Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01 Manual page 66

Configuring Intrusion Detection and Prevention Devices Guide (page 50)
Table 31: SYN Protector Rulebase Rule Properties (continued)

Option: Match > Service
  Function: Specifies the service objects in the rule, that is, the service an attack uses to access your network.
  Your Action: Set a service by selecting any of the available options.
  NOTE: We recommend that you do not change the default value, TCP-ANY.

Option: Mode
  Function: Specifies the mode that indicates how IDP handles TCP traffic.
  Your Action: Select any of the following options:
    None—Specifies that IDP takes no action and does not participate in the three-way handshake.
    Relay—Specifies that IDP acts as the middleman, or relay, for the connection establishment, performing the three-way handshake with the client host on behalf of the server.
    NOTE: Relay mode might not work as expected for MPLS traffic. When the IDP engine processes MPLS traffic, it stores the MPLS label information for traffic in each direction. For traffic that matches SYN Protector rules in relay mode, the IDP appliance sends a SYN-ACK before the traffic has reached the server. In these cases, the IDP engine does not yet have server-to-client MPLS label information, so the SYN-ACK packet does not include an MPLS label. Some MPLS routers can add packets without a label to an existing MPLS tunnel; others drop such packets.
    Passive—Specifies that IDP handles the transfer of packets between the client host and the server, but does not actively prevent the connection from being established.
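The following is an added toy model, not Juniper code, of the three Mode values and of the MPLS caveat above: the IDP learns a label per direction from traffic it sees, so in relay mode the SYN-ACK it generates before any server packet has arrived carries no label, whereas in none or passive mode the server's own SYN-ACK does. Host names and label values are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    flags: str                        # "SYN", "SYN-ACK" or "ACK"
    mpls_label: Optional[int] = None  # label carried on the wire, if any


class SynProtector:
    """Toy model of an IDP rule in one SYN Protector mode (constructed, not Juniper code)."""

    def __init__(self, mode: str) -> None:
        if mode not in ("none", "relay", "passive"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode = mode
        # MPLS label learned per direction, keyed by (src, dst), as the guide describes
        self.labels: Dict[Tuple[str, str], int] = {}
        self.emitted: List[Packet] = []   # packets the IDP itself generates
        self.observed: List[Packet] = []  # packets the IDP tracked while passing them through

    def handle(self, pkt: Packet) -> Packet:
        if pkt.mpls_label is not None:
            self.labels[(pkt.src, pkt.dst)] = pkt.mpls_label
        if self.mode == "relay" and pkt.flags == "SYN":
            # Relay: answer the client on the server's behalf. The server has not sent
            # anything yet, so the server-to-client label is unknown and the SYN-ACK
            # leaves unlabeled (the MPLS caveat in the table).
            reply = Packet(pkt.dst, pkt.src, "SYN-ACK",
                           self.labels.get((pkt.dst, pkt.src)))
            self.emitted.append(reply)
            return reply
        if self.mode == "passive":
            self.observed.append(pkt)     # passive tracks the flow but never answers
        return pkt                        # none/passive: forward unchanged


def first_synack(mode: str, client_label: int = 100, server_label: int = 200) -> Packet:
    """Return the first SYN-ACK the client sees for a new connection under the given mode.
    The labels are constructed sample values for the client->server and server->client paths."""
    idp = SynProtector(mode)
    syn = Packet("client", "server", "SYN", client_label)
    out = idp.handle(syn)
    if out.flags == "SYN-ACK":
        return out                        # relay mode: generated by the IDP itself
    # none/passive: the real server answers, and its packet carries the learned label
    return idp.handle(Packet("server", "client", "SYN-ACK", server_label))
```

Whether an unlabeled SYN-ACK survives depends on the MPLS routers in the path, which is why the guide flags relay mode for MPLS traffic; passive mode keeps the server's labeled reply intact.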
Copyright © 2010, Juniper Networks, Inc.