
    Example: Setting Terminal Rules in Rulebases

    This example shows how to configure terminal rules.

    Requirements

    Before you begin:

    Overview

    By default, rules in the IDP rulebase are not terminal, which means IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; that is, if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.

    This example shows how to configure terminal rules. You define rule R2 to terminate the match algorithm if the source IP of the traffic originates from a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data.
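    To make the matching behaviour concrete, the following is an added Python model of rulebase evaluation (not Junos code and not part of this guide): the address book, the attack names, and rules R1 and R3 around the page's terminal rule R2 are constructed for illustration.

```python
# Added model of IDP rulebase evaluation; not Junos code. Address book,
# rules R1/R3 and attack names are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    source: str            # address-book entry name or "any"
    destination: str
    service: str = "any"
    attacks: tuple = ()    # attack objects the rule would inspect for (illustrative)
    terminal: bool = False

# Constructed address book; "internal" stands for the trusted network in the example.
ADDRESS_BOOK = {
    "any": [ip_network("0.0.0.0/0")],
    "internal": [ip_network("10.0.0.0/8")],
}

def _addr_matches(entry: str, ip: str) -> bool:
    return any(ip_address(ip) in net for net in ADDRESS_BOOK[entry])

def evaluate(rulebase, src: str, dst: str, service: str) -> list:
    """Return the names of the rules applied to one session, in rulebase order.
    Every matching non-terminal rule applies. A terminal rule matches on source,
    destination and service only; once it matches, no later rule is examined."""
    applied = []
    for rule in rulebase:
        if not (_addr_matches(rule.source, src)
                and _addr_matches(rule.destination, dst)
                and rule.service in ("any", service)):
            continue
        applied.append(rule.name)
        if rule.terminal:
            break  # terminal match: the rest of the rulebase is skipped for this session
    return applied

# Rulebase with the page's terminal rule R2 placed between two inspection rules.
RULEBASE = [
    Rule("R1", "any", "any", attacks=("HTTP:SQL-INJECTION",)),
    Rule("R2", "internal", "any", terminal=True),
    Rule("R3", "any", "any", attacks=("HTTP:XSS",)),
]

if __name__ == "__main__":
    # Internal source: R2 terminates evaluation, so R3 never inspects this session.
    print(evaluate(RULEBASE, "10.1.2.3", "203.0.113.5", "http"))     # ['R1', 'R2']
    # External source: R2 does not match, so R1 and R3 both apply.
    print(evaluate(RULEBASE, "198.51.100.7", "203.0.113.5", "http"))  # ['R1', 'R3']
```

    The point for a defender is the second half of the output: anything a later rule would have detected is not inspected for sessions that the terminal rule already matched, so the rule's position in the rulebase matters.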

    Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set security idp idp-policy base-policy rulebase-ips rule R2
    set security idp idp-policy base-policy rulebase-ips rule R2 match source-address internal destination-address any
    set security idp idp-policy base-policy rulebase-ips rule R2 terminal

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure terminal rules:

    1. Create an IDP policy.
      [edit]
      user@host# edit security idp idp-policy base-policy
    2. Define a rule and set its match criteria.
      [edit security idp idp-policy base-policy]
      user@host# set rulebase-ips rule R2 match source-address internal destination-address any
    3. Set the terminal flag for the rule.
      [edit security idp idp-policy base-policy]
      user@host# set rulebase-ips rule R2 terminal

    Results

    From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show security idp
    idp-policy base-policy {
        rulebase-ips {
            rule R2 {
                match {
                    source-address internal;
                    destination-address any;
                }
                terminal;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Verification

    To confirm that the configuration is working properly, perform this task:

    Verifying the Configuration

    Purpose

    Verify that the terminal rules were configured correctly.

    Action

    From operational mode, enter the show security idp status command.

    Published: 2012-06-29