Setting Attack Objects; Specifying Vlans; Setting Target Devices; Entering Comments - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMININISTRATION GUIDE REV1 Administration Manual

Copyright © 2010, Juniper Networks, Inc.

To improve performance and eliminate false positives between your Internal Lab devices
and your Engineering desktops, you want to exempt attack detection.

Setting Attack Objects

You specify the attacks you want IDP to exempt for the specified source/destination
addresses. You must include at least one attack object in an exempt rule.

You consistently find that your security policy generates false positives for the attack
HTTP Buffer Overflow: Header on your internal network. You want to exempt attack
detection for this attack when the source IP is from your internal network.

Specifying VLANs

You can specify that the rule be applied only to packets from particular VLANs. See
"Setting VLAN Tags for IDP Rules" on page 480 for more information.

Setting Target Devices

For each rule in the rulebase, you can select the IDP-capable device that will use that
rule to detect and prevent attacks. Alternatively, you can use Device Manager to assign
policies to devices.

Entering Comments

You can enter notations about the rule in the Comments column. Anything you enter in
the Comments column is not pushed to the target devices. To enter a comment, right-click
the Comments column and select Edit Comments. The Edit Comments dialog box
appears. You can enter up to 1024 characters in the Comments field.

Creating an Exempt Rule from the Log Viewer

You can also create a rule in the Exempt rulebase directly from the NSM Log Viewer. You
might want to use this method to quickly eliminate rules that generate false positive log
records.

To create an exempt rule from the Log Viewer:

1. View the IDP/DI logs in the Log Viewer.
2. Right-click a log record that contains an attack you want to exempt and select Exempt.

The Exempt rulebase for the security policy that generated the log record is displayed,
with the exempt rule that is associated with the log entry. The source, destination, and
attack settings for the rule are automatically filled in based on the information in the log
record.

NOTE: If the Exempt rulebase does not already exist when you create an
exempt rule from the Log Viewer, the rulebase is automatically created and
the rule is added.

You can modify, reorder, or merge an exempt rule created from the Log Viewer in the
same manner as any other exempt rule that you create directly in the Exempt rulebase.
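
The following is an added example, not part of the Juniper manual or of NSM: a small Python model of an exempt rule (source, destination, attack objects) that counts how many log records a proposed exemption would suppress, so you can see the effect of widening a rule that was pre-filled from one log record. The record and rule structures, the addresses and the second attack name are constructed for illustration and are not NSM's data format.

```python
import ipaddress
from dataclasses import dataclass
MAX_COMMENT = 1024  # Comments field limit given in the manual

@dataclass(frozen=True)
class LogRecord:  # constructed stand-in for a log row, not NSM's format
    src: str
    dst: str
    attack: str

@dataclass(frozen=True)
class ExemptRule:  # hypothetical model of one Exempt rulebase row
    src: str  # CIDR network
    dst: str  # CIDR network
    attacks: frozenset
    comment: str = ""

    def validate(self):
        if not self.attacks:
            raise ValueError("exempt rule needs at least one attack object")
        if len(self.comment) > MAX_COMMENT:
            raise ValueError("comment longer than 1024 characters")
        return self

    def matches(self, rec):
        return (rec.attack in self.attacks
                and ipaddress.ip_address(rec.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(rec.dst) in ipaddress.ip_network(self.dst))

def rule_from_log(rec, comment=""):
    """Narrowest rule: source, destination and attack copied from one record."""
    return ExemptRule(str(ipaddress.ip_network(rec.src)), str(ipaddress.ip_network(rec.dst)),
                      frozenset({rec.attack}), comment).validate()

def suppressed(rule, logs):
    """Log records the rule would exempt from attack detection."""
    return [r for r in logs if rule.validate().matches(r)]

ATTACK = "HTTP Buffer Overflow: Header"  # attack named in the manual
LOGS = [  # constructed sample records
    LogRecord("10.1.1.20", "10.1.2.5", ATTACK),
    LogRecord("10.1.1.21", "10.1.2.5", ATTACK),
    LogRecord("203.0.113.9", "10.1.2.5", ATTACK),
    LogRecord("10.1.1.20", "10.1.2.5", "Constructed Attack B"),
]
if __name__ == "__main__":
    for net in ("10.1.1.20/32", "10.1.0.0/16", "0.0.0.0/0"):  # widening source scope
        rule = ExemptRule(net, "10.1.0.0/16", frozenset({ATTACK}))
        print(net, "exempts", len(suppressed(rule, LOGS)), "of", len(LOGS), "records")
```

A rule whose source covers every address also exempts the record from the external source, which is why the source is kept to the internal network in the manual's scenario.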
Chapter 9: Configuring Security Policies