Merging Policies - Juniper NETWORK AND SECURITY MANAGER 2010.2 - ADMINISTRATION GUIDE REV1 Administration Manual

Merging Policies

Copyright © 2010, Juniper Networks, Inc.
If you made changes to the device's policies using the WebUI or CLI, NSM creates a new
security policy when you reimport the device.
You must manually reassign a policy to a reimported device. For example, if you reimport
a previously managed security device, you might want to first merge the imported policy
with a more comprehensive policy, then assign the comprehensive policy to the device.
NOTE: Importing the running configuration from a device completely overwrites all
configuration information stored within NSM for that device. To help avoid accidental
configuration overwriting, when you attempt to import a configuration from a currently
managed security device, NSM prompts you for confirmation.
When you import policies from a single managed device, those policies appear in NSM
as rules in a new policy. Each device policy is imported as a single rule, and the rules make
up the policy that exists on the device.
NOTE: In the ScreenOS WebUI and CLI, a security policy is a single statement that
defines a source, destination, zone, direction, and service. In NSM, those same
statements are known as rules, and a security policy is a collection of rules.
To simplify policy management and maintenance, you can merge two policies into a
single security policy. To merge two policies, select a source policy and a target policy:
The source policy contains the rules that you want to merge into another policy (in the
UI, this is the From Policy).
The target policy receives the rules from the source policy (in the UI, this is the To
Policy).
NSM copies the rules from the source policy and pastes them above, below, or inline with
the rules in the target policy. When placing rules inline, be aware of the intra-policy
dependence of both policies. Because rule order is important (rules are executed
top-down), rules can be dependent on other rules. If you rearrange the order of dependent
rules by inserting merged rules, the security device changes the way it handles the packets.
If you are unsure if you have intra-policy dependence in your rules, it's best to merge rules
above or below the existing rules.
After creating a single security policy that contains both source and target rules, NSM
also identifies rules that contain similar values in the Source, Destination, Service, and
Install On columns, then collapses those rules into a single rule. NSM does not collapse
rules that contain different zones, or rules that refer to unique VPNs.
By default, NSM also updates the device policy pointers to reference the new merged
policy (the device policy pointer indicates which security policy is assigned to a device).
When configuring Policy Merge settings, you can edit this option to keep the device policy
pointers for both the source and target policies.
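The following is an added example, not NSM code: a small Python model of the merge described above (placement above, below or inline, then collapsing of similar rules) with a top-down first-match evaluator, so you can see how the same packet is handled differently depending on where the merged rules land. The Rule fields, the sample policies and the assumption that the action must also match for rules to collapse are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    src: str                      # "any" or a named address object
    dst: str
    service: str                  # "any" or a named service object
    action: str                   # "permit" or "deny"
    install_on: tuple = ("all",)  # the Install On column
    vpn: str = ""                 # non-empty: rule refers to a unique VPN

def collapse_similar(rules):
    """Collapse rules whose zones, src, dst, service and Install On match; VPN
    rules are never collapsed. First occurrence wins (assumed: action in key)."""
    seen, out = set(), []
    for r in rules:
        key = (r.src_zone, r.dst_zone, r.src, r.dst, r.service, r.action, r.install_on)
        if not r.vpn:
            if key in seen:
                continue
            seen.add(key)
        out.append(r)
    return out

def merge_policies(source, target, placement="below", at=0):
    """Put source rules above/below/inline (before index `at`) the target, then collapse."""
    layouts = {"above": source + target, "below": target + source,
               "inline": target[:at] + source + target[at:]}
    return collapse_similar(layouts[placement])

def first_match(rules, src_zone, dst_zone, src, dst, service):
    """Top-down first-match lookup; returns the action or 'implicit-deny'."""
    for r in rules:
        if ((r.src_zone, r.dst_zone) == (src_zone, dst_zone) and r.src in ("any", src)
                and r.dst in ("any", dst) and r.service in ("any", service)):
            return r.action
    return "implicit-deny"

TARGET = [Rule("trust", "untrust", "any", "any", "http", "permit"),
          Rule("trust", "untrust", "any", "any", "any", "deny")]  # constructed: catch-all deny
SOURCE = [Rule("trust", "untrust", "host-a", "any", "ssh", "permit"),
          Rule("trust", "untrust", "any", "any", "http", "permit"),  # collapses
          Rule("trust", "untrust", "any", "any", "http", "permit", vpn="vpn-1")]

def outcomes(src="host-a", dst="server-1", service="ssh"):
    """Action taken for one trust->untrust packet under each placement."""
    return {p: first_match(merge_policies(SOURCE, TARGET, p, at=1),
                           "trust", "untrust", src, dst, service)
            for p in ("above", "below", "inline")}
```

Merging below the target's catch-all deny shadows the new SSH rule, while merging above or inline before the deny permits it; the duplicate HTTP rule collapses, but the VPN-bound copy is kept separate.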
Chapter 9: Configuring Security Policies
507