
    Understanding the APE Rulebase

    The APE rulebase (application policy enforcement) leverages the application identification feature to enable you to manage network traffic based on application. APE rules match source-destination-application criteria. APE rules do not use attack objects.

    You can configure rule actions to meet application policy enforcement objectives. For example:

    • To use the IDP Series device like an application firewall, you can specify drop or close actions. Matching traffic is terminated at the IDP Series device.
    • To set a cap on available bandwidth for disfavored applications or use of certain applications by certain users, you can specify a rate limiting action. When the limit is reached, the IDP Series device begins dropping matching traffic.
    • To support deployments where you use other network equipment to implement quality-of-service (QoS) guarantees, you can specify a DiffServ marker action. If a session matches a rule, the IDP engine applies the DSCP marker to the session packets before transmitting them.

    Any traffic not terminated by APE rules can be inspected subsequently by the IDP rulebase and other rulebases.

    When you create rules for the APE rulebase, you specify:

    • Match conditions
    • An action
    • Notification options
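
A simplified model of the evaluation described above, added here as an illustration; it is not Juniper code or IDP configuration syntax. The first-match ordering, the byte-budget form of rate limiting, and all rule values, addresses and application names are assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ApeRule:
    src: str              # match condition: source network (CIDR)
    dst: str              # match condition: destination network (CIDR)
    app: str              # match condition: identified application; "any" matches all
    action: str           # "drop", "close", "rate-limit" or "dscp"
    limit_bytes: int = 0  # rate-limit: byte budget (assumed, simplified model)
    dscp: int = 0         # dscp: marker value applied to session packets
    log: bool = False     # notification option
    used: int = 0         # bytes counted against the budget so far

    def matches(self, s):
        return (ipaddress.ip_address(s["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(s["dst"]) in ipaddress.ip_network(self.dst)
                and self.app in ("any", s["app"]))

def evaluate(rules, session):
    """Return (verdict, dscp, log); 'to-idp' means APE did not terminate it."""
    for rule in rules:  # assumption: the first matching rule decides
        if not rule.matches(session):
            continue
        if rule.action in ("drop", "close"):      # application-firewall use
            return ("terminated", None, rule.log)
        if rule.action == "rate-limit":           # pass until the cap is reached
            rule.used += session["bytes"]
            over = rule.used > rule.limit_bytes
            return ("terminated" if over else "to-idp", None, rule.log)
        if rule.action == "dscp":                 # mark, then transmit
            return ("to-idp", rule.dscp, rule.log)
    return ("to-idp", None, False)  # no APE match: left to the IDP rulebase

def demo():
    # Constructed policy and sessions; application names are placeholders.
    rules = [
        ApeRule("10.0.0.0/8", "0.0.0.0/0", "p2p-app", "drop", log=True),
        ApeRule("10.1.0.0/16", "0.0.0.0/0", "video-app", "rate-limit", limit_bytes=1000),
        ApeRule("10.0.0.0/8", "198.51.100.0/24", "voip-app", "dscp", dscp=46),
    ]
    sessions = [
        {"src": "10.2.3.4", "dst": "192.0.2.10", "app": "p2p-app", "bytes": 500},
        {"src": "10.1.0.7", "dst": "192.0.2.20", "app": "video-app", "bytes": 800},
        {"src": "10.1.0.7", "dst": "192.0.2.20", "app": "video-app", "bytes": 800},
        {"src": "10.2.3.4", "dst": "198.51.100.5", "app": "voip-app", "bytes": 200},
        {"src": "10.2.3.4", "dst": "192.0.2.30", "app": "other-app", "bytes": 100},
    ]
    return [evaluate(rules, s) for s in sessions]
```

Calling `demo()` returns one verdict per constructed session, in order: dropped peer-to-peer traffic, video passed and then cut off at the cap, marked voice traffic, and an unmatched session left for the IDP rulebase.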

    Published: 2011-02-08