Configure Task Modules in the NSM User Interface Overview
The Configure task includes the following top-level modules:
Device Manager
Security Policies
VPN Manager
Object Manager
The Device Manager contains the device objects that represent your security devices. Table 1 describes the objects that you can create in Device Manager.
Table 1: Device Objects in Device Manager
Security devices and systems: The devices you use to enable access to your network and to protect your network against malicious traffic.
Vsys device: A vsys is a virtual device that exists within a physical security device.
Cluster: A cluster is two security devices joined together in a high availability configuration to ensure continued network uptime.
Vsys cluster device: A vsys cluster device is a vsys device that has a cluster as its root device.
Extranet device: Firewalls or VPN devices that are not Juniper Networks security devices.
Template: A template is a partial device configuration that you can define once and then use for multiple devices.
Device group: A device group is a user-defined collection of devices.
Security policies contain the firewall, multicast, and VPN rules that control traffic on your network. Using a graphical, easy-to-use rule-building platform, you can quickly create and deploy new policies to your security devices.
Use security policies to:
Add or modify existing security policies
Add or modify existing VPN rules
Add or modify existing IDP rules
Create policies based on existing policies
Install policies on one or multiple security devices
Devices running ScreenOS 6.3 support IPv6 in policy rulebases, IDP, address objects, and attack objects. You can also configure IPv6 host, network, and multicast addresses. For more information on IPv6 support, see the Network and Security Manager Administration Guide.
If the device configurations that you imported from your security devices contained policies, the Security Policies module displays those imported policies. For details on editing those imported policies or creating policies, see Chapter 9, “Configuring Security Policies”, or Chapter 10, “Configuring VPNs”, of the Network and Security Manager Administration Guide.
The VPN Manager contains the VPN abstractions that control the VPN tunnels between your managed devices and remote users. Using VPN objects, such as protected resources and IKE proposals, you can create multiple VPNs for use in your security policies.
Use the VPN Manager to:
Define the protected resources on your network. Protected resources represent the network resources you want to protect in a VPN.
Create custom IKE phase 1 and 2 proposals.
In ScreenOS 6.1 or later, users can set “group 14” for phase 1 and 2 proposals.
Configure AutoKey IKE, L2TP, and L2TP-over-AutoKey IKE VPNs in policy-based or route-based modes. You can also create an AutoKey IKE mixed-mode VPN to connect policy-based VPN members with route-based VPN members.
Configure AutoKey IKE and L2TP policy-based VPNs for remote access server (RAS) and include multiple users.
In ScreenOS 6.1 or later, AutoKey IKE VPNs and AutoKey IKE RAS VPNs support IKEv2 parameters.
The Object Manager contains objects, which are reusable, basic NSM building blocks that contain specific information. You use objects to create device configurations, policies, and VPNs. All objects are shared, meaning they can be used by all devices and policies in the domain.
Table 2 describes the objects that you can create in NSM.
Table 2: Objects in Object Manager
Address objects: Represent components of your network (hosts, networks, servers). On devices running ScreenOS 6.3, the new policy appears in the security policy list and supports IPv6 in policy rulebases, IDP, address objects, and attack objects. After you have created a security policy, you can add rules to the new policy. Rules include IPv4, IPv6, VPN, and VPN link rules. For more information, see the IDP Concepts & Examples guide. A rule that combines IPv4 and IPv6 address objects is not allowed.
QoS profiles: Represent the resource reservation control mechanisms rather than the achieved service quality. You can give different priority to different applications, users, or data flows, or guarantee a certain level of performance to a data flow. You configure QoS in a policy rule, using the rule options. There are two types of QoS profiles: DSCP and IP precedence.
Schedule objects: Represent specific dates and times. You can use schedule objects in firewall rules to specify a time or time period during which the rule is in effect.
Attack objects: Define the attack signature patterns, protocol anomalies, and the action you want a security device to take against matching traffic. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing the IP settings and header matches of a custom attack.
IDP attack objects: Represent attack patterns that detect known and unknown attacks. You use IDP attack objects within IDP rules. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing the IP settings and header matches of a custom attack. When you select the IPv6 option, the Protocol tab displays the ICMP6 Packet Header Fields value, and you can then modify the respective configurable parameters.
AV objects: Represent the AV servers, software, and profiles available to devices managed by NSM.
ICAP objects: Represent the Internet Content Adaptation Protocol (ICAP) servers and server groups used in ICAP AV objects.
Web filtering objects (Web profiles): Define the URLs, the Web categories, and the action you want a security device to take against matching traffic.
Service objects: Represent services running on your network, such as FTP, HTTP, and Telnet. NSM contains a database of service objects for well-known services; you can also create service objects to represent the custom services you are running on your network.
SCTP objects: Represent SCTP, a reliable transport service that supports data transfer across the network, in sequence and without errors. As of ScreenOS 6.3, the existing SCTP stateful firewall supports protocol filtering.
Note: You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection (DI). If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets.
User objects: Represent the remote users that access the network protected by the security device. To provide remote users with access, create a user object for each user, and then create a VPN that includes those user objects.
IP pools: Represent a range of IP addresses. You use IP pools when you configure a DHCP server for your managed devices.
Authentication servers: Represent external authentication servers, such as RADIUS and SecurID servers. You can use an authentication server object to authenticate NSM administrators (RADIUS only), XAuth users, IKE RAS users, L2TP users, and IKEv2 EAP users. NSM provides configuration support for Authentication Manager version 5 or later, which introduced the concept of a primary server with up to 10 replica servers. In the primary/replica model, each server can process authentication requests; more current agents send their requests to the server that responds fastest.
Group expressions: OR, AND, and NOT statements that set conditions for authentication requirements.
Remote settings: Represent DNS and WINS servers. You use a remote settings object when configuring XAuth or L2TP authentication in a VPN.
NAT objects: Represent MIPs, VIPs, and DIPs.
GTP objects: Represent GTP client connections.
Certificate authorities: Represent the certificate authority’s certificate.
CRL objects: Represent the certificate authority’s certificate revocation list.
You can use the Object Manager to:
View or edit object properties
Create, edit, or delete objects
Create custom groups of objects
For more details on objects, see Chapter 8, “Configuring Objects,” of the Network and Security Manager Administration Guide.