Configuring Application Policy Enforcement (Ape) Rules; Adding The Ape Rulebase Using The Policy Manager - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Configuring Application Policy Enforcement (APE) Rules

Adding the APE Rulebase Using the Policy Manager

476
NOTE: For other devices which do not support multiple IDP policies, an IDP rule's association with multiple IDP policies on the Policies panel is ignored.
NOTE: From-Zone and To-Zone are not applicable to MX Series devices; these values are trimmed or ignored if configured.
You can configure APE rules to detect network traffic based on application signatures (rather than services, service contexts, and signatures) and to take a specified action. APE rules are supported on IDP standalone devices running IDP release 5.0.
You complete the steps in the following sections to create an APE rulebase:

"Adding the APE Rulebase Using the Policy Manager" on page 476 or "Adding the APE Rulebase to a Policy Using the Application Profiler" on page 477—Create, modify, or delete APE rules from the Policy Manager, or select one or more traffic flows on the Application Profiler tab to create APE rules.

"Defining Matches For APE Rules" on page 478—Define the type of network traffic you want IDP to monitor for applications, such as source/destination zones, source/destination address objects, and the application layer protocols (services) supported by the destination address object. You can also negate zones, address objects, or services.

"Configuring Actions For APE Rules" on page 480—Specify the action you want IDP to take when the monitored traffic matches the rule's application objects. You can specify the action you want the security device to perform against the current connection and against future connections from the same source IP address (see Choosing an IP Action).

"Configuring Notification in APE Rules" on page 482—Disable or enable logging for the IDP rule.
NOTE: All APE rules are terminal. When a match is discovered in a terminal rule for the source, destination, service, and application, IDP does not continue to check subsequent rules for the same source, destination, service, and application.

You can create APE rules based on Layer-7 applications and protocols. Before you can configure a rule in the APE rulebase, you need to add the APE rulebase to a security policy.
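As an added illustration (not NSM's own code and not a Juniper API), the following Python models the matching semantics the sections above describe: a rule matches on zones, address objects, service and application; zones, address objects and services may be negated; rules are terminal, so the first match ends evaluation; and a match yields a connection action, an optional IP action for future connections from the same source, and a logging flag. All zone, address and application names below are constructed.

```python
from dataclasses import dataclass
from typing import Optional

MATCH_FIELDS = ("from_zone", "to_zone", "src", "dst", "service", "application")
NEGATABLE = {"from_zone", "to_zone", "src", "dst", "service"}  # application cannot be negated


@dataclass
class ApeRule:
    name: str
    action: str = "none"              # action against the current connection
    ip_action: Optional[str] = None   # action against future connections from the same source IP
    logging: bool = True              # notification: logging enabled or disabled
    negate: frozenset = frozenset()   # match fields whose sense is inverted
    from_zone: str = "any"
    to_zone: str = "any"
    src: str = "any"
    dst: str = "any"
    service: str = "any"
    application: str = "any"

    def matches(self, flow: dict) -> bool:
        for fld in MATCH_FIELDS:
            want = getattr(self, fld)
            hit = want == "any" or want == flow[fld]
            if fld in self.negate:
                if fld not in NEGATABLE:
                    raise ValueError(f"{fld} cannot be negated")
                hit = not hit
            if not hit:
                return False
        return True


def evaluate(rulebase, flow):
    """First matching rule wins; rules are terminal, so later rules are not checked."""
    for rule in rulebase:
        if rule.matches(flow):
            return rule.name, rule.action, rule.ip_action, rule.logging
    return None, "none", None, False


# Constructed sample rulebase: drop a P2P application and block its source IP for
# future connections; permit HTTP from trust to untrust unless it comes from guest-net.
RULEBASE = [
    ApeRule("deny-p2p", from_zone="trust", to_zone="untrust", application="app-p2p",
            action="drop-connection", ip_action="block-source-ip"),
    ApeRule("web-not-guest", from_zone="trust", to_zone="untrust", src="guest-net",
            negate=frozenset({"src"}), service="http"),
]


def flow(**overrides) -> dict:
    """Constructed sample flow with fields a practitioner would see in an IDP log."""
    f = dict(from_zone="trust", to_zone="untrust", src="corp-net", dst="internet",
             service="http", application="app-web")
    f.update(overrides)
    return f
```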
Copyright © 2010, Juniper Networks, Inc.