Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual page 499

Copyright © 2010, Juniper Networks, Inc.
To prevent employees from downloading large files during business hours, set the service
object to FTP, the Action to deny, and configure traffic shaping to limit bandwidth. Using
the Object Manager, create a schedule object called Business Day that describes the
time period of 9:00 AM to 7:00 PM, M-F, recurring weekly. Right-click the schedule column
in the rule and select the Business Day schedule object.
HA Session Backup
NetScreen-5XT and NetScreen-5GT security devices can disable active firewall rules
that permit traffic if the session switches over to the modem link. This feature is ON by
default.
ScreenOS 5.x and Later Options
For security devices running ScreenOS 5.x and later, you can configure additional rule
options.
Application—You can configure the security device to handle the service for the firewall
rule as a known Layer 4 protocol service. If you are using application relocation (using
a nonstandard port to handle an application service), enable this option to ensure that
the security device correctly checks traffic.
ID
The rule ID is a number that uniquely identifies a rule within the rulebase and security
policy. After you install a rule as part of a security policy on a security device, you can
view that rule by logging in locally to the device with the WebUI or CLI where the rule
appears as an individual policy. The individual policy on the device has the same ID as
the rule in the management system, which helps you keep track of which rules are on
which devices.
You can configure a rule ID for any zone-based firewall rule or VPN rule:
For new rules, NSM automatically assigns a unique ID to that rule. You can change this
ID, if desired, or leave the ID number.
For rules that are already installed on a device, NSM has already created a unique ID
for the rule. You can change this predefined ID, if desired, to an ID number, or leave the
ID set to "none", which preserves the autogenerated ID number.
NOTE: When the ID is set to "none", NSM uses a hashing algorithm on the source zone,
destination zone, source address, destination address, and service fields for the rule to
generate a unique ID.
For VPN rules that are automatically created by VPN Manager, NSM creates a unique
ID for each VPN rule. You can change this predefined ID, if desired, to an ID number, or
leave the predefined ID set to "none", which preserves the autogenerated ID number.
When you copy and paste a rule within a rulebase, NSM automatically creates a new
unique ID for the pasted rule.
You are not required to set an ID for a rule.
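The ID behaviour described above, modelled as an added example that is not NSM's own code: an explicit ID is used as given, an ID of "none" falls back to a value derived from the five hashed fields, a pasted rule receives a fresh unique ID, and rules are matched to installed device policies by ID. The hash function (SHA-256) and the sequential assignment of pasted IDs are assumptions; the page does not state NSM's actual algorithm.

```python
import hashlib
from dataclasses import dataclass

# Constructed model of the NSM rule-ID behaviour on this page. NSM's real
# hashing algorithm is not published here; SHA-256 over the five fields is
# an ASSUMPTION used only for illustration.

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str
    rule_id: str = "none"   # "none" keeps the autogenerated ID


def autogenerate_id(rule: Rule) -> int:
    """ID derived from the five fields NSM hashes when the ID is "none"."""
    key = "|".join([rule.src_zone, rule.dst_zone, rule.src_addr,
                    rule.dst_addr, rule.service]).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:4], "big")


def effective_id(rule: Rule) -> int:
    """An explicit ID wins; "none" falls back to the hash-derived ID."""
    return int(rule.rule_id) if rule.rule_id != "none" else autogenerate_id(rule)


def paste_rule(rule: Rule, existing_ids: set[int]) -> Rule:
    """Copy/paste: the pasted rule gets a new unique ID (sequential here, an assumption)."""
    new_id = max(existing_ids, default=0) + 1
    while new_id in existing_ids:
        new_id += 1
    return Rule(rule.src_zone, rule.dst_zone, rule.src_addr,
                rule.dst_addr, rule.service, str(new_id))


def audit(rules: list[Rule], device_policy_ids: set[int]) -> dict:
    """Match NSM rules to device policies by ID; report duplicates and drift."""
    seen: dict[int, Rule] = {}
    duplicates = []
    for r in rules:
        rid = effective_id(r)
        if rid in seen:
            duplicates.append(rid)   # same five fields, or same explicit ID
        seen[rid] = r
    return {
        "duplicates": duplicates,
        "missing_on_device": sorted(set(seen) - device_policy_ids),
        "unknown_on_device": sorted(device_policy_ids - set(seen)),
    }
```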
Chapter 9: Configuring Security Policies
449