Policies; Addresses; Services - Juniper ISG 2000 User Manual

Policies

By default, the ISG 2000 does not allow any traffic between zones. To permit traffic
to cross the firewall, you must create a policy that specifically permits one or more
services to pass from hosts in one zone to hosts in another zone. Because the ISG
2000 performs stateful inspection, you do not need to define a policy to permit
return traffic. The ISG 2000 maintains a session table that matches responses to
requests and thereby determines whether traffic arriving at a particular interface
belongs to an existing session.
The command syntax for the core elements of a policy is as follows:
set policy from src_zone to dst_zone src_addr dst_addr service { permit | deny |
reject | tunnel }
The action applies to traffic that matches the policy: permit forwards it, deny drops
it silently, reject drops it and notifies the source (a TCP RST for TCP, an ICMP port
unreachable message for UDP), and tunnel passes it through a VPN tunnel. Policies
for a zone pair are checked in order and the first match wins; traffic that matches
no policy is dropped.
NOTE:
For a complete explanation of all the elements that you can use when creating a
policy, see the chapter on policies in the Fundamentals volume of the NetScreen
Concepts & Examples ScreenOS Reference Guide.

Addresses

You can use the predefined address "any" to indicate all hosts in a particular
zone, either the source or destination zone. To use a more restrictive source or
destination address, you must define one, using the following command:
set address zone name { ip_addr/netmask | [ host. ] domainname }
For example:
set address dmz web1 1.2.2.2/32
or
set address dmz web1 www.jnpr.net
An address belongs to the zone in which you define it, and a policy can only
reference addresses that belong to its source and destination zones. An address
defined by domain name is resolved through the DNS servers configured on the
device, so the policy matches whatever that name currently resolves to; the DNS
path is then part of the trust boundary for that policy.
You can also put a set of addresses together to form a group. Use the following
command, repeating it with the same group name for each member:
set group address zone name add name_str
NOTE:
For information about creating and grouping addresses, see the section on
addresses in the NetScreen Concepts & Examples ScreenOS Reference Guide.

Services

There are over 100 predefined services that you can use when creating policies. You
can use the predefined service "any" to indicate any type of traffic. You can group
services together to apply a policy to all the services in that group. Also, you can
create custom services.
To create a service group, use the following command, repeating it with the same
group name and different service names:
set group service name add service
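A complete worked configuration that ties the three sections above together (addresses, an address group, a custom service, a service group, and the policies that reference them), as an added example that is not part of the manual. The zone names are the ScreenOS defaults (Trust, Untrust, DMZ); the hosts, IP addresses, group names and the custom TCP 8443 management service are assumptions chosen for illustration. Lines beginning with # are annotations for the reader, not ScreenOS commands.

```screenos
# Added example, not from the manual. All names and addresses are assumptions.

# 1. Addresses. Each address belongs to exactly one zone.
set address "DMZ" "web1" 10.1.2.10/32
set address "DMZ" "web2" 10.1.2.11/32
set address "Trust" "admin-host" 192.168.10.5/32

# 2. Address group, so one policy can cover both web servers.
set group address "DMZ" "web-servers" add "web1"
set group address "DMZ" "web-servers" add "web2"

# 3. Custom service: the management listener on TCP 8443 (any source port).
set service "mgmt-8443" protocol tcp src-port 0-65535 dst-port 8443-8443

# 4. Service group: everything the admin host may reach on the web servers.
set group service "web-mgmt" add "SSH"
set group service "web-mgmt" add "mgmt-8443"

# 5. Policies. No policy is written for the reply direction; the session
#    table matches responses to the permitted requests.
#    Internet -> DMZ web servers: only HTTP and HTTPS, logged.
set policy from "Untrust" to "DMZ" "Any" "web-servers" "HTTP" permit log
set policy from "Untrust" to "DMZ" "Any" "web-servers" "HTTPS" permit log
#    Admin host -> web servers: the management services, logged.
set policy from "Trust" to "DMZ" "admin-host" "web-servers" "web-mgmt" permit log
#    Anything else from the Internet into the DMZ: drop, but log the attempt.
#    This is what the firewall does anyway; the explicit policy makes the
#    intent visible in the policy list and produces a log entry.
set policy from "Untrust" to "DMZ" "Any" "Any" "ANY" deny log

# 6. Checks: confirm the policy order (first match wins) and that the
#    default-permit-all escape hatch is not enabled, then watch sessions
#    while a client connects to a web server.
get policy
get config | include default-permit
get session
```

The explicit deny at the end of the Untrust-to-DMZ list changes nothing about what is forwarded, but it turns silent drops into logged events, which is what you want while verifying that a new policy set is no more permissive than intended. If `get config` shows `set policy default-permit-all`, the device forwards traffic that matches no policy and the default-deny behaviour described above no longer holds; clear it with `unset policy default-permit-all`.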
