Create IPS Rule
You can create intrusion prevention system (IPS) rules only for customized IPS profiles.
To create an IPS rule:
- Select Secure Edge > Security Subscriptions > IPS.
  The IPS Policy page appears.
- Click the add (+) icon on the IPS Rules tab.
  The parameters for an IPS rule are displayed inline at the top of the page.
- Complete the configuration according to the guidelines in Table 1.
- Click the check mark (✓) to save your changes.
  The changes are saved and a confirmation message is displayed at the top of the page.
You can use the IPS profile in a firewall policy intent. When you deploy the firewall policy on the device, the IPS and exempt rules associated with the profile are also deployed.
Table 1: Create IPS Rule Settings

Setting: Name
Guideline: Juniper Security Edge generates a unique rule name by default. You can modify the name.
The name must begin with an alphanumeric character and can contain a maximum of 63 characters, which includes alphanumeric characters and some special characters, such as colons, hyphens, forward slashes, periods, and underscores.

Setting: Description
Guideline: Enter a description of up to 1024 characters for the rule.

Setting: IPS Signatures
Guideline: Add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule:
- Click the + icon inside the text box.
  A list of IPS signatures and IPS signature static and dynamic groups opens.
- (Optional) Click the add (+) icon to add signatures. The Add IPS Signatures popup window opens.
- (Optional) Enter a search term and press Enter to filter the list of items displayed.
- Click a list item to add it to the IPS signatures and IPS signature static or dynamic groups associated with the rule.
- (Optional) Repeat the preceding step to add more signatures, static groups, and dynamic groups.

Setting: Action
Guideline: Select the action to be taken when the monitored traffic matches the attack objects specified in the rule:
- Recommended (default)—Uses the action that Juniper Networks recommends when an attack is detected. All predefined attack objects have a default action associated with them.
- No action—No action is taken. Use this action to only generate logs for some traffic.
- Drop Connection—Drops all packets associated with the connection and prevents traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.
- Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents traffic from a legitimate source IP address.
- Close Client—Closes the connection and sends an RST packet to the client, but not to the server.
- Close Server—Closes the connection and sends an RST packet to the server, but not to the client.
- Close Client and Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.
- Ignore Connection—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

Setting: Options
Guideline: Enable the Log attacks option to create a log entry when the rule matches.
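The action descriptions above are easy to misread in one respect: Drop Packet leaves the session alive, Drop Connection and the Close actions end it (the Close variants additionally tell one or both endpoints with an RST), and Ignore Connection stops inspection entirely, so a second attack later in the same connection is never seen. The following added example (not code from the page or from Juniper; it is a simplified behavioural model written for this page) runs one constructed connection through every action so those differences are visible side by side. The signature names `TOY-SIG-A` and `TOY-SIG-B` and the `Signature`, `Packet`, `Outcome` and `apply_rule` names are all constructed for the illustration; the assumption that a closed or dropped connection silently discards all later packets is the model's, not something the page states.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Action(Enum):
    """The eight rule actions from Table 1, keyed by their UI names."""
    RECOMMENDED = "Recommended"
    NO_ACTION = "No action"
    DROP_CONNECTION = "Drop Connection"
    DROP_PACKET = "Drop Packet"
    CLOSE_CLIENT = "Close Client"
    CLOSE_SERVER = "Close Server"
    CLOSE_CLIENT_AND_SERVER = "Close Client and Server"
    IGNORE_CONNECTION = "Ignore Connection"


@dataclass
class Signature:
    name: str
    recommended: Action   # default action bundled with a predefined attack object


@dataclass
class Packet:
    seq: int
    direction: str                  # "c2s" (client to server) or "s2c"
    matches: Optional[str] = None   # signature this packet would trigger, if any


@dataclass
class Outcome:
    forwarded: List[int] = field(default_factory=list)
    dropped: List[int] = field(default_factory=list)
    detected: List[str] = field(default_factory=list)
    reset_sent_to: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)


CLOSE_ACTIONS = {Action.CLOSE_CLIENT, Action.CLOSE_SERVER, Action.CLOSE_CLIENT_AND_SERVER}


def apply_rule(packets: List[Packet], signatures: Dict[str, Signature],
               action: Action, log_attacks: bool = True) -> Outcome:
    """Walk one connection's packets through a rule and record what the action does.

    Modelling assumption (not stated on the page): once Drop Connection or a Close
    action fires, every later packet of that connection is discarded.
    """
    out = Outcome()
    connection_blocked = False   # set by Drop Connection / Close *
    scanning = True              # cleared by Ignore Connection

    for p in packets:
        if connection_blocked:
            out.dropped.append(p.seq)
            continue
        sig = signatures.get(p.matches) if (scanning and p.matches) else None
        if sig is None:
            out.forwarded.append(p.seq)
            continue

        out.detected.append(sig.name)
        if log_attacks:   # the "Log attacks" option from the Options row
            out.log.append(f"attack={sig.name} seq={p.seq} dir={p.direction}")

        # Recommended defers to the per-signature default action.
        effective = sig.recommended if action is Action.RECOMMENDED else action
        if effective is Action.NO_ACTION:
            out.forwarded.append(p.seq)          # log only
        elif effective is Action.DROP_PACKET:
            out.dropped.append(p.seq)            # this packet only; session survives
        elif effective is Action.DROP_CONNECTION:
            out.dropped.append(p.seq)
            connection_blocked = True            # silently, no RST to either side
        elif effective in CLOSE_ACTIONS:
            out.dropped.append(p.seq)
            connection_blocked = True
            if effective in (Action.CLOSE_CLIENT, Action.CLOSE_CLIENT_AND_SERVER):
                out.reset_sent_to.append("client")
            if effective in (Action.CLOSE_SERVER, Action.CLOSE_CLIENT_AND_SERVER):
                out.reset_sent_to.append("server")
        elif effective is Action.IGNORE_CONNECTION:
            out.forwarded.append(p.seq)
            scanning = False                     # later attacks in this flow go unseen
    return out


# Constructed sample: one connection with two packets that match two toy
# signatures (placeholder names, not real Juniper attack objects).
SIGNATURES = {
    "TOY-SIG-A": Signature("TOY-SIG-A", recommended=Action.DROP_PACKET),
    "TOY-SIG-B": Signature("TOY-SIG-B", recommended=Action.DROP_CONNECTION),
}
CONNECTION = [
    Packet(1, "c2s"), Packet(2, "s2c"),
    Packet(3, "c2s", matches="TOY-SIG-A"), Packet(4, "s2c"),
    Packet(5, "c2s", matches="TOY-SIG-B"), Packet(6, "s2c"),
]


def compare_actions() -> Dict[str, Outcome]:
    """Run the same connection under every action so the differences are visible."""
    return {a.value: apply_rule(CONNECTION, SIGNATURES, a) for a in Action}


if __name__ == "__main__":
    for name, o in compare_actions().items():
        print(f"{name:24} fwd={o.forwarded} drop={o.dropped} "
              f"detected={o.detected} rst={o.reset_sent_to}")
```

Reading the output for Ignore Connection against Drop Packet shows the point that matters for detection coverage: both forward most of the connection, but only Drop Packet still reports the second signature, which is why Ignore Connection is a deliberate "stop looking at this flow" choice rather than a softer drop.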