Table of Contents
Advertisement
Network and Security Manager Administration Guide
Configuring Notification in IDP Rules
468
Source, Destination, Destination Port and Protocol—The security device blocks future
traffic based on the source, destination, destination port, and protocol of the attack
traffic. This is the default.
Source—The security device blocks future traffic based on the source of the attack
traffic.
Destination—The security device blocks future traffic based on the destination of the
attack traffic.
From Zone, Destination, Destination Port and Protocol—The security device blocks
future traffic based on the source zone, destination, destination port, and protocol of
the attack traffic.
From Zone—The security device blocks future traffic based on the source zone of the
attack traffic.
Setting Logging Options
When the security device detects attack traffic that matches a rule and an IP action is
triggered, the device can log information about the IP action that was taken or create an
alert in the Log Viewer. By default, there are no logging options set.
Setting Timeout Options
You can set the number of seconds that you want the IP action to remain in effect after
a traffic match. For permanent IP actions, leave the timeout at 0 (this is the default).
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect throughput, performance, and
available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.
NOTE: J Series and SRX Series devices do not send packet data to NSM. If your policy
rules attempt to do so, then NSM does not log the data.
Setting Logging—In the Configure Notification dialog box, select Logging and then click
OK. Each time the rule is matched, the NSM system creates a log record that appears
in the Log Viewer.
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
