Unsupported Options; Installing New Security Policies - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

Installing New Security Policies

500

Unsupported Options

Policy Validation can also identify unsupported options in your security policy. Because
different security devices and systems support different features and options, policy
validation checks each rule in the policy to ensure that the devices specified in the Install
On column of the rule support the Rule Options configured for that rule.
Some examples of unsupported option messages are included below:
"Permit/Tunnel" Rules from home zone to work zone are not allowed on a Dial 2 device
(except when NSRP Lite enabled).

NOTE: Because the "reject" firewall action is supported only by devices running
ScreenOS 5.1 and higher, when NSM installs this rule on a device running an earlier OS,
the action is automatically changed to "deny".

Schedule option is not supported on a vsys device.
For example, if you configure a firewall rule option (such as Antivirus protection or Deep
Inspection) that is not supported by the security device in the Install On column of the rule,
policy validation displays an information message that describes the unsupported feature.
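To make the checks above concrete, the following is an added example and not NSM's own code (the guide quotes the validation messages but does not show NSM's validator, data model or message format). It models a rule with its Install On device list and reproduces the three conditions quoted above, including the automatic change of "reject" to "deny" on devices running ScreenOS earlier than 5.1. The Device and Rule classes, the "Dial 2" model label, the "schedule" option key and the version-string format are assumptions made for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Device:
    """A managed security device (constructed model, not NSM's object schema)."""
    name: str
    os_version: str            # ScreenOS version string, e.g. "5.0" or "6.3r2"
    model: str = "generic"     # hypothetical model label; "Dial 2" triggers the zone check
    is_vsys: bool = False      # virtual system: the Schedule option is unsupported
    nsrp_lite: bool = False    # NSRP Lite enabled on this device


@dataclass
class Rule:
    """One firewall rule with its Install On device list and rule options."""
    rule_id: int
    action: str                # "permit", "deny", "reject" or "tunnel"
    from_zone: str
    to_zone: str
    install_on: list
    options: dict = field(default_factory=dict)   # e.g. {"schedule": "office-hours"}


def parse_version(version):
    """Return (major, minor) from a ScreenOS version string; release suffixes are ignored."""
    parts = re.findall(r"\d+", version)[:2]
    if len(parts) < 2:
        raise ValueError(f"unrecognised version string: {version!r}")
    return int(parts[0]), int(parts[1])


def effective_action(rule, device):
    """Action that would actually be installed: 'reject' becomes 'deny' below ScreenOS 5.1."""
    if rule.action == "reject" and parse_version(device.os_version) < (5, 1):
        return "deny"
    return rule.action


def validate_rule(rule):
    """Return the validation messages for one rule, checked against each Install On device."""
    messages = []
    for dev in rule.install_on:
        if effective_action(rule, dev) != rule.action:
            messages.append(
                f"Rule {rule.rule_id}: 'reject' not supported on {dev.name} "
                f"(ScreenOS {dev.os_version}); action will be installed as 'deny'")
        if "schedule" in rule.options and dev.is_vsys:
            messages.append(
                f"Rule {rule.rule_id}: Schedule option is not supported on vsys device {dev.name}")
        if (rule.action in ("permit", "tunnel") and rule.from_zone == "home"
                and rule.to_zone == "work" and dev.model == "Dial 2" and not dev.nsrp_lite):
            messages.append(
                f"Rule {rule.rule_id}: Permit/Tunnel from home zone to work zone "
                f"not allowed on Dial 2 device {dev.name} (NSRP Lite disabled)")
    return messages


def validate_policy(rules):
    """Validate every rule in the policy; messages come back in rule order."""
    messages = []
    for rule in rules:
        messages.extend(validate_rule(rule))
    return messages


def sample_policy():
    """Constructed devices and rules; each check fires exactly once."""
    old_fw = Device("fw-old", "5.0")
    new_fw = Device("fw-new", "6.3r2")
    vsys = Device("vsys-1", "6.3", is_vsys=True)
    dial = Device("dial-2", "5.4", model="Dial 2")
    dial_ha = Device("dial-2-ha", "5.4", model="Dial 2", nsrp_lite=True)
    return [
        Rule(1, "reject", "untrust", "trust", [old_fw, new_fw]),
        Rule(2, "permit", "trust", "untrust", [vsys, new_fw], {"schedule": "office-hours"}),
        Rule(3, "permit", "home", "work", [dial, dial_ha]),
        Rule(4, "deny", "untrust", "trust", [old_fw, vsys, dial]),
    ]


if __name__ == "__main__":
    for msg in validate_policy(sample_policy()):
        print(msg)
```

Running the sample produces one message for each of rules 1 to 3 and none for rule 4. Note that the reject-to-deny case is informational rather than a hard failure: the rule still installs, but with a different action than the one written in the policy, which is worth catching before the push rather than after.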
Before you install a new security policy, ensure that you have:

Assigned the policy to your devices—After you have created a security policy, you must
assign that policy to the devices you want to use that policy. Assigning a policy to a
device links the device to that policy, enabling NSM to install the policy on that device.

Selected the correct devices for the Install On column of each rule—A security device
can only use one security policy at a time; when you install a new policy, it overwrites
all existing policies on the security device.

Configured each device in the Install On column of each rule correctly—When you push
a policy to a device, you also push the device configuration to the device. Any changes
made (by you or another administrator) to the device configuration are pushed to the
device along with the policy.

Configured rules in each rulebase correctly—The management system installs rules
from all rulebases on the specified device. For information about rule installation and
rule execution sequence, see "Rule Execution Sequence" on page 429.

Configured the VPN rules or VPN links in the policy correctly—The management system
installs all VPN rules in the policy.

NSM does not validate VPN rules.

Additionally, to help you identify possible problems in your policy, you might want to run
a Delta Config Summary before pushing the policy.
During policy installation, NSM installs the rules in the policy on the security devices you
selected in the Install On column of each rule. The install process occurs between the
Copyright © 2010, Juniper Networks, Inc.
