Configuring Application Policy Enforcement (APE) Rules; Adding the APE Rulebase Using the Policy Manager - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Configuring Application Policy Enforcement (APE) Rules

Adding the APE Rulebase Using the Policy Manager

Copyright © 2010, Juniper Networks, Inc.
You can configure APE rules to detect network traffic based on application signatures
(rather than services, service contexts, and signatures) and to take a specified action.
APE rules are supported on IDP standalone devices running IDP release 5.0.
Complete the steps in the following sections to create an APE rulebase:
• "Adding the APE Rulebase Using the Policy Manager" on page 483 or "Adding the APE
  Rulebase to a Policy Using the Application Profiler" on page 484—Create, modify, or
  delete APE rules from the Policy Manager, or select one or more traffic flows
  on the Application Profiler tab to create APE rules.
• "Defining Matches For APE Rules" on page 484—Define the type of network traffic you
  want IDP to monitor for applications, such as source/destination zones,
  source/destination address objects, and the application layer protocols (services)
  supported by the destination address object. You can also negate zones, address
  objects, or services.
• "Configuring Actions For APE Rules" on page 487—Specify the action you want IDP to
  take when the monitored traffic matches the rule's application objects. You can specify
  the action you want the security device to perform against the current connection and
  future connections from the same source IP address (see Choosing an IP Action).
• "Configuring Notification in APE Rules" on page 489—Disable or enable logging for the
  IDP rule.
NOTE: All APE rules are terminal. When a match is discovered in a terminal
rule for the source, destination, service, and application, IDP does not continue
to check subsequent rules for the same source, destination, service, and
application.
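The first-match behaviour described in the NOTE above, as an added example that is not from the Juniper guide or from NSM: a small Python model of an ordered, all-terminal rulebase that reports which rule wins for a flow and which later rules also match but are never checked. The Field and Rule classes, the rule names, and the zone, service and application names are assumptions made up for the illustration; address objects are left out.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Field:
    values: Optional[frozenset] = None  # None = "any"
    negate: bool = False                # zones, address objects, services can be negated

    def matches(self, value):
        if self.values is None:
            return True
        return (value in self.values) != self.negate


def only(*names):
    return Field(frozenset(names))


def all_but(*names):
    return Field(frozenset(names), negate=True)


@dataclass(frozen=True)
class Rule:
    name: str
    src: Field = Field()
    dst: Field = Field()
    service: Field = Field()
    application: Field = Field()

    def matches(self, flow):
        keys = ("src", "dst", "service", "application")
        return all(getattr(self, k).matches(flow[k]) for k in keys)


def evaluate(rules, flow):
    """First match wins: return (winning rule, later rules that also match but are never checked)."""
    hits = [r.name for r in rules if r.matches(flow)]
    return (hits[0], hits[1:]) if hits else (None, [])


# Constructed sample rulebase and flows (zone, service and application names are placeholders).
RULES = [
    Rule("rule-1", src=only("trust"), service=only("HTTP")),
    Rule("rule-2", src=only("trust"), service=only("HTTP"), application=only("APP-A")),
    Rule("rule-3", dst=all_but("dmz"), application=only("APP-B")),
]
FLOWS = [
    dict(src="trust", dst="untrust", service="HTTP", application="APP-A"),
    dict(src="untrust", dst="dmz", service="FTP", application="APP-B"),
    dict(src="trust", dst="untrust", service="HTTP", application="APP-B"),
]
```

In this model rule-1 leaves the application unrestricted, so it pre-empts the more specific rule-2 and rule-3 for traffic from the trust zone over HTTP; reversing the order lets the specific rules win.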
You can create APE rules based on Layer-7 applications and protocols. Before you can
configure a rule in the APE rulebase, you need to add the APE rulebase to a security policy.
To configure an APE rulebase and APE rules:
1. In the main navigation tree, select Policies. Double-click the policy name in the security
   policies window or click the policy name and then select the Edit icon.
2. Click the Add icon in the upper right corner of the Security Policy window and select
   Add APE Rulebase to enable the APE rulebase tab.
3. To configure an APE rule, click the Add icon on the left side of the Security Policy
   window to open a default APE rule. You can modify the rule as necessary.
4. Click OK.
Chapter 9: Configuring Security Policies (page 483)