Rule Application Sequence; ScreenOS Devices; Validation of Prerules and Postrules; Install-On Column for Prerules and Postrules - Juniper Network and Security Manager 2010.4 Administration Guide Rev1

Network and Security Manager Administration Guide

Rule Application Sequence

When the regional server pushes a rulebase to a device and that rulebase is not contained
within the regular policy, the Job Manager window displays a warning notifying the user that
a rulebase outside the regular policy was pushed.
Because prerules and postrules can be defined at the Central Manager, global domain, and
subdomain levels, NSM imposes a fixed rule application precedence. When prerules and
postrules are defined at every level, the rules in a rulebase are applied in the following
order (from first to last):
Central Manager prerules
Global domain prerules
Subdomain prerules
Rules of the specific rulebase the device uses
Subdomain postrules
Global domain postrules
Central Manager postrules

ScreenOS Devices

ScreenOS devices require every rule to have a unique ID. The rules pushed to a device are
the merged result of the prerules and postrules from the pre/post policy and the device's
local policy, so enforcing ID uniqueness within a single policy is not sufficient.
With Central Manager prerules and postrules, NSM enforces the uniqueness of a device rule's
preferred ID server-wide. Therefore, when an administrator adds a domain-level pre/post
rule on the regional server, or the Central Manager server pushes prerules and postrules to
the regional server, the regional server generates a server-wide unique preferred ID for
the new rule. Firewall rulebases draw these IDs from a preset ID range.
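The precedence list above and the server-wide ID uniqueness requirement for ScreenOS devices, modelled together as an added Python example. This is not code from the NSM guide or from Juniper: the scope labels, the firewall ID range, the sample rules and the first-match evaluation are all constructed here for illustration (the guide says a preset firewall rule ID range exists but does not give its bounds). The example shows that a subdomain prerule is evaluated before, and therefore overrides, a more permissive device rule, and that a duplicate preferred ID is caught at merge time rather than only within one policy.

```python
"""Merge prerules, device rules and postrules in NSM precedence order and
enforce server-wide unique preferred IDs (added example, not from the guide)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    pref_id: int
    src: str
    dst: str
    service: str
    action: str   # "permit" or "deny"
    scope: str    # level at which the rule was defined (see PRECEDENCE)

    def matches(self, src, dst, service):
        # "any" is a wildcard; otherwise the field must match exactly.
        return all(want in ("any", have)
                   for want, have in ((self.src, src), (self.dst, dst), (self.service, service)))


# Constructed preset range: the guide states that one exists for firewall
# rulebases but does not give its bounds.
FW_ID_RANGE = range(1, 10000)

# Application order from first to last, as listed in the guide.
PRECEDENCE = ("cm-pre", "global-pre", "sub-pre", "device", "sub-post", "global-post", "cm-post")


def check_unique_ids(rules):
    """Reject out-of-range or duplicate preferred IDs across the merged rulebase."""
    seen = {}
    for r in rules:
        if r.pref_id not in FW_ID_RANGE:
            raise ValueError(f"preferred ID {r.pref_id} outside firewall ID range")
        if r.pref_id in seen:
            raise ValueError(f"preferred ID {r.pref_id} used by both "
                             f"{seen[r.pref_id].scope} and {r.scope} rules")
        seen[r.pref_id] = r


def merge_rulebase(rules_by_scope):
    """Return the rulebase the device receives: each scope's rules concatenated
    in PRECEDENCE order, after the uniqueness check the regional server performs."""
    unknown = set(rules_by_scope) - set(PRECEDENCE)
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    merged = [r for scope in PRECEDENCE for r in rules_by_scope.get(scope, [])]
    check_unique_ids(merged)
    return merged


def next_free_id(rules):
    """Allocate the lowest preferred ID in the preset range not used by any rule."""
    used = {r.pref_id for r in rules}
    for candidate in FW_ID_RANGE:
        if candidate not in used:
            return candidate
    raise RuntimeError("firewall rule ID range exhausted")


def first_match(rules, src, dst, service):
    """First-match evaluation over the merged rulebase; None if nothing matches."""
    for r in rules:
        if r.matches(src, dst, service):
            return r
    return None


# Constructed sample policies: a subdomain prerule blocking a bad network, two
# local device rules, and a Central Manager cleanup postrule.
SAMPLE = {
    "sub-pre": [Rule(10, "badnet", "any", "any", "deny", "sub-pre")],
    "device":  [Rule(1001, "any", "web", "http", "permit", "device"),
                Rule(1002, "corp", "db", "ssh", "permit", "device")],
    "cm-post": [Rule(9999, "any", "any", "any", "deny", "cm-post")],
}


def demo():
    merged = merge_rulebase(SAMPLE)
    return {
        "order": [r.pref_id for r in merged],
        # The device permits any->web:http, but the subdomain prerule wins.
        "badnet->web http": first_match(merged, "badnet", "web", "http").scope,
        "corp->web http": first_match(merged, "corp", "web", "http").scope,
        "corp->db ssh": first_match(merged, "corp", "db", "ssh").scope,
        # Nothing earlier matches, so the Central Manager postrule applies.
        "partner->db ssh": first_match(merged, "partner", "db", "ssh").scope,
        "next free id": next_free_id(merged),
    }


def collision_detected():
    """A device rule reusing ID 10 is unique within its own policy but clashes
    with the subdomain prerule once merged; the merge must refuse it."""
    clash = dict(SAMPLE)
    clash["device"] = SAMPLE["device"] + [Rule(10, "any", "any", "any", "permit", "device")]
    try:
        merge_rulebase(clash)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("duplicate ID rejected:", collision_detected())
```

`merge_rulebase` is the step a regional server performs before a device update; `next_free_id` stands in for the server-wide allocation the regional server does when a new domain-level pre/post rule is created.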

Validation of prerules and postrules

On Central Manager servers, prerules and postrules are validated the same way as rules in
the NSM Policy Manager. Central Manager pushes prerules and postrules to the regional server
and fills the mapping tables with polymorphic objects. (See "Polymorphic Objects" on page 530
for details.) Prerules and postrules that are invalid on the regional server are removed when
the policy is pushed to a device during the device update operation.

Install-On Column for prerules and postrules

In the 2007.2 NSM Policy Manager, the Install-On column is the mechanism for specifying
which devices use a particular rule. When you configure a pre/post rule in Central Manager,
the rule is applied at the regional server level, so the Install-On column accepts only a
Regional Server object or ANY as legal entries. When Central Manager pushes a pre/post rule
to a regional server, the content of this column determines which rule is pushed to which
regional server.
Copyright © 2010, Juniper Networks, Inc.
