Abstract

NetScreen firewalls use different components to build policies, and several of these components are required for a policy. This chapter explores these components and how to create them for use in a policy. Components can be created via the Web user interface (WebUI) or the command line interface (CLI); each method generates the same result, but the process is different. The chapter begins by discussing the main ideas of policies on a NetScreen firewall. When creating the list of policies, one must create policies from least specific to most specific. This applies the specific policies to the traffic first, as the least specific policies may unintentionally match your traffic. Three types of policies are considered, and how and where they take effect is discussed. All three are very similar, but they are classified based upon the combination of zones in the policy. When creating policies on a NetScreen firewall, one builds them out of components, which must be created before one makes a policy. Each component on a NetScreen firewall is treated as an object. The components discussed in this chapter are the main components for a policy. Address objects represent hosts or subnets of IP addresses. Service objects can be a strange concept. Many competing firewall products create services as a single protocol; if one wants to create several services and represent them as a compilation, one must make a group. On a NetScreen firewall, a service object can contain up to eight protocols. This allows one to take an entire suite of protocols and make them into one logical object. Finally, this chapter uses the components that have been created to form policies.
