Network and Security Manager Administration Guide
Rule Application Sequence
516
View device pending policy—Displays the policy being pushed to a device including
prerules and postrules from current and parent domains.
Validate policy—Validates policy rules.
View domain rules—When checked, any predefined or custom policy displays the
prerules and postrules above and below the policy rules. These rules are displayed in
a different color and are not editable.
Prerules and postrules can include rulegroups. The firewall rulebase for prerules and
postrules cannot contain VPN rules or VPN links.
When the regional server pushes a rulebase that is not contained within the regular
policy to a device, a warning message in the Job Manager window notifies the user that
such a rulebase was pushed.
Since prerules and postrules are defined at the Central Manager, global, and subdomain
levels, NSM imposes a rule application precedence. When all prerules and postrules are
defined, NSM applies the rules in a rulebase in the following order (from first to last):
1. Central Manager prerules
2. Global domain prerules
3. Subdomain prerules
4. Specific rulebase rules the device uses
5. Subdomain postrules
6. Global domain postrules
7. Central Manager postrules
ScreenOS Devices
ScreenOS devices require rules to have unique IDs. Rules pushed to a device are the
merged result of the prerules and postrules from the pre/post policy and the device's
local policy, so enforcing uniqueness at the single policy level is not sufficient.
With Central Manager prerules and postrules, NSM enforces the uniqueness of a device
rule's preferred ID server-wide. Therefore, when an administrator adds a domain-level
pre/post rule, either on the regional server or on the Central Manager server (which
pushes prerules and postrules to the regional server), the regional server generates a
server-wide unique preferred ID for the new rule. Firewall rulebases use a preset ID
range.
Validation of prerules and postrules
In Central Manager servers, prerules and postrules are validated the same way as rules
in the NSM Policy Manager. Central Manager pushes prerules and postrules to the
regional server and fills mapping tables with polymorphic objects. (See "Polymorphic
Objects" on page 518 for more details.) Invalid prerules and postrules in the regional server
are removed when the policy is pushed to a device during the device update operation.
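The precedence order, the server-wide unique preferred IDs required by ScreenOS devices, and the removal of invalid prerules and postrules at push time can be modelled together. The following Python is an added illustration, not Juniper's NSM code: the rule fields, the preset ID range (10000 to 19999), the sample rules and the validation flag are all assumptions made for the example.

```python
"""Model of how NSM composes the rulebase pushed to a ScreenOS device.

Added example, not NSM's own code. It mirrors three statements from the
guide: the first-to-last precedence of prerules, device rules and
postrules; the server-wide unique preferred ID allocated to each rule;
and the dropping of invalid prerules/postrules when the policy is pushed.
"""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional

# Rule sources in precedence order (highest first), as stated in the guide.
LEVELS = ("central_manager", "global", "subdomain")


@dataclass
class Rule:
    name: str
    kind: str = "firewall"               # "firewall", "vpn" or "vpn_link" (assumed)
    valid: bool = True                   # outcome of Policy Manager-style validation
    preferred_id: Optional[int] = None   # server-wide unique ID once allocated


@dataclass
class Domain:
    prerules: List[Rule] = field(default_factory=list)
    postrules: List[Rule] = field(default_factory=list)


class IdAllocator:
    """Hands out server-wide unique preferred IDs from a preset range.

    The bounds are an assumption; the guide only says a preset range
    exists for firewall rulebases.
    """

    def __init__(self, start: int = 10000, end: int = 19999):
        self._next = count(start)
        self._end = end
        self.issued = set()

    def reserve(self, rule_id: int) -> int:
        """Register an ID a rule already carries; collisions are an error."""
        if rule_id in self.issued:
            raise ValueError(f"preferred ID {rule_id} already in use server-wide")
        self.issued.add(rule_id)
        return rule_id

    def allocate(self) -> int:
        """Return the next unused ID in the range."""
        rule_id = next(self._next)
        while rule_id in self.issued:
            rule_id = next(self._next)
        if rule_id > self._end:
            raise RuntimeError("preset preferred-ID range exhausted")
        self.issued.add(rule_id)
        return rule_id


def check_pre_post_rulebase(rules: List[Rule]) -> List[str]:
    """Names of rules that may not appear in a pre/post firewall rulebase
    (the guide forbids VPN rules and VPN links there)."""
    return [r.name for r in rules if r.kind in ("vpn", "vpn_link")]


def build_device_policy(domains: dict, device_rules: List[Rule],
                        allocator: IdAllocator) -> List[Rule]:
    """Return the ordered rule list that would be pushed to one device.

    `domains` maps each entry of LEVELS to a Domain. Invalid prerules and
    postrules are dropped at push time; every rule without a preferred ID
    receives a server-wide unique one.
    """
    for level in LEVELS:
        bad = (check_pre_post_rulebase(domains[level].prerules)
               + check_pre_post_rulebase(domains[level].postrules))
        if bad:
            raise ValueError(f"VPN rules not allowed in {level} pre/post rules: {bad}")

    ordered: List[Rule] = []
    for level in LEVELS:                    # CM pre, global pre, subdomain pre
        ordered += [r for r in domains[level].prerules if r.valid]
    ordered += device_rules                 # the device's own rulebase
    for level in reversed(LEVELS):          # subdomain post, global post, CM post
        ordered += [r for r in domains[level].postrules if r.valid]

    for rule in ordered:
        if rule.preferred_id is None:
            rule.preferred_id = allocator.allocate()
        else:
            allocator.reserve(rule.preferred_id)
    return ordered


def example_policy() -> List[Rule]:
    """Constructed sample: one pre and one post rule per level, one invalid
    subdomain prerule, and two device rules (one already carrying an ID)."""
    domains = {
        "central_manager": Domain([Rule("cm-pre")], [Rule("cm-post")]),
        "global": Domain([Rule("global-pre")], [Rule("global-post")]),
        "subdomain": Domain([Rule("sub-pre"), Rule("sub-pre-bad", valid=False)],
                            [Rule("sub-post")]),
    }
    device_rules = [Rule("dev-1", preferred_id=5), Rule("dev-2")]
    return build_device_policy(domains, device_rules, IdAllocator())


if __name__ == "__main__":
    for r in example_policy():
        print(r.preferred_id, r.name)
```

Running the module prints the merged rulebase in push order with the invalid subdomain prerule absent and fresh IDs drawn from the preset range for every rule that did not already carry one. Because the allocator is shared across all levels, two administrators adding pre/post rules in different domains cannot end up with the same preferred ID, which is the server-wide property the guide describes.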
Copyright © 2010, Juniper Networks, Inc.