From zone/To zone

Not applicable for standalone IDP appliances.

Source

Requires one of the specified source IP addresses to match the session for the rule to be applied. You can add address objects for hosts, groups, or network address ranges.

You must choose between source IP address or user role as match criteria for a rule. You cannot configure both for one rule.

Specify Any to not use source as a key to your match.

Note: If a value for user role matches, the source parameter is not used.

User Role

Requires one of the specified user roles to match the session for the rule to be applied.

You must choose to configure either source IP address or user role as match criteria for a rule. User role-based rules are evaluated before IP address-based rules. If a user-role based rule matches, the rule is applied and IP address-based rules are not consulted.

Matching based on user role depends on integration with a Juniper Networks IC Series Unified Access Control appliance.

Destination

Requires one of the specified destination IP addresses to match the session for the rule to be applied. You can add address objects for hosts, groups, or network address ranges.

Specify Any to not use destination as a key to your match.

Service

Requires one of the specified services to match the session for the rule to be applied. Services are Application Layer protocols that define how data is structured as it travels across the network. The IDP engine can inspect services that use TCP, UDP, RPC, and ICMP Transport Layer protocols. If the application running on the destination server uses standard ports, you can select from predefined services. If the application running on the destination server uses nonstandard ports, you must create a custom service object.

If you specify named values for both service and application, only the application value is used.

We recommend you specify Default for the service parameter and configure the application parameter instead.

Specify Any to not use service as a key to your match.

Note: To apply an APE action to all traffic matching source and destination parameters, set both the service parameter and the application parameter to Any.

Application

Requires one of the specified applications to match the session for the rule to be applied. The predefined list of applications is populated by the application identification feature. The application identification feature identifies the application regardless of port. Port-independent application identification simplifies rule configuration and ensures you do not miss applications running on nonstandard ports. For this reason, we recommend you use the application parameter instead of the service parameter whenever possible.

If you specify named values for both service and application, only the application value is used.

Specify Any to not use application as a key to your match.

Note: To apply an APE action to all traffic matching source and destination parameters, set both the service parameter and the application parameter to Any.

VLAN

Requires one of the specified VLAN tags to match the session for the rule to be applied.

Specify Any to not use VLAN tag as a key to your match.

Tip: You can use Profiler to identify the destination servers and services that are included in your network. In NSM, you can create address objects and service objects to facilitate configuration. One benefit of using objects is that you can configure them once and then use them in multiple rules. For details, see the NSM online Help.