Defining A Match; Configuring Source And Destination Zones; Configuring Source And Destination Address Objects; Setting Attack Objects - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Defining a Match

Copyright © 2010, Juniper Networks, Inc.
1. In the main navigation tree, select Policies. Open a security policy by double-clicking the policy name in the security policies window, or click the policy name and then select the Edit icon.

2. Click the Add icon in the upper right corner of the Security Policy window and select Add Exempt Rulebase to enable the Exempt rulebase tab.

3. To configure an exempt rule, click the Add icon on the left side of the Security Policy window to open a default exempt rule. You can modify this rule as necessary.

You specify the traffic you want to exempt from attack detection. The Match columns From Zone, Source, To Zone, and Destination are required for all rules in the exempt rulebase.

The following sections detail the Match columns of an exempt rule.

Configuring Source and Destination Zones

You can select multiple zones for the source and destination; however, these zones must be available on the security devices on which you will install the policy. You can specify "any" for the source or destination zone to monitor network traffic originating from, or destined for, any zone.

NOTE: You can create custom zones for some security devices. The list of zones from which you can select source and destination zones includes the predefined and custom zones that have been configured for all devices managed by NSM. Therefore, you should only select zones that are applicable to the device on which you will install the security policy.

Configuring Source and Destination Address Objects

In the NSM system, address objects are used to represent components on your network: hosts, networks, servers, and so on. You can specify "any" to monitor network traffic originating from any IPv4 address and "AnyIPv6" to monitor network traffic originating from any IPv6 address. You can also negate the address objects listed in the Source or Destination column to specify all sources or destinations except the excluded object.

You can create address objects either before you create an exempt rule or while creating or editing an exempt rule. To select or configure an address object, right-click either the Source or Destination column of a rule and select Select Address. In the Select Source Addresses dialog box, you can either select an already-created address object or click the Add icon to create a new host, network, or group object.

For example, to improve performance and eliminate false positives between your Internal Lab devices and your Engineering desktops, you want to exempt attack detection for traffic between those address objects.

Setting Attack Objects

You specify the attacks you want IDP to exempt for the specified source/destination addresses. You must include at least one attack object in an exempt rule.
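The following is an added illustration, not NSM's own code or configuration format: a small Python model of how the four Match columns and the attack objects of an exempt rule select a detection, so the effect of "any" versus "AnyIPv6", of a negated Source column, and of the at-least-one-attack-object requirement can be checked offline before a policy is pushed. Zone names, address ranges and attack object names in the sample data are constructed; the matching semantics follow the guide's description, and anything beyond that (for example, the exact behaviour of a negated IPv4 object against IPv6 traffic) is an assumption of this model.

```python
from dataclasses import dataclass
import ipaddress

ANY = "any"           # keyword: any IPv4 address in an address column, any zone in a zone column
ANY_IPV6 = "AnyIPv6"  # keyword: any IPv6 address


@dataclass(frozen=True)
class AddressObject:
    """A host or network address object; a host object is simply a /32 or /128."""
    name: str
    network: str  # CIDR text

    def contains(self, ip: str) -> bool:
        # ip_network membership is False across address families, so an IPv4
        # object never matches an IPv6 address and vice versa (model assumption).
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.network, strict=False)


@dataclass(frozen=True)
class AddressColumn:
    """The Source or Destination column: address objects or keywords, optionally negated."""
    entries: tuple
    negate: bool = False

    def matches(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        hit = False
        for entry in self.entries:
            if entry == ANY:
                hit = hit or addr.version == 4
            elif entry == ANY_IPV6:
                hit = hit or addr.version == 6
            else:
                hit = hit or entry.contains(ip)
        # A negated column means "every address except the listed objects".
        return (not hit) if self.negate else hit


@dataclass(frozen=True)
class AttackEvent:
    """One IDP detection as the exempt rulebase sees it (constructed fields)."""
    from_zone: str
    src_ip: str
    to_zone: str
    dst_ip: str
    attack: str


def zone_matches(zones: tuple, zone: str) -> bool:
    return ANY in zones or zone in zones


@dataclass(frozen=True)
class ExemptRule:
    from_zones: tuple
    source: AddressColumn
    to_zones: tuple
    destination: AddressColumn
    attacks: frozenset

    def __post_init__(self):
        # All four Match columns are required, and at least one attack object must be listed.
        if not self.from_zones or not self.to_zones:
            raise ValueError("From Zone and To Zone are required")
        if not self.attacks:
            raise ValueError("an exempt rule must include at least one attack object")

    def matches(self, event: AttackEvent) -> bool:
        return (zone_matches(self.from_zones, event.from_zone)
                and self.source.matches(event.src_ip)
                and zone_matches(self.to_zones, event.to_zone)
                and self.destination.matches(event.dst_ip)
                and event.attack in self.attacks)


def is_exempt(rules, event: AttackEvent) -> bool:
    """True when some exempt rule covers this detection, i.e. it is exempt from attack detection."""
    return any(rule.matches(event) for rule in rules)


# Constructed sample data: zone names, address ranges and attack object names are made up.
INTERNAL_LAB = AddressObject("Internal Lab", "10.10.0.0/24")
ENGINEERING = AddressObject("Engineering desktops", "10.20.0.0/24")

# The guide's scenario: exempt one signature between Internal Lab and Engineering desktops.
LAB_TO_ENG = ExemptRule(
    from_zones=("lab",),
    source=AddressColumn((INTERNAL_LAB,)),
    to_zones=("eng",),
    destination=AddressColumn((ENGINEERING,)),
    attacks=frozenset({"EXAMPLE-SCANNER-SIGNATURE"}),
)

# Negated Source column: exempt a noisy signature from every source except the lab itself.
NOT_LAB_TO_ENG = ExemptRule(
    from_zones=(ANY,),
    source=AddressColumn((INTERNAL_LAB,), negate=True),
    to_zones=("eng",),
    destination=AddressColumn((ENGINEERING,)),
    attacks=frozenset({"EXAMPLE-NOISY-SIGNATURE"}),
)

RULES = (LAB_TO_ENG, NOT_LAB_TO_ENG)


def check(from_zone, src_ip, to_zone, dst_ip, attack) -> bool:
    return is_exempt(RULES, AttackEvent(from_zone, src_ip, to_zone, dst_ip, attack))


if __name__ == "__main__":
    for args in (("lab", "10.10.0.5", "eng", "10.20.0.9", "EXAMPLE-SCANNER-SIGNATURE"),
                 ("lab", "10.10.0.5", "eng", "10.20.0.9", "EXAMPLE-NOISY-SIGNATURE"),
                 ("dmz", "192.0.2.7", "eng", "10.20.0.9", "EXAMPLE-NOISY-SIGNATURE")):
        print(args, "->", "exempt" if check(*args) else "detected")
```

The point worth checking with such a model is scope: an exempt rule is only as narrow as its Match columns, so a negated Source column or an "any" zone widens the set of traffic that escapes detection far beyond the two address objects in the guide's example, and the rule should be reviewed with that in mind.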
Chapter 9: Configuring Security Policies
481
