Configuring Application Rulebase Rules (NSM Procedure)

The Application Policy Enforcement (APE) rulebase enables you to limit bandwidth for specified users and/or applications. You can configure APE rules to detect network traffic based on application signatures. The user can define custom application signatures to be used in the APE rules. The APE rulebase enables actions based on an application-centered matching tuple.

To configure an APE rulebase rule:

  1. In the NSM navigation tree, select Policy Manager > Security Policies.
  2. Select and double-click the security policy to which you want to add the APE rulebase rule.
  3. Click New in the upper right corner of the policy viewer and select Add Application Rulebase.
  4. Click the New button within the rules viewer to add a rule.
  5. Modify the property of the rule by right-clicking the table cell for the property and making your modifications.
  6. Configure or modify the rule using the settings described in Table 34.
  7. Click OK to save your changes.

Table 34: APE Rulebase Rule Properties

OptionFunctionYour Action

No.

Specifies if you want to add, delete, copy, or reorder rules.

Right-click the table cell for the rule number and make your required modifications.

Match > Source

Specifies the address object that is the source of the traffic.

Select any to monitor network traffic originating from any IP address.

Note: For guidelines on specifying match parameters, see the IDP Concepts and Examples Guide.

Match > User Role

Specifies the user roles to match the session for the rule to be applied. If a value for User Role matches, the Source parameter is not consulted.

Matching based on user role depends on integration with a compatible Juniper Networks IC Series Unified Access Control appliance.

Right-click the table cell to select user roles.

Match > Destination

Specifies the address object that is the destination of the traffic, typically a server or other device on your network.

Select the destination object.

Note: You can also negate one or more address objects to specify all destinations except the excluded object.

Match > Service

Requires a match of one of the specified services. A single rule can match a service object definition or an application list, but not both. We recommend you create rules that match an application list whenever possible. Matching based on application uses the application identification feature, which can identify the application regardless of port. We support rules that match service object definitions for cases where there is not a suitable application object.

Right-click the table cell and select any one of the required options.

If you specify named values for both service and application, only the application value is used.

If your rule includes application or extended application objects, specify Default for the service parameter.

If you do not want to match on service or application list, specify Any for all three (service, application, and extended application).

If there are no suitable application objects, create a rule that uses the service object and set the application and extended application columns to Any.

Note: If the service uses standard ports, you can select from predefined services. If the service uses nonstandard ports, you can create a custom service object. The IDP engine can inspect services that use TCP, UDP, RPC, and ICMP transport layer protocols.

Match > Application

Requires one of the specified applications to match the session for the rule to be applied. The predefined list of applications is populated by the application identification feature. The application identification feature identifies the application regardless of port. Port-independent application identification simplifies rule configuration and ensures that you do not miss applications running on nonstandard ports. Hence it is recommended to use the application parameter instead of the service parameter whenever possible.

Right-click the table cell and make your required modifications.

If you specify named values for both service and application, only the application value is used.

Specify Any when creating a service-based rule or when creating an application-based rule where the application list consists only of extended application objects.

You can use the Shared Objects for Policy viewer (located below the rule editor) to browse application objects and explore object properties. You can create custom application objects.

Note: To apply an APE action to all traffic matching source and destination parameters, set both the service parameter and the application parameter to Any.

Extended application matching is more granular than application matching. Do not select HTTP in the application column if you also plan to specify extended application objects in the same rule. If you specify HTTP and HTTP:Facebook, for example, the rule matches HTTP or HTTP:Facebook. The result is indistinguishable from a rule matching only HTTP. We recommend you list rules targeting Extended Applications before a rule targeting HTTP.

Match > Extended Application

Requires one of the specified extended applications to match the session for the rule to be applied. Extended applications are also called nested applications. The Juniper Networks Security Center (J-Security Center) provides predefined application signatures for many Web 2.0 applications running over HTTP. Matching on these signatures depends on the application identification feature, which is enabled by default. You use the Application and Extended Application columns to build a list of applications to match the rule. The list is evaluated as a Boolean OR, so if one of the application or extended application objects specified in the rule is identified, the “service or application” component of the tuple matches.

Right-click the table cell and make your required modifications.

Specify Any when you are creating a service-based rule or when you are creating an application-based rule where the application list consists only of application objects.

Note: You can use the Shared Objects for Policy viewer (located below the rule editor) to browse extended application objects and explore object properties. You cannot create custom extended application objects.

Action

Specifies which actions to perform against attacks that match rules in your security policy.

Right-click the table cell and select any one of the following options:

  • None — IDP takes no action against the connection.
  • Drop Packet — IDP drops a matching packet before it can reach its destination but does not close the connection.
  • Drop Connection — IDP drops the connection without sending an RST packet to the sender, preventing the traffic from reaching its destination.
  • Close Client — IDP closes the connection to the client and not to the server.
  • Close Server — IDP closes the connection to the server and not to the client.
  • Close Client and Server — IDP closes the connection and sends a RST packet to both the client and the server.
  • Diffserv Marking — Assigns the differentiated service value you specify to the packet. This action is useful when your network has a class of service (CoS) design, and you want to use the IDP Series device to rewrite the CoS code point based on APE rules processing. The CoS rules you have implemented for the next devices in the network path ultimately determine the effect on the transmission rate.

    Note: In sniffer mode, this action has no effect because the IDP Series device is not in the path of network traffic.

  • Rate Limiting — IDP enforces a rate limit for all current sessions that match the rule (separate limits for client-to-server and server-to-client traffic). If the limit has not been reached, IDP forwards the packets. If the limit has been reached, IDP behaves as if no bandwidth is available. The rate limits that are best suited for your business case depend on the bandwidth for your links. If you have a 1-Gbps link and want no more than 10% available to peer-to-peer traffic, the sum of the rate limits you specify for all peer-to-peer rules must be less than 102.4 Mbps (in each direction).

    You configure separate rate limits for client-to-server and server-to-client directions. For peer-to-peer traffic, we recommend that you set the same rate for each direction.

    Note: For TFTP traffic, all traffic is considered client-to-server traffic. A TFTP server responds to get requests by establishing an ephemeral port from which to send the reply. In this case, both directions appear to the IDP Series device as client-to-server flows. We recommend you set the same rate for each direction. In sniffer mode, this action has no effect because the IDP Series device is not in the path of network traffic

  • Diffserv Marking & Rate Limiting — Takes both actions as described for Diffserv Marking and Rate Limiting.

Notification

Specifies logging options. Packet capture is not applicable for APE rulebase rules.

Right-click the table cell and select Configure to display a dialog box where you can configure logging options.

VLAN Tag

Specifies rules to traffic on certain VLANs. Normally, for a rule to take effect, it must match the packet source, destination, service, and attack objects. If the VLAN cell is populated with a value other than any, then the rule will also consider the packet’s VLAN tag when determining a match.

Right-click the table cell to assign a VLAN object to a rule or to set the VLAN tag value to none.

Install On

Specifies target IDP devices for the rule. By default, IDP security policy rules can be applied to any IDP device.

Right-click the table cell and select Select Target to display a dialog box to specify the IDP devices to which the rule can be installed.

Comments

Adds notations about the rule. This setting is optional and does not affect the functionality of the security policy rule.

Right-click the table cell and select Edit Comments to display a dialog box where you can make notations about the rule.

You can verify the APE rulebase functionality in your lab and view APE related statistics in the Command-Line Interface (CLI). It is recommended that you retain defaults for APE rulebase. By default:

For more information, see the IDP Concepts & Examples guide.

Related Documentation