One of the limitations on the ScreenOS platform is that there is no way to write security policies for traffic with a destination of the firewall ip address. (self traffic). There are some basic tools:
You can choose per interface what types of mgmt traffic will work at all (ping, ssh, http, etc)
You can restrict by ip address the use of mgmt ports like ssh http
But for traffic like this were the fire expects legitiimate connections there is no way to apply restrictions.
On Junipers newer platform the SRX, you can create standard security polices for self traffic. The zone for these is junos-host.