Table 46: Actions For Backdoor Rule; Setting Operation; Setting Actions; Setting Notification - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Copyright © 2010, Juniper Networks, Inc.

Setting Operation

Set the Operation to detect or ignore. If you select detect, choose an action to perform
if backdoor traffic is detected. If you are protecting a large number of address objects
from interactive traffic, you can create a rule that ignores accepted forms of interactive
traffic from those objects, then create a succeeding rule that detects all interactive traffic
from those objects.

Setting Actions

Choose an action to perform from Table 46 on page 489 if IDP detects interactive traffic:

Table 46: Actions for Backdoor Rule

| Action | Description |
|---|---|
| Accept | IDP accepts the interactive traffic. |
| Drop Connection | IDP drops the interactive connection without sending a RST packet to the sender, preventing the traffic from reaching its destination. Use this action to drop connections for traffic that is not prone to spoofing. |
| Close Client and Server | IDP closes the interactive connection and sends a RST packet to both the client and the server. If the IDP is in sniffer mode, IDP sends a RST packet to both the client and server but does NOT close the connection. |
| Close Client | IDP closes the interactive connection to the client, but not to the server. |
| Close Server | IDP closes the interactive connection to the server, but not to the client. |

Setting Notification

You can choose to log an attack and create log records with attack information that you
can view in real time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.

To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.

The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect IDP throughput, performance,
and available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.

Setting Logging

In the Configure Notification dialog box, select Logging and then click OK. Each time the
rule is matched, the IDP system creates a log record that appears in the Log Viewer.
Chapter 9: Configuring Security Policies