Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1 Administration Manual

Juniper Networks
Network and Security
Manager
Administration Guide
Release
2010.3
Published: 2010-08-17
Revision 1
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.3 - ADMINISTRATION GUIDE REV1

  • Page 1 Juniper Networks Network and Security Manager Administration Guide Release 2010.3 Published: 2010-08-17 Revision 1 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 6
  • Page 7: Table Of Contents

    Devices Running Junos OS, page 16
  • Page 8 SSL VPN Secure Access Products, page 20; Juniper Networks IC Series Unified Access Control Appliances, page 21; Extranet Devices
  • Page 9 Viewing Logged Administrators, page 89
  • Page 10 Device, page 121; Adding and Importing a Junos Device with a Dynamic IP Address, page 124
  • Page 11 Adding the Cluster Members, page 159
  • Page 12 Updating the Configuration on the Device, page 196
  • Page 13 Reordering Lists, page 227
  • Page 14 Device States During Update, page 257
  • Page 15 Restoring SA or IC Devices, page 281
  • Page 16 Data Model Importing, page 307
  • Page 17 Creating DI Profiles, page 334
  • Page 18 Configuring Web Filtering Objects, page 373
  • Page 19 Configuring Local User Groups, page 400
  • Page 20 About Rules, page 434
  • Page 21 Configuring Antispam Rules, page 462
  • Page 22 Entering Comments for APE Rules, page 484
  • Page 23 Session Limiting, page 496
  • Page 24 Deleting a Rule, page 510
  • Page 25 Adding a Rule to a Source NAT Rule Set, page 533
  • Page 26 Creating PKI Defaults, page 560
  • Page 27 Adding a VPN Rule, page 606
  • Page 28 Free Ports View, page 631
  • Page 29 Viewing IDP Device Statistics, page 679
  • Page 30 Configuring Permitted Objects, page 709
  • Page 31 Device Limitations for Viewing Logs, page 733
  • Page 32 Setting a Port Number Range Filter, page 761
  • Page 33 Exporting to CSV, page 793; Using CSV Required and Optional Format-Specific Filters, page 794
  • Page 34 Configuring the Chart Type, page 813
  • Page 35 Index, page 947
  • Page 36
  • Page 37 Figure 31: DMZ Dual Untrust Port Mode, page 109
  • Page 38 Figure 74: Attack Update Summary, page 292
  • Page 39 Figure 109: Viewing Summary Panel, page 767
  • Page 40 Figure 118: Top Configuration Changes Report, page 818
  • Page 41 Table 26: Validation Icons, page 191
  • Page 42 Table 62: Administrators View, page 671
  • Page 43 Table 108: Audit Log Information, page 779
  • Page 44 Table 126: Information Log Entries, page 942
  • Page 45: About This Guide

    NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and current versions of Junos OS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.
  • Page 46: Conventions

    Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR). Key names linked with a plus (+) sign (for example, Ctrl + d) indicate that you must press two or more keys simultaneously.
  • Page 47: Documentation

    It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation or upgrade of NSM.
  • Page 48 Release Notes differs from the information found in the documentation set, follow the Release Notes. Release notes are included on the corresponding software CD and are available on the Juniper Networks website. Network and Security Manager Configuring Infranet Controllers: Provides details about configuring the device features for all supported Infranet Controllers.
  • Page 49: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 50: Opening A Case With Jtac

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html
  • Page 51: Getting Started With Nsm

    NSM role-based administration tools. Part 1 contains the following chapters: Introduction to Network and Security Manager on page 3; Planning Your Virtual Network on page 41; Configuring Role-Based Administration on page 61.
  • Page 52
  • Page 53: Introduction To Network And Security Manager

    Introduction to Network and Security Manager Juniper Networks Network and Security Manager (NSM) gives you complete control over your network. Using NSM, you can configure all your Juniper Networks devices from one location, at one time. This chapter contains the following sections:...
  • Page 54: Security Integration

    Activities and Roles—An activity is a predefined task performed in the NSM system. A role is a collection of activities that defines an administrative function. Use activities to create custom roles for your NSM administrators.
  • Page 55: Centralized Device Configuration

    Grouping—A group is a collection of similar devices or objects. Use device groups and object groups to update multiple devices simultaneously, simplify rule creation and deployment, and enable group-specific reporting. You can even link groups using Group Expressions to create a custom group.
  • Page 56: Device Management

    Create simplified and efficient security policies for your managed devices. You can manage security policies either in a Central Policy Manager or through in-device policy management, depending on the type of device. The tools at your disposal are also device-dependent, but can include:
  • Page 57: Error Prevention, Recovery, And Auditing

    Because the device no longer needs to maintain a constant connection to the management system during updating, you can configure changes to the management connection from the NSM UI.
  • Page 58: Device Image Updates

    VPN, start from a system perspective: Determine which users and networks need access to each other, and then add those components to the VPN. Using AutoKey IKE, you can create the following VPNs with VPN Manager:
  • Page 59: Integrated Logging And Reporting

    Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains: Name of the command; Date and time the command was sent; Completion status for each device that received the command.
  • Page 60: Technical Overview

    The management system also provides a programmatic interface for integrating NSM into larger enterprise business systems. This NSM API provides an alternative interface to that provided by the UI. For details, see the Network and Security Manager API Guide.
  • Page 61: User Interface

    Device, security policy, and VPN configuration; NSM administrator accounts, device administrator accounts, and domains; Objects. The GUI server also organizes and presents log entries from security devices. These log entries are actually stored on the Device Server.
  • Page 62: Table 5: Gui Server Processes

    If the GUI Server computer and the Device Server computer have a firewall between them, you must configure a rule on that firewall to permit NSM management traffic. Table 6 on page 13 describes the processes that the Device Server runs when you start
  • Page 63: Managed Devices

    Firewall and IDP (ScreenOS/IDP) Devices on page 13 Devices Running Junos OS on page 16 SSL VPN Secure Access Products on page 20 Juniper Networks IC Series Unified Access Control Appliances on page 21 Extranet Devices on page 21 Firewall and IDP (ScreenOS/IDP) Devices...
  • Page 64 ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3; Juniper Networks SSG5-ISDN-WLAN: ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3; Juniper Networks SSG5-Serial: ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3
  • Page 65 Juniper Networks IDP100: IDP 4.0, 4.1; Juniper Networks IDP200: IDP 4.0, 4.1, 5.0; Juniper Networks IDP 250: IDP 4.1, 5.0; Juniper Networks IDP500: IDP 4.0, 4.1; Juniper Networks IDP 600C: IDP 4.0, 4.1, 5.0
  • Page 66: Devices Running Junos Os

    Devices running Junos OS and managed by NSM are listed in the following sections: Juniper Networks J Series Services Routers and SRX Series Services Gateways on page 16 Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers on page 18 Juniper Networks EX Series Ethernet Switches on page 19 NOTE: NSM only supports the domestic version of the Junos OS and not the export version.
  • Page 67: Table 8: J Series Services Routers And Srx Series Services Gateways Nsm Supports

    Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1; Juniper Networks SRX3600: Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1; Juniper Networks SRX5600: Junos OS Release 9.3, 9.4, 9.5, 9.6, 10.1; Juniper Networks SRX5600–Modular: Junos OS Release 9.5, 9.6, 10.1
  • Page 68: Table 9: M Series Multiservice Edge Routers And Mx Series Ethernet Services Routers Nsm Supports

    Juniper Networks SRX5800–Modular: Junos OS Release 9.5, 9.6, 10.1. Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers: Table 9 on page 18 lists the M Series and MX Series Routers, and the versions of Junos OS that NSM supports.
  • Page 69: Table 10: Ex Series Ethernet Switches Nsm Supports

    Juniper Networks MX960 with IDP services: Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1. Juniper Networks EX Series Ethernet Switches: Table 10 on page 19 lists the Ethernet Switches and the versions of Junos OS that NSM supports. Table 10: EX Series Ethernet Switches NSM Supports...
  • Page 70: Ssl Vpn Secure Access Products

    SA Release 6.3, 6.4, 6.5 Juniper Networks Secure Access 6000 SA Release 6.3, 6.4, 6.5 (FIPS) Juniper Networks Secure Access 6500 SA Release 6.3, 6.4, 6.5 Juniper Networks Secure Access 6500 SA Release 6.3, 6.4, 6.5 (FIPS)
  • Page 71: Juniper Networks Ic Series Unified Access Control Appliances

    Juniper Networks IC Series Unified Access Control Appliances: In a Unified Access Control (UAC) solution, Infranet Controller (IC) products provide policy management. ScreenOS firewalls can provide the enforcement points. Table 12 on page 21 lists the Infranet Controller products and firmware versions supported by NSM 2010.3.
  • Page 72: Device Schemas

    Network-Security Manager. Device families introduced in Release 2008.1 and later are described by schemas that are maintained on a schema repository owned by Juniper Networks. These schemas can be added dynamically to NSM. These devices include:...
  • Page 73: Working In The User Interface

    The NSM UI appears after you log in, and displays a set of menus and toolbar icons at the top of the UI window. For some components, right-click menus are available to perform tasks. Figure 3 on page 24 shows a sample UI screen.
  • Page 74: Navigation Tree

    For details about each module, see “NSM Modules” on page 25. Common Tasks Pane The Common Tasks pane provides links to commonly accessed tasks throughout the UI. These common tasks change depending on what tasks are often selected in the UI.
  • Page 75: Main Display Area

    You can select which log entries and what log information is shown using log filters or by changing the column settings. Use the Log Viewer to: View summarized information about security events and alarms. View information about a specific log entry.
  • Page 76 You can customize Realtime Monitor to display only the information you want to see, as well as to update information at specified intervals. You can also set alarm criteria for a device or process. For more details on Realtime Monitor, see “Realtime Monitoring” on page 649.
  • Page 77: Configure Modules

    Clusters—Two managed devices joined together in a high availability configuration to ensure continued network uptime. Vsys cluster—A vsys device that has a cluster as its root device. Extranet devices—Firewalls or VPN devices that are not Juniper Networks security devices.
  • Page 78 IKE Proposals, you can create multiple VPNs for use in your security policies. Use the VPN Manager to: Define the protected resources on your network—the network resources you want to protect in a VPN. Create custom IKE Phase 1 and 2 Proposals.
  • Page 79 AV objects—Represent the AV servers, software, and profiles available to devices managed by NSM. ICAP objects—Represent the Internet Content Adaptation Protocol (ICAP) servers and server groups used in ICAP AV objects. GTP objects—Represent GTP client connections.
  • Page 80 Extranet policies objects—Enable you to configure and manage extranet devices, such as routers from other vendors. Binary Data—Enables efficient management of large binary data files used in the configuration of Secure Access and Infranet Controller devices.
  • Page 81: Administer Modules

    Table 13: Validation Status for Devices (columns: Icon, Meaning). Error: Indicates that a configuration or parameter is not configured correctly in the NSM UI. Updating a device with this modeled configuration will cause problems on the device.
  • Page 82: Validation And Data Origination Icons

    Configuration Group: Indicates the value was inherited from a configuration group. Changes to the configuration group are also shown in the device edit dialog box.
  • Page 83: Working With Other Nsm Administrators

    UI screen or dialog box. To locate a word, begin typing the word. The search window appears in the top left of the selected screen or dialog box. The UI attempts to match your entry to an existing
  • Page 84: Contains String [C] Search Mode

    MS-RPC-ANY, as shown in Figure 5 on page 34. Figure 5: “Contains String” Search Mode Example Starts With [S] Search Mode Use to locate a pattern at the beginning of a string. For example, to locate the pattern “OR” in devices:
  • Page 85: Regular Expression [R] Search Mode

    Figure 7: “Regular Expression” Search Mode Details The UI automatically highlights the first match; click the down arrow key to highlight the next match. Both matches are shown in Figure 8 on page 36.
  • Page 86: Ip [I] Search Mode

    If you select a different column, such as Name, and perform the same search, the results differ. Figure 9 on page 37 shows both search results. NOTE: NSM Release 2009.1 allows you to search for an IP address with its specific netmask.
  • Page 87: Search For An Exact Match (E)

    Select any entry in the column, and then press the backslash key (\) to display Name the search mode window. Enter and then type NSM highlights the matching object as depicted in Figure bbbb.
  • Page 88: Global Search

    Regular Expression type of search. If you select , you can click the button to view a list of services. Service Select Service Check the desired services and click to select multiple services. Your selection
  • Page 89: New Feature In 2010.3

    Use the buttons above the list of search results to add or search for more results, edit a result, and delete a result. Click Close to exit the search. New Feature in 2010.3 NSM release 2010.3 introduces support for configuring NAT on devices that run on the Junos OS.
  • Page 90
  • Page 91: Chapter 2 Planning Your Virtual Network

    Creating an Information Banner on page 57 Configuring Devices Overview To manage Juniper Networks devices that already exist on your network, you can import their device configurations into NSM. Each imported device appears in the NSM UI, where you can view or make changes to the device, such as change settings in the device configuration, edit the security policy for the device, and upgrade device firmware.
  • Page 92: Importing Existing Devices

    NOTE: Juniper Networks also offers security devices with Intrusion Detection and Prevention (IDP) capability. For details on how to enable IDP functionality on these devices, see “Configuring IDP-Capable Devices Overview” on page 45. Importing Existing Devices For networks with deployed devices, if you have already designed, staged, and set up a working physical device, you don’t need to repeat that process;...
  • Page 93: Modeling New Devices

    For details on adding devices, see “Adding Devices” on page 97. Modeling New Devices For new networks or networks that do not use a previously deployed Juniper Networks device, you should review your network topology thoroughly and design a security system that works for your organization.
  • Page 94: Editing A Device Configuration

    Conversely, the device configuration can be edited by the device administrator using the device's native GUI or CLI. To synchronize the device object configuration in NSM with the actual device, you must then reimport the device.
  • Page 95: Configuring Idp-Capable Devices Overview

    When deployed inline in your network, Juniper Networks Intrusion Detection and Prevention (IDP) technology can detect—and stop—attacks. Unlike IDS, IDP uses multiple methods to detect attacks against your network and prevent attackers from gaining access and doing damage.
  • Page 96: Enabling Jumbo Frames (Isg1000 Only)

    Select ScreenOS/IDP from the OS Name list. Select nsISG1000 from the Platform list. Select 6.0 or greater from the Managed OS Version list. Select the Enable Jumbo Frame check box, and then click Finish.
  • Page 97: Enabling Idp Functionality

    IDP and DI databases and the IDP detector engine, download new attack objects from the attack object database server to the GUI Server. NOTE: You must have DNS enabled on the NSM GUI server before you can update your attack objects.
  • Page 98: Adding Objects (Optional)

    When creating a new security policy for your IDP deployment, we highly recommend you use a security policy template. Each security policy template contains the IDP rulebase
  • Page 99 Inline—In the inline mode, IDP is directly in the path of traffic on your network and can detect and block attacks. For example, you can deploy the ISG2000 or ISG1000 with integrated firewall/VPN/IDP capabilities between the Internet and the enterprise LAN, WAN, or special zones such as DMZ.
  • Page 100 Add this rulebase to your security policy when you want to configure rules that detect backdoor activity on your internal network. For details on configuring rules in the Backdoor Detection Rulebase, see “Configuring Backdoor Rules” on page 486.
  • Page 101 Add attack objects—Add the attacks you want the IDP security module to match in the monitored network traffic. Each attack is defined as an attack object, which represents a known pattern of attack. Whenever this known pattern of attack is
  • Page 102 To assign an existing policy to the ISG2000 or ISG1000 device: In Device Manager, right-click the ISG2000 or ISG1000 device and select Policy > Assign Policy. From the Security Policy Name list, select the security policy you just created. Validate the security policy (optional).
  • Page 103: Reviewing Idp Logs

    IDP rules. Log entries are often a valuable insight into your network traffic. You can see where traffic is coming from, where traffic is going to, and what malicious content (if any) the traffic contains.
  • Page 104: Maintaining Idp

    NSM management features. These features include: Using Device Groups on page 55; Using Device Templates on page 55; Using Configuration Groups on page 55.
  • Page 105: Using Device Groups

    A special use of configuration groups is to apply configuration data to different members of a cluster. For details about configuration groups, see “Using Configuration Groups” on page 221.
  • Page 106: Merging Policies

    You use the naming convention nation_state_platform_name for your security devices. Your devices use names similar to the following: us_ca_ns5gt_01, us_co_ns204_05, us_tx_ns5200_10. Example: Using a Naming Convention for Address Objects. For address objects that represent networks or hosts, use the following naming convention: state_function_service_00.
  • Page 107: Creating An Information Banner

    You can add an information banner from Central Manager or from a regional server. Adding an Information Banner This procedure assumes that a Central Manager administrator is logged onto a Central Manager client or a super user is logged into a regional server.
  • Page 108: Figure 11: Selecting The Gui Server In Central Manager

    Edit icon, as shown in Figure 11 on page 58. Figure 11: Selecting the GUI Server in Central Manager Enter the customized text in the Log In Warning Message text box, and then click OK, as shown in Figure 12 on page 59.
  • Page 109: Figure 12: Setting Up An Information Banner

    The message is immediately available to NSM users connected to the server, as shown in Figure 13 on page 59. Figure 13: Information Banner Login into Central Manager The NSM user must click Yes to access the GUI server.
  • Page 110: Modifying An Information Banner

    Double-click the GUI server for which you want to delete the banner server-wide. Delete the customized text in the Log In Warning Message text box, and then click The message is immediately removed from the login screen to all NSM users server-wide.
  • Page 111: Chapter 3 Configuring Role-Based Administration

    CHAPTER 3 Configuring Role-Based Administration This chapter details how to use the Juniper Networks Network and Security Manager (NSM) role-based administration (RBA) feature to configure domains, administrators, and roles to manage your network. Your organization probably already has an existing permission structure that is defined by job titles, responsibilities, and geographical access to your security devices.
  • Page 112: About Roles

    Read-Only role, can create and run their own reports. You can define multiple NSM administrators and assign dedicated roles to each administrator: A role is a set of activities that specify the functions the administrator can perform.
  • Page 113: Enterprise Organizations

    Each enterprise defines administrative roles differently. With NSM, you have the flexibility to create the appropriate permission level. Geographical Divisions To manage large, geographically diverse networks, you can create domains for each separate geographical location. Typically, the larger the Enterprise, the deeper and more
  • Page 114: Administrator Types

    IT group—Integrates new devices into the existing network infrastructure. This group has roles with activities for setting up Layer 2 and Layer 3 aspects of the device (IP addressing, Routing, VLANs, Syslog, and so on). Within the IT group, the network
  • Page 115: Service Providers

    Telcos and Service Providers use their networks to generate revenue. Customers pay the MSSP to deploy devices and to manage the VPN or firewall infrastructure. MSSPs use different role structures that best match their organizational structure:
  • Page 116: Configuring Role-Based Administration

    From the menu bar, click Tools > Manage Administrators and Domains to display the RBA settings for NSM: Administrators—Configure administrators for NSM or IDP. Roles—View or edit default roles, or create your own custom roles for your NSM or IDP administrators.
  • Page 117: Creating Administrators

    For locally authenticated administrators, the NSM management server handles authentication. You must specify the password that NSM uses to authenticate the administrator; the administrator must enter this password at the NSM UI login screen. NOTE: All NSM passwords are case-sensitive.
  • Page 118: Table 15: How To Authenticate Users

    The NSM user is authenticated based on the rules listed in Table 15 on page 68. Table 15: How to Authenticate Users (columns: User in Database, User Domain Defined, Local Auth Mode, Auth Rule Mode, Authentication Results, Authorization). First row: Local; Local; Authenticates user locally; Local.
  • Page 119 Figure 14 on page 70 shows the format for a custom role. The format for the custom role of NS-NSM-User-Role-Mapping is: domainName1:domainName2.roleName, where domainName1 is the domain that the current user can access, and domainName2 is the domain that the current role (roleName) belongs to.
  • Page 120: Figure 14: Creating Custom Domain

    If a user is defined in the local database or defined in a RADIUS server, NSM uses a role mapping list from the local database. The custom roles must be created in NSM. If the custom role belongs to a subdomain, it must be created in that subdomain. If the role is
  • Page 121: Figure 15: User In Domain "Global" With A Predefined Role

    RADIUS server. Figure 15: User in Domain “global” with a Predefined Role. Figure 16: User in Domain “global” with Custom Role “r1”. The “r1” role was created in NSM in the “global” domain.
  • Page 122: Figure 17: User In Subdomain "D1" With A Predefined Role

    Figure 18: User in Subdomain “d1” With a Custom Role “r1” Create the custom role “r1” in the subdomain “d1.” Figure 19: Assigning Multiple Roles to a User in Global Domain Roles “r1” and “r2” are the custom roles assigned to the user.
  • Page 123: Figure 20: Assigning Multiple Roles To A User In Subdomain

    The user role “r1” is defined in the global domain, but the user has access to only the subdomain d1 and therefore gets the global role “r1.” Figure 22: Assigning Roles Defined in Domain “global” to Subdomain Only
  • Page 124: Configuring Roles

    An activity is a predefined task that defines access to a function in NSM. To assign one or more activities to an NSM administrator, create a role that includes those activities and assign the role to the administrator.
  • Page 125: Table 16: Predefined Nsm Administrator Activities

    Central Manager at the global domain and subdomain levels as well as on regional servers in standalone NSM installations. This activity allows Central Manager to install Central Manager pre/post rules into a Regional server.
  • Page 126 CA Objects (Delete, Edit, View): A CA object represents a Certificate Authority, a trusted third party that verifies an electronic signature. Catalog Objects (Create, Delete, Edit, View): Catalog objects enable the management of report folders.
  • Page 127 Device Admins (Import): Device administrators have permissions to administer the devices through the CLI or UI for the device itself. Importing a device administrator allows that administrator to use the NSM UI.
  • Page 128 Job Manager information details. Note: All passwords handled by NSM are case-sensitive. Device Reboot (Reboot): A device reboot is a reboot command sent to a managed device to power down, and then power up.
  • Page 129 Use failover to enable the device to switch traffic from the primary interface to the backup interface, and from the backup to the primary when both primary and backup interfaces are bound to the Untrust zone.
  • Page 130 IDP Devices (Create, Delete, Edit, View): Enables a system manager to create, delete, edit, or view IDP devices. IDP Cluster Monitor (View): Enables a system administrator to run the IDP Cluster Monitor and monitor IDP clusters.
  • Page 131 (Edit, View) License (Install, View): This activity allows an administrator to install or view a new NSM license. Logged in Admins (View): This activity allows an administrator to view the administrators logged into NSM.
  • Page 132 (Delete, Edit, View): Allows an administrator to manage custom objects added to a Policy Objects table. Policy Custom Field Metadata Objects (Create, Delete, Edit, View): Allows an administrator to manage metadata used in defining custom Policy objects. Policy Lookup Table (Modify)
  • Page 133 Security Explorer (View): Allows an administrator to run the Security Explorer, a graphical tool that enables you to visualize and correlate network behavior based on data collected in the Profiler, Log Viewer, and Report Manager.
  • Page 134 “Shared Reports” to “My Reports”. Subdomain and Groups (View, Create, Edit, Delete): A subdomain is a separate, unique representation of other networks that exist within your larger network.
  • Page 135 URL Filtering (Create, Delete, Edit, View): Allows an administrator to manage a web filtering profile for all devices by binding the profile to a firewall rule.
  • Page 136: Roles And Permissions

    Permissions Changes in Release 2008.1 In Release 2008.1, the Create Device, Device Groups & Templates role does not allow Import Device, that is, the importing of the configuration from the device into NSM.
  • Page 137: Table 17: Changes To Edit Devices, Device Groups, & Templates Activity

    Activities listed in Table 17 include: Set Admin Ports (4.x devices only); Set Admin SSH Enable/Disable (4.x devices only); Failover Device; BGP Operations (Modify BGP Peer Session, BGP Refresh Route, BGP Update Route on Peer); Update AV Pattern.
  • Page 138: Table 18: Changes To View Devices, Device Groups, & Templates Role

    ScreenOS/IDP devices, which includes the virtual router, routing configuration on the interface, and policy-based routing (PBR). IDP Policy Configuration (for EX Series switches)—Allows editing of policy configuration of EX Series switches in the device itself.
  • Page 139: Viewing Logged Administrators

    Logged In Administrators menu item. By default, this activity is assigned to the predefined system administrator role. Forcing an Administrator to Log Out As of Release 2007.3, the system administrator can forcibly log out an administrator.
  • Page 140: Creating Subdomains

    NOTE: Objects and groups defined in the global domain are not visible in subdomains. Viewing Current Domain Detail The domain detail displays the subdomains, administrators, their roles, and authentication server for the currently selected domain (subdomains appear only when you view the global domain).
  • Page 141: Example: Configuring Role-Based Administration

    Configure the following four subdomains: MA_company1, NH_company2, RI_company3, VT_company4. Click OK to save your changes. Step 2: Create the Subdomain Administrator In this step, you create a subdomain administrator with full permissions for the domain.
  • Page 142: Step 3: Create The Viewing And Reporting Administrator

    In the Permissions tab, click the Add icon, then configure the role as Viewing & Reporting and the Domain as MA_company1. Click OK to save your changes and return to the Administrators tab, which now displays the following administrators:
  • Page 143: Figure 23: Manage Administrators And Domains: Administrators Tab

    Manager, Job Manager, and the Audit Log Viewer do not appear). Additionally, all Add, Edit, and Delete icons appear in gray, indicating that the administrator cannot perform these tasks. Repeat for each subdomain and customer administrator.
  • Page 145 PART 2 Integrating: Adding Devices on page 97; Configuring Devices on page 185; Updating Devices on page 239; Managing Devices on page 261.
  • Page 147: Chapter 4 Adding Devices

    CHAPTER 4 Adding Devices This chapter provides information about adding Juniper Networks devices to your network. These devices can include routers and switches, as well as the security devices that protect your network against malicious traffic. Juniper Networks Network and Security Manager (NSM) can manage all Juniper Networks devices running ScreenOS 5.x and later, IDP 4.0 and later, Junos 9.0 and later, IC 2.2 or...
  • Page 148: About Device Creation

    J Series devices—Highly secure routers that can be added to your network and managed through NSM. SRX Series gateways—Firewall/VPN systems that have integrated service layer technologies such as IDP, AV, or Web Filtering. M Series and MX Series routers—Carrier Ethernet routers and services routers.
  • Page 149: Adding Devices

    Chapter 4: Adding Devices Unified Access Control (Infranet Controller) devices—The policy management server of the Juniper Networks LAN access control solution. SSL VPN (Secure Access) devices. Virtual Chassis—Stacked EX Series devices functioning as one logical EX Series switch or an SRX cluster represented in NSM as a virtual chassis.
  • Page 150: Verifying Device Configuration

    Before adding a device to NSM, decide the following: Will you import or model the device? Will the device reside in the global domain or a subdomain? Will you add one or many devices?
  • Page 151: Importing Versus Modeling

    Finally, activate the device (using the Activate Device wizard) by configuring a connection between the management system and the physical device, and then update the modeled configuration to the device.
  • Page 152: Device Add Process

    After you have created subdomains, you can load a specific subdomain automatically when you log in to the UI. You must have access to that subdomain, and permissions to create, edit, and view devices in that subdomain.
  • Page 153: Figure 24: Connecting Devices From Different Domains In Vpns

    Model many ScreenOS devices at one time. Model, create configlets for, and activate multiple ScreenOS devices at one time for use with Rapid Deployment. NOTE: You cannot use the Add Many Devices wizard to add multiple IDP devices.
  • Page 154: Specifying The Os And Version

    OS. For example, NSM no longer supports devices running 4.x or earlier versions of ScreenOS. If you are not running a supported version, you must upgrade your devices before adding them into the management system. Contact Juniper Networks customer support for details.
  • Page 155: Figure 25: Trust-Untrust Port Mode Bindings

    By default, there are no restrictions for traffic from the Home zone to the Untrust zone. See Figure 26 on page 105 for port, interface, and zone bindings. Figure 26: Home-Work Port Mode Bindings This mode provides the following bindings:
  • Page 156: Figure 27: Dual-Untrust Port Mode Bindings

    NOTE: The serial interface is not available in Dual Untrust port mode. Combined Port Mode Combined mode enables both primary and backup interfaces to the Internet and the segregation of users and resources in Work and Home zones.
  • Page 157: Figure 28: Combined Port Mode Bindings

    Web, e-mail, or other application servers from the internal network. NOTE: The Trust/Untrust/DMZ port mode is supported only on the NetScreen-5GT Extended platform. See Figure 29 on page 108 for port, interface, and zone bindings.
  • Page 158: Figure 29: Trust-Untrust-Dmz Port Mode Bindings

    See Figure 30 on page 108. Figure 30: Extended Port-Mode Interface to Zone Bindings. Table 19 on page 108 provides the Extended mode interface-to-zone bindings. Table 19: Extended Bindings (columns: Port; Interface; Zone). First row: Untrusted port; Untrust interface; Untrust zone.
  • Page 159: Figure 31: Dmz Dual Untrust Port Mode

    Binds the Ethernet port 4 to the ethernet3 interface, which is bound to the Untrust security zone. Binds the Untrust Ethernet port to the ethernet4 interface, which is bound to the Untrust security zone.
  • Page 160: Table 20: Security Device Port Mode Summary (Part 1)

    Table 20 on page 110 and Table 21 on page 110 summarize the port, interface, and zone bindings provided by the ScreenOS port modes. Port numbers are as labeled on the Juniper Networks security device chassis. The Trust-Untrust mode entries represent the default port modes.
  • Page 161: Changing The Port Mode

    Workflow support by device type (columns: Workflow; ScreenOS; Secure Access (SA); Infranet Controller (IC); Junos device families, including MX Series devices). Workflow rows: Device is reachable; Model, activate device; Rapid deployment (configlets); Device discovery.
  • Page 162: Importing Devices

    NSM for that device. To help avoid accidental configuration overwriting, when you attempt to import a configuration from a currently managed security device, NSM prompts you for confirmation to import. NOTE: IDP rulebases cannot be imported.
  • Page 163: Requirements

    From the domain menu, select the domain in which to import the device. In Device Manager, select Devices. Click the Add icon and select Device to open the Add Device wizard. Select Device is Reachable (default). Click Next. The Specify Connection Settings dialog box opens.
  • Page 164 “ns5GT-Trust-Untrust-DMZ” and sets the license mode to Extended. To check the device configuration status, mouse over the device in Device Manager (you can also check configuration status in Device Monitor). The device status displays as
  • Page 165: Idp Sensors

    This action will take a moment. Verify that the device type, OS version, device serial number, and device mode are correct. The host name from the device is also discovered. You can change this name if desired.
  • Page 166: Junos Devices

    Click Next to have NSM import settings already present on the Sensor. Click Finish to complete the add operation. An IDP 4.1 or later sensor is also updated with the Juniper Networks Recommended policy. IDP 4.0 Sensors cannot use the Recommended policy.
  • Page 167: Sa And Ic Devices

    From the Configure panel of the NSM main navigation tree, select Device Manager > Devices. Click the Device Tree tab, click the New button, and select Device. The New Device dialog box appears. Select Device is Reachable and click Next.
  • Page 168: Adding Devices With Dynamic Ip Addresses

    NSM Device Server IP address and port. Use a MIP to configure the device to connect to the NSM Device Server through a mapped IP address and port.
  • Page 169 To check the device configuration status, mouse over the device in Device Manager or check in Device Monitor. The device status displays as “Managed”, indicating that the device has connected and the management system has successfully imported the device configuration.
  • Page 170: Idp Sensors

    NSM. The commands enable management and set the management IP address to the Device Server IP address, enable the Management Agent, set the Unique External ID, and set the device OTP.
  • Page 171: Device

    The following sections explain how to add a Secure Access or Infranet Controller device: Install and Configure the Secure Access or Infranet Controller Device on page 122; Add the Device in NSM on page 122.
  • Page 172 In the Specify Name, Color, OS Name, Version, and Platform screen: Enter a name and select a color to represent the device in the UI. From the OS Name list, select SA for a Secure Access device, or IC for an Infranet Controller device,
  • Page 173 In the Primary Port field, enter 7804. Fill out the Backup Server and Backup Port fields if a high availability Device Server is configured. In the Device ID field, enter the unique external ID provided by the NSM administrator.
  • Page 174: Adding And Importing A Junos Device With A Dynamic Ip Address

    Install and Configure a Junos Device on page 125; Add the Device in NSM on page 125; Configure and Activate Connectivity on a Junos Device on page 126; Confirm Connectivity and Import the Device Configuration into NSM on page 127.
  • Page 175 NSM Device Server IP address and port. Use a MIP to configure the device to connect to the NSM Device Server through a mapped IP address and port. Click Next.
  • Page 176 For devices running the 9.1 and later versions of the operating system, use the following command syntax (the Junos statement is spelled outbound-ssh; the secret is the one-time password NSM generated for the device, and the device-id is the unique external ID NSM assigned to it): set system services outbound-ssh client <name> secret <secret string> services netconf device-id <external-id from nsm> <nsm device server ip> port 7804
  • Page 177: Verifying Imported Device Configurations

    The next step is to verify the imported configuration using the Device Monitor or the Device Manager. See “Verifying Imported Device Configurations” on page 127 for details. Verifying Imported Device Configurations After importing a device, verify that all device information was imported as you expected.
  • Page 178: Using Device Manager

    CLI commands for administrators that do not have the assigned activity “View Device Passwords”. By default, only the super administrator has this assigned activity. Job Manager also tracks the status of configuration summaries, described in the following sections.
  • Page 179: Using Configuration Summaries

    CLI commands used in the device configuration and generates a summary report that lists those commands. For a just-imported device, the get running config summary report displays the device configuration currently running on the physical device.
  • Page 180: Modeling Devices

    From the domain menu, select the domain in which you want to model the device. In Device Manager, select Devices. Click the Add icon, and then select Device. The device wizard appears. Select Model Device, and then click Next.
  • Page 181: Creating A Device Configuration

    (IP addresses, zones, and interfaces) that is available for import. You can create a configuration for the device object in NSM, and then install that configuration on the device.
  • Page 182: Activating A Device

    If you selected an SSH version, click Next. The Verify Device Authenticity dialog box opens. The device wizard displays the RSA key fingerprint of the device's SSH host key. To prevent man-in-the-middle attacks, verify that fingerprint against a value obtained out of band (for example, read from the device console) before you accept it.
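    A worked example for that fingerprint check, added here and not code from the guide or the wizard: it builds an ssh-rsa public key line in the OpenSSH format from constructed RSA parameters (the modulus is a made-up number, not a real key), computes the MD5 colon-hex fingerprint (the form management tools of this era displayed) and the SHA256 fingerprint, and compares what the wizard shows against the value obtained out of band using a constant-time comparison. Function names are the example's own.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint': two's-complement big-endian, leading 0x00 if the top bit is set."""
    if n == 0:
        return _ssh_string(b"")
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)


def rsa_public_key_line(e: int, n: int, comment: str = "device-hostkey") -> str:
    """Encode (e, n) as an OpenSSH 'ssh-rsa <base64 blob> <comment>' line."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def fingerprints(key_line: str) -> dict:
    """Return the MD5 (colon-hex) and SHA256 (OpenSSH style) fingerprints of a key line.

    Both hash the raw key blob, which is exactly what ssh-keygen -l hashes."""
    parts = key_line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
        "sha256": "SHA256:" + sha,
    }


def _normalize_md5(fp: str) -> str:
    fp = fp.strip().lower()
    if fp.startswith("md5:"):
        fp = fp[4:]
    return fp.replace(":", "")


def fingerprint_matches(key_line: str, expected: str) -> bool:
    """True if the key the wizard presents has the fingerprint recorded out of band.

    Accepts either style of expected value; the comparison is constant-time so a
    wrong fingerprint cannot be distinguished by timing how far the match got."""
    shown = fingerprints(key_line)
    expected = expected.strip()
    if expected.startswith("SHA256:"):
        return hmac.compare_digest(shown["sha256"], expected)
    return hmac.compare_digest(_normalize_md5(shown["md5"]), _normalize_md5(expected))


if __name__ == "__main__":
    # Constructed parameters: e = 65537, n = a made-up 1024-bit number (not a real key).
    key = rsa_public_key_line(65537, (1 << 1023) + 12345)
    print(fingerprints(key))
    print("matches recorded value:", fingerprint_matches(key, fingerprints(key)["md5"]))
```

If the value the wizard shows does not match the one recorded from the device, do not proceed: an attacker between the NSM Device Server and the device could otherwise present their own host key and capture the credentials NSM sends.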
  • Page 183 Click Update Now to update the configuration on the device with the settings from the modelled device. If you do not update the configuration now, you will have to do it manually later by right-clicking the device and selecting Update Device.
  • Page 184 Network and Security Manager Administration Guide Updating the device also pushes the Juniper Networks Recommended policy to the device. After update is complete, the device status displays as “Managed”, indicating that the device has connected and the management system has successfully pushed the device configuration.
  • Page 185: Devices With Dynamic Ip Addresses

    Update the device configuration by right-clicking the device and selecting Update Device. The Job Information box displays the job type and status for the update. When the job status displays successful completion, click Close.
  • Page 186 NSM. NOTE: All passwords handled by NSM are case-sensitive. Click Finish to complete the Add Device wizard and include the new device in the Device Manager list.
  • Page 187 NSM authenticates itself to the device based on user name and password. In the Device List, verify the connection status of the newly added device. The status changes from “Never connected” to “Up.”
  • Page 188: Using Rapid Deployment (Screenos Only)

    RD is supported on the following security devices: ns204, ns208, ns25, ns50, ns5GT-Combined, ns5GT-Dmz-Dual-Untrust, ns5GT-Dual-Untrust, ns5GT-Extended, ns5GT-Home-Work, ns5GT-Trust-Untrust, ns5GTadsl-Extended, ns5GTadsl-Home-Work, ns5GTadsl-Trust-Untrust, ns5GTadslwlan-Extended, ns5GTadslwlan-Home-Work, ns5GTadslwlan-Trust-Untrust, ns5GTwlan-Combined, ns5GTwlan-Dmz-Dual-Untrust, ns5GTwlan-Dual-Untrust, ns5GTwlan-Extended, ns5GTwlan-Home-Work, ns5GTwlan-Trust-Untrust, ns5XP, ns5XT-Combined, ns5XT-Dual-Untrust, ns5XT-Home-Work, ns5XT-Trust-Untrust, nsHSC-Home-Work, nsHSC-Trust-Untrust.
  • Page 189 To use rapid deployment: The device must be running ScreenOS 5.x or later release. The device must use default factory settings.
  • Page 190: Creating The Configlet

    NSM Device Server IP address and port. Use a MIP to configure the device to connect to the NSM Device Server through a mapped IP address and port. Click Next. Specify the connection setting on the device:
  • Page 191 ANSI T1.413 Issue 2 Mode. ITU G.992.1 Mode: enables the ADSL interface to use the International Telecommunications Union (ITU) G.dmt standard, which supports minimum data rates of 6.144 Mbps downstream and 640 Kbps upstream.
  • Page 192 After the onsite administrator has installed the configlet, the device automatically connects to the management system and the status displays “Update Needed”,
  • Page 193: Installing The Configlet

    Save the configlet on the standalone computer that you connected to the security device. In a Web browser, enter the IP address of the trust interface on the security device (192.168.1.1). The Rapid Deployment Wizard appears.
  • Page 194 The NSM administrator can now configure the device using NSM. NOTE: If the configlet installation process fails, you must reset the device to factory defaults. For details, see the user’s guide that came with the security device.
  • Page 195: Updating The Device Configuration

    NSM displays the delta configuration results for both devices. Click Update. Close the Job Information window and select Job Manager from the main navigation tree. Select Update Device to see the update device job results for both devices.
  • Page 196: Fails

    A Virtual System (vsys) is a virtual device that exists within a physical security device. The vsys device functions as a completely separate security device. The physical device, called the root device, can contain multiple vsys devices. The following Juniper Networks security devices can be root devices:...
  • Page 197: Figure 32: Connecting Vsys Devices Across Domains

    To add vsys devices in a single subdomain, add the root device to that subdomain. An example is shown in Figure 32 on page 147. Figure 32: Connecting Vsys Devices Across Domains Importing Vsys Devices Importing vsys devices is a two-stage process:
  • Page 198: Modeling Vsys Devices

    Import or model the root device. Use the Add Device wizard to add the root device to the appropriate domain. For details, see “Importing Devices” on page 112 or “Modeling Devices” on page 130.
  • Page 199 Device Manager, or by checking the configuration status in Device Monitor). Ensure that the configuration status for the vsys displays “Update Needed”, which indicates that the
  • Page 200: Adding L2V Root Systems

    ScreenOS and IDP Devices Guide. Adding an Extranet Device An extranet device is a firewall or VPN device that is not a Juniper Networks security device. If you use devices from multiple manufacturers, you can add extranet devices to
  • Page 201: Adding Clusters

    (Some ScreenOS devices only) Mode—Select the Port mode. See “Determining Port Mode (ScreenOS Devices Only)” on page 104. Managed OS version—Select the OS version that is to run on each member of the managed cluster.
  • Page 202: Adding Members To The Cluster

    Adding Secure Access or Infranet Controller Clusters To add a Secure Access or Infranet Controller cluster in NSM, you add the cluster and then add each member. Adding a member is similar to adding a standalone device.
  • Page 203 UI will be reflected back to NSM, and NSM will display the modified cluster. For an example of adding clusters in NSM, see “Example: Adding and Importing a Cluster” on page 158.
  • Page 204: Through Unreachable Workflow

    Expand Device Manager and select Devices. The Devices workspace appears on the right side of the screen. Click the Device Tree tab, and select the cluster to which you want to add the members.
  • Page 205: Adding Clusters Of Routers Running Junos Os

    0, and local configuration data in another configuration group dedicated to member 1.
  • Page 206: Adding And Importing A Junos Cluster

    Import Device from the list. You do this only once and for the entire cluster because the configuration is identical for all cluster members. NOTE: When importing a cluster of SRX Series Services Gateways, first import the node1 device in the cluster to prevent issues with sync status.
  • Page 207: Adding A Junos Cluster With Modeled Cluster Members

    On each cluster member, configure and activate the NSM agent and establish an SSH session with NSM. Push the modeled configuration to the device by right-clicking any cluster member icon and selecting Update Device from the list.
  • Page 208: Figure 33: Adding A Secure Access Cluster

    Enter the cluster-level information into the New Cluster dialog box as shown in Figure 33 on page 158. Figure 33: Adding a Secure Access Cluster Click OK. The new cluster appears in the Device Manager.
  • Page 209: Adding The Cluster Members

    In the Device ID field, enter the unique external ID provided by the NSM administrator. In the HMAC field, enter the one-time password, also provided by the NSM administrator. Click the Enable button to enable the NSM agent. Click Save Changes.
  • Page 210: Figure 34: Adding A J Series Cluster

    Select Device Manager > Devices, and then click the Add icon and select Cluster from the list. The add cluster wizard starts. Enter the cluster-level information into the New Cluster dialog box as shown in Figure 34 on page 160. Figure 34: Adding a J Series Cluster
  • Page 211: Figure 35: Adding The First Member To A J Series Cluster

    Figure 35 on page 161. Enter a name and color for the second member and select Model Device. Leave the Keep Adding Other Cluster Members box unchecked. Set the Member ID to 1.
  • Page 212: Figure 36: Adding The Second Member To A J Series Cluster

    Click the Device deployed, but IP is not reachable radio button. Click Next to display the Specify connections setting dialog box. Make a note of the Unique External ID. The device administrator will need this ID to connect with NSM from the member device.
  • Page 213 “Never connected” to “Up.” If the configuration status is “platform mismatch,” you selected the wrong device platform when adding the device into NSM. Delete the device from NSM and add it again using the correct device platform.
  • Page 214: Updating The Cluster

    In this example, you add a vsys cluster with two members and two vsys. Add the cluster device: In the main navigation tree, select Device Manager > Devices. Click the Add icon and select Cluster. The new cluster dialog box appears. Configure the following information:
  • Page 215: Figure 38: Configuring Cluster Members For Paris Vsys Cluster

    Click the Add icon and select Vsys Device. The new vsys device dialog box appears. Configure the root as the Paris Cluster device, select a color, and choose Model Virtual System/Virtual System Cluster Device. Click Next to continue.
  • Page 216: Figure 39: Paris Cluster Members And Paris Vsys Cluster Members

    You can use automatic discovery to add and import multiple Junos, SA, and IC devices into NSM. You do so by configuring and running discovery rules. For a Junos, SA, or IC device to be discovered by this mechanism, it must be configured with a static IP address.
  • Page 217: Adding A Device Discovery Rule

    Do not use more than 4096 IP addresses. NOTE: Device discovery supports only IPv4 addresses. IPv6 based devices are not discovered. NOTE: Device discovery will not add cluster members. Cluster members will have to be added to NSM manually.
  • Page 218: Running A Device Discovery Rule

    The wizard validates the CSV file, notifies you of any errors, and then adds the devices for which all defined values are valid. When importing devices with static IP addresses, the device configuration is automatically imported during the Add Many Devices workflow.
  • Page 219: Creating The Csv File

    NOTE: You can model many ScreenOS devices, but you cannot activate many devices except when using the Rapid Deployment process. Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the...
  • Page 220: Table 23: Csv File Information For Devices With Static Ip Addresses

    Columbus,red,10.100.20.200,netscreen,netscreen,ssh_v2,,any Cincinnati,blue,10.100.20.2367,netscreen,netscreen,ssh_v2,,any Save the file as a .csv file. Devices with Dynamic IP Addresses For devices with dynamic IP addresses, create a .csv file with the parameters shown in Table 24 on page 171.
  • Page 221: Table 24: Csv File Information For Devices With Dynamic Ip Addresses

    SSG5-ISDN, SSG5–SB, SSG5-ISDN-WLAN, SSG5-Serial, SSG5-Serial-WLAN, SSG5-v92, SSG5-v92-WLAN, SSG-20, SSG-20-WLAN, SSG-140, SSG-320, SSG-320M, SSG-350, SSG-350M, SSG-520, SSG-520M, SSG-550, SSG-550M. With OS name junos: m7i, m10i, m40e, m120, m320, mx240, mx480, mx960.
  • Page 222 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6. With OS name Junos: 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6. With OS name SA: 6.3, 6.4. With OS name IC: 2.2, 3.0. Transparent Mode (String): on, off.
  • Page 223: Table 25: Csv File Information For Undeployed Devices

    Table 25: CSV File Information for Undeployed Devices (columns: Field Name; Type; Required; Acceptable Values). Name (String): valid characters. Color (String): black, gray, blue, red, green, yellow, cyan, magenta, orange, pink. OS name (String): ScreenOS.
  • Page 224 Device Admin Name (String). Device Admin Password (String): must be a minimum of 9 characters. Telnet Port (Integer): defaults to 23. SSH Port (Integer): defaults to 22. Restrict to Serial Number (String): on, off.
  • Page 225: Validating The Csv File

    The import process differs between devices that use static IP addresses and devices that use dynamic IP addresses: For devices with static IP addresses, the Add Many Devices wizard automatically imports the device configurations.
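    To see what the wizard's validation step catches before a row is added, here is an added Python checker that is not NSM code. It reads rows in the shape of the Table 23 sample; the column order (name, color, IP address, device admin name, device admin password, SSH version, port, platform) is an assumption for the example, and the Excel templates in the utils subdirectory are authoritative. It enforces the constraints this section states: a color from the list in Table 25, a device admin password of at least 9 characters, an IPv4 address that parses, and no duplicate names or addresses. The sample rows are constructed; they include the guide's second sample row, whose address as printed (10.100.20.2367) is not a valid IPv4 address and is therefore rejected.

```python
import csv
import io
import ipaddress

# Acceptable colors from Table 25.
COLORS = {"black", "gray", "blue", "red", "green", "yellow",
          "cyan", "magenta", "orange", "pink"}
# Assumed connection-method values (the sample rows use ssh_v2).
SSH_VERSIONS = {"ssh_v1", "ssh_v2"}
# Assumed column order matching the sample rows in this section.
FIELDS = ["name", "color", "ip", "admin_name", "admin_password",
          "ssh_version", "port", "platform"]
MIN_PASSWORD_LEN = 9   # "must be a minimum of 9 characters"

# Constructed input: the two rows printed in the guide plus one deliberately bad row.
SAMPLE_CSV = """Columbus,red,10.100.20.200,netscreen,netscreen,ssh_v2,,any
Cincinnati,blue,10.100.20.2367,netscreen,netscreen,ssh_v2,,any
Dayton,purple,10.100.20.5,netscreen,short,ssh_v2,,any
"""


def validate_row(row):
    """Return a list of error strings for one CSV row (empty list means valid)."""
    if len(row) != len(FIELDS):
        return [f"expected {len(FIELDS)} fields, got {len(row)}"]
    r = dict(zip(FIELDS, (c.strip() for c in row)))
    errors = []
    if not r["name"]:
        errors.append("name is required")
    if r["color"] not in COLORS:
        errors.append(f"color {r['color']!r} is not an acceptable value")
    try:
        ipaddress.IPv4Address(r["ip"])          # static-IP workflow is IPv4 only
    except ipaddress.AddressValueError:
        errors.append(f"invalid IPv4 address {r['ip']!r}")
    if not r["admin_name"]:
        errors.append("device admin name is required")
    if len(r["admin_password"]) < MIN_PASSWORD_LEN:
        errors.append(f"device admin password must be at least {MIN_PASSWORD_LEN} characters")
    if r["ssh_version"] not in SSH_VERSIONS:
        errors.append(f"unknown SSH version {r['ssh_version']!r}")
    if r["port"] and not (r["port"].isdigit() and 1 <= int(r["port"]) <= 65535):
        errors.append(f"port {r['port']!r} is not a valid TCP port")
    return errors


def validate_csv(text):
    """Split a CSV file into (valid_rows, rejected) the way the wizard reports it.

    valid_rows: list of dicts keyed by FIELDS, in file order
    rejected:   list of (line_number, [errors]) for rows that would not be added
    """
    valid, rejected = [], []
    seen_names, seen_ips = set(), set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row or all(not c.strip() for c in row):
            continue                                 # skip blank lines
        errors = validate_row(row)
        name = row[0].strip()
        ip = row[2].strip() if len(row) > 2 else ""
        if name in seen_names:
            errors.append(f"duplicate device name {name!r}")
        if ip and ip in seen_ips:
            errors.append(f"duplicate IP address {ip!r}")
        if errors:
            rejected.append((lineno, errors))
            continue
        valid.append(dict(zip(FIELDS, (c.strip() for c in row))))
        seen_names.add(name)
        seen_ips.add(ip)
    return valid, rejected


if __name__ == "__main__":
    ok, bad = validate_csv(SAMPLE_CSV)
    print("would add:", [d["name"] for d in ok])
    for lineno, errors in bad:
        print(f"line {lineno}: " + "; ".join(errors))
```

Running the checker over the CSV before handing it to the wizard turns the wizard's "adds the devices for which all defined values are valid" into a list you can review, so a device silently skipped because of one bad field (as Cincinnati would be here) does not go unnoticed.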
  • Page 226: Adding And Importing Many Devices With Static Ip Addresses

    The .cli file is saved to the following GUI Server directory: /usr/netscreen/GuiSvr/var/ManyDevicesOutput/<inputFile_YYYYMMDDHHMM>/ Before the device can be managed by NSM, you must enter the CLI commands in the .cli file on the physical security device.
  • Page 227: Modeling Many Devices

    “Activating a Device” on page 132. Using Rapid Deployment You can model devices, generate configlets, and activate many ScreenOS devices at one time. Alternatively, you can model multiple devices initially, and then generate
  • Page 228: Modeling And Activating Many Devices With Configlets

    Update the device configuration by right-clicking the device and selecting Update Device. The Job Information box displays the job type and status for the update; when the job status displays successful completion, click Close.
  • Page 229: Activating Many Devices With Configlets

    NetScreen-5GTs in a domain), by physical location (such as all the security devices in the San Jose office), or logically (such as all the security devices in sales offices throughout western Europe). Use the groups to: Copyright © 2010, Juniper Networks, Inc.
  • Page 230: Example: Creating A Device Group

    In the Non-members list, select the devices that you want to be part of the Sales device group. Click Add to move the selected devices to the Member list (or drag the selected devices into the Member list), and then click OK. Copyright © 2010, Juniper Networks, Inc.
  • Page 231: Setting Up Nsm To Work With Infranet Controller And Infranet Enforcer

    Create a certificate signing request (CSR) for an Infranet Controller server certificate, and use the CA certificate to sign the server certificate. Import the server certificate into the Infranet Controller. Import the CA certificate into the Infranet Enforcer. Copyright © 2010, Juniper Networks, Inc.
  • Page 232 In the New Subdomain dialog box, enter an appropriate name for the subdomain so you know what it will be used for, and then click OK. From the drop-down list on the top left side, select your new domain. The new domain is empty. Copyright © 2010, Juniper Networks, Inc.
  • Page 233: Avoiding Nacn Password Conflicts

    If there are, that means that the Infranet Controller has changed something on the Infranet Enforcer since you last imported the device configuration. If you do not reimport the configuration, be sure to update the Infranet Controller and Infranet Enforcer at the same time. Copyright © 2010, Juniper Networks, Inc.
  • Page 234 Network and Security Manager Administration Guide Copyright © 2010, Juniper Networks, Inc.
  • Page 235: Chapter 5 Configuring Devices

    Configuring Devices The Device Manager module in Network and Security Manager (NSM) enables you to configure the managed Juniper Networks devices in your network. You can edit configurations after you add and import a managed device, or create configurations when you model a device.
  • Page 236: About Device Configuration

    NSM to the device itself. At that point, the edited configuration becomes active. About Configuring Clusters, VPNs, Vsys Devices, Policies, and Shared Objects In addition to configuring specific devices, NSM also enables you to configure clusters, VPNs, vsys devices, policies, and shared objects:
  • Page 237: Configuring Devices

    A template is a predefined set of configuration values that helps you reuse common information. A device object can refer to multiple templates, and you can use templates to configure and deploy multiple devices quickly. A device template looks like a device
  • Page 238: About Configuration Groups

    For details see “Using Configuration Groups” on page 221 and “Using Configuration Groups with Templates” on page 228. Editing Devices Using the Device Editor To configure device information in NSM, select Device Manager > Devices, select the device, and then click the Open icon.
  • Page 239: Figure 40: Device Info And Configuration Tabs

    NSM. Templates—All templates available to the device family to which the device belongs. See “Using Device Templates” on page 196 for details. Device Admin—Polling interval for alarm statistics.
  • Page 240: Figure 41: Screenos And Idp Device Configuration Information

    For details about using device templates, see “Using Device Templates” on page 196. For information about configuration groups, see “Using Configuration Groups” on page 221.
  • Page 241: Table 26: Validation Icons

    Select the device object and then click the Edit icon. Right-click the device object and select Edit. For ScreenOS and IDP devices, the device navigation tree appears on the left, listing the device configuration parameters by function.
  • Page 242: Figure 42: Screenos Device Object Configuration Data

    Configuring ScreenOS/IDP Device Features The device configuration tree for a ScreenOS or IDP device looks similar to the example in Figure 42 on page 192. Figure 42: ScreenOS Device Object Configuration Data
  • Page 243 If you need to make any of the above changes to the managed device, use the Web UI or CLI to make the changes locally, and then reimport the device configuration into the NSM UI.
  • Page 244: Figure 43: Secure Access Device Object

    Figure 43: Secure Access Device Object For details about configuring Secure Access devices, see the Configuring Secure Access Devices Guide (http://www.juniper.net/techpubs/en_US/nsm2010.3/information-products/pathway-pages/secure-access-devices/index.html). For details about configuring Infranet Controller devices, see the Configuring Infranet Controllers Guide (http://www.juniper.net/techpubs/en_US/nsm2010.3/information-products/pathway-pages/infranet-controller-devices/index.html).
  • Page 245: Configuring Junos Device Features

    Execute device-specific troubleshooting commands. Use the technical support service that allows packaged collections of information for remote analysis by Juniper Networks Technical Assistance Center (JTAC). Reboot the device. The view of the configuration from NSM might also be missing data configured in large binary files.
  • Page 246: Updating The Configuration On The Device

    A template contains all possible fields for all possible devices within a device family. NSM provides different templates for: ScreenOS/IDP devices Secure Access devices Infranet controller devices J Series devices (includes SRX Series devices) M Series and MX Series devices EX Series devices
  • Page 247: Modifying Values In Templates

    You can modify a template that has already been applied to one or more device configurations. When you change a field value in a template, the device object that references the template also changes.
  • Page 248: Example: Creating And Applying A Device Template For Dns Settings

    For Primary DNS Server IP, enter 1.1.1.1. For Secondary DNS Server IP, enter 2.2.2.2. For DNS Refresh Schedule, select Refresh Daily. Leave all other default settings. The From Object icon shows where the values are set.
  • Page 249: Figure 44: Example Of Setting Values In A Template

    In the device navigation tree, select Info > Templates. The templates configuration screen appears. Click the Edit icon. The Edit Templates dialog box appears. Select the DNS template.
  • Page 250: Figure 45: Applying A Template

    Promote Template. In the Select Templates dialog box, select the template to which you want to apply the selected part of the configuration.
  • Page 251: Figure 46: Template Override Icon

    An example is shown in Figure 47 on page 201. Figure 47: Revert to a Template or Default Value A device-specific configuration value always overrides a template value.
  • Page 252: Reverting A Configuration To Default Values Of A Template

    The lower the template appears in the template list, the higher priority it has when applying values to a device configuration.
  • Page 253: Example: Using Multiple Device Templates

    Select Destination IP Based Session Limit and set the Threshold to 4000. Click OK to save the new zone. Click OK to save the new device template. Apply the DoS template to a device configuration for a NetScreen-208 running ScreenOS 5.0:
  • Page 254: Figure 48: View Denial Of Service Defense Values From Dos Template

    In the template navigation tree, select Network > Zone. The Zone configuration screen appears. Click the Add icon in the Zone configuration screen and select Pre-Defined Security Zone—trust|untrust|dmz|global. The Predefined Zone dialog box appears.
  • Page 255: Figure 49: Configure Dos Defense Settings For The Dos2 Template

    Currently, the DoS2 template has the higher priority, which enables it to override any similar values set by the DoS template, as shown in Figure 50 on page 206. The DoS2 template overrides similar values set in the DoS template.
  • Page 256: Figure 50: View Template Priority (Dos Highest)

    Source IP Based Session Limit field, the higher threshold value from DoS2 appears in the device configuration because you assigned the DoS2 template a higher priority than the DoS template. Figure 51: View Values from DoS and DoS2 Templates
  • Page 257: Figure 52: View Dos2 Value For Source Ip Based Session Limit

    Referenced templates—Each referenced template (a template referred to by another template) reduces the maximum number of templates by one. For example, a device that uses template A, which in turn refers to templates B and C, counts as three templates.
  • Page 258: Device Groups

    You must first delete the template-derived zone, and then create a new zone.
  • Page 259: Figure 55: Up And Down Arrows For Changing The Sequence Of A List

    For details about how the order of list entries in a template is affected by configuration groups, see “Using Configuration Groups” on page 221. The following sections describe
  • Page 260: Order

    Adding or inserting new list entries in the template Adding or inserting new list entries in the device Deleting entries from an ordered list in the device Deleting entries from an ordered list in the template Deleting template-provided entries in the device
  • Page 261: Rules For Reordering Lists

    Now reverse the first three items in the template sequence. Because the reordering takes place within what was the matching subsequence, the new sequence is transferred to the device: After: Template Sequence Device Sequence
  • Page 262 NSM reverse A and B? If so, should 1 come before B, after A, or between B and A? After: Template Sequence Device Sequence (no change)
  • Page 263 In this example, it is not obvious what the user intended. The user might have wanted to place D after 1 or 2. In this case, NSM makes a reasonable attempt and places it after C.
  • Page 264: Configuration Group Order

    The template provides six entries in the order a, b, c, d, e, f. In the regular device configuration, list entry g has been added directly (as shown by the lack of any data origin icon), the template has been added, and then the list has been reordered.
  • Page 265: Figure 56: Identifying Ordered List Entries That Do Not Match The Template

    NOTE: The Template Operations directive only updates the configuration database. To apply changes to devices, you must use the Update Device directive.
  • Page 266: Figure 57: Template Operations Directive

    Select Template Section Select one or more templates to apply to the selected devices. Use the edit button to open the Select Templates dialog box. Check one or more check boxes to select templates.
  • Page 267: Figure 58: Select Template Dialog Box

    Normally, template values do not override manually set values. Report irrelevant template values—Reports any values that are set in templates but that are not used on the selected devices. A template might provide values for features
  • Page 268: Template Operations Box Recommended Workflow

    Later templates can override the settings of earlier templates. Select Don’t change templates. If you want, you can select one or more of the following validation and reporting options:
  • Page 269: Figure 59: Template Operations Job Information Dialog Box

    Repeat the operations specified in Step 1, but specify one of the Add templates buttons. If desired, also check the Remove conflicting device values check box. Removing Templates with the Template Operations Directive To remove one or more templates from one or more devices, follow these steps:
  • Page 270: Exporting And Importing Device Templates

    Select the templates you want the saved template settings to be applied to. Select the saved template you want to import. The settings in the saved template are imported into the NSM template. Refer to the Network and Security Manager Online Help for detailed procedures.
  • Page 271: Using Configuration Groups

    Identify the origin of values derived from configuration groups; that is, identify which configuration group a value came from. Support the specification of configuration groups in templates. See “Using Configuration Groups with Templates” on page 228 for details.
  • Page 272: Creating And Editing Configuration Groups

    Click OK to save the interface definition. NOTE: After saving a configuration group entity, you cannot change its key field. Specifically, after saving an interface definition, you cannot change its name.
  • Page 273: Figure 60: Adding A Configuration Group

    NOTE: After saving a configuration group, you cannot change its name. Editing a Configuration Group You can edit configuration groups before or after applying them. If you edit the group after applying it, then the new edits take effect immediately in the device object.
  • Page 274: Validating A Configuration Group

    Group” on page 222 to the device object configuration. In the device object configuration tree, right-click Interfaces. Select Apply/Exclude Config Groups from the list. The Apply/Exclude Config Groups dialog appears, as shown in Figure 61 on page 225.
  • Page 275: Figure 61: Applying A Configuration Group

    Configuration groups applied at a higher level in the configuration can be explicitly excluded at lower levels. To exclude a configuration group from a branch of the configuration, follow these steps: Right-click on the branch and select Apply/Exclude Config Groups from the list.
  • Page 276: Figure 63: Excluding A Configuration Group

    To revert to the configuration group value for a specific field, right-click on the field, and select Revert to template/default value. NOTE: Nonwildcard list entries derived from configuration groups cannot be deleted in the device object.
  • Page 277: Deleting A Configuration Group

    For unordered lists, this rule is unimportant. For ordered lists such as policies and configuration group definitions, the rule is important. Reordering Lists Ordered lists that are inherited from a configuration group follow the same rules as ordered lists inherited from a template:
  • Page 278: Using Configuration Groups With Templates

    MTU value in the template itself or in the device object. Settings in the regular configuration take precedence over those set in the template which, in turn, take precedence over those set
  • Page 279 Expand Interfaces, select Interface, and click the Add icon. Name the interface with the wildcard character by typing <*> in the Name field. NOTE: Be sure to include the angle brackets, because they are required by the Junos syntax.
  • Page 280 Configure some interfaces in the device object. In this example, we set the MTU for to 5120, and create fe-0/0/0 fe-0/0/1 fe-0/0/2 with blank MTU values: In the Device Manager, select Devices. Select the device and click the Edit icon.
  • Page 281 In the Device Manager, click Devices. Right-click the device, and select Update Device from the list. The equivalent Junos configuration syntax received by the device looks like this: groups { # CG defn from template group1 {
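The precedence rules stated on pages 251 through 257 (a device-specific value always overrides a template value; the lower a template sits in the template list, the higher its priority) and on page 278 (regular configuration beats template, template beats configuration group) reduce to a small resolver. The following is an added example and not NSM code. The flat dotted field names, the conflict and irrelevant-value reports (modelled on the Remove conflicting device values and Report irrelevant template values options on pages 267 through 269, and generalised to cover configuration groups as well as templates) and every sample value (DoS thresholds, MTU, hostname, NTP server) are this example's own constructions.

```python
"""Resolve a device object's effective values from configuration groups,
templates and device-specific settings.

Added example, not NSM code. Only the precedence rules from the guide are
modelled; the field names, helpers and sample values are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Source:
    name: str
    kind: str                       # "config_group", "template" or "device"
    values: dict = field(default_factory=dict)


def resolve(config_groups, templates, device):
    """Return (effective, origin): the winning value per field and the name
    of the source it came from (what NSM's data-origin icon indicates).

    templates must be in the order of the device's template list; the last
    entry (lowest in the list) has the highest priority."""
    effective, origin = {}, {}
    # Layer sources in ascending precedence; a later assignment wins.
    for src in [*config_groups, *templates, device]:
        for key, value in src.values.items():
            effective[key] = value
            origin[key] = src.name
    return effective, origin


def report_conflicts(config_groups, templates, device):
    """Device-specific values that mask a different value coming from a
    template or configuration group: the values that the Remove conflicting
    device values option would strip. Returns {field: (device_value,
    masked_value, masked_source)}."""
    lower, lower_origin = resolve(config_groups, templates, Source("none", "device"))
    return {k: (v, lower[k], lower_origin[k])
            for k, v in device.values.items()
            if k in lower and lower[k] != v}


def report_irrelevant(templates, supported_fields):
    """(template, field) pairs the target device does not use, as the Report
    irrelevant template values option would list them."""
    return {(t.name, k) for t in templates for k in t.values
            if k not in supported_fields}


# Constructed sample data; numbers are illustrative, not from the manual.
GROUP1 = Source("group1", "config_group", {
    "interface.ethernet1.mtu": 5120,
    "system.ntp.server": "10.0.0.1",
})
DOS = Source("DoS", "template", {
    "zone.trust.dest_ip_session_limit": 4000,
    "zone.trust.source_ip_session_limit": 1000,
    "zone.trust.screen.syn_flood": "on",
})
DOS2 = Source("DoS2", "template", {
    "zone.trust.source_ip_session_limit": 2000,
})
NS208 = Source("ns208-sj", "device", {
    "interface.ethernet1.mtu": 1500,      # set directly in the device object
    "system.hostname": "ns208-sj",
})
# Fields this (hypothetical) device family exposes; syn_flood is left out
# on purpose so the DoS template carries one irrelevant value.
NS208_FIELDS = {"interface.ethernet1.mtu", "system.ntp.server", "system.hostname",
                "zone.trust.dest_ip_session_limit",
                "zone.trust.source_ip_session_limit"}

if __name__ == "__main__":
    key = "zone.trust.source_ip_session_limit"
    for order in ([DOS, DOS2], [DOS2, DOS]):
        eff, origin = resolve([GROUP1], order, NS208)
        print([t.name for t in order], "->", key, "=", eff[key], "from", origin[key])
    print("conflicts:", report_conflicts([GROUP1], [DOS, DOS2], NS208))
    print("irrelevant:", report_irrelevant([DOS, DOS2], NS208_FIELDS))
```

Swapping the two templates in the list flips which Source IP Based Session Limit value the device receives, which is exactly the reorder the figures on pages 256 and 257 illustrate; the device-level MTU stays at 1500 in both cases because a device-specific value is never displaced by a template or group, only reported as a conflict.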
  • Page 282: Configuring Clusters

    In the main display area, select the cluster you want to edit, and then click the Edit icon. In the Cluster Info tab, click Templates, and then click the Edit icon. The Edit templates dialog box appears.
  • Page 283: Configuring Member-Level Data In A Junos Cluster

    Configure the group as desired and click OK. A configuration group called “node” appears in the Config Group List. Right-click Configuration in the cluster member tree and select Apply/Exclude Config Group from the list.
  • Page 284: Configuring Junos Devices With Redundant Routing Engines

    Add icon, name the new configuration group re0, and then save it. In the navigation tree for re0, select System. In the Host Name field, assign a name to the Routing Engine, for example, Dual-RE-re0. Click OK twice.
  • Page 285: Figure 64: Configuring Routing Engine Specific Parameters

    In the Info tab of the device editor, select Routing Engine Configuration. Double-click on the configuration group name to show the configuration for the corresponding Routing Engine. In the navigation tree, select System. The configured Routing Engine name appears in the Host Name field.
  • Page 286: Figure 65: Viewing The Routing Engine Configuration

    The NSM implementation of VRRP has the following limitations: WAN and serial interfaces cannot support VRRP. VRRP requires Ethernet or gigabit interfaces. A single interface can support only two VRRP groups. You can enable a VRRP group only on a single interface.
  • Page 287: Platforms On Which Nsm Supports Vrrp

    You can fetch a configuration file from a device interactively from the NSM menus, or you can set up a cron job to import the configuration text file periodically and put these configuration file versions into the NSM database.
  • Page 288: Viewing And Comparing Configuration File Versions

    NSM to have different versions of the device configuration. You can enable or disable the automatic import of config files and track those devices on which the feature is enabled. You can also see the status of the config file versions.
  • Page 289: Chapter 6 Updating Devices

    Updating Devices This chapter explains how to update the running configuration (the configuration on the device) with the modeled configuration (the configuration in the Juniper Networks Network and Security Manager (NSM) UI). This chapter also describes the events that can require you to update your device, as well as NSM tools that help you to track, verify, and preview the update process.
  • Page 290: How The Update Process Works

    For example, malicious traffic might have entered your network, requiring you to update the security policy for the device to detect and prevent that attack.
  • Page 291: Updating Devices

    (the device reboots). After rebooting, the device sends a final error message to the management system; the contents of this message, which include any CLI errors
  • Page 292 15 seconds; these messages appear in the Job Manager status window for the update. During the update, the Job Manager status window displays other messages, depending on the success of the update:
  • Page 293: Devices

    Unlike ScreenOS devices, however, DMI-compatible devices do not need to reboot in order to roll back. If the connection between the device and NSM remains up throughout the Update Device operation, but the update itself fails, the DMI device will keep the original
  • Page 294: Knowing When To Update

    To overwrite the existing configuration on the physical device, update the physical device with the modeled configuration in NSM. To overwrite the modeled configuration in NSM, import the existing configuration from the physical device. NSM does not support delta updates from the device.
  • Page 295: Verifying Device Status In Device Monitor

    NSM and is awaiting manual import. Update Needed—Indicates that the running configuration is not the same as the modeled configuration, and the device is connected to NSM. You must update the
  • Page 296 Although you cannot synchronize delta changes, you can run a delta configuration summary (see “Using a Delta Configuration Summary” on page 249) to identify the differences, then manually make the changes to the modeled configuration, and then update the device.
  • Page 297: Verifying Device Status In Device Manager

    For example: To track all events for a specific time period, create a filter on the timestamp column; when applied, the filter displays only the log entries that meet the specified time period.
  • Page 298: Identifying Administrative Changes

    Using Preview Tools When you update a managed device, you overwrite the existing configuration that is running on the physical device. Therefore, it is important to verify a configuration before sending it to the device.
  • Page 299: Running A Configuration Summary

    A delta configuration summary compares the active configuration on the ScreenOS or DMI-compatible device with the modeled configuration in NSM and displays the differences between the two configurations. The delta configuration summary produces four sets of data. See Table 28 on page 250.
  • Page 300: Table 28: Delta Configuration Summary Information

    Information window. Specifically, review the commands in the section “Config to be sent to device on next Update Device”; when you update the device, these are the commands that NSM uses to overwrite the running configuration.
  • Page 301: Figure 66: Delta Configuration Summary Example

    A sample delta configuration summary for a ScreenOS device is shown in Figure 66 on page 251. Figure 66: Delta Configuration Summary Example Occasionally, the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled configuration. In some
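A minimal version of the comparison the delta configuration summary performs, added here as an example and not taken from NSM or from the guide. It works on ScreenOS-style set command configurations, lists what would appear under “Config to be sent to device on next Update Device” together with what exists only on the device (for instance a command a local administrator added since the last import, the situation described on page 309), and collapses whitespace so that a formatting-only difference is not reported as a discrepancy. The real report's four data sets are not reproduced, and the two sample configurations are constructed.

```python
"""Minimal delta configuration summary for ScreenOS-style configurations.

Added example, not the NSM Delta Config Summary or any Juniper code. The
whitespace normalization is one illustration of how a harmless textual
difference can otherwise surface as a discrepancy that is not really there.
"""


def parse_set_commands(text, normalize_ws=True):
    """Return the set of 'set ...' commands in text.

    With normalize_ws=True, runs of whitespace are collapsed so that two
    commands differing only in spacing compare equal. Lines that are not
    set commands (banners, comments, blank lines) are ignored."""
    commands = set()
    for raw in text.splitlines():
        line = " ".join(raw.split()) if normalize_ws else raw.strip()
        if line.startswith("set "):
            commands.add(line)
    return commands


def delta_summary(running_text, modeled_text, normalize_ws=True):
    """Compare the running (device) configuration with the modeled (NSM) one."""
    running = parse_set_commands(running_text, normalize_ws)
    modeled = parse_set_commands(modeled_text, normalize_ws)
    return {
        # commands NSM would push on the next Update Device
        "to_send": sorted(modeled - running),
        # commands present on the device but absent from the modeled
        # configuration, e.g. added locally since the last import
        "device_only": sorted(running - modeled),
        "in_sync": running == modeled,
    }


# Constructed sample configurations (hostnames and addresses are made up).
# The running config has an extra space in the ip line and a screen option
# a local administrator added; the modeled config carries a new threshold.
RUNNING = """\
set hostname ns208-sj
set interface ethernet1 zone trust
set interface   ethernet1 ip 10.1.1.1/24
set zone trust screen syn-flood
set zone trust screen ping-death
"""

MODELED = """\
set hostname ns208-sj
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set zone trust screen syn-flood
set zone trust screen ip-sweep threshold 5000
"""

if __name__ == "__main__":
    for normalize in (True, False):
        summary = delta_summary(RUNNING, MODELED, normalize_ws=normalize)
        print(f"normalize_ws={normalize}")
        print("  to send   :", summary["to_send"])
        print("  device only:", summary["device_only"])
```

Run with normalization off, the ip line shows up in both lists even though the device and NSM agree on it; that is the kind of false discrepancy the guide warns about, and the reason to review the to-send section rather than trust a non-empty report on its own.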
  • Page 302: Performing An Update

    Apply Changes. NSM begins updating the selected devices or device groups with the modeled configuration. After updating: Review the information in the Job Information window to determine if the update was successful.
  • Page 303: Retrying A Failed Update

    Show Unconnected Devices in Device Selection Dialog—When enabled, the NSM UI displays devices that are not connected to the management system in the Update Devices dialog box (which appears when you attempt to update the configuration for a managed device).
  • Page 304: Update Options For Dmi-Compatible Devices

    Job Information window. The command you send is called a directive. Job Manager tracks the progress of the directive as it travels to the device and back to the management system. Each job contains:
  • Page 305: Figure 67: Job Manager Module

    Expand All displays all devices associated with a directive type. Collapse All displays the directive type. Job Type (Directive) List—Displays the job type (directives) and associated timestamp completion status information. All current and completed jobs appear, including device
  • Page 306: Figure 68: Job Information Dialog Box

    Number of Jobs Completed—The number of jobs completed out of the total number of jobs. Percent Complete—The percentage of total jobs successfully executed. When performing multiple jobs on multiple devices, this field displays the percentage complete
  • Page 307: Table 29: Device States During Update

    Device has successfully been updated with the modeled configuration. Failed Device has not been successfully updated with the modeled configuration. The Output pane of the Job Manager dialog box displays error messages and error codes.
  • Page 308: Understanding Updating Errors

    Job Manager information window. For successful updates, no discrepancies are found or displayed. For failed updates, the output area lists remaining discrepancies. For example, a failed update job is shown in Figure 69 on page 259.
  • Page 309: Figure 69: Failed Update Job Dialog Box

    The delta configuration summary correctly detected a difference between settings on the managed device and settings in NSM. This error might be the result of a command that was disabled by another NSM administrator or a local device administrator.
  • Page 311: Chapter 7 Managing Devices

    Updating the Web Category List on page 296 Miscellaneous Device Operations on page 297 Managing ScreenOS Device Capabilities on page 303 Archiving and Restoring on page 309 Managing Device Schemas Through the Juniper Update Mechanism on page 310
  • Page 312: Managing Device Software Versions

    Upgrading the Device Software Version Upgrading the operating system is a three-step process: Download the new software image file from the Juniper Networks website to your computer running the client UI. Copy the image file to a repository on the GUI server using the NSM Software Manager, which you access from the Device Manager launchpad by selecting Manage Device Software (Select Tools >...
  • Page 313: Managing Devices

    Verify the details and click Finish. NOTE: Do not change the name of the image file. The name of the image file must be exactly the same as the filename that you download from Juniper Networks, for example, ns5xp.4.0.3r2.0 or sensor_4_1r1.sh. When upgrading multiple device types, ensure that you have loaded the same version of the image file for each type of device on the Device Server.
  • Page 314: Upgrading A Device Software Version From Nsm

    You must reconcile inventory to synchronize the device software inventory. Import and update the device. In a Major Upgrade When you upgrade from one major release version to another, you can upgrade from:
  • Page 315: Adjusting The Device Os Version

    NSM does not support OS downgrades; you cannot use NSM to install an earlier version of Juniper Networks OS than is currently running on the device. You must use the Web UI or CLI commands to downgrade a managed device, and then add the device to NSM again.
  • Page 316: Deleting The Device Os Version

    You must first obtain a license key from your value-added reseller (VAR) or from Juniper Networks. Then you can use the NSM UI to install the license key on the managed device.
  • Page 317: Installing License Keys On A Device

    When your license expires, NSM notifies you that your trial period is over and prompts you to install a new license. You can proceed with the NSM GUI log in only after the installation of a valid permanent license.
  • Page 318: Viewing And Reconciling Device Inventory

    For a device with dual Routing Engines, NSM collects the inventory data from the master Routing Engine. To view the device inventory, the device must be in the “Managed” state. To view the device inventory, follow these steps:
  • Page 319: Figure 70: Viewing The Device Inventory

    Run the Inventory Diff tool to check for differences between the NSM database and the device inventory. To run this tool, follow these steps: In the Device Manager, select Devices, and then right-click on the device you want to compare. Select View/Reconcile Inventory.
  • Page 320: Figure 71: Comparing The Device Inventory With The Nsm Database

    The inventory status also changes to “Out of Sync” if differences exist between the NSM database and the device inventories when the device reboots and reconnects, or when an Update Device directive is issued to the device. In either case, you can reconcile the
  • Page 321 Java applet that resides on a Secure Access device, and you have no intention of updating this applet. In this case, no shared object creation or file upload is necessary. NSM device objects will contain only the MD5 hash stub for these endpoints. Any delta configuration
  • Page 322: Uploading And Linking Large Binary Data Files

    In the Binary Data dialog box, enter a name for the object, select a color for the object icon, add a comment if desired, and select the file you uploaded in Step 2. See Figure 72 on page 273. Click OK.
  • Page 323: Figure 72: Adding A Shared Binary Data Object

    Navigate to the node in the configuration where you want to load the binary file. For example, to load an ESAP package, expand Authentication and then select Endpoint Security. In the Host Checker tab, select Endpoint Security Assessment Plug-Ins, and then click the Add icon.
  • Page 324: Figure 73: Linking To A Shared Binary Data Object

    Secure Access or Infranet Controller device. Infranet Controller devices can use customized sign-in access pages. Secure Access devices can use customized sign-in access pages and customized sign-in meeting pages.
  • Page 325: Creating A Custom Sign-In Page

    Click OK once to save the link, and again to save the configuration. Importing Antivirus Live Update Settings Uploading Live Update Settings Retrieve the latest AV live update file from the Juniper Networks Downloads Web site:
  • Page 326: Linking To A Live Update File Shared Object

    Controller device checks third-party applications on endpoints for compliance with the predefined rules you configure in a Host Checker policy. Uploading ESAP Packages To upload the Endpoint Security Assessment Plug-in from the Juniper Networks Customer Support Center to your NSM client computer, follow these steps: Open the following page: https://www.juniper.net/customers/csc/software/ive/...
  • Page 327: Linking To An Esap Package Shared Object

    For example, a Host Checker policy package might contain: META-INF/MANIFEST.HCIF hcif-myPestPatrol.dll hcif-myPestPatrol.ini Upload the Host Checker package to the NSM shared object. You can upload multiple policy packages to NSM shared objects, each containing a different MANIFEST.HCIF file.
  • Page 328: Linking To A Third-Party Host Checker Policy Shared Object

    In the Device Manager, double-click the Secure Access device to open the device editor, and then select the Configuration tab. Expand Authentication. Select Endpoint Security.
  • Page 329: Importing Hosted Java Applets (Secure Access Devices Only)

    Give the applet and file each a name. Select a shared binary data object from the Applet file to be uploaded list. Click OK once to save the link, and then again to save the configuration.
  • Page 330: Importing A Custom Citrix Client .Cab File (Secure Access Devices Only)

    RMA state and do a full restore after activation. NOTE: NSM users who have the privileges to import a device can perform a backup operation. NSM users who have the privileges to update a device can perform a restore operation.
  • Page 331: Backing Up An Sa Or Ic Device

    Select the Purge Config File versions checkbox to automatically purge older backed up versions of the device after the maximum limit of backup versions has been exceeded. If this option is disabled, once the maximum limit for number
  • Page 332: Viewing Backed Up Versions For An Sa Or Ic Device

    RMA state and select RMA Device. The Confirm RMA Device dialog box appears. Click OK. The Latest Backup Details dialog box appears. (If you do not have a backup you will be prompted to take a backup before proceeding with).
  • Page 333: Activating An Sa/Ic Device Set To The Rma State

    The device administrator must make a Telnet connection to the physical device, paste the commands, and execute them to enable NSM management of the device. Click OK to dismiss the Commands window and complete the Activate Device wizard.
  • Page 334: Performing A Full Restore Of An Sa Or Ic Device

    IP address assigned for the user's network connect session (shown only for SA devices). If you have not queried active user sessions using this dialog box, the bottom half of the dialog box will be empty.
  • Page 335: Activating Subscription Services

    NSM automatically chooses one of the cluster members. Activating Subscription Services To use some Juniper Networks services, such as internal AV or Deep Inspection Signature Service, you must activate the service on the device by first registering the device, and then obtaining the subscription for the service.
  • Page 336: Updating The Attack Object Database

    To prepare for a local update, you manually download the attack objects files from the Attack Object Database server (managed by Juniper Networks), then copy these files to a local directory on the GUI Server. Then, during the local update, you specify the path to these files.
  • Page 337 Chapter 7: Managing Devices Obtain the attack update data file from the Juniper Networks Web site. Browse to https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat Copy and paste the content from the URL into a text file called NSM-SecurityUpdateInfo.dat. Make sure the file has no HTML tags, RTF tags, or control characters. Use a text editor to make sure there are no control characters in the file.
  • Page 338: Updating Di Attacks On Screenos 5.0 Devices

    In the main navigation tree, select Device Manager > Devices, and then double-click the device for which you want to configure the database. In the device navigation tree, select Security > AttackDB > Settings. For Attack Database Server, enter https://services.netscreen.com/restricted/sigupdates
  • Page 339: Using Updated Attack Objects

    When NSM detects that a managed device contains an older attack object database version than the one stored on the GUI Server, the UI displays a warning for that device, indicating that you should update the attack object database on the device.
  • Page 340: Manual Verification

    You must update the attack object database on the device using the procedure detailed in “Updating DI Attacks on ScreenOS 5.0 Devices” on page 288. For details on disabling attacks, see the Network and Security Manager Online Help topic, Configuring Firewall/VPN Devices.
  • Page 341: Versions

    NOTE: Updating the IDP engine on a device does not require a reboot of the device. You can also download the new detector engine automatically. See “Scheduling Security Updates” on page 292.
  • Page 342: Figure 74: Attack Update Summary

    GUI Server and on those devices. For ScreenOS devices running ScreenOS 5.0 (except ScreenOS 5.0.0-IDP1), NSM does not automatically install new attack objects on the device but instead flags the device for manual updating using the UI.
  • Page 343: Table 30: Scheduled Security Update (Ssu) Command Line Parameters

    (managed by Juniper Networks), then specify the action you want the server to take. For a successful update, the device configuration must be “In-Sync”, meaning that the device is connected and that no configuration differences exist between the configuration on the physical device and the modeled configuration in NSM, or “Sync Pending”, meaning...
  • Page 344: Example: Update Attack Objects And Push To Connected Devices

    Type the following to update attacks, including specifying the post-action options for the update: guiSvr.sh --update-attacks --post-action post-action options. Enter your domain/username and password when prompted. To configure a scheduled security update using crontab:
  • Page 345: Example: Using Crontab To Schedule Attack Updates

    Create a shell script called attackupdates.sh with the following contents:
        export NSMUSER=idp/idpadmin
        export NSMPASSWD=idpadminpassword
        /usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip
    Make the script executable: chmod 700 attackupdates.sh. Run the crontab editor: crontab -e. Add the script to the crontab: 0 5 * * * /usr/netscreen/GuiSvr/utils/attackupdates.sh
  • Page 346: Viewing Scheduled Security Updates In The Job Manager

    Web categories (predefined by SurfControl) are used to create the default Web Filtering Profile object, which you can use in a firewall rule to permit or deny specific URL requests to or from your protected network.
  • Page 347: Miscellaneous Device Operations

    Upgrading the OS Version During an RMA-Activate Device Workflow on page 302; Troubleshooting a BGP Peer Session on a Device on page 302; Reactivating Wireless Connections on page 303; Finding Usages on page 303
  • Page 348: Launching A Web Ui For A Device

    Using the existing scheduled reboot functionality of the Junos devices, NSM allows you to choose one of the following options in the Reboot Device(s) window. Reboot now: This causes an immediate reboot.
  • Page 349: Refreshing Dns Entries

    The Perform NTP Time Update dialog box appears. Select the devices or group of devices that should be synchronized with NTP servers. Click OK. The Job Information window displays the status of the synchronization.
  • Page 350: Setting The Root Administrator On A Device

    Enter the new password in the Password field and then reenter the password in the Confirm Password field. Click OK. For more details on managing device administrators, including the root administrator, see the Network and Security Manager Online Help topic, “Configuring Firewall/VPN Devices”.
  • Page 351: Failing Over Or Reverting Interfaces

    Click OK. In the Device Monitor window, the device status is RMA. When the replacement device is installed, activate the device with the serial number of the replacement. For information about activating a device, see “Activating a Device” on page 132.
  • Page 352: Upgrading The Os Version During An Rma-Activate Device Workflow

    To perform these tests, you need to have configured a virtual router and the BGP dynamic routing protocol on the device, and enabled BGP on the virtual router and on the interface to the BGP neighbor. To connect to or disconnect from a BGP peer:
  • Page 353: Reactivating Wireless Connections

    Click OK. Reactivating Wireless Connections You can deploy a Juniper Networks NetScreen-5GT Wireless security device running ScreenOS 5.0.0-WLAN as a wireless access point (WAP). When you make changes to the wireless settings for the security device, you must update the device with your changes before the new settings take effect.
  • Page 354: Figure 75: Import/Update Architecture

    Your network may contain similar security devices that are running different ScreenOS versions. For example, a NetScreen-5XT may run ScreenOS 5.x, which supports the Routing Information Protocol (RIP), while another NetScreen-5XT runs ScreenOS 4.0.0r2,
  • Page 355: Data Model Updating

    ADM domain into device configuration information in a DM. The Device Server then translates the device configuration information in the DM into CLI commands and sends the commands to the device. See Figure 76 on page 306.
  • Page 356: Figure 76: Data Model Update

    The DM contains only the VPN information that relates to the specific device, not the entire VPN. During the device model update process: The GUI Server translates the object and object attributes in the ADM domain into device configuration information in a DM.
  • Page 357: Data Model Importing

    The GUI Server then translates the device configuration in the DM into objects and object attributes in the ADM, and uses the ADM to display current information in the management console.
  • Page 358: Figure 77: Data Model Importing

    DM with device configuration information. The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM. The GUI Server then reads the ADM and displays the current information.
  • Page 359: Archiving And Restoring

    Run the appropriate backup command on your Solaris or Linux platform to back up the GUI Server data. For example: tar -cvf /netscreen_backup/db-date.tar /var/netscreen/GuiSvr Run the appropriate backup command on your Solaris or Linux platform to back up the Device Server data.
  • Page 360: Restoring Logs And Configuration Data

    Junos devices This mechanism does not apply to ScreenOS or IDP devices. The latest device schema is placed by Juniper Networks on the Juniper Update Server, which is a publicly available server. From there, schema upgrade is a two-stage process:...
  • Page 361: Downloading Schemas

    NSM. To set these permissions, in the NSM server CLI, enter the following command: % chmod 777 filename Access to the Juniper Update server uses your Juniper Networks Download Center credentials—the credentials you use to download software from the www.juniper.net Web site.
  • Page 362: Downloading Schemas Using The Nsm Ui

    Downloading a schema using GUI Server CLI will fail if the schema on the Juniper Update Server contains a disabled device family that is not yet disabled in the NSM staged schema.
  • Page 363: Applying A Schema

    The GUI Server and Device Server restart. When you log on in the restarted UI, the new schema will be active. The Job Information screen provides information about the progress of the job, and informs you if any device family is disabled in the new schema.
  • Page 365 Configuring Junos NAT Policies on page 531; Configuring VPNs on page 543; Central Manager on page 619; Topology Manager on page 625; Role-based Port Templates on page 635; Unified Access Control Manager on page 641
  • Page 367: Chapter 8 Configuring Objects

    Configuring Service Objects on page 382; Configuring SCTP Objects on page 390; Configuring Authentication Servers on page 390; Configuring User Objects on page 399; Configuring VLAN Objects on page 403; Configuring IP Pools on page 403
  • Page 368: About Objects

    (dynamic IPs, mapped IPs, and virtual IPs), enabling multiple devices to share a single object. IP Pools define ranges of IP addresses used to assign an IP address to a RAS user. Remote Settings represent DNS and WINS servers. Services and schedules:
  • Page 369: Configuring Objects

    Extranet Policy objects define rules and actions that you may apply to certain traffic on an extranet device (third-party router). Custom Policy Field objects represent metadata information that you can store and use in a structured manner. Use VPN Manager to view and configure the following objects:
  • Page 370: Using Objects Across Domains

    All available objects of the same category from the global domain are displayed, except the selected object that you are replacing. Select an object that will replace all instances of the existing object and click Next. Click Finish.
  • Page 371: Working With Unused Shared Objects

    (for example, a database version), search for existing versions with and without filters, edit comments about versions, compare two versions, restore an older version, filter and sort versions, display the differences between versions, and update a device to an older object version.
  • Page 372: Searching For And Deleting Duplicate Objects

    Firewall and IDP Rules—Use address objects or groups to specify the source and destination of network traffic. Multicast Rules—Use multicast group address objects to specify the destination of multicast traffic. VPNs—Use address objects or groups to create Protected Resources for your Policy-Based and Mixed-Mode VPNs.
  • Page 373: Viewing Address Objects

    IPv4 addresses cannot be copied to IPv6 rules and vice versa. During a device update, an IPv6 policy rule is dropped if the target platform does not support IPv6. The following sections detail each address object type.
  • Page 374: Adding A Network Address Object

    The new network address object immediately appears in the Address Tree and Address Table. NSM supports the wildcard masking feature policy on all devices running ScreenOS 6.1 and later, except those with IPv6 addresses.
  • Page 375: Editing And Deleting Address Objects

    To add an Address Object Group: In the navigation tree, select Address Objects. The address object tree appears. In the main display area, click the Add icon and select Group. Enter a unique name for the group.
  • Page 376: Adding A Multicast Group Address Object

    Select an IP version: IPv4 or IPv6. Enter the IP address of the multicast group. All IPv6 multicast addresses should have a prefix of ff00::/8. The netmask field is unavailable for IPv6 multicast addresses.
  • Page 377: Adding Static Dns Host Addresses

    NOTE: If an address object is used in multiple zones, NSM pushes the address object into the zones without changing its name. When you import a device, NSM combines address objects with the same name and same content from different zones into a single address object.
  • Page 378: Table 31: Application Table Tab Information

    Server-to-Client DFA and PCRE patterns) Minimum data length, which is the minimum number of layer-7 data bytes that the first data packet requires to make a successful match. This applies to both Client-to-Server and Server-to-Client packets.
  • Page 379: Creating Custom Application Objects

    Right-click on an application object and select Edit in order to edit it. Similarly, you can right-click on an application object and select Delete to delete it. You can only delete a custom application object and not a predefined one.
  • Page 380: Configuring Schedule Objects

    Configuring Access Profile Objects An access profile consists of a set of attributes that defines access to a device. You can configure multiple profiles and multiple clients for each profile. You can use Object
  • Page 381: Configuring Quality Of Service Profiles

    1 to 31 characters long. Select the QoS profile type from the drop-down list. Your options are: DSCP and IP. The New/Edit QoS Profile dialog box opens. In it you can set values for the following fields:
  • Page 382: Deleting A Quality Of Service Profile

    In Object Manager, select QoS profiles. Select a QoS profile to edit. Select the Edit icon at the top of the screen. The Edit QoS Profile window opens. Edit the values of the profile. Click
  • Page 383: Working With Di Attack Objects

    To create a Deep Inspection (DI) Profile object, you add predefined attack object groups (created by Juniper Networks) and your own custom attack object groups to the Profile object. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
  • Page 384: Viewing Predefined Di Attack Object Groups

    A Deep Inspection (DI) Profile object contains predefined attack object groups (created by Juniper Networks), and your own custom attack object groups. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
  • Page 385: Table 32: Deep Inspection Profile Actions

    The security device closes the connection to the client but not to the server. close server: The security device closes the connection to the server but not to the client.
  • Page 386: Table 33: Deep Inspection Ip Actions

    Working with IDP Attack Objects NSM contains a database of predefined IDP attack objects and IDP attack object groups that you can use in security policies to match traffic against known and unknown attacks.
  • Page 387: Viewing Predefined Idp Attacks

    The Predefined Attack Group tab displays the following predefined attack groups: All — a list of all attack objects, organized in the categories described below. Recommended — a list of all attack objects that Juniper Networks considers to be serious threats, organized into categories.
  • Page 388: Viewing Attack Version Information For Attack Objects And Groups

    Updating Predefined IDP Attack Objects and Groups Juniper Networks updates the predefined attack objects and groups on a regular basis with newly-discovered attack patterns. You can update the attack object database on your security devices by downloading the new attacks and groups to the NSM GUI Server, then installing the new database on your devices.
  • Page 389: Using The Attack Object Wizard

    The following sections explain the attack object creation process; for instructions for creating a custom attack object, see the NSM Online Help topic, “Creating Custom Attack Objects.” The fields that can be modified are described below.
  • Page 390: Configuring Attack Name And Description

    However, for IDP-capable devices running IDP 4.1 and later or ScreenOS 6.0 or later, you can tell the device to use the action recommended by Juniper Networks for that attack.
  • Page 391: Configuring Extended Information

    The BugTraq ID number is a three-digit code, such as 831 or 120. When you have completed entering the external references for the attack, you are ready to select the target platforms for the attack object.
  • Page 392: Configuring Target Platforms

    By combining and even specifying the order in which signatures or anomalies must match, you can be very specific about the
  • Page 393: Creating A Signature Attack Object

    You can specify the name of the protocol type, or the protocol type number. If you select IP as the service type, you should also specify an attack pattern (in the Detection area) and IP settings values (in the IP area). Additionally, if
  • Page 394: Table 34: Ip Protocol Name And Type Numbers

    ICMP, TCP, and UDP—Attacks that do not use a specific service might use a specific protocol to attack your network. Some TCP and UDP attacks use standard ports to enter your network and establish a connection; to detect these attacks, configure the
  • Page 395: Table 35: Supported Services For Service Bindings

    Gopher: Gopher; HTTP: Hypertext Transfer Protocol, TCP/80, UDP/80; ICMP: Internet Control Message Protocol; IDENT: IDENT, TCP/113; IMAP: Internet Message Access Protocol, TCP/143, UDP/143; Internet Relay Chat; LDAP: Lightweight Directory Access Protocol; Line Printer spooler
  • Page 396 Simple Network Management Protocol, TCP/161, UDP/161; SNMPTRAP: SNMP trap, TCP/162, UDP/162; Secure Shell, TCP/22, UDP/22; Secure Sockets Layer; syslog: Syslog, UDP/514; Telnet: Telnet TCP protocol, TCP/23, UDP/23; TFTP: Trivial File Transfer Protocol; Virtual Network Computing; Whois: whois
  • Page 397: Configuring Attack Detection Properties

    URL, or a value in a packet header), then create a syntactical expression that represents that pattern. Table 36 on page 348 lists the syntax based on regular expressions to match signature patterns for DI and IDP.
  • Page 398: Table 36: Attack Pattern Syntax

    01 86 A5 00 00; (hello|world): hello or world, for example hello, world; (hello|world)+: hello or world one or more times, for example helloworld, worldhello, hellohello; \[hello\]: hello in a case insensitive manner, for example hElLo, HEllO, heLLO
  • Page 399 (STC) and client-to-server (CTS) flows. If you know that the attack signature appears in the first packet of a session, choosing first packet
  • Page 400: Configuring Header Match Properties

    Detection tab) you cannot specify header contents. If you are unsure of the options or flag settings for the malicious packet, leave all fields blank and the security device attempts to match the signature for all header contents.
  • Page 401: Table 38: Di Attack Header Match Modifiers

    Each router that processes the packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded. Protocol—Specify an operand (none, =, !, >, <) and a decimal value for the protocol used.
  • Page 402 (identified by the port number) without waiting for the remaining packets in the sequence. RST—When set, the reset flag resets the TCP connection, discarding all packets in an existing sequence.
  • Page 403: Configuring A Protocol Anomaly Attack Object

    (RFCs and common RFC extensions). You cannot create new protocol anomalies, but you can configure a custom attack object that controls how the security device handles a predefined protocol anomaly when detected.
  • Page 404: Configuring A Compound Attack Object

    However, all members must use the same service setting or service binding. Configuring General Attack Properties False positive and time-based attack properties are configured for a compound attack object the same way as they are for a signature attack object.
  • Page 405: Configuring Compound Attack Members

    To add an attack pattern to the compound attack object, click the Add icon and select Signature. Pattern—Specify the pattern to match. You construct the attack pattern just as you would when creating a new signature attack object. To negate the pattern, enable Negate.
  • Page 406 - if both of the member name patterns match, and if they appear in the same order as in the Boolean Expression, the expression matches. Example: Boolean Expression Suppose you have created six signature members, labelled s1 - s5.
  • Page 407: Configuring The Direction Filter

    Although you do not have to create a group to use an attack object within an IDP rule (you can add attack objects individually or by group), organizing attack objects into groups can help keep your security policies organized.
  • Page 408: Creating Static Attack Groups

    This eliminates the need to review each new signature to determine if you need to use it in your existing security policy.
  • Page 409 Add the Recommended filter to include in the dynamic group only attacks designated as the most serious threats. In the future, Juniper Networks will designate only attacks it considers to be serious threats as Recommended. These settings will be updated with new attack object updates.
  • Page 410: Figure 78: New Dynamic Group

    IDP automatically applies all filters to the entire attack object database, identifies the attack objects that meet the defined criteria, and adds the matching objects as members of the group. View the members of the group by clicking the Members tab.
  • Page 411: Figure 79: New Dynamic Group Members

    NOTE: You can edit a custom dynamic attack group from within an IDP rule in a security policy. Double-click the group icon in the Attack Objects column of an IDP rule to display the Dynamic Group dialog box, make the desired changes, then click OK to save your edits.
  • Page 412: Editing A Custom Attack Group

    You can define profiles for antivirus, anti-spam, URL filters, and content filters for the new profile either from the same window or by navigating from their respective nodes in the navigation pane. You can create miscellaneous objects such as Extension lists, URL
  • Page 413: Creating An Antivirus Profile

    None, Block, Log and Permit. If you select the Juniper Express Engine, you need to also enable the same settings with the following exceptions, which do not appear in the Juniper Express Engine tab: Scan mode; Extension list
  • Page 414: Creating An Antispam Profile

    Enter a name for the profile. Enter a comment or description. Select a color from the drop-down list. Set notification options: Notification type, Notify mail sender, and Custom message. Select the type of content to block.
  • Page 415: Creating A Url Filtering Profile

    Enter server information: Host name, Port in the range 1024-65535, Sockets in the range 1-8. Mouse over the field to see a tool tip with the allowed values. Enter account name. Select Timeout period: In the range of 1-1800.
  • Page 416: Miscellaneous Utm Features

    Custom UTM Mime List Profiles window opens. Enter a name for the profile. Enter a comment or description. Select a color from the drop-down list. Enter the multipurpose internet mail extensions for the profile. Select
  • Page 417: Extension Lists

    Misc > URL Patterns. You can view all the URL patterns and create a new URL pattern. Select the Add icon. The New URL Pattern window opens. Enter a name for the profile. Enter a comment or description.
  • Page 418: Screenos Threat Management Features

    Internal AV scanning—This method uses the AV scanner on the security device, and is not supported by all security devices. Internal scanning may be configured on a per-device basis, or it may be configured via templates. This section describes how to create the templates.
  • Page 419: Configuring External Av Profiles

    For Name, enter scanner1_HTTP. For Server Name, enter 1.2.2.20. For Server Port, leave the default port number of 3300. Select HTTP, then configure the timeout as 300 seconds. Click OK to save the new profile.
  • Page 420: Configuring Internal Av Profiles

    Object Manager > AV Objects > Custom Mime Lists. Email Notify Virus Sender (IMAP, POP3, SMTP only): Notifies an e-mail sender if a virus was found in the e-mail.
  • Page 421: Configuring Icap Av Servers And Profiles

    If the server returns as in-service, the security device will send it traffic. If it returns as out-of-service, the security device will not send traffic. Maximum Connections: The maximum number of TCP connections between the security device and the ICAP AV server.
  • Page 422: Configuring Icap Av Profiles

    See “Configuring ICAP AV Servers and Profiles” on page 371 for information on creating ICAP AV servers and server group objects in NSM. Request URL: The request URL on the ICAP AV server. Response URL: The response URL on the ICAP AV server.
  • Page 423: Configuring Web Filtering Objects

    Click the Add icon. The New Web categories dialog box appears. For Name, enter Competitors, Gaming. Click the Add icon. The New URL Entries dialog box appears. Enter your configuration changes, then repeat to add a second URL Entry. Copyright © 2010, Juniper Networks, Inc.
  • Page 424: Configuring Custom Policy Fields

    This is required and the custom object instance cannot be saved until this expression is satisfied. Comments -- This column allows the user to input any comments associated with the new object. Copyright © 2010, Juniper Networks, Inc.
  • Page 425: Defining Metadata

    Objects with a String data type will provide a special edit dialog that allow you to change the string value contained within. The dialog allowing for this information is accessible by right-clicking on the selected value in the Context Menu. Objects with a Shared data Copyright © 2010, Juniper Networks, Inc.
  • Page 426: Open Log Viewer

    In the GTP header, the message length field indicates the length of the GTP payload. It does not include the length of the GTP header itself, the UDP header, or the IP header. Copyright © 2010, Juniper Networks, Inc.
  • Page 427: Limiting Gtp Message Rate

    GGSN. During the PDP context activation stage: The sending GGSN uses zero (0) as the Sequence Number value for the first G-PDU it sends through a tunnel to another GGSN. The sending GGSN then increments the Copyright © 2010, Juniper Networks, Inc.
  • Page 428: Filtering Gtp-In-Gtp Packets

    A security device creates log entries for GTP events based on the status of the GTP packet. For each event type, you can also specify how much information (basic or extended) you want about each packet. Copyright © 2010, Juniper Networks, Inc.
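    The two GTP sanity checks the pages above describe (a length field that covers only the payload after the 8-byte mandatory header, and the detection of a GTP tunnel carried inside another GTP tunnel) as an added example written for this page; it is illustrative code, not Juniper's implementation. The GTPv1 header layout and the GTP-C/GTP-U ports 2123/2152 come from 3GPP TS 29.060; the sample packets are constructed inline and are not captured traffic.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

GTP_C_PORT = 2123
GTP_U_PORT = 2152
GTP_MANDATORY_HDR = 8        # flags, message type, length, TEID
MSG_TYPE_G_PDU = 255


class GtpError(ValueError):
    """Raised when a datagram fails GTP header sanity checks."""


@dataclass
class GtpHeader:
    version: int
    msg_type: int
    length: int              # value of the length field (payload only)
    teid: int
    seq: Optional[int]       # present only when the S, E or PN flag is set
    payload: bytes           # everything after the optional header fields


def parse_gtpv1(datagram: bytes) -> GtpHeader:
    """Parse a GTPv1 header from a UDP payload and verify its length field.

    Per 3GPP TS 29.060 the length field counts only the octets that follow the
    8-byte mandatory header: the optional sequence/N-PDU/extension octets are
    part of that count, the UDP and IP headers never are.
    """
    if len(datagram) < GTP_MANDATORY_HDR:
        raise GtpError("truncated GTP header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", datagram[:8])
    if flags >> 5 != 1:
        raise GtpError(f"unsupported GTP version {flags >> 5}")
    has_optional = bool(flags & 0x07)                  # E, S or PN flag set
    actual = len(datagram) - GTP_MANDATORY_HDR
    if length != actual:
        raise GtpError(f"length field {length} != actual payload {actual}")
    if has_optional and length < 4:
        raise GtpError("optional fields flagged but length field too small")
    seq = struct.unpack("!H", datagram[8:10])[0] if has_optional else None
    body = datagram[12:] if has_optional else datagram[8:]
    return GtpHeader(1, msg_type, length, teid, seq, body)


def is_gtp_in_gtp(hdr: GtpHeader) -> bool:
    """True when a G-PDU carries an IPv4/UDP packet addressed to a GTP port,
    i.e. a GTP tunnel encapsulated inside another GTP tunnel."""
    if hdr.msg_type != MSG_TYPE_G_PDU:
        return False
    ip = hdr.payload
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return False
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17 or len(ip) < ihl + 8:               # not UDP, or truncated
        return False
    dport = struct.unpack("!H", ip[ihl + 2:ihl + 4])[0]
    return dport in (GTP_C_PORT, GTP_U_PORT)


def classify(datagram: bytes) -> str:
    """Decision a GTP-aware firewall would make for one UDP payload."""
    try:
        hdr = parse_gtpv1(datagram)
    except GtpError as exc:
        return f"drop: {exc}"
    if is_gtp_in_gtp(hdr):
        return "drop: gtp-in-gtp"
    return "pass"


# --- constructed sample packets (not captured traffic) -----------------------

def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp


def build_gpdu(teid: int, inner: bytes, seq: Optional[int] = None) -> bytes:
    opt = b"" if seq is None else struct.pack("!HBB", seq, 0, 0)
    flags = 0x30 | (0x02 if seq is not None else 0)     # version 1, PT=1, S flag
    return struct.pack("!BBHI", flags, MSG_TYPE_G_PDU, len(opt) + len(inner), teid) + opt + inner


SUBSCRIBER_DNS = build_ipv4_udp("10.45.0.2", "192.0.2.53", 40000, 53, b"\x00" * 12)
GOOD = build_gpdu(0x1234, SUBSCRIBER_DNS, seq=0)          # first G-PDU of a tunnel: seq 0
NESTED = build_gpdu(0x1234, build_ipv4_udp("10.45.0.2", "198.51.100.7", 2152, GTP_U_PORT,
                                           build_gpdu(0x1, b"\x45" + b"\x00" * 19)))
BAD_LEN = bytearray(GOOD)
struct.pack_into("!H", BAD_LEN, 2, struct.unpack("!H", GOOD[2:4])[0] + 10)   # lie about payload length
BAD_LEN = bytes(BAD_LEN)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("nested", NESTED), ("bad-length", BAD_LEN)):
        print(f"{name:11s} -> {classify(pkt)}")
```

    The length check compares the field against what is actually left in the UDP payload rather than trusting it, which is the point of the page's note: a device that used the field to locate the inner packet would be steered by the sender. The GTP-in-GTP check looks only at the inner IPv4/UDP destination port; a production filter would also consider IPv6 inner packets.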
  • Page 429: Configuring Imsi Prefix And Apn Filtering

    GTP packet. Additionally, you can filter GTP packets based on the combination of an IMSI prefix and an APN. For details, see “Creating an IMSI Prefix Filter” on page 380.
  • Page 430: Creating An Imsi Prefix Filter

    GTP packet. You can set up to 1000 IMSI prefixes for each device (one per filter). To disable IMSI prefix filtering, remove all MCC-MNC pairs from the GTP object.
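    IMSI prefix and APN filtering as the two pages above describe it, as an added example written for this page rather than Juniper code: the IMSI and APN information elements are decoded from a GTPv1-C message body and matched against a list of MCC-MNC pairs, each optionally tied to an APN. The IE type numbers (IMSI = 2, TBCD-coded; APN = 131, DNS-style labels) come from 3GPP TS 29.060. Two points are assumptions, not statements of the page: the filter is applied only to messages that carry an IMSI IE, and an IMSI that matches none of the configured prefixes is dropped when any prefix is configured. The filter list and message bodies are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_IMSI_FILTERS = 1000          # per-device limit stated on the page
IE_IMSI = 2                      # TV IE, 8 octets of TBCD digits
IE_APN = 131                     # TLV IE, DNS-style length-prefixed labels
# Lengths of the fixed-size (TV) IEs this parser knows; any other type below
# 128 is rejected rather than guessed.
TV_IE_LENGTHS: Dict[int, int] = {1: 1, 2: 8, 3: 6, 14: 1, 16: 4, 17: 4, 20: 1}


def decode_tbcd(raw: bytes) -> str:
    """TBCD: two digits per octet, low nibble first, 0xF pads an odd count."""
    digits = []
    for octet in raw:
        for nibble in (octet & 0x0F, octet >> 4):
            if nibble == 0x0F:
                return "".join(digits)
            if nibble > 9:
                raise ValueError("non-decimal nibble in TBCD string")
            digits.append(str(nibble))
    return "".join(digits)


def encode_tbcd(digits: str, octets: int = 8) -> bytes:
    padded = digits + "F" * (2 * octets - len(digits))
    return bytes(int(padded[i], 16) | int(padded[i + 1], 16) << 4
                 for i in range(0, 2 * octets, 2))


def decode_apn(raw: bytes) -> str:
    labels, off = [], 0
    while off < len(raw):
        n = raw[off]
        labels.append(raw[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels)


def encode_apn(apn: str) -> bytes:
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in apn.split("."))


def extract_imsi_apn(body: bytes) -> Tuple[Optional[str], Optional[str]]:
    """Walk the IEs of a GTPv1-C message body and return (IMSI, APN) if present."""
    imsi = apn = None
    off = 0
    while off < len(body):
        ie_type = body[off]
        if ie_type < 128:                                    # TV: fixed length
            if ie_type not in TV_IE_LENGTHS:
                raise ValueError(f"unknown TV IE {ie_type}")
            length, value_off = TV_IE_LENGTHS[ie_type], off + 1
        else:                                                # TLV: 2-byte length
            length = struct.unpack("!H", body[off + 1:off + 3])[0]
            value_off = off + 3
        value = body[value_off:value_off + length]
        if len(value) != length:
            raise ValueError("truncated IE")
        if ie_type == IE_IMSI:
            imsi = decode_tbcd(value)
        elif ie_type == IE_APN:
            apn = decode_apn(value)
        off = value_off + length
    return imsi, apn


@dataclass(frozen=True)
class ImsiFilter:
    mcc: str            # 3 digits
    mnc: str            # 2 or 3 digits
    apn: str = "*"      # "*" = any APN
    action: str = "pass"


def apply_imsi_filters(filters: List[ImsiFilter], imsi: str, apn: Optional[str],
                       default: str = "drop") -> str:
    """Action for a request with this IMSI and APN. The default for a prefix that
    matches no entry is an assumption of this example, not taken from the page."""
    if not filters:                     # no MCC-MNC pairs: filtering disabled
        return "pass"
    if len(filters) > MAX_IMSI_FILTERS:
        raise ValueError("more than 1000 IMSI prefixes configured")
    for f in filters:
        if imsi.startswith(f.mcc + f.mnc) and f.apn in ("*", apn):
            return f.action
    return default


def check_request(body: bytes, filters: List[ImsiFilter]) -> str:
    imsi, apn = extract_imsi_apn(body)
    if imsi is None:        # assumption: messages without an IMSI IE are not subject to the filter
        return "pass"
    return apply_imsi_filters(filters, imsi, apn)


# Constructed sample bodies and filter list (not from a real network).
def make_body(imsi: str, apn: str) -> bytes:
    apn_ie = encode_apn(apn)
    return (bytes([IE_IMSI]) + encode_tbcd(imsi)
            + bytes([IE_APN]) + struct.pack("!H", len(apn_ie)) + apn_ie)


FILTERS = [
    ImsiFilter("234", "15", "*", "pass"),                    # roaming partner, any APN
    ImsiFilter("310", "410", "internet.example", "pass"),    # partner allowed on one APN only
]
HOME_REQ = make_body("234150123456789", "corp.example")
PARTNER_OK = make_body("310410111222333", "internet.example")
PARTNER_BAD_APN = make_body("310410111222333", "corp.example")
UNKNOWN_PLMN = make_body("262020000000000", "internet.example")
```

    The TBCD decoder stops at the first 0xF filler nibble and rejects non-decimal digits, so a malformed IMSI IE cannot be turned into a prefix that accidentally matches; an empty filter list is treated as "filtering disabled", which matches the page's instruction to remove all MCC-MNC pairs to turn the feature off.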
  • Page 431: Configuring Gtp Message Filtering

    For Name, enter GPRS1, then enter a color and comment for the object. Select Sequence Number Validation. Select GTP in GTP Denied. Leave all other defaults. In the GTP navigation tree, select Traffic Logging/Counting. Configure the following:
  • Page 432: Configuring Service Objects

    You can view predefined services in a tree or table format. The Service Tree displays services in a tree format, with service groups and individual services. The Service Table (Table 39 on page 383) displays services in a table format, and includes the following details:
  • Page 433: Table 39: Service Table Tab Information

    NOTE: The transport address consists of the port number of the server, the program ID, and the version number. NSM and security devices support 13 Sun-RPC predefined services. To permit or deny all Sun-RPC requests, include the Sun-RPC-Any service in a firewall or IDP rule; to
  • Page 434: Creating Custom Services

    User-defined. Enter a session timeout value. The maximum timeout value for TCP and UDP connections is 2160 minutes. Color—Select a color to represent this service object in the NSM UI. Comment—Add a comment, if desired. Add the service entry:
  • Page 435: Service Object Groups

    (hold Ctrl to select multiple objects), then click Add. NOTE: You can drag service objects into and out of service groups from the main service tree. Click OK. The new service object group appears in the Service Tree and Service Table tabs.
  • Page 436: Example: Creating A Custom Service And Group

    Configure the following: For Name, enter Remote Mail. For Color, select pink. Enter a comment, if desired. In the Non-members area, select the following services (press and hold Ctrl to select multiple services):
  • Page 437: Example: Creating A Custom Sun-Rpc Service

    OK: For Program Low, enter 100003. For Program High, enter 100003. Configure the second service entry. Click the Add icon to display the New Service Entry dialog box, configure the following, then click OK:
  • Page 438: Example: Creating A Custom Ms-Rpc Service

    For Color, select blue. Enter a comment, if desired. Select the MS-RPC tab. Configure a service entry for each of the following UUIDs: 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, 1453c42c-0fa6-11d2-a910-00c04f990f3b, 10f24e8e-0fa6-11d2-a910-00c04f990f3b, 1544f5e0-613c-11d1-93df-00c04fd7bd09. Click OK to save the new service object.
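    An MS-RPC service entry identifies an interface by its UUID, and a firewall that matches such a service has to pull that UUID out of the client's DCE/RPC bind request. The following is an added example written for this page, not Juniper's implementation: it decodes the presentation contexts of a DCE/RPC version 5 bind PDU (honouring the data-representation octet, since UUID fields are byte-swapped in little-endian encodings) and reports which contexts belong to the four UUIDs listed on the page. The sample bind PDU is constructed inline; its second interface UUID is made up for the example.

```python
import struct
import uuid
from typing import List, Set, Tuple

PTYPE_BIND = 11
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# The four interface UUIDs the page's custom MS-RPC service entries list.
SERVICE_UUIDS: Set[uuid.UUID] = {
    uuid.UUID("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde"),
    uuid.UUID("1453c42c-0fa6-11d2-a910-00c04f990f3b"),
    uuid.UUID("10f24e8e-0fa6-11d2-a910-00c04f990f3b"),
    uuid.UUID("1544f5e0-613c-11d1-93df-00c04fd7bd09"),
}

Context = Tuple[int, uuid.UUID, int]   # (presentation context id, interface UUID, major version)


def bind_contexts(pdu: bytes) -> List[Context]:
    """Decode the presentation contexts of a DCE/RPC v5 bind PDU.

    Byte 4 (packed data representation) says whether the client wrote the
    header and UUIDs little-endian; the UUID fields must be read accordingly.
    """
    if len(pdu) < 28 or pdu[0] != 5 or pdu[2] != PTYPE_BIND:
        raise ValueError("not a DCE/RPC v5 bind PDU")
    little = (pdu[4] & 0xF0) == 0x10
    end = "<" if little else ">"
    frag_len = struct.unpack(end + "H", pdu[8:10])[0]
    if frag_len != len(pdu):
        raise ValueError(f"frag_length {frag_len} does not match PDU size {len(pdu)}")
    n_ctx = pdu[24]
    contexts: List[Context] = []
    off = 28
    for _ in range(n_ctx):
        if off + 24 > len(pdu):
            raise ValueError("truncated presentation context list")
        ctx_id, n_syntax, _ = struct.unpack(end + "HBB", pdu[off:off + 4])
        raw = pdu[off + 4:off + 20]
        iface = uuid.UUID(bytes_le=raw) if little else uuid.UUID(bytes=raw)
        major = struct.unpack(end + "H", pdu[off + 20:off + 22])[0]
        contexts.append((ctx_id, iface, major))
        off += 24 + 20 * n_syntax              # skip the transfer-syntax entries
    return contexts


def matching_context_ids(pdu: bytes, service: Set[uuid.UUID]) -> List[int]:
    """Context ids whose interface UUID belongs to the service object."""
    return [ctx for ctx, iface, _ in bind_contexts(pdu) if iface in service]


def build_bind(contexts: List[Context], call_id: int = 1) -> bytes:
    """Constructed little-endian bind PDU, one NDR transfer syntax per context."""
    body = struct.pack("<HHI", 5840, 5840, 0)             # max xmit/recv frag, assoc group
    body += struct.pack("<BBH", len(contexts), 0, 0)      # n_context_elem + padding
    for ctx_id, iface, major in contexts:
        body += struct.pack("<HBB", ctx_id, 1, 0)
        body += iface.bytes_le + struct.pack("<HH", major, 0)
        body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


# Constructed sample: a client binding to one interface from the page's list
# and to an unrelated interface (UUID made up here) in the same PDU.
SAMPLE_BIND = build_bind([
    (0, uuid.UUID("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde"), 1),
    (1, uuid.UUID("12345678-1234-5678-1234-56789abcdef0"), 2),
])
```

    The frag_length check matters: a bind whose declared length does not cover the context list is how a client would make a naive parser read past the PDU. Note also that one bind can carry several contexts, so a rule has to be applied per context rather than per connection.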
  • Page 439: Editing And Deleting Service Objects

    Select the HTTPS service object. Click Next. The wizard next displays the objects affected by the Replace With operation. As an optional step, you can delete any replaced custom service objects by clicking on them and then selecting Delete Replaced Object.
  • Page 440: Configuring Sctp Objects

    You can also configure a RADIUS authentication server object to provide authentication for the global domain and each subdomain. For information about configuring a RADIUS server, see “Configuring a RADIUS Authentication Server” on page 393.
  • Page 441: Configuring General Authentication Server Settings

    0 (the device continues to use the backup server indefinitely). The interval countdown begins when the device fails over from the primary auth server to the backup or secondary backup server (RADIUS only).
  • Page 442: Configuring Authentication For User Types

    If the device does not locate the separator character in the username, it does not strip the domain name from the username (usernames are passed to the authentication server as-is). Conversely, if the number of specified separator characters exceeds the number
  • Page 443: Configuring Authentication Server Types

    For operations where RFC 2865/66 and RFC 2138 are both supported, the server complies with all three RFCs. When unselected (default), the server is compatible only with the current RADIUS standards, RFC 2865 and 2866.
  • Page 444 A RADIUS server supports the following user types: Auth users; L2TP users (authentication and remote settings); XAuth users (authentication and remote settings); Admin users (authentication and privilege assignments); User groups. A RADIUS server does not support IKE users.
  • Page 445 After you define the VSA values, the security device can query those values when a user logs on to the device. You must load a Juniper Networks dictionary file to enable the RADIUS server to support NSM-specific attributes such as administrator privileges, user groups, remote L2TP and XAuth IP addresses, and DNS and WINS server address assignments.
  • Page 446: Configuring A Securid Authentication Server

    3 seconds to 4 seconds. You also assign its two backup servers the IP addresses 10.20.1.110 and 10.20.1.120. In addition, you load the Juniper Networks dictionary file on the RADIUS server so that it can support queries for the following vendor-specific attributes (VSAs): user groups, administrator privileges, remote L2TP and XAuth settings.
  • Page 447 L2TP users (user authentication; L2TP user receives default L2TP settings from the security device); XAuth users (user authentication; no support for remote setting assignments); Admin users (user authentication; administrator user receives default privilege assignment of read-only)
  • Page 448: Configuring An Ldap Authentication Server

    To configure the TACACS server: In the NSM main navigation tree, click Object Manager > Authentication Servers. Select the TACACS server type from the Authentication Server dialog box. Configure the following parameters and click OK.
  • Page 449: Configuring User Objects

    L2TP. Enables authentication in the L2TP tunnel that the user uses to connect to the device. If you select this option, you must also enter an L2TP password for the user.
  • Page 450: Configuring Local User Groups

    RADIUS server. In phase 2 of IKE negotiations, the device uses the local user object or local user group for authentication. Typically, you configure the local user object with IKE authentication and a U-FQDN
  • Page 451 “midas.” Finally, you configure a security policy that permits only authenticated traffic from auth_grp2 to midas, both of which are in the Trust zone.
  • Page 452 On the RADIUS server, load the Juniper Networks dictionary file and define auth user accounts. Use the Juniper Networks user group VSA to create the user group auth_grp2 and apply it to the auth user accounts that you want to add to that group.
  • Page 453: Configuring Vlan Objects

    The Start IP must always be lower than the End IP. End IP—The end of the range of IP addresses included in the pool, inclusive. The End IP must always be higher than the Start IP.
  • Page 454: Using Multiple Ip Ranges

    Click OK again to save the IP Pool object and return to Object Manager. Configuring Group Expressions: Group expressions are statements that set conditions for authentication requirements, enabling you to combine multiple external user objects. You can create group expressions
  • Page 455: Table 40: Group Expression Operators

    If the security policy defines authentication for user objects that match the description of group expression “a” OR group expression “b”, the security device authenticates the user if either group expression references that user.
  • Page 456 Sales group and your Marketing group, then add the expression to a security policy that provides access to your protected networks. First, create two external user group objects: one to represent the Sales users and the other to represent the Marketing users.
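    How a group expression is evaluated against a user, as an added example written for this page (not Juniper code). It assumes the AND, OR and NOT operators of Table 40, that an operand is either an external user group object or the name of another group expression, and that the user's group memberships arrive from the RADIUS user-group VSA as a set of names. The Sales-or-Marketing expression is the page's example; the contractor exclusion that nests it, and the group names, are constructed here. Because expressions can reference each other, the evaluator also refuses a self-referencing chain.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Union


@dataclass(frozen=True)
class Group:
    """An external user group object; membership comes from the RADIUS user-group VSA."""
    name: str


Operand = Union[Group, str]          # a group object, or the name of another group expression


@dataclass(frozen=True)
class GroupExpression:
    op: str                          # "AND", "OR" or "NOT"
    left: Operand
    right: Optional[Operand] = None  # unused for NOT


def evaluate(name: str, expressions: Dict[str, GroupExpression],
             user_groups: FrozenSet[str], _visiting: FrozenSet[str] = frozenset()) -> bool:
    """True when a user with these group memberships satisfies the named expression."""
    if name in _visiting:
        raise ValueError(f"group expression {name!r} references itself")
    expr = expressions[name]
    visiting = _visiting | {name}

    def value(operand: Operand) -> bool:
        if isinstance(operand, Group):
            return operand.name in user_groups
        return evaluate(operand, expressions, user_groups, visiting)

    if expr.op == "NOT":
        return not value(expr.left)
    if expr.right is None:
        raise ValueError(f"{expr.op} needs two operands")
    if expr.op == "AND":
        return value(expr.left) and value(expr.right)
    if expr.op == "OR":
        return value(expr.left) or value(expr.right)
    raise ValueError(f"unknown operator {expr.op!r}")


# Constructed expressions: the page's Sales-or-Marketing case, plus one that
# nests it to exclude contractors.
EXPRESSIONS: Dict[str, GroupExpression] = {
    "sales_or_marketing": GroupExpression("OR", Group("Sales"), Group("Marketing")),
    "not_contractor": GroupExpression("NOT", Group("Contractors")),
    "staff_access": GroupExpression("AND", "sales_or_marketing", "not_contractor"),
}


def policy_permits(user_groups: FrozenSet[str], expression: str = "staff_access") -> bool:
    """Decision for a firewall rule whose authentication references `expression`."""
    return evaluate(expression, EXPRESSIONS, user_groups)
```

    A user who is in Sales but also in Contractors is refused by staff_access even though sales_or_marketing alone would admit them; that is the reason to test a nested expression with the memberships you expect to be denied, not only with the ones you expect to pass.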
  • Page 457: Figure 80: Configure External User Groups For Sales And Marketing

    DNS or WINS servers (primary and secondary). To configure a remote setting, select Remote Settings and click the Add icon. Enter a name, color, and comment for the object, then configure the following parameters:
  • Page 458: Configuring Routing Instance Objects

    Manager displays all the routing instance objects configured in NSM. In the main display area, click the Add icon. The New Routing Instance dialog box appears. Enter a unique name for the routing instance object.
  • Page 459: Configuring Nat Objects

    For SRX Series gateways, NAT settings must be configured in the device. For more information on DIP, MIP, and VIP objects, see the following sections: Configuring DIP Objects on page 410; Configuring MIP Objects on page 410; Configuring VIP Objects on page 410.
  • Page 460: Configuring Dip Objects

    Enter a name, color, and comment for the object, then click the Add icon to specify the device-specific VIP configuration: Device—Select the security device that includes the VIP. Interface—Select the interface on the device that uses the virtual IP address.
  • Page 461: Configuring Junos Os Nat Objects

    ) to configure the parameters for the new source NAT object. A New – Junos Source NAT dialog box appears. Here, you must select the device that performs the translation and specify the address pool. Device: Select a device from the drop-down list.
  • Page 462: Table 41: Source Nat Configuration Options

    Overflow Pool: The pool used when the current address pool is exhausted. The pool can be a user-defined pool or the IP address of an interface. Options: None; Pool-name: Select a user-defined pool; Interface: Enter the IP address of the interface.
  • Page 463 Click on a link to navigate to the area where this object is referenced. You can proceed with or cancel the deletion. If the deletion is successful, the following message appears in the dialog box: Deleted Source NAT-object name. Click Finish.
  • Page 464: Configuring Destination Nat Objects

    You will see a list of values to select from the drop-down list if you have previously configured address pools. Table 42 on page 415 lists the fields that are available and the action you need to perform on each field.
  • Page 465: Table 42: Destination Nat Configuration Options

    Select the Edit icon at the top of the screen. The Junos Destination NAT dialog box appears. Select the device to edit. Select the Edit icon. The Junos Destination NAT dialog box appears. Edit the values of the destination NAT object. Click
  • Page 466: Configuring Certificate Authorities

    NSM. Because the CA certificate is an object, however, you can use the same CA for multiple devices, as long as those devices use local certificates that were issued by that CA.
  • Page 467: Using Certificate Authorities

    Best Effort. Enable this option to check for revocation but accept the certificate if no revocation information is found. Note that this setting fails open: a certificate whose revocation status cannot be obtained is still accepted. CRL Settings—Configure the default setting for the Certificate Revocation List.
  • Page 468: Configuring Crl Objects

    CRL for multiple devices, as long as those devices use local and CA certificates that were issued by that CA. Using CRLs: You can use a CRL object in a VPN to check for VPN members using revoked certificates.
  • Page 469: Configuring Crls

    When you create the extranet device in NSM, bind the policy to the appropriate interface and specify the script you want to perform the required update actions. When you update the device, NSM invokes the script. Any XML output appears in the Job Information window.
  • Page 470: Configuring Binary Data Objects

    UI file system. Click OK to add the object to the Binary Data list in the Object Manager.
  • Page 471: Viewing, Editing, And Deleting Binary Data Objects

    Each protected resource represents an address or a range of addresses on your network. Each resource also can specify a service (such as FTP or NFS). Therefore, the protected resource is the destination for all traffic using the selected service to the selected address.
  • Page 472: Creating Protected Resources

    Because IKE generates keys automatically, you can give each key a short life span, making it expire before it can be
  • Page 473: Creating Custom Ike Phase1 Proposals

    Select the group that meets your security requirements and user needs: Group 1. Uses a 768-bit modulus. Group 2. Uses a 1024-bit modulus. Group 5. Uses a 1536-bit modulus. Group 14. Uses a 2048-bit modulus. Of these, only Group 14 meets the current 2048-bit minimum for Diffie-Hellman; Groups 1 and 2 are too weak for new deployments and should be chosen only for compatibility with peers that support nothing stronger.
  • Page 474: Creating Custom Ike Phase 2 Proposals

    Select the DH group used for Perfect Forward Secrecy (the group from which the Phase 2 key is derived): No Perfect Forward Secrecy. Diffie-Hellman Group 1. Diffie-Hellman Group 2. Diffie-Hellman Group 5. Diffie-Hellman Group 14.
  • Page 475: Configuring Dial-In Objects

    Object Manager > Dial-In. Select Add Dial In Object. The New Dial In window opens. Click in the Phone Settings table for either the White List or Black List. The New List Entry box opens.
  • Page 476: Linking The Dial-In Profile With The Device

    Admission controller objects are listed on the transaction policy’s shared-object menu, where you can drag and drop them into the transaction terms. When you import a device, the admission controller objects are also imported.
  • Page 477 BSG objects are supported in Junos OS Release 9.5 and later. When updating devices running under earlier versions of Junos OS, the admission controller setting is dropped.
  • Page 479: Chapter 9 Configuring Security Policies

    You can also use firewall rules to control the shape of your network traffic as it passes through the firewall or to log specific network events. Multicast rules permit multicast control traffic, such as IGMP or PIM-SM messages, to cross Juniper Networks security devices. Multicast rules permit multicast control traffic only; to permit data traffic (both unicast and multicast) to pass between zones, you must configure firewall rules.
  • Page 480: About Security Policies

    Move the cursor over a column header of the security policy. A small icon appears to the left above the No. column. Click on the icon to display the Select Visible Columns dialog box, as shown in Figure 82 on page 431.
  • Page 481: Configuring Security Policies

    You must create and save these custom policy fields as objects under the Object Manager before you can use them in policy. See “Configuring Custom Policy Fields” on page 374 for details.
  • Page 482: About Rulebases

    Juniper Networks provides predefined attack objects that you can use in IDP rules. You can also configure your own custom attack objects. NOTE: Juniper Networks updates predefined attack objects on a regular basis to keep current with newly discovered attacks.
  • Page 483: Rule Execution Sequence

    Zone rulebase, Global rulebase, Multicast rulebase. Managed devices process and execute IDP rules in the following order: Exempt rulebase, IDP rulebase, APE rulebase, Backdoor rulebase, SYN Protector rulebase, Traffic Anomalies rulebase, Network Honeypot rulebase.
  • Page 484: About Rules

    NOTE: On Juniper Networks vsys devices, rules defined in the root system do not affect rules defined in virtual systems.
  • Page 485: Vpn Links And Rules

    However, you might want to create access rules to control the flow of traffic in a routing-based VPN tunnel. NOTE: VPN rules are not validated by rule validation. Only firewall rules are validated by rule validation.
  • Page 486: About Rule Groups

    IDP rulebases. If you do not enable IDP in a firewall rule for a target device, you can still configure rules in IDP rulebases, but you cannot apply the IDP rules when you update the security policy on the target security devices.
  • Page 487: About Idp Rulebases On Standalone Idp Sensors

    In sensor mode, a Sensor receives a copy of a packet while the original packet is forwarded on the network. The Sensor examines the copy of the packet and flags any potential problems. The Sensor’s inspection of packets does not affect the forwarding of the packet on the network.
  • Page 488: Enabling Ipsec Null Encryption For Idp Inspection

    Pre-Existing Policies—When creating a new policy, you can use an existing policy as a template. NSM comes with a collection of predefined IDP policies that you can use, or you can use a policy that was created earlier by your organization.
  • Page 489: Configuring Objects For Rules

    The selected column value is applied to all selected rules. NOTE: After you select the rules, a right-click on any column value displays the menu “Apply Value to selected rules,” and no other menu options are available for the selected column value.
  • Page 490: Running Screenos Or Junos Os

    When you create a new IDP security policy, you can select from the following predefined policies or use the Policy Creation Wizard, as described in the next section. NOTE: IDP predefined policies are empty after an attack update. Relaunch the GUI to reinstate the policies.
  • Page 491: Using The Policy Creation Wizard

    Stand Alone IDP—Select this option to create a new policy containing the IDP rulebase. Integrated Security Gateways/Security Routers—Select this option to create a new policy containing a zone-based firewall rulebase with one any-any-permit IDP-enabled rule as well as the IDP rulebase.
  • Page 492: Adding Rulebases

    Configuring Firewall Rules: The firewall rulebases enable you to create zone and global firewall rules that control the flow of traffic on your network. You can configure the following settings for a firewall rule:
  • Page 493: Defining Match For Firewall Rules

    ScreenOS 6.2 and later. If you choose "self" as the source zone, then you must also configure the source address as "any". The system validates devices on which security policies with source zone "self"
  • Page 494: Configuring Source And Destination Addresses For Firewall Rules

    When installing the rule on devices running ScreenOS 5.0 and later, you can add multiple MIPs. When installing the rule on devices running ScreenOS 5.3 and later, you can add multiple MIPs and VIPs.
  • Page 495: Support For Any-Ipv6 As A Source Address

    "yes" and then reboot the device. Since NSM does not manage environment variables, you cannot set this in NSM. The Any-IPv6 functionality is supported on ISG family devices running ScreenOS 6.2-IDP and later versions, and devices running Junos 10.2 and later versions.
  • Page 496: Configuring Services For Firewall Rules

    You can set different actions for each rule: Permit—The managed device permits the traffic to pass through the firewall to its destination address.
  • Page 497: Selecting Devices For Firewall Rules

    Install Column of the rule, enabling you to use a single security policy for multiple security devices. To see the exact rules that are applied to a specific device, in Device Manager, right-click a device and select Policy > View Pending Device Policy.
  • Page 498: Configuring Firewall Rule Options

    IP address selected from the DIP pool. To translate the source IP address using the IP address of the outgoing interface on the security device, select Use Interface.
  • Page 499: Enabling Gtp For Firewall Rules

    For security devices running ScreenOS 5.3 and later, you can also manage the flow of traffic through the security device by limiting bandwidth at the point of ingress. You can configure the following traffic shaping parameters:
  • Page 500 DiffServ field, which prevents upstream routers from altering priority levels. For information about changing the default mappings between priority levels and the DiffServ system, see the Network and Security Manager Configuring ScreenOS and IDP Devices Guide.
  • Page 501: Enabling Logging And Counting For Firewall Rules

    You must enable counting before you can enable alarms. Although you can enable counting without also enabling alarms, NSM does not use the counting data except to trigger alarms. If you do not intend to use alarms, you should leave counting disabled.
  • Page 502: Miscellaneous

    (recurring or one-time) of the time period. You can use schedules to control the flow of network traffic at a time-sensitive level, and also enhance your network security.
  • Page 503 ID set to “none”, which preserves the autogenerated ID number. When you copy and paste a rule within a rulebase, NSM automatically creates a new unique ID for the pasted rule. You are not required to set an ID for a rule.
  • Page 504: Configuring Web Filtering For Firewall Rules

    Select Web Filtering Through SurfControl CPA (Integrated). The Select SC-CPA Profile box appears. Select the profile ns_profile to bind to the firewall rule. NOTE: You can only bind one Web Filtering profile to a firewall rule. Click OK.
  • Page 505: Configuring Authentication For Firewall Rules

    Infranet Authentication—Use this option to enable specified RAS users to connect using a Juniper Networks Infranet Controller. An unauthenticated user trying to access a UAC-protected resource via HTTP is usually redirected to a URL of an authenticating IC. The redirect URL is a global parameter specified per controller.
  • Page 506: Configuring Antivirus For Firewall Rules

    This setting only works for devices running ScreenOS 5.3. Use ICAP Profile—ICAP is a method of redirecting traffic to an ICAP-capable server running AV software. This feature is available on devices running ScreenOS 5.4 and higher.
  • Page 507: Configuring A Di Profile/Enable Idp For Firewall Rules

    Traffic that is denied by a firewall rule cannot be passed to IDP rules. To enable IDP in a firewall rule, the action must be permit. For firewall rules that pass traffic to the IDP rulebases, the Install On column must include IDP-capable devices only.
  • Page 508: Limiting Sessions Per Policy From Source Ips

    As an intermediate security device, a device running ScreenOS maintains a session for each TCP connection until it times out. Traffic can resume if a client sends an RST (reset) packet, but the client needs to be informed of
  • Page 509: Comments For Firewall Rules

    On security devices, you secure multicast control traffic using access lists. First, you create an access list, which defines one of the following: The multicast groups a host can join. The sources from which traffic can be received.
  • Page 510: Configuring Source And Destination Zones

    In the main navigation tree, select Object Manager > Address Objects. In the main display area, click the Add icon and select Multicast Group. In the New Multicast Group dialog box, configure the following, then click OK:
  • Page 511: Configuring Antivirus Rules

    Use Scan Manager with Profile—Tells the device to use the indicated antivirus profile. Necessary for ScreenOS 5.3 and later. Use ICAP Profile—Tells the device to use the indicated ICAP AV profile. Available with ScreenOS 5.4 and later.
  • Page 512: Configuring Antispam Rules

    467) and future connections from the same source IP address (see “Choosing an IP Action” on page 471). “Configuring Notification in IDP Rules” on page 472—Disable or enable logging for the IDP rule.
  • Page 513: Defining Match For Idp Rules

    To detect incoming attacks that target your internal network, set the From Zone to Untrust, and the Source IP to any IP. Then, set the To Zone to dmz and trust. Next, select
  • Page 514: Configuring User Roles For Idp Rules

    Username-based IDP policy is not supported. The firewall must map either a source IP or the username to a user role before it can forward a packet. While the firewall supports 200 roles for one user, the IDP policy supports only 100 roles for each user.
  • Page 515: Configuring Services For Idp Rules

    Add this service object to your rule, then add several HTTP attack objects, which have a default service of TCP/80. IDP uses the specified service, HTTP-8080, instead of the default, and looks for matches to the HTTP attacks in TCP traffic on port 8080.
  • Page 516: Configuring Terminal Idp Rules

    Security Network and does not continue monitoring the session for malicious data. Rules 3 and 6 set different actions for different attacks when the destination IP is the Corporate or Europe E-mail server. Rule 3 terminates the match algorithm when the
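    The terminal-rule behaviour the page describes, as an added example written for this page (not Juniper code): the IDP rulebase is walked in order; each rule whose zone, address and service criteria match is examined, and its action applies only when its attack objects cover the detected attack; a terminal rule ends the walk once its traffic criteria match, whether or not its attack list covers the attack, which is why the page says to use it with care. The rules, host names and attack names below are constructed placeholders modelled on the page's mail-server scenario, not real attack objects.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class IdpRule:
    rule_id: int
    from_zone: str
    to_zone: str
    source: str
    destination: str
    service: str
    attacks: FrozenSet[str]     # attack object names; frozenset({"any"}) = all attacks
    action: str                 # a Table 43 action such as "None" or "Drop Connection"
    terminal: bool = False


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    source: str
    destination: str
    service: str
    attack: str                 # the attack object IDP detected in this session


def matches_traffic(rule: IdpRule, s: Session) -> bool:
    """Zone, address and service criteria only; attack objects do not decide the match."""
    return (rule.from_zone in (ANY, s.from_zone)
            and rule.to_zone in (ANY, s.to_zone)
            and rule.source in (ANY, s.source)
            and rule.destination in (ANY, s.destination)
            and rule.service in (ANY, s.service))


def matches_attack(rule: IdpRule, s: Session) -> bool:
    return ANY in rule.attacks or s.attack in rule.attacks


Outcome = Tuple[int, bool, Optional[str]]   # (rule id, attack listed in rule?, action taken)


def evaluate(rules: List[IdpRule], s: Session) -> List[Outcome]:
    """Walk the rulebase in order. A rule's action fires only if its attack list
    covers the detected attack. A terminal rule ends the walk as soon as its
    traffic criteria match, even when its attack list does not cover the attack,
    so rules after it never see the session."""
    outcomes: List[Outcome] = []
    for rule in rules:
        if not matches_traffic(rule, s):
            continue
        hit = matches_attack(rule, s)
        outcomes.append((rule.rule_id, hit, rule.action if hit else None))
        if rule.terminal:
            break
    return outcomes


def actions_for(rules: List[IdpRule], s: Session) -> List[str]:
    return [action for _, _, action in evaluate(rules, s) if action is not None]


# Constructed rulebase and attack names (placeholders, not Juniper attack objects).
RULES = [
    IdpRule(1, "Untrust", "Trust", ANY, "mail-corp", "SMTP",
            frozenset({"smtp_command_overflow"}), "Drop Connection", terminal=True),
    IdpRule(2, "Untrust", "Trust", ANY, ANY, "SMTP",
            frozenset({"smtp_command_overflow", "smtp_open_relay"}), "None"),
    IdpRule(3, "Untrust", "Trust", ANY, ANY, ANY, frozenset({ANY}), "None"),
]

OVERFLOW_TO_CORP = Session("Untrust", "Trust", "203.0.113.5", "mail-corp", "SMTP", "smtp_command_overflow")
RELAY_TO_CORP = Session("Untrust", "Trust", "203.0.113.5", "mail-corp", "SMTP", "smtp_open_relay")
RELAY_TO_EU = Session("Untrust", "Trust", "203.0.113.5", "mail-eu", "SMTP", "smtp_open_relay")

if __name__ == "__main__":
    for label, sess in (("overflow->corp", OVERFLOW_TO_CORP), ("relay->corp", RELAY_TO_CORP),
                        ("relay->eu", RELAY_TO_EU)):
        print(label, evaluate(RULES, sess))
```

    The second session is the caveat in action: the open-relay attack against mail-corp would have been caught by rule 2, but terminal rule 1 matched on destination and service first and ended the walk, so no action and no attack log results. When you add a terminal rule for a host, its attack list has to be complete for that host, or a broader non-terminal rule has to precede it.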
  • Page 517: Table 43: Idp Rule Actions

    If an attack is specified in the rule, IDP inspects the session and generates a log for the first attack detected. Subsequently, IDP ignores the rest of that session and neither inspects the session for attacks nor generates attack logs. Use with caution.
  • Page 518 Recommended: IDP takes the action recommended by Juniper Networks. With IDP 4.1 and later, attack objects have a recommended action associated with them. If a packet triggers more than one attack object, IDP applies the most secure of the recommended actions.
  • Page 519: Configuring Attack Objects In Idp Rules

    For example, if you rely extensively on FTP and HTTP for file transfers to and from your Web servers, choose the FTP and HTTP category groups to carefully monitor all traffic that uses these services.
  • Page 520: Table 44: Severity Levels, Recommended Actions And Notifications

    Rules” on page 467. You configure notification settings in the Notification column of the rule; see “Configuring Notification in IDP Rules” on page 472. Adding Custom Dynamic Attack Groups: You can add previously created custom dynamic attack groups to a rule.
  • Page 521: Figure 83: Configure Ip Action

    IDP Close—The security device closes future connections that match the criteria in the Block list. Choosing a Block Option: Each block option follows the criteria you set in the Actions box. Block options can be based on the following matches of the attack traffic:
  • Page 522: Setting Logging Options

    NSM does not log the data. Setting Logging—In the Configure Notification dialog box, select Logging and then click OK. Each time the rule is matched, the NSM system creates a log record that appears in the Log Viewer.
  • Page 523: Setting Vlan Tags For Idp Rules

    Any: Matches traffic with any or no VLAN tag (default). Single tag: Matches traffic with that specific tag only. Range of tags: Matches traffic with any tag in that range. None: Matches only traffic that has no VLAN tag.
  • Page 524: Setting Severity For Idp Rules

    Trust zone. You create a firewall rule from the Trust to the Data_Center zone that allows traffic from any source to any destination for any service, then enable IDP in the Rule Options column.
  • Page 525: Configuring Multiple Idp Policies For An Mx Series Router

    4. Right-click on the policy that includes the rule in the Policies panel, and select Remove Rule. The rule will be removed from the corresponding IDP policy in the Policies panel but will remain in the IDP rule table.
  • Page 526: Configuring Application Policy En­forcement (Ape) Rules

    Adding the APE Rulebase Using the Policy Manager: You can create APE rules based on Layer-7 applications and protocols. Before you can configure a rule in the APE rulebase, you need to add the APE rulebase to a security policy.
  • Page 527: Adding The Ape Rulebase To A Policy Using The Application Profiler

    Select one or more policies to which you want to add application rules, and click Next. From the New Application Rules dialog box, configure one or more application rules. Click Next. Verify that the new rules have been correctly configured in the policy, and click Finish.
  • Page 528: Defining Matches For Ape Rules

    Destination column of a rule and select Select Address. In the Select Source Addresses dialog box, you can either select an already created address object or click the Add icon to create a new host, network, or group object.
  • Page 529: Configuring User Roles For Ape Rules

    You can also create custom service objects to represent protocols that are not included in the predefined services. In the Service column, you select the service of the traffic you want IDP to match:
  • Page 530: Table 45: Ape Rule Actions

    Diffserv Marking: IDP assigns the indicated service differentiation value to the packet, then passes it on normally. The value is set in the dialog that appears when you select this action in the rulebase.
  • Page 531: Configuring Ip Actions In Ape Rules

    IDP Notify—The security device does not take any action against future traffic, but logs the event. This is the default. IDP Drop—The security device drops the matching connection and blocks future connections that match the criteria set in the Block list.
  • Page 532: Choosing A Block Option

    Excessive logging can also affect throughput, performance, and available disk space. A good security policy generates enough logs to fully document only the important security events on your network.
  • Page 533: Setting Vlan Tags For Ape Rules

    You can override the inherent attack severity on a per-rule basis within the APE rulebase. You can set the severity to Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 534: Setting Target Security Devices For Ape Rules

    Exempt rulebase and all matches are executed. Adding the Exempt Rulebase: Before you can configure a rule in the Exempt rulebase, you need to add the Exempt rulebase to a security policy.
  • Page 535: Defining A Match

    Engineering desktops, you want to exempt attack detection. Setting Attack Objects You specify the attacks you want IDP to exempt for the specified source/destination addresses. You must include at least one attack object in an exempt rule. Copyright © 2010, Juniper Networks, Inc.
  • Page 536: Specifying Vlans

    A backdoor is a mechanism installed on a host computer that facilitates unauthorized access to the system. Attackers who have already compromised a system can install a backdoor to make future attacks easier. When attackers type commands to control a backdoor, they generate interactive traffic. Copyright © 2010, Juniper Networks, Inc.
  • Page 537: Adding The Backdoor Rulebase

    In the main navigation tree, select Policies. Open a security policy by double-clicking the policy name in the security policies window or click the policy name and then select the Edit icon. Copyright © 2010, Juniper Networks, Inc.
  • Page 538: Configuring Source And Destination Address Objects

    Do not include telnet, SSH, RSH, netmeeting, or VNC, as these services are often used to remotely control a system legitimately and their inclusion might generate false positives. Copyright © 2010, Juniper Networks, Inc.
  • Page 539: Table 46: Actions For Backdoor Rule

    Setting Logging In the Configure Notification dialog box, select Logging and then click OK. Each time the rule is matched, the IDP system creates a log record that appears in the Log Viewer. Copyright © 2010, Juniper Networks, Inc.
  • Page 540: Setting An Alert

    Setting Target Devices For each rule in the rulebase, you can select the IDP-capable device that will use that rule to detect and prevent attacks. Alternatively, you can use Device Manager to assign policies to devices. Copyright © 2010, Juniper Networks, Inc.
  • Page 541: Entering Comments

    The attacker sends another SYN packet to the server, requesting another connection. And then another. And another. The connection table fills to capacity and cannot accept new SYN requests. The server is overwhelmed, and quickly becomes disabled. Copyright © 2010, Juniper Networks, Inc.
  • Page 542: Adding The Syn Protector Rulebase

    Always set the SYN Protector service value to TCP-any. Selecting individual services can cause unpredictable interactions with other rulebases. Setting Mode Select the mode that indicates how IDP handles TCP traffic: None. IDP takes no action, and does not participate in the three-way handshake. Copyright © 2010, Juniper Networks, Inc.
  • Page 543 You can choose to log an attack and create log records with attack information that you can view real-time in the Log Viewer. For more critical attacks, however, you might want to be notified immediately by e-mail, have IDP run a script in response to the attack, or Copyright © 2010, Juniper Networks, Inc.
  • Page 544: Logging Packets

    Comments column is not pushed to the target devices. To enter a comment, right-click the Comments column and select Edit Comments. The Edit Comments dialog box appears. You can enter up to 1024 characters in the Comments field. Copyright © 2010, Juniper Networks, Inc.
  • Page 545: Configuring Traffic Anomalies Rules

    To create a Traffic Anomalies rule that looks for distributed port scans on your internal network, set the IP Count to 50 and the Time to 120 seconds. If 50 IP addresses attempt to scan ports on your internal network within 120 seconds, the rule is matched. Copyright © 2010, Juniper Networks, Inc.
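    The IP Count / Time match described above, as an added example rather than NSM code: a sliding-window detector run over constructed connection records. It fires when 50 or more distinct sources are actively scanning the protected host inside any 120-second window. The per-source "at least min_ports distinct ports" threshold and the reset-after-match behaviour are assumptions made here to keep one burst from logging on every packet; the page specifies only IP Count and Time.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One connection attempt seen by the sensor (constructed, not a real NSM log)."""
    ts: float    # seconds since start of capture
    src: str     # probing host
    dst: str     # protected host
    dport: int   # destination port probed


def detect_distributed_scan(events, ip_count=50, window=120.0, min_ports=5):
    """Return one (timestamp, scanners) entry per time the rule matches.

    A source counts as a scanner once it has probed at least min_ports distinct
    ports within the window (min_ports is an assumption; the page gives only
    IP Count and Time).  The rule matches when ip_count or more scanners are
    active inside a sliding window of `window` seconds.  The window is cleared
    after a match so a single burst produces a single log record.
    """
    recent = deque()
    matches = []
    for e in sorted(events, key=lambda c: c.ts):
        recent.append(e)
        # drop events that have fallen out of the Time window
        while e.ts - recent[0].ts > window:
            recent.popleft()
        ports_by_src = {}
        for c in recent:
            ports_by_src.setdefault(c.src, set()).add(c.dport)
        scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= min_ports)
        if len(scanners) >= ip_count:
            matches.append((e.ts, scanners))
            recent.clear()
    return matches


def build_sample(n_sources, spread):
    """Constructed traffic: n_sources hosts each probe ports 20..24 on one
    internal server, with source i starting at i*spread seconds."""
    events = []
    for i in range(n_sources):
        src = f"10.9.0.{i + 1}"
        for k in range(5):
            events.append(Conn(ts=i * spread + k * 0.1, src=src,
                               dst="192.168.1.10", dport=20 + k))
    return events


if __name__ == "__main__":
    fast = detect_distributed_scan(build_sample(50, spread=1.0))
    slow = detect_distributed_scan(build_sample(50, spread=10.0))
    print("fast burst matches:", len(fast))   # 50 hosts within ~50 s: rule fires once
    print("slow scan matches:", len(slow))    # 50 hosts spread over ~8 min: no match
```

    The slow case is the caveat a practitioner should keep in mind: an attacker who paces the scan so fewer than IP Count sources are active in any Time window never trips the rule, so the two values must be tuned against what a real scan of your network looks like, not set once.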
  • Page 546: Example: Traffic Anomalies Rule

    You specify the traffic you want IDP to monitor for network anomalies. Configuring Source and Destination Address Objects Set the Source Object to Any. Set the Destination Object to any address objects you want to protect. Copyright © 2010, Juniper Networks, Inc.
  • Page 547: Configuring Services

    IDP run a script in response to the attack, or set an alarm flag to appear in the log record. Your goal is to fine-tune the attack notifications in your security policy to your individual security needs. Copyright © 2010, Juniper Networks, Inc.
  • Page 548: Setting Severity

    Comments column is not pushed to the target devices. To enter a comment, right-click the Comments column and select Edit Comments. The Edit Comments dialog box appears. You can enter up to 1024 characters in the Comments field. Copyright © 2010, Juniper Networks, Inc.
  • Page 549: Configuring Network Honeypot Rules

    Configuring the Source Set the Source object to Any. Configuring Destination Address Objects and Services Set the Destination Address and Service to the service that will appear to be available on the indicated address object. Copyright © 2010, Juniper Networks, Inc.
  • Page 550: Setting Response Options

    If multiple rules with packet capture enabled match the same attack, IDP captures the maximum specified number of packets. For example, you configure Rule 1 to capture 10 packets before and after the attack, and Rule 2 to capture 5 packets before and after Copyright © 2010, Juniper Networks, Inc.
  • Page 551: Setting Target Devices

    NSM automatically imports all existing policies for the device. To simplify policy management, you can merge these multiple device policies into a single security policy that you install on several devices at one time. For details, see “Merging Policies” on page 511. Copyright © 2010, Juniper Networks, Inc.
  • Page 552: Validating Security Policies

    Policy validation analyzes the source and destination addresses, the to and from zones, and the service when validating. If NSM identifies any problems in the policy during policy validation, it displays information about the problem at the bottom of the selected rulebase. Copyright © 2010, Juniper Networks, Inc.
  • Page 553: Table 47: Rule Shadowing Example

    HTTP service with the web server, Rule 1 allows the traffic. Rule 2, which denies HTTP, is never checked.
    Table 47: Rule Shadowing Example (columns: Rule, From Zone, Source, To Zone, Destination, Service, Action)
    Rule 1: From Zone Untrust, Destination Web server, Action Allow
    Rule 2: From Zone Untrust, Destination Web server, Service HTTP, Action Deny
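    The shadowing check that policy validation performs, as an added example and not NSM's own validator: a later rule is shadowed when an earlier rule covers its from-zone, source, to-zone, destination and service, whatever the action. Table 47 is encoded as constructed input; the Source, To Zone and Rule 1 Service cells (any, DMZ, any) are assumptions, and rules 3 and 4 are added here to show a CIDR source being covered by a wider network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_id: int
    from_zone: str
    source: str
    to_zone: str
    destination: str
    service: str
    action: str


def _covers_plain(earlier, later):
    """Zone or service cell: 'any' covers everything, otherwise exact match."""
    return earlier.lower() == "any" or earlier == later


def _covers_addr(earlier, later):
    """Address cell: 'any' covers everything; CIDR strings are compared as
    networks; named address objects must match exactly (object contents are
    not resolved in this example)."""
    if earlier.lower() == "any" or earlier == later:
        return True
    try:
        wide = ipaddress.ip_network(earlier, strict=False)
        narrow = ipaddress.ip_network(later, strict=False)
    except ValueError:
        return False
    return wide.version == narrow.version and narrow.subnet_of(wide)


def shadows(earlier, later):
    """True when every packet matching `later` is already matched by `earlier`,
    so `later` is never evaluated, whatever its action."""
    return (_covers_plain(earlier.from_zone, later.from_zone)
            and _covers_addr(earlier.source, later.source)
            and _covers_plain(earlier.to_zone, later.to_zone)
            and _covers_addr(earlier.destination, later.destination)
            and _covers_plain(earlier.service, later.service))


def find_shadowed(rules):
    """Return (shadowing_rule_id, shadowed_rule_id) pairs in rulebase order."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadows(earlier, later):
                found.append((earlier.rule_id, later.rule_id))
                break
    return found


# Table 47 as constructed input (Source / To Zone / Rule 1 Service are assumed),
# plus two added rules showing a /32 shadowed by an earlier /24.
TABLE_47 = [
    Rule(1, "Untrust", "any", "DMZ", "Web server", "any", "Allow"),
    Rule(2, "Untrust", "any", "DMZ", "Web server", "HTTP", "Deny"),
    Rule(3, "Untrust", "203.0.113.0/24", "DMZ", "Mail server", "SMTP", "Allow"),
    Rule(4, "Untrust", "203.0.113.8/32", "DMZ", "Mail server", "SMTP", "Deny"),
]

if __name__ == "__main__":
    for a, b in find_shadowed(TABLE_47):
        print(f"rule {b} is shadowed by rule {a} and will never be checked")
```

    The check is deliberately one-directional: rule 2 does not shadow rule 1, because HTTP does not cover "any". Real validation also has to expand address and service groups before comparing, which this example leaves as exact-name matching.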
  • Page 554: Unsupported Options

    Delta Config Summary before pushing the policy. During policy installation, NSM installs the rules in the policy on the security devices you selected in the Install On column of each rule. The install process occurs between the Copyright © 2010, Juniper Networks, Inc.
  • Page 555: Configuring Idp Policy Push Timeout

    You enable session rematch when you update devices (from the menu bar, select Devices > Configuration > Update Device Config). To enable session rematch from the Update Devices dialog box, select Options, then select Rematch, session treatment when modifying a policy rule, then click OK. Copyright © 2010, Juniper Networks, Inc.
  • Page 556: Updating Only The Idp Rulebases On Isg Devices

    To push only the IDP rulebases, not the firewall or multicast rulebases, select the Update IDP Rulebase Only check box in the Update Device Options dialog box. The IDP-on-ISG rulebases are as follows: Backdoor Exempt Copyright © 2010, Juniper Networks, Inc.
  • Page 557: Managing Rules And Policies

    Rules within a rule group follow the rulebase numbering sequence. The IDP, Exempt, or Backdoor rulebases are not included when you: Merge two policies into a single policy Import a security policy from an existing IDP-capable security device Copyright © 2010, Juniper Networks, Inc.
  • Page 558: Selecting Rules

    From the policy rule you want to cut or copy from, right-click in the field and select Edit > Cut or Edit > Copy. When an element in the field is cut, it is replaced by either “any” or “default”, depending on the field. Copyright © 2010, Juniper Networks, Inc.
  • Page 559: Dragging And Dropping Objects

    Source and Destination columns of the Backdoor rulebase
    Source and Destination columns of the Network Honeypot rulebase
    Source and Destination columns of the Traffic Anomalies rulebase
    Source and Destination columns of the SYN Protector rulebase
    Source and Destination columns of Permitted Object entries
  • Page 560: Deleting A Rule

    After you reimport the device configuration for a device that was previously managed by NSM: If you made no changes to the device policies using the WebUI or CLI, when you reimport the device, NSM does not create a new security policy. Copyright © 2010, Juniper Networks, Inc.
  • Page 561: Merging Policies

    (the device policy pointer indicates which security policy is assigned to a device). When configuring Policy Merge settings, you can edit this option to keep the device policy pointers for both the source and target policies. Copyright © 2010, Juniper Networks, Inc.
  • Page 562: Figure 84: Security Policy A Rules (Before Policy Merge)

    NSM merges the matching values in the columns to create a single, simplified policy (Policy C), shown in Figure 86 on page 512. Figure 86: Security Policy Rules (Merged from Policy A and Policy B) Copyright © 2010, Juniper Networks, Inc.
  • Page 563: Importing Srx Series Devices That Contain Inactive Policies

    Then select File > Export Policy from the menu bar. In the dialog box, select Zone based Firewall Rules. Select Show Expanded View. Browse to an export directory and click Select Export Directory. Click Export. Copyright © 2010, Juniper Networks, Inc.
  • Page 564: Automatic Policy Versioning

    When you set NSM up for automatic policy versioning, a new version is created each time you save changes to this object. Copyright © 2010, Juniper Networks, Inc.
  • Page 565: Creating A New Policy Version

    This section explains how to edit comments for an existing policy version. To edit comments for an existing version In the NSM GUI, right-click on a policy. In the popup menu, select View Versions. Copyright © 2010, Juniper Networks, Inc.
  • Page 566: Comparing Two Versions

    Select an earlier version in the window and click Next. A Diff window appears comparing the old and current version. View the differences and click Next. The Object Editor appears. Make any necessary changes and click Finish. Copyright © 2010, Juniper Networks, Inc.
  • Page 567: Viewing, Editing, Filtering, And Sorting Database Versions

    Click the down arrow to decrement the date (default = none). Associated Object Type: if the database version was created as the result of a device update, the pull-down menu for this field shows all devices associated
  • Page 568: Displaying The Differences Between Database Versions

    Click Close in the Job Information and Version History windows to end the operation. If you right-click on the device, the Version History window lists the newly updated Current version and the previous version. Copyright © 2010, Juniper Networks, Inc.
  • Page 569: Pre And Post Rules

    NOTE: You cannot push a pre/post rule from the central manager to a regional server. All features of security policies are available for prerules and postrules. Import device command—Imports all rules into the security policy that is created for the device. Config summary—displays the prerules and postrules. Copyright © 2010, Juniper Networks, Inc.
  • Page 570: Rule Application Sequence

    (See “Polymorphic Objects” on page 522 for more details.) Invalid prerules and postrules in the regional server are removed when the policy is pushed to a device during the device update operation. Copyright © 2010, Juniper Networks, Inc.
  • Page 571: Install-On Column For Prerules And Postrules

    Select either Central Manager Pre Rules or Central Manager Post Rules. Select Tools > Update Regional Servers. Select the regional servers to which you want to push prerules and postrules. Central Manager Administrator monitors progress from the Job Manager. Copyright © 2010, Juniper Networks, Inc.
  • Page 572: Modify Prerules And Postrules

    Customizing Polymorphic Objects Each polymorphic object contains a mapping table. Each entry of the mapping table has an attribute of domain, device, and a concrete shared object reference of the same type. Copyright © 2010, Juniper Networks, Inc.
  • Page 573: Table 48: Polymorphic Objects

    A vsys zone can only be supported with a polymorphic zone. Administrators must map every vsys manually with a vsys zone name. Copyright © 2010, Juniper Networks, Inc.
  • Page 574: Manage Polymorphic Objects

    Comment (optional) NSM adds the polymorphic address object to the address tree. Add a Polymorphic Object to a Pre/Post Rule This procedure assumes that a Central Manager administrator is logged onto a Central Manager client. Copyright © 2010, Juniper Networks, Inc.
  • Page 575: Map A Polymorphic Object To A Real Value

    If an error message is returned on import or update indicating that a mapping for a polymorphic object was not defined, you can define a mapping for the polymorphic object listed in the error message, and import or update the device again. Copyright © 2010, Juniper Networks, Inc.
  • Page 577: Chapter 10 Configuring Voice Policies

    You can copy, paste, drag and drop any of these shared objects into the transaction rule. Juniper Networks M Series and MX Series routers running Junos 9.5 and later can be managed in two modes: Central Policy management (CPM) and In-Device management.
  • Page 578: Adding Rules To The Bsg Transaction Rulebase

    You can add, edit, delete and search for shared objects such as BSG Service Points and Admission Controllers. Add, delete, edit and search for policy sets in the Policy Sets section to the right of the policy window.
  • Page 579 If the Install On value of a rule or a rule set is not applicable to the device being updated, NSM skips that rule or rule set.
  • Page 581: Chapter 11 Configuring Junos Nat Policies

    The translation can include IP addresses as well as port numbers. The types of NAT policies that are supported on Juniper Networks devices are: Source NAT policy, Destination NAT policy, and Static NAT policy.
  • Page 582: Adding A Source Nat Rulebase

    (default) or not, and can have the following values: The default routing instance (default), which ships with the device. You can use this routing instance if you do not wish to configure anything new.
  • Page 583: Adding A Rule To A Source Nat Rule Set

    If using Port Address Translation (PAT), specify a port range (between 1024 and 65535) in the port range fields. When PAT is used, multiple hosts can share the same IP address. For more information on PAT, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-11012.html#id-11012
  • Page 584: Editing A Source Nat Rule Or Rule Set

    View/Modify Destination: view or modify the destination that you set previously. Dest Address: cut, copy, and paste the values within this field. Edit / Add Dest address: add additional destinations.
  • Page 585: Destination Nat Policy

    Destination NAT policy is used to allow hosts from a public network to communicate with a private network through translation of the destination IP address within a packet that is entering the Juniper Networks device. For more information on destination NAT, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/jd0e90828.html#jd0e90837...
  • Page 586: Adding A Destination Nat Rulebase

    Other routing instances, if you have added them previously. To add a new routing instance, use Object Manager > Routing Instance Objects. Zone: Select the zone from the list.
  • Page 587: Adding A Rule To A Destination Nat Rule Set

    Select a destination IP address; this is the IP address through which the traffic enters the private network. Select a destination port; this is the port through which the traffic enters the private network. Specify one of the following actions, the first of which is to not perform destination NAT.
  • Page 588: Editing A Destination Nat Rule Or Rule Set

    View the applicable shared objects in the drop-down list in the Shared Objects for Policy section of the window. You can add, edit, delete and search for shared objects that apply to the specific NAT rulebase.
  • Page 589: Static Nat Policy

    In general, the list displays the routing instances configured within a specific device, or just the shared routing instances, depending on whether the Select From Device check box is selected (default) or not, and can have the following values:
  • Page 590: Adding A Rule To A Static Nat Rule Set

    As static NAT supports one to one mapping, if your source consists of a number of hosts, then make sure that you enter an equal number of public IP addresses in this field. Copyright © 2010, Juniper Networks, Inc.
  • Page 591: Editing A Static Nat Rule/Rule Set

    View the applicable shared objects in the drop-down list in the Shared Objects for Policy section of the window. You can add, edit, delete and search for shared objects, which are applicable to the specific NAT rulebase. Copyright © 2010, Juniper Networks, Inc.
  • Page 593: Chapter 12 Configuring Vpns

    Creating VPNs with VPN Manager on page 560 VPN Manager Examples on page 577 Creating Device-Level VPNs on page 592 Device-Level VPN Examples on page 607 Auto-Connect Virtual Private Network on page 616 IVE VPN Monitoring on page 618 Copyright © 2010, Juniper Networks, Inc.
  • Page 594: About Vpns

    About VPNs With Network and Security Manager (NSM), you can use basic networking principles and your Juniper Networks security devices to create VPNs that connect your headquarters with your branch offices and your remote users with your protected networks. NSM supports tunnel and transport modes for AutoKey IKE, Manual Key, L2TP, and L2TP-over-AutoKey IKE VPNs in policy-based or route-based configurations.
  • Page 595: Configuring Vpns

    Because you have so many choices, it’s a good idea to determine what your needs are before you create the VPN so you can make the right decisions for your network. These decisions include: Copyright © 2010, Juniper Networks, Inc.
  • Page 596: Determining Your Vpn Members And Topology

    IP addresses in use on your network. Site-to-Site Site-to-site VPNs are the most common type of VPN. Typically, each remote site is an individual security device or RAS user that connects to a central security device. Advantages—Simple, easy to configure. Copyright © 2010, Juniper Networks, Inc.
  • Page 597: Hub And Spoke

    To ensure stable, continuous VPN connection, use redundant gateways to create multiple tunnels between resources. If a tunnel fails, the management system automatically reroutes traffic. Redundant gateways use NSRP to determine the tunnel status. Copyright © 2010, Juniper Networks, Inc.
  • Page 598: Protecting Data In The Vpn

    Using Encapsulating Security Payload (ESP) ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption. When the encrypted data arrives at the destination, the receiving device uses a key to Copyright © 2010, Juniper Networks, Inc.
  • Page 599 Replay protection enables your security devices to inspect every IPSec packet to see if the packet has been received before—if packets arrive outside a specified sequence range, the security device rejects them. Copyright © 2010, Juniper Networks, Inc.
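    The replay check described above, as an added example and not ScreenOS code: the standard sliding-window algorithm for 32-bit ESP/AH sequence numbers. A packet ahead of the window is new; one further behind the highest accepted number than the window size is rejected as too old; one inside the window is rejected if its bit is already set. The window size of 64 and the constructed arrival order are assumptions made here.

```python
class ReplayWindow:
    """Sliding anti-replay window for 32-bit ESP/AH sequence numbers.

    check() answers "could this sequence number be new?" and belongs before
    the integrity check; update() is applied only after the ICV verified, so a
    forged packet cannot advance the window.  accept() does both for the demo.
    """

    def __init__(self, size=64):
        if size < 32:
            raise ValueError("window must hold at least 32 sequence numbers")
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence (highest - i) was accepted

    def check(self, seq):
        if seq == 0:
            return False                          # 0 is never transmitted by ESP
        if seq > self.highest:
            return True                           # ahead of the window: new
        diff = self.highest - seq
        if diff >= self.size:
            return False                          # behind the window: too old
        return not (self.bitmap & (1 << diff))    # inside: reject if already seen

    def update(self, seq):
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1                   # everything older falls out
            else:
                mask = (1 << self.size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)

    def accept(self, seq):
        ok = self.check(seq)
        if ok:
            self.update(seq)
        return ok


def simulate(sequence_numbers, size=64):
    """Feed a constructed arrival order through one window and return the
    accept/reject decision for each packet."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in sequence_numbers]


if __name__ == "__main__":
    arrivals = [1, 2, 3, 5, 4, 4, 70, 2, 71]   # constructed: reorder, duplicate, stale
    for seq, ok in zip(arrivals, simulate(arrivals)):
        print(f"seq {seq:3d}: {'accept' if ok else 'REJECT'}")
```

    Note what the window does not do: it tolerates reordering (5 before 4 is fine) but rejects a replayed 4 and a stale 2 once the window has moved past it, which is exactly the "outside a specified sequence range" behaviour the page describes.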
  • Page 600: Using L2Tp

    VPN rule, it creates the VPN tunnel to encrypt, authenticate, and send the data to the specified destination. When no traffic matches the VPN rule, the firewall tears down the VPN tunnel. Copyright © 2010, Juniper Networks, Inc.
  • Page 601: About Route-Based Vpns

    Define Members and Topology What do you want to connect? Devices Network Components/Protected Resources Remote Access Service (RAS) Users Extranet Devices How do you want to connect the VPN members? Site to Site Hub and Spoke Copyright © 2010, Juniper Networks, Inc.
  • Page 602: Define Vpn Type: Policy-Based, Route-Based, Or Mixed-Mode

    Choose the VPN type that best matches your VPN requirements: Autokey IKE VPN—Use to authenticate and encrypt traffic between devices and/or protected resources. An Autokey IKE VPN supports: Mixed-mode VPNs (policy-based members and route-based members) Policy-based VPNs Route-based VPNs ESP and AH Authentication Copyright © 2010, Juniper Networks, Inc.
  • Page 603 ESP AutoKey IKE Encryption PPP or other non-IP traffic Remote access users Creating Device-Level VPNs You can create the following VPN types: AutoKey IKE VPN Manual Key IKE VPN L2TP VPN Redundant Site-Site VPN Copyright © 2010, Juniper Networks, Inc.
  • Page 604: Preparing Vpn Components

    A policy-based VPN requires several components: Address objects Protected resources NAT objects User objects The following sections detail how to configure each component; after you have created a component, you can use it to create your VPN. Copyright © 2010, Juniper Networks, Inc.
  • Page 605: Configuring Address Objects

    DIPs). Use the global NAT object in your VPN; when you install the VPN on a device, that device automatically replaces the shared NAT object with its device-specific NAT object. For details on shared NAT objects. Copyright © 2010, Juniper Networks, Inc.
  • Page 606: Configuring Remote Access Service (Ras) Users

    The container part contains a continuous section of the DN; for example, "OU=a,O=b". Any DN containing all specified elements in the correct order is accepted. Up to seven wildcards can be specified, one for each of the following elements: CN, OU, O, L, ST, C, Email.
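    The container and wildcard matching described above, as an added example and not ScreenOS or NSM code: a container must appear in the peer's certificate subject as a contiguous run of elements in the same order, while each wildcard element only has to be present somewhere in the subject. The peer DNs are constructed, the rule that both parts must match when both are configured is an assumption, and the parser does not handle escaped commas inside values.

```python
# Element types that may carry a Group IKE ID wildcard (page: CN, OU, O, L, ST, C, Email)
WILDCARD_TYPES = ("CN", "OU", "O", "L", "ST", "C", "EMAIL")


def parse_dn(dn):
    """Split 'CN=alice,OU=a,O=b' into [('CN','alice'),('OU','a'),('O','b')].

    Simplification: a literal comma inside a value is not supported; a real
    ASN.1 DN parser has to honour escaping.
    """
    elements = []
    for rdn in dn.split(","):
        if not rdn.strip():
            continue
        key, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN: {rdn!r}")
        elements.append((key.strip().upper(), value.strip()))
    return elements


def container_matches(container, peer_dn):
    """Container elements must appear in the peer DN as a contiguous run, in
    the same order: 'OU=a,O=b' accepts 'CN=x,OU=a,O=b,C=FR' but not
    'CN=x,OU=a,L=Paris,O=b' (gap) or 'CN=x,O=b,OU=a' (order)."""
    want = parse_dn(container)
    have = parse_dn(peer_dn)
    if not want:
        return True
    n = len(want)
    return any(have[i:i + n] == want for i in range(len(have) - n + 1))


def wildcard_matches(wildcards, peer_dn):
    """Each wildcard (element type -> value) must be present somewhere in the
    peer DN; position does not matter.  One wildcard per type, seven at most."""
    have = parse_dn(peer_dn)
    if len(wildcards) > len(WILDCARD_TYPES):
        raise ValueError("too many wildcards")
    for etype, value in wildcards.items():
        etype = etype.upper()
        if etype not in WILDCARD_TYPES:
            raise ValueError(f"{etype} cannot carry a wildcard")
        if (etype, value) not in have:
            return False
    return True


def group_ike_id_accepts(container, wildcards, peer_dn):
    """Combined decision for a Group IKE ID defined by a container and wildcards
    (assumption: both parts must match when both are configured)."""
    return container_matches(container, peer_dn) and wildcard_matches(wildcards, peer_dn)


if __name__ == "__main__":
    # constructed peer certificate subjects
    peer_ok = "CN=alice,OU=a,O=b,L=Paris,C=FR,Email=alice@example.com"
    peer_gap = "CN=bob,OU=a,L=Paris,O=b,C=FR"     # OU and O are not adjacent
    print(group_ike_id_accepts("OU=a,O=b", {"C": "FR"}, peer_ok))    # True
    print(group_ike_id_accepts("OU=a,O=b", {"C": "FR"}, peer_gap))   # False
```

    The practical point is that the Group IKE ID only constrains the subject fields you name; any certificate the trusted CA issues with those fields present is accepted, so the CA's issuance policy, not this string match, is what keeps an arbitrary peer from joining the RAS VPN.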
  • Page 607: Configuring Required Routing-Based Vpn Components

    (cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number of VPN tunnels allowed on the Juniper Networks security device platform). For details on group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
  • Page 608: Configuring Tunnel Interfaces And Tunnel Zones

    To create a static route, you must manually create a route for each tunnel on each device. For VPNs with more than just a few devices, Juniper Networks highly recommends using a dynamic routing protocol to automatically determine the best route for VPN traffic: To route between different networks over the Internet, use Border Gateway Protocol (BGP);...
  • Page 609: Creating Certificate Objects

    Using this encrypted public key, you can contact an independent CA (or use your own internal CA, if available) to obtain a local device certificate file (a .cer file).
  • Page 610: Creating Pki Defaults

    Configuring a VPN using VPN Manager is an eight stage process: “Adding the VPN” on page 561 “Configuring Members” on page 562 (policy-based, RAS users, routing-based) “Configuring Topology” on page 566 (AutoKey IKE only) “Configuring Gateways” on page 568 “Configuring IKE” on page 572 Copyright © 2010, Juniper Networks, Inc.
  • Page 611: Adding The Vpn

    Type (AutoKey IKE VPN Only). Select the components you want to configure for the VPN: Route-based components, Policy-based components, or both. By default, VPN Manager displays all Route- and Policy-based components for an AutoKey IKE VPN. Copyright © 2010, Juniper Networks, Inc.
  • Page 612 For details on configuring DIP objects. Configure Tunnel Interface and Zone—You can bind the VPN tunnel to a tunnel interface or tunnel zone to increase the number of available interfaces in the security device. Copyright © 2010, Juniper Networks, Inc.
  • Page 613 AutoKey IKE RAS VPN, this option does not appear.) Select the device for which you want to configure L2TP. In the L2TP tab, specify the following values (you cannot edit the name of the device). Copyright © 2010, Juniper Networks, Inc.
  • Page 614: Adding Ras Users

    For details on creating routes, see the Network and Security Manager Configuring ScreenOS and IDP Devices Guide. Click the security devices link to display the route-based member selection dialog box. Copyright © 2010, Juniper Networks, Inc.
  • Page 615 For devices running ScreenOS 5.x and later, you can also enable/disable single tunnel interface and NHTB entries. After VPN Manager generates the tunnel interfaces, you must configure static or dynamic routes on each VPN member to route traffic to other VPN members. Copyright © 2010, Juniper Networks, Inc.
  • Page 616: Configuring Topology

    If you do not select the hub device as a VPN member, the hub only routes VPN traffic from one branch to another. If you do select the hub device as a VPN member, the hub routes VPN traffic from itself and from all connected branches.
  • Page 617 To create a main and branch topology: Select the devices to act as mains; these devices can communicate with all other VPN members. Select the remaining devices as branches; these devices communicate with all mains.
  • Page 618: Defining Termination Points

    Aggressive mode is typically faster but less secure than Main mode: the peer identities are sent unencrypted and, with preshared-key authentication, the responder's hash of the key can be captured and attacked offline. Use Aggressive mode only when speed (or an initiator with a dynamic address) matters more than that exposure. For RAS VPNs, you must use Aggressive mode; for VPNs that do not include RAS users, select the mode that meets your requirements.
  • Page 619 XAuthentication server, edit the VPN settings in the security device configuration. XAuth Server—Use when the remote gateway is a security device to which you want to assign TCP/IP settings. Auth Server Name. Select a preconfigured authentication server object.
  • Page 620: Configuring Gateway Security

    To use a predefined value for the key, enter a value for the Preshared Key. PKI—Use if your VPN includes extranet devices or you require the additional security provided by certificates (PKI uses certificates for VPN member authentication). For details on creating and managing certificates.
  • Page 621: Configuring Ike Ids

    For details on how Group IKE IDs work, see “Configuring Group IKE IDs” on page 557. For details on determining the ASN1-DN container and wildcard values for Group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide. FQDN—Use a Fully Qualified Domain Name when the gateway has a dynamic IP address.
  • Page 622: Configuring Ike

    (pings) through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity (each device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination Copyright © 2010, Juniper Networks, Inc.
  • Page 623: Configuring Security Level

    Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface. For details on VPN monitoring at the device level, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
  • Page 624: Autogenerating Vpn Rules

    Policy Rules link in the Overrides area; the rules appear in a separate NSM window, using the same row and column format as in the Security Policies. NOTE: Policy rules do not appear for route-based VPNs. Copyright © 2010, Juniper Networks, Inc.
  • Page 625: Editing Device Configuration

    Overriding Gateways For all VPNs, this displays the gateway name, gateway mode, IP address, and IKE phase I proposals for each VPN gateway. To override the general properties, security, and IKE
  • Page 626: Viewing The Device Tunnel Summary

    In the navigation tree, select VPNs. A table listing all configured VPNs appears in the main display area. Right-click the VPN you want to edit and select Edit. The expanded VPN view dialog box appears. Make the necessary changes, then click OK to apply your changes.
  • Page 627: Editing Vpn Protected Resources

    “Example: Configuring XAuth Authentication with External User Group” on page 588 The following sections provide step-by-step instructions on creating each VPN type. NOTE: For examples on creating a Manual Key VPN, see “Device-Level VPN Examples” on page 607.
  • Page 628: Example: Configuring An Autokey Ike, Policy-Based Site-To-Site Vpn

    For Color, select magenta. For Comment, enter Paris Trust Zone. Create the Tokyo Protected Resources object. In Protected Resources (under VPN Manager), click the Add icon. Configure as shown in Figure 87 on page 579, then click
  • Page 629: Figure 87: Create Tokyo Protected Resource Object For Autokey Ike Vpn

    Create the VPN. In the navigation tree, double-click VPN Manager, then right-click VPNs and select AutoKey IKE VPN. The New AutoKey IKE VPN dialog box appears. Configure the General VPN Properties: In Name, enter Tokyo-Paris Policy-Based VPN. Select Enable. In Termination Point, select Untrust.
  • Page 630 Click the Gateway Parameters link. The Properties tab appears. Leave all defaults and click the Security tab. In the Security tab, configure the PKI Information and Phase 1 Proposals as shown in Figure 89 on page 581.
  • Page 631: Figure 89: Configure Gateway Parameters For Autokey Ike Vpn

    Select the Tokyo-Paris Policy-Based VPN, then click OK to add the link. By default, the link appears at the top of the rulebase, but you can move the VPN link anywhere in the rulebase, just as you would a firewall rule.
  • Page 632: Example: Configuring An Autokey Ike Ras, Policy-Based Vpn

    Create Chicago Corporate Trusted LAN Protected Resources to represent the destination point of the VPN. In Protected Resources (under VPN Manager), click the Add icon. Configure as shown in Figure 91 on page 583, then click OK:
  • Page 633: Figure 91: Add Chicago Protected Resource For Autokey Ike Ras Vpn

    Figure 92: Add New Local User for AutoKey IKE RAS VPN Create the VPN. In the navigation tree, double-click VPN Manager, then right-click VPNs and select AutoKey IKE RAS VPN. The New AutoKey IKE RAS VPN dialog box appears. Configure as shown below:
  • Page 634 Security tab. In the Security tab, enter the preshared key value (h1p8A24nG5), then click Generate Key. For Phase 1 Proposals, select User-Defined, then click the Add/Edit icon to add the pre-g2-3des-sha proposal.
  • Page 635: Figure 93: Configure Security For Autokey Ike Ras Vpn

    Configure the Tokyo device with the following interfaces: Ethernet1 is the Trust IP (10.1.1.1/24) in the Trust zone. Ethernet3 is the Untrust IP (1.1.1.1/24). Configure the Paris device with the following interfaces:
  • Page 636 Click the Add icon to display available security devices. Select the Paris and Tokyo devices. Click OK to add the members to the VPN. Ensure that the route-based members are configured. Click OK to save your settings and return to the main display area.
  • Page 637: Figure 94: View Tunnel Summary For Autokey Ike, Rb Site-To Site Vpn

    Next, you must create the routes (in the route table of each device) that will connect the autogenerated tunnel interfaces and form the VPN tunnel (for details on creating routes, see the Network and Security Manager Configuring ScreenOS and IDP Devices Guide). You
  • Page 638: Example: Configuring Xauth Authentication With External User Group

    4500 (default is 1645), then add an authentication server object in NSM to represent that server. Next, to manage the users in this example, you define an external user group in two places: on the external RADIUS auth server and in NSM.
  • Page 639 Configure the RADIUS Server. On the RADIUS server, load the Juniper Networks dictionary file and define Xauth user accounts. Use the Juniper Networks user group VSA to create the user group xa_grp2 and apply it to the auth user accounts that you want to add to that group.
  • Page 640 Address Objects, then click the Add icon and select Host. The New Host dialog box appears. Configure the following, then click OK: For Name, enter rsl-svr1. For Color, select green. For Comment, enter FTP Server. Select IP, then enter the IP Address 10.1.1.5.
  • Page 641 Click the Gateway Parameters link. The Properties tab appears. For Mode, select Main. In the XAuth section, select XAuth Server and then select the radius1 authentication server for Auth Server Name. Later, after you have autogenerated the VPN rules
  • Page 642: Creating Device-Level Vpns

    By default, the link appears at the top of the policy, but you can move the VPN link anywhere in the policy, just as you would a firewall rule. Creating Device-Level VPNs You can create four types of device-level VPNs:
  • Page 643: Supported Configurations

    IKEv2 responder (VPN gateway) from the EAP authentication endpoint (backend AAA server). From the NSM UI, you can: Set the global account type to be authenticated by the authentication server: Navigate to Object Manager > Authentication Servers
  • Page 644: Configuring Gateways

    Add icon to display the New Gateway dialog box. Configure the gateway as detailed in the following sections. Properties Enter a name for the new gateway, then specify the following gateway values: Mode—The mode determines how Phase 1 negotiations occur.
  • Page 645 NAT device, it checks every VPN packet to determine if NAT-T is necessary. Because checking every packet impacts VPN performance, you should only use NAT Traversal for remote users that must connect to the VPN over an external NAT device.
  • Page 646 IP address (such as a RAS user). A U-FQDN is an e-mail address, such as user1@mycompany.com. Use the XAuth protocol to authenticate RAS users with an authentication token (such as SecureID) and to make TCP/IP settings (IP address, DNS server, and WINS server) for the peer gateway.
  • Page 647 ScreenOS limits and might not be accepted by the security device during update. To reduce the key size, shorten the autogenerated key value by deleting characters. To use a predefined value for the key, enter a value for the Preshared Key.
  • Page 648: Configuring Routes (Route-Based Only)

    VPN, the IKE Phase 2 proposals used by that gateway, and how you want NSM to monitor the VPN tunnel. For route-based VPNs, you are also binding the VPN to the tunnel interface or zone that sends and receives VPN traffic to and from the device.
  • Page 649 To use a predefined proposal set, select one of the following: Basic (nopfs-esp-des-sha, nopfs-esp-des-md5) Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5) Standard (gs-esp-3des-sha, gs-esp-aes128-sha) To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 Proposals.
  • Page 650 You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel, configure the following:
  • Page 651: Adding A Vpn Rule

    For details on adding and configuring a VPN rule in a security policy, see “Adding VPN Rules” on page 606. Creating Manual Key VPNs Creating a device-level Manual Key VPN is a four-stage process: Configure XAuth Users Configure Routes (Route-based only)
  • Page 652: Adding Xauth Users

    Local SPI—The local Security Parameter Index. Remote SPI—The remote Security Parameter Index. Outgoing Interface—The outgoing interface is the interface on the security device that sends and receives VPN traffic. Typically, the outgoing interface is in the untrust zone.
  • Page 653 You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel, configure the following:
  • Page 654: Adding A Vpn Rule

    For route-based VPNs, the VPN tunnel is already in place. However, you might want to add a VPN rule to control traffic through the tunnel. For details on adding and configuring a VPN rule in a security policy, see “Adding VPN Rules” on page 606.
  • Page 655: Creating L2Tp Vpns

    DNS and WINS servers assigned to L2TP RAS users after they have connected to the tunnel. IP Pool Name—Select the preconfigured IP pool object that represents the available IP addresses that can be assigned to L2TP RAS users after they have connected to the tunnel. Auth Server
  • Page 656: Creating L2Tp Over Autokey Ike Vpns

    Configure VPN to display the Configure VPN dialog box. Select the source security device that contains the termination interface for the VPN tunnel. Select a VPN Type: For IKE VPNs, select the VPN that you configured on the device.
  • Page 657: Configuring The Security Policy

    “Example: Configuring a Policy-Based Site-to-Site VPN, Manual Key” on page 613 “Example: Configuring a Policy-Based RAS VPN, L2TP” on page 614 The following sections provide step-by-step instructions on creating each type of device-level VPN.
  • Page 658: Example: Configuring A Route-Based Site-To-Site Vpn, Manual Key

    Add the Paris Trust LAN (10.2.2.0/24) as a network address object. In Address Objects, click the Add icon and select Network. Configure the following, then click OK: For Name, enter Paris Trust LAN. For IP Address/Netmask, enter 10.2.2.0/24. For Color, select magenta.
  • Page 659 Double-click the trust-vr route to open the vr for editing. In the virtual router dialog box, click Routing Table, then click the Add icon under destination-based Routing Table to add a new static route.
  • Page 660: Figure 95: Configure Tokyo Route For Rb Site-To-Site Vpn, Mk

    Figure 95: Configure Tokyo Route for RB Site-to-Site VPN, MK Configure the route from the trust zone to the tunnel interface, and then click OK. Figure 96: Configure Tokyo Trust Route for RB Site-to-Site VPN, MK Your routing table should appear.
  • Page 661: Figure 97: View Tokyo Routing Table For Rb Site-To-Site Vpn, Mk

    Select the Manual tab, then click the Add icon. The Properties screen appears. Configure the following: For Name, enter Paris_Tokyo. For Gateway, enter 2.2.2.2. For Local SPI, enter 3020. For Remote SPI, enter 3030. For Outgoing Interface, select ethernet3. For ESP/AH, select ESP CBC.
  • Page 662: Figure 98: Configure Rules For Rb Site-To-Site Vpn, Mk

    For Security Policy Name, enter Corporate Route-based VPNs. Optionally, add comments. In the main navigation tree, select Policies > Corporate Route-based VPNs. The security policy appears in the main display area. Figure 98: Configure Rules for RB Site-to-Site VPN, MK
  • Page 663: Example: Configuring A Policy-Based Site-To-Site Vpn, Manual Key

    For Authentication Algorithm, select SHA-1. Select Generate Key by Password, then enter the password PNas134a. Select the Binding tab. Enable Tunnel Zone and select untrust-tun. Click OK to save the new VPN. Create Tokyo Routes.
  • Page 664: Example: Configuring A Policy-Based Ras Vpn, L2Tp

    In this example, you create a RAS user group called Field Sales and configure an L2TP tunnel called Sales_Corp, using ethernet3 (Untrust zone) as the outgoing interface for the L2TP tunnel. The security device applies the default L2TP tunnel settings to the RAS user group.
  • Page 665 For Dns1, enter 1.1.1.2. For Dns2, enter 1.1.1.3. For Wins1, enter 0.0.0.0. For Wins2, enter 0.0.0.0. Configure the IP Pool object. Configure the following, then click OK: For IP Pool Name, enter Global. For Color, select magenta.
  • Page 666: Auto-Connect Virtual Private Network

    ACVPN, and then enable the Next Hop Resolution Protocol (NHRP). Configuring ACVPN You can configure ACVPN using VPN Manager. To configure auto-connect VPN, perform the following steps: Create a route-based auto-key IKE VPN.
  • Page 667 Click the Import Gateway and AutoKey Parameters button to import the existing hub-and-spoke configuration for the hub and spoke. You can configure the VPN and gateway by using ACVPN-Dynamic(Mains) or ACVPN-Profile(Hub) parameters in the navigation tree.
  • Page 668: Ive Vpn Monitoring

    Verify that the NHS IP Address field has been populated. Click OK. IVE VPN Monitoring NSM real-time monitoring is available on Secure Access and Infranet Controller devices. For more information, see “Realtime Monitoring” on page 649.
  • Page 669: Chapter 13 Central Manager

    Data is not lost when logging on and off of Central Manager. In addition, Central Manager does not use any of the shared objects that exist only in any of the individual regional servers.
  • Page 670: Self-Sufficient Regional Server

    All firewall, VPN, and IDP policy information and policy-related configurations (shared configurations such as addresses and services) are hidden from device editor view. Policies from the central policy manager are shared across ScreenOS-based firewall devices, standalone IDP devices, and J Series devices.
  • Page 671: Device Management Mode

    In the main navigation tree, select Object Manager > Regional Server. Click the Add icon in the toolbar. Enter the following information for the regional server you want to add: Name, IP address, Backup IP address (optional)
  • Page 672: Deleting A Regional Server Object

    Central Manager server are updated to regional servers managed by Central Manager. The Central Manager administrator can select which regional servers will receive the Central Manager rules and objects during the install.
  • Page 673: Prerule And Postrule Updates During Global Policy Install

    Global Policy Install transaction. All polymorphic objects are deleted if they are not used by any of the local policies in the regional server.
  • Page 674: Name Space Conflict Resolution For Polymorphic Objects

    Name conflict with a regional server regular shared object of the same type—The incoming polymorphic object is renamed “objname_n” where “n” is a sequentially increasing integer and inserted into the regional server’s global domain. Only names are pushed for polymorphic objects.
  • Page 675: Chapter 14 Topology Manager

    In addition to having either a seed device or configuring preferred subnets, you also need the following to initiate topology discovery: The management IP address of the EX Series switch that acts as the seed IP address SNMP credentials:
  • Page 676: About The Nsm Topology Manager Toolbar

    The Topology Manager status bar at the bottom of the screen indicates the time stamp of the last completed topology discovery and whether a discovery is in progress.
  • Page 677: Initiating A Topology Discovery

    SNMP enabled, in order that the maximum number of links are discovered. Check for NSM schema updates if some Juniper Networks devices are not discovered. Expand the range of the included subnets and ensure that all relevant routers are SNMP enabled if IP addresses for end-point devices connected to a switch are not discovered.
  • Page 678: Viewing A Network Topology

    In map view, each network element is represented by an icon indicating whether the element is a Juniper Networks product and whether it is managed by NSM. Each device type is represented by a unique icon on the map. Managed and unmanaged devices appear as different colored icons.
  • Page 679: Groups View

    Provide the Group name in the popup dialog. Select OK to locate the group matching the given criteria. Show Devices: Use this menu option to view all the devices in a selected subnet cloud.
  • Page 680: About The Nsm Topology Table Views

    Links View on page 631 Free Ports View on page 631 Devices View The NSM Topology Manager provides a tabular view of all the discovered Juniper Networks devices in the network along with relevant details about each device. The Devices table lists details about the Juniper Networks devices and other third-party routers and switches.
  • Page 681: Endpoint Devices View

    Free Ports topology discovery engine. If the administrative status of a device port is down, it is considered a free port. The managed status of a Juniper Networks device is indicated in the Device Status column. You can save the information in the table as comma-separated values in a file.
  • Page 682: Default Credentials Tab

    Verify the RSA key fingerprint for each of the devices. The wizard detects each selected device and adds it to NSM. The wizard then imports the device configuration, hardware, software, and license inventory into NSM.
  • Page 683 View link details between devices in the topology map: You can use the View details item on a selected link in the topology map to view link details between two managed devices, where one of the devices is the source and the other is the destination.
  • Page 685: Chapter 15 Role-Based Port Templates

    , and RSTP is enabled with the edge option. When you apply port templates on EX Series switches, NSM creates the required configuration in the following configuration groups and applies them at the top-level configuration node: juniper-port-template-desktop juniper-port-template-desktop-phone juniper-port-template-layer2-uplink juniper-port-template-layer3-uplink
  • Page 686: Managing Port Template Associations

    Apply or Edit a Port Template The Manage Template Association screen displays the list of EX Series switches and their interfaces on which the selected port template is currently applied. To apply a port template:
  • Page 687 Save as Text—Saves the details of port templates to port associations in a text file. Save as HTML—Saves the details of port templates to port associations in an HTML file. Cancel—Cancels all modifications and closes the Manage Template Port Association screen.
  • Page 688: Detect And Resolve Configuration Conflicts

    Percent Remainder—Remaining buffer available. Priority—Select a value from the list. Click Save to save the settings or Cancel to cancel all modifications. Click Save to create the customized port template.
  • Page 689: Edit A Port Template

    Priority—Select a value from the list. Click Save to save the settings or Cancel to cancel all modifications. Click Save to create the customized port template. See “Detect and Resolve Configuration Conflicts” on page 638.
  • Page 691: Chapter 16 Unified Access Control Manager

    From the IC table, you can edit the configuration of a selected IC using the edit button provided above the IC table. The edit dialog is similar to the edit device action in the Device Manager.
  • Page 692: The Enforcement Point View

    Select the check box to run a Summarize task that ensures the association between the IC and EP in the application database. The configuration status of these devices becomes Managed, NSM Changed. Select OK. The selected EPs are listed under the associated IC.
  • Page 693: Manager

    IC with data from the UAC Manager. Select the check box to overwrite the shared secret in the device. Select the check box to run an Update Device task after you make an update. Select OK.
  • Page 694: Enabling 802.1X On Enforcement Point Ports In The Uac Manager

    Select the check box to run a Summarize Delta Config task that ensures the association between the EP and the ports in the application database. The configuration status of these devices becomes Managed, NSM Changed. Select OK.
  • Page 695: Disabling 802.1X On Enforcement Point Ports In The Uac Manager

    Select the check box to run an Update Device task, which pushes configuration changes on the EP. Select the check box to run a Summarize Delta Config task that ensures the association between the EP and the ports in the application database. Select OK.
  • Page 697 PART 4 Monitoring Realtime Monitoring on page 649 Analyzing Your Network on page 699 Logging on page 729 Reporting on page 799
  • Page 699: Realtime Monitoring

    Realtime Monitoring The Realtime Monitor module includes four views that you can use to monitor the status and traffic statistics for all the managed Juniper Networks devices in your network in real time. To access, monitor, and configure the NSM management system, you use the Server Manager module.
  • Page 700: Realtime Monitor Views

    Protocol) clusters in your network. If you implement NSRP for the purpose of deploying clusters in your Juniper Networks security system, you can use the NSRP Monitor to view and troubleshoot the status of security devices in clusters within the domain you are working in.
  • Page 701: Table 49: Device Status Information

    Managed. The device is currently being managed by NSM. For devices running ScreenOS 5.0 and later, the Device Monitor can display the following additional configuration states: Managed, In Sync. The physical device configuration is synced with the modeled configuration in NSM.
  • Page 702 N/A—The device's alarm is not pollable or discoverable, for example, this column shows "N/A" for ScreenOS and IDP devices. Alarm is colored: Red for Major. Orange for Minor. Green for Ignore, None, Unknown, or N/A.
  • Page 703: Device Polling Intervals

    To configure or view the device polling intervals, double-click the Server Manager > Servers node, then select the Device Server and click the Edit icon. The Device Server dialog box is displayed. Use the Device Polling tab to edit the intervals to meet your monitoring requirements:
  • Page 704: Table 50: Device Polling Intervals

    The Info tab dialog box is displayed. Select the Device Admin page to set the polling interval for the device. The minimum polling interval is 60 seconds. The maximum interval is 2,147,483,647 seconds. You cannot disable polling.
  • Page 705: Table 51: Device Detail Status Items

    Mem Allocated The original amount of memory allocated to the security device. Mem Left The amount of allocated memory that remains unused by the security device. Mem Fragmented The amount of fragmented memory.
  • Page 706: Table 52: Device Statistics Summary

    Vsys: Displays the serial number of the security device. Vsys The name of the virtual system (if applicable) Version The security device’s build, model, and operation mode (this is not displayed in the Vsys view).
  • Page 707: Table 53: Device-Specific Views

    VPN Distribution View the up/down status and active statistics of VPNs on the security device (if applicable). Also enables you to view a chart of the VPN distribution by VPN tunnel.
  • Page 708 The graph displays a percentage of the absolute number of bytes for the top 10 policies by default. Table 54 on page 659 describes all of the information that is available from the Policy Distribution view.
  • Page 709: Table 54: Policy Distribution Items

    Adjusting Data Depicted Graphically You can adjust all elements depicted in the graph, including the policies, data values (such as absolute or delta), and type of data (bytes in or out, packets in or out, utilization).
  • Page 710: Table 55: Protocol Distribution Items

    The number of outgoing bytes for the protocol through the security device. Bytes Out Rel% Relative percentage of all outgoing bytes. Delta Bytes Out The total numerical difference between the current bytes out value and the previous bytes out value.
  • Page 711 Click to select the VPN tunnel that you wish to view on the graph from the list of Available VPN tunnels. Click Add to add the VPN tunnel to the list of Selected VPN
  • Page 712: Table 56: Vpn Monitor Table

    Duration of last SA session. Group Group associated with the VPN. User User associated with the VPN. DN Name Distinguished Name (DN) of the VPN. Avg. Latency A rolling average of latency, presented in milliseconds.
  • Page 713: Table 57: Active Vpn Table

    Time-related statistics (such as lifetime, latency). Table 57 on page 663 lists the information that is available from the active VPN. Table 57: Active VPN Table Item Description Name Name of the active VPN.
  • Page 714 Type of key associated with the VPN: Auto IKE (Internet Key Exchange) or manual key. Lifetime P1 Time listed in seconds before re-keying. Lifetime P2 Time reported in remaining bytes before re-keying. Independent from Lifetime P1.
  • Page 715: Table 58: Ethernet Statistics View Data

    The number of bytes of incoming traffic processed through the security device over the selected interface. Delta Bytes In The total numerical difference between the current bytes in value and the previous bytes in value.
  • Page 716 To change the interface setting, right-click in the chart and select the interface that you want. Table 59 on page 667 describes all the information that is available from the Flow Statistics view:
  • Page 717: Table 59: Flow Statistics View Data

    The report separates the data and statistics for all available interfaces. Table 60 on page 667 describes each of the attack counters available from the Attack Statistics view: Table 60: Attack Counters Item Description Interface Name of the interface.
  • Page 718 The security device internally logs the number of different ports scanned from one remote source. If a remote host scans 10 ports in 0.3 seconds, the device flags this as a port scan attack, and rejects further packets from the remote source.
  • Page 719 This option is a loose source route because the gateway or host IP is allowed to use any route of any number of other intermediate gateways to reach the next address in the route.
  • Page 720 When you enable the security device to deny IP fragments on a security zone, the security device blocks all IP packet fragments that it receives at interfaces bound to that zone. Zone The name of the zone associated with the attack.
  • Page 721: Table 61: Resource Statistics Items

    Item Description Administrator ID The administrator’s login ID. IP Address The administrator’s IP address. Service Used The type of service, for example, Console, Web, or Telnet. Time The time that the administrator logged in.
  • Page 722: Table 63: Authenticated Users View

    IP address of the receiving node of the connection. Destination Port Port number of the receiving node of the connection. Translated IP Translated IP address. Translated Port Translated port number. Duration (sec) Length in seconds of the connection session.
  • Page 723 Click the Maximum number of sessions to retrieve check box and enter the total number of sessions you want the Session Filter to retrieve. Specify criteria for the sessions that you would like to view. You can specify an active session according to the following:
  • Page 724 Telnet or a Secure Command Shell to troubleshoot problems. You can also add, delete, edit, or search for custom CLI commands using the Add/Delete option under the menu in the Custom Troubleshoot Commands Tools Device Manager window. To troubleshoot a device:
  • Page 725: Table 65: Ha Statistics View

    The number of conflicts that occurred on the master security device. Primary Backup Conflict The number of conflicts that occurred on the primary backup security device. Tx Heartbeat The number of transmitted heartbeats on the security devices.
  • Page 726: Table 66: Device Status Information

    Config Status on each sensor displays that it is awaiting migration. It remains in this state until you have migrated the sensor. Update Needed. An update to this sensor is required. Managed. The sensor is currently being managed by NSM.
  • Page 727: Table 67: Idp Device Detail Status Items

    Table 67 on page 677 lists and describes the information that you can view for an IDP sensor through the Device Detail Status: Table 67: IDP Device Detail Status Items Item Description OS Version IDP firmware version running on the sensor.
  • Page 728: Table 68: Idp Sensor Process Status Items

    Name of the process running on the sensor. Total Mem Usage Amount (in megabytes) of memory used. Phys Mem Usage Amount of memory (in kilobytes) a process currently has in physical memory (not in swap).
  • Page 729: Table 69: Device Statistics Summary (For Idp Sensors)

    Other Packets Total number of other packets. ICMP Flows Total number of ICMP flows. TCP Flows Total number of TCP flows. UDP Flows Total number of UDP flows. Other Flows Total number of other flows.
  • Page 730: Table 70: Vpn Tunnel Summary

    Security Parameter Index (SPI) key into and out of the active VPN. This is the encryption method. IP (Local-Peer) Peer gateway IP address for the active VPN. Protocol Protocol used for the active VPN. Peer GW ID Peer gateway ID for the active VPN.
  • Page 731: Configuring A Vpn Filter

    The VPN Filter dialog box is displayed. Select the edit icon. The View VPN Filter dialog box is displayed. Change the existing field values and click OK. The modified field values are updated in the Filter Table.
  • Page 732: Deleting A Vpn Filter

    NSRP Monitor to get an at-a-glance status of your Juniper Networks systems that are in clusters. These systems include both the NetScreen-500 and the NetScreen-1000. To launch the NSRP Monitor, click NSRP Monitor.
  • Page 733: Table 71: Nsrp Device Summary

    (RTO) that have been attached to this cluster. Click the VSD or RTO icon to see summary information describing the object. Table 72 on page 684 describes the information available from the VSD/RTO summary:
  • Page 734: Table 72: Vsd/Rto Summary

    An administrator purposefully assigned a device so that it cannot participate in selecting a new master device. InOperable A VSD or RTO group device has an internal problem. Master Conflict The number of conflicts that occurred on the master device.
  • Page 735: Table 74: Rto Counters Details

    Table 75 on page 685 describes all of the information available from the IDP Cluster Monitor: Table 75: IDP Cluster Monitor Item Description Name Name of the cluster. Status Status of the cluster (OK, Warning, or Fail).
  • Page 736: Table 76: Idp Cluster Summary

    Number of cluster members that are in INIT state. Member Master Name of the master node. Backup Availability Whether a backup is available in the event that the master node goes down. No. of Backup Members Number of active backup devices.
  • Page 737: Table 77: Idp Cluster Member Monitor

    Log Viewer, and assign them to your security experts for further investigation. Monitoring the Management System Use the Server Manager to access, configure, and monitor the NSM management system. The management system includes a GUI Server and Device Server. Refer to the Network
  • Page 738: Table 78: Server Information

    Server when installing the GUI Server and Device Server on separate servers, or when installing the management system with High Availability (HA) enabled. You can configure the following parameters on a Device Server: Name—Name of the Device Server. IP Address—IP address of the Device Server.
  • Page 739: Table 79: Gui Server Table

    Whether the current server is a GUI Server or GUI Server Cluster. IP Address IP address of the GUI server. IP Address of secondary server IP address of the secondary server. You can configure the following parameters for the GUI Server:
  • Page 740: Using Server Monitor

    To view the status of any server in the management system, select Server Manager in the navigation tree, and then select Server Monitor (Machine-wide Info). Figure 99 on page 691 shows the Server Monitor Window.
  • Page 741: Figure 99: Server Monitor (Machine-Wide Info)

    90%. You can edit the settings that apply for the Status indicators using Tools>Preferences>Alert Settings. Status based on CPU utilization: OK (CPU usage < 90%) Warning (CPU usage = 90-95%) Critical (CPU usage > 95%) N/A (when the server is down)
  • Page 742: Table 81: Server Detail Status

    Percentage of CPU utilization that occurred while executing at the user level. CPU Kernel Percentage of CPU utilization that occurred while executing at the system level. CPU Usage Percentage of CPU utilization. 1 Min Load One minute load average.
  • Page 743: Viewing Process Status

    You can also right-click the Server Monitor to open it in a new window. Click to select a server to view the status of the processes running on it. Figure 100 on page 694 shows process status for the Device Server.
  • Page 744: Figure 100: Process Status For The Device Server

    Table 82: Process Status Name Description Name Name of the GUI Server or Device Server process. Status Displays if the process is Up or Down. Total Mem Used Total amount (in megabytes) of memory utilized.
  • Page 745: Table 83: Management System Utilities

    Server. This utility is located on the GUI Server at /usr/netscreen/GuiSvr/utils. tech-support.sh Collects and compresses technical support data. This utility is located in the utils directory on both the Device Server and GUI Server.
  • Page 746: Using Schema Information

    Address] --domain=<domain id> --device=<device name> Using Schema Information From NSM, you can select Schema Information to view current and running schema and update schema for devices whose schema are defined using XML.
  • Page 747: Viewing Device Schema

    In the navigation tree, select Server Manager > Schema Information. The main display area displays the current staged and running schema details. The staged schema is the most current schema available for download. The running schema is the schema currently applied in NSM.
  • Page 749: Chapter 18 Analyzing Your Network

    After you configure the Profiler, it automatically learns about your internal network and the elements that constitute it, including hosts, peers (which host is talking to which other
  • Page 750: Example Of Unique Events

    To see all normal and unique events on your network, you configure and start the Profiler on multiple devices. This enables the Profiler to aggregate and display a complete view of your internal network. NOTE: Profiler DBs remain on individual devices even if the devices restart.
  • Page 751: Analyzing Your Network

    NOTE: Because devices collect data from network components on your internal network, it is helpful to create network objects to represent those components before you begin configuring the Profiler. Alternatively, you can create new network objects directly from the Profiler.
  • Page 752: Table 84: General Idp Profiler Settings

    The AVT feature is limited by its dependency on the NSM agent’s report delivery which might be unreliable, affecting the accuracy of information. Also, the AVT feature displays the cumulative count of all the traffic on a port, which could be over many sessions.
  • Page 753: Enabling Os Fingerprinting

    Later, when you have analyzed your traffic, you can eliminate contexts that you know will not be used on your network.
  • Page 754: Configuring Alerts

    The Device Update Options window prompts you to Restart IDP Profiler After Device Update. Click OK. The Job Information window shows the status of the update. After the operation finishes, the device begins collecting data for the Profiler DB.
  • Page 755: Starting The Profiler

    Customizing Profiler Preferences To configure the following Profiler preferences, use the Tools menu, and select Preferences > Profiler Settings: Profiler:
  • Page 756: About Profiler Views

    For example, Yahoo messenger, MSN, and AIM are chat applications; Kazaa, BitTorrent, and Gnutella are file sharing applications. In the application hierarchy, both chat and file-sharing applications are grouped under peer-to-peer applications.
  • Page 757: Table 85: Protocol Profiler Data

    First Time Timestamp for the first time the device logged the event (within the specified time interval). Last Time Timestamp for the last time the device logged the event (within the specified time interval).
  • Page 758: Table 86: Network Profiler Data

    NOTE: OUI stands for Organizationally Unique Identifier. This value is a mapping of the first three bytes of the MAC address and the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt
  • Page 759: About The Violation Viewer

    Most of the time, however, you do not know exactly what you are looking for on the network. In these cases, it is easier to specify exactly what should be on the network, then detect any traffic that violates that specification.
  • Page 760 Traffic that matches the object (uses a service specified in the object) is filtered out, leaving only the traffic that does not match (does not use a service specified in the object).
  • Page 761: Table 87: Application Profiler Data

    Byte count for the traffic profiled. Packet Count Packet count for the traffic profiled. User The user login name. Role The role group to which the user that is associated with the traffic profiled belongs.
  • Page 762: Using Profiler Views

    Right-click on any filter criteria or on any entry in the Profiler view and select Clear All Column Filters to disable all filtering. Other options that you can set in the Profiler views include:
  • Page 763: Filtering And Sorting From The Application Profiler

    Click on the Negate option to hide entries that match the criteria that you have set as a filter. You can also right-click on any entry in the Profiler view and select Toggle Filter Negation to hide entries that match that criterion.
  • Page 764: Refreshing Profiler Data

    Click on the Refresh icon periodically to refresh the Profiler view with the latest data available. Viewing Database Information Click on the Show DB Information icon to view specific details about the Profiler database, including the database size.
  • Page 765: Table 88: Detailed Network Information Data

    Details about the contexts and values on the selected host IP. Use the context and value fields to identify: Software version of the application Username and password of an account on that host Computer name
  • Page 766: Purging The Database

    Recommended Profiler Options The following are recommended for using the Profiler: Configuring a Network Baseline on page 717 Keeping Your Network Current on page 717 Proactively Updating Your Network on page 718
  • Page 767: Configuring A Network Baseline

    To help you maintain control of your network software versions, the Profiler uses passive application fingerprinting to identify the application version for each service used in your
  • Page 768: Proactively Updating Your Network

    Select the Protocol Profiler to see the applications running on the network. In the Context Filter data table, select HTTP Header Servers. The value data table lists all Web servers currently running. The network uses the following Web servers:
  • Page 769: Stopping Worms And Trojans

    Take appropriate measures to secure the network, such as: Apply patches. Remove the components from your network. Remove SQL from all components. Create a rule in your security policy that drops all SQL connections between your internal network objects.
  • Page 770: Example: Blaster Worm

    The IP/MAC address has the unique asset tag "darkness". After checking your IT inventory, you determine who the laptop user is and patch the infected system. Accessing Data in the Profiler Database The Profiler database is located on the NSM Device Server.
  • Page 771: About Security Explorer

    There are five main views in the Security Explorer: “Security Explorer Main Graph” on page 722 “Connections Detail Pane” on page 723 “Reference Point Pane” on page 724
  • Page 772: Figure 102: Security Explorer

    Host—Displayed as an IP address Network—Displayed using CIDR notation (ip/class: 8/16/24) Protocol—These include TCP, ICMP, and so on Attack—Specific attack object name Service—Displayed in protocol/port notation Service range—Displayed in protocol/port range notation, for example, TCP/1-1024
  • Page 773: Graph Types

    Connections Detail pane contains all services for this host. If a Peer IP graph appears, the Connections Detail pane contains all peers for the selected object. Double-clicking on one of the objects in the Details pane displays the relationship graph for it.
  • Page 774: Reference Point Pane

    You can select to view data from the last 24, 12, 8, 4, 2, 1 hours. Using Security Explorer You can launch the Security Explorer in any of the following ways: From the Security Monitor tree node, select Security Explorer.
  • Page 775: Analyzing Relationships

    Every option represents a transition from one graph to another. Viewing Data The following view options are available, making it easier for you to view and analyze each node in the main graph:
  • Page 776: Table 89: Transitional Graphs

    Click on the Time Period icon to set a specific time period during which you want to view data. Viewing Predefined Reports Use the Predefined Reports pull-down menu to view a predefined report of that data. You can access three predefined reports:
  • Page 777: Refreshing Data

    Use the – icon to remove the current Security Explorer panel. Exporting to HTML You can export any data depicted in the Security Explorer to an HTML file by using the Export to HTML option.
  • Page 779: Logging

    To view log entries from the NSM UI, you can use one or more of the logging-related UI components, such as the Log Viewer or the Log Investigator.
  • Page 780: Table 90: Event-Generated Log Entries

    Protocol Distribution Generates log entries for events related to protocols used in network activity. These log entries are used to produce statistical information for monitoring. Realtime Monitor > Device Monitor
  • Page 781: Table 91: Log Entry Severity Levels For Dmi Devices

    You can forward multiple log entries with different severity levels to the same log destination. Juniper Networks assigns a predefined severity level in the firmware of each Juniper Networks device. However, these severity levels are not the same as the severity levels that appear in the log entries viewed in an NSM UI module.
  • Page 782: Viewing Logs

    NSM handles your log entries. NSM includes three primary logging modules: Log Viewer—Presents complete, summarized, or detailed log-entry information in a table format. You can view an individual log entry to analyze the raw log data, or use
  • Page 783: Device Limitations For Viewing Logs

    The severity setting applies to all log types for that destination. For example, if traffic log entries are enabled for , but the severity setting specifies critical and major severities, receives only critical and major traffic logs; all other severity traffic log entries are
  • Page 784: Table 93: Destinations Of Log Entry Severities

    Use the General settings to select the severity levels of the log entries you want to forward to a specific location. Juniper Networks assigns a predefined severity level for each event that generates a log entry on a managed device; using NSM, you can configure a device to send log entries with specific severity levels to specific destinations.
  • Page 785: Table 94: Self Log Entry Settings

    Setting Description Enable Notification for Alarms When alarm is enabled for a rule in the installed security policy and traffic matches the rule, the device sends an e-mail notification to the specified SMTP server.
  • Page 786: Configuring Events Reporting Settings

    Enable the device to send log entries with the desired severity settings to NSM in Report Settings > General > NSM. Screen alarm log entries appear in the Log Viewer and display the following columns of information in the Log Viewer: Source Address Destination Address Service Action Category (Screen)
  • Page 787: Event Alarm Log Entries

    Threshold (displayed in the Misc. column of the Log Viewer) Deep Inspection Alarm Log Entries The device generates Deep Inspection alarm log entries when a device with Deep Inspection (DI) detects network traffic that matches an attack object specified in a
  • Page 788: Configuration Log Entries

    Information Log Entries The device generates information logs when it detects that an administrator has made a change to the basic settings of the device, such as logging in or out, setting a new
  • Page 789: Self Log Entries

    To receive traffic log entries, you must: Enable the device to generate traffic log entries for NSM in Report Settings > NSM.
  • Page 790: Policy Statistics

    Realtime Monitor, see “Viewing Traffic Distribution by Protocol” on page 660. The device reports statistics generated by the following services: AH (Authentication Header) ESP (Encapsulating Security Payload) GRE (Generic Routing Encapsulation) ICMP (Internet Control Message Protocol) OSPF (Open Shortest Path First)
  • Page 791: Atomic Updating Events

    This contact information is useful when the SNMP community member needs to contact someone about the device. Location—The physical location of the device. Listen Port—The number of the port assigned to monitor SNMP traffic (listen and transmit SNMP traps).
  • Page 792: Directing Logs To A Syslog Server

    787. To send log entries to a Syslog server, click the Syslog option. NSM displays the Syslog dialog box. Enter appropriate data into the following fields. See Table 96 on page 743.
  • Page 793: Table 96: Syslog Settings For Log Entries

    Use NSM to configure the IDP sensor to: Store packet data on the IDP sensor, which NSM can later retrieve. For IDP 4.1 and later, this option is the default setting and improves performance.
  • Page 794 To view a log with packet data, go to the main navigation tree and select Log Viewer, right-click the log containing the packet data, and then select Show > Packet Data. See Figure 103 on page 745.
  • Page 795: Figure 103: View Packet Data In A Log

    Figure 103: View Packet Data in a Log Figure 104 on page 746 provides an example of packet data.
  • Page 796: Figure 104: Sample Packet Data

    “Searching Log Entries” on page 754—For networks that generate large numbers of log entries, it can be difficult to locate the exact log entries that detail the events you want to investigate. This section describes how to use the log timeline to find logs generated
  • Page 797: Table 98: Ex Series Switch Predefined Log Views

    Table 98 on page 747 lists and describes the EX Switch predefined log views. Table 98: EX Series Switch Predefined Log Views Log Type Description All-Switch-logs Filters logs on devices whose device family name is junos-ex
  • Page 798: Table 99: Ssl/Uac Predefined Log Views

    Subcategory— NET24462, NET24463, Sensor Initiated Actions Subcategory— SUBCATEGORY: IDP24101, IDP24102, IDP24103, IDP24104, IDP24105, IDP24106, IDP24107, IDP24108, IDP24109, IDP24190, IDP24191 Sensors Category—(sensors)(15) System Restarts Subcategory—SYS10298, SYS10299, SYS10314, SYS24258, SYS24259 User Category— User(12) VLAN Assignments Subcategory—EAM24459
  • Page 799: Table 100: Predefined Log Views

    Attackers—To track the activities of a known attacker, create a view that filters on a specific source IP. The source IP address of an attack appears in the source address
  • Page 800: Creating Per-Session Views

    The UI assignable flag associated with the current log. Src Addr The source address of the packet that generated the log. Dst Addr Default The destination device to which the packet associated with the log entry was targeted.
  • Page 801 Bytes Out Number of bytes that comprised the log data being transmitted from the Log Viewer per session. Bytes Total The sum of the number of bytes transmitted and received by the Log Viewer.
  • Page 802 The unique policy rule number that generated the log. This policy number is constant in both ScreenOS and NSM. Roles A role group to which the user belongs. Rule Domain The domain that contained the rule that generated this log.
  • Page 803: Log Viewer Detail Panes

    Whois tab—Enables you to perform a Whois lookup on an IP address to see what organization has registered a particular address. Quick Reports tab—Enables you to quickly generate a predefined report on a filter criteria in the Log Viewer.
  • Page 804: Figure 105: View Category And Severity Filters

    The Log Viewer can receive thousands or even millions of log entries each day. To quickly locate a specific log entry or logs, use the log searching tools in Table 103 on page 755.
  • Page 805: Table 103: Search Tools For Log Viewer

    The log entry list automatically jumps to the selected date and time (shown by the horizontal red line). Figure 106 on page 756 shows the time slider.
  • Page 806: Figure 106: Log Viewer Time Slider

    Click the In button to select the time block to the right of the currently selected time block. Alternatively, you can use the mouse wheel to adjust the time interval.
  • Page 807: Table 104: Log Viewer Flags

    Within the Log Viewer, you can set a filter on one or more flags. Additionally, within Report Manager, you can generate a report that displays the count of all log entries that contain a specific flag.
  • Page 808: Using The Find Utility

    The following sections detail some common event-based and time-based filters used to manage log entries. Setting a Category Filter Apply a category filter to view log entries within a specific category or subcategory.
  • Page 809: Setting An Alert Filter

    Filter. Select the protocol types that you want to use as the filter criteria, then click OK. NSM applies the filter to all log entries and displays only the log entries that match the specified protocol types.
  • Page 810: Setting A Domain Filter

    Filtering Log Entries by Range A range filter matches log entries whose value for a column falls within a specified range. You can set a range filter for the following columns: Bytes In Bytes Out Bytes Total Packets In
  • Page 811: Setting A Bytes In Or Bytes Out Range Filter

    Dst Port or Src Port column: Right-click the Src Port or Dst Port column header and select Filter > Set Filter. The Dst/Src Port filter appears. Set the range for the port numbers:
  • Page 812: Customizing Columns

    To hide a column, right-click the column header and select Hide Column. To unhide a hidden column, you must use the Column Settings dialog box. To reorder the column display sequence, drag a column to a new location.
  • Page 813 Src Addr column. To configure the column filters: In the main display area, right-click the Category column header and select Filter > Set Filter. The Category filter dialog box appears.
  • Page 814: Filtering Log Entries By Column

    Before you exit NSM, save the Filter Summary changes that you made in Log Viewer. Figure 108 on page 765 shows the Filter Summary dialog box that you would use to configure filtering by Device family column.
  • Page 815: Figure 108: Filter Summary Dialog Box

    To clear a single column: Clear the column check box that you do not want to use for filtering log entries, then click OK. To remove all columns: Click the Clear All button.
  • Page 816: Using Log Viewer Integration

    To quickly configure a parameter on an individual device from the Log Viewer, double-click a device in the Device column. NSM displays the device configuration for the device, enabling you to make changes to the device.
  • Page 817: Figure 109: Viewing Summary Panel

    If the attack is irrelevant, you can remove the matching attack object group from the rule that triggered the log entry, or monitor the attack object group using a custom severity setting.
  • Page 818: Using The Log Investigator

    Log Investigator calculations “Excluding Data” on page 778—You can configure the Log Investigator to exclude data for a cell, row, or column in the Log Investigator matrix.
  • Page 819: Figure 110: Log Investigator Ui Overview

    Destination Port, Attack Subcategories, or Time Period details for any cell, row, or column. Zoom Chart—Displays a chart of log entry details. You can view Source, Destination, Destination Port, Attack Subcategories, or Time Period details for any cell, row, or column.
  • Page 820 Log Investigator (100 log entries), causing a warning message to appear next to the Selected Logs indicator. If you do not make changes to the time interval filter, the Log Investigator automatically clears the session, requiring you to create a new time filter.
  • Page 821: Figure 111: Configure Time Period Filter

    Top Subcategories—The attack subcategory detected in the event. Top Destination Ports—The port numbers on the Destination device that received the event. The port number can help you identify the service used in the event.
  • Page 822: Setting A Log Entry Limit

    As the Log Investigator searches your log database for log entries that match the filter, time period, and data type criteria, it places all matching log entries in the log buffer.
  • Page 823: Table 106: Log Investigator Filters

    Dst Addr Dst Intf Direction Filters Identifies packets based on the direction they are heading to or from a specified device. Packets In Packets Out Packets Total
  • Page 824: Example: Setting Filters In The Log Investigator

    In this example, the Left Axis is set to Top Sources and the Top Axis is set to Top Destinations (these are the default settings). To set a filter that displays all attack category log entries generated by the Top Sources and received by the Top Destinations:
  • Page 825: Figure 113: View Log Investigator Results

    IP address. You might determine that destination 1 is receiving a large number of events from sources A, B, and C. This activity could be a harmless event, such as multiple users attempting to contact a single
  • Page 826: Table 107: Log Investigator Analysis

    Useful for analyzing attack traffic, such as one source generating traffic to multiple destinations. One Row One Column View specific activity between two specific data types. A single cell is selected. Useful for analyzing event traffic between two network components.
  • Page 827: Zoom Details

    Zoom In > Time. In the Zoom area, the left pane displays a table of attacks listed in order (the oldest attack is listed first); the right pane displays a chart using the same information.
  • Page 828: Jumping To The Log Viewer

    The Audit Log Viewer appears as one of the modules in the NSM UI. Select the Audit Log Viewer to display the audit log entry table, device view, and target view, as shown in Figure 114 on page 779.
  • Page 829: Figure 114: Audit Log Viewer Ui Overview

    — Audit-log entries from the global domain. Users of the global domain can view all audit-log global entries. Command The command applied to the object or system, for example, sys_logout modify Authorization Status The final access-control status of activities is either success or failure.
  • Page 830: Managing The Audit Log Table

    To select the columns on which you want to filter audit log entries: Select View > Set Filter. From the Filter Summary dialog box, select a column on which you want to filter log entries.
  • Page 831 >= This Value— Displays log entries for events that were generated at or after the time specified in the selected row cell. <= This Value— Displays log entries for events that were generated before or at the time specified in the selected row cell.
  • Page 832: Target View And Device View

    Managing Log Volume Security administrators have different requirements for the number of log entries they need to retain. As directed by their corporate security policy, some administrators must
  • Page 833: Automatic Device Log Cleanup

    You can change the parameters for managing disk space on the Device Server by editing the Device Server configuration file. For more information on managing disk space on the Device Server, refer to the Network and Security Manager Installation Guide.
  • Page 834: Archiving Logs

    You can specify the number of days that NSM stores logs, and purge or archive a specified log based on the following configurable criteria: “Date Limits” on page 785 System-Wide Retention Policy
  • Page 835: Date Limits

    However, the selected logs are purged even if archival fails. Define Location Before you archive a log, you must first define a location for the archived logs. To do this, open NSM and select Server Manager > Servers > Device Server > Disk and Log
  • Page 836: Forwarding Logs

    (such as syslog, export, or alarm) on log data based on the criteria you specify. These actions occur for all the managed devices in a specific domain or subdomain. To enable the management system to export logs, you must configure the following:
  • Page 837: Configuring Action Parameters

    For exporting to CSV, configure the following CSV settings: File Path—The directory and filename that you want log entries exported to in .CSV format. Print Header—When selected, column headers are exported to .CSV format.
  • Page 838: Setting Device Log Action Criteria

    In the Category list, select a category of log entry for the criteria. Some categories contain subcategories; however, to set an action based on a subcategory, you must first select a category. For details on each category and subcategory, see “Log Entries” on page 861.
  • Page 839 Skip. Directs the system to skip any log for which the script had an error. Retry. Directs the system to try the action again for the same log. When using this filter, you must also specify:
  • Page 840: Using The Log2Action Utility To Export Logs

    ./devSvrCli.sh --log2action --filter --log-id 20060317:0-20060317:4294967294 --action --xml --file-path /tmp/newtest.xml  To view data for all logs from 2006/03/15 to 2006/03/17, run the following command: ./devSvrCli.sh --log2action --filter --log-id 20060315:0-20060317:4294967294 --action --xml --file-path /tmp/newtest.xml
  • Page 841: Table 109: Common Filters

    Specify one of the following values: none, info, device_warning_log, minor, major, device_critical_log, emergency, alert, critical, error, warning, notice, informational, or debug. --src-ip: Source IP address <a.b.c.d[/n|-<a.b.c.d>]>. --src-port: Source port <[0-65535][-[0-65535]]>. --time-recv: Time received <<yyyymmdd>:<hhmmss>>-<<yyyymmdd>:<hhmmss>>.
  • Page 842 ./devSvrCli.sh --log2action --filter --category implicit,config --action --csv --file-path /tmp/sun.csv --include-header no  NOTE: When a filter option includes multiple entries, use a comma-separated list with no space between the entries, as shown in the preceding example.
  • Page 843: Exporting To Xml

    Exporting to CSV: The csv action directs the system to output logs using the CSV format. To export: Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/utils.
  • Page 844: Using Csv Required And Optional Format-Specific Filters

    Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/utils. To export to a file, type: sh devSvrCli.sh --log2action --action --snmp <community> <server>  The Device Server exports all log records to the specified SNMP community and server.
  • Page 845: Using Snmp Required And Optional Format-Specific Filters

    Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/utils. To export to a file, type: sh devSvrCli.sh --log2action --action --email <sender> <recipient>  The Device Server exports all log records to the specified e-mail address for the recipient.
  • Page 846: Using E-Mail Required And Optional Format-Specific Filters

    Using Syslog Required and Optional Format-Specific Filters: You can use the following required format-specific filters for exporting to syslog (table columns: Syslog, Multiple, Required, Meaning). --server: Specify syslog server IP address as [IP|FQDN[:<port>]]. Examples: 192.168.1.25:7889, syslog.server@mycompany.com:7889
  • Page 847: Viewing Syslog Format Output

    Meaning: --script-name: Specify the script name. The script must be located in /usr/netscreen/DevSvr/var/scripts/<domain>/<script-name>. For example: /usr/netscreen/DevSvr/var/scripts/global/<script-name> or /usr/netscreen/DevSvr/var/scripts/global/<subdomain>/<script-name>
  • Page 848 Specifies the number of seconds until the action is tried again. --num-retries: Specifies the maximum number of retries to attempt before moving on to the next log record. The script format has no optional format-specific filters.
  • Page 849: Reporting

    Use the Report Manager module in Network and Security Manager to generate and view reports summarizing logs and alarms generated by the managed Juniper Networks devices in your network. You can use these reports to track and analyze log incidents, network traffic, and potential attacks.
  • Page 850: Graphical Data Representation

    Central Access to Management Information: For network administrators and security analysts interested in tracking and identifying potential network trends and attacks, Report Manager provides a single graphical view into the network.
  • Page 851: Report Types

    The total number of traffic log entries generated by the managed security devices in your network, within filter constraints. Top Configuration Logs: The total number of configuration log entries generated by the managed security devices in your network, within filter constraints.
  • Page 852: Table 111: Di/Idp Reports

    (last 7 days): All attacks prevented during the last 7 days. All Attacks Over Time (last 30 days): All attacks detected during the last 30 days. All Attacks Prevented Over Time (last 30 days): All attacks prevented during the last 30 days.
  • Page 853: Table 112: Screen Reports

    Top Screen Attacks: The most common attacks detected by the firmware on your security device. Screen Attacks by Severity: The number of attacks detected by the firmware on your security device, according to severity level.
  • Page 854: Table 113: Administrative Reports

    (devices) for UAC logs: 20 Infranet Enforcer devices that have most frequently appeared on UAC logs over the last 7 days. Top 10 auth failures for user@realm: Ten user authentication failures that have most frequently appeared on UAC logs over the last 24 hours.
  • Page 855: Table 115: Profiler Reports

    Volume over Time (last 1 hour): Five destination IP addresses with the highest volume in bytes in the past hour. SSL/VPN Reports: Table 117 on page 806 lists and describes those reports in NSM that provide information about SSL/VPN session logs.
  • Page 856: Table 117: Ssl/Vpn Reports

    Generating a Predefined Report on page 807; Creating a Custom Report on page 807; Deleting Reports on page 808; Organizing Reports in Folders on page 808; Generating Reports Automatically on page 808; Exporting Reports to HTML on page 811
  • Page 857: Generating A Predefined Report

    NSM creates the new report and displays it in a new folder called My DMZ Reports under My Reports. NOTE: You cannot create a subfolder under the first level of custom report folders.
  • Page 858: Deleting Reports

    UI. You can verify the status of an executed report in the Job Manager. Running Reports Using the guiSvrCli.sh Utility: The guiSvrCli.sh utility is located in the /usr/netscreen/GuiSvr/utils directory on the GUI Server. Use the following syntax to generate reports:
  • Page 859: Creating And Editing Action Scripts

    You can attach or embed the report in the e-mail by uncommenting a specific line in email.sh. You can also deliver multiple reports in separate mail messages or in a single collated one. ######################################################################### CODE ######################################################################### dir=`dirname $0`
  • Page 860: Using Cron With Scheduled Reports

    Entries in the table consist of a command set and a schedule. The command to run the report is the same as described above. The timing of the job is determined by a string of numbers preceding the script. There are five places and they represent, in order:
  • Page 861: Exporting Reports To Html

    Select Export Reports from the File menu. Alternatively, you can right-click in the chart window and use the “Export reports in HTML” option. Select the Top Attacks report check box.
  • Page 862: Setting Report Options

    Count-Based—Displays total current activity to date. For example, the Top Scan Targets report is a count-based report that displays the total number of scans currently recorded against a specified number of destination IP addresses.
  • Page 863: Configuring Report Source Data

    This makes it easier for you to focus on only the log data of interest to you. You can specify criteria to filter your log data on any of the columns on which you have chosen to base the report.
  • Page 864: Configuring Report Processing Warnings

    Log Viewer from the View menu. The source log entries will appear in the Log Viewer. NOTE: You cannot save the view generated in the Log Viewer for use in a later UI session.
  • Page 865: Figure 115: Generating A Quick Report

    "Investigate". To flag a log entry, right-click on the log and select Flag > Investigate from the drop-down menu. After completing their investigation, they change the flag to either "Closed" or "Assigned" for further investigation. During normal operations, firewall administrators investigate over 200 log entries per day.
  • Page 866: Figure 116: Logs By User-Set Flag Report

    You also set the report data point count to 100. In this way, you can get an indication of the top 100 rules that are generating log events. Figure 117 on page 817 shows the Top FW/VPN Rules report.
  • Page 867: Figure 117: Top Fw/Vpn Rules Report

    During the week, you can generate a similar report to track switches that have undergone the most configuration changes committed during the past seven days. Figure 118 on page 818 shows the Top Configuration Changes report.
  • Page 868: Figure 118: Top Configuration Changes Report

    "Top Attacks", "Top Attackers", and "Top Targets" reports to further investigate the nature and assess the risk of these attacks. For details on generating and configuring these reports, refer to the Network and Security Manager Online Help.
  • Page 869: Example: Using Di Reports To Detect Application Attacks

    Report Manager—Includes custom reports for destination and source watch lists. Access the Destination Watch List or Source Watch List from Tools > Preferences. For details about creating and configuring watch lists, refer to the Network and Security Manager Online Help.
  • Page 871 PART 5 Appendixes: Glossary on page 823; Unmanaged ScreenOS Commands on page 849; SurfControl Web Categories on page 851; Common Criteria EAL2 Compliance on page 859; Log Entries on page 861
  • Page 873: Appendix A Glossary

    To guard against spoofing attacks, configure a security device to check its own route table. If the IP address is not in the route table, the security device denies the traffic.
  • Page 874 Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP)—including HTTP webmail—and Post Office Protocol version 3 (POP3) traffic. Juniper Networks offers an internal AV scanning solution. Access Point Name. An APN is an IE included in the header of a GTP packet that provides information on how to reach a network.
  • Page 875 The simplest form of authentication requires a username and password to gain access to a particular account. Authentication protocols can also be based on secret-key encryption, such as DES, or on public-key systems using digital signatures.
  • Page 876 OSPF router dynamically detects its neighbor routers by sending Hello packets to the multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.
  • Page 877: Table 119: Cidr Translation

    BGP AS, you reduce the complexity associated with the matrix of routing connections, known as a mesh, within the AS. Configlet: A configlet is a small, static configuration file that contains information on how a security device can connect to NSM.
  • Page 878 The Device Server is the component of the NSM management system that handles communication between the GUI Server and the device, collects data from the managed devices on your network, formats configuration information sent to your managed device, and consolidates log and event data.
  • Page 879 These messages populate the network, directing routers to rerun their algorithms and change their routing tables accordingly. There are two common forms of dynamic routing: Distance Vector Routing and Link State Routing.
  • Page 880 A filter organizes log entries based on administrator specifications. Firewall: A firewall device that protects and controls incoming and outgoing traffic on network connections. Firewalls protect internal servers from damage (intentional or otherwise) and enable authorized external access.
  • Page 881 Groups enable you to execute certain NSM operations on multiple security devices at the same time. GPRS Roaming Exchange. Global System for Mobile Communications. GPRS Tunneling Protocol.
  • Page 882 In OSPF, the maximum amount of time between instances of initiating Shortest Path First (SPF) computations. In BGP, the maximum amount of time that elapses between message transmissions between a BGP speaker and its neighbor.
  • Page 883 The policy management component of Juniper Networks UAC solution. Infranet Enforcer: The policy enforcement point or firewall within a Juniper Networks UAC solution. Internet Control Message Protocol: ICMP is a network-layer protocol that does not carry user data, but does encapsulate its messages in IP datagrams.
  • Page 884 The Job Manager is a module of the NSM User Interface. Job Manager tracks the progress of the command as it travels to the device and back to the management server. JSRP: Junos Services Redundancy Protocol. A process that controls chassis clustering of Junos devices.
  • Page 885 Lockout is an object state during which the object cannot be edited. A Log is a grouping of log entries. Log Category: A log category defines the log type (alarm, config, traffic, and so on).
  • Page 886 The metric value for connected routes is always 0. The default metric value for static routes is 1, but you can specify a different value when defining a static route. Mobile Network Code.
  • Page 887 Internet, eliminating the need to use a registered IP address for every machine in your network. NSAPI: Network Service Access Point Identifier. NSGP: NetScreen Gatekeeper Protocol. NSM Administrator: The NSM administrator is the person who uses the NSM User Interface to manage their devices.
  • Page 888 Joins two routers over a Wide Area Network (WAN). An example of a point-to-point network is two security devices connected via an IPSec VPN tunnel. On point-to-point networks, the OSPF router dynamically detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.
  • Page 889 Typically, you use a VPN to enable RAS, then add RAS users to the VPN. Real Time Streaming Protocol (RTSP): RTSP is an application layer protocol for controlling the delivery of a stream of real-time multimedia content.
  • Page 890 If the route map entry is not a match, then the next entry is evaluated for matching criteria. Route Redistribution: Route redistribution is the exporting of route rules from one virtual router to another.
  • Page 891 Secure Access Device: A Juniper Networks SSL VPN appliance. Secure Copy (SCP): A method of transferring files between a remote client and a security device using the SSH protocol.
  • Page 892 (It is generally regarded as more secure than MD5 because of the larger hashes it produces.) Shared Objects: A shared object is an object that can be shared across domains. Short Frame: A short frame contains less than 64 bytes of data.
  • Page 893 The super administrator is the default administrator for all domains. The superadmin has immutable powers. You cannot change or delete permissions for the super administrator; you can, however, change the password for the super administrator.
  • Page 894 Trojan: A trojan is a program with hidden functionality. Trojans often install a remote administration program (known as a backdoor) that enables attackers to access the target system.
  • Page 895 One of two predefined zones that enables packets to be seen by devices external to your current domain. User: A user is a person using the network your security devices are protecting. NSM supports two types of users: local users and external users.
  • Page 896 A virtual system is a subdivision of the main system that appears to the user to be a standalone entity. Virtual Systems reside separately from each other. Each one can be managed by its own Virtual System Administrator.
  • Page 897 A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or a logical entity that performs a specific function (a function zone).
  • Page 899: Table 120: Unmanaged Commands For Firewall/Vpn Devices

    (although future versions of NSM may support these commands). To use an unmanaged device command, you must connect locally to the Juniper Networks security device. Table 120 on page 849 details each unmanaged command.
  • Page 900 These commands create, remove, or display entries in the internal user authentication database. vr nsrp-config-sync: This command unsets synchronization for a specific virtual router in an NSRP cluster.
  • Page 901: Table 121: Surfcontrol Web Categories

    Jokes, comics, comic books, comedians or any site designed to be funny or satirical; circuses, theatre, variety magazines, and radio; broadcasting firms and technologies (satellite, cable); book reviews and promotions, publishing houses, and poetry; museums, galleries, artist sites (including sculpture, photography)
  • Page 902 General finances and companies that advise thereof; accountancy, actuaries, banks, mortgages, and general insurance companies. Food and Drink: Recipes, cooking instruction and tips, food products, and wine advisors; restaurants, cafes, eateries, pubs, and bars; food/drink magazines, reviews
  • Page 903 Sites that provide instruction or work-arounds for our filtering software; cracked software and information sites; pirated software and multimedia download sites; sites that provide or promote parasites, including Spyware, Adware and other unsolicited commercial software
  • Page 904 Web sites that host business and individuals’ web pages (such as GeoCities, earthlink.net, AOL). Job Search and Career Development: Employment agencies, contractors, job listings, career information; career searches, career-networking groups. Kid's Sites: Child-oriented sites and sites published by children
  • Page 905 Discussion sites on how to talk to your partner about diseases, pregnancy and respecting boundaries. NOTE: Not included in the category are commercial sites that sell sexual paraphernalia. These sites are typically found in the Adult category. Search Engines: General search engines (Yahoo, AltaVista, Google)
  • Page 906 Sites promoting terrorism; excessively violent sports or games; offensive or violent language or satire. NOTE: We do not block news, historical, or press incidents that may include the above criteria (except in graphic examples).
  • Page 907 Clubs which offer training on machine guns, automatics and other assault weapons and/or sniper training. NOTE: Weapons are defined as something (as a club, knife, or gun) used to injure, defeat, or destroy. Web-based E-mail: Web-based e-mail accounts; messaging sites
  • Page 909: Appendix D Common Criteria Eal2 Compliance

    This appendix describes actions required for a security administrator to properly secure the Network and Security Manager (NSM) system and NSM User Interface to be in compliance with the Common Criteria EAL2 security target for Juniper Networks IDP 4.0 functionality.
  • Page 911: Appendix E Log Entries

    Attacks > Critical > 00432. Block ZIP component: Attacks > Critical > 00431; Destination IP session limit: Attacks > Critical > 00430; ICMP Flood Attack: Attacks > Alert > 00011; IDS ICMP Fragment: Attacks > Critical > 00422
  • Page 912 Attacks > Critical > 00439. Source IP session limit: Attacks > Critical > 00033; Tear Drop Attack: Attacks > Emergency > 00006; UDP Flood Attack: Attacks > Alert > 00012; VPN Replay Detected: IKE > Critical > 00042
  • Page 913: Table 123: Alarm Log Entries

    NSRP IP DUP Master: High Availability > 00015; NSRP RTO DOWN: High Availability > 00015; NSRP RTO Duplicate: High Availability > 00015; NSRP RTO UP: High Availability > 00015; NSRP Status: High Availability > Critical > 00015
  • Page 914: Deep Inspection Alarm Log Entries

    VPN Down: VPN > Critical > 00041; VPN Up: VPN > Critical > 00040. Deep Inspection Alarm Log Entries: The Deep Inspection Alarm category contains the subcategories shown in Table 124 on page 865:
  • Page 915: Table 124: Deep Inspection Alarm Log Entries

    Yahoo! Messenger encrypted password is 1024. CHAT:MSN:ACCESS (info; sos5.1.0): This signature detects MSN Messenger chat using the specified content type "text/plain" on port 1863 (default port of MSN Messenger).
  • Page 916 (such as SMTP queries) may trigger this anomaly. DNS:EXPLOIT:POINTER-LOOP (high; sos5.0.0, sos5.1.0): This protocol anomaly is a DNS message with a set of DNS pointers that form a loop. This may indicate a denial-of-service (DoS) attempt.
  • Page 917 DNS:OVERFLOW:TOO-LONG-TCP-MSG (high; sos5.1.0): This protocol anomaly is a DNS TCP-based request/reply that exceeds the maximum length specified in the message header. This may indicate a buffer overflow or an exploit attempt.
  • Page 918 TCP/8000. DOS:NETDEV:WEBJET-FW-INFOLEAK (medium; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a vulnerability in HP Web JetAdmin service. Web JetAdmin version 6.5 is vulnerable. Attackers may access sensitive configuration information.
  • Page 919 FTP server's /bin directory. Successful exploitation of this vulnerability may result in the attacker being able to execute arbitrary code on the victim ftp server, including the reading of sensitive files outside of the ftp server's path.
  • Page 920 (critical; sos5.0.0, sos5.1.0) This signature detects buffer overflow attempts against the FTPD that ships with early versions of FreeBSD 4.x and OpenBSD 2.8. FTPD 6.00LS and 6.5/OpenBSD versions are vulnerable. Attackers may gain local host access and root permissions.
  • Page 921 FTP:OVERFLOW:USERNAME-2-LONG (high; sos5.0.0, sos5.1.0): This protocol anomaly is a username in an FTP connection that exceeds the length threshold. This may be an attempt to overflow the server.
  • Page 922 Attackers may send a pathname to the 'MKD' command to gain remote root access. FTP:PROFTP:PPC-FS1 (critical; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a format string vulnerability in ProFTPD. Versions 1.2pre6 and earlier are vulnerable. Attackers may overflow the PWD command.
  • Page 923 "root" account (sos5.1.0). This may indicate an attacker trying to gain root-level access, or it may indicate poor security practices. FTP typically uses plain-text passwords, and using the root account to FTP could expose sensitive data over the network.
  • Page 924 File Transfer Protocol (FTP) services for UNIX and Linux systems. Wu-ftpd version 2.5.0 and earlier are vulnerable. Attackers may send a maliciously crafted FTP pathname to overflow a buffer in realpath() and execute arbitrary commands with administrator privileges.
  • Page 925 2.0.38 and prior are vulnerable. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. The worm sends POST requests containing malicious chunked encoded data to exploit the Apache daemon.
  • Page 926 'HTTP/...'. This may indicate command line access to an HTTP server. HTTP:AUDIT:UNKNWN-REQ (info; sos5.1.0): This protocol anomaly is an unknown HTTP request. Known requests are OPTION, GET, HEAD, POST, PUT, DELETE, TRACE, and CONNECT.
  • Page 927 HTTP:CGI:BUGZILLA-SEMICOLON (high; sos5.0.0, sos5.1.0): This signature detects shell access attempts to exploit the process_bug.cgi script vulnerability in Bugzilla. Attackers may send a semicolon as an argument to the script, followed by arbitrary shell commands.
  • Page 928 HTTPd process. HTTP:CGI:TECHNOTE-MAIN-DCLSR (medium; sos5.0.0, sos5.1.0): This signature detects directory traversal attempts that exploit the main.cgi script in TECH-NOTE 2000. Because the script validates input incorrectly, attackers may remotely access arbitrary files from the server.
  • Page 929 CONNECT method to access other servers and launch further attacks. HTTP:CISCO:IOS-ADMIN-ACCESS (critical; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a vulnerability in Cisco IOS. Attackers may remotely gain full administrative access to the router.
  • Page 930 HTTP:EXPLOIT:AMBIG-CONTENT-LEN (sos5.0.0, sos5.1.0): This protocol anomaly is an HTTP request that has both a Content-Length and a Transfer-Encoding header. RFC-2616#4.4 specifies that only one of these two headers should be used in an HTTP request.
  • Page 931 User involvement is required to activate GRP files; typically they are attached or linked to a harmless-appearing e-mail message.
  • Page 932 URL request. HTTP:IIS:BAT-& (high; sos5.0.0, sos5.1.0): This signature detects attempts to execute a command by specifying a .bat or .cmd extension to a Microsoft Windows Web server.
  • Page 933 (DoS) (sos5.1.0). HTTP:IIS:MDAC-RDS (high; sos5.0.0, sos5.1.0): This signature detects attempts to exploit the Microsoft Data Access Components (MDAC) Remote Data Services (RDS) component. Attackers may access files and other services.
  • Page 934 (critical; sos5.1.0) This signature detects buffer overflow attempts against Microsoft IIS WebDAV. Attackers may send a maliciously crafted WebDAV URL request that contains 65535 or 65536 bytes to the Web server to execute arbitrary code as the system account.
  • Page 935 This signature detects attempts to exploit a vulnerability in Vignette Story Server. Vignette Story Server versions 4.1 and 6 are vulnerable. Attackers may expose information about user sessions, server side code, and other sensitive information.
  • Page 936 WG602 using an undocumented administrator username/password that cannot be changed or disabled. Attackers can modify any setting on the WG602 to perform a denial-of-service (DoS) on the Netgear device or circumvent other access control protocols.
  • Page 937 GET request to the Web server daemon to overflow the buffer. HTTP:OVERFLOW:AUTHORIZATION (medium; sos5.1.0): This protocol anomaly is an HTTP authorization header that exceeds the user-defined maximum. The default length is 128.
  • Page 938 The default length is HTTP:OVERFLOW:HTTPA-OF1 (high; sos5.1.0): This signature detects buffer overflow attacks against the HTTPa daemon. Attackers may send a maliciously crafted HTTP GET request to the host to overflow the buffer.
  • Page 939 (high; sos5.1.0) This signature detects attempts to exploit a remote file inclusion vulnerability in AlexPHP. Attackers may send a maliciously crafted HTTP request to execute PHP code from a remote server on the host running AlexPHP.
  • Page 940 URL to cause the Web server to download PHP code from a remote server, allowing the attacker to execute arbitrary code with the permissions of the user that is running the Web server daemon.
  • Page 941 Attackers may send a maliciously crafted request that supplies SQL commands to the pm_sql_user parameter, changing database values and escalating client privileges.
  • Page 942 2.2.1 and other versions are vulnerable. Attackers may send a malicious HTTP request to force the pMachine Web server to execute PHP code from a remote server; commands are executed with web server privileges.
  • Page 943 CRM system (sos5.1.0). A vulnerability exists in the header.php that holds zenTrack configuration settings. It allows remote command execution with the privileges of the webserver process. This applies to zenTrack 2.4.1 and below.
  • Page 944 Attackers may send a maliciously crafted HTTP GET request to the Web server to crash the server and create a DoS. HTTP:SPYWARE:DOWNLOAD-ACCEL (info; sos5.1.0): This signature detects the use of Download Accelerator, a spyware application.
  • Page 945 This signature detects a maliciously crafted PDF file high sos5.1.0 downloaded via HTTP. Attackers may insert certain shell metacharacters at the beginning of a uuencoded PDF file to force Adobe Acrobat to execute arbitrary commands upon loading the file. Copyright © 2010, Juniper Networks, Inc.
  • Page 946 HTTP. Users may use proxy connections over the HTTP port to circumvent firewall policies. HTTP:TUNNEL:CHAT-MSN-IM This signature detects MSN Instant Messenger over HTTP. info sos5.1.0 Users may use proxy connections over the HTTP port to circumvent firewall policies. Copyright © 2010, Juniper Networks, Inc.
  • Page 947 IBM WebSphere Edge Server. Version 2.0 is vulnerable. Attackers may send a maliciously crafted HTTP GET request that does not have a proper version identifier to crash the proxy service and render the proxy unusable. Copyright © 2010, Juniper Networks, Inc.
  • Page 948 (DELE) to overflow the buffer and take complete control of the server. IMAP:OVERFLOW:COMMAND This protocol anomaly is an IMAP command that is too long. high sos5.0.0, This may indicate a buffer overflow attempt. sos5.1.0 Copyright © 2010, Juniper Networks, Inc.
  • Page 949 This protocol anomaly is a DCOM servername that is longer critical sos5.1.0 than 32 octets in unicode. MS-RPC:EPDUMP-SCAN This anomaly detects a client enumerating MSRPC endpoints sos5.1.0 on a windows server. This may indicate a probing scan prior to a more sophisticated attack. Copyright © 2010, Juniper Networks, Inc.
  • Page 950 This protocol anomaly is an MSRPC connectionless message high sos5.1.0 with a fragment length that conflicts with the common header length and the whole message length. MS-RPC:ERR:RESPONSE-NO-REQ This protocol anomaly is an MSRPC response that precedes medium sos5.1.0 the request. Copyright © 2010, Juniper Networks, Inc.
  • Page 951 However, because system administrators also use the SAMR service legitimately, this signature may also detect non-malicious activity. Copyright © 2010, Juniper Networks, Inc.
  • Page 952 0xff 'S' 'M' 'B'. NETBIOS:NBDS:OVERFLOW:MSG This protocol anomaly is a Netbios datagram that is bigger high sos5.1.0 than 1064. NETBIOS:NBDS:OVERFLOW:NAME This protocol anomaly is a Netbios name that is longer than high sos5.1.0 255. Copyright © 2010, Juniper Networks, Inc.
  • Page 953 This protocol anomaly is Netbios name response with an high sos5.1.0 RCODE that indicates the request has an invalid format. NETBIOS:NBNS:S2C_QUERY This protocol anomaly is a Netbios name response header medium sos5.1.0 with an OPCODE field that contains an unset response bit. Copyright © 2010, Juniper Networks, Inc.
  • Page 954 The default line length is 256. P2P:AUDIT:GNUTELLA-RTABLE-UPD This protocol anomaly is a Gnutella ROUTE_TABLE_UPDATE info sos5.1.0 message with a payload length of 0 bytes. Copyright © 2010, Juniper Networks, Inc.
  • Page 955 MLDonkey, a multi-protocol P2P file sharing application. P2P:SKYPE:VERSION-CHECK This signature detects a Skype client request (to a central info sos5.1.0 server) that checks for the latest version of the client software. Copyright © 2010, Juniper Networks, Inc.
  • Page 956 .adp and were received via POP3. Because .ADP (Microsoft Access Project) files can contain macros, this may indicate an incoming e-mail virus. Attackers may create malicious scripts, tricking users into executing the macros and infecting the system.
  • Page 957 '.exe' sent via POP3. This may indicate an incoming e-mail virus. EXE (executable) files contain code that runs directly when the file is opened. Attackers may create malicious executables, tricking the user into running the file and infecting the system.
  • Page 958 .isp and were received via POP3. Because .ISP (Internet Communication Settings) files contain configuration parameters, this may indicate an incoming e-mail virus. Attackers may include malicious configurations, tricking users into executing the file and infecting the system.
  • Page 959 .msp received via POP3. This may indicate an incoming e-mail virus. .MSP (Microsoft Windows Installer Patch) files contain executable code. Attackers may create malicious patches, tricking the user into executing the file and infecting the system.
  • Page 960 .vb received via POP3. This may indicate an incoming e-mail virus. .VB (VBScript) files contain scripts. Attackers may create malicious scripts, tricking the user into executing the file and infecting the system.
  • Page 961 Because Zip files are frequently used for non-malicious purposes, this signature can generate false positives. As a general network security precaution, ensure that all users are aware of the dangers of sending and receiving binary files as e-mail attachments.
  • Page 962 Qpopper, a POP3 server for Unix. Qpopper 3.0beta20 and earlier versions are vulnerable (sos5.1.0). POP3:OVERFLOW:QPOP-OF2 (critical; sos5.0.0, sos5.1.0): This signature detects a buffer overflow attempt to exploit a vulnerability in Qpopper. Version 3.0beta30 and many earlier versions are vulnerable.
  • Page 963 Microsoft IIS 4.0 and 5.0 (sos5.1.0). Attackers may send maliciously crafted HTR requests (.htr) with long variable names to overflow a buffer in the ism.dll ISAPI extension that implements HTR scripting, causing a denial of service or executing arbitrary commands.
  • Page 964 Vulnerability scanners and programs like enum that perform dictionary-based or password-guessing attacks will likely trigger this signature. SMB:ERROR:INV-MSG-LEN (high; sos5.1.0): This protocol anomaly is an invalid session message length in an SMB message.
  • Page 965 Malicious users can send "get", "put", and "dir" commands to a Samba server to access files outside the shared directories. SMB:EXPLOIT:WINBLAST-DOS (medium; sos5.1.0): Microsoft Windows Samba File Sharing Resource Exhaustion Vulnerability.
  • Page 966 SMTP server SMTP:AUDIT:TEXT-LINE (info; sos5.1.0): This protocol anomaly is a text line (in the data section) of an SMTP connection that is too long. This may indicate a buffer overflow attempt.
  • Page 967 SMTP e-mail message by exploiting the pipe passthrough vulnerability (sos5.1.0). Attackers may use the invalid "mail from |" as the return e-mail address to cause Sendmail to reroute data to another program.
  • Page 968 (HSC) when invoked with an hcp:// URL. By embedding a quote (") character in the URL, HSC can be instructed to load an arbitrary local file or remote Web page, which can then be used to execute scripts in the Local zone.
  • Page 969 (medium; sos5.1.0) This signature detects e-mail attachments with the extension '.cmd' sent via SMTP. This may indicate an incoming e-mail virus. CMD files contain commands that, when executed, can cause significant damage to a Windows system.
  • Page 970 .inf and were sent via SMTP. Because .INF (Setup Information) files contain setup directives that run when the file is installed, this may indicate an incoming e-mail virus. Attackers may create malicious setup files, tricking users into executing the file and infecting the system.
  • Page 971 Microsoft Common Console Document) files can contain configuration information, this may indicate an incoming e-mail virus. Attackers may change the configuration to point to a dangerous command, tricking users into executing the file and infecting the system.
  • Page 972 .sct sent via SMTP. This may indicate an incoming e-mail virus. .SCT (Windows Script Component) files contain scripts. Attackers may create malicious scripts, tricking the user into executing the file and infecting the system.
  • Page 973 This vulnerability is present in Microsoft Windows 2000 Service Pack 2 and later. It is also present in Microsoft Windows XP Service Pack 1.
  • Page 974 URL that is included in an e-mail; when the URL is viewed, these control characters prevent Outlook Express and Internet Explorer from displaying the complete URL, which may lead to malicious content.
  • Page 975 SMTP:OVERFLOW:EMAIL-USERNAME (high; sos5.0.0, sos5.1.0): This protocol anomaly is a user name within an e-mail address (for example, root in root@localhost.localdomain) that is too long. This may indicate a buffer overflow attempt.
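  The length and format checks described for HTTP:OVERFLOW:AUTHORIZATION (page 937), the WebSphere request without a version identifier (page 947), SMTP:AUDIT:TEXT-LINE (page 966), the Sendmail "mail from |" pipe (page 967) and SMTP:OVERFLOW:EMAIL-USERNAME (page 975), written out as one added Python example. This is not Juniper code and is not how the NSM sensor implements these anomalies. The Authorization limit of 128 is the page's stated default; the SMTP thresholds, the decision to measure the header value rather than the whole header line, and the two labels that carry no Juniper-style ID are my assumptions. The sample requests and sessions are constructed, not captures.

```python
import re

# Thresholds. 128 is the page's default for HTTP:OVERFLOW:AUTHORIZATION.
# The SMTP values are assumptions standing in for the user-configurable
# limits the page does not quote (RFC 5321 local-part and line maxima).
HTTP_AUTHORIZATION_MAX = 128
SMTP_USERNAME_MAX = 64
SMTP_TEXT_LINE_MAX = 1000

# A proper request line carries a version token; "GET /" alone does not.
REQUEST_LINE_RE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")
# Envelope commands, with or without angle brackets around the address.
ENVELOPE_RE = re.compile(rb"^(MAIL FROM|RCPT TO):\s*<?([^>\r\n]*)>?", re.IGNORECASE)


def check_http_request(raw):
    """Return anomaly labels for one raw HTTP request (CRLF-delimited bytes)."""
    findings = []
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    if not REQUEST_LINE_RE.match(lines[0]):
        findings.append("request-line-without-version")   # label is my own
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        # Assumption: the 128-byte limit is applied to the header value.
        if sep and name.strip().lower() == b"authorization" \
                and len(value.strip()) > HTTP_AUTHORIZATION_MAX:
            findings.append("HTTP:OVERFLOW:AUTHORIZATION")
    return findings


def check_smtp_session(client_lines):
    """Return anomaly labels for the client side of an SMTP session.

    client_lines: the lines the client sent, in order, without CRLF.
    Lines between DATA and the terminating "." are message text.
    """
    findings = []
    in_data = False
    for line in client_lines:
        if in_data:
            if line == b".":
                in_data = False
            elif len(line) > SMTP_TEXT_LINE_MAX:
                findings.append("SMTP:AUDIT:TEXT-LINE")
            continue
        m = ENVELOPE_RE.match(line)
        if m:
            verb, addr = m.group(1).upper(), m.group(2).strip()
            # Sendmail pipe passthrough: a return address that starts with "|".
            if verb == b"MAIL FROM" and addr.startswith(b"|"):
                findings.append("mail-from-pipe")              # label is my own
            # The user name is everything before "@" (root in root@localhost).
            if len(addr.split(b"@", 1)[0]) > SMTP_USERNAME_MAX:
                findings.append("SMTP:OVERFLOW:EMAIL-USERNAME")
        elif line.strip().upper() == b"DATA":
            in_data = True
    return findings


# Constructed samples: one clean request/session and one per anomaly.
GOOD_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
                b"Authorization: Basic YWxpY2U6c2VjcmV0\r\n\r\n")
LONG_AUTH_REQUEST = b"GET / HTTP/1.0\r\nAuthorization: Basic " + b"A" * 300 + b"\r\n\r\n"
NO_VERSION_REQUEST = b"GET /\r\nHost: proxy.example.test\r\n\r\n"

GOOD_SESSION = [b"EHLO client.example.test", b"MAIL FROM:<alice@example.test>",
                b"RCPT TO:<bob@example.test>", b"DATA", b"Subject: hi", b"", b"hello", b"."]
PIPE_SESSION = [b"HELO x", b"MAIL FROM: |/usr/bin/id", b"RCPT TO:<bob@example.test>",
                b"DATA", b"."]
LONG_USER_SESSION = [b"HELO x", b"MAIL FROM:<" + b"a" * 200 + b"@example.test>",
                     b"RCPT TO:<bob@example.test>"]
LONG_LINE_SESSION = [b"HELO x", b"MAIL FROM:<alice@example.test>",
                     b"RCPT TO:<bob@example.test>", b"DATA", b"X" * 1200, b"."]

if __name__ == "__main__":
    for label, req in [("good", GOOD_REQUEST), ("long auth", LONG_AUTH_REQUEST),
                       ("no version", NO_VERSION_REQUEST)]:
        print("http", label, check_http_request(req))
    for label, sess in [("good", GOOD_SESSION), ("pipe", PIPE_SESSION),
                        ("long user", LONG_USER_SESSION), ("long line", LONG_LINE_SESSION)]:
        print("smtp", label, check_smtp_session(sess))
```

  Note that a bare "GET /" is a legal HTTP/0.9 simple request, so the version check trips on legitimate legacy clients as well as on the crafted request the page describes; the same caveat the page attaches to the SAMR and Zip signatures applies here.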
  • Page 976 Sendmail. Sendmail versions 5.79 to 8.12.7 are vulnerable (sos5.1.0). Attackers may include multiple empty address containers in an SMTP header field to overflow the SMTP header buffer and force Sendmail to execute arbitrary code on the host.
  • Page 977 Sendmail versions 8.12.8 and earlier (sos5.1.0). Under certain conditions, the Sendmail address parser does not perform sufficient bounds checking when converting char to int. Attackers may use this flaw to gain control of the server.
  • Page 978 Microsoft Outlook database, and sends infected messages containing a Dutch phrase to all addresses found. VIRUS:POP3:EICAR-ATTACHMENT (info; sos5.1.0): This signature detects the EICAR antivirus test file sent as an e-mail attachment.
  • Page 979 Microsoft Outlook database and sends infected files to up to 60 addresses found. This virus also installs the file script.ini in the mIRC directory and uses DCC to send irok.exe to IRC clients who join the channel.
  • Page 980 Outlook preview pane; once triggered, the CHM file runs myromeo.exe in the background. Myromeo.exe obtains e-mail addresses from the Microsoft Outlook database, sends infected e-mail messages to all addresses found, and edits the file hh.dat in the Windows directory.
  • Page 981 "friendly" message featuring Pikachu while it overwrites the Autoexec.bat file to delete most Microsoft Windows 9x system files upon reboot. Pikachu then obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found.
  • Page 982 The Fly then copies MSJSVM.JS to the Windows system directory and edits the Registry to run this JavaScript upon reboot. The virus also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found.
  • Page 983 Registry to run the virus on reboot. When activated, it obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found, overwrites mIRC and Pirch setup files, and sends infected messages via IRC.
  • Page 984 (high; sos5.1.0) This signature detects e-mail attachments that have two file extensions. Attackers or viruses may send e-mail attachments that use two file extensions to disguise the actual file type and trick users into opening a malicious attachment.
  • Page 985 (medium; sos5.1.0) This signature detects e-mail attachments with one of the following file names sent via SMTP: approved.pif, application.pif, doc_details.pif, movie28.pif, password.pif, ref-39xxxx.pif, screen_doc.pif, screen_temp.pif, _approved.pif. This may indicate that the Sobig e-mail virus is attempting to enter the system.
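  The attachment checks described for the POP3 and SMTP attachment signatures above (pages 956 to 961, 969 to 972, 984 and 985), combined in one added Python example that walks a MIME message and classifies every attachment name. This is not Juniper code. The extension list and the Sobig file names come from those pages; reading ref-39xxxx.pif as four digits, the benign compound extensions (tar.gz and friends) excluded from the double-extension check, the "info" level for Zip, and the "medium" severity applied to extensions the page lists without one are my assumptions. The sample message is constructed, not a capture.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions the reference pages flag as likely e-mail virus carriers.
RISKY_EXTENSIONS = {"adp", "exe", "isp", "msp", "vb", "cmd", "inf", "msc", "sct", "pif"}

# Sobig file names from page 985; "ref-39xxxx.pif" is read as four digits (assumption).
SOBIG_NAMES = {"approved.pif", "application.pif", "doc_details.pif", "movie28.pif",
               "password.pif", "screen_doc.pif", "screen_temp.pif", "_approved.pif"}
SOBIG_REF_RE = re.compile(r"ref-39\d{4}\.pif")

# Compound extensions that are normal rather than disguises (assumption).
BENIGN_COMPOUND = {"tar.gz", "tar.bz2", "tar.xz"}

EXT_PART_RE = re.compile(r"[a-z0-9]{1,4}")


def extensions(filename):
    """Trailing extension chain, lowercased: 'Invoice.pdf.exe' -> ['pdf', 'exe'].
    A dot followed by anything that is not a short alphanumeric token
    ('my.file name.txt') ends the chain, so only ['txt'] is returned."""
    parts = filename.lower().split(".")
    chain = []
    for part in reversed(parts[1:]):
        if not EXT_PART_RE.fullmatch(part):
            break
        chain.append(part)
    return chain[::-1]


def classify_name(filename):
    """Return (severity, label, filename) findings for one attachment name."""
    findings = []
    name = filename.strip().lower()
    exts = extensions(name)
    if name in SOBIG_NAMES or SOBIG_REF_RE.fullmatch(name):
        findings.append(("medium", "SOBIG-NAME", filename))
    if len(exts) >= 2 and ".".join(exts) not in BENIGN_COMPOUND:
        findings.append(("high", "DOUBLE-EXTENSION", filename))
    if exts and exts[-1] in RISKY_EXTENSIONS:
        # The page gives medium for .cmd; applied to the others by assumption.
        findings.append(("medium", "ATTACHMENT-" + exts[-1].upper(), filename))
    elif exts and exts[-1] == "zip":
        # Zip is reported at info level only: frequent false positives (page 961).
        findings.append(("info", "ATTACHMENT-ZIP", filename))
    return findings


def scan_message(raw):
    """Walk a raw RFC 822 message (bytes) and classify every attachment name.
    get_filename() handles both Content-Disposition and Content-Type names,
    including RFC 2047-encoded ones."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            findings.extend(classify_name(name))
    return findings


def build_sample():
    """Constructed sample message with four attachments (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Re: Approved"
    msg.set_content("See attached.")
    body = b"\x00" * 16   # placeholder bytes, not malware
    msg.add_attachment(body, maintype="application", subtype="octet-stream", filename="approved.pif")
    msg.add_attachment(body, maintype="application", subtype="octet-stream", filename="Invoice.pdf.exe")
    msg.add_attachment(body, maintype="application", subtype="gzip", filename="logs.tar.gz")
    msg.add_attachment(body, maintype="application", subtype="zip", filename="photos.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for severity, label, name in scan_message(build_sample()):
        print(f"{severity:6} {label:18} {name}")
```

  The extension chain is read from the right so that a space or other non-token before the last dot stops it; without that, ordinary names such as "Q3 report v1.2.docx" would be reported as double extensions.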
  • Page 986 IP addresses. Code Red also checks the host system time; on the 20th of each month (GMT), all infected systems send 100 KB of data to TCP port 80 of www.whitehouse.gov, causing a denial of service (DoS).
  • Page 987 (high; sos5.0.0, sos5.1.0) This signature detects WebDAV overflows, which can indicate an infection attempt by the Nachi worm (D variant). Nachi.D typically attempts to infect the target host by exploiting several vulnerabilities.
  • Page 988 SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed via HTTP.
  • Page 989: Table 125: Configuration Log Entries

    The Configuration category contains the subcategories shown in Table 125 on page 939.

    Table 125: Configuration Log Entries (Configuration Log Entry: Subcategory > ScreenOS Message ID)
    Address: Addresses > Notification > 00001
    Admin: Admin > Notification > 00002
  • Page 990
    Policies > Notification > 00018
    HDLC > Notification > 00042
    PPPoE: PPPoE > Notification > 00034
    RIP > Notification > 00045
    Route: Route > Notification > 00011
    Route Map: Route > Notification > 00048
  • Page 991: Information Log Entries

    Set ARP Always On Dest: ARP > Notification > 0005
    Unset ARP Always On Dest: ARP > Notification > 00054

    Information Log Entries: The Information category contains the subcategories shown in Table 126 on page 942.
  • Page 992: Table 126: Information Log Entries

    NTP > Notification > 00531
    NTP timeout: NTP > Notification > 00531
    OSPF: OSPF > Information > 00541
    Password Change: Admin > Information > 00002
    PKI > Information > 00535
    PPP > Notification > 00539
  • Page 993: Traffic Log Entries

    Self log entries appear in the Log Viewer under the category Self, which contains a single subcategory: Self Log. Traffic Log Entries: Traffic log entries appear in the Log Viewer under the category Traffic, which contains a single subcategory: Traffic Log.
  • Page 994: GTP Log Entries

    For log entries generated by deleted GTP tunnels, you can view the following information:
    Timestamp
    Interface name (if applicable)
    SGSN IP address
    GGSN IP address
    Tunnel duration time in seconds
    Number of messages sent to the SGSN
    Number of messages sent to the GGSN
  • Page 995 PART 6 Index: Index on page 947
  • Page 997: Index

    DI objects, 79; extranet policy objects, 79; failover device, 79; firewall rulebases, 80; force logout administrators, 80; get entitlement from entitlement server, 80; group expressions, 80; allow pre/post rules, 75; antivirus profiles, 76; attack update, 76; audit logs, 76; auditable activities, 76; authentication server, 76
  • Page 998 Application Profiler view, 711; application relocation, configuring in firewall rules, 453; ASN1-DN, 571; atomic configuration: about, 241; atomic updating, 242, 741; service objects, 84; shared historical log report, 84; subdomains and groups, 84; supplemental CLIs in devices and templates, 85; SYNProtector rulebase, 85
  • Page 999 TCP header matches, 352; custom signature, time binding, 347; custom signature, UDP header matches, 353; custom, about, 338; custom, extended information, 341; objects, 390; RADIUS, 393; RADIUS example, 396; RADIUS user support, 394
  • Page 1000 Citrix client, custom, 280; clusters: adding, 151; configuring, 232; configuring J Series, 233; configuring Junos, 233; configuring SRX Series, 233; configuration groups: about, 55, 188, 221; applying, 224; creating, 222; deleting, 227; editing, 223; excluding, 225
