Create an IPS or an Exempt Rule

You can create intrusion prevention system (IPS) rules or exempt rules only for customized IPS profiles.

Create an IPS Rule

To create an IPS rule:

  1. Select SRX>Security Subscriptions>IPS>IPS Profiles.

    The IPS Profiles page opens.

  2. Click IPS-Profile-Name.

    The IPS-Profile-Name page opens.

  3. Click the add (+) icon on the IPS Rules tab.

    The parameters for an IPS rule are displayed inline at the top of the page.

  4. Complete the configuration according to the guidelines in Table 1.
    Note:

    Fields marked with an asterisk (*) are mandatory.

  5. Click the check mark icon to save your changes.

    The changes are saved and a confirmation message is displayed at the top of the page.

    You can use the IPS profile in a firewall policy intent. When you deploy the firewall policy on the device, the IPS and exempt rules associated with the profile are also deployed.

    Table 1: Create IPS Rule Settings

    Setting

    Guideline

    Name

    Juniper Security Director Cloud generates a unique rule name by default. You can modify the name.

    The name must begin with an alphanumeric character and can contain a maximum of 63 characters, including alphanumeric characters and some special characters such as colons, hyphens, forward slashes, periods, and underscores.

    Description

    Enter a description of up to 1024 characters for the rule.

    IPS Signatures

    Add one or more IPS signatures and IPS signature static and dynamic groups to be associated with the rule:

    1. Click inside the text box with the + icon.

      A list of IPS signatures and IPS signature static and dynamic groups opens.

    2. (Optional) Click the add (+) icon to add signatures. The Add IPS Signatures popup window opens.

    3. (Optional) Enter a search term and press Enter to filter the list of items displayed.

    4. Click a list item to add it to the IPS signatures and IPS signature static or dynamic groups associated with the rule.

    5. (Optional) Repeat the preceding step to add more signatures, static groups, and dynamic groups.

    Action

    Select the action to be taken when the monitored traffic matches the attack objects specified in the rules:

    • Recommended (default)—Uses the action that Juniper Networks recommends when an attack is detected. All predefined attack objects have a default action associated with the objects.

    • No action—No action is taken. Use this action to only generate logs for some traffic.

    • Drop Connection—Drops all packets associated with the connection and prevents traffic for the connection from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing.

    • Drop Packet—Drops a matching packet before it can reach its destination but does not close the connection. Use this action to drop packets for attacks in traffic that is prone to spoofing, such as UDP traffic. Dropping a connection for such traffic could result in a denial of service that prevents traffic from a legitimate source IP address.

    • Close Client—Closes the connection and sends an RST packet to the client, but not to the server.

    • Close Server—Closes the connection and sends an RST packet to the server, but not to the client.

    • Close Client and Server—Closes the connection and sends a TCP reset (RST) packet to both the client and the server.

    • Ignore Connection—Stops scanning traffic for the rest of the connection if an attack match is found. IPS disables the rulebase for the specific connection.

    • Mark DiffServ—Assigns the specified DSCP value to the packet in an attack and passes the packet on normally.

      When you select Mark DiffServ, the Code point popup is displayed.

      1. In the Code Point field, enter a DSCP value from 0 to 63.

      2. Click OK.

        The previous page opens displaying the entered DSCP value.

    Options

    Enable one or both of the following options to create a log:

    • Log attacks—Enable this option to log attacks. You can enable the Alert flag option in the Advanced settings to add an alert flag to an attack log.

    • Log packets—Enable this option to log packet capture when a rule matches for further offline analysis of attacker behavior. You can configure the number of pre-attack and post-attack packets to be captured for this attack and limit the duration of the post-attack packet capture by specifying a timeout value.

      You must configure at least one of the Packets Before, Packets After, or Post Window Timeout fields in the Advanced settings.

    Table 2: Advanced

    Setting

    Guideline

    Threat Profiling

    Add attacker to feed

    Add the IP addresses of the attackers to the feed to configure threat profiles in the IPS rule.

    Add target to feed

    Add the IP addresses of the attack targets to the feed to configure threat profiles in the IPS rule.

    Alert Flag

    Enable this option to set the alert flag in the attack log.

    Packets Before

    Enter the number of received packets that must be captured before an attack for further analysis of the attack behavior.

    The range is from 1 to 255.

    This field is available only if you enable the Log packets option.

    Packets After

    Enter the number of received packets after an attack that must be captured for further analysis of attacker behavior.

    The range is 1 to 255.

    This field is available only if you enable the Log packets option.

    Post Window Timeout

    Enter a time limit in seconds for capturing packets received after an attack. No packets are captured after the specified timeout has elapsed.

    The range is from 1 to 1800 seconds.

    This field is available only if you enable the Log packets option.

    IP Actions

    Action

    Select the action to be taken on future connections that use the same IP address:

    Note:

    If an IP action matches with multiple rules, then the most severe IP action of all the matched rules is applied. In decreasing order of severity, the actions are block, close, and notify.

    • None (default)—Do not take any action. This is similar to not configuring the IP action.

    • IP Notify—Do not take any action on future traffic but log the event.

    • IP Close—Close future connections of new sessions that match the IP address by sending RST packets to the client and server.

    • IP Block—Block future connections of any session that matches the IP address.

    IP Target

    Select how the traffic must be matched for the configured IP actions:

    • None—Do not match any traffic.

    • Destination Address—Matches traffic based on the destination IP address of the attack traffic.

    • Service—For TCP and UDP, matches traffic based on the source IP address, source port, destination IP address, and destination port of the attack traffic.

    • Source Address—Matches traffic based on the source IP address of the attack traffic.

    • Source Zone—Matches traffic based on the source zone of the attack traffic.

    • Source Zone Address—Matches traffic based on the source zone and source IP address of the attack traffic.

    • Zone Service—Matches traffic based on the source zone, destination IP address, destination port, and protocol of the attack traffic.

    Refresh Timeout

    Enable this option to refresh the IP action timeout (entered in the Timeout Value field) if future traffic matches the IP actions configured.

    Timeout Value

    Configure the number of seconds for the IP action to remain in effect.

    For example, if you configure a timeout of 3600 seconds (1 hour) and the traffic matches the IP actions configured, the IP action remains in effect for 1 hour.

    The range is from 0 to 64800 seconds.

    Log IP-Action hits

    Enable this option to log the information about the IP action against the traffic that matches a rule.

    Log IP-Action rule creation

    Enable this option to generate an event when the IP action filter is triggered.

    Rule Modifiers

    Severity override

    Select a severity level to override the inherited attack severity in the rules.

    The most dangerous level is Critical, for attacks that attempt to crash your server or gain control of your network; the least dangerous level is Informational, which you can use to discover vulnerabilities in your security systems.

    Terminal matching

    Enable this option to mark the IPS rule as terminal.

    When a terminal rule is matched, the device stops matching for the rest of the rules in that IPS profile.

Create an Exempt Rule

To create an exempt rule:

  1. Select SRX>Security Subscriptions>IPS>IPS Profiles.

    The IPS Profiles page opens.

  2. Click IPS-Profile-Name.

    The IPS-Profile-Name page opens.

  3. Click the add (+) icon on the IPS Rules tab.

    The parameters for an exempt rule are displayed inline at the top of the page.

  4. You can configure only the following fields:
    • Rule Name

    • Description

    • IPS Signatures

    See Table 1 for an explanation of these fields.

  5. Click Save to save your changes.

    The changes are saved and a confirmation message is displayed at the top of the page.

    You can use the IPS profile in a firewall policy intent. When you deploy the firewall policy on the device, the IPS and exempt rules associated with the profile are also deployed.
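For reference, the following is an added example, not taken from this page or from Juniper's documentation, of the Junos set-style configuration an SRX would carry after one IPS rule with the settings in Table 1 and Table 2 and one exempt rule from the procedure above are deployed. The policy name Custom-IPS-Profile, the rule names, the attack group name, and the signature name are assumed placeholders; the CLI keywords follow the Junos security idp hierarchy and are mapped to the GUI fields in the comments, which are annotations for the reader rather than loadable configuration.

```junos
# Added example: Junos configuration equivalent to one IPS rule and one exempt
# rule in a custom IPS profile. Policy, rule, group and signature names are
# assumed placeholders, not values from the page.

# --- IPS rule (Table 1 and Table 2 settings) ---
# IPS Signatures: one predefined dynamic attack group (name assumed)
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 match attacks predefined-attack-groups "HTTP - Critical"
# Action: Drop Packet (chosen over Drop Connection for spoofable traffic such as UDP)
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then action drop-packet
# Alternative for Mark DiffServ with Code Point 46:
#   ... rule IPS-Rule-1 then action mark-diffserv 46
# Options: Log attacks with the Alert Flag set
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then notification log-attacks alert
# Options: Log packets; Packets Before 5, Packets After 5, Post Window Timeout 60 seconds
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then notification packet-log pre-attack 5 post-attack 5 post-attack-timeout 60
# IP Actions: IP Block, IP Target = Source Address, Timeout Value 3600 s,
# Refresh Timeout enabled, Log IP-Action hits and Log IP-Action rule creation enabled
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action ip-block
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action target source-address
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action timeout 3600
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action refresh-timeout
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action log
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then ip-action log-create
# Rule Modifiers: Severity override = Critical, Terminal matching enabled
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 then severity critical
set security idp idp-policy Custom-IPS-Profile rulebase-ips rule IPS-Rule-1 terminal

# --- Exempt rule (only Rule Name, Description and IPS Signatures are configurable) ---
set security idp idp-policy Custom-IPS-Profile rulebase-exempt rule Exempt-Rule-1 description "Suppress a known-benign signature match (placeholder)"
set security idp idp-policy Custom-IPS-Profile rulebase-exempt rule Exempt-Rule-1 match attacks predefined-attacks "EXAMPLE:PLACEHOLDER:SIGNATURE"
```

After the firewall policy is deployed, the rules can be compared against the GUI settings on the device with show configuration security idp idp-policy Custom-IPS-Profile. The terminal keyword is what makes the device stop evaluating later rules in the profile once IPS-Rule-1 matches, so rule order in the profile matters whenever it is set.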