Network and Security Manager Administration Guide
1. In the main navigation tree, select Policies. Open a security policy by double-clicking
the policy name in the Security Policies window or by clicking the policy name and
then selecting the Edit icon.
2. Click the Add icon in the upper right corner of the Security Policy window and select
Add Traffic Anomalies Rulebase to open the Traffic Anomalies rulebase tab.
3. Configure a Traffic Anomalies rule by clicking the Add icon on the left side of the
Security Policy window to open a default Traffic Anomalies rule. You can modify this
rule as needed.
Defining a Match
You specify the traffic you want IDP to monitor for network anomalies.
Configuring Source and Destination Address Objects
Set the Source Object to Any. Set the Destination Object to any address objects you want
to protect.
Configuring Services
Set the Service to Any, unless you want to tailor different rules to different services.
Setting Detect Options
Right-click the rulebase cell in the Traffic Anomalies column and select Detect. In the
View Detect Options dialog, set the Port Count and Time Threshold values for each value
you want to monitor. The values are measured in number of hits (Port Count) within a
particular number of seconds (Time Threshold).
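As an added illustration (not NSM or IDP code), the Python below applies the Port Count and Time Threshold semantics just described to constructed connection records: a source is flagged when it reaches the configured number of destination ports on one host inside a sliding window of the given length. Counting Port Count as distinct destination ports per source/destination pair, and raising one alert per pair, are assumptions made here.

```python
from collections import defaultdict, deque

# Constructed sample connection records: (timestamp_s, src_ip, dst_ip, dst_port)
SAMPLE_EVENTS = [
    # 10.0.0.5 touches five distinct ports on one host within two seconds
    (0.0, "10.0.0.5", "192.0.2.10", 22),
    (0.5, "10.0.0.5", "192.0.2.10", 80),
    (1.0, "10.0.0.5", "192.0.2.10", 443),
    (1.5, "10.0.0.5", "192.0.2.10", 3389),
    (2.0, "10.0.0.5", "192.0.2.10", 8080),
    # 10.0.0.7 hammers a single port: many hits, but only one distinct port
    *[(0.5 * i, "10.0.0.7", "192.0.2.10", 80) for i in range(6)],
    # 10.0.0.9 reaches five ports, but spread over two minutes
    (0.0, "10.0.0.9", "192.0.2.10", 80),
    (30.0, "10.0.0.9", "192.0.2.10", 443),
    (60.0, "10.0.0.9", "192.0.2.10", 22),
    (90.0, "10.0.0.9", "192.0.2.10", 25),
    (120.0, "10.0.0.9", "192.0.2.10", 53),
]


def detect_port_scans(events, port_count, time_threshold):
    """Return alerts (timestamp, src_ip, dst_ip, distinct_ports) for every
    source/destination pair that reaches `port_count` distinct destination
    ports within any `time_threshold`-second window.
    Assumption: Port Count is counted as distinct ports per pair, and a pair
    alerts only once so that a sustained scan does not flood the log."""
    windows = defaultdict(deque)   # (src, dst) -> deque of (ts, port) in window
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(events):
        key = (src, dst)
        win = windows[key]
        win.append((ts, port))
        # Expire hits that have fallen out of the sliding window
        while win and ts - win[0][0] > time_threshold:
            win.popleft()
        distinct = {p for _, p in win}
        if len(distinct) >= port_count and key not in alerted:
            alerted.add(key)
            alerts.append((ts, src, dst, len(distinct)))
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(SAMPLE_EVENTS, port_count=5, time_threshold=10):
        print("port scan: ts=%.1f %s -> %s (%d ports)" % alert)
```

With a Port Count of 5 and a Time Threshold of 10 seconds only 10.0.0.5 is reported; widening the window to 200 seconds also catches the slow scanner 10.0.0.9, while the single-port source never matches.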
Setting Response Options
The IP Action column governs what action the IDP Sensor takes when it finds a matching
condition.
Right-click the rulebase cell in the IP Action column and select Configure. The Configure
IP Action dialog displays.
Configure your IP Action settings as appropriate for your network.
Setting Notification
You can choose to log an attack and create log records with attack information that you
can view in real time in the Log Viewer. For more critical attacks, you can also set an alert
flag to appear in the log record.
To log an attack for a rule, right-click the Notification column of the rule and select
Configure. The Configure Notification dialog box appears.
The first time you design a security policy, you might be tempted to log all attacks and
let the policy run indefinitely. Don't do this! Some attack objects are informational only,
and others can generate false positives and redundant logs. If you become overloaded
with data, you can miss something important. Remember that security policies that
generate too many log records are hazardous to the security of your network, as you
Copyright © 2010, Juniper Networks, Inc.