Example: Defining Rules for an IDP Exempt Rulebase

This example shows how to define rules for an exempt IDP rulebase.

Requirements

Before you begin, create rules in the IPS rulebase. See Example: Inserting a Rule in the IDP Rulebase.

Overview

When you create an exempt rule, you must specify the following:

In this example, the IDP policy generates false positives for the attack FTP:USER:ROOT on an internal network. You configure an exempt rule so that this attack is not reported when the source IP address belongs to your internal network.

Configuration

CLI Quick Configuration

To quickly define rules for an exempt IDP rulebase, copy the following commands and paste them into the CLI.

[edit]
set security idp idp-policy P1
set security idp idp-policy P1 rulebase-exempt rule R1 match from-zone trust to-zone any
set security idp idp-policy P1 rulebase-exempt rule R1 match source-address internal-devices destination-address any
set security idp idp-policy P1 rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
set security idp active-policy P1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To define rules for an exempt IDP rulebase:

  1. Specify the IPS rulebase for which you want to define an exempt rulebase.
    [edit]
    user@host# set security idp idp-policy P1
  2. Associate the exempt rulebase with the policy and zones, and add a rule to the rulebase.
    [edit security idp idp-policy P1]
    user@host# set rulebase-exempt rule R1 match from-zone trust to-zone any
  3. Specify the source and destination addresses for the rulebase.
    [edit security idp idp-policy P1]
    user@host# set rulebase-exempt rule R1 match source-address internal-devices destination-address any
  4. Specify the attacks that you want to exempt from attack detection.
    [edit security idp idp-policy P1]
    user@host# set rulebase-exempt rule R1 match attacks predefined-attacks "FTP:USER:ROOT"
  5. Activate the policy.
    [edit]
    user@host# set security idp active-policy P1

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

user@host# show security idp
idp-policy P1 {
    rulebase-exempt {
        rule R1 {
            match {
                from-zone trust;
                source-address internal-devices;
                to-zone any;
                destination-address any;
                attacks {
                    predefined-attacks FTP:USER:ROOT;
                }
            }
        }
    }
}
active-policy P1;

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the rules you defined appear in the exempt rulebase of the IDP configuration.

Action

From operational mode, enter the show security idp command.
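As an added check that is not part of the Juniper example, the following Python script parses the show security idp output shown in the Results section and audits each exempt rule: an exempt rule whose source-address is any would suppress detection of the attack for all traffic rather than only for the internal network. The parser, the audit function and the sample string (reflowed from the page's output) are this example's own construction, not Junos or Juniper code.

```python
import re

# Constructed sample: the `show security idp` output from this page, as one
# string (the parser ignores layout, so line breaks do not matter).
SAMPLE = (
    "idp-policy P1 { rulebase-exempt { rule R1 { match { "
    "from-zone trust; source-address internal-devices; to-zone any; "
    "destination-address any; attacks { predefined-attacks FTP:USER:ROOT; } "
    "} } } } active-policy P1;"
)

def parse_junos(text):
    """Parse Junos brace-style output into nested dicts: 'rule R1 { ... }' becomes
    key 'rule R1'; 'source-address internal-devices;' becomes a string leaf."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    stack, words = [{}], []
    for tok in tokens:
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][words[0]] = " ".join(words[1:])
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    if len(stack) != 1 or words:
        raise ValueError("unbalanced or truncated configuration output")
    return stack[0]

def audit_exempt_rules(config):
    """Return one (policy, rule, attack, problem) tuple per exempt rule; problem
    is None when the rule is limited to a named source address, otherwise a
    warning that the exemption hides the attack for every source."""
    findings = []
    for key, policy in config.items():
        if not key.startswith("idp-policy "):
            continue
        for rkey, rule in policy.get("rulebase-exempt", {}).items():
            match = rule.get("match", {})
            attack = match.get("attacks", {}).get("predefined-attacks", "")
            src = match.get("source-address", "any")
            problem = None if src != "any" else "exempts %s for every source" % attack
            findings.append((key.split()[1], rkey.split()[1], attack, problem))
    return findings
```

Run audit_exempt_rules(parse_junos(SAMPLE)) to see the rule from this example reported with no problem; feed it the output of a device with a broader exempt rule to see the warning.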
