Validating Security Policies - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide

Validating Security Policies

498
After you have created a security policy, you must assign that policy to a device. Assigning
a policy to a device links the device to that policy, enabling NSM to install the policy on
that device. To assign an existing policy to a device, use one of the following methods:
• Right-click a device and select Policy > Assign Policy. Select the policy you want to
assign to the device.
• Double-click a device to open the device configuration. In the Info tab, under Policy for
device, select the policy you want to assign to the device.
You can use a single security policy to control multiple security devices. Each rule in a
security policy contains an Install On column that specifies the devices the rule is applied
to. This means that you can assign a security policy to a device, but only some of the
rules in that policy are actually installed on that device during a device update.
You can also create multiple policies for a single device, but only one security policy can
be active on the device. When you update a device configuration, NSM installs the active
policy on the security device. By default, NSM considers the active policy to be the policy
that was most recently edited.
NOTE: If you delete and then re-import a device, you must reassign a policy to the
device.
You should validate a security policy to identify potential problems before you install it.
NSM contains a Policy Validation tool to help you locate common problems, such as:
• Rule Duplication—Occurs when one or more rules in the security policy are identical.
For more information, see "Rule Duplication" on page 499.
• Zone Mismatch—Occurs when the source or destination zone you have chosen in a
rule is not available on the device you selected in the Install column.
• Rule Shadowing—Occurs when a strict rule has no effect on traffic because it follows
a broader rule. For more information, see "Rule Shadowing" on page 499.
• Unsupported Options—Occurs when a device in the Install column of a rule does not
support a specific rule option configured for the rule. For details, see "Unsupported
Options" on page 500.
To use the Policy Validation tool to validate a security policy, you must first assign the
security policy to a device. Then, to validate the policy, from the menu bar click Devices >
Policy > Validate Policy. A Job Manager window displays job information and progress.
Policy validation analyzes each rule's source and destination addresses, its to and from
zones, and its service. If NSM identifies any problems in the policy during policy
validation, it displays information about the problem at the bottom of the selected
rulebase.
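The following is an added illustration, not NSM code, of how the three checks described above (Rule Duplication, Zone Mismatch and Rule Shadowing) can be derived from a rule's addresses, zones, service and Install On devices; the device names, zone inventory and rules are constructed sample data, and the Unsupported Options check is not modelled.

```python
from dataclasses import dataclass

ANY = "Any"

@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    src: str           # source address object, or "Any"
    dst: str           # destination address object, or "Any"
    service: str       # service object, or "Any"
    install_on: tuple  # devices listed in the rule's Install On column

# Constructed sample inventory: which zones each (hypothetical) device actually has
DEVICE_ZONES = {
    "fw-hq": {"Trust", "Untrust", "DMZ"},
    "fw-branch": {"Trust", "Untrust"},
}

MATCH_FIELDS = ("from_zone", "to_zone", "src", "dst", "service")

def covers(broad, narrow):
    """True when every match field of 'broad' is Any or equals the field of 'narrow'."""
    return all(getattr(broad, f) in (ANY, getattr(narrow, f)) for f in MATCH_FIELDS)

def validate(rules):
    """Return (problem, rule name, detail) findings in rulebase order."""
    findings = []
    for i, rule in enumerate(rules):
        # Zone Mismatch: the rule names a zone that a target device does not have
        for dev in rule.install_on:
            wanted = {z for z in (rule.from_zone, rule.to_zone) if z != ANY}
            missing = wanted - DEVICE_ZONES.get(dev, set())
            if missing:
                findings.append(("Zone Mismatch", rule.name, f"{dev} lacks {sorted(missing)}"))
        # Compare only against earlier rules installed on at least one common device
        for earlier in rules[:i]:
            if not set(earlier.install_on) & set(rule.install_on):
                continue
            if covers(earlier, rule) and covers(rule, earlier):
                findings.append(("Rule Duplication", rule.name, f"identical to {earlier.name}"))
            elif covers(earlier, rule):
                # Rule Shadowing: a stricter rule after a broader one never sees traffic
                findings.append(("Rule Shadowing", rule.name, f"shadowed by broader {earlier.name}"))
    return findings

# Constructed sample rulebase exercising each check
SAMPLE_RULES = [
    Rule("r1", "Trust", "Untrust", ANY, ANY, ANY, ("fw-hq", "fw-branch")),
    Rule("r2", "Trust", "Untrust", ANY, "web-srv", "HTTP", ("fw-hq",)),
    Rule("r3", "Trust", "DMZ", ANY, "db-srv", "MySQL", ("fw-branch",)),
    Rule("r4", "Trust", "Untrust", ANY, ANY, ANY, ("fw-hq",)),
]
```

Running `validate(SAMPLE_RULES)` reports r2 as shadowed by r1, r3 as a zone mismatch on fw-branch, and r4 as a duplicate of r1.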
Copyright © 2010, Juniper Networks, Inc.
