that the signature reports.

Attack Type

Displays the attack type (signature or anomaly).

Recommended Action

Displays the specified action taken from the device when it detects an attack. For example, ignore and drop.

Custom Signatures—Static Group

Name

Displays static group name for the custom signatures.

Group Members

Displays the name of the attack object or group attack object. The members can be predefined attacks, predefined attack groups, custom attacks, or custom dynamic groups.

Custom Signatures—Dynamic Groups

Name

Displays dynamic group name for the custom signatures.

Attack Prefix

Displays prefix match for attack names. For example: HTTP:*

Severity

Displays the attack severity level that the signature reports.

Attack Type

Displays the attack type (signature or anomaly).

Category

Displays the dynamic attack groups categories. For example, App, HTTP, and LDAP.

Direction

Displays the connection direction (any, client-to-server, or server-to-client) of the attack.

Action

Note:

This option is not available for exempt rules.

Select any one of the actions from the list:

  • Recommended (default)—All predefined attack objects have a default action associated with them. This is the action that we recommend when that attack is detected.

  • No Action—No action is taken. Use this action when you want to only generate logs for some traffic.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source-IP address.

  • Close Client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server but not to the client.

  • Close Client & Server—Closes the connection and sends an RST packet to both the client and the server.

  • Ignore Connection—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

  • Mark DiffServ—Assigns the indicated service-differentiation value to the packet in an attack, then passes them on normally.

Options

Note:

This option is not available for exempt rules.

Log Attacks

Enable the log attacks to create a log record that appears in the log viewer.

Log Packets

Enable the log packets to capture the packets received before and after the attack for further offline analysis of attacker behavior.

Advanced
Note:

This option is not available for exempt rules.

Threat Profiling

Note:

Feeds are only displayed if you have enrolled to Juniper ATP Cloud. You can also download the feeds using the command, request services security-intelligence download.

Add attacker to feed

Select from the list to add the attackers IP addresses to the feed to configure IPS rule with threat profiles.

Add target to feed

Select from the list to add the target IP addresses to the feed to configure IPS rule with threat profiles.

Notifications

Packets before

Enter the number of packets processed before the attack is captured.

Range: 1 through 255. Default is 1.

Note:

This option is available when you enable Log Packets.

Packets after

Enter the number of packets processed after the attack is captured.

Range: 0 through 255. Default is 1.

Note:

This option is available when you enable Log Packets.

Post window timeout

Enter the time limit for capturing post-attack packets for a session. No packet capture is conducted after the timeout has expired.

Range: 0 through 1800 seconds. Default is 1 second.

Note:

This option is available when you enable Log Packets.

Alert Flag

Enable this option to set an alert flag in the Alert column of the Log Viewer for the matching log record.

Note:

This option is available when you enable Log Attacks.

IP Actions

Action

Specifies the action that IPS takes against future connections that use the same IP address.

Select an IP action from the list:

  • None—Do not take any action, which is the default setting.

  • Notify—Don't take any action on future traffic but log the event.

  • Close—Close future connections of new sessions that match the IP address by sending RST packets to the client and server.

  • Block—Block future connections of any session that matches the IP address.

IP Target

Configure how the traffic should be matched to the configured IP actions.

Select an IP target from the list:

  • None—Do not match any traffic.

  • Destination address—Match traffic based on the destination IP address of the attack traffic.

  • Service—For TCP and UDP, match traffic based on the source IP address, source port, destination IP address, and destination port of the attack traffic.

  • Source address—Match traffic based on the source IP address of the attack traffic.

  • Source zone—Match traffic based on the source zone of the attack traffic.

  • Source zone address—Match traffic based on the source zone and source IP address of the attack traffic.

  • Zone service—Match traffic based on the source zone, destination IP address, destination port, and protocol of the attack traffic.

Refresh timeout

Enable refresh of the IP action timeout (that you specify in the Timeout field) if future traffic matches the configured IP actions.

Timeout

Specifies the number of seconds the IP action should remain effective before new sessions are initiated within that specified timeout value.

Enter the timeout value, in seconds. The maximum value is 65,535 seconds. Default is 300 seconds.

Log IP-Action hits

Enable to log information about the IP action against the traffic that matches a rule. By default, this setting is disabled.

Log IP-Action rule creation

Enable to generate an event when the IP action filter is triggered. By default, this setting is disabled.

Rule Modifiers

Severity override

Severity level (None, Critical, Info, Major, Minor, Warning) to override the inherited attack severity in the rules. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational level is least dangerous and is used by network administrators to find flaws in their security systems.

Terminal matching

Enable to mark an IPS rule as terminal. When a terminal rule is matched, the device stops matching for the remaining rules in that IPS policy.