Juniper ISG 2000 User Manual
ISG 2000 User’s Guide
14 Policies
To create a custom service using the TCP or UDP protocols, use the following command:
set service name protocol { tcp | udp } [ src-port number-number ] dst-port number-number [ timeout number ]
In our example, you need to create the following addresses and policies:
set address dmz web1 1.2.2.2/32
set address dmz mail-relay 1.2.2.3/32
set address trust mail1 10.1.1.4/32
set policy id 1 from trust to dmz mail1 mail-relay mail permit log count
set policy id 2 from trust to dmz any web1 http permit log count
set policy id 3 from trust to untrust any any any permit log count
set policy id 4 from dmz to trust mail-relay mail1 mail permit log count
set policy id 5 from dmz to untrust mail-relay any mail permit log count
set policy id 6 from untrust to dmz any web1 http permit log count
set policy id 7 from untrust to dmz any mail-relay mail permit log count
save
The keyword log instructs the ISG 2000 to create entries in its traffic log for all
traffic to which the policy applies. The keyword count instructs the ISG 2000 to
keep a running tally of the number of bytes to which the policy applies. Both
options are useful tools when analyzing traffic patterns and diagnosing problems.
To view the policies that you have created, use the get policy command:
get policy
Total regular policies 7, Default deny.
ID  From     To       Src-address  Dst-address  Service  Action  State    ASTLCB
1   Trust    DMZ      mail1        mail-relay   MAIL     Permit  enabled  ---XXX
2   Trust    DMZ      Any          web1         HTTP     Permit  enabled  ---XXX
3   Trust    Untrust  Any          Any          ANY      Permit  enabled  ---XXX
4   DMZ      Trust    mail-relay   mail1        MAIL     Permit  enabled  ---XXX
5   DMZ      Untrust  mail-relay   Any          MAIL     Permit  enabled  ---XXX
6   Untrust  DMZ      Any          web1         HTTP     Permit  enabled  ---XXX
7   Untrust  DMZ      Any          mail-relay   MAIL     Permit  enabled  ---XXX
The order of policies in the list determines the order in which the ISG 2000 applies
them. The ISG 2000 first notes the five-part tuple of source and destination zone,
source and destination address, and service in a packet arriving at one of its
interfaces. It then searches for a policy whose components match all five parts of
the tuple by starting at the top of the list and continuing down until it finds a match.
If it does not find a match, it drops the packet.
NOTE: For information about creating and grouping services, see the section on services
in the NetScreen Concepts & Examples ScreenOS Reference Guide.
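The following is an added example, not part of the ISG 2000 manual: a small model of the ordered, first-match, default-deny lookup described above, run over the page's own seven set policy lines. The zone, address-book and service names are the manual's; the packet tuples in the test are constructed, and "any" is assumed to be the only wildcard.

```python
# Added example (not from the ISG 2000 manual): model the five-tuple policy
# lookup. Policies are checked top-down; the first policy whose zone pair,
# addresses and service all match decides the action. No match -> drop
# (the "Default deny" shown by "get policy").
from typing import Optional

# The manual's own configuration, embedded here as constructed input.
POLICY_CONFIG = """
set policy id 1 from trust to dmz mail1 mail-relay mail permit log count
set policy id 2 from trust to dmz any web1 http permit log count
set policy id 3 from trust to untrust any any any permit log count
set policy id 4 from dmz to trust mail-relay mail1 mail permit log count
set policy id 5 from dmz to untrust mail-relay any mail permit log count
set policy id 6 from untrust to dmz any web1 http permit log count
set policy id 7 from untrust to dmz any mail-relay mail permit log count
"""


def parse_policies(config: str) -> list[dict]:
    """Parse 'set policy id N from A to B src dst svc action [log] [count]'
    lines, preserving their order (order is what the firewall evaluates)."""
    policies = []
    for line in config.strip().splitlines():
        t = line.split()
        if len(t) < 12 or t[:3] != ["set", "policy", "id"] \
                or t[4] != "from" or t[6] != "to":
            raise ValueError(f"unrecognised policy line: {line!r}")
        policies.append({
            "id": int(t[3]), "from": t[5], "to": t[7], "src": t[8],
            "dst": t[9], "service": t[10], "action": t[11],
            "options": t[12:],  # e.g. ["log", "count"]
        })
    return policies


def _matches(policy_value: str, packet_value: str) -> bool:
    # "any" is the wildcard; names are compared case-insensitively because
    # "get policy" prints them differently from the set command (mail/MAIL).
    return policy_value.lower() in ("any", packet_value.lower())


def lookup(policies: list[dict], src_zone: str, dst_zone: str,
           src: str, dst: str, service: str) -> tuple[Optional[int], str]:
    """Return (policy id, action) of the first match, or (None, 'deny')."""
    packet = (src_zone, dst_zone, src, dst, service)
    for p in policies:
        fields = (p["from"], p["to"], p["src"], p["dst"], p["service"])
        if all(_matches(f, v) for f, v in zip(fields, packet)):
            return p["id"], p["action"]
    return None, "deny"  # fell off the end of the list: default deny
```

Because policy 2 uses any as its source, mail1 reaching web1 over http is permitted by policy 2 even though policy 1 names mail1 explicitly; a host in the DMZ other than mail-relay trying to reach mail1 matches nothing and is dropped.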