Defining Match For Firewall Rules; Configuring Source And Destination Zones For Firewall Rules - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Defining Match for Firewall Rules

Copyright © 2010, Juniper Networks, Inc.
Defining Match for Firewall Rules on page 449
Defining Actions for Firewall Rules on page 452
Selecting Devices for Firewall Rules on page 453
Configuring Firewall Rule Options on page 454
Comments for Firewall Rules on page 465
For each rule, you must configure the rule parameters for the Match columns. The
remaining columns are optional; however, the more specific you can be in defining rule
parameters in each column, the more efficient your security policy can be when protecting
your network.
A firewall rulebase controls traffic flow on your network, from one network component
to another network component. To do this, the firewall must know the path that the
traffic takes to reach its destination and the service the traffic uses to get there.
When creating your firewall rules, you must specify the areas in your network that the
traffic passes through. These areas include the network components that originate and
receive the traffic, and the firewall zones the traffic passes through. For firewall rules:
The Destination Address, Source Address, Service, and Action are required for all rules
in the Zone and Global rulebases.
The To Zone, From Zone, and Service are additionally required for rules in the Zone rulebase.
You can create IPv6 rules with specific IPv6 source and destination addresses using the
Select Address dialog box. In this dialog box, you can populate hosts, networks, group
addresses and polymorphic objects based on the context of the IP version selected. The
policy filter is also enabled to support IPv6 addresses.
The following sections detail the Match columns of a firewall rule.

Configuring Source and Destination Zones for Firewall Rules

In the Zone rulebase, you create firewall rules to enable traffic to flow between zones
(interzone) or between two interfaces bound to the same zone (intrazone). You must
create zones on your device before you can create a rule for that device. In a single rule:
You must select a single zone for the source zone and a single zone for the destination
zone. These zones must be available on the devices covered by your policies.
You can also select multiple zone exceptions for both source and destination zones.
A zone exception includes a specific zone and the device that contains that zone.
You cannot create a rule that controls traffic between zones shared by vsys devices
or by devices in an NSRP configuration.
In addition to the security zone, you can now also configure the self zone as the source
zone in the security policy for all non-vsys devices running ScreenOS 6.2 and later. If you
choose "self" as the source zone, then you must also configure the source address as
"any". The system validates devices on which security policies with source zone "self"
Chapter 9: Configuring Security Policies
449
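As an added illustration (not taken from the NSM guide or from Juniper's code), the following Python encodes the constraints described above: the columns required in the Zone and Global rulebases, the self-zone restrictions (non-vsys device, ScreenOS 6.2 or later, source address "any"), and the check that a selected zone exists on the device. The device inventory, version strings and the Rule structure are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed device inventory (not from the guide):
# device name -> (ScreenOS version, is_vsys, zones configured on the device).
DEVICES = {
    "edge-fw": ("6.3", False, {"Trust", "Untrust", "DMZ"}),
    "vsys-a":  ("6.2", True,  {"Trust", "Untrust"}),
    "old-fw":  ("5.4", False, {"Trust", "Untrust"}),
}

@dataclass
class Rule:
    rulebase: str          # "zone" or "global"
    src_addr: str
    dst_addr: str
    service: str
    action: str
    device: str            # device the rule is installed on
    from_zone: str = ""    # Zone rulebase only: a single source zone
    to_zone: str = ""      # Zone rulebase only: a single destination zone

def validate(rule: Rule) -> List[str]:
    """Return the list of constraint violations; an empty list means the rule is valid."""
    problems = []
    # Required in both the Zone and Global rulebases.
    for name in ("src_addr", "dst_addr", "service", "action"):
        if not getattr(rule, name):
            problems.append(f"{name} is required")
    if rule.rulebase == "zone":
        version, is_vsys, zones = DEVICES[rule.device]
        # A Zone rule additionally needs a From Zone and a To Zone.
        if not rule.from_zone or not rule.to_zone:
            problems.append("Zone rulebase requires From Zone and To Zone")
        # Self zone: only on non-vsys devices running ScreenOS 6.2 or later,
        # and then the source address must be "any".
        if rule.from_zone == "self":
            if is_vsys or tuple(map(int, version.split("."))) < (6, 2):
                problems.append("self zone needs a non-vsys device on ScreenOS 6.2 or later")
            if rule.src_addr != "any":
                problems.append('source address must be "any" when source zone is self')
        # Every selected security zone must exist on the device.
        for z in (rule.from_zone, rule.to_zone):
            if z and z != "self" and z not in zones:
                problems.append(f"zone {z!r} is not configured on {rule.device}")
    return problems
```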