SRX

  • 1.  SRX IDP policy exempt through firewall policy or through exempt rulebase

    Posted 03-09-2012 06:04

    Hi Experts

     

    I am inspecting the users zone to internal servers zone traffic through IDP policy for virus, worms etc. I want to exclude inspection for sharepoint server. Now I have two ways to do this:

     

    1- Make a specific firewall policy before the IDP enabled firewall policy from users zone to servers zone and just permit and not enable IPS

     

    2- I will make the exempt rulebase in the IDP policy for the sharepoint

     

    What is the preferred and optimal method to do so?

     

    Thanks



  • 2.  RE: SRX IDP policy exempt through firewall policy or through exempt rulebase

    Posted 03-09-2012 09:00

    Hi 

     

    It's more effective from a performance perspective to exclude traffic from IDP processing completely (with a firewall rule) than to process it in IDP and do exempts once the attack is found.



  • 3.  RE: SRX IDP policy exempt through firewall policy or through exempt rulebase

    Posted 03-09-2012 11:06

    So my question is: if we have the facility to exclude the IPS inspection through a firewall policy, then why is there a need for an exempt rulebase in IPS?

     

    Thanks



  • 4.  RE: SRX IDP policy exempt through firewall policy or through exempt rulebase
    Best Answer

    Posted 03-09-2012 11:34

    The exempt rulebase is mostly for fine-tuning your IDP policies. In particular, it allows you to remove false positives that happen frequently from the logs.

     

    For example, you see that between 1.1.1.1 and 2.2.2.2 an attack (say) HTTP directory traversal happens very often, and after investigation you decide that it is a false positive. You add the tuple

    1.1.1.1 - 2.2.2.2 - <This-attack-object>

    to the exempt database, and IDP does not catch these events anymore.



  • 5.  RE: SRX IDP policy exempt through firewall policy or through exempt rulebase

    Posted 03-09-2012 14:33

    Thanks. It makes sense 🙂
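
The two approaches discussed in this thread, side by side as Junos set commands. This is an added example, not configuration posted by any participant; the zone names `users` and `servers`, the policy and rule names, the IDP policy name `idp-users-servers`, the address-book entries (`sharepoint-srv`, `host-1.1.1.1`, `host-2.2.2.2`) and the attack-object placeholder are all assumptions and must already exist or be replaced with your own.

```junos
# --- Option 1 (post 2): keep SharePoint traffic out of IDP entirely ---------
# A permit policy WITHOUT "application-services idp". The flow is never
# handed to the IDP engine, so no inspection cost and no IDP logs for it.
set security policies from-zone users to-zone servers policy sharepoint-no-idp match source-address any
set security policies from-zone users to-zone servers policy sharepoint-no-idp match destination-address sharepoint-srv
set security policies from-zone users to-zone servers policy sharepoint-no-idp match application any
set security policies from-zone users to-zone servers policy sharepoint-no-idp then permit

# The existing catch-all policy that sends everything else to IDP.
set security policies from-zone users to-zone servers policy users-servers-idp match source-address any
set security policies from-zone users to-zone servers policy users-servers-idp match destination-address any
set security policies from-zone users to-zone servers policy users-servers-idp match application any
set security policies from-zone users to-zone servers policy users-servers-idp then permit application-services idp

# Security policies are first-match: the bypass must sit above the IDP policy,
# otherwise the catch-all matches first and the traffic is still inspected.
insert security policies from-zone users to-zone servers policy sharepoint-no-idp before policy users-servers-idp

# --- Option 2 (post 4): exempt one attack object for one host pair ----------
# Traffic is still inspected by the IPS rulebase; only this
# source / destination / attack tuple stops generating events.
set security idp idp-policy idp-users-servers rulebase-exempt rule fp-dir-traversal match from-zone users
set security idp idp-policy idp-users-servers rulebase-exempt rule fp-dir-traversal match source-address host-1.1.1.1
set security idp idp-policy idp-users-servers rulebase-exempt rule fp-dir-traversal match to-zone servers
set security idp idp-policy idp-users-servers rulebase-exempt rule fp-dir-traversal match destination-address host-2.2.2.2
# ATTACK-OBJECT-NAME is a placeholder: use the exact attack name shown in
# the IDP log entry that you investigated and judged a false positive.
set security idp idp-policy idp-users-servers rulebase-exempt rule fp-dir-traversal match attacks predefined-attacks ATTACK-OBJECT-NAME
```

Option 1 removes all IDP coverage for the SharePoint server, while option 2 keeps every other attack object active for the exempted host pair, so `show security policies from-zone users to-zone servers` is worth checking after commit to confirm the bypass policy is listed first and is no broader than intended.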