Table of Contents
Advertisement
Copyright © 2010, Juniper Networks, Inc.
Use Scan Manager with Profile—Scan Manager is an embedded scanning engine. This
setting tells the device to use the global profile specified. This setting only works for
devices running ScreenOS 5.3.
Use ICAP Profile—ICAP is a method of redirecting traffic to an ICAP-capable server
running AV software. This feature is available on devices running ScreenOS 5.4 and
higher.
Configuring a DI Profile/Enable IDP for Firewall Rules
Use the DI Profile/Enable IDP rule options to configure Deep Inspection (DI) or Intrusion
Detection and Prevention (IDP) functionality within the rule.
This function applies to firewall and ISG devices only. Standalone IDP devices do not use
firewall rules. DI and IDP are mutually exclusive. When you install the IDP license key on
a security device, DI is automatically disabled.
Configuring DI Profile for a Rule
Security devices running ScreenOS 5.x and later, include Deep Inspection attack protection
that can detect malicious network traffic at the application level. To configure attack
protection, select a DI Profile object in your firewall rule to detect intrusion attempts
within permitted traffic.
Attacks are specific patterns of malicious activity within a network connection, and an
attack object uses selected sections of the attack pattern to detect the attack itself.
NSM contains a database of predefined attack objects that detect known and unknown
attacks against your network. You can use these predefined attack objects (and your
own custom attack objects) to create a DI Profile object, which you then use in a firewall
rule. When configuring a DI Profile, you can also defined the action that the device
performs against those attacks when detected in permitted traffic.
You can configure one DI Profile for each rule. When the device detects a match between
the permitted network traffic and an attack object within the selected DI Profile, the
device generates an attack log entry.
To use a DI Profile:
The firewall action must be permit. You cannot detect attacks in traffic that the device
denies or rejects.
The security device you install the policy on must be running ScreenOS 5.0 and later.
If you install a policy that contains a DI Profile on an earlier ScreenOS device, the device
executes and processes traffic according to the rule, but does not detect
application-level attacks.
Configuring IDP for a Firewall Rule
When configuring a rule for an IDP-capable device, such as the ISG2000 or ISG1000
security gateway running ScreenOS 5.0 IDP1, you can enable IDP and select an IDP mode
in the DI Profile/Enable IDP rule options. Enabling IDP directs the security device to pass
all traffic permitted by the firewall rule to the IDP rulebase.
Chapter 9: Configuring Security Policies
463
Advertisement
Table of Contents
