Technical Documentation

Managing Devices in a Virtual Environment Using NSM

A production network is a living entity, constantly evolving to adapt to the needs of your organization. As your network grows, you might need to add new devices, reconfigure existing devices, update software versions on older devices, or integrate a new network to work with your existing network. NSM helps you take control of your network by providing a virtual environment in which to first model, verify, and then update your managed devices with changes.

The following topics describe the device management features in NSM:

Device Modeling

Using your virtual network to change, review, and test your network configuration before deploying it to your physical network can help you discover problems like routing issues, IP conflicts, and version mismatches across your entire network before they actually occur. NSM includes configuration validation to help you identify device configuration errors and missing information, and then points you to the trouble spot so you can quickly fix the problem. When you have designed a virtual configuration that works, you can push this configuration to your devices with a single update.

With NSM, you can implement a new routing protocol across your network, design and deploy a new security policy with traffic shaping, or create a VPN tunnel that connects a branch office to your corporate network—then deploy all changes with a single click.

Rapid Deployment (RD)

Rapid Deployment enables deployment of multiple security devices in a large networked environment with minimal user involvement. Rapid Deployment is designed to simplify the staging and configuration of security devices in non-technical environments, enabling the secure and efficient deployment of a large number of devices.

To use Rapid Deployment, the NSM administrator creates a small file (called a configlet) in NSM, and then sends that configlet to an onsite administrator who has local access to the security device. With the help of the Rapid Deployment wizard, the onsite administrator installs the configlet on the device, which then automatically contacts NSM and establishes a secure connection for device management.

Rapid Deployment is ideal for quickly bringing new security devices under NSM management for initial configuration. You can model and verify your device configurations for undeployed devices, and then install the completed device configuration when the device contacts NSM.

Policy-Based Management

You can create simplified and efficient security policies for your managed devices using the Policy-Based Management feature. Table 1 describes the different policy-based management features:

Table 1: Policy-Based Management Options

Option: Description

Groups: Group your devices by platform, ScreenOS version, location, or function, and then add them to your security policies.

Zone Exceptions: Simplify your rules by defining a common To Zone and From Zone for all devices in the rule, and then specify zone exceptions to change the To and From zones for specific devices. Zone exceptions add flexibility to your firewall rules, enabling you to manage more devices in a single rule.

Filtering: Filter on From and To Zones to see the rules between two zones.

Scheduling: Schedule a period during which a security policy is in effect on the devices in a rule. Create schedule objects as one-time, recurring, or both; you can even select multiple schedule objects in a single firewall rule.

Security and Protection: Configure a rule to look for attacks, viruses, or specific URLs (devices running ScreenOS 5.x only).

Traffic Shaping: Use your firewall rules to control the amount of traffic permitted through your security devices.
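The zone exception, filtering, and scheduling options in Table 1 can be understood as one rule that expands into a per-device rule set. The following is an added example written for this page to illustrate that expansion; it is not NSM's own data model, API, or configlet format, and every class, field, and device name in it (Rule, OneTimeSchedule, RecurringSchedule, fw-branch1, fw-dc, and so on) is an assumption constructed for the illustration. It shows how a common From/To Zone applies to every device in a rule, how a per-device exception overrides those zones, how one-time and recurring schedule objects decide whether the rule is in effect, and how a From/To Zone filter picks out the rules between two zones.

```python
"""Illustrative model of a policy rule with zone exceptions, schedules and
zone filtering. Example code written for this page; it is NOT NSM's data
model or API. All names and sample devices below are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass(frozen=True)
class OneTimeSchedule:
    """A schedule object that is active for a single [start, end) window."""
    start: datetime
    end: datetime

    def active(self, now: datetime) -> bool:
        return self.start <= now < self.end


@dataclass(frozen=True)
class RecurringSchedule:
    """A schedule object active on given weekdays (0=Mon..6=Sun) between
    a start and end time of day."""
    weekdays: frozenset
    start: time
    end: time

    def active(self, now: datetime) -> bool:
        return now.weekday() in self.weekdays and self.start <= now.time() < self.end


@dataclass
class Rule:
    """One policy rule covering several devices with a common From/To Zone."""
    name: str
    from_zone: str
    to_zone: str
    devices: list
    # device name -> (from_zone, to_zone) override for that device only
    zone_exceptions: dict = field(default_factory=dict)
    # rule is in effect when ANY attached schedule object is active;
    # a rule with no schedule objects is always in effect
    schedules: list = field(default_factory=list)

    def effective_zones(self, device: str):
        """Zones the rule uses on this device, honouring any zone exception."""
        return self.zone_exceptions.get(device, (self.from_zone, self.to_zone))

    def in_effect(self, now: datetime) -> bool:
        if not self.schedules:
            return True
        return any(s.active(now) for s in self.schedules)

    def expand(self, now: datetime):
        """Per-device (device, from_zone, to_zone) entries the rule yields
        at time `now`; empty if no schedule object is active."""
        if not self.in_effect(now):
            return []
        return [(d, *self.effective_zones(d)) for d in self.devices]


def filter_by_zones(rules, now: datetime, from_zone=None, to_zone=None):
    """Filtering option: list (rule, device, from, to) entries between two
    zones. A zone left as None matches any zone."""
    hits = []
    for rule in rules:
        for device, frm, to in rule.expand(now):
            if (from_zone is None or frm == from_zone) and (to_zone is None or to == to_zone):
                hits.append((rule.name, device, frm, to))
    return hits


# Constructed sample rule: Trust -> Untrust on three devices, with the
# data-centre firewall overridden to DMZ -> Trust, in effect Mon-Fri 08:00-18:00.
WORKDAYS = frozenset({0, 1, 2, 3, 4})
SAMPLE_RULE = Rule(
    name="branch-to-dc",
    from_zone="Trust",
    to_zone="Untrust",
    devices=["fw-branch1", "fw-branch2", "fw-dc"],
    zone_exceptions={"fw-dc": ("DMZ", "Trust")},
    schedules=[RecurringSchedule(WORKDAYS, time(8, 0), time(18, 0))],
)

if __name__ == "__main__":
    thursday = datetime(2009, 8, 20, 10, 0)   # constructed timestamp, a weekday
    for entry in SAMPLE_RULE.expand(thursday):
        print(entry)
    print(filter_by_zones([SAMPLE_RULE], thursday, from_zone="DMZ"))
```

The point of the model is the review step the page describes: expanding a rule in the virtual environment shows exactly which From/To Zone pair each device would receive, and which devices drop out when no schedule object is active, before anything is pushed to the physical devices.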


Published: 2009-08-20