Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual page 560

Network and Security Manager Administration Guide
510
Rule Duplication—Occurs when one or more rules in the security policy are identical.
For more information, see "Rule Duplication" on page 510.
Zone Mismatch—Occurs when the source or destination zone you have chosen in a
rule is not available on the device you selected in the Install column.
Rule Shadowing—Occurs when a strict rule has no effect on traffic because it follows
a broader rule. For more information, see "Rule Shadowing" on page 510.
Unsupported Options—Occurs when a device in the Install column of a rule does not
support a specific rule option configured for the rule. For details, see "Unsupported
Options" on page 511.
To use the Policy Validation tool to validate a security policy, you must first assign the
security policy to a device. Then, to validate a policy, from the menu bar click Devices >
Policy > Validate Policy. A Job Manager window displays job information and progress.
Policy validation analyzes the source and destination addresses, the to and from zones,
and the service when validating. If NSM identifies any problems in the policy during policy
validation, it displays information about the problem at the bottom of the selected
rulebase.
NOTE: We highly recommend that you validate a policy before installing it.
A security policy that has internal problems can leave your network vulnerable.
Rule Duplication
Rule duplication occurs when an administrator configures the same rule in a rulebase
more than once. Rule duplication can also occur during the rule validation process for
devices running ScreenOS 5.0 and later. NSM treats each element of the rule as a separate
rule. For example, when a rule with two service objects (AOL and DNS) is sent to the
device, NSM sends it as two rules, one rule with AOL and another with DNS.
NOTE: For ScreenOS 5.0 and later, NSM sends rules with multiple objects
or elements. For example, NSM can send a rule with two or more service
objects as one rule.
You should delete all duplicate rules to maintain policy lookup efficiency.
A ScreenOS 5.0 and later device passes the policy validation process for HTTP; however,
Rule 2 is not needed. To correct this problem, you should delete Rule 2.
Rule Shadowing
Rule shadowing occurs when an administrator selects or configures a policy in such a
way that the next rules have no effect on traffic. Rule shadowing can introduce system
vulnerabilities and packet dropping. Policy validation identifies rule shadowing. You
should modify or delete all rules that overshadow others.
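The two checks described above (rule duplication and rule shadowing under first-match evaluation) can be modelled on a simplified rulebase. The following Python is an added example written for this page; it is not NSM code and does not reproduce NSM's own validation logic. It assumes a rule consists of from-zone, to-zone, source, destination, a set of service names and an action, with "any" as a wildcard, and it reports a later rule as shadowed when a single earlier rule matches everything the later rule would match. The sample rules are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import FrozenSet, List, Tuple

ANY = "any"  # wildcard for zones, addresses and services


@dataclass(frozen=True)
class Rule:
    """Simplified security-policy rule (hypothetical model, not NSM's schema)."""
    rule_id: int
    from_zone: str
    to_zone: str
    src: str                 # CIDR string or "any"
    dst: str                 # CIDR string or "any"
    services: FrozenSet[str]  # e.g. frozenset({"HTTP", "DNS"}) or frozenset({ANY})
    action: str              # "permit" or "deny"


def _covers_zone(broad: str, narrow: str) -> bool:
    return broad == ANY or broad == narrow


def _covers_addr(broad: str, narrow: str) -> bool:
    """True when every address in `narrow` is also in `broad`."""
    if broad == ANY:
        return True
    if narrow == ANY:
        return False
    b, n = ip_network(broad), ip_network(narrow)
    if b.version != n.version:      # v4 vs v6 never overlap
        return False
    return n.subnet_of(b)           # equal networks count as covered


def _covers_services(broad: FrozenSet[str], narrow: FrozenSet[str]) -> bool:
    return ANY in broad or narrow <= broad


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet matched by `later` is already matched by `earlier`.

    Under first-match evaluation such a `later` rule can never fire: it is
    shadowed, regardless of whether the two actions agree.
    """
    return (_covers_zone(earlier.from_zone, later.from_zone)
            and _covers_zone(earlier.to_zone, later.to_zone)
            and _covers_addr(earlier.src, later.src)
            and _covers_addr(earlier.dst, later.dst)
            and _covers_services(earlier.services, later.services))


def find_duplicates(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (first_id, duplicate_id) pairs for rules whose match fields and
    action are identical; the duplicate adds nothing and costs lookup time."""
    seen = {}
    dups = []
    for r in rules:
        key = (r.from_zone, r.to_zone, r.src, r.dst, r.services, r.action)
        if key in seen:
            dups.append((seen[key], r.rule_id))
        else:
            seen[key] = r.rule_id
    return dups


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (shadowing_id, shadowed_id) pairs using first-match semantics:
    rule j is shadowed if some rule i < j covers it. Only the first covering
    rule is reported for each shadowed rule."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed.append((earlier.rule_id, later.rule_id))
                break
    return shadowed


# Constructed sample rulebase (not from any real policy)
SAMPLE_RULES = [
    Rule(1, "trust", "untrust", "10.1.0.0/16", ANY, frozenset({"HTTP"}), "permit"),
    Rule(2, "trust", "untrust", "10.1.0.0/16", ANY, frozenset({"HTTP"}), "permit"),   # duplicate of 1
    Rule(3, "trust", "untrust", "10.1.5.0/24", ANY, frozenset({"HTTP", "DNS"}), "deny"),  # DNS not in rule 1, so live
    Rule(4, "trust", "untrust", "10.1.5.0/24", "192.0.2.0/24", frozenset({"HTTP"}), "deny"),  # shadowed by permit rule 1
    Rule(5, "untrust", "dmz", ANY, "192.0.2.10/32", frozenset({"HTTP"}), "permit"),
]

if __name__ == "__main__":
    for first, dup in find_duplicates(SAMPLE_RULES):
        print(f"duplicate: rule {dup} repeats rule {first}; delete it")
    for shadower, shadowed in find_shadowed(SAMPLE_RULES):
        print(f"shadowed: rule {shadowed} can never match because rule {shadower} precedes it")
```

Rule 4 is the case worth watching for: it is a deny that the administrator believes is in force, but the broader permit in rule 1 matches first, so the traffic is allowed. Note that this check only finds a rule covered by one earlier rule; a rule whose match space is covered only by the union of several earlier rules is not reported here.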
When a packet comes in, a security device compares it to the first rule in the policy. If a
match occurs, the device executes the action associated with the rule. If no match occurs,
Copyright © 2010, Juniper Networks, Inc.

Advertisement

Table of Contents
loading

This manual is also suitable for:

Network and security manager 2010.4

Table of Contents