Network and Security Manager Administration Guide
Configuring IDP Policy Push Timeout
512
Assigned the policy to your devices—After you have created a security policy, you must
assign that policy to the devices you want to use that policy. Assigning a policy to a
device links the device to that policy, enabling NSM to install the policy on that device.
Selected the correct devices for the Install On column of each rule—A security device
can only use one security policy at a time; when you install a new policy, it overwrites
all existing policies on the security device.
Configured each device in the Install On column of each rule correctly—When you push
a policy to a device, you also push the device configuration to the device. Any changes
made (by you or another administrator) to the device configuration are pushed to the
device along with the policy.
Configured rules in each rulebase correctly—The management system installs rules
from all rulebases on the specified device. For information about rule installation and
rule execution sequence, see "Rule Execution Sequence" on page 439.
Configured the VPN rules or VPN links in the policy correctly—The management system
installs all VPN rules in the policy.
NSM does not validate VPN rules.
Additionally, to help you identify possible problems in your policy, you might want to run
a Delta Config Summary before pushing the policy.
During policy installation, NSM installs the rules in the policy on the security devices you
selected in the Install On column of each rule. The install process occurs between the
management system and your managed devices. First, the GUI Server creates the ADM
file that contains all policies for all devices selected for update (although the ADM file
collects information from all policies, it does not merge the policies). The GUI Server
sends the ADM to the Device Server. Next, the NSM Device Server receives the ADM and
uses it to create a separate, individual DM for each device that you selected for update.
For 5.0 and later devices, the Device Server sends the DM to the managed device, which
translates the information in the DM into commands and runs those commands on
the device.
IDP policies, due to their possibly large number of attack objects, may take a long time
to upload and compile. The default timeout for IDP policy is 40 minutes, but you can set
it higher if your policy uploads are timing out. Usually, this will only occur the first time a
policy is pushed to a newly deployed Sensor.
To set the timeout to a higher value, edit the following file:
/usr/netscreen/DevSvr/var/devSvr.cfg
Change the following setting:
devSvrDirectiveHandler.idpPolicyPush.timeout 2400000
The setting is measured in milliseconds (thousandths of a second), so 2400000 milliseconds
is equal to 40 minutes.
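The following script is an added example, not part of the NSM guide, showing one way to raise the IDP policy push timeout described above. It converts a value in minutes to the milliseconds the setting expects, replaces the existing devSvrDirectiveHandler.idpPolicyPush.timeout line (or appends one if it is missing) while keeping a backup copy, and reads the value back so the change can be checked. The file path and the demo run against a constructed sample file are assumptions; on a real Device Server the file is /usr/netscreen/DevSvr/var/devSvr.cfg.

```shell
#!/bin/sh
# Added example (not from the NSM guide): adjust the IDP policy push timeout in a
# devSvr.cfg-style file. The real file is /usr/netscreen/DevSvr/var/devSvr.cfg;
# the demo below uses a constructed copy so it runs without touching a live server.
set -eu

KEY="devSvrDirectiveHandler.idpPolicyPush.timeout"

# Minutes -> milliseconds; the setting is in ms (40 min = 2400000 ms).
minutes_to_ms() {
    echo $(( $1 * 60 * 1000 ))
}

# Print the current value of KEY in the given file (empty if absent).
current_timeout() {
    awk -v k="$KEY" '$1 == k { print $2 }' "$1"
}

# Set KEY in the given file to the given number of minutes.
# Replaces an existing line or appends one; keeps a .bak copy of the original.
set_timeout() {
    file="$1"
    ms=$(minutes_to_ms "$2")
    cp "$file" "$file.bak"
    tmp="$file.tmp.$$"
    awk -v k="$KEY" -v v="$ms" '
        $1 == k { print k, v; found = 1; next }
        { print }
        END { if (!found) print k, v }
    ' "$file" > "$tmp"
    mv "$tmp" "$file"
    current_timeout "$file"
}

# Demonstration on a constructed sample file (not a real devSvr.cfg).
demo() {
    d=$(mktemp -d)
    cat > "$d/devSvr.cfg" <<'EOF'
# constructed sample for demonstration only
devSvrDirectiveHandler.idpPolicyPush.timeout 2400000
EOF
    echo "before: $(current_timeout "$d/devSvr.cfg") ms"
    echo "after:  $(set_timeout "$d/devSvr.cfg" 90) ms"
    rm -rf "$d"
}

demo
```

Run as the user that owns the Device Server configuration; the .bak copy lets you restore the original 2400000 (40 minute) value if a larger timeout turns out not to be needed once the first push to a new Sensor has completed.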
Copyright © 2010, Juniper Networks, Inc.