Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Announcement: Try the Ask AI chatbot for answers to your technical questions about Juniper products and solutions.

Juniper Security Director® is the next generation on-premises security management product for SRX Series Firewalls and vSRX. For more details, visit Juniper Security Director documentation page or contact your sales team.

close
header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions discuss ongoing efforts to support digital transformation on campus.
Watch now
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Retail experts Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; Jack Stratten of Insider Trends; and Christian Gilby, Senior Director of Product Marketing at Juniper Networks, discuss customer experiences.
See the future

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Explore events
AINN AI Innovation Impact Virtual Event

AI-Native NOW: AI Innovation and Impact

Register NOW
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Home Documentation Junos Space Security Director Junos Space Security Director User Guide Configure IPS Policy-Policies

Junos Space Security Director User Guide

keyboard_arrow_up
close
keyboard_arrow_left
Junos Space Security Director User Guide
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
keyboard_arrow_right

Creating IPS Policy Rules

date_range 08-Jul-23
arrow_backward
arrow_forward

Before You Begin

Use this page to create intrusion prevention system (IPS) rules that define actions to be taken when the matching traffic pattern is found. You can add, edit, or delete rules to an IPS policy.

You can use the predefined IPS templates while creating an IPS policy. These templates contain rules that use default actions associated with attack objects. You can customize these templates to work on your network by selecting your own source and destination addresses and choosing IPS actions that reflect your security needs.

IPS rules protect your network from attacks by using attack objects to detect known and unknown attacks based on stateful signature and protocol anomalies. IPS exempt rules prevent unnecessary alarms from being generated.

To configure an IPS policy rule:

  1. Select Configure > IPS Policy > Policies > or Templates.
  2. Click the Add Rules link in the created policy.
  3. Click Create and then select IPS Rule or Exempt Rule.
  4. Complete the configuration according to the guidelines provided in Table 1 and Table 2.
  5. Click Publish.

A new IPS rule with your configuration is created. You can use this rule in an IPS policy or an IPS policy template.

Table 1: IPS Policy Rule Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 255 characters.

IPS Type

Display the rule of the specified type. For example, IPS, Exempt.

Src. Zone

Click the Source Zone field and configure the source zone editor settings.

Source Zone Editor

Zone

Select any zone for the source. You can also use zone exceptions to specify unique to zones for each device. Specify any to monitor network traffic originating from any zone. The default value is any.

Src. Address

Click the Source Address field and configure the source address settings.

Source Address

Address Selection

Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects.

Addresses

Select one or more available IP addresses from the Available column to include in the selected list for the rule.

Add New Source Address

Click the button to add a new source address.

Dest. Zone

Click the Destination Zone field and configure the destination zone editor settings.

Destination Zone Editor

Zone

Select any zone for the destination. You can also use zone exceptions to specify unique from zones for each device. Specify any to monitor network traffic to any zone. The default value is any.

Dest. Address

Click the Destination Address field and configure the destination address settings.

Destination Address

Address Selection

Include or exclude addresses from the selected address list for the rule. You can also select to include any of the IP addresses of the source objects.

Addresses

Select one or more available IP addresses from the Available column to include in the selected list for the policy rule.

Add New Destination Address

Click the button to add a new destination address.

Service

Click the Service field and configure the service editor settings.

Service Editor

Services

Select an available services for the policy rule. For example:

  • ftp—FTP allows the sending and receiving of files between machines.

  • ssh—SSH is a program to log into another computer over a network through strong authentication and secure communications on a channel that is not secure.

  • Web—Policy allows access to users who have previously been authenticated by Web authentication.

  • User Firewall—Uses the username and role information to determine whether to permit or deny a user's session or traffic.

  • Infranet—Pushes the user and role information for all authenticated users from the Access Control Service.

The default value is Default.A service in Security Director refers to an application on a device, such as Domain Name System (DNS). Services are based on protocols and ports and when added to a policy can be applied across all devices managed by Security Director.

Add New Service

Click the button to add a new service.

IPS Signature

Click the IPS Signature field and configure the IPS signature settings.

IPS Signature

IPS Signatures

Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule.

Add New IPS Signature

Click the button to add a new IPS signature.

Action

Click the Action field and configure the action settings.

Action

Action

Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:

  • No Action—Does not take action. Use this action when you only want to generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

    Note:

    This action does not mean ignore an attack.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source IP address.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Close Client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server but not to the client.

  • Close Client and Server—Closes the connection and sends an RST packet to both the client and the server.

  • Recommended—Gives a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories. For example, severity groups attack objects by the severity assigned to the attack.

  • Diffserv Marking—Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally.

    When you select Diffserv Marking, you need to enter code value.

    • Code Point for Diffserv Marking—Enter a code point value. Based on the DSCP value, behavior aggregate classifiers set the forwarding class and loss priority for the traffic deciding the forwarding treatment the traffic receives.

Note:

The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets.

Notification Opt.

Click the Notification field and configure the notification settings.

Notification Opt.

Attack Logging

Enable this option to log attacks.

Alert Flag

Enable this option to add an alert flag to an attack log.

Log Packets

Enable this option to log packet capture when a rule matches.

Packets Before

Enter the number of packets processed before the attack is captured.

Packets After

Enter the number of packets processed after the attack is captured.

Post Window Timeout

Enter the time limit for capturing post-attack packets for a session.

No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds.

IP Action Opt.

Click the IP Action field and configure the IP action settings.

IP Action Opt.

IP Action

Select an option to apply actions on future connections that use the same IP action attributes:

  • None—Does not take any action against future traffic.

  • IP Notify—Does not take any action against future traffic but logs the event. This is the default.

  • IP Close—Closes any new sessions matching this IP action rule by sending RST packets to the client and server.

  • IP Block—All packets of any session matching the IP action rule are dropped silently.

    When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Close Session action, the next in severity is the Drop/Block Session action, and then the Notify action.

IP Target

Select an option to block future connections:

  • None—Does not match any traffic.

  • Destination Address—Matches traffic based on the destination address of the attack traffic.

  • Service—For TCP and UDP, matches traffic based on the source address, source port, destination address, and destination port of the attack traffic. This is the default.

  • Source Address—Matches traffic based on the source address of the attack traffic.

  • Source Zone—Matches traffic based on the source zone of the attack traffic.

  • Source Zone Address—Matches traffic based on the source zone and source address of the attack traffic.

  • Zone Service—Matches traffic based on the source zone, destination address, destination port, and protocol of the attack traffic.

Refresh Timeout

Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter.

Timeout Value

Enter the number of seconds that you want the IP action to remain in effect after a traffic match.

Default value is 0 seconds and the range is from 0 through 64,800 seconds.

Log Taken

Enable this option to log information about the IP action against the traffic that matches a rule.

Log Creation

Enable this option to generate a log event on the IP action filter.

Additional Opt.

Click the Additional field and configure the additional settings.

Additional Opt.

Severity

Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems.

Terminal

Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched.

Description

Enter a description for the IPS policy rule; maximum length is 4096 characters.

Table 2: IPS Policy Templates Rule Settings

Settings

Guidelines

Name

Enter a unique string of alphanumeric characters, colons, periods, dashes, and underscores. No spaces are allowed and the maximum length is 63 characters.

IPS Type

Display the rule of the specified type. For example, IPS, Exempt.

IPS Signature

Click the IPS Signature field and configure the IPS signature settings.

IPS Signature

IPS Signatures

Select one or more available IPS signatures from the Available column to include in the selected list for the policy rule.

Add New IPS Signature

Click the button to add a new IPS signature.

Action

Click the Action field and configure the action settings.

Action

Action

Select an option for the action you want IPS to take when the monitored traffic matches the attack objects specified in the rules:

  • No Action—Does not take action. Use this action when you only want to generate logs for some traffic.

  • Ignore—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

    Note:

    This action does not mean ignore an attack.

  • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents you from receiving traffic from a legitimate source IP address.

  • Drop Connection—Drops all packets associated with the connection, preventing traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

  • Close Client—Closes the connection and sends an RST packet to the client but not to the server.

  • Close Server—Closes the connection and sends an RST packet to the server but not to the client.

  • Close Client and Server—Closes the connection and sends an RST packet to both the client and the server.

  • Recommended—Gives a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories. For example, severity groups attack objects by the severity assigned to the attack.

  • Diffserv Marking—Assigns the indicated Differentiated Services code point (DSCP) value to the packet in an attack, then passes the packet on normally.

    When you select Diffserv Marking, you need to enter code value.

    • Code Point for Diffserv Marking—Enter a code point value. Based on the DSCP value, behavior aggregate classifiers set the forwarding class and loss priority for the traffic deciding the forwarding treatment the traffic receives.

Note:

The DSCP value is not applied to the first packet that is detected as an attack, but is applied to subsequent packets.

Notification Opt.

Click the Notification field and configure the notification settings.

Notification Opt.

Attack Logging

Enable this option to log attacks.

Alert Flag

Enable this option to add an alert flag to an attack log.

Log Packets

Enable this option to log packet capture when a rule matches.

Packets Before

Enter the number of packets processed before the attack is captured.

Packets After

Enter the number of packets processed after the attack is captured.

Post Window Timeout

Enter the time limit for capturing post-attack packets for a session.

No packet capture is conducted after the timeout has expired. Range is from 0 through 1800 seconds.

IP Action Opt.

Click the IP Action field and configure the IP action settings.

IP Action Opt.

IP Action

Select an option to apply actions on future connections that use the same IP action attributes:

  • None—Does not take any action against future traffic.

  • IP Notify—Does not take any action against future traffic but logs the event. This is the default.

  • IP Close—Closes any new sessions matching this IP action rule by sending RST packets to the client and server.

  • IP Block—All packets of any session matching the IP action rule are dropped silently.

    When traffic matches multiple rules, the most severe IP action of all matched rules is applied. The most severe IP action is the Close Session action, the next in severity is the Drop/Block Session action, and then the Notify action.

IP Target

Select an option to block future connections:

  • None—Does not match any traffic.

  • Destination Address—Matches traffic based on the destination address of the attack traffic.

  • Service—For TCP and UDP, matches traffic based on the source address, source port, destination address, and destination port of the attack traffic. This is the default.

  • Source Address—Matches traffic based on the source address of the attack traffic.

  • Source Zone—Matches traffic based on the source zone of the attack traffic.

  • Source Zone Address—Matches traffic based on the source zone and source address of the attack traffic.

  • Zone Service—Matches traffic based on the source zone, destination address, destination port, and protocol of the attack traffic.

Refresh Timeout

Enable this option to refresh the IP action timeout so it does not expire when future connections match the IP action filter.

Timeout Value

Enter the number of seconds that you want the IP action to remain in effect after a traffic match.

Default value is 0 seconds and the range is from 0 through 64,800 seconds.

Log Taken

Enable this option to log information about the IP action against the traffic that matches a rule.

Log Creation

Enable this option to generate a log event on the IP action filter.

Additional Opt.

Click the Additional field and configure the additional settings.

Additional Opt.

Severity

Select a severity level to override the inherited attack severity in the rules. Levels, in order of increasing severity, are info, warning, minor, major, and critical. The most dangerous level is critical, which attempts to crash your server or gain control of your network. Informational is the least dangerous level and is used by network administrators to discover holes in their security systems.

Terminal

Enable this option to set a terminal rule flag. The device stops matching rules for a session when a terminal rule is matched.

Description

Enter a description for the IPS policy rule; maximum length is 1024 characters.

Related Documentation

arrow_backward PREVIOUS Creating IPS Policies
NEXT arrow_forward Publishing Policies
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top