
    Understanding APE Rulebase Match Conditions

    The APE rulebase is a terminal rulebase. Rules are evaluated in numerical order. The first rule to match is applied, and subsequent rules are not processed.

    If an APE rule matches but its action does not drop the connection, the IDP system still processes the other rulebases to inspect the connection for attacks. If an attack rule determines that the connection should be closed or dropped, that action is taken and the APE rate-limiting action is no longer needed.

    The matching tuple for APE rules includes the following elements:

    • Source or user role
    • Destination
    • Service or the combined list of applications and extended applications
    • VLAN tag

    The Boolean logic of the matching tuple is as follows:

    (src OR user role) AND destination AND vlan AND (service OR application list)

    Note: You can use the Any wildcard to “remove” a property from the tuple. For example, if you specify Any for source, destination, or VLAN tag, you create a “traffic lane” that treats all traffic matching the specified application the same. However, Any has a different significance in the service and application columns. When setting the service, application, or extended application columns, follow the guidelines in Table 1.

    Table 1 provides guidelines for setting IDP rulebase match conditions.

    Table 1: APE Rulebase Match Condition Guidelines (each entry gives the Setting, followed by the Guideline for that setting)

    From zone/To zone

    Not applicable to IDP Series devices.

    Source

    Requires one of the specified source IP addresses to match the session in order for the rule to be applied. You can add address objects for hosts, groups, or network address ranges.

    A rule can specify matching criteria for Source IP or user role, but not both. A policy can include rules that match on Source IP and rules that match on user role.

    Note: If a value for user role matches, the source parameter is not used.

    User Role

    Requires one of the specified user roles to match the session in order for the rule to be applied.

    A rule can specify matching criteria for Source IP or user role, but not both. In a rulebase, the user-role-based rules are evaluated before the IP-address-based rules. If a user-role-based rule matches, that rule is applied and the IP-address-based rules are not consulted.

    Matching based on user role depends on integration with a Juniper Networks IC Series UAC device.

    Destination

    Requires one of the specified destination IP addresses to match the session for the rule to be applied. You can add address objects for hosts, groups, or network address ranges.

    Service

    Requires a match of one of the specified services.

    A single rule can match a service object definition or an application list, but not both. We recommend you create rules that match an application list whenever possible. Matching based on application uses the application identification feature, which can identify the application regardless of port. We support rules that match service object definitions for cases where there is not a suitable application object.

    If your rule includes application or extended application objects, specify Default for the service parameter.

    If you do not want to match on service or application list, specify Any for all three (service, application, and extended application).

    If there are no suitable application objects, create a rule that uses the service object and set the application and extended application columns to Any.

    If the service uses standard ports, you can select from predefined services. If the service uses nonstandard ports, you can create a custom service object. The IDP engine can inspect services that use TCP, UDP, RPC, and ICMP transport layer protocols.

    Application

    Requires one of the specified applications to match the session for the rule to be applied.

    You use the Application and Extended Application columns to build a list of applications to match the rule. You can specify individual applications or application groups. When you add a group, you are in effect adding its members to the list. The group object itself is not evaluated. The list is evaluated as a Boolean OR, so if one of the application or extended application objects specified in the rule is identified, the “service or application” component of the tuple matches. If any application or member of a group matches, the rule matches.

    The predefined list of applications is populated by the application signatures included in J-Security Center signature updates. The application identification feature uses both heuristic methods and signature pattern matching to identify the application regardless of port. Port-independent application identification simplifies rule configuration and ensures that you do not miss applications that are running on nonstandard ports. For this reason, we recommend that you use the application parameter instead of the service parameter whenever possible.

    Specify Any in the Application column when creating a service-based rule or when creating an application-based rule where the application list consists only of extended application objects.

    Note: Extended application matching is more granular than application matching. Do not select HTTP in the application column if you also plan to specify extended application objects in the same rule. If you specify HTTP and HTTP:Facebook, for example, the rule matches HTTP or HTTP:Facebook. The result is indistinguishable from a rule matching only HTTP.

    Extended Application

    Requires one of the specified extended applications to match the session for the rule to be applied. Extended applications are also called nested applications. The Juniper Networks Security Center (J-Security Center) provides predefined application signatures for many Web 2.0 applications running over HTTP. Matching on these signatures depends on the application identification feature, which is enabled by default.

    You use the Application and Extended Application columns to build a list of applications to match the rule. The list is evaluated as a Boolean OR, so if one of the application or extended application objects specified in the rule is identified, the “service or application” component of the tuple matches.

    Specify Any in the Extended Application column when you are creating a service-based rule or when you are creating an application-based rule where the application list consists only of application objects.

    VLAN

    Requires one of the specified VLAN IDs to match the session for the rule to be applied.

    Specifying Any effectively removes VLAN ID from the tuple.

    Tip: You can use Profiler to identify the destination servers and services that are included in your network. In NSM, you can create address objects and service objects to facilitate configuration. One benefit of using objects is that you can configure them once and then use them in multiple rules. For details, see the NSM online Help.
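The following is an added example, not code from the Juniper documentation or the IDP product: a small evaluator that models the match tuple and the Table 1 guidelines above (user-role rules before IP rules, first match wins, Any wildcards, and the application list as a Boolean OR). The rule fields, session dictionary, and the HTTP / HTTP:Facebook names are constructed for illustration, not the product's data model.

```python
# Added example: models the APE tuple
#   (src OR user role) AND destination AND vlan AND (service OR application list)
# Field names and the session format are assumptions made for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

@dataclass
class ApeRule:
    name: str
    action: str
    source: object = ANY        # list of CIDR strings, or ANY
    user_role: object = ANY     # list of role names, or ANY (never used with source)
    destination: object = ANY   # list of CIDR strings, or ANY
    vlan: object = ANY          # list of VLAN IDs, or ANY (Any drops VLAN from the tuple)
    service: object = ANY       # list of service names, "Default" with an app list, or ANY
    applications: object = ANY  # list of application / extended application names, or ANY

def _in_cidrs(addr, cidrs):
    return cidrs == ANY or any(ip_address(addr) in ip_network(c) for c in cidrs)

def rule_matches(rule, session):
    """Evaluate one rule against a session dict (src, dst, vlan, user_role, service, apps)."""
    if rule.user_role != ANY:
        # A user-role rule ignores the source column (Table 1, Source note).
        src_ok = session.get("user_role") in rule.user_role
    else:
        src_ok = _in_cidrs(session["src"], rule.source)
    dst_ok = _in_cidrs(session["dst"], rule.destination)
    vlan_ok = rule.vlan == ANY or session.get("vlan") in rule.vlan
    if rule.applications != ANY:
        # Application list is a Boolean OR over the identified application names;
        # the service column is expected to be Default here and is not consulted.
        svc_ok = bool(set(rule.applications) & set(session.get("apps", [])))
    elif rule.service == ANY:
        svc_ok = True  # Any for service, application and extended application: no service match
    else:
        svc_ok = session.get("service") in rule.service
    return src_ok and dst_ok and vlan_ok and svc_ok

def first_match(rules, session):
    """Terminal rulebase: user-role rules are consulted before IP rules; first match wins."""
    ordered = [r for r in rules if r.user_role != ANY] + [r for r in rules if r.user_role == ANY]
    for rule in ordered:
        if rule_matches(rule, session):
            return rule.name
    return None
```

A session identified as HTTP:Facebook is also identified as HTTP, so a rule listing both HTTP and HTTP:Facebook behaves exactly like a rule listing only HTTP, as the Application note above warns.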


    Published: 2011-02-08