About Rule Groups; About The Multicast Rulebase; About Idp Rulebases On Isg Family Devices - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual


Network and Security Manager Administration Guide


About Rule Groups

A rule group is a user-defined grouping of rules within the Zone rulebase. Combining rules
into a rule group can help you better manage rules. For example, you might want to
combine your VPN rules in a single rule group, or combine all rules that manage traffic
from a specific interface on the device.
You can add, edit, and delete rule groups; however, deleting a rule group also deletes all
rules within that group. You can create multiple rule groups (40,000 rules max in a
security policy). NSM supports one level of rule groups; you cannot create a rule group
within a rule group.
NOTE: Rule groups can be created for all Policy Manager rulebases except global and
APE rulebases.
For information about rule groups, see "Using Rule Groups" on page 510.
About the Multicast Rulebase

By default, security devices do not permit multicast control traffic such as IGMP or PIM-SM
messages. If you run IGMP proxy or PIM-SM on your network, you must configure rules
in the Multicast rulebase to explicitly permit multicast control traffic between zones.
You can also configure multicast rules to translate multicast addresses. For example, to
translate a multicast group address in an internal zone to a different address on the
outgoing interface, specify both the original multicast address and the translated multicast
group address in a multicast rule.
When you create a multicast rule, you must specify the following:
Source zone—The zone from which traffic initiates.
Destination zone—The zone to which traffic is sent.
Multicast group—The multicast group or access list that specifies the multicast groups
for which you want the security device to permit multicast traffic.
Multicast rules control the flow of multicast control traffic only. To permit data traffic
(both unicast and multicast) to pass between zones, you must configure rules in a firewall
rulebase.
To begin configuring multicast rules for your managed devices, see "Configuring Multicast
Rules" on page 459.
About IDP Rulebases on ISG Family Devices

For IDP-capable security devices, such as the ISG Series gateways running ScreenOS
5.0–IDP and later, you can enable IDP in a zone or global firewall rule to direct permitted
traffic to the IDP rulebases. If you do not enable IDP in a firewall rule for a target device,
you can still configure rules in IDP rulebases, but you cannot apply the IDP rules when
you update the security policy on the target security devices.
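The three sections above each state a condition under which a policy does not do what its author expects: rule groups exist only in the Zone rulebase, multicast control traffic is dropped unless a multicast rule permits it (and a multicast rule never permits data traffic), and IDP rules are silently not applied to a device unless some firewall rule enables IDP for it. The following is an added example, not code from the NSM guide or from Juniper: a small Python lint that encodes those constraints over a hypothetical, simplified rule model (the `FirewallRule`, `MulticastRule`, `IdpRule` and `Policy` classes and the device names are assumptions, not NSM's data model or API) so that a policy export can be checked before it is pushed to devices.

```python
"""Consistency checks over a simplified NSM-style security policy (added
example; the classes are a hypothetical stand-in, not NSM's own model)."""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_RULES_PER_POLICY = 40_000  # ceiling stated in the guide


@dataclass
class FirewallRule:
    rulebase: str                 # "zone" or "global"
    src_zone: str
    dst_zone: str
    action: str                   # "permit" or "deny"
    devices: List[str] = field(default_factory=list)
    idp_enabled: bool = False     # "Enable IDP" set on a permit rule
    rule_group: Optional[str] = None  # only valid in the Zone rulebase


@dataclass
class MulticastRule:
    src_zone: str
    dst_zone: str
    multicast_group: str          # group address or access-list name
    devices: List[str] = field(default_factory=list)
    translated_group: Optional[str] = None  # optional address translation


@dataclass
class IdpRule:
    devices: List[str] = field(default_factory=list)


@dataclass
class Policy:
    firewall_rules: List[FirewallRule] = field(default_factory=list)
    multicast_rules: List[MulticastRule] = field(default_factory=list)
    idp_rules: List[IdpRule] = field(default_factory=list)
    # devices known from inventory to run IGMP proxy or PIM-SM
    multicast_routers: List[str] = field(default_factory=list)


def lint_policy(policy: Policy) -> List[str]:
    """Return one message per problem found; an empty list means clean."""
    findings: List[str] = []

    total = (len(policy.firewall_rules) + len(policy.multicast_rules)
             + len(policy.idp_rules))
    if total > MAX_RULES_PER_POLICY:
        findings.append(f"policy has {total} rules, above the {MAX_RULES_PER_POLICY} limit")

    # Rule groups are supported in the Zone rulebase only (not global or APE).
    for r in policy.firewall_rules:
        if r.rule_group and r.rulebase != "zone":
            findings.append(f"rule group '{r.rule_group}' used in {r.rulebase} rulebase")

    # IDP rules only take effect on devices where a permit rule enables IDP.
    idp_devices = {d for r in policy.firewall_rules
                   if r.idp_enabled and r.action == "permit" for d in r.devices}
    for r in policy.idp_rules:
        for d in r.devices:
            if d not in idp_devices:
                findings.append(f"{d}: IDP rules will not be applied on update; "
                                "no firewall rule enables IDP for this device")

    # Multicast control traffic (IGMP, PIM-SM) is dropped unless a multicast
    # rule permits it, so a multicast router with no such rule is a finding.
    mcast_devices = {d for r in policy.multicast_rules for d in r.devices}
    for d in policy.multicast_routers:
        if d not in mcast_devices:
            findings.append(f"{d}: runs IGMP proxy/PIM-SM but has no multicast rule")

    # A multicast rule covers control traffic only; data traffic for the same
    # zone pair still needs a permit rule in a firewall rulebase. Zone-rulebase
    # pairs are checked here; global rules are zone-independent and skipped.
    permitted_pairs = {(r.src_zone, r.dst_zone) for r in policy.firewall_rules
                       if r.action == "permit" and r.rulebase == "zone"}
    for r in policy.multicast_rules:
        if (r.src_zone, r.dst_zone) not in permitted_pairs:
            findings.append(f"multicast rule {r.src_zone}->{r.dst_zone} "
                            f"({r.multicast_group}) has no firewall permit rule for data traffic")
    return findings


def sample_policy() -> Policy:
    """Constructed sample with deliberate gaps (device names are made up)."""
    return Policy(
        firewall_rules=[
            FirewallRule("zone", "Trust", "Untrust", "permit", ["isg-1"],
                         idp_enabled=True, rule_group="vpn-rules"),
            FirewallRule("global", "Global", "Global", "deny", ["isg-1", "ns-2"],
                         rule_group="cleanup"),            # invalid: group in global
        ],
        multicast_rules=[
            MulticastRule("Trust", "Untrust", "239.1.1.0/24", ["isg-1"],
                          translated_group="239.2.2.0/24"),
            MulticastRule("DMZ", "Untrust", "mcast-acl", ["isg-1"]),  # no data rule
        ],
        idp_rules=[IdpRule(["isg-1", "ns-2"])],               # ns-2 never enables IDP
        multicast_routers=["isg-1", "ns-3"],                  # ns-3 has no multicast rule
    )


if __name__ == "__main__":
    for line in lint_policy(sample_policy()):
        print(line)
```

Run against the constructed sample, the lint reports the rule group in the global rulebase, the device whose IDP rules would be dropped on update, the multicast router with no multicast rule, and the multicast rule whose zone pair has no firewall permit rule; the rule-count check is included so the same pass catches the 40,000-rule ceiling on a large export.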
Copyright © 2010, Juniper Networks, Inc.
