Table 47: Rule Shadowing Example; Unsupported Options; Installing New Security Policies - Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual

Copyright © 2010, Juniper Networks, Inc.
the rule has no effect. The device then compares the packet to the next rule in the policy
(unless the prior rule was a "terminal" rule). So each packet is compared to every rule in
the policy, in order, until a match occurs or a terminal rule ends the match process.
For example, if Rule 1 is a terminal rule and a packet matches Rule 1, the device never
compares the packet to the rules that follow. Similarly, if Rule 1 causes the packet to be
dropped and Rule 2 adds a DiffServ marking, the marking is never added.
In Table 47 on page 511, Rule 1 shadows Rule 2. Rule 1 allows any service to the web server,
but Rule 2 denies the service HTTP. When the security device receives a packet requesting
HTTP service from the web server, Rule 1 allows the traffic; Rule 2, which denies HTTP, is
never checked. To get the intended behavior, the more specific deny rule must be placed
above the broader allow rule.

Table 47: Rule Shadowing Example

Rule   From Zone   Source   To Zone   Destination   Service   Action
1      Untrust     Any      DMZ       Web server    Any       Allow
2      Untrust     Any      DMZ       Web server    HTTP      Deny
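The first-match evaluation described above, as an added Python example that is not code from the guide or from NSM: a small model of a rule base with a shadow finder and a packet evaluator. The names (Rule, find_shadowed, evaluate), the `terminal` flag, and the packet layout are assumptions of this example; address and service objects are compared by name with "Any" as the only wildcard, so address-group and service-group expansion is out of scope. The two rules of Table 47 are built inline, together with a constructed HTTP request.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example (not Juniper/NSM code). Objects are matched by name and "Any" is
# the only wildcard, so this does not expand address groups or service groups.
ANY = "Any"
MATCH_FIELDS = ("from_zone", "source", "to_zone", "destination", "service")


@dataclass(frozen=True)
class Rule:
    number: int
    from_zone: str
    source: str
    to_zone: str
    destination: str
    service: str
    action: str
    terminal: bool = True   # assumption: a firewall action ends matching unless flagged otherwise


def field_covers(rule_value: str, other: str) -> bool:
    """True when rule_value matches everything `other` (a rule value or a packet value) matches."""
    return rule_value == ANY or rule_value == other


def covers(earlier: Rule, later: Rule) -> bool:
    """Every packet that `later` could match is already matched by `earlier`."""
    return all(field_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS)


def find_shadowed(policy: list[Rule]) -> list[tuple[int, int]]:
    """Return (shadowing rule, shadowed rule) pairs. A rule is shadowed when an
    earlier terminal rule covers it, so first-match evaluation never reaches it."""
    result = []
    for i, later in enumerate(policy):
        for earlier in policy[:i]:
            if earlier.terminal and covers(earlier, later):
                result.append((earlier.number, later.number))
                break   # report only the first rule that shadows it
    return result


def evaluate(policy: list[Rule], packet: dict) -> tuple[str | None, list[int]]:
    """Walk the rules top-down. Every matching rule is recorded; the first terminal
    match ends the walk. The returned action is that of the last matching rule
    (the terminal one, when there is one); None when nothing matches."""
    hits, action = [], None
    for rule in policy:
        if all(field_covers(getattr(rule, f), packet[f]) for f in MATCH_FIELDS):
            hits.append(rule.number)
            action = rule.action
            if rule.terminal:
                break
    return action, hits


# Table 47 as written in the guide: Rule 1 (Any service, Allow) shadows Rule 2 (HTTP, Deny).
TABLE_47 = [
    Rule(1, "Untrust", "Any", "DMZ", "Web server", "Any", "Allow"),
    Rule(2, "Untrust", "Any", "DMZ", "Web server", "HTTP", "Deny"),
]
# The same two rules with the specific deny placed first.
REORDERED = [
    Rule(1, "Untrust", "Any", "DMZ", "Web server", "HTTP", "Deny"),
    Rule(2, "Untrust", "Any", "DMZ", "Web server", "Any", "Allow"),
]
# Constructed packet: an HTTP request from an Untrust host to the DMZ web server.
HTTP_REQUEST = {"from_zone": "Untrust", "source": "203.0.113.5",
                "to_zone": "DMZ", "destination": "Web server", "service": "HTTP"}

if __name__ == "__main__":
    print("shadowed in Table 47:", find_shadowed(TABLE_47))        # [(1, 2)]
    print("Table 47 verdict:", evaluate(TABLE_47, HTTP_REQUEST))    # ('Allow', [1])
    print("reordered verdict:", evaluate(REORDERED, HTTP_REQUEST))  # ('Deny', [1])
```

Running the shadow finder over a rule base before installing it catches the Table 47 mistake statically; the evaluator shows the same thing dynamically, and also how a non-terminal rule (for example a marking rule) placed first does not shadow the terminal rule that follows it.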

Unsupported Options

Policy validation can also identify unsupported options in your security policy. Because
different security devices and systems support different features and options, policy
validation checks the rules in the policy to ensure that the devices specified in the Install
On column of the rule can support the Rule Options configured for the rule.
Some examples of unsupported option messages are:

"Permit/Tunnel" rules from home zone to work zone are not allowed on a Dial 2 device
(except when NSRP Lite is enabled).

Schedule option is not supported on a vsys device.

NOTE: Because the "reject" firewall action is supported only by devices running
ScreenOS 5.1 and higher, when NSM installs a rule with this action on a device running
an earlier OS, the action is automatically changed to "deny". Check the validation output
for this change before installing: on those devices a rule that was meant to reject will
silently drop instead.

For example, if you configure a firewall rule option (such as Antivirus protection or Deep
Inspection) that is not supported by the security device in the Install On column of the
rule, policy validation displays an information message that describes the unsupported
feature.
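The checks described under Unsupported Options, as an added Python example that is not NSM's own validation code: it encodes the three messages quoted on this page plus the reject-to-deny downgrade as a pre-install check over a hypothetical device inventory. The Device and Rule attributes (os_version, vsys, model, nsrp_lite, features, install_on, options), the parse_screenos helper, and the constructed devices and rules are all assumptions of this example.

```python
from __future__ import annotations
from dataclasses import dataclass

# Added example, not NSM code. The device attributes are a hypothetical model of
# the facts policy validation needs: OS version, vsys or not, platform, NSRP Lite,
# and which rule-option features the platform supports.


@dataclass(frozen=True)
class Device:
    name: str
    os_version: tuple[int, int]            # ScreenOS (major, minor)
    vsys: bool = False
    model: str = ""                        # "Dial 2" for the guide's example
    nsrp_lite: bool = False
    features: frozenset = frozenset()      # e.g. {"antivirus", "deep_inspection"}


@dataclass(frozen=True)
class Rule:
    number: int
    from_zone: str
    to_zone: str
    action: str                            # "permit", "deny", "reject", "tunnel"
    install_on: tuple[str, ...]            # the rule's Install On column
    options: frozenset = frozenset()       # "schedule", "antivirus", "deep_inspection"


REJECT_MIN_OS = (5, 1)                     # "reject" needs ScreenOS 5.1 or higher
FEATURE_OPTIONS = {"antivirus": "Antivirus", "deep_inspection": "Deep Inspection"}


def parse_screenos(version: str) -> tuple[int, int]:
    """'5.0.0r9' -> (5, 0); tuple comparison then implements '5.1 and higher'."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def validate_rule(rule: Rule, devices: dict[str, Device]) -> tuple[list[str], dict[str, str]]:
    """Return (validation messages, action that would actually be installed per device)."""
    messages: list[str] = []
    installed: dict[str, str] = {}
    for name in rule.install_on:
        dev = devices[name]
        action = rule.action.lower()
        where = f"Rule {rule.number} on {name}"
        # reject is silently downgraded on older ScreenOS: surface it before installing
        if action == "reject" and dev.os_version < REJECT_MIN_OS:
            messages.append(f'{where}: "reject" requires ScreenOS 5.1 or higher; '
                            f'it will be installed as "deny".')
            action = "deny"
        if "schedule" in rule.options and dev.vsys:
            messages.append(f"{where}: Schedule option is not supported on a vsys device.")
        if (dev.model == "Dial 2" and not dev.nsrp_lite and action in ("permit", "tunnel")
                and (rule.from_zone, rule.to_zone) == ("home", "work")):
            messages.append(f'{where}: "Permit/Tunnel" rules from home zone to work zone '
                            f"are not allowed on a Dial 2 device (except when NSRP Lite enabled).")
        for opt in sorted(rule.options):
            if opt in FEATURE_OPTIONS and opt not in dev.features:
                messages.append(f"{where}: {FEATURE_OPTIONS[opt]} is not supported by this device.")
        installed[name] = action
    return messages, installed


# Constructed inventory and rules (not from the guide).
DEVICES = {
    "ns5gt-branch": Device("ns5gt-branch", parse_screenos("5.0.0r9")),
    "isg-vsys-hr": Device("isg-vsys-hr", parse_screenos("6.3.0r12"), vsys=True,
                          features=frozenset({"antivirus", "deep_inspection"})),
    "dial2-home": Device("dial2-home", parse_screenos("5.4.0r3"), model="Dial 2"),
}
SCHEDULED_REJECT = Rule(1, "Untrust", "DMZ", "reject", ("ns5gt-branch", "isg-vsys-hr"),
                        frozenset({"schedule", "antivirus"}))
HOME_TO_WORK = Rule(2, "home", "work", "permit", ("dial2-home",))

if __name__ == "__main__":
    for rule in (SCHEDULED_REJECT, HOME_TO_WORK):
        msgs, installed = validate_rule(rule, DEVICES)
        print(installed)
        print("\n".join(msgs))
```

The point of returning the installed action alongside the messages is that the reject-to-deny change is not an error in NSM's eyes: it happens automatically, so a check that only reports failures would miss it.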
Installing New Security Policies

Before you install a new security policy, ensure that you have:

Chapter 9: Configuring Security Policies
511
