
    Example: Defining Rules for an IDP Exempt Rulebase

    This example shows how to define rules for an exempt IDP rulebase.

    Requirements

    Before you begin, create rules in the IDP IPS rulebase. See Example: Defining Rules for an IDP IPS Rulebase.

    Overview

    When you create an exempt rule, you must specify the following:

    • Source and destination for traffic you want to exempt. You can set the source or destination to Any to exempt network traffic originating from any source or sent to any destination. You can also set source-except or destination-except to specify all the sources or destinations except the specified source or destination addresses.
    • The attacks you want IDP to exempt for the specified source/destination addresses. You must include at least one attack object in an exempt rule.

    In this example, the IDP policy generates false positives for the attack FTP:USER:ROOT on an internal network. You configure an exempt rule so that IDP does not detect this attack when the source IP address belongs to your internal network.

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security idp idp-policy base-policy
    set security idp idp-policy base-policy rulebase-exempt rule R1 match from-zone trust to-zone any
    set security idp idp-policy base-policy rulebase-exempt rule R1 match source-address internal-devices destination-address any
    set security idp idp-policy base-policy rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
    set security idp active-policy base-policy

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To define rules for an exempt IDP rulebase:

    1. Specify the IDP policy whose IPS rulebase you want to define an exempt rulebase for.
      [edit]
      user@host# edit security idp idp-policy base-policy
    2. Associate the exempt rulebase with the policy and zones, and add a rule to the rulebase.
      [edit security idp idp-policy base-policy]
      user@host# set rulebase-exempt rule R1 match from-zone trust to-zone any
    3. Specify the source and destination addresses for the rule.
      [edit security idp idp-policy base-policy]
      user@host# set rulebase-exempt rule R1 match source-address internal-devices destination-address any
    4. Specify the attacks that you want to exempt from attack detection.
      [edit security idp idp-policy base-policy]
      user@host# set rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
    5. Activate the policy.
      [edit]
      user@host# set security idp active-policy base-policy

    Results

    From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    idp-policy base-policy {
        rulebase-exempt {
            rule R1 {
                match {
                    from-zone trust;
                    source-address internal-devices;
                    to-zone any;
                    destination-address any;
                    attacks {
                        predefined-attacks FTP:USER:ROOT;
                    }
                }
            }
        }
    }
    active-policy base-policy;

    If you are done configuring the device, enter commit from configuration mode.
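    As an added check that is not part of the original example (and not Junos code), the following Python audits a "show security idp" output like the one above: it parses every rule under rulebase-exempt and flags rules whose source-address is any, because such a rule suppresses detection of the listed attacks for traffic from every host rather than only from the internal network this example intends. The sample input is constructed: it repeats the R1 output from this example and adds a hypothetical over-broad rule R2.

```python
# Constructed sample: the show output from this example plus a hypothetical over-broad rule R2.
SAMPLE_CONFIG = """
idp-policy base-policy {
    rulebase-exempt {
        rule R1 {
            match {
                from-zone trust;
                source-address internal-devices;
                to-zone any;
                destination-address any;
                attacks {
                    predefined-attacks FTP:USER:ROOT;
                }
            }
        }
        rule R2 {
            match {
                source-address any;
                destination-address any;
                attacks {
                    predefined-attacks FTP:USER:ROOT;
                }
            }
        }
    }
}
active-policy base-policy;
"""

def parse_exempt_rules(config):
    """Return {rule name: {statement: value}} for each rule under rulebase-exempt only."""
    rules, stack = {}, []  # stack holds the enclosing block names, outermost first
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";") and "rulebase-exempt" in stack:
            rule = next((s.split()[1] for s in stack if s.startswith("rule ")), None)
            if rule is not None:
                key, _, value = line[:-1].partition(" ")
                rules.setdefault(rule, {})[key] = value
    return rules

def overly_broad_exemptions(rules):
    """Exempt rules with source-address any disable detection for traffic from every host."""
    return sorted(name for name, match in rules.items()
                  if match.get("source-address") == "any")
```

Run it against the saved output of "show security idp" before committing; any rule it returns exempts the listed attacks for all sources, not just internal-devices.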

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Configuration

    Purpose

    Verify that the rules you defined appear in the exempt rulebase of the IDP configuration.

    Action

    From operational mode, enter the show security idp status command.

    Published: 2012-06-29