Related Documentation
- J Series
- Understanding IDP Exempt Rulebases
- Example: Inserting a Rule in the IDP Rulebase
- Example: Deactivating and Activating Rules in an IDP Rulebase
- Example: Enabling IDP in a Security Policy
- SRX Series
- Understanding IDP Exempt Rulebases
- Example: Inserting a Rule in the IDP Rulebase
- Example: Deactivating and Activating Rules in an IDP Rulebase
- Example: Enabling IDP in a Security Policy
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Defining Rules for an IDP Exempt Rulebase
This example shows how to define rules for an exempt IDP rulebase.
Requirements
Before you begin, create rules in the IDP IPS rulebase. See Example: Defining Rules for an IDP IPS Rulebase.
Overview
When you create an exempt rule, you must specify the following:
- Source and destination for traffic you want to exempt. You can set the source or destination to Any to exempt network traffic originating from any source or sent to any destination. You can also set source-except or destination-except to specify all the sources or destinations except the specified source or destination addresses.
- The attacks you want IDP to exempt for the specified source/destination addresses. You must include at least one attack object in an exempt rule.
In this example, the IDP policy generates false positives for the attack FTP:USER:ROOT on an internal network. You configure an exempt rule so that IDP does not report this attack when the source IP address belongs to your internal network.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To define rules for an exempt IDP rulebase:
- Specify the IDP policy whose IPS rulebase you want to define exempt rules for.
  [edit]
  user@host# edit security idp idp-policy base-policy
- Associate the exempt rulebase with the policy and zones, and add a rule to the rulebase.
  [edit security idp idp-policy base-policy]
  user@host# set rulebase-exempt rule R1 match from-zone trust to-zone any
- Specify the source and destination addresses for the rule.
  [edit security idp idp-policy base-policy]
  user@host# set rulebase-exempt rule R1 match source-address internal-devices destination-address any
- Specify the attacks that you want to exempt from attack detection.
  [edit security idp idp-policy base-policy]
  user@host# set rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
- Activate the policy.
  [edit]
  user@host# set security idp active-policy base-policy
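The procedure above in set-command form, as an added example rather than the page's own CLI Quick Configuration block. Rule R1 is the rule from the procedure; rule R2 is an alternative (use one or the other, not both) that applies the destination-except form mentioned in the Overview so that FTP:USER:ROOT is still reported when it targets the real FTP servers. internal-devices and ftp-servers are assumed to be address-book entries that already exist.

```junos
# Rule R1 (from the procedure): suppress FTP:USER:ROOT for any traffic that
# originates from internal-devices, whatever the destination.
set security idp idp-policy base-policy rulebase-exempt rule R1 match from-zone trust to-zone any
set security idp idp-policy base-policy rulebase-exempt rule R1 match source-address internal-devices
set security idp idp-policy base-policy rulebase-exempt rule R1 match destination-address any
set security idp idp-policy base-policy rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"

# Rule R2 (alternative to R1, narrower scope): the same exemption for
# internal-devices, but for every destination EXCEPT the assumed address-book
# entry ftp-servers, so root-login attempts against the production FTP servers
# are still detected by the IPS rulebase.
set security idp idp-policy base-policy rulebase-exempt rule R2 match from-zone trust to-zone any
set security idp idp-policy base-policy rulebase-exempt rule R2 match source-address internal-devices
set security idp idp-policy base-policy rulebase-exempt rule R2 match destination-except ftp-servers
set security idp idp-policy base-policy rulebase-exempt rule R2 match attacks predefined-attacks "FTP:USER:ROOT"

# Make base-policy the active IDP policy and commit the configuration.
set security idp active-policy base-policy
commit
```

An exempt rule only suppresses attacks that a rule in the IPS rulebase of the same policy would otherwise detect, which is why the Requirements section has you define the IPS rules first.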
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the rules you defined appear in the exempt rulebase of the active IDP policy.
Action
From operational mode, enter the show security idp status command.