Updating Existing Security Policies
Copyright © 2010, Juniper Networks, Inc.
To install a new or modified policy on a managed device, from the toolbar, select Devices
> Configuration > Update Device Config. If you changed the device configuration or
assigned policy for a device, that device is automatically selected. Unselect any devices
you do not want to update.
You can also enable session rematch for policy installations on managed devices running
ScreenOS 5.1 and later. Session rematch enables NSM to preserve the existing sessions
that are being tracked by the installed security policy during the policy update procedure.
At the end of the update, NSM restores all valid sessions on the managed device and
deletes all invalid sessions (a session is considered valid when the From Zone, Source,
To Zone, Destination, and Service of the traffic are the same before and after the new
policy installation).
You enable session rematch when you update devices (from the menu bar, select Devices
> Configuration > Update Device Config). To enable session rematch from the Update
Devices dialog box, select Options, then select Rematch, session treatment when
modifying a policy rule, then click OK.
NOTE: You can also enable/disable session rematch in the system-wide
device update settings. To configure, from the menu bar, select Tools >
Preferences > Device Update. The system-wide setting (enabled or disabled)
becomes the default setting for all device updates, but you can change the
setting as needed for each individual update.
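The validity test described above, as an added example that is not Juniper's code: a small Python model of session rematch that checks each tracked session's From Zone, Source, To Zone, Destination and Service against the new first-match policy and splits sessions into those NSM would restore and those it would delete. The rule format, zone names, addresses and services are constructed assumptions, not values from the guide.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example modelling NSM session rematch (not Juniper code). A tracked
# session is 'valid' after the update when the new policy still permits traffic
# with the same From Zone, Source, To Zone, Destination and Service; the rest
# are deleted. Rules and sessions below are constructed sample data.
@dataclass(frozen=True)
class Rule:
    from_zone: str  # zone name or "any"
    src: str        # CIDR or "any"
    to_zone: str
    dst: str
    service: str    # service name or "any"
    action: str     # "permit" or "deny"
@dataclass(frozen=True)
class Session:
    from_zone: str
    src: str        # single host address
    to_zone: str
    dst: str
    service: str

def _addr_in(addr: str, cidr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr)
def first_match(policy, s):
    """First-match lookup: the rule the session's five attributes hit, or None."""
    for r in policy:
        if (r.from_zone in ("any", s.from_zone) and r.to_zone in ("any", s.to_zone)
                and r.service in ("any", s.service)
                and _addr_in(s.src, r.src) and _addr_in(s.dst, r.dst)):
            return r
    return None

def rematch(sessions, new_policy):
    """Return (restored, deleted) sessions as NSM would after the policy update."""
    restored, deleted = [], []
    for s in sessions:
        r = first_match(new_policy, s)
        (restored if r is not None and r.action == "permit" else deleted).append(s)
    return restored, deleted
# Constructed new policy: web access narrowed to one subnet, old DNS rule gone.
NEW_POLICY = [
    Rule("Trust", "10.1.1.0/24", "Untrust", "any", "HTTP", "permit"),
    Rule("Trust", "any", "Untrust", "any", "any", "deny"),
]
SESSIONS = [
    Session("Trust", "10.1.1.20", "Untrust", "203.0.113.5", "HTTP"),   # restored
    Session("Trust", "10.1.2.20", "Untrust", "203.0.113.5", "HTTP"),   # source moved out
    Session("Trust", "10.1.1.20", "Untrust", "203.0.113.53", "DNS"),   # no permit rule
]
```

Calling `rematch(SESSIONS, NEW_POLICY)` restores only the first session; the other two now hit the deny rule and are deleted, which is the behaviour to expect from a tightened policy even with rematch enabled.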
After you have selected the devices you want to update (and configured session rematch,
if desired), click OK to begin the update process. The Job Manager dialog box appears
and displays the progress of the policy installation. As the update is performed, the main
display area of the Job Manager dialog box displays the CLI commands that the
management system is sending to the physical device. In some cases, you might see that
the policy is unset, then reset on the device.
NSM does not need to reset the policy when:
The security policy you are installing does not exist on the physical device. The update
installs the security policy on the device.
The security policy you are installing already exists on the physical device. The update
modifies the policy on the physical device, without resetting the policy.
NSM must reset the policy when the security policy you are installing already exists on
the physical device, but an object within the policy has changed in NSM. The update first
unsets the current policy on the device, deletes the old object, adds the new changed
object, then installs the entire security policy again on the physical device.
Chapter 9: Configuring Security Policies
513
Network and Security Manager 2010.4 Administration Guide, Rev1