Configuring User Roles For Idp Rules - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide
the address object that represents the host or server you want to protect from attacks
as the Destination IP.
To detect attacks between two networks, select multiple address objects for the Source
and Destination.
The more specific you are in defining the source and destination of an attack, the more
you reduce false positives.

Configuring User Roles for IDP Rules

You can use role-based IDP policy to define roles and related access privileges, and apply
an application policy to them that is effective regardless of where the user logs in.
Role-based access control facilitates a dynamic network and access to partners. This
feature is supported on the ISG1000 and ISG2000 gateways with SM devices running
ScreenOS 6.3 and later.
To support role-based IDP policy, you must select both Infranet Auth and IDP Enabled in
the Firewall Rule Options. When it receives a packet, the firewall verifies the role name
of the user against the list of user roles and user role groups provided before forwarding
the packet. You can configure either IP-based rules or role-based rules in an IDP policy
but not both. Role-based rules have higher precedence than IP-based rules. Therefore,
if roles have been specified for a session, the firewall first tries to match role-based rules
and then tries to match IP-based rules. If roles are not configured for a session, the firewall
searches for IP-based rules.
You can configure this feature by selecting Policy Manager > Policies. Select a device
policy and add an IDP rulebase. Right-click on the User Role column. You can then Select,
Filter, or Edit user roles. If you select user roles, the Select User Roles dialog box opens.
Select the device from the drop-down list in the Device field. Click the add icon (+)
to add either Selected User Roles or New User Roles; the corresponding option for groups
is New User Role Groups. You can enter a user role in the New User Define box and click
OK to create a new user role. The User Roles dialog box allows you to view all the created
user roles and add or remove them from the IDP policy. Similarly, you can create user role
groups in the Defined User Role Group dialog box, view them, and add or remove them
from the policy.
When you right-click on the User Roles column, you can also use the Filter and Edit options
provided. With the Filter option, you can choose to apply a filter (true or false, negate, or
ignore objects in group) to the user role values. The Edit option allows you to cut, copy,
or paste the user role name in the column.
After making your changes, save the policy, and then update the device. Ensure that the
device reflects the correct user role information.
The role-based access control feature has the following limitations:
The role names in IDP policy must match those of the Infranet Controller (IC).
Username-based IDP policy is not supported. The firewall must map either a source
IP or the username to a user role before it can forward a packet.
While the firewall supports 200 roles for one user, the IDP policy supports only 100
roles for each user.
Copyright © 2010, Juniper Networks, Inc.
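The rule-evaluation order described above (role-based rules first for a session that carries roles, IP-based rules otherwise) and two of the listed limitations (role names must match the Infranet Controller, and at most 100 roles per user in IDP policy), modelled as an added Python example. This is not Juniper's code or the NSM API; the Rule and Session structures, the sample policy and the IC role list are constructed and hypothetical.

```python
import ipaddress
from dataclasses import dataclass

MAX_IDP_ROLES_PER_USER = 100   # limit stated in the guide (the firewall itself allows 200)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    roles: frozenset = frozenset()   # empty => IP-based rule; non-empty => role-based rule
    src: str = "any"                 # CIDR or "any"
    dst: str = "any"

@dataclass(frozen=True)
class Session:
    src_ip: str
    dst_ip: str
    roles: frozenset = frozenset()   # roles the firewall mapped for this session via the IC

def _ip_match(ip, net):
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net, strict=False)

def match_rule(policy, session):
    """First match in the documented order: sessions with roles try role-based rules
    first, then IP-based rules; sessions without roles try IP-based rules only."""
    role_rules = [r for r in policy if r.roles]
    ip_rules = [r for r in policy if not r.roles]
    for rule in (role_rules + ip_rules) if session.roles else ip_rules:
        if rule.roles and not (rule.roles & session.roles):
            continue   # role-based rule, but none of the session's roles is named in it
        if _ip_match(session.src_ip, rule.src) and _ip_match(session.dst_ip, rule.dst):
            return rule
    return None

def unknown_roles(policy, ic_roles):
    """Role names in the policy that do not exist on the Infranet Controller (IC);
    such rules can never match because the names must be identical on both sides."""
    used = set()
    for rule in policy:
        used |= rule.roles
    return sorted(used - set(ic_roles))

def over_role_limit(session):
    """True when the session carries more roles than an IDP policy evaluates per user."""
    return len(session.roles) > MAX_IDP_ROLES_PER_USER

# Constructed sample policy and IC role list (hypothetical names, not from the guide).
POLICY = [
    Rule("contractor-to-db", "drop", roles=frozenset({"contractor"}), dst="10.0.5.0/24"),
    Rule("lan-to-db", "none", src="10.0.0.0/16", dst="10.0.5.0/24"),
]
IC_ROLES = {"employee", "contractor"}
```

A session whose roles match no role-based rule falls through to the IP-based rules, which is the case to check when a role-based policy appears not to fire.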