
  • 1.  SRX IDP observations mode, no action, Intrusion detection system mode

    Posted 02-16-2022 09:33
    Hi everybody

    Can we apply IDP, in a separate security policy, in watch mode (monitor only), without taking action on traffic?
    As I can see, this can be done by changing the predefined rules, namely by adding the parameter no-action.
    If it is possible, please specify in the config example.
    TAP mode is not suitable.

    ------------------------------
    BADMA BUTAEV
    ------------------------------


  • 2.  RE: SRX IDP observations mode, no action, Intrusion detection system mode

    Posted 02-17-2022 10:56
    Hello,

    Your understanding is correct. If you simply want to have IDP alert on events but take no action, set the action within the IDP rule to 'no-action' and set notification to 'log-attacks'.

    This can be done on a per-IDP-rule basis as well. You can have certain sets of signatures actively block malicious traffic and certain other sets of signatures set to 'no-action'.

    ------------------------------
    Craig Dods
    ------------------------------
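A worked configuration for what this reply describes, added here as an example and not taken from the thread or from Juniper documentation: one IDP policy whose first rule blocks a critical attack group while a second rule only observes and logs, attached to a security policy. It assumes zones named trust and untrust, the policy and rule names shown, and Junos 18.2+ syntax where the IDP policy is referenced by name from the security policy.

```junos
# Constructed example, not from the original post. Assumes zones "trust"/"untrust",
# Junos 18.2+ and the predefined groups "Critical - All" and "Major - All".

# Rule 1: critical signatures actively block and raise an alert in the log.
set security idp idp-policy IDP-MIXED rulebase-ips rule BLOCK-CRITICAL match from-zone any to-zone any
set security idp idp-policy IDP-MIXED rulebase-ips rule BLOCK-CRITICAL match source-address any destination-address any application default
set security idp idp-policy IDP-MIXED rulebase-ips rule BLOCK-CRITICAL match attacks predefined-attack-groups "Critical - All"
set security idp idp-policy IDP-MIXED rulebase-ips rule BLOCK-CRITICAL then action drop-connection
set security idp idp-policy IDP-MIXED rulebase-ips rule BLOCK-CRITICAL then notification log-attacks alert

# Rule 2: watch mode. no-action leaves the session untouched; log-attacks still
# records every match, which is the IDS-style behaviour the question asks for.
set security idp idp-policy IDP-MIXED rulebase-ips rule WATCH-MAJOR match from-zone any to-zone any
set security idp idp-policy IDP-MIXED rulebase-ips rule WATCH-MAJOR match source-address any destination-address any application default
set security idp idp-policy IDP-MIXED rulebase-ips rule WATCH-MAJOR match attacks predefined-attack-groups "Major - All"
set security idp idp-policy IDP-MIXED rulebase-ips rule WATCH-MAJOR then action no-action
set security idp idp-policy IDP-MIXED rulebase-ips rule WATCH-MAJOR then notification log-attacks

# Attach the IDP policy to one security policy only; other policies stay uninspected.
set security policies from-zone trust to-zone untrust policy TO-INTERNET match source-address any destination-address any application any
set security policies from-zone trust to-zone untrust policy TO-INTERNET then permit application-services idp-policy IDP-MIXED

# Verification after commit: matches for WATCH-MAJOR appear in the attack table
# and in syslog with the IDP_ATTACK_LOG_EVENT tag, while traffic keeps flowing.
# show security idp attack table
# show log messages | match IDP_ATTACK_LOG_EVENT
```

On releases before 18.2 the IDP policy is selected globally with `set security idp active-policy IDP-MIXED` and the security policy uses `then permit application-services idp` instead of naming the policy.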



  • 3.  RE: SRX IDP observations mode, no action, Intrusion detection system mode

    Posted 02-17-2022 14:45
    Thanks Craig, got it.
    As I understand it, I can copy the policy, and in the newly created policy, make changes from action to no-action.
    I will test.

    ------------------------------
    Badma Butaev
    ------------------------------