Network and Security Manager Administration Guide
Defining Actions for Firewall Rules
446
Configuring Services for Firewall Rules
Services are application layer protocols that define how data is structured as it travels
across the network. In NSM, service objects represent the services running on your network.
In a firewall rule, you specify which services are supported by the destination address
object.
NOTE: All services rely on a transport layer protocol to transmit data. NSM includes
services that use TCP, UDP, RPC, and ICMP transport layer protocols.
NSM comes with several service objects based on industry-standard services already
created for you. You use these predefined service objects in firewall rules to specify the
services that traffic can use to traverse your network.
TIP: When a Policy Manager tree table view includes an address group or service group,
you can view the object (leaf member) count for the group by hovering over the group
with the mouse. This feature is also supported for polymorphic objects in the address
or service object category.
To control FTP traffic from the Engineering Server in the trust zone to the corporate Web
Server in the DMZ zone, select the FTP, HTTP, ICMP ANY, and TELNET service objects.
You can also create your own service objects in the Object Editor for use in rules, for
example service objects for protocols that use nonstandard ports.
If you use a nonstandard port (8080) for your HTTP services, create an HTTP service
object on port 8080. Add this service object to your firewall rule. NSM uses the specified
service object, HTTP on port 8080, and considers all connections to TCP/8080 to be
HTTP connections.
If the service of the network traffic matches a service selected in the rule, the firewall
performs the action.
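The matching rule described above, worked through as an added example that is not part of the guide or of NSM itself: a small Python model in which service objects are a transport protocol plus a destination port range, and a firewall rule fires when zones, address objects and any one of its service objects match the traffic. The object names, zone names and port numbers are constructed for the example; NSM's real predefined objects and their port definitions may differ.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Transport layer protocols a service object can use (the guide lists TCP, UDP, RPC and ICMP).
TCP, UDP, ICMP = "tcp", "udp", "icmp"


@dataclass(frozen=True)
class ServiceObject:
    """A service object: a name, a transport protocol and an inclusive destination
    port range. ICMP carries no ports, so the range is ignored for it."""
    name: str
    protocol: str
    dst_ports: Tuple[int, int] = (0, 65535)

    def matches(self, protocol: str, dst_port: Optional[int]) -> bool:
        if protocol != self.protocol:
            return False
        if protocol == ICMP:
            return True
        low, high = self.dst_ports
        return dst_port is not None and low <= dst_port <= high


@dataclass(frozen=True)
class Traffic:
    """One connection attempt as the firewall sees it (constructed sample input)."""
    from_zone: str
    to_zone: str
    src: str
    dst: str
    protocol: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class FirewallRule:
    name: str
    from_zone: str
    to_zone: str
    src: str
    dst: str
    services: Tuple[ServiceObject, ...]
    action: str  # e.g. "permit" or "deny"

    def matches(self, t: Traffic) -> bool:
        # Zones and address objects must match first; then any one of the rule's
        # service objects must match the traffic's protocol and destination port.
        if (t.from_zone, t.to_zone, t.src, t.dst) != (
            self.from_zone, self.to_zone, self.src, self.dst
        ):
            return False
        return any(s.matches(t.protocol, t.dst_port) for s in self.services)


def evaluate(rules, t: Traffic) -> Optional[str]:
    """Return the action of the first rule that matches the traffic, or None."""
    for rule in rules:
        if rule.matches(t):
            return rule.action
    return None


# Predefined-style service objects (standard ports; constructed for this example).
FTP = ServiceObject("FTP", TCP, (21, 21))        # control channel only, a simplification
HTTP = ServiceObject("HTTP", TCP, (80, 80))
TELNET = ServiceObject("TELNET", TCP, (23, 23))
ICMP_ANY = ServiceObject("ICMP ANY", ICMP)
# Custom object for HTTP relocated to the nonstandard port 8080, as the guide describes.
HTTP_8080 = ServiceObject("HTTP on 8080", TCP, (8080, 8080))

# The guide's example rule: Engineering Server (trust) -> corporate Web Server (DMZ).
ENG_TO_WEB = FirewallRule(
    name="eng-to-web",
    from_zone="trust", to_zone="dmz",
    src="Engineering Server", dst="Web Server",
    services=(FTP, HTTP, HTTP_8080, ICMP_ANY, TELNET),
    action="permit",
)
RULES = (ENG_TO_WEB,)


if __name__ == "__main__":
    for t in (
        Traffic("trust", "dmz", "Engineering Server", "Web Server", TCP, 8080),
        Traffic("trust", "dmz", "Engineering Server", "Web Server", TCP, 443),
        Traffic("trust", "dmz", "Engineering Server", "Web Server", ICMP),
        Traffic("untrust", "dmz", "Engineering Server", "Web Server", TCP, 80),
    ):
        print(t.protocol, t.dst_port, "->", evaluate(RULES, t))
```

Note that the model classifies purely by transport protocol and port, exactly as the guide says the device does for the 8080 object: every TCP/8080 connection is treated as HTTP whether or not the payload is HTTP, and a service the rule does not list (TCP/443 here) simply does not match, so the rule's action is never applied to it.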
NOTE: For firewall rules installed on a ScreenOS 5.x device, if you use a custom service
to relocate an application to a nonstandard port, you must also enable the Application
option in the Rule Options > Miscellaneous > ScreenOS 5.x devices. For details, see
"ScreenOS 5.x and Later Options" on page 453.
You can specify the action that your security device performs against traffic that matches
the zones, address objects, and services specified in the firewall rule. You can set different
actions for each rule:
Permit—The managed device permits the traffic to pass through the firewall to its
destination address.
Copyright © 2010, Juniper Networks, Inc.