Related Documentation
- J Series
- IDP Policies Overview
- Understanding IDP Policy Rules
- Understanding IDP Policy Rulebases
- Understanding IDP IPS Rulebases
- Understanding Predefined IDP Policy Templates
- Example: Defining Rules for an IDP Exempt Rulebase
- SRX Series
- IDP Policies Overview
- Understanding IDP Policy Rules
- Understanding IDP Policy Rulebases
- Understanding IDP IPS Rulebases
- Understanding Predefined IDP Policy Templates
- Example: Defining Rules for an IDP Exempt Rulebase
- Additional Information
- Junos OS Feature Support Reference for SRX Series and J Series Devices

Understanding IDP Exempt Rulebases
The exempt rulebase works in conjunction with the intrusion prevention system (IPS) rulebase to prevent unnecessary alarms from being generated. You configure rules in this rulebase to exclude known false positives or to exclude a specific source, destination, or source/destination pair from matching an IPS rule. If traffic matches a rule in the IPS rulebase, the system attempts to match the traffic against the exempt rulebase before performing the action specified. Carefully written rules in an exempt rulebase can significantly reduce the number of false positives generated by an IPS rulebase.
Configure an exempt rulebase under the following conditions:
- When an IDP rule uses an attack object group that contains one or more attack objects that produce false positives or irrelevant log records.
- When you want to exclude a specific source, destination, or source/destination pair from matching an IDP rule. This prevents IDP from generating unnecessary alarms.
Note: Make sure to configure the IPS rulebase before configuring the exempt rulebase.
Table 1 summarizes the options that you can configure in the exempt-rulebase rules.
Table 1: Exempt Rulebase Options
| Term | Definition |
|---|---|
| Match condition | Specify the type of network traffic you want the device to monitor for attacks in the same way as in the IPS rulebase. However, in the exempt rulebase, you cannot configure an application; it is always set to any. |
| Attack objects/groups | Specify the attack objects that you do not want the device to match in the monitored network traffic. |
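
The following is an added example, not taken from the original page: a narrowly scoped exempt rule in Junos set-command form, using the two options from Table 1. The policy name base-policy, rule name R1, zone trust, address-book entry internal-devices, and attack object FTP:USER:ROOT are assumptions chosen for illustration, and the IPS rulebase in base-policy is assumed to be configured already.

```junos
# Assumed: base-policy already has a rulebase-ips rule that matches this traffic.
# Exempt rule: stop one known false positive from one known set of hosts.

# Match condition: zones and addresses, written as in the IPS rulebase.
# No application is set here; in the exempt rulebase it is always "any".
set security idp idp-policy base-policy rulebase-exempt rule R1 match from-zone trust to-zone any
set security idp idp-policy base-policy rulebase-exempt rule R1 match source-address internal-devices destination-address any

# Attack objects/groups: name the single attack object to exempt rather than
# a whole attack group, so other attacks from these hosts are still reported.
set security idp idp-policy base-policy rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
```

Keeping the source address and the attack object specific limits the exemption to the known false positive; an exempt rule with source and destination set to any and a broad attack group would suppress those detections for all traffic.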



