    Specifying Rule Match Conditions (NSM Procedure)

    The IDP engine inspects the session beginning with the first packet to determine whether the session matches a rule. If the session matches all rule settings for source, destination, service, and VLAN tag ID, the IDP engine decodes the traffic and inspects the session packets for the attack objects specified in the rule. If the first packet matches only some of the rule settings, the rule is not a match. Table 1 describes the match condition columns for IDP rulebase rules.

    To modify rule match settings:

    1. In the NSM navigation tree, select Policy Manager > Security Policies.
    2. Select the security policy you want to edit.
    3. In the security policy pane, click the IDP tab to display the IDP rulebase table.
    4. Modify a rule match setting by right-clicking the table cell for the setting and making your selection.
    5. Click OK to save your changes.

    Table 1: IDP Rulebase Match Condition Settings (each column name is followed by its description)

    From zone/To zone
        Not applicable for IDP Series appliances.

    Source
        Select Address—Displays the Select Source Address dialog box, where you can select or configure address objects for traffic sources.

        Any—Turns off matching on source IP address. To guard against incoming attacks, which might come from anywhere, you typically specify Any.

        Negate—Matches any source address except those specified. To use address negation:

        1. Add the address object.
        2. Right-click the address object and select Negate.

    User Role
        Select User Role—Displays the Select User Role dialog box, where you can select or configure user role matches.

        For each rule, you must choose either source IP address or user role as the match criterion. User-role-based rules are evaluated before IP address-based rules. If a user-role-based rule matches, that rule is applied and IP address-based rules are not consulted.

        Note: Matching based on user role depends on integration with a compatible Juniper Networks IC Series Unified Access Control appliance.

    Destination
        Select Address—Displays the Select Destination Address dialog box, where you can select or configure address objects for destination servers.

        Any—Turns off matching based on destination IP address.

        Negate—Matches any destination address except those specified. To use address negation:

        1. Add the address object.
        2. Right-click the address object and select Negate.

    Service
        Default—Matches the service(s) specified in the rule's attack object(s).

        With the application identification feature enabled, the IDP engine identifies services even when they run on nonstandard ports. Application identification is enabled by default.

        If you have disabled application identification and specify Default, the IDP engine assumes that standard ports are used for the service.

        Note: If you disable application identification and your service uses nonstandard ports, you must create a custom service object.

        Any—Turns off matching based on service.

        Select Service—Displays the Select Services dialog box, where you can select predefined or custom service objects.

    Terminate Match
        Select this option to mark the rule as a terminal rule. If a session matches a terminal rule, the IDP engine does not process any subsequent rules; it takes action, if any, according to the terminal rule.
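    As an added illustration that is not part of this guide or of Juniper's software, the following Python model applies the match semantics described in Table 1 to a constructed rulebase: every column must agree, Any disables a column, Negate inverts an address match, user-role-based rules are consulted before IP address-based rules, and a terminal match stops processing of subsequent rules. The rule names, networks and service labels are made up.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
ANY = None  # "Any" turns matching on that column off (constructed model, not Juniper code)

@dataclass
class Rule:
    name: str
    source: list = ANY            # source networks; ignored when user_role is set
    negate_source: bool = False   # Negate: match any source except those listed
    dest: list = ANY              # destination networks
    negate_dest: bool = False
    service: list = ANY           # service names (hypothetical labels such as "HTTP")
    user_role: str = None         # set => user-role-based rule
    terminate: bool = False       # Terminate Match

def addr_matches(addr, nets, negate):
    """Any always matches; otherwise a membership test, inverted when Negate is set."""
    if nets is ANY:
        return True
    hit = any(ip_address(addr) in ip_network(net) for net in nets)
    return not hit if negate else hit

def rule_matches(rule, session):
    """Every match column must agree: source (or user role), destination and service."""
    if rule.user_role is not None:
        src_ok = session.get("user_role") == rule.user_role
    else:
        src_ok = addr_matches(session["src"], rule.source, rule.negate_source)
    return (src_ok and addr_matches(session["dst"], rule.dest, rule.negate_dest)
            and (rule.service is ANY or session["service"] in rule.service))

def evaluate(rulebase, session):
    """Rules applied to a session, in order: user-role rules first; a terminal match stops."""
    matched = []
    for group in ([r for r in rulebase if r.user_role], [r for r in rulebase if not r.user_role]):
        for rule in group:
            if rule_matches(rule, session):
                matched.append(rule.name)
                if rule.terminate:
                    return matched
        if matched:  # a user-role rule matched, so IP address-based rules are not consulted
            break
    return matched

RULEBASE = [  # constructed sample rulebase; addresses and names are made up
    Rule("contractor-role", user_role="contractor", dest=["10.0.1.0/24"]),
    Rule("lan-except-dmz", source=["192.168.0.0/16"], dest=["10.0.2.0/24"], negate_dest=True),
    Rule("dmz-http", dest=["10.0.2.0/24"], service=["HTTP"], terminate=True),
    Rule("catch-all"),
]
```

    A session with user role "contractor" bound for 10.0.1.10 is handled by the role rule alone, while the same user bound for the DMZ falls through to the IP address-based rules and stops at the terminal rule.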


    Published: 2011-02-08