Defining Rules for an IPS Rulebase
Each rule is composed of match conditions, objects, actions,
and notifications. When you define an IDP rule, you must specify the
type of network traffic you want IDP to monitor for attacks by using
the following characteristics—source zone, destination zone,
source IP address, destination IP address, and the Application Layer
protocol supported by the destination IP address. The rules are defined
in rulebases, and rulebases are associated with policies.
Before You Begin
- For background information, read:
- Establish basic connectivity. For more information,
see the Getting Started Guide for your device.
- Configure network interfaces. See the JUNOS Software Interfaces and Routing Configuration Guide.
- Create security zones. See Creating Security Zones.
- Enable IDP in security policies. See Enabling IDP in a Security Policy.
The configuration instructions in this topic describe how to
create a policy called base-policy, specify a rulebase for
this policy, and then add a rule R1 to this rulebase. In
this example, rule R1:
- Specifies the match condition to include any traffic from
a previously configured zone called trust to
another previously configured zone called untrust. The match condition
also includes the predefined attack group Critical - TELNET. The application
setting in the match condition is default, which matches any application
configured in the attack objects of that group.
- Specifies an action to drop the connection for any traffic
that matches the criteria for rule R1.
- Enables attack logging and specifies that an alert flag
is added to the attack log.
- Specifies a severity level of critical.
After defining the rule, you specify base-policy as
the active policy on the device.
You can use either J-Web or the CLI configuration editor to
configure the IDP policy and its rule.
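The CLI form of the procedure above, as an added example that is not copied from this page. The statement hierarchy is the standard Junos OS set-mode syntax for security policies and IDP; the security-policy name idp-app-policy-1 and the any/any match in the prerequisite policy are assumptions, everything else (base-policy, R1, trust, untrust, Critical - TELNET, drop-connection, alert logging, critical severity) comes from the description above.

```junos
# Prerequisite (see "Enabling IDP in a Security Policy"): traffic from trust
# to untrust must be permitted by a security policy that hands it to IDP,
# otherwise rule R1 never sees it. The policy name idp-app-policy-1 and the
# any/any match are assumed for this example.
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match source-address any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match destination-address any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 match application any
set security policies from-zone trust to-zone untrust policy idp-app-policy-1 then permit application-services idp

# IDP policy base-policy, IPS rulebase, rule R1: match trust -> untrust,
# application default (whatever the attack objects specify), and the
# predefined attack group Critical - TELNET (quoted because of the spaces).
set security idp idp-policy base-policy rulebase-ips rule R1 match from-zone trust to-zone untrust
set security idp idp-policy base-policy rulebase-ips rule R1 match application default
set security idp idp-policy base-policy rulebase-ips rule R1 match attacks predefined-attack-groups "Critical - TELNET"

# Actions and notifications: drop the connection, log the attack with the
# alert flag set, and tag the event with severity critical.
set security idp idp-policy base-policy rulebase-ips rule R1 then action drop-connection
set security idp idp-policy base-policy rulebase-ips rule R1 then notification log-attacks alert
set security idp idp-policy base-policy rulebase-ips rule R1 then severity critical

# Make base-policy the active IDP policy, then commit the configuration.
set security idp active-policy base-policy
commit
```

Two checks a practitioner will want: the rule is inert until the security policy permits the traffic with application-services idp, so a missing prerequisite policy shows up as "no IDP hits" rather than a commit error; and after the commit, show security idp status reports which IDP policy is loaded, which is the quickest way to confirm that base-policy became active.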