Example: Setting Terminal Rules in Rulebases
This example shows how to configure terminal rules.
Requirements
Before you begin:
- Configure network interfaces. See the Junos OS Interfaces Configuration Guide for Security Devices.
- Enable IDP application services in a security policy. See Example: Enabling IDP in a Security Policy.
- Create security zones. See Example: Creating Security Zones.
- Define rules. See Example: Inserting a Rule in the IDP Rulebase.
Overview
By default, rules in the IDP rulebase are not terminal. That means that IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.
This example shows how to configure terminal rules. You define a rule R2 to terminate the match algorithm if the source IP of the traffic originates from a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data.
Configuration
CLI Quick Configuration
To quickly configure terminal rules, copy the following commands and paste them into the CLI.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure terminal rules:
- Define a rule and add it to a rulebase in a policy.
  [edit]
  user@host# set security idp idp-policy P1 rulebase-ips rule R2
- Define the match criteria for the rule.
  [edit security idp idp-policy P1]
  user@host# set rulebase-ips rule R2 match source-address internal destination-address any
- Set the terminal flag for the rule.
  [edit security idp idp-policy P1]
  user@host# set rulebase-ips rule R2 terminal
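The following is an added illustration of the matching behavior described in the Overview and configured in the steps above: a small Python model of rulebase evaluation, not Junos code or the actual IDP implementation. The address range 10.0.0.0/8 behind the address-book entry internal, the rules R1 and R3, and the action labels are constructed for the example; it shows that once terminal rule R2 matches a session from the trusted network, no rule placed after it is applied to that session, so the position of a terminal rule in the rulebase decides which inspection the trusted traffic skips.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    source: list        # list of ip_network; an empty list means "any"
    destination: list   # list of ip_network; an empty list means "any"
    service: set        # set of service names; an empty set means "any"
    action: str         # label only in this model
    terminal: bool = False   # rules are not terminal by default


def rule_matches(rule, src, dst, service):
    """Match on source, destination and service, as the page describes."""
    src_ok = not rule.source or any(ip_address(src) in n for n in rule.source)
    dst_ok = not rule.destination or any(ip_address(dst) in n for n in rule.destination)
    svc_ok = not rule.service or service in rule.service
    return src_ok and dst_ok and svc_ok


def evaluate(rulebase, src, dst, service):
    """Return the names of the rules applied to one session, in rulebase order.

    Non-terminal rules: every match is collected and executed.
    Terminal rule: after its match, no subsequent rule is examined for this connection.
    """
    applied = []
    for rule in rulebase:
        if rule_matches(rule, src, dst, service):
            applied.append(rule.name)
            if rule.terminal:
                break
    return applied


# Constructed address-book entry "internal" (the trusted company network).
INTERNAL = [ip_network("10.0.0.0/8")]

# Constructed rulebase: R2 is the page's terminal rule; R1 and R3 are filler rules
# placed before and after it to show what the terminal flag skips.
RULEBASE = [
    Rule("R1", [], [], {"http"}, "recommended"),
    Rule("R2", INTERNAL, [], set(), "none", terminal=True),
    Rule("R3", [], [], set(), "drop-connection"),
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, "10.1.2.3", "203.0.113.5", "http"))      # trusted source: R3 skipped
    print(evaluate(RULEBASE, "198.51.100.7", "203.0.113.5", "http"))  # external source: R3 applied
```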
Results
From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, perform this task:
Verifying the Configuration
Purpose
Verify that the terminal rule was configured.
Action
From operational mode, enter the show security idp command.
Related Topics
- Junos OS Feature Support Reference for SRX Series and J Series Devices
- Understanding IDP Terminal Rules
- Example: Defining Rules for an IDP IPS Rulebase
- Example: Enabling IDP in a Security Policy