Create and Manage IPS Rules
Create IPS Rules
You can create intrusion prevention system (IPS) rules only for customized IPS profiles.
1. Select Secure Edge > Security Subscriptions > IPS.
   The IPS Policy page appears.
2. Click the plus icon on the IPS Rules tab.
   The parameters for an IPS rule are displayed inline at the top of the page.
3. Complete the configuration according to the following guidelines:
Table 1: Create IPS Rule Settings

Setting: Name
Guideline: Juniper Secure Edge generates a unique rule name by default. You can modify the name.
The name must begin with an alphanumeric character and can contain a maximum of 63 characters, including alphanumeric characters and some special characters, such as colons, hyphens, forward slashes, periods, and underscores.

Setting: Description
Guideline: Enter a description of up to 1024 characters for the rule.

Setting: IPS Signatures
Guideline: Add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule:
   1. Click the plus icon inside the text box. A list of IPS signatures and IPS signature static and dynamic groups opens.
   2. (Optional) Click the plus icon to add signatures. The Add IPS Signatures popup window opens.
   3. (Optional) Enter a search term and press Enter to filter the list of items displayed.
   4. Click a list item to add it to the IPS signatures and IPS signature static or dynamic groups associated with the rule.
   5. (Optional) Repeat the preceding step to add more signatures, static groups, and dynamic groups.

Setting: Action
Guideline: Select the action to be taken when the monitored traffic matches the attack objects specified in the rule:
- Recommended (default)—Uses the action that Juniper Networks recommends when an attack is detected. All predefined attack objects have a default action associated with them.
- No action—No action is taken. Use this action to only generate logs for some traffic.
- Drop Connection—Drops all packets associated with the connection and prevents traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.
- Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents traffic from a legitimate source IP address.
- Close Client—Closes the connection and sends an RST packet to the client, but not to the server.
- Close Server—Closes the connection and sends an RST packet to the server, but not to the client.
- Close Client and Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.
- Ignore Connection—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

Setting: Options
Guideline: Enable the Log attacks option to create a log.
4. Click the check mark icon to save your changes.
   The changes are saved and a confirmation message is displayed at the top of the page.
You can use the IPS profile in a firewall policy intent. When you deploy the firewall policy on the device, the IPS and exempt rules associated with the profile are also deployed.
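As an added example (not Juniper's code and not a product API), a small Python linter that checks a set of rule definitions against the Table 1 constraints and the Action guidance above: name format and length, description length, an empty signature list, a No action rule with logging off, and Drop Connection applied to spoofable UDP traffic. The rule dictionary schema, the `transport` field, and treating the page's example special characters as the complete allowed set are assumptions.

```python
import re

# Actions exactly as the IPS rule form lists them (from the page).
ACTIONS = {"Recommended", "No action", "Drop Connection", "Drop Packet",
           "Close Client", "Close Server", "Close Client and Server",
           "Ignore Connection"}
# Name constraint from Table 1; assuming the page's example characters (: - / . _) are the full set.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9:\-/._]{0,62}$")
MAX_DESCRIPTION = 1024
# "transport" is an assumption of this example (not a form field), used for the Drop Connection caveat.
SPOOFABLE = {"udp"}

def lint_rule(rule):
    """Return findings for one rule dict (constructed schema)."""
    findings, name = [], rule.get("name", "")
    if not NAME_RE.match(name):
        findings.append(f"{name!r}: name must start alphanumeric, <=63 chars of [A-Za-z0-9:-/._]")
    if len(rule.get("description", "")) > MAX_DESCRIPTION:
        findings.append(f"{name}: description exceeds {MAX_DESCRIPTION} chars")
    if not rule.get("signatures"):
        findings.append(f"{name}: rule references no signatures or groups")
    action = rule.get("action", "Recommended")
    if action not in ACTIONS:
        findings.append(f"{name}: unknown action {action!r}")
    if action == "No action" and not rule.get("log_attacks", False):
        findings.append(f"{name}: 'No action' without 'Log attacks' neither blocks nor logs")
    if action == "Drop Connection" and rule.get("transport") in SPOOFABLE:
        findings.append(f"{name}: 'Drop Connection' on {rule['transport']} can deny service "
                        "to a spoofed source address; prefer 'Drop Packet'")
    return findings

def lint_rules(rules):
    """Lint every rule and flag duplicate names across the set."""
    findings, seen = [], set()
    for rule in rules:
        findings.extend(lint_rule(rule))
        if rule.get("name") in seen:
            findings.append(f"{rule['name']}: duplicate rule name")
        seen.add(rule.get("name"))
    return findings

SAMPLE_RULES = [  # constructed; signature names are placeholders
    {"name": "web-critical", "description": "Web attacks", "action": "Recommended",
     "signatures": ["SIG-PLACEHOLDER-1"], "log_attacks": True, "transport": "tcp"},
    {"name": "dns-anomaly", "signatures": ["SIG-PLACEHOLDER-2"],
     "action": "Drop Connection", "log_attacks": True, "transport": "udp"},
    {"name": "-bad name", "signatures": [], "action": "No action"},
]

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```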
Manage IPS Rules
- Edit—Select the rule, and then click the pencil icon. You can edit IPS rules associated only with customized IPS profiles, and not the rules associated with predefined (system-generated) profiles. If the IPS rule belongs to an IPS profile that is referenced in a firewall policy intent, then the firewall policy is marked for deployment. You must deploy the firewall policy for the changes to take effect on the device.
- Clone—Select the rule, and then click More > Clone. You can clone IPS rules associated only with customized IPS profiles, and not rules associated with predefined (system-generated) profiles.
- Delete—Select the rule, and then click the trash can icon. You can delete IPS rules associated only with customized IPS profiles, and not the rules associated with predefined (system-generated) profiles. If the deleted IPS rule belongs to an IPS profile that is referenced in a firewall policy intent, then the firewall policy is marked for deployment. You must deploy the firewall policy for the changes to take effect on the device.
). You can delete IPS rules associated only with customized IPS profiles, and not the rules associated with predefined (system-generated) profiles. If the deleted IPS rule belongs to an IPS profile that is referenced in a firewall policy intent, then the firewall policy is marked for deployment. You must deploy the firewall policy for the changes to take effect on the device.