Table of Contents
Advertisement
Network and Security Manager Administration Guide
Configuring Notification in APE Rules
478
IDP Close—The security device closes future connections that match the criteria in the
Block list.
Choosing a Block Option
Each block option follows the criteria you set in the Actions box. Block options can be
based on the following matches of the attack traffic:
Source, Destination, Destination Port and Protocol—The security device blocks future
traffic based on the source, destination, destination port, and protocol of the attack
traffic. This is the default.
Source—The security device blocks future traffic based on the source of the attack
traffic.
Destination—The security device blocks future traffic based on the destination of the
attack traffic.
From Zone, Destination, Destination Port and Protocol—The security device blocks
future traffic based on the source zone, destination, destination port, and protocol of
the attack traffic.
From Zone—The security device blocks future traffic based on the source zone of the
attack traffic.
Setting Logging Options
When the security device detects attack traffic that matches a rule and an IP action is
triggered, the device can log information about the IP action that was taken or create an
alert in the Log Viewer. By default, there are no logging options set.
Setting Timeout Options
You can set the number of seconds that you want the IP action to remain in effect after
a traffic match. For permanent IP actions, leave the timeout at 0 (this is the default).
You can log an attack and create log records with attack information that you can view
in realtime in the Log Viewer. For more critical attacks, you can also set an alert flag to
appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Do not do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Security policies that generate too many
log records are hazardous to the security of your network, because you might discover
an attack too late or miss a security breach entirely due to sifting through hundreds of
log records. Excessive logging can also affect throughput, performance, and available
disk space. A good security policy generates enough logs to fully document only the
important security events on your network.
Copyright © 2010, Juniper Networks, Inc.
Advertisement
Table of Contents
