Example: Defining Rules for an IDP IPS Rulebase
This example shows how to define rules for an IDP IPS rulebase.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Create security zones. See Example: Creating Security Zones.
- Enable IDP in security policies. See Example: Enabling IDP in a Security Policy.
Overview
Each rule is composed of match conditions, objects, actions, and notifications. When you define an IDP rule, you must specify the type of network traffic you want IDP to monitor for attacks by using the following characteristics—source zone, destination zone, source IP address, destination IP address, and the Application Layer protocol supported by the destination IP address. The rules are defined in rulebases, and rulebases are associated with policies.
This example describes how to create a policy called base-policy, specify a rulebase for this policy, and then add a rule R1 to this rulebase. In this example, rule R1:
- Specifies the match condition to include any traffic from a previously configured zone called trust to another previously configured zone called untrust. The match condition also includes a predefined attack group Critical - TELNET. The application setting in the match condition is default and matches any application configured in the attack object.
- Specifies an action to drop connection for any traffic that matches the criteria for rule R1,
- Enables attack logging and specifies that an alert flag is added to the attack log.
- Specifies a severity level as critical.
After defining the rule, you specify base-policy as the active policy on the device.
Configuration
CLI Quick Configuration
To quickly define rules for an IDP IPS rulebase, copy the following commands and paste them into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To define rules for an IDP IPS rulebase:
- Create a policy by assigning a meaningful name
to it.[edit]user@host# set security idp idp-policy base-policy
- Associate a rulebase with the policy.[edit security idp idp-policy base-policy]user@host# set rulebase-ips
- Add rules to the rulebase. [edit security idp idp-policy base-policy rulebase-ips]user@host# set rule R1
- Define the match criteria for the rule.[edit security idp idp-policy base-policy rulebase-ips rule R1]user@host# set match from-zone trust to-zone untrust source-address any destination-address any application default
- Define an attack as match criteria. [edit security idp idp-policy base-policy rulebase-ips rule R1]user@host# set match attacks predefined-attack-groups "Critical-TELNET"
- Specify an action for the rule. [edit security idp idp-policy base-policy rulebase-ips rule R1]user@host# set then action drop-connection
- Specify notification and logging options
for the rule. [edit security idp idp-policy base-policy rulebase-ips rule R1]user@host# set then notification log-attacks alert
- Set the severity level for the rule.
[edit security idp idp-policy base-policy rulebase-ips rule R1]user@host# then severity critical
- Activate the policy.[edit]user@host# set security idp active-policy base-policy
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify if the rules for the IDP IPS rulebase configuration are correct
Action
From operational mode, enter the show security idp command.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP IPS Rulebases
- Example: Enabling IDP in a Security Policy
- Example: Inserting a Rule in the IDP Rulebase
- Example: Deactivating and Activating Rules in an IDP Rulebase
Hide Navigation Pane
Show Navigation Pane
Download
SHA1