
[EOL/EOE] [NSM] Pre and post rules limited to 250 rules each


Article ID: KB23078 | KB Last Updated: 18 Oct 2020 | Version: 2.0
Summary:
Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.
This article provides information about the design limitation of NSM domain pre and post rules being limited to 250 rules each. 
Symptoms:
  • Pre-rules and post-rules are two sets of rules of any rulebase type, which can be created for any domain.

  • Configuration of pre/post rules is located in the main navigational tree under Policy Manager > Central Manager Policies. Domain Administrators can edit domain level policies from this option.

  • Pre rules are applied before any rules of a rulebase are applied to a device, and post rules are applied after any rules of a rulebase are applied to a device.

  • Pre rules and post rules in the integrated view are not editable.

  • There is only one instance of pre/post rules for a specific domain.

  • Domain hierarchy is used when applying pre/post rules to sub-domains. Within any sub-domain, global domain pre rules take precedence over sub-domain pre rules, which take precedence over Security policy specific rules.

  • Similarly, Security policy rules take precedence over sub-domain post rules, which take precedence over global domain post rules.

 
Cause:
There is no mention of Domain Pre- and Post- rule limits in documentation.
Solution:
 In NSM Policy Manager, a user can create domain-based pre and post rules. Each domain is limited to 250 pre rules and 250 post rules. Policy numbering is also restricted to the specific ranges listed below:
 
  • Sub-Domain Pre-Rules: 998750 to 998999

  • Sub-Domain Post-Rules: 998500 to 998749

  • Global Domain Pre-Rules: 999250 to 999499

  • Global Domain Post-Rules: 999000 to 999249

  • CM Pre-Rules: 999750 to 999999

  • CM Post-Rules: 999500 to 999749
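
When auditing a device policy, the ranges above identify which layer a rule came from and how much of each 250-rule budget is used. The following Python sketch is an added example, not Juniper code: the function names and the sample IDs are constructed for illustration. It treats any ID outside the reserved ranges as an ordinary security policy rule (an assumption) and orders only the five layers whose precedence the article states, leaving CM rules unranked.

```python
from collections import Counter

# Policy ID ranges from the article (inclusive); each spans exactly 250 IDs.
RANGES = {
    "sub-domain pre": (998750, 998999),
    "sub-domain post": (998500, 998749),
    "global pre": (999250, 999499),
    "global post": (999000, 999249),
    "CM pre": (999750, 999999),
    "CM post": (999500, 999749),
}
LIMIT = 250
# Precedence the article states for a sub-domain, highest first.
# CM layers are left out because the article gives no precedence for them.
ORDER = ["global pre", "sub-domain pre", "policy", "sub-domain post", "global post"]


def layer_of(policy_id):
    """Return the layer whose reserved range contains policy_id, else 'policy'."""
    for name, (lo, hi) in RANGES.items():
        if lo <= policy_id <= hi:
            return name
    return "policy"  # assumption: IDs outside the reserved ranges are ordinary rules


def audit(policy_ids):
    """Count distinct IDs per reserved layer and report free slots under the limit."""
    counts = Counter(layer_of(i) for i in set(policy_ids))
    return {name: {"used": counts[name], "free": LIMIT - counts[name]} for name in RANGES}


def evaluation_order(policy_ids):
    """Sort IDs by the stated layer precedence; IDs in one layer keep input order."""
    ranked = [i for i in policy_ids if layer_of(i) in ORDER]
    return sorted(ranked, key=lambda i: ORDER.index(layer_of(i)))


if __name__ == "__main__":
    sample = [12, 999001, 998750, 999250, 7, 998500, 999750]  # constructed IDs
    # Every reserved range is exactly 250 IDs wide, which is where the limit comes from.
    assert all(hi - lo + 1 == LIMIT for lo, hi in RANGES.values())
    print(evaluation_order(sample))
    for name, stats in audit(sample).items():
        print(f"{name:16} used={stats['used']:3} free={stats['free']:3}")
```
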
Modification History:
2020-10-18: Tagged article for EOL/EOE.
 