Copyright © 2010, Juniper Networks, Inc.

management system and your managed devices. First, the GUI Server creates the ADM file that contains all policies for all devices selected for update (although the ADM file collects information from all policies, it does not merge the policies). The GUI Server sends the ADM to the Device Server. Next, the NSM Device Server receives the ADM and uses it to create a separate, individual DM for each device that you selected for update:

For 5.0 and later devices, the Device Server sends the DM to the managed device, which translates the information in the DM into commands and runs those commands on the device.

Configuring IDP Policy Push Timeout

IDP policies, because they can contain a large number of attack objects, may take a long time to upload and compile. The default timeout for an IDP policy push is 40 minutes, but you can set it higher if your policy uploads are timing out. Usually, this only occurs the first time a policy is pushed to a newly deployed Sensor.

To set the timeout to a higher value, edit the following file:

/usr/netscreen/DevSvr/var/devSvr.cfg

Change the following setting:

devSvrDirectiveHandler.idpPolicyPush.timeout 2400000

The setting is measured in milliseconds (thousandths of a second), so 2400000 milliseconds is equal to 40 minutes.
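As an added example that is not part of the Juniper guide, the POSIX shell helper below reads the timeout key from devSvr.cfg, converts the millisecond value to minutes, and raises it from a minute count while keeping a backup copy. It assumes the file holds one whitespace-separated key and value per line, as the setting shown above does; the CFG override, the demo function and its sample file content are this example's own.

```shell
#!/bin/sh
# Added example, not from the Juniper guide: inspect and raise the IDP policy
# push timeout in devSvr.cfg. Values are milliseconds, as the guide states.
# CFG defaults to the path from the guide; override it (CFG=...) to test safely.
CFG="${CFG:-/usr/netscreen/DevSvr/var/devSvr.cfg}"
KEY="devSvrDirectiveHandler.idpPolicyPush.timeout"

# Print the current timeout in milliseconds (prints nothing if the key is absent).
idp_timeout_ms() {
    awk -v k="$KEY" '$1 == k { print $2 }' "$CFG"
}

# Convert milliseconds to whole minutes (2400000 -> 40).
ms_to_min() {
    echo $(( $1 / 60000 ))
}

# Set the timeout from a minute count. Rejects anything but a positive integer,
# keeps a .bak copy, then rewrites the key in place or appends it if missing.
set_idp_timeout_min() {
    case "$1" in
        ''|0|*[!0-9]*) echo "minutes must be a positive integer" >&2; return 1 ;;
    esac
    ms=$(( $1 * 60000 ))
    cp "$CFG" "$CFG.bak" || return 1
    awk -v k="$KEY" -v v="$ms" \
        '$1 == k { print k, v; found = 1; next } { print } END { if (!found) print k, v }' \
        "$CFG" > "$CFG.tmp" && mv "$CFG.tmp" "$CFG"
}

# Demo on a constructed sample file (not a real devSvr.cfg): run as "sh script.sh demo".
demo() {
    CFG=$(mktemp)
    printf '%s\n' "$KEY 2400000" 'other.setting 1' > "$CFG"
    echo "before: $(idp_timeout_ms) ms = $(ms_to_min "$(idp_timeout_ms)") min"
    set_idp_timeout_min 60
    echo "after:  $(idp_timeout_ms) ms = $(ms_to_min "$(idp_timeout_ms)") min"
    rm -f "$CFG" "$CFG.bak"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```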
Updating Existing Security Policies

To install a new or modified policy on a managed device, from the toolbar, select Devices > Configuration > Update Device Config. If you changed the device configuration or the assigned policy for a device, that device is automatically selected. Unselect any devices you do not want to update.

You can also enable session rematch for policy installations on managed devices running ScreenOS 5.1 and later. Session rematch enables NSM to preserve the existing sessions that are being tracked by the installed security policy during the policy update procedure. At the end of the update, NSM restores all valid sessions on the managed device and deletes all invalid sessions (a session is considered valid when the From Zone, Source, To Zone, Destination, and Service of the traffic are the same before and after the new policy installation).

You enable session rematch when you update devices (from the menu bar, select Devices > Configuration > Update Device Config). To enable session rematch from the Update Devices dialog box, select Options, then select "Rematch, session treatment when modifying a policy rule", then click OK.
Chapter 9: Configuring Security Policies