Configure Task Modules in the NSM User Interface Overview

The Configure task includes the following top-level modules:

Device Manager

The Device Manager contains the device objects that represent your security devices. Table 7 describes the objects that you can create in Device Manger.

Table 7: Device Objects in Device Manager

Device Object


Security devices and systems

The devices you use to enable access to your network and to protect your network against malicious traffic.

Vsys devices

A vsys is a virtual device that exists within a physical security device.


A cluster is two security devices joined together in a high availability configuration to ensure continued network uptime.

Vsys cluster

A vsys cluster device is a vsys device that has a cluster as its root device.

Extranet devices

Firewalls or VPN devices that are not Juniper Networks security devices.


A template is a partial device configuration that you can define once and then use for multiple devices.

Device Groups

A device group is a user-defined collection of devices.

Security Policies

Security policies contain the firewall, multicast, and VPN rules that control traffic on your network. Using a graphical, easy-to-use rule building platform, you can quickly create and deploy new policies to your security devices.

Use security policies to:

Note: Devices running ScreenOS 6.3, support IPv6 in policy rulebases, IDP, address objects, and attack objects. You can also configure IPv6 host, network, and multicast addresses. For more information on IPv6 support, see the Network and Security Manager Administration Guide..

If the device configurations that you imported from your security devices contained policies, security policies display those imported policies. For details on editing those imported polices or creating policies, see Chapter 9, “Configuring Security Policies”, or Chapter 10, “Configuring VPNs”, of the Network and Security Manager Administration Guide.

VPN Manager

The VPN Manager contains the VPN abstractions that control the VPN tunnels between your managed devices and remote users. Using VPN objects, such as protected resources and IKE Pproposals, you can create multiple VPNs for use in your security policies.

Use the VPN Manager to:

Object Manager

The Object Manager contains objects, which are reusable, basic NSM building blocks that contain specific information. You use objects to create device configurations, policies, and VPNs. All objects are shared, meaning they can be shared by all devices and policies in the domain.

Table 8 describes the objects that you can create in NSM.

Table 8: Objects in Object Manager



Address Objects

Represent components of your network (hosts, networks, servers). On devices running ScreenOS 6.3, he new policy appears in the security policy list and supports IPv6 in policy rule bases, IDP, address and attack objects. After you have created a security policy, you can add rules to the new policy. Rules include IPv4, IPv6, VPN, and also VPN link. For more information, see the IDP Concepts & Examples guide. A rule with combination of IPv4 or IPv6 address objects is not allowed.

QoS Profiles

Represent the resource reservation control mechanisms rather than the achieved service quality. You can provide different priority to different applications, users, or data flows, or to guarantee a certain level of performance to a data flow. You can configure QoS into a policy role, using role options. There are two types of QoS profiles and they are DSCP and IP precedence.

Schedule Objects

Represent specific dates and times. You can use schedule objects in firewall rules to specify a time or time period that the rule is in effect.

DI Objects

Define the attack signature patterns, protocol anomalies, and the action you want a security device to take against matching traffic. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack.

IDP Attack Objects

Represent attack patterns that detect known and unknown attacks. You use IDP attack objects within IDP rules. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack. When you select the IPv6 option, the Protocol tab displays the ICMP6 Packet Header Fields value, and then you can also modify the respective configurable parameters.

AV Objects

Represent the AV servers, software, and profiles available to devices managed by NSM.

ICAP Objects

Represent the Internet Content Adaptation Protocol (ICAP) servers and server groups used in ICAP AV objects.

Web Filtering Objects (Web Profiles)

Define the URLs, the Web categories, and the action you want a security device to take against matching traffic.

Service Objects

Represent services running on your network, such as FTP, HTTP, and Telnet. NSM contains a database of Service Objects for well-known services; you can also create Service Objects to represent the custom services you are running on your network.

SCTP Objects

Provide a reliable transport service that supports data transfer across the network, in sequence and without errors. s of ScreenOS 6.3, the existing SCTP stateful firewall supports protocol filtering.

Note: You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection (DI). If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets.

User Objects

Represent the remote users that access the network protected by the security device. To provide remote users with access, create a user object for each user, and then create a VPN that includes those user objects.

IP Pools

Represent a range of IP addresses. You use IP pools when you configure a DHCP server for your managed devices.

Authentication Servers

Represent external authentication servers, such as RADIUS and SecureID servers. You can use an authentication server object to authenticate NSM administrators (RADIUS only), XAuth users, IKE RAS users, L2TP users, and IKEv2 EAP users. NSM provides configuration support for Authentication Manager version 5 or later. This provision has introduced the concept of a primary server with up to 10 replica servers. In the Primary/Replica version, each server can process authentication requests. The more current agents will send to the server, the faster the responder.

Group Expressions

Are OR, AND, and NOT statements that set conditions for authentication requirements.

Remote Settings

Represent DNS and WINS servers. You use remote settings object when configuring XAuth or L2TP authentication in a VPN.

NAT Objects

Represent MIPs, VIPs, and DIPs.

GTP Objects

Represent GTP client connections.

CA Objects

Represent the certificate authority’s certificate.

CRL Objects

Represent the certificate authority’s certificate revocation list.

You can use the object Manager to:

For more details on objects, see Chapter 8, “Configuring Objects,” of the Network and Security Manager Administration Guide.

Related Documentation