Pre And Post Rules - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Pre and Post Rules

Copyright © 2010, Juniper Networks, Inc.
In NSM, a policy supports many kinds of rulebases. Each rulebase is an ordered list of
rules. Prerule and postrule lists are also ordered lists of rules that are defined from the
Central Manager at the global domain and subdomain levels as well as on regional servers
in standalone NSM installations. You can define and apply rules for each rulebase type.
When you update a device, device-specific policy configurations are generated for the
device. This creates rulebases by applying the following rules in the following order (from
first to last):
1. Prerules
2. Policy rulebase rules
3. Postrules
The prerules and postrules feature provides a policy definition at a domain level that can
be applied to all devices within the specific domain and all subdomains. Users can define
two sets of rules for any rulebase type that can be applied as prerules and postrules for
any device of the given domain and subdomains.
NOTE: The Central Manager attack database version must match the regional server
attack database version to push prerules and postrules.
Prerules and postrules are two sets of rules of any rulebase type that can be created for
any domain. The configuration of pre/post rules is located in the main navigation tree
under Policy Manager, in an option called Central Manager Policies. Domain Administrators
can edit domain level policies from this option.
Prerules apply before any rules of a rulebase are applied to a device, and postrules apply
after any rules of a rulebase are applied to a device. Prerules and postrules in the
integrated view are not editable. There is only one instance of pre/post rules for a specific
domain.
Domain hierarchy is used when applying pre/post rules to subdomains. Within any
subdomain, global domain prerules take precedence over subdomain prerules, which
take precedence over security policy-specific rules. Similarly, security policy rules take
precedence over subdomain postrules, which take precedence over global domain
postrules.
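The precedence chain described above, as an added Python illustration (not NSM code and not part of the guide). It assembles the effective rule order for a device in a subdomain and shows which layer decides a given service. The domain names, the (service, action) rule tuples and the first-match evaluation are assumptions made for the example, and the ancestor walk generalizes the global/subdomain pair to any depth.

```python
# Added illustration; not NSM code. Domain names and rules are constructed.
from dataclasses import dataclass, field

@dataclass
class Domain:
    name: str
    parent: "Domain | None" = None
    prerules: list = field(default_factory=list)
    postrules: list = field(default_factory=list)

def effective_rules(domain, policy_rules):
    """Return (origin, rule) pairs in the order the guide describes."""
    chain = []                      # device's own domain first, global last
    d = domain
    while d is not None:
        chain.append(d)
        d = d.parent
    ordered = []
    for dom in reversed(chain):     # global prerules, then subdomain prerules
        ordered += [(f"{dom.name} prerule", r) for r in dom.prerules]
    ordered += [("policy rule", r) for r in policy_rules]
    for dom in chain:               # subdomain postrules, then global postrules
        ordered += [(f"{dom.name} postrule", r) for r in dom.postrules]
    return ordered

def first_match(ordered, service):
    """Assumed first-match evaluation: the earliest matching rule decides."""
    for origin, (svc, action) in ordered:
        if svc in (service, "any"):
            return origin, action
    return None, "no match"

# Constructed sample data: each rule is a (service, action) tuple.
global_dom = Domain("global", prerules=[("telnet", "deny")],
                    postrules=[("any", "deny")])
branch = Domain("branch", parent=global_dom,
                prerules=[("ssh", "permit")],
                postrules=[("http", "permit")])
policy = [("telnet", "permit"), ("dns", "permit")]

ORDER = effective_rules(branch, policy)

if __name__ == "__main__":
    for origin, rule in ORDER:
        print(f"{origin:18} {rule}")
    print(first_match(ORDER, "telnet"))
```

In this sample the device policy's telnet permit is never reached because the global prerule matches first, which is the shadowing effect to check for when reviewing a device's config summary.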
NOTE: You cannot push a pre/post rule from the central manager to a regional server.
All features of security policies are available for prerules and postrules.
- Import device command—Imports all rules into the security policy that is created for
  the device.
- Config summary—Displays the prerules and postrules.
Chapter 9: Configuring Security Policies