Configure Task Modules in the NSM User Interface Overview
The Configure task includes
the following top-level modules:
Device Manager
The Device Manager contains the device objects
that represent your security devices. Table 1 describes
the objects that you can create in Device Manager.
Table 1: Device Objects in Device Manager

| Device Object | Description |
| --- | --- |
| Security devices and systems | The devices you use to enable access to your network and to protect your network against malicious traffic. |
| Vsys devices | A vsys is a virtual device that exists within a physical security device. |
| Clusters | A cluster is two security devices joined together in a high availability configuration to ensure continued network uptime. |
| Vsys cluster | A vsys cluster device is a vsys device that has a cluster as its root device. |
| Extranet devices | Firewalls or VPN devices that are not Juniper Networks security devices. |
| Templates | A template is a partial device configuration that you can define once and then use for multiple devices. |
| Device Groups | A device group is a user-defined collection of devices. |
Security Policies
Security policies contain the firewall, multicast,
and VPN rules that control traffic on your network. Using a graphical,
easy-to-use rule building platform, you can quickly create and deploy
new policies to your security devices.
Use security policies to:
- Add or modify existing security policies
- Add or modify existing VPN rules
- Add or modify existing IDP rules
- Create policies based on existing policies
- Install policies on one or multiple security devices
- Delete policies
Note: Devices running ScreenOS 6.3 support IPv6 in policy rulebases,
IDP, address objects, and attack objects. You can also configure IPv6
host, network, and multicast addresses. For more information on IPv6
support, see the Network and Security Manager Administration
Guide.
If the device configurations that you imported
from your security devices contained policies, security policies display
those imported policies. For details on editing those imported policies
or creating policies, see Chapter 9, “Configuring Security Policies”,
or Chapter 10, “Configuring VPNs”, of the Network
and Security Manager Administration Guide.
VPN Manager
The VPN Manager contains the VPN abstractions that
control the VPN tunnels between your managed devices and remote users.
Using VPN objects, such as protected resources and IKE proposals,
you can create multiple VPNs for use in your security policies.
Use the VPN Manager to:
- Define the protected resources on your network. Protected
resources represent the network resources you want to protect in a
VPN.
- Create custom IKE phase 1 and 2 proposals.
Note: In ScreenOS 6.1 or later, users can set “group 14”
for phase 1 and 2 proposals.
- Configure AutoKey IKE, L2TP, and L2TP-over-AutoKey IKE
VPNs in policy-based or route-based modes. You can also create an
AutoKey IKE mixed mode VPN to connect policy-based VPN members with
route-based VPN members.
- Configure AutoKey IKE and L2TP policy-based VPNs for remote
access server (RAS) and include multiple users.
Note: In ScreenOS 6.1 or later, AutoKey IKE VPNs and AutoKey IKE RAS
VPNs support IKEv2 parameters.
Object Manager
The Object Manager contains objects, which are
reusable, basic NSM building blocks that contain specific information.
You use objects to create device configurations, policies, and VPNs.
All objects are shared, meaning that every device and policy
in the domain can use them.
Table 2 describes the objects
that you can create in NSM.
Table 2: Objects in Object Manager

| Objects | Description |
| --- | --- |
| Address Objects | Represent components of your network (hosts, networks, servers). On devices running ScreenOS 6.3, the new policy appears in the security policy list and supports IPv6 in policy rulebases, IDP, address and attack objects. After you have created a security policy, you can add rules to the new policy. Rules include IPv4, IPv6, VPN, and also VPN link. For more information, see the IDP Concepts & Examples guide. A rule that mixes IPv4 and IPv6 address objects is not allowed. |
| QoS Profiles | Represent the resource reservation control mechanisms rather than the achieved service quality. You can give different priority to different applications, users, or data flows, or guarantee a certain level of performance to a data flow. You can configure QoS in a policy rule, using rule options. There are two types of QoS profiles: DSCP and IP precedence. |
| Schedule Objects | Represent specific dates and times. You can use schedule objects in firewall rules to specify a time or time period during which the rule is in effect. |
| DI Objects | Define the attack signature patterns, protocol anomalies, and the action you want a security device to take against matching traffic. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack. |
| IDP Attack Objects | Represent attack patterns that detect known and unknown attacks. You use IDP attack objects within IDP rules. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack. When you select the IPv6 option, the Protocol tab displays the ICMP6 Packet Header Fields value, and you can then modify the respective configurable parameters. |
| AV Objects | Represent the AV servers, software, and profiles available to devices managed by NSM. |
| ICAP Objects | Represent the Internet Content Adaptation Protocol (ICAP) servers and server groups used in ICAP AV objects. |
| Web Filtering Objects (Web Profiles) | Define the URLs, the Web categories, and the action you want a security device to take against matching traffic. |
| Service Objects | Represent services running on your network, such as FTP, HTTP, and Telnet. NSM contains a database of Service Objects for well-known services; you can also create Service Objects to represent the custom services you are running on your network. |
| SCTP Objects | Provide a reliable transport service that supports data transfer across the network, in sequence and without errors. As of ScreenOS 6.3, the existing SCTP stateful firewall supports protocol filtering. Note: You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection (DI). If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets. |
| User Objects | Represent the remote users that access the network protected by the security device. To provide remote users with access, create a user object for each user, and then create a VPN that includes those user objects. |
| IP Pools | Represent a range of IP addresses. You use IP pools when you configure a DHCP server for your managed devices. |
| Authentication Servers | Represent external authentication servers, such as RADIUS and SecurID servers. You can use an authentication server object to authenticate NSM administrators (RADIUS only), XAuth users, IKE RAS users, L2TP users, and IKEv2 EAP users. NSM provides configuration support for Authentication Manager version 5 or later. This support introduces the concept of a primary server with up to 10 replica servers. In the primary/replica model, each server can process authentication requests. The more current agents send requests to the server, the faster the response. |
| Group Expressions | Are OR, AND, and NOT statements that set conditions for authentication requirements. |
| Remote Settings | Represent DNS and WINS servers. You use a remote settings object when configuring XAuth or L2TP authentication in a VPN. |
| NAT Objects | Represent MIPs, VIPs, and DIPs. |
| GTP Objects | Represent GTP client connections. |
| CA Objects | Represent the certificate authority’s certificate. |
| CRL Objects | Represent the certificate authority’s certificate revocation list. |
You can use the Object Manager to:
- View and/or edit the object properties
- Create, edit, or delete objects
- Create custom groups of objects
For more details on objects, see Chapter 8, “Configuring
Objects,” of the Network and Security Manager Administration
Guide.
Published: 2009-08-20