Related Documentation
- J Series
- Understanding IDP Terminal Rules
- Example: Defining Rules for an IDP IPS Rulebase
- Example: Enabling IDP in a Security Policy
- SRX Series
- Understanding IDP Terminal Rules
- Example: Defining Rules for an IDP IPS Rulebase
- Example: Enabling IDP in a Security Policy
- Additional Information
- Junos OS CLI Reference

- Junos OS Feature Support Reference for SRX Series and J Series Devices

Example: Setting Terminal Rules in Rulebases
This example shows how to configure terminal rules.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Enable IDP application services in a security policy. See Example: Enabling IDP in a Security Policy.
- Create security zones. See Example: Creating Security Zones.
- Define rules. See Example: Inserting a Rule in the IDP Rulebase.
Overview
By default, rules in the IDP rulebase are not terminal, which means IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; that is, if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.
This example shows how to configure terminal rules. You define rule R2 to terminate the match algorithm if the source IP of the traffic originates from a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level. The commands for this example are the set commands listed in the Step-by-Step Procedure that follows.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure terminal rules:
- Create an IDP policy and move to its hierarchy level. [edit]user@host# edit security idp idp-policy base-policy
- Define a rule and set its match criteria. [edit security idp idp-policy base-policy]user@host# set rulebase-ips rule R2 match source-address internal destination-address any
- Set the terminal flag for the rule. [edit security idp idp-policy base-policy]user@host# set rulebase-ips rule R2 terminal
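The complete procedure as a single set-format listing, as an added example that is not the page's own configuration. Everything not in the steps above is an assumption for illustration: the address-book entry internal and its prefix 10.0.0.0/8 (the page never defines the object R2 refers to), the ordinary inspection rule R1 and its attack group name, the no-action and drop-connection actions, and the active-policy statement. Lines beginning with # are annotations, not CLI input.

```junos
# Added example; assumed values are marked in the comments.

# Address object the terminal rule refers to. Name and prefix are assumed;
# the page does not define "internal". Keep it as narrow as you can: every
# host in this prefix is exempted from inspection by R2.
set security address-book global address internal 10.0.0.0/8

# R1: the ordinary inspection rule that should apply to everyone else.
# The attack group name is assumed; use one present on your device.
set security idp idp-policy base-policy rulebase-ips rule R1 match source-address any
set security idp idp-policy base-policy rulebase-ips rule R1 match destination-address any
set security idp idp-policy base-policy rulebase-ips rule R1 match application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "HTTP - All"
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks

# R2: the terminal rule from this example. The terminal decision is made on
# source, destination and service alone, so payload from 10.0.0.0/8 is never
# compared against attack objects. Action is assumed (no-action). If your
# release refuses to commit an IPS rule without an attack match, add the same
# attack group here; with no-action the effect is unchanged.
set security idp idp-policy base-policy rulebase-ips rule R2 match source-address internal
set security idp idp-policy base-policy rulebase-ips rule R2 match destination-address any
set security idp idp-policy base-policy rulebase-ips rule R2 match application default
set security idp idp-policy base-policy rulebase-ips rule R2 then action no-action
set security idp idp-policy base-policy rulebase-ips rule R2 terminal

# Ordering is what makes the terminal flag useful: rules are evaluated top
# down and "terminal" only stops evaluation of the rules AFTER R2. Created in
# this order R2 sits below R1, so internal traffic still hits R1 first and
# nothing is skipped. Move R2 above R1:
insert security idp idp-policy base-policy rulebase-ips rule R2 before rule R1

# Make base-policy the active IDP policy (assumed statement) and commit.
set security idp active-policy base-policy
commit

# Confirm the rule order from configuration mode ...
show security idp idp-policy base-policy rulebase-ips

# ... and from operational mode that the engine is up and running this policy.
run show security idp status
run show security idp policies
```

Two things to check before relying on this. First, read the rule order in the show output: R2 must appear before R1, otherwise the terminal flag never short-circuits anything. Second, remember what a terminal rule on a source address buys you: a compromised host inside the trusted prefix gets the same free pass as a legitimate one, so scope internal tightly rather than using a broad corporate range.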
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the terminal rules were configured correctly.
Action
From operational mode, enter the show security idp status command. The output shows whether the IDP engine is up and the name of the policy it is running; confirm that it is the policy that contains the terminal rule.