Network and Security Manager Administration Guide
are configured. A validation error is generated for devices running versions below ScreenOS
6.2.
The Global rulebase does not contain source and destination zone columns. Because
global rules permit or deny traffic flow between all zones on a device, both the source
and destination zones are global and are not displayed.
NOTE: You can also configure "shared zones." The NSM Policy Manager uses
shared objects, also known as "polymorphic objects," including zones to
define various components of a policy rule. For more information, see "Central
Manager" on page 629.
Configuring Source and Destination Addresses for Firewall Rules
You create firewall rules to enable traffic to flow between two network components. In
the NSM system, address objects are used to represent the components on your network:
hosts, networks, and servers. When you add the address object to the rule, you are
assigning it to a security zone on your security device.
You can add predefined address objects for the network components that originate and
receive the traffic, or configure them as you create a firewall rule to control traffic between
those components:
To configure an address object as you are configuring the Source and Destination
components of a rule, right-click in the Source or Destination column of a rule and
select Add Address. Next, click the Add icon at the top of the New Source Addresses
or New Destination Addresses dialog box and configure the desired address object.
You can add an entire address group or select an individual address object from within
the group.
TIP: When a Policy Manager tree table view includes an address group or
service group, you can view the object (leaf member) count for the group
by hovering over the group with the mouse. This feature is also supported
for polymorphic objects in the address or service object category.
You can also negate all address objects in the source or destination columns of a rule.
When the source or destination is negated, NSM considers all address objects defined
for the current domain except the negated objects as part of the source or destination
for that rule. To negate the source or destination, you must have previously added one
or more address objects to the source or destination column of a rule.
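The negation semantics described above are easy to misread as "anything except these addresses." The guide states something narrower: a negated column is expanded to the address objects defined in the current domain, minus the negated ones, so traffic from a host that no domain address object covers does not match. The following Python model is an added illustration of that expansion, not NSM code or a Juniper API; the domain address objects, their names and ranges, and the rule name are constructed for the example, and the precondition that negation needs at least one address object in the column is enforced explicitly.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample: address objects defined in a hypothetical NSM domain.
# Names and ranges are illustrative only (not from the guide).
DOMAIN_ADDRESS_OBJECTS = {
    "corp-lan": ipaddress.ip_network("10.1.0.0/16"),
    "dmz-web": ipaddress.ip_network("192.0.2.0/24"),
    "guest-wifi": ipaddress.ip_network("10.9.0.0/16"),
    "mgmt-host": ipaddress.ip_network("10.1.250.10/32"),
}


@dataclass
class RuleEndpoint:
    """Models the Source or Destination column of a rule: the named address
    objects placed in the column plus the negate flag."""
    objects: set
    negated: bool = False

    def effective_objects(self, domain):
        """Expand the column to the set of address object names it stands for.

        Per the guide, a negated column means every address object defined in
        the domain except the listed ones. Negating an empty column is not
        permitted: one or more objects must already be in the column."""
        if self.negated:
            if not self.objects:
                raise ValueError(
                    "negation requires at least one address object in the column")
            return {name for name in domain if name not in self.objects}
        return set(self.objects)

    def matches(self, ip, domain):
        """True if the IP falls inside any of the column's effective objects."""
        addr = ipaddress.ip_address(ip)
        return any(addr in domain[name] for name in self.effective_objects(domain))


@dataclass
class FirewallRule:
    name: str
    source: RuleEndpoint
    destination: RuleEndpoint
    action: str = "permit"


def evaluate(rule, src_ip, dst_ip, domain=DOMAIN_ADDRESS_OBJECTS):
    """Return the rule's action when both columns match, or None when the
    rule is not hit (evaluation would continue to the next rule)."""
    if rule.source.matches(src_ip, domain) and rule.destination.matches(dst_ip, domain):
        return rule.action
    return None


# Constructed rule: every defined address object except guest-wifi may reach dmz-web.
GUEST_EXCLUDED = FirewallRule(
    name="to-dmz-except-guest",
    source=RuleEndpoint(objects={"guest-wifi"}, negated=True),
    destination=RuleEndpoint(objects={"dmz-web"}),
)

if __name__ == "__main__":
    # A corp-lan host matches; a guest-wifi host does not; a host outside every
    # defined address object does not match either, because negation only
    # expands to objects that exist in the domain.
    for src in ("10.1.5.5", "10.9.1.1", "172.16.0.1"):
        print(src, "->", evaluate(GUEST_EXCLUDED, src, "192.0.2.10"))
```

The third case is the one worth remembering when auditing a negated rule: adding a new subnet to the network without defining an address object for it leaves that subnet outside the negated source, so the rule silently stops applying to it.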
You can add global MIP and VIP objects as the source or destination address in a rule;
however:
When installing the rule on devices running ScreenOS 5.0 and later, you can add multiple
MIPs.
Copyright © 2010, Juniper Networks, Inc.