About Rule Groups
A rule group is a user-defined grouping of rules within the Zone rulebase. Combining rules
into a rule group can help you better manage rules. For example, you might want to
combine your VPN rules in a single rule group, or combine all rules that manage traffic
from a specific interface on the device.
You can add, edit, and delete rule groups; note that deleting a rule group also deletes all
rules within that group. You can create multiple rule groups, but a security policy can
contain at most 40,000 rules in total. NSM supports one level of rule groups; you cannot nest
a rule group within another rule group.
NOTE:
Rule groups can be created for all Policy Manager rulebases except global and
APE rulebases.
For information about rule groups, see “Using Rule Groups” on page 510.
About the Multicast Rulebase
By default, security devices do not permit multicast control traffic such as IGMP or PIM-SM
messages. If you run IGMP proxy or PIM-SM on your network, you must configure rules
in the Multicast rulebase to explicitly permit multicast control traffic between zones.
You can also configure multicast rules to translate multicast addresses. For example, to
translate a multicast group address in an internal zone to a different address on the
outgoing interface, specify both the original multicast address and the translated multicast
group address in a multicast rule.
When you create a multicast rule, you must specify the following:
• Source zone—The zone from which traffic initiates.
• Destination zone—The zone to which traffic is sent.
• Multicast group—The multicast group or access list that specifies the multicast groups
for which you want the security device to permit multicast traffic.
Multicast rules control the flow of multicast control traffic only. To permit data traffic
(both unicast and multicast) to pass between zones, you must configure rules in a firewall
rulebase.
To begin configuring multicast rules for your managed devices, see “Configuring Multicast
Rules” on page 459.
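The following is an added example, not NSM or ScreenOS code, that models the dispatch the text describes: IGMP and PIM-SM control messages are decided by the Multicast rulebase (default deny, optional group translation), while multicast and unicast data traffic is decided only by a firewall rulebase. Zone names, group addresses, the access-list prefixes and the Policy class are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

# IP protocol numbers: IGMP and PIM are the control protocols the text names;
# UDP stands in for ordinary multicast data traffic.
IGMP, PIM, UDP = 2, 103, 17


@dataclass
class MulticastRule:
    src_zone: str
    dst_zone: str
    groups: List[str]                       # group addresses or an access list of prefixes
    translated_group: Optional[str] = None  # optional group address on the outgoing side


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    destination: str                        # "any" or an address/prefix
    action: str                             # "permit" or "deny"


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    group: str          # multicast group the packet is addressed to or reports on
    proto: int


def _matches(addr: str, prefixes: List[str]) -> bool:
    ip = IPv4Address(addr)
    return any(p == "any" or ip in IPv4Network(p, strict=False) for p in prefixes)


class Policy:
    """Assumed model of a device with a Multicast rulebase and a firewall rulebase."""

    def __init__(self, multicast_rules, firewall_rules):
        self.multicast_rules = list(multicast_rules)
        self.firewall_rules = list(firewall_rules)

    def evaluate(self, pkt: Packet) -> Tuple[str, str, Optional[str]]:
        """Return (rulebase consulted, verdict, group address on the outgoing side)."""
        if not IPv4Address(pkt.group).is_multicast:
            raise ValueError(f"{pkt.group} is not a multicast group address")
        if pkt.proto in (IGMP, PIM):
            return self._multicast(pkt)
        return self._firewall(pkt)

    def _multicast(self, pkt: Packet):
        # Control traffic: first matching multicast rule wins; no match means deny,
        # which is the device default for IGMP/PIM messages.
        for r in self.multicast_rules:
            if (r.src_zone, r.dst_zone) == (pkt.src_zone, pkt.dst_zone) and _matches(pkt.group, r.groups):
                return ("multicast", "permit", r.translated_group or pkt.group)
        return ("multicast", "deny", None)

    def _firewall(self, pkt: Packet):
        # Data traffic (multicast or unicast): only the firewall rulebase applies,
        # so a multicast rule alone never lets data through.
        for r in self.firewall_rules:
            if (r.src_zone, r.dst_zone) == (pkt.src_zone, pkt.dst_zone) and _matches(pkt.group, [r.destination]):
                return ("firewall", r.action, None)
        return ("firewall", "deny", None)


# Constructed sample policy (zone names and addresses are assumptions).
MULTICAST_RULES = [
    MulticastRule("Trust", "Untrust", ["239.1.2.3"], translated_group="239.200.1.1"),
    MulticastRule("Trust", "Untrust", ["239.1.0.0/16"]),   # access-list style match, no translation
]
FIREWALL_RULES = [FirewallRule("Trust", "Untrust", "239.1.0.0/16", "permit")]


def demo() -> dict:
    with_fw = Policy(MULTICAST_RULES, FIREWALL_RULES)
    without_fw = Policy(MULTICAST_RULES, [])
    return {
        # IGMP report for a translated group: permitted, leaves as 239.200.1.1
        "igmp_translated": with_fw.evaluate(Packet("Trust", "Untrust", "239.1.2.3", IGMP)),
        # PIM join for a group inside the access list: permitted, address unchanged
        "pim_in_list": with_fw.evaluate(Packet("Trust", "Untrust", "239.1.7.7", PIM)),
        # PIM join for a group no rule covers: default deny
        "pim_unlisted": with_fw.evaluate(Packet("Trust", "Untrust", "239.9.9.9", PIM)),
        # Multicast data: decided by the firewall rulebase, not by the multicast rules
        "data_with_fw_rule": with_fw.evaluate(Packet("Trust", "Untrust", "239.1.2.3", UDP)),
        "data_without_fw_rule": without_fw.evaluate(Packet("Trust", "Untrust", "239.1.2.3", UDP)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} -> {result}")
```

The last two cases are the check worth keeping in mind when a multicast stream does not flow: the control messages may be permitted by a multicast rule while the data itself is still being dropped by the firewall rulebase.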
About IDP Rulebases on ISG Family Devices
For IDP-capable security devices, such as the ISG Series gateways running ScreenOS
5.0–IDP and later, you can enable IDP in a zone or global firewall rule to direct permitted
traffic to the IDP rulebases. If you do not enable IDP in a firewall rule for a target device,
you can still configure rules in IDP rulebases, but you cannot apply the IDP rules when
you update the security policy on the target security devices.
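Because IDP rules are only reached through a permit rule that has IDP enabled, a policy can carry IDP rules that will never be applied on some target device. The following added example (not NSM code) is a pre-update check that reports such rules; the rule and device names, and the simplified rule shapes, are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class FirewallRule:
    rulebase: str          # "zone" or "global"
    action: str            # "permit" or "deny"
    enable_idp: bool       # the IDP flag on the firewall rule
    install_on: List[str]  # devices the rule is pushed to


@dataclass
class IdpRule:
    name: str
    install_on: List[str]  # devices the IDP rule targets


def devices_with_idp_handoff(firewall_rules: List[FirewallRule]) -> Set[str]:
    """Devices that have at least one zone or global permit rule with IDP enabled.

    Only permit rules count: IDP inspects permitted traffic, so a deny rule with
    the flag set hands nothing to the IDP rulebases.
    """
    return {
        dev
        for r in firewall_rules
        if r.action == "permit" and r.enable_idp and r.rulebase in ("zone", "global")
        for dev in r.install_on
    }


def dead_idp_rules(firewall_rules: List[FirewallRule], idp_rules: List[IdpRule]) -> Dict[str, List[str]]:
    """Map each IDP rule to the target devices on which it can never be applied."""
    covered = devices_with_idp_handoff(firewall_rules)
    result: Dict[str, List[str]] = {}
    for rule in idp_rules:
        missing = [d for d in rule.install_on if d not in covered]
        if missing:
            result[rule.name] = missing
    return result


# Constructed sample policy; device and rule names are assumptions.
FIREWALL_RULES = [
    FirewallRule("zone", "permit", True, ["isg-dc-1"]),
    FirewallRule("zone", "deny", True, ["isg-dc-2"]),       # flag set, but deny: no handoff
    FirewallRule("global", "permit", False, ["isg-dc-2"]),  # permit, but IDP not enabled
]
IDP_RULES = [
    IdpRule("idp-web-servers", ["isg-dc-1", "isg-dc-2"]),
    IdpRule("idp-dns", ["isg-dc-1"]),
]


def demo() -> Dict[str, List[str]]:
    return dead_idp_rules(FIREWALL_RULES, IDP_RULES)


if __name__ == "__main__":
    for name, devs in demo().items():
        print(f"{name}: no firewall rule enables IDP on {', '.join(devs)}")
```

Run against the sample policy, only idp-web-servers is flagged, and only for isg-dc-2: that device has a deny rule with IDP set and a permit rule without it, neither of which directs traffic to the IDP rulebases.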
Copyright © 2010, Juniper Networks, Inc.
436
Network and Security Manager Administration Guide
Network and Security Manager 2010.3