Vpn Links And Rules - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Copyright © 2010, Juniper Networks, Inc.
want to create a separate security policy per device when the management system contains separate administrators with regional responsibilities, or when you need to troubleshoot a device issue (use one security policy per device to enable an administrator to troubleshoot on one device without making policy changes on other devices).

A firewall rule must contain the following elements:

Direction—The direction that the traffic flows between two zones; all traffic flows from a source zone to a destination zone. You can select any zone for source or destination; however, the zones must be valid for the security devices you select in the Install On column of the rule. You can also use zone exceptions to specify unique to and from zones for each device.

Source address—The address that initiates the traffic.

Destination address—The address that receives the traffic.

Service—The application-level protocol that the traffic uses to transmit data.

Action—The action the device performs when it receives traffic that matches the direction, source, destination, and service specified in the rule.

Install On—The device on which the firewall rule is installed. You can install the same rule on multiple devices.

To begin configuring firewall rules for your managed devices, see "Configuring Firewall Rules" on page 438.

VPN Links and Rules

The rules for your rule-based VPNs appear in the Zone rulebase.

Use VPN Links for VPNs created in VPN Manager—By default, VPN Manager autogenerated rules are implicitly executed as the first rule in the Zone rulebase, even though they do not appear there. Because VPN Manager autogenerates the access rules for the VPN, you do not need to create them manually in the rulebase. However, to specify the exact location of the autogenerated rules in your rulebase, you can add a VPN link anywhere in the Zone rulebase.

Use VPN Rules for VPNs created manually—If you did not use VPN Manager to create a rule-based VPN, you must manually add the VPN rules to create the VPN tunnel. You can place VPN rules anywhere in the Zone rulebase.

Because route-based VPNs are an always-on connection between two or more termination points, you do not need VPN rules to create the route-based VPN tunnel. However, you might want to create access rules to control the flow of traffic in a route-based VPN tunnel.

NOTE: VPN rules are not validated by rule validation. Only firewall rules are validated by rule validation.
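The first-match ordering described above (VPN Manager autogenerated rules run implicitly first, or at the position of a VPN link), together with the rule elements listed earlier, modelled as an added Python example; this is not code from the guide or from NSM. Device, zone, address and service names are constructed, address and service matching is simplified to exact-or-Any, and the default deny at the end of the rulebase is an assumption.

```python
from dataclasses import dataclass

ANY = "Any"
VPN_LINK = "VPN_LINK"  # marker entry: where VPN Manager autogenerated rules are spliced in

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str   # direction: traffic flows from_zone -> to_zone
    to_zone: str
    src: str         # address object name, or ANY
    dst: str
    service: str     # service object name, or ANY
    action: str      # "permit", "deny" or "tunnel"
    install_on: frozenset  # Install On: devices the rule is installed on

def effective_rulebase(zone_rulebase, vpn_rules):
    """Autogenerated VPN rules run implicitly first unless a VPN link entry
    pins them to an explicit position in the Zone rulebase."""
    if VPN_LINK not in zone_rulebase:
        return list(vpn_rules) + list(zone_rulebase)
    ordered = []
    for entry in zone_rulebase:
        ordered.extend(vpn_rules if entry == VPN_LINK else [entry])
    return ordered

def matches(rule, flow, device):
    """A rule applies only on its Install On devices and only when direction,
    source, destination and service all match (simplified exact/Any matching)."""
    return (device in rule.install_on
            and rule.from_zone == flow["from_zone"] and rule.to_zone == flow["to_zone"]
            and rule.src in (ANY, flow["src"]) and rule.dst in (ANY, flow["dst"])
            and rule.service in (ANY, flow["service"]))

def first_match(zone_rulebase, vpn_rules, flow, device):
    """First-match lookup returning (rule name, action); default deny is an assumption."""
    for rule in effective_rulebase(zone_rulebase, vpn_rules):
        if matches(rule, flow, device):
            return rule.name, rule.action
    return None, "deny"

# Constructed sample data: device, zone, address and service names are made up.
BOTH = frozenset({"fw-east", "fw-west"})
VPN_MANAGER_RULES = [Rule("vpn-auto", "Trust", "Untrust", ANY, ANY, ANY, "tunnel", frozenset({"fw-east"}))]
ZONE_RULEBASE = [Rule("block-telnet", "Trust", "Untrust", ANY, ANY, "TELNET", "deny", BOTH),
                 VPN_LINK,  # pins vpn-auto below block-telnet and above permit-web
                 Rule("permit-web", "Trust", "Untrust", ANY, ANY, "HTTP", "permit", BOTH)]
NO_LINK = [r for r in ZONE_RULEBASE if isinstance(r, Rule)]  # same rulebase without the VPN link
TELNET = {"from_zone": "Trust", "to_zone": "Untrust", "src": "host-a", "dst": "host-b", "service": "TELNET"}
```

Comparing `first_match(ZONE_RULEBASE, ...)` with `first_match(NO_LINK, ...)` for the same Telnet flow on fw-east shows the point of a VPN link: with the link the deny rule placed above it wins, without it the autogenerated tunnel rule silently matches first.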
Chapter 9: Configuring Security Policies
431
