NIPS V5.6R10 Policy Matching Mechanism


February 3, 2023 | NSFOCUS

The NIPS policy matching mechanism is blocking first. That is, a packet is matched against all policies, and if any matched policy has its action set to block, the packet is blocked, whatever other policies it also matched.

When configuring IPS policies, it is recommended that they do not overlap: security zones should not overlap, and address objects should not intersect. If policies overlap, a packet may match two policies at once and, because blocking takes precedence, the intended permit action never takes effect. The following shows several common configuration errors and how to correct them.

1. Configure an IP address whitelist whose action is set to permit, and block packets from all remaining IP addresses.

Problem description:

Policy 2 is configured to permit packets from the whitelisted IP segment, and policy 1 is configured to block packets from the remaining IP addresses. However, it turns out that all IP addresses, the whitelisted ones included, are matched against policy 1: the address object in policy 1 also covers the whitelisted segment, so whitelisted packets match both policies, and the block action of policy 1 wins.

Solution:

Invert the IP segment in policy 1 so that it matches every address except the whitelisted segment, as shown in the figure below. The two address objects then no longer intersect: whitelisted packets match only policy 2 (permit) and all other packets match only policy 1 (block), which achieves the whitelist effect.

2. A specific rule generates false positives, so a whitelist is configured to let packets from specified IP addresses pass.

Problem description:

A policy is configured so that IP addresses in the whitelist are not matched against rule 10000. However, IP addresses in the whitelist are still matched against rule 10000: a permit policy cannot override the block action of another policy that the same packets also match.

Solution:

Instead of a permit policy, add an exception rule for rule 10000 as follows:

(1) Choose Object > Rule > Exception Rule, and click New.

(2) Configure the exception rule, click OK, and then click Apply Settings to save the settings.

Description

  • Rule ID: ID of the exception rule. It must be the same as the ID of the intrusion prevention rule to be exempted (10000 in this example).
  • Source IP: Source IP address or IP segment covered by this exception rule. Only packets from this source IP address or IP segment are exempted from the rule and allowed to pass.
  • Destination IP: Destination IP address or IP segment covered by this exception rule. Only packets to this destination IP address or IP segment are exempted from the rule and allowed to pass.

3. When whitelisting more than one IP segment, add all the segments to a group address object and invert the group, rather than inverting a single IP segment.

Note that when multiple intrusion prevention policies are configured on the IPS, if their security zones overlap, their address objects must not intersect.
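The following Python model is an added illustration of the block-first behaviour described in the introduction and of the three cases above; it is example code written for this page, not NSFOCUS code. The data model (address objects with an inverted flag, policies with a source object and an action, exception rules keyed by rule ID), the evaluation order in which an exception rule is checked before the policies, and every address, policy name and rule number are assumptions constructed for the example. The find_overlaps function is a hypothetical check for the "address objects must not intersect" condition in the note above.

```python
"""Block-first policy matching, modelled after the behaviour described on this page.

Added example, not NSFOCUS code. The data model, the order in which exception
rules and policies are evaluated, and all addresses, names and rule IDs below
are assumptions constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
WHITELIST = ipaddress.ip_network("10.1.2.0/24")   # constructed whitelist segment


@dataclass
class AddressObject:
    """One or more IP segments; inverted=True matches every address NOT listed."""
    networks: List[ipaddress.IPv4Network]
    inverted: bool = False

    def matches(self, ip: ipaddress.IPv4Address) -> bool:
        hit = any(ip in n for n in self.networks)
        return (not hit) if self.inverted else hit

    def expand(self) -> List[ipaddress.IPv4Network]:
        """Explicit list of networks the object covers, with inversion resolved."""
        if not self.inverted:
            return list(self.networks)
        covered = [ANY]
        for n in self.networks:              # carve each listed segment out of 0.0.0.0/0
            nxt = []
            for cur in covered:
                if n.subnet_of(cur):
                    nxt.extend(cur.address_exclude(n))
                elif not cur.subnet_of(n):   # disjoint: keep; cur inside n: drop
                    nxt.append(cur)
            covered = nxt
        return covered


@dataclass
class Policy:
    name: str
    source: AddressObject
    action: str          # "block" or "permit"


@dataclass
class ExceptionRule:
    rule_id: int         # must equal the ID of the intrusion prevention rule
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def decide(policies: Sequence[Policy], src_ip: str, dst_ip: str = "198.51.100.80",
           rule_id: Optional[int] = None,
           exceptions: Sequence[ExceptionRule] = ()) -> Tuple[str, List[str]]:
    """Return (verdict, names of what matched) under block-first semantics.

    Assumption: an exception rule for the triggered rule ID whose src and dst
    both cover the packet exempts it from that rule before policies are consulted.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in exceptions:
        if e.rule_id == rule_id and src in e.src and dst in e.dst:
            return "permit", ["exception:%d" % rule_id]
    matched = [p for p in policies if p.source.matches(src)]
    verdict = "block" if any(p.action == "block" for p in matched) else "permit"
    return verdict, [p.name for p in matched]


def find_overlaps(policies: Sequence[Policy]) -> List[Tuple[str, str]]:
    """Pairs of policies whose source address objects intersect (the misconfiguration to avoid)."""
    pairs = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if any(x.overlaps(y) for x in a.source.expand() for y in b.source.expand()):
                pairs.append((a.name, b.name))
    return pairs


# Case 1, as configured: policy 2 permits the whitelist, policy 1 blocks "any".
WRONG = [Policy("policy1", AddressObject([ANY]), "block"),
         Policy("policy2", AddressObject([WHITELIST]), "permit")]

# Case 1, corrected: policy 1 uses the inverted whitelist, so the two no longer overlap.
FIXED = [Policy("policy1", AddressObject([WHITELIST], inverted=True), "block"),
         Policy("policy2", AddressObject([WHITELIST]), "permit")]

# Case 3: several whitelisted segments go into one group object, and the group is inverted.
GROUP = [WHITELIST, ipaddress.ip_network("10.1.3.0/24")]
GROUPED = [Policy("policy1", AddressObject(GROUP, inverted=True), "block"),
           Policy("policy2", AddressObject(GROUP), "permit")]

# Case 2: the whitelist policy cannot stop rule 10000 (block-first); an exception rule can.
EXCEPTIONS = [ExceptionRule(10000, WHITELIST, ANY)]

if __name__ == "__main__":
    print(decide(WRONG, "10.1.2.5"))                                        # ('block', ['policy1', 'policy2'])
    print(find_overlaps(WRONG), find_overlaps(FIXED))                       # [('policy1', 'policy2')] []
    print(decide(FIXED, "10.1.2.5"), decide(FIXED, "192.0.2.7"))            # permit / block
    print(decide(WRONG, "10.1.2.5", rule_id=10000))                         # blocked despite policy2
    print(decide(WRONG, "10.1.2.5", rule_id=10000, exceptions=EXCEPTIONS))  # permit via exception
    print(decide(WRONG, "10.1.2.5", rule_id=10001, exceptions=EXCEPTIONS))  # other rules still block
    print([decide(GROUPED, ip)[0] for ip in ("10.1.2.5", "10.1.3.9", "10.1.4.1")])
```

Running the script shows the failure mode and its fix side by side: with the overlapping configuration the whitelisted address matches both policies and is blocked, find_overlaps flags the pair, and after inverting the address object (or the group object for several segments) each packet matches exactly one policy. For the false-positive case, the exception rule exempts whitelisted sources from rule 10000 only, while any other rule still blocks them.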