Chapter 1: Configuring
Policies
By default, the ISG 2000 does not allow any traffic between zones. To permit traffic
to cross the firewall, you must create a policy that specifically permits one or more
services to pass from hosts in one zone to hosts in another zone. Because the ISG
2000 performs stateful inspection, you do not need to define a policy to permit
return traffic. The ISG 2000 maintains a session table that matches responses to
requests and thereby determines which traffic arriving at a particular interface does
or does not belong to an existing session.
The command syntax for the core elements of a policy is as follows:
set policy from src_zone to dst_zone src_addr dst_addr service { permit | deny | reject | tunnel }
Addresses
You can use the predefined address “any” to indicate all hosts in a particular
zone—either the source or destination zone. To use a more restrictive source or
destination address, you must define one, using the following command:
set address zone name { ip_addr/netmask | [ host. ] domainname }
For example:
set address dmz web1 1.2.2.2/32
or
set address dmz web1 www.jnpr.net
You can also put a set of addresses together to form a group. Use the following
command:
set group address zone name add name_str
Services
There are over 100 predefined services that you can use when creating policies. You
can use the predefined service “any” to indicate any type of traffic. You can group
services together to apply a policy to all the services in that group. Also, you can
create custom services.
To create a service group, use the following command, repeating it with the same
group name and different service names:
set group service name add service
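The following Python model ties the pieces of this section together: it parses the set address, set group address, set group service and set policy command forms shown above, resolves address and service groups, evaluates policies top-down with first match winning (the ScreenOS evaluation order), and keeps a session table so that return traffic is admitted without a reverse policy, as described at the start of this section. This is an added example, not Juniper code or output from an ISG 2000. The zone, address, group and service names in the sample configuration are constructed, the PREDEFINED_SERVICES table is a small constructed subset of the real predefined services, and only ip_addr/netmask address definitions are handled (the host.domainname form is not resolved).

```python
"""Model of ScreenOS-style zone policies. Added example; not Juniper's code."""
import ipaddress
from dataclasses import dataclass

# Constructed subset of the predefined services (real ScreenOS ships over 100).
PREDEFINED_SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "SSH": ("tcp", 22),
    "DNS": ("udp", 53),
}

# Constructed configuration using only the command forms from this section.
# Policy order matters: the partner-net deny sits above the broader permit.
SAMPLE_CONFIG = """
set address dmz web1 1.2.2.2/32
set address dmz web2 1.2.2.3/32
set group address dmz web-servers add web1
set group address dmz web-servers add web2
set address untrust partner-net 10.9.0.0/16
set group service web-svcs add HTTP
set group service web-svcs add HTTPS
set policy from untrust to dmz partner-net web-servers web-svcs deny
set policy from untrust to dmz any web-servers web-svcs permit
"""


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


class PolicyEngine:
    def __init__(self):
        self.addresses = {}    # (zone, name) -> ip_network
        self.addr_groups = {}  # (zone, name) -> list of member names
        self.svc_groups = {}   # name -> list of service names
        self.policies = []     # ordered list; first match wins
        self.sessions = set()  # 5-tuples of flows permitted so far

    def load(self, config: str) -> None:
        for line in config.strip().splitlines():
            tok = line.split()
            if not tok or tok[0] != "set":
                continue
            if tok[1] == "address":                      # set address zone name ip/mask
                self.addresses[(tok[2], tok[3])] = ipaddress.ip_network(tok[4], strict=False)
            elif tok[1:3] == ["group", "address"]:       # set group address zone name add member
                self.addr_groups.setdefault((tok[3], tok[4]), []).append(tok[6])
            elif tok[1:3] == ["group", "service"]:       # set group service name add service
                self.svc_groups.setdefault(tok[3], []).append(tok[5])
            elif tok[1] == "policy":                     # set policy from SZ to DZ SRC DST SVC ACTION
                self.policies.append((tok[3], tok[5], tok[6], tok[7], tok[8], tok[9]))
            else:
                raise ValueError(f"unsupported line: {line}")

    def _addr_match(self, zone, name, ip) -> bool:
        if name == "any":
            return True
        if (zone, name) in self.addresses:
            return ipaddress.ip_address(ip) in self.addresses[(zone, name)]
        # Otherwise treat the name as a group and recurse into its members.
        return any(self._addr_match(zone, m, ip) for m in self.addr_groups.get((zone, name), []))

    def _svc_match(self, name, proto, port) -> bool:
        if name == "any":
            return True
        if name in PREDEFINED_SERVICES:
            return PREDEFINED_SERVICES[name] == (proto, port)
        return any(self._svc_match(m, proto, port) for m in self.svc_groups.get(name, []))

    def handle(self, pkt: Packet) -> str:
        """Return 'session', a policy action, or 'default-deny' for a packet."""
        fwd = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # Stateful inspection: packets of an existing session skip policy lookup.
        if fwd in self.sessions or rev in self.sessions:
            return "session"
        for sz, dz, src, dst, svc, action in self.policies:
            if (sz, dz) != (pkt.src_zone, pkt.dst_zone):
                continue
            if not (self._addr_match(sz, src, pkt.src_ip) and self._addr_match(dz, dst, pkt.dst_ip)):
                continue
            if not self._svc_match(svc, pkt.proto, pkt.dst_port):
                continue
            if action in ("permit", "tunnel"):
                self.sessions.add(fwd)
            return action
        return "default-deny"  # no policy between these zones matched


def demo() -> dict:
    fw = PolicyEngine()
    fw.load(SAMPLE_CONFIG)
    r = {}
    # Partner host to web1 over HTTP: the deny policy is hit before the permit.
    r["partner_http"] = fw.handle(Packet("untrust", "dmz", "10.9.1.1", "1.2.2.2", "tcp", 40000, 80))
    # Other untrust host to web2 over HTTPS: permitted, and a session is recorded.
    r["inet_https"] = fw.handle(Packet("untrust", "dmz", "203.0.113.5", "1.2.2.3", "tcp", 50000, 443))
    # Reply from web2: no dmz-to-untrust policy exists, the session table admits it.
    r["reply"] = fw.handle(Packet("dmz", "untrust", "1.2.2.3", "203.0.113.5", "tcp", 443, 50000))
    # Unsolicited SSH from the dmz outward: nothing matches, so the default applies.
    r["dmz_ssh"] = fw.handle(Packet("dmz", "untrust", "1.2.2.3", "203.0.113.5", "tcp", 40001, 22))
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The two dmz-to-untrust packets make the stateful point concrete: the reply to a permitted HTTPS request is admitted by the session table, while a new connection in the same direction falls through to the default deny because no policy covers it.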
NOTE: For a complete explanation of all the elements that you can use when creating a
policy, see the chapter on policies in the Fundamentals volume in the NetScreen
Concepts & Examples ScreenOS Reference Guide.
NOTE: For information about creating and grouping addresses, see the section on
addresses in the NetScreen Concepts & Examples ScreenOS Reference Guide.