Table of Contents
Advertisement
Copyright © 2010, Juniper Networks, Inc.
Configuring a DI Profile/Enable IDP for Firewall Rules
Use the DI Profile/Enable IDP rule options to configure Deep Inspection (DI) or Intrusion
Detection and Prevention (IDP) functionality within the rule.
This function applies to firewall and ISG devices only. Standalone IDP devices do not use
firewall rules. DI and IDP are mutually exclusive. When you install the IDP license key on
a security device, DI is automatically disabled.
Configuring DI Profile for a Rule
Security devices running ScreenOS 5.x and later, include Deep Inspection attack protection
that can detect malicious network traffic at the application level. To configure attack
protection, select a DI Profile object in your firewall rule to detect intrusion attempts
within permitted traffic.
Attacks are specific patterns of malicious activity within a network connection, and an
attack object uses selected sections of the attack pattern to detect the attack itself.
NSM contains a database of predefined attack objects that detect known and unknown
attacks against your network. You can use these predefined attack objects (and your
own custom attack objects) to create a DI Profile object, which you then use in a firewall
rule. When configuring a DI Profile, you can also defined the action that the device
performs against those attacks when detected in permitted traffic.
You can configure one DI Profile for each rule. When the device detects a match between
the permitted network traffic and an attack object within the selected DI Profile, the
device generates an attack log entry.
To use a DI Profile:
The firewall action must be permit. You cannot detect attacks in traffic that the device
denies or rejects.
The security device you install the policy on must be running ScreenOS 5.0 and later.
If you install a policy that contains a DI Profile on an earlier ScreenOS device, the device
executes and processes traffic according to the rule, but does not detect
application-level attacks.
Configuring IDP for a Firewall Rule
When configuring a rule for an IDP-capable device, such as the ISG2000 or ISG1000
security gateway running ScreenOS 5.0 IDP1, you can enable IDP and select an IDP mode
in the DI Profile/Enable IDP rule options. Enabling IDP directs the security device to pass
all traffic permitted by the firewall rule to the IDP rulebase.
DI and IDP are mutually exclusive. When you install the IDP license key on a security
device, DI is automatically disabled.
When configuring the firewall rule, consider the following:
Traffic that is denied by a firewall rule cannot be passed to IDP rules. To enable IDP in
a firewall rule, the action must be permit.
For firewall rules that pass traffic to the IDP rulebases, the Install On column must
include IDP-capable devices only.
Chapter 9: Configuring Security Policies
457
Advertisement
Table of Contents
