PrepAway - Latest Free Exam Questions & Answers

Which are two (2) advanced policy configuration options?


A.
Schedule

B.
Service group

C.
Authentication

D.
Source address

E.
Action (permit, deny, tunnel)

Explanation:
Schedule
A schedule is a configurable object that you can associate with one or more policies to define when they are in
effect. Through the application of schedules, you can control network traffic flow and enforce network security.
The schedule option can be found under the advanced policy section. When you define a schedule, enter values for the following parameters:
Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.
Comment: Any additional information that you want to add.
Recurring: Enable this when you want the schedule to repeat on a weekly basis.
Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.
Once: Enable this when you want the schedule to start and end only once.
mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.
Service Group
Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. The ScreenOS includes predefined core Internet services. Additionally, you can define custom services. You can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted.
Authentication
Selecting this option requires the auth user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the local database or an external RADIUS, SecurID, or LDAP auth server to perform the authentication check. The authentication options can be found under the advanced policy section. NetScreen provides two authentication schemes:
Run-time authentication, in which the NetScreen device prompts an auth user to log on when it receives HTTP, FTP or Telnet traffic matching a policy that has authentication enabled
WebAuth, in which a user must authenticate himself or herself before sending traffic through the NetScreen device
Source Address
You can apply source address translation (NAT-src) at the policy level. With NAT-src, you can translate the source address on either incoming or outgoing network and VPN traffic. The new source address can come from either a dynamic IP (DIP) pool or the egress interface. NAT-src also supports source port address translation (PAT).
Action
An action is an object that describes what the firewall does to the traffic it receives.
Deny blocks the packet from traversing the firewall.
Permit allows the packet to pass the firewall.
Reject blocks the packet from traversing the firewall. The NetScreen device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP "destination unreachable, port unreachable" message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is "deny".
Tunnel encapsulates outgoing IP packets and decapsulates incoming IP packets. For an IPSec VPN tunnel, specify which VPN tunnel to use. For an L2TP tunnel, specify which L2TP tunnel to use. For L2TP-over-IPSec, specify both an IPSec VPN tunnel and an L2TP tunnel.
The NetScreen device applies the specified action on traffic that matches the previously presented criteria: zones (source and destination), addresses (source and destination), and service.
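As an added illustration (not ScreenOS code and not part of the original explanation), the following Python models the schedule and action rules described above so that a policy's effect on a packet can be checked offline; the dict layout, function names and the sample business-hours schedule are assumptions.

```python
from datetime import datetime

RECURRING = "recurring"  # repeats weekly; up to two time periods per weekday
ONCE = "once"            # single start/stop datetime window

def schedule_active(schedule, now):
    """True if the schedule (a dict, or None for 'no schedule') is in effect at `now`."""
    if schedule is None:
        return True  # a policy without a schedule is always in effect
    if schedule["kind"] == ONCE:
        return schedule["start"] <= now <= schedule["stop"]
    periods = schedule["days"].get(now.strftime("%A").lower(), [])
    if len(periods) > 2:
        raise ValueError("at most two time periods per day")
    hhmm = now.strftime("%H:%M")  # "HH:MM" strings compare correctly as text
    return any(start <= hhmm <= stop for start, stop in periods)

def reject_response(protocol):
    """What 'reject' sends back to the source host for a given transport protocol."""
    if protocol == "tcp":
        return "TCP RST"
    if protocol == "udp":
        return "ICMP type 3 code 3"
    return None  # anything else is silently dropped, exactly like 'deny'

def apply_policy(policy, protocol, now):
    """Outcome for traffic matching `policy`: (what happens, notification to source)."""
    if not schedule_active(policy.get("schedule"), now):
        return ("no match", None)  # policy not in effect; lookup continues
    action = policy["action"]
    if action == "permit":
        return ("forwarded", None)
    if action == "deny":
        return ("dropped", None)
    if action == "reject":
        return ("dropped", reject_response(protocol))
    if action == "tunnel":
        return ("encapsulated into " + policy["tunnel"], None)
    raise ValueError("unknown action: " + action)

# Constructed sample: a weekday business-hours schedule with a lunch gap,
# i.e. two time periods per day, the maximum the page allows.
BUSINESS_HOURS = {"kind": RECURRING, "days": {
    day: [("08:00", "12:00"), ("13:00", "17:00")]
    for day in ("monday", "tuesday", "wednesday", "thursday", "friday")}}
REJECT_IN_HOURS = {"action": "reject", "schedule": BUSINESS_HOURS}
```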