Example: Setting Terminal Rules in Rulebases

This example shows how to configure terminal rules.

Requirements

Before you begin:

Overview

By default, rules in the IDP rulebase are not terminal. That means that IDP examines all rules in the rulebase and executes all matches. You can specify that a rule is terminal; if IDP encounters a match for the source, destination, and service specified in a terminal rule, it does not examine any subsequent rules for that connection.

This example shows how to configure terminal rules. You define a rule R2 that terminates the match algorithm when the source IP address of the traffic belongs to a known trusted network in your company. If this rule is matched, IDP disregards traffic from the trusted network and does not monitor the session for malicious data, so no later rule in the rulebase is applied to it.
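The following added Python model (not Juniper code) illustrates the matching behaviour described above: every matching rule is collected until a matching terminal rule is reached, after which no later rule is examined for that session. The "internal" address-book prefix and the later rule R3 are assumptions for illustration; only R2 comes from this example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

# Constructed address book: "internal" stands for the trusted company network
# named in the example; the 10.0.0.0/8 prefix is an assumption, not from the page.
ADDRESS_BOOK = {
    "internal": [ip_network("10.0.0.0/8")],
    "any": [ip_network("0.0.0.0/0")],
}

@dataclass
class Rule:
    name: str
    source_address: str
    destination_address: str
    application: str = "any"   # service; "any" matches every service
    terminal: bool = False

def _addr_in(book_name: str, addr: str) -> bool:
    return any(ip_address(addr) in net for net in ADDRESS_BOOK[book_name])

def rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    """Match on the three fields a terminal rule keys on: source, destination, service."""
    return (_addr_in(rule.source_address, src)
            and _addr_in(rule.destination_address, dst)
            and rule.application in ("any", service))

def evaluate(rulebase: List[Rule], src: str, dst: str, service: str) -> List[str]:
    """Return the names of the rules IDP would apply to this session, in order.
    Non-terminal matches keep the walk going; a terminal match ends it."""
    applied = []
    for rule in rulebase:
        if rule_matches(rule, src, dst, service):
            applied.append(rule.name)
            if rule.terminal:
                break
    return applied

# Rulebase modelled on the page: R2 is terminal for trusted sources. R3 is an
# assumed later rule that would otherwise inspect every HTTP session.
RULEBASE = [
    Rule("R2", "internal", "any", terminal=True),
    Rule("R3", "any", "any", application="http"),
]

if __name__ == "__main__":
    print(evaluate(RULEBASE, "10.1.2.3", "203.0.113.5", "http"))      # ['R2']
    print(evaluate(RULEBASE, "198.51.100.7", "203.0.113.5", "http"))  # ['R3']
```

Because the terminal rule stops the walk, any inspection rule placed after R2 never sees trusted-network traffic; order the rulebase deliberately and confirm it with show security idp.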

Configuration

CLI Quick Configuration

To quickly configure terminal rules, copy the following commands and paste them into the CLI.

    [edit]
    set security idp idp-policy P1 rulebase-ips rule R2
    set security idp idp-policy P1 rulebase-ips rule R2 match source-address internal destination-address any
    set security idp idp-policy P1 rulebase-ips rule R2 terminal

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure terminal rules:

  1. Define a rule and add it to a rulebase in a policy.
    [edit]
    user@host# set security idp idp-policy P1 rulebase-ips rule R2
  2. Define the match criteria for the rule.
    [edit security idp idp-policy P1]
    user@host# set rulebase-ips rule R2 match source-address internal destination-address any
  3. Set the terminal flag for the rule.
    [edit security idp idp-policy P1]
    user@host# set rulebase-ips rule R2 terminal

Results

From configuration mode, confirm your configuration by entering the show security idp command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    user@host# show security idp
    idp-policy P1 {
        rulebase-ips {
            rule R2 {
                match {
                    source-address internal;
                    destination-address any;
                }
                terminal;
            }
        }
    }

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform this task:

Verifying the Configuration

Purpose

Verify that the terminal rule was configured.

Action

From operational mode, enter the show security idp command.
