Configuring IP Actions in IDP Rules
Copyright © 2010, Juniper Networks, Inc.
Additionally, after you have added the custom group to a rule, you can edit the settings
for the dynamic group by double-clicking the group icon in the rule.
This column only appears when you view the security policy in Expanded Mode. To change
the security policy view from Compact Mode to Expanded Mode, from the menu bar,
select View > Expanded Mode.
If the current network traffic matches a rule, the security device can perform an IP action
against future network traffic that uses the same IP address. IP actions are similar to
other actions; they direct the device to drop or close the connection. However, because
you now also have the attacker's IP address, you can choose to block the attacker for a
specified amount of time. If attackers cannot immediately regain a connection to your
network, they might try to attack easier targets.
Use IP actions in conjunction with actions and logging to secure your network. In a rule,
first configure an action to detect and prevent current malicious connections from reaching
your address objects. Then right-click in the IP Action column of the rule and select
Configure. The Configure IP Action dialog box appears, as shown in Figure 83 on page 467.
Enable and configure an IP action to prevent future malicious connections from the
attacker's IP address.
Figure 83: Configure IP Action
Choosing an IP Action
For each IP action option, an IP action is generated by NSM. The IP action instructs the
security device to perform the specified task. Select from the following options:
IDP Notify—The security device does not take any action against future traffic, but logs
the event. This is the default.
IDP Drop—The security device drops the matching connection and blocks future
connections that match the criteria set in the Block list.
IDP Close—The security device closes future connections that match the criteria in the
Block list.
Choosing a Block Option
Each block option follows the criteria you set in the Actions box. Block options can be
based on the following matches of the attack traffic:
Chapter 9: Configuring Security Policies
467