Network and Security Manager Administration Guide
470
You can also "negate" the address objects listed in the Source or Destination column to
specify all sources or destinations except the excluded objects.
You can create address objects either before you create an IDP rule or while creating or
editing an IDP rule. To select or configure an address object, right-click either the Source
or Destination column of a rule and select Select Address. In the Select Source Addresses
dialog box, you can either select an already-created address object or click the Add icon
to create a new host, network, or group object.
To detect incoming attacks that target your internal network, set the From Zone to
Untrust, and the Source IP to any IP. Then, set the To Zone to dmz and trust. Next, select
the address object that represents the host or server you want to protect from attacks
as the Destination IP.
To detect attacks between two networks, select multiple address objects for the Source
and Destination.
The more specific you are in defining the source and destination of an attack, the more
you reduce false positives.
Configuring User Roles for IDP Rules
You can use role-based IDP policy to define roles and related access privileges, and apply
an application policy to them that is effective regardless of where the user logs in.
Role-based access control facilitates a dynamic network and access to partners. This
feature is supported on the ISG1000 and ISG2000 gateways with SM devices running
ScreenOS 6.3 and later.
To support role-based IDP policy, you must select both the IDP Enabled and Infranet Auth
options in the Firewall Rule Options. When it receives a packet, the firewall verifies the
role name of the user against the list of user roles and user role groups provided before
forwarding the packet. You can configure either IP-based rules or role-based rules in an
IDP policy but not both. Role-based rules have higher precedence than IP-based rules.
Therefore, if roles have been specified for a session, the firewall first tries to match
role-based rules and then tries to match IP-based rules. If roles are not configured for a
session, the firewall searches for IP-based rules.
You can configure this feature by selecting Policy Manager > Policies. Select a device
policy and add an IDP rulebase. Right-click on the User Role column. You can then Select,
Filter, or Edit user roles. If you select user roles, the Select User Roles dialog box opens.
Select the device from the drop-down list in the Device field. Click the add icon (+) in the
Selected User Roles column to add either New User Roles or New User Role Groups. You
can enter a user role in the New User Define box and click OK to create a new user role.
The User Roles dialog box allows you to view all the created user roles and add or remove
them from the IDP policy. Similarly, you can create user role groups in the New User
Defined User Role Group dialog box, view them, and add or remove them from the policy.
When you right-click on the User Roles column, you can also use the Filter and Edit
options provided. With the Filter option, you can choose to apply a filter (true or false,
negate, or ignore objects in group) to the user role values. The Edit option allows you to
cut, copy, or paste the user role name in the column.
Copyright © 2010, Juniper Networks, Inc.
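The following is an added example, not code from the NSM guide or from Juniper. It is a small model of how the rule semantics described on this page fit together: address objects (including a group object), a negated Source column that matches every source except the listed objects, From/To zone matching, and the precedence rule that role-based rules are tried before IP-based rules when a session carries roles. All address-object names, prefixes, zone names, roles and rule names are constructed for illustration and are not NSM identifiers; the real device evaluates rules inside ScreenOS, so this only reproduces the ordering described in the text.

```python
"""Toy model of IDP rule matching as described in the NSM guide: address
objects with negation, From/To zones, and role-based-before-IP-based
precedence. Every name, prefix and role here is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional

# Constructed address objects: name -> list of CIDR prefixes.
# A "group" object is simply an object that lists several prefixes.
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "any": ["0.0.0.0/0"],
    "web-server": ["10.1.1.10/32"],
    "dmz-net": ["10.1.1.0/24"],
    "trust-net": ["10.2.0.0/16"],
    "admin-hosts": ["10.2.5.0/24", "10.2.6.0/24"],   # group object
}


@dataclass(frozen=True)
class IdpRule:
    name: str
    from_zone: str                        # "any" or a zone name
    to_zones: FrozenSet[str]              # e.g. {"dmz", "trust"}
    src: tuple = ("any",)                 # address object names in the Source column
    dst: tuple = ("any",)                 # address object names in the Destination column
    src_negate: bool = False              # negated column: all sources except the listed objects
    dst_negate: bool = False
    roles: FrozenSet[str] = frozenset()   # non-empty -> role-based rule, empty -> IP-based rule


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    roles: FrozenSet[str] = frozenset()   # roles the firewall learned for this session, if any


def ip_in_objects(ip: str, objects: tuple) -> bool:
    """True if ip falls inside any prefix of any of the listed address objects."""
    addr = ip_address(ip)
    return any(addr in ip_network(p) for name in objects for p in ADDRESS_OBJECTS[name])


def address_matches(ip: str, objects: tuple, negate: bool) -> bool:
    """A negated column matches exactly the addresses NOT covered by the objects."""
    return ip_in_objects(ip, objects) != negate


def zones_match(rule: IdpRule, s: Session) -> bool:
    from_ok = rule.from_zone in ("any", s.from_zone)
    to_ok = "any" in rule.to_zones or s.to_zone in rule.to_zones
    return from_ok and to_ok


def match_rule(policy: List[IdpRule], s: Session) -> Optional[str]:
    """Return the name of the first rule matching the session, or None.

    Role-based rules are tried first when the session carries roles; IP-based
    rules are tried afterwards, and are the only rules tried for a session
    without roles, which is the precedence the guide describes."""
    role_rules = [r for r in policy if r.roles]
    ip_rules = [r for r in policy if not r.roles]
    if s.roles:
        for r in role_rules:
            if zones_match(r, s) and r.roles & s.roles:
                return r.name
    for r in ip_rules:
        if (zones_match(r, s)
                and address_matches(s.src_ip, r.src, r.src_negate)
                and address_matches(s.dst_ip, r.dst, r.dst_negate)):
            return r.name
    return None


# Constructed policy: one role-based rule and two IP-based rules.
POLICY = [
    IdpRule("contractor-sessions", "untrust", frozenset({"dmz", "trust"}),
            roles=frozenset({"contractor"})),
    # Incoming attacks against a protected server: Untrust -> dmz, any source.
    IdpRule("protect-web", "untrust", frozenset({"dmz"}),
            src=("any",), dst=("web-server",)),
    # Attacks between two networks, with the admin hosts excluded as sources.
    IdpRule("trust-to-dmz-non-admin", "trust", frozenset({"dmz"}),
            src=("admin-hosts",), src_negate=True, dst=("dmz-net",)),
]

if __name__ == "__main__":
    s = Session("untrust", "dmz", "203.0.113.5", "10.1.1.10")
    print(match_rule(POLICY, s))   # session without roles: IP-based rule "protect-web"
```

Note what the role check does not do: a session that carries a role for which no role-based rule exists (an "employee" against the policy above) falls through to the IP-based rules, so tightening the role-based rules alone does not remove the need for specific Source and Destination objects on the IP-based ones.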