Help Center User GuideGetting StartedFAQRelease Notes
User Guide
Getting Started
Release Notes

Rule Base Overview

In Security Director, you can configure one type or both types (zone-based or global) of rule bases for each policy. All zone-based rules are grouped under Zone and all devices rules are grouped under Global.

If devices are assigned to a policy that does not have one of the rule bases under its management, Security Director still interprets that rule base as being in its scope. For example, if you configure firewall policies out of band on a device in an unmanaged rule base, Security Director deletes those policies. If you do not select the previously configured rule base in the Security Director modify workflow for the policy, Security Director automatically deletes all rules in the policy in the next publish and update.

Example: Removing a Previously Managed Rule Base

You can remove a managed device from Security Director. To remove a previously managed rule base when no other policies are published on the device except the existing policy, follow these guidelines:

Note: Security Director will continue to delete any all-devices policy configured on the device through the CLI at subsequent publish updates.

Policy Analysis

Over a period of time, firewall rule bases can become inefficient as rules become disorganized, causing some rules to become ineffective. This primarily occurs because of a lack of timely notification given to end users when new rules, or changed rules, are added, which can adversely affect the other rules in the rule base.

This problem can be addressed by analyzing the policy and reporting the anomalies in the rules of a policy to the end user. Policy analysis reports on shadowing and redundant anomalies in a rule; these reports are available in PDF format. Also, policy analysis finds the anomaly between the address and the service of the rules.

Policy analysis helps you to analyze the firewall rule base for policies managed by Security Director, and it identifies the firewall rules that contain the following issues:

The policy analysis report is generated in PDF format and can be sent through e-mail to multiple recipients. The reports contain a summary and a pie chart showing all anomalies. You can schedule the report generation.

The following list shows the policy analysis behavior for different types of firewall policies:

Policy analysis is not performed in the following scenarios:

Related Documentation

Ask questions in TechWiki

Check documentation in TechLibrary

Rating by you:      

Additional Comments

800 characters remaining

May we contact you if necessary?


Need product assistance? Contact Juniper Support