Autogenerating VPN Rules; Configuring Overrides; Editing Policy Rules - Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Network and Security Manager Administration Guide

If your VPN includes only security devices, you can specify one predefined or custom
proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet
devices, you should use multiple proposals to increase security and ensure compatibility.

Autogenerating VPN Rules

When you have completed configuring the policy- and route-based VPN members, the
topology (if necessary) and termination points, and the IKE (if necessary) and gateway
parameters for the VPN, you are ready to autogenerate the VPN.
During autogeneration, NSM generates the VPN rules that control traffic between
policy-based VPN members, and edits the device configuration (gateways, security
parameters, and so on) of each VPN member to support the VPN.
Autogeneration does not:
- Insert the VPN rules into a security policy. After you have reviewed the VPN rules and
  made any necessary overrides, you must manually insert the VPN rules (known as a VPN
  link) into a security policy. For details, see "Adding the VPN Link" on page 576.
- Install the new VPN rules or edited device configurations on the managed devices in
  the VPN. After you have inserted the VPN link into a security policy, you can install that
  policy on your devices using the Updated directive.
- Create static or dynamic routes for route-based VPNs.
To autogenerate the VPN, click Save.

Configuring Overrides

The override area enables you to configure individual settings for each VPN rule (for
policy-based and mixed-mode VPNs) and each VPN member. Each change you make
to the autogenerated rules or VPN member configuration is known as an override to the
VPN settings.
You might need to override the VPN settings to:
- Configure additional security for specific tunnels.
- Configure additional authentication between specific VPN members.
- Configure unique monitoring or reporting options for specific VPN members or VPN
  tunnels.
- Configure unique IKE IDs for each VPN member.

Editing Policy Rules

For policy-based and mixed-mode VPNs, NSM automatically generates the VPN rules
to control traffic between VPN members. To view these autogenerated rules, click the
Policy Rules link in the Overrides area; the rules appear in a separate NSM window, using
the same row and column format as in the Security Policies.
NOTE: Policy rules do not appear for route-based VPNs.
Copyright © 2010, Juniper Networks, Inc.
