Running ScreenOS or Junos OS; Using the Policy Filter Tool; Filtering the Comment Field; Using a Predefined IDP Policy - Juniper Network and Security Manager 2010.3 - Administration Guide Rev1 Administration Manual

Network and Security Manager Administration Guide

Naming of Address Objects in a Security Policy That References Devices Running ScreenOS or Junos OS

Device updates might fail when a policy that references address objects for ScreenOS
devices is assigned to a J Series device or an SRX Series device because the address
object naming conventions in Junos OS are more restrictive than the naming conventions
in ScreenOS. For devices running Junos OS, the address object name must be a string
that begins with a letter and consists of letters, numbers, dashes, and underscores. For
devices running ScreenOS, the address object name can include numbers, characters,
and symbols. To ensure that a device running Junos OS can use the address objects
referenced by the security policy that is assigned to the device, all address objects in that
policy must follow the address object naming conventions for Junos OS. If the policy that
is assigned to a device running Junos OS contains preexisting address objects for ScreenOS
devices, these address objects must be renamed to follow the address object naming
conventions for Junos OS.
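
A pre-deployment check for the naming rule above, as an added example that is not part of the Juniper guide or of NSM itself: it flags address object names that break the Junos OS convention and proposes replacements. The `addr_` prefix, the underscore substitution, the numeric collision suffix and the sample names are assumptions made for illustration.

```python
import re

# Junos OS rule as stated above: begins with a letter, then only
# letters, numbers, dashes, and underscores.
JUNOS_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_-]*")


def is_junos_safe(name):
    """True if the address object name satisfies the Junos OS convention."""
    return JUNOS_NAME.fullmatch(name) is not None


def propose_junos_name(name, taken):
    """Suggest a compliant, unused name (hypothetical renaming scheme)."""
    # Collapse every run of disallowed characters into one underscore.
    candidate = re.sub(r"[^A-Za-z0-9_-]+", "_", name).strip("_")
    # The first character must be a letter; prefix when it is not.
    if not candidate or not candidate[0].isalpha():
        candidate = "addr_" + candidate
    # Two ScreenOS names can collapse to the same string; keep them distinct.
    unique, n = candidate, 2
    while unique in taken:
        unique = f"{candidate}_{n}"
        n += 1
    return unique


def plan_renames(names):
    """Map each non-compliant name to a proposed Junos-safe replacement."""
    taken = {n for n in names if is_junos_safe(n)}
    plan = {}
    for name in names:
        if not is_junos_safe(name):
            new = propose_junos_name(name, taken)
            taken.add(new)
            plan[name] = new
    return plan


# Constructed sample: address object names from a ScreenOS-era policy.
SAMPLE = ["web-servers", "10.1.1.0/24", "DMZ net #2", "DMZ_net_2", "2nd-floor"]

if __name__ == "__main__":
    for old, new in plan_renames(SAMPLE).items():
        print(f"{old!r} -> {new!r}")
```

Names that already comply are left out of the plan, so the output is the list of objects to rename before the policy is assigned to a J Series or SRX Series device.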

Using the Policy Filter Tool

NSM provides a Policy Filter tool to filter policy rules based on one or more filter conditions
specified for rule attributes. One filter can contain several filter conditions for different
attributes. The filter applies only to the currently selected rulebase. The filter results are
displayed in the same rulebase. Rules that do not match filter conditions are hidden. In
the firewall rulebase, only open rule groups are filtered. When a filter is set and a closed
rule group is expanded, only rules that match the filter will be displayed in the group. For
information about using the Policy Filter tool, refer to the NSM Online Help.

Filtering the Comment Field

You can use filters for the comments field of your policy. By default, the search finds only
an exact match unless it is used with a regular expression.

For example, suppose you have two rules with the following two comments: test1 and
juniper,\ntest1. If you want to find all the rules that have test1 in the comments field, you
must use a regular expression. If you do not select the regular expression checkbox, the
search returns only rules with the comment test1.

If you want to find all rules whose comment ends with the string test1, you can use one of the
following regular expressions:

    .*test1|.*\ntest1
    (.*|.*\n)test1

Using a Predefined IDP Policy

When you create a new IDP security policy, you can select from the following predefined
policies or use the Policy Creation Wizard, as described in the next section.

NOTE: IDP predefined policies are empty after an attack update. Relaunch the GUI to
reinstate the policies.

Copyright © 2010, Juniper Networks, Inc.
