Configuring the APE Rulebase (NSM Procedure)
The application policy enforcement (APE) rulebase enables you to limit bandwidth for specified users and applications.
Figure 1 shows the APE rulebase in the NSM security policy editor, where you can modify APE rules. Table 1 describes the rule settings you can configure.
Figure 1: NSM Security Policy Editor: APE Rulebase

To create APE rulebase rules:
- In the NSM navigation tree, select Policy Manager > Security Policies.
- Select the security policy to which you want to add APE rulebase rules.
- Add the APE rulebase by clicking the + icon in the upper right region of the Security Policy viewer and selecting Add Application Rulebase.
- Add a rule by clicking the + icon within the rules viewer.
- Modify rule settings by right-clicking the table cell for the setting and making your selection.
- Click OK to save your changes.
Tip: In NSM, you can jump from the Profiler > Application Profiler tab to the Security Policy Editor by right-clicking the application name in the Profiler log and selecting a new or existing security policy. For details, see the NSM online Help.
Table 1: APE Rulebase Rule Properties
| Setting | Function |
|---|---|
| No. | Adds, deletes, copies, or reorders rules. Right-click the table cell for the rule number and make your selection. The APE rulebase is a terminal rulebase: rules are evaluated in numerical order, the first rule to match is applied, and subsequent rules are not processed. |
| Match | Source–Requires one of the specified source IP addresses to match the session for the rule to be applied. You can add address objects for hosts, groups, or network address ranges. Specify Any to not use source as a key to your match. Note: If a value for User Role matches, the Source parameter is not used. |
| | User Role–Requires one of the specified user roles to match the session for the rule to be applied. If a value for User Role matches, the Source parameter is not consulted. Matching based on user role depends on integration with a compatible Juniper Networks IC Series Unified Access Control appliance. |
| | Destination–Requires one of the specified destination IP addresses to match the session for the rule to be applied. You can add address objects for hosts, groups, or network address ranges. Specify Any to not use destination as a key to your match. |
| | Service–Requires one of the specified services to match the session for the rule to be applied. Services are Application Layer protocols that define how data is structured as it travels across the network. The IDP engine can inspect services that use the TCP, UDP, RPC, and ICMP transport layer protocols. If the application running on the destination server uses standard ports, you can select from predefined services. If it uses nonstandard ports, you must create a custom service object. If you specify named values for both service and application, only the application value is used. We recommend you specify Default for the service parameter and configure the application parameter instead. Specify Any to not use service as a key to your match. Note: To apply an APE action to all traffic matching the source and destination parameters, set both the service parameter and the application parameter to Any. |
| | Application–Requires one of the specified applications to match the session for the rule to be applied. The predefined list of applications is populated by the application identification feature, which identifies the application regardless of port. Port-independent application identification simplifies rule configuration and ensures you do not miss applications running on nonstandard ports. For this reason, we recommend you use the application parameter instead of the service parameter whenever possible. If you specify named values for both service and application, only the application value is used. Specify Any to not use application as a key to your match. Note: To apply an APE action to all traffic matching the source and destination parameters, set both the service parameter and the application parameter to Any. |
| | VLAN–Requires one of the specified VLAN tags to match the session for the rule to be applied. Specify Any to not use VLAN tag as a key to your match. |
| Action | Rate Limit–Enforces a rate limit for all current sessions that match the rule. If the limit has not been reached, the IDP appliance forwards the packets. If the limit has been reached, the IDP appliance behaves as if no bandwidth is available: it drops packets until the aggregate bandwidth falls below the limit. When the IDP appliance drops packets, the TCP or UDP endpoints detect the packet loss and slow down their transmission rate. The rate limits that make sense for your business case depend on the bandwidth of your links. If you have a 1-Gbps link and want no more than 10% available to peer-to-peer traffic, the sum of the rate limits you specify for all peer-to-peer rules should be less than 102.4 Mbps (in each direction). You configure separate rate limits for the client-to-server and server-to-client directions. For peer-to-peer traffic, we recommend you set the same rate for each direction. Note: For TFTP traffic, all traffic is counted as client-to-server traffic. A TFTP server responds to get requests by establishing an ephemeral port from which to send the reply, so both directions appear to the IDP appliance as client-to-server flows. In this case too, we recommend you set the same rate for each direction. |
| | None–Does not perform rate limiting. Logs generated for traffic that matches this rule display Accepted. |
| | Close Client and Server–Closes the connection and sends an RST packet to both the client and the server. If the IDP appliance is in sniffer mode, it sends an RST packet to both the client and the server but does not close the connection. |
| | Close Client–Closes the connection to the client but not to the server. |
| | Close Server–Closes the connection to the server but not to the client. |
| | DiffServ Marking–Assigns the DiffServ value you specify to the packet. Note: The marking has no effect in sniffer mode. |
| | Drop Connection–Drops the connection without sending an RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. |
| Notification | Specifies logging options. Right-click the table cell and select Configure to display a dialog box where you can configure logging options. Note: Packet capture is not applicable to APE rulebase rules. |
| Severity | Specifies rule severity. This setting is optional. Right-click the table cell and select a severity rating to appear in logs generated when sessions match the rule. |
| Install On | Specifies the target IDP appliances for the rule. By default, IDP security policy rules can be applied to any IDP appliance. Right-click the table cell and select Select Target to display a dialog box where you can specify the IDP devices on which the rule can be installed. |
| Comments | Adds notations about the rule. This setting is optional. Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule. Comments do not affect the functionality of the security policy rule. |
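The matching semantics in Table 1 (terminal rulebase with first match wins, a matched User Role overriding Source, a named Application overriding Service, Any as a wildcard) and the per-direction rate budget can be checked with a small model. This is an added example, not NSM or IDP code; the rule and session field names and the sample rules are assumptions constructed to mirror the table.

```python
# Added example, not Juniper's code: a constructed model of the APE rulebase
# matching rules in Table 1. Field names are assumptions; "Any" = not a match key.
from dataclasses import dataclass, field
ANY = "Any"

@dataclass
class ApeRule:
    no: int
    action: str  # e.g. "Rate Limit", "None", "Drop Connection"
    source: set = field(default_factory=lambda: {ANY})
    user_role: set = field(default_factory=lambda: {ANY})
    destination: set = field(default_factory=lambda: {ANY})
    service: set = field(default_factory=lambda: {ANY})
    application: set = field(default_factory=lambda: {ANY})

def _hit(allowed, value):
    return ANY in allowed or value in allowed

def rule_matches(rule, s):
    # A named User Role that matches takes precedence: Source is not consulted.
    if ANY in rule.user_role:
        if not _hit(rule.source, s.get("source")):
            return False
    elif s.get("user_role") not in rule.user_role:
        return False
    # A named Application wins over Service; Service is keyed only when Application is Any.
    if ANY in rule.application:
        if not _hit(rule.service, s.get("service")):
            return False
    elif s.get("application") not in rule.application:
        return False
    return _hit(rule.destination, s.get("destination"))

def first_match(rules, s):
    # Terminal rulebase: rules are tried in numerical order and the first hit wins.
    for rule in sorted(rules, key=lambda r: r.no):
        if rule_matches(rule, s):
            return rule
    return None

def within_rate_budget(limits_mbps, link_mbps, share):
    # Per direction, a class's limits must sum below its link share (10% of 1 Gbps: < 102.4 Mbps).
    return sum(limits_mbps) < link_mbps * share

# Constructed rules: role-keyed P2P limit, address-keyed TFTP drop, logging catch-all.
RULES = [
    ApeRule(1, "Rate Limit", user_role={"Guest"}, application={"BitTorrent"}),
    ApeRule(2, "Drop Connection", source={"10.1.1.5"}, service={"tftp"}, application={"TFTP"}),
    ApeRule(3, "None"),
]
```

Rule 2 shows the Service/Application precedence: a session from 10.1.1.5 identified as TFTP matches it even when its service value is not "tftp", because the named application is the only key used.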