Hello team,
I have an issue related to this.
I am trying to make an IDP rule to inspect a few customized patterns which have to be permitted, and then drop anything else.
I have created a first rulebase which matches correctly and has "no action", and then a second rulebase which denies everything.
The problem is that traffic is being dropped because of the most severe action.
I have seen this post and thought I could make a terminal rulebase, but I guess that way won't deny any traffic.
This is an example:
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" description "Whitelist: Permitted ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-1000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" match attacks custom-attacks VOIP:SIP:HEADER-2000
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then action recommended
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Whitelist: Permitted ranges" terminal
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" description "Blacklist: Denied ranges"
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match application default
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" match attacks custom-attacks VOIP:SIP:RANGE-ANY
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then action drop-packet
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then notification log-attacks
set security idp idp-policy IPS_SIP rulebase-ips rule "Blacklist: Denied ranges" then severity info
I need some help.