Validating A Security Policy (Nsm Procedure); Troubleshooting Security Policy Validation Errors (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING INTRUSION DETECTION PREVENTION DEVICES GUIDE REV 01 Manual

Configuring Intrusion Detection and Prevention Devices Guide

Validating a Security Policy (NSM Procedure)

Validating a security policy can identify potential problems before you install it.

To validate a security policy:

1. In the navigation tree, select Device Manager. The Device Manager appears.
2. Select Validate > Validate IDP Policy and select the device. A Job Manager window displays job information and progress.
3. Click OK.

For more information, see either the IDP Concepts & Examples Guide or the Network and Security Manager Administration Guide.

Related Documentation

Intrusion Detection and Prevention Devices and Security Policies Overview on page 31
Assigning a Security Policy in an Intrusion Detection and Prevention Device (NSM Procedure) on page 119
Troubleshooting Security Policy Validation Errors (NSM Procedure) on page 120

Troubleshooting Security Policy Validation Errors (NSM Procedure)

Problem

If NSM identifies a problem in the policy during policy validation, it displays information about the problem at the bottom of the selected rulebase. For example, if you included a non-IDP capable security device in the Install On column of an IDP rule, policy validation displays an error message. You can validate those errors and troubleshoot them.

Table 52 on page 120 describes security policy validation errors and how to resolve them.

Table 52: Troubleshooting: Security Policy Validation Errors

Error: Rule Duplication
Description: Rule appears more than once.
To resolve this problem, delete the duplicate.

Error: Rule Shadowing
Description: Rule shadowing occurs when two rules are designed to detect the same attack, and the first rule is either a terminal match rule or contains a more severe action than the second rule. In these cases, the second rule will never be applied.
To resolve this problem, modify or delete one of the rules.

Error: Protocol Mismatches
Description: Protocol mismatches occur when a service object that is specified in the Service column of the security policy uses a different protocol from that specified by the default service binding of the attack object for that rule. Remember that the service binding specifies the service and port that the attack uses. Because two different protocols are specified, IDP cannot match attacks for the attack object.
To resolve this problem, set Service to Default.
Copyright © 2010, Juniper Networks, Inc.
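The three conditions in Table 52 (rule duplication, rule shadowing, protocol mismatch) are checks an engineer can also run against a rulebase export before pushing it to a device. The following Python script is an added illustration written for this page; it is not NSM code, and it uses a simplified model of an IDP rule (source, destination, service, attack objects, action, terminal flag) with a constructed action-severity ranking and constructed attack-object names, since the page does not state NSM's internal ordering of actions.

```python
"""Toy linter for the three IDP policy validation errors in Table 52.

Added illustration only: a simplified model of an NSM IDP rulebase, not NSM's
own validator. Action severity ranking and sample names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: relative severity of actions (NSM's real ordering is not on this page).
ACTION_SEVERITY: Dict[str, int] = {
    "none": 0,
    "drop-packet": 1,
    "drop-connection": 2,
    "close-client-and-server": 3,
}

Error = Tuple[int, str, str]  # (rule number, error kind, detail)


@dataclass(frozen=True)
class AttackObject:
    name: str
    default_service_binding: str  # "protocol/port", e.g. "tcp/80"


@dataclass(frozen=True)
class Rule:
    number: int
    source: str
    destination: str
    service: str                  # "default" or a service object such as "tcp/80"
    attacks: Tuple[str, ...]      # attack object names
    action: str
    terminal: bool = False


def _protocol(binding: str) -> str:
    """Protocol part of a 'protocol/port' service binding."""
    return binding.split("/", 1)[0].lower()


def _rule_key(rule: Rule):
    """Everything that makes two rules identical for duplication purposes."""
    return (rule.source, rule.destination, rule.service,
            frozenset(rule.attacks), rule.action, rule.terminal)


def find_duplicates(rules: List[Rule]) -> List[Error]:
    """Rule Duplication: the same rule appears more than once."""
    seen: Dict[tuple, int] = {}
    errors: List[Error] = []
    for r in rules:
        key = _rule_key(r)
        if key in seen:
            errors.append((r.number, "Rule Duplication", f"duplicates rule {seen[key]}; delete it"))
        else:
            seen[key] = r.number
    return errors


def find_shadowing(rules: List[Rule]) -> List[Error]:
    """Rule Shadowing: an earlier rule for the same attack on the same traffic is
    terminal or carries a more severe action, so the later rule never applies."""
    errors: List[Error] = []
    for i, first in enumerate(rules):
        for second in rules[i + 1:]:
            same_traffic = (first.source == second.source
                            and first.destination == second.destination)
            shared_attacks = set(first.attacks) & set(second.attacks)
            if not (same_traffic and shared_attacks):
                continue
            if first.terminal or ACTION_SEVERITY[first.action] > ACTION_SEVERITY[second.action]:
                errors.append((second.number, "Rule Shadowing",
                               f"never applied, shadowed by rule {first.number}"))
    return errors


def find_protocol_mismatches(rules: List[Rule], attack_objects: Dict[str, AttackObject]) -> List[Error]:
    """Protocol Mismatch: an explicit service object uses a different protocol
    from the attack object's default service binding."""
    errors: List[Error] = []
    for r in rules:
        if r.service == "default":   # default service binding can never mismatch
            continue
        for name in r.attacks:
            binding = attack_objects[name].default_service_binding
            if _protocol(binding) != _protocol(r.service):
                errors.append((r.number, "Protocol Mismatch",
                               f"service {r.service} vs {name} binding {binding}; set Service to Default"))
    return errors


def validate_policy(rules: List[Rule], attack_objects: Dict[str, AttackObject]) -> List[Error]:
    return (find_duplicates(rules) + find_shadowing(rules)
            + find_protocol_mismatches(rules, attack_objects))


# Constructed sample data: attack object names and rules are made up for this example.
ATTACK_OBJECTS = {
    "HTTP:EXAMPLE-ATTACK": AttackObject("HTTP:EXAMPLE-ATTACK", "tcp/80"),
    "DNS:EXAMPLE-ATTACK": AttackObject("DNS:EXAMPLE-ATTACK", "udp/53"),
}
SAMPLE_RULES = [
    Rule(1, "any", "web-servers", "default", ("HTTP:EXAMPLE-ATTACK",), "drop-connection", terminal=True),
    Rule(2, "any", "web-servers", "default", ("HTTP:EXAMPLE-ATTACK",), "none"),        # shadowed by rule 1
    Rule(3, "any", "dns-servers", "tcp/53", ("DNS:EXAMPLE-ATTACK",), "drop-packet"),   # tcp vs udp binding
    Rule(4, "any", "dns-servers", "tcp/53", ("DNS:EXAMPLE-ATTACK",), "drop-packet"),   # duplicate of rule 3
]

if __name__ == "__main__":
    for number, kind, detail in validate_policy(SAMPLE_RULES, ATTACK_OBJECTS):
        print(f"rule {number}: {kind}: {detail}")
```

Running the script against the constructed rulebase reports rule 2 as shadowed by the terminal rule 1, rules 3 and 4 as protocol mismatches (a tcp service object against a udp attack binding), and rule 4 as a duplicate of rule 3, which mirrors the resolutions in Table 52: delete the duplicate, modify or delete one of the shadowing pair, and set Service to Default.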
