Table of Contents
Advertisement
Configuring Notification in IDP Rules
Copyright © 2010, Juniper Networks, Inc.
Setting Timeout Options
You can set the number of seconds that you want the IP action to remain in effect after
a traffic match. For permanent IP actions, leave the timeout at 0 (this is the default).
You can choose to log an attack and create log records with attack information that you
can view real-time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
might discover an attack too late or miss a security breach entirely due to sifting through
hundreds of log records. Excessive logging can also affect throughput, performance, and
available disk space. A good security policy generates enough logs to fully document
only the important security events on your network.
NOTE: J Series and SRX Series devices do not send packet data to NSM. If
your policy rules attempt to do so, then NSM does not log the data.
Setting Logging—In the Configure Notification dialog box, select Logging and then click
OK. Each time the rule is matched, the NSM system creates a log record that appears
in the Log Viewer.
Setting an Alert—In the Configure Notification dialog box, select Alert and then click
OK. If Alert is selected and the rule is matched, the security device places an alert flag
in the Alert column of the Log Viewer for the matching log record.
Logging Packets—You can record the individual packets in the network traffic that
matched a rule by capturing the packet data for the attack. Viewing the packets used
in an attack on your network can help you determine the extent of the attempted attack
and its purpose, whether or not the attack was successful, and any possible damage
to your network.
NOTE: To improve performance, log only the packets after the attack.
If multiple rules with packet capture enabled match the same attack, the security
device captures the maximum specified number of packets. For example, you configure
Rule 1 to capture 10 packets before and after the attack, and Rule 2 to capture 5 packets
before and after the attack. If both rules match the same attack, IDP attempts to
capture 10 packets before and after the attack.
Chapter 9: Configuring Security Policies
479
Advertisement
Table of Contents
