Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual
Network and Security
Manager
Configuring ScreenOS Devices Guide
Release
2010.4
Published: 2010-11-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01

  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license. Copyright © 2010, Juniper Networks, Inc.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Main Display Area, page 14
  • Page 8 IP and TCP/IP Anomaly Detection, page 45; Prevention of Security Zones Using Denial of Service Attacks, page 47
  • Page 9 ADSL Settings from the Service Provider, page 89
  • Page 10 Multicast Flow Configuration, page 127
  • Page 11 Console-Only Connections in NSM Overview, page 158
  • Page 12 Planning Your VPN Using NSM Overview, page 198
  • Page 13 Binding/ProxyID, page 229; Monitor Management on ScreenOS Devices Using AutoKey IKE VPN, page 230
  • Page 14 Manual Installation of CA Certificates in NSM, page 274
  • Page 15 Configuring OSPF (NSM Procedure), page 320
  • Page 16 Vsys CPU Limit Overview, page 359
  • Page 17 Configuring WEP Keys, page 393
  • Page 18 Index, page 413
  • Page 19: About This Guide

    Requesting Technical Support on page xxii. Objectives: The Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices.
  • Page 20 The angle bracket (>) indicates navigation paths through the UI by clicking menu options and links, for example Object Manager > User Objects > Local Objects. Table 3 on page xxi defines syntax conventions used in this guide.
  • Page 21: Documentation

    Network and Security Manager Configuring ScreenOS Devices Guide: Describes NSM features that relate to device configuration and ScreenOS and IDP management. It also explains how to configure basic and advanced NSM functionality, including deploying new device configurations, managing Security Policies and VPNs, and general device administration.
  • Page 22: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources: For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 23 Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/ Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/ Open a case online in the CSC Case Manager: http://www.juniper.net/cm/ To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/...
  • Page 25: Configuring

    Routing on page 293; Virtual Systems on page 355; User Authentication on page 361; High Availability on page 363; WAN, ADSL, Dial, and Wireless on page 381; General Packet Radio Service on page 407
  • Page 27: Nsm User Interface And Nsm Key Management Features

    Juniper Network and Security Manager (NSM) provides IT departments with an easy-to-use solution that controls all aspects of the Juniper Networks firewall, VPN, and IDP devices, including device configuration, network settings, and security policy. NSM enables IT departments to control the entire device lifecycle with a single, centralized solution.
  • Page 28: Nsm Overview

    You can create and manage device configurations for security devices or systems. NSM provides support for ScreenOS configuration commands, so you can retain complete control over your devices when using system-level management features like VPNs.
  • Page 29: Network Organization

    No network is too large—because you manage your security devices from one location, you can use the following system management mechanisms to help you quickly and efficiently create or modify multiple device configurations at one time:
  • Page 30: Migration Tools

    Migration Tools If you have existing security devices deployed on your network or are using a previous Juniper Networks management system, you can use the NSM migration tools to quickly import your existing security devices and their configurations, address books, service objects, policies, VPNs, and administrator privileges.
  • Page 31: Device Modeling

    NSM. Policy-Based Management: You can create simplified and efficient security policies for your managed devices using the Policy-Based Management feature. Table 5 on page 8 describes the different policy-based management features:
  • Page 32: Error Prevention, Recovery, And Audit Management Using Nsm

    The following topics are the error prevention, recovery, and audit management features in NSM: Device Configuration Validation on page 9; Policy Validation on page 9; Atomic Configuration and Updating on page 9; Device Image Updates on page 9; Auditing on page 9
  • Page 33: Device Configuration Validation

    The Audit Log Viewer displays log entries in the order generated, and it includes: date and time the administrative action occurred; NSM administrator who performed the action; action performed
  • Page 34: Management

    Dynamic, route-based VPNs—Provide resilient, always-on access across your network. Add firewall rules on top of route-based VPNs to control traffic flow. Policy-based VPNs—Connect devices, remote access server (RAS) users, and control traffic flow (traffic flow can also be controlled using L2TP VPNs).
  • Page 35: Integrated Logging And Reporting

    Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains the following: name of the command; date and time the command was sent
  • Page 36: Nsm User Interface Overview

    UI window. Depending on the component displayed, right-click menus are available to perform various tasks. Related Documentation: NSM Modules Overview on page 13; Understanding the Search Function in the NSM User Interface on page 22
  • Page 37: Working With Multiple Nsm Administrators Overview

    There are three containers in the left UI pane that contain the 11 modules. They are Investigate, Configure, and Administer. Navigation Tree on page 14; Main Display Area on page 14
  • Page 38: Navigation Tree

    You can customize the view (which log entries and what log information is shown) using log filters or by changing the column settings. Use the Log Viewer to:
  • Page 39: Report Manager

    Tracks the status of IDP clusters. You can customize Realtime Monitor to display only the information you want to see, as well as update information at specified time periods. You can also set alarm criteria for
  • Page 40: Security Monitor

    Vsys cluster: A vsys cluster device is a vsys device that has a cluster as its root device. Extranet devices: Firewalls or VPN devices that are not Juniper Networks security devices.
  • Page 41: Security Policies

    IKE proposals, you can create multiple VPNs for use in your security policies. Use the VPN Manager to: Define the protected resources on your network. Protected resources represent the network resources you want to protect in a VPN. Create custom IKE phase 1 and 2 proposals.
  • Page 42: Object Manager

    Define the attack signature patterns, protocol anomalies, and the action you want a security device to take against matching traffic. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack.
  • Page 43 Represent DNS and WINS servers. You use remote settings objects when configuring XAuth or L2TP authentication in a VPN. NAT Objects: Represent MIPs, VIPs, and DIPs. GTP Objects: Represent GTP client connections. CA Objects: Represent the certificate authority’s certificate.
  • Page 44: Administer Task Modules In The Nsm User Interface Overview

    Domain” in the Network and Security Manager Administration Guide. Related Documentation: Investigate Task Modules in the NSM User Interface Overview on page 14; Configure Task Modules in the NSM User Interface Overview on page 16
  • Page 45: Interface

    Indicates that the displayed value came from the device when the device was imported. Changes to a template will not change this value unless you selected Remove conflicted device values in the template Operations dialog box. This is the lowest priority validation and data origination icon.
  • Page 46: Understanding The Search Function In The Nsm User Interface

    In the NSM navigation tree, select Device Manager > Devices > Predefined Service Objects, then select the Service Object icon at the top of the Device Tree tab. 2. Enter S, then enter OR. The UI automatically highlights the first match, OR_EU_208.
  • Page 47 Name, and perform the same search, your results differ. Related Documentation: Understanding Validation Icons and Validation Data in the NSM User Interface on page 21; NSM Modules Overview on page 13; NSM User Interface Overview on page 12
  • Page 49: Device Configuration

    CHAPTER 2 Device Configuration Security devices are the Juniper Networks security components that you use to enable access to your network components and to protect your network against malicious traffic. When you use NSM to manage your security devices, you are creating a virtual network that represents your physical network.
  • Page 50: About Configuring Security Devices

    A DoS attack can cause high CPU utilization and cause the security device to drop all packets. To prevent high CPU utilization during a DoS attack, the packet dropping feature was moved to the application-specific integrated circuit (ASIC) in ScreenOS 6.0.
  • Page 51: Configuring A Blacklisted Entry (Nsm Procedure)

    The source port in a TCP or UDP session. Set this to 0 to match all ports. Destination Port: The destination port in a TCP or UDP session. Set this to 0 to match all ports.
  • Page 52: Enabling Algs (Nsm Procedure)

    ALGs are listed depending on the type of device you selected and the OS version. ALGs can be enabled or disabled by checking or clearing their check boxes. See Table 12 on page 29.
  • Page 53: Overview

    Forward Support (Blended)—When a new version of ScreenOS is available, you can download a schema patch, enabling you to manage devices using the new ScreenOS version. You cannot, however, manage the new features in ScreenOS with this level of support.
  • Page 54: Configuring Extranet Devices Overview

    To create a custom policy field: In the NSM navigation tree, click Object Manager > Custom Policy Fields. Select the Field Definition tab, and then click New. The New Custom Policy Fields Meta Data window appears.
  • Page 55 Create the router as an extranet device in the Device Manager. You will need to configure the IP address of the device, any interfaces, and then bind the extranet policy to the appropriate interface.
  • Page 56: Understanding Templates And Groups

    NTP server. You can apply the same template to different types of security devices, from NetScreen-5XT appliances to NetScreen-5200 systems.
  • Page 57: Using Global Device Templates

    The devices that you add to a group must exist; that is, you must have previously added or modeled the devices in the domain. You can group devices before configuring them. You can add a device to more than one group. You can also add a group to another group.
  • Page 58: Configuring Network Settings Options And Descriptions

    You can configure predefined zones or create user-defined security zones (see “Configuring Zones and Zone Properties in ScreenOS Devices Overview” on page 39). You can also create a tunnel zone, which is a logical segment to which a VPN tunnel interface is bound.
  • Page 59 Related Documentation: Configuring Zones and Zone Properties in ScreenOS Devices Overview on page 39; Interface Types in ScreenOS Devices Overview on page 50; Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52; Interface Network Address Translation Using DIPs on page 67
  • Page 61: Network Settings

    Network Settings The Device Manager module in Network and Security Manager (NSM) enables you to configure the managed Juniper Networks security devices in your network. You can edit configurations after you add or import a managed device, or create configurations when you model a device.
  • Page 62 ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices on page 89; Determining Physical Ports and Logical Interfaces and Zones Using ScreenOS Devices Port Mode on page 91; Backup Connection Using the Untrusted Ethernet Port in ScreenOS Devices on page 92
  • Page 63: Configuring Zones And Zone Properties In Screenos Devices Overview

    For more information about zones on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Fundamentals. You can configure general properties and SCREEN attack protection for predefined or custom Security Zones. Zone General Properties
  • Page 64: Predefined Screen Options Overview

    Using this method, the device notes various components in a packet header, such as source and destination IP addresses, source and destination port numbers, and packet sequence numbers. The device uses this information to maintain the state of each session traversing the firewall.
  • Page 65: Configuring Flood Defense Settings For Preventing Attacks

    SYN segments and queuing incomplete
  • Page 66: Configuring Udp Flooding Protection

    (for example, audio data), and uses Application Layer protocols such as RTP (Real-Time Transport Protocol) over UDP. Related Documentation: Predefined Screen Options Overview on page 40; HTTP Components and MS-Windows Defense Method on page 43; Protection Against Scans, Spoofs, and Sweeps on page 44
  • Page 67: Example: Configuring Udp Flooding Protection (Nsm Procedure)

    Java Virtual Machine (VM) on a target system. Because attackers can program Java applets to operate outside the VM, you might want to block them from passing through the security device.
  • Page 68: Protection Against Scans, Spoofs, And Sweeps

    IP address. To protect targets in the zone from sweeps, scans, and spoofing attempts, configure the detection and blocking settings as described in Table 17 on page 45.
  • Page 69: Ip And Tcp/Ip Anomaly Detection

    IP options to evade detection mechanisms and/or perform reconnaissance on a network. To detect (and block) anomalous IP fragments as they pass through the zone, configure the settings as described in Table 18 on page 46.
  • Page 70 OS running on a target by examining the target’s response to the packet. To protect targets in the security zone from these reconnaissance attempts, you can configure the settings as described in Table 19 on page 47.
  • Page 71: Prevention Of Security Zones Using Denial Of Service Attacks

    Ping of Death Attack Protection: Select this option to reject oversized and irregular ICMP packets. Attackers might send a maliciously crafted ping (ICMP packet) that is larger than the allowed size of 65,507 bytes to cause a DoS.
  • Page 72 IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements. Related Documentation: IP and TCP/IP Anomaly Detection on page 45; Protection Against Scans, Spoofs, and Sweeps on page 44; Predefined Screen Options Overview on page 40
  • Page 73: Malicious Url Protection

    Examples ScreenOS Reference Guide: Attack Detection and Defense Mechanisms. Related Documentation: Example: Enabling the Malicious URL Blocking Option (NSM Procedure) on page 50; Predefined Screen Options Overview on page 40; Interface Types in ScreenOS Devices Overview on page 50
  • Page 74: Example: Enabling The Malicious Url Blocking Option (Nsm Procedure)

    Malicious URL Protection on page 49. Interface Types in ScreenOS Devices Overview: The Interface screen displays the physical interfaces available on the security device. Some security devices support functional zone interfaces, which are either a separate
  • Page 75 (PVCs) on a single physical line. Before you can configure the adsl1 interface, however, you must obtain the DSLAM configuration details for the ADSL connection from the service provider.
  • Page 76: Configuring Physical And Function Zone Interfaces In Screenos Devices

    OSPFv3) in the virtual router and on the interfaces, see “OSPF Protocol Configuration Overview” on page 313. For information about configuring multicast routing protocols (PIM-SM, IGMP, IGMP-Proxy) and multicast route entries, see “Multicast Route Overview” on page 337. Interface Secondary IP; Interface Monitoring
  • Page 77: Setting Interface Properties Using The General Properties Screen

    Full support of IPv6 features for VLAN and loopback interfaces on ISG Series devices. See the Concepts & Examples ScreenOS Reference Guide: IPv6 Configuration. DNS proxy (for details, see “DNS Server Configuration Using DNS Settings” on page 103). PPP settings. Copyright © 2010, Juniper Networks, Inc.
  • Page 78: Setting Wan Properties Using The Wan Properties Screen

    Setting Port Properties Using the Port Properties Screen Use the Port Properties screen to configure the following properties for port cards on available devices: Port Configuration (Serial, E1, T1, or DS3) DCE options DTE options Line encoding Copyright © 2010, Juniper Networks, Inc.
  • Page 79: Using Mlfr And Mlppp Options

    Bring Down Link—Select this option to bring down the physical link to the interface. Link and MTU Size. WebAuth Copyright © 2010, Juniper Networks, Inc.
  • Page 80: Enabling Management Service Options For Interfaces

    Windows 95 and later, Windows NT, Linux, and UNIX. The security device communicates with the SSH client through its built-in SSH server, which provides device configuration and management services. Selecting this option enables SSH manageability. Copyright © 2010, Juniper Networks, Inc.
  • Page 81: Setting Dhcpv6 Overview

    You can also set a server preference option. In the DHCPv6 screen, you can configure options such as a device-unique identification (DUID), an identity association for prefix delegation identification (IAPD-ID), prefix Copyright © 2010, Juniper Networks, Inc.
  • Page 82: Example: Assigning Tcp/Ip Settings For Hosts Using Dhcp (Nsm Procedure)

    For NetInfo Server #1 and Server #2, enter 1.1.1.1. For POP3, enter 1.1.1.1. For SMTP, enter 1.1.1.1. For WINS#1 and WINS#2, enter 1.1.1.1. Select Enable Next Server IP. Click OK to apply the settings. Copyright © 2010, Juniper Networks, Inc.
  • Page 83: Configuring Custom Dhcp Options (Nsm Procedure)

    (DHCP contains several predefined option codes). Table 23 on page 59 lists the predefined option codes and associated RFC 2132 terms: Table 23: DHCP Option Codes Netmask Gateway DNS1, DNS2, DNS3 Domain Name WINS1, WINS2 Lease SMTP POP3 News NIS1, NIS2 NISTAG Copyright © 2010, Juniper Networks, Inc.
  • Page 84 Click OK to save your changes to the interface, and then click OK again to save your changes to the device. Related Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) on page 58 Documentation Enabling Management Service Options for Interfaces on page 56 Copyright © 2010, Juniper Networks, Inc.
  • Page 85: Using Interface Protocol

    Timeout for the track IP The Failover Threshold is compared to the sum of the weights of failed IP connections. Instead of tracking specific IP addresses, you can alternatively set the device to track the interface’s default gateway. Copyright © 2010, Juniper Networks, Inc.
  • Page 86: Supporting Generic Routing Encapsulation Using Tunnel Interfaces

    IP address in an IP packet header to another static IP address, enabling inbound traffic to reach private addresses in a zone whose interface is in NAT mode. When a MIP host initiates outbound traffic, the security device translates the source IP Copyright © 2010, Juniper Networks, Inc.
  • Page 87: Example: Configuring Mips (Nsm Procedure)

    MIP points—in the Trust zone. All security zones are in the trust-vr routing domain. To configure a MIP: Add a NetScreen-50 security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x. Configure the Trust interface for ethernet1. Copyright © 2010, Juniper Networks, Inc.
  • Page 88 Configure a firewall rule to route inbound HTTP traffic to the MIP address. Related Interface Network Address Translation Using MIPs on page 62 Documentation Interface Network Address Translation Using DIPs on page 67 Interface Network Address Translation Methods on page 62 Copyright © 2010, Juniper Networks, Inc.
  • Page 89: Interface Network Address Translation Using Vips

    FTP server. You can map predefined and custom services in a VIP. A single VIP can support custom services with: The same source and destination port numbers but different transports. Single port entries (by default). Copyright © 2010, Juniper Networks, Inc.
  • Page 90: Example: Configuring Vips (Nsm Procedure)

    Configure the IP address as 1.1.1.1 and the netmask as 24. Leave all other settings as default. Click OK to save your changes. Configure the VIP for ethernet3: Double-click ethernet3. The General Properties screen appears. In the interface navigation tree, select NAT > VIP to display the VIP screen. Copyright © 2010, Juniper Networks, Inc.
  • Page 91: Interface Network Address Translation Using Dips

    6.2 is in Transparent mode. Related Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) Documentation on page 68 Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69 Copyright © 2010, Juniper Networks, Inc.
  • Page 92: Example: Enabling Multiple Hosts Using Port Address Translation

    Add multiple DIP ranges for a particular DIP ID as follows: Select the Multiple DIP Range check box. Click the Add icon. The New Dynamic IP dialog box appears. For Rang ID, enter 1. Copyright © 2010, Juniper Networks, Inc.
  • Page 93: Example: Translating Source Ip Addresses Into A Different Subnet

    DIP pool containing the authorized IP address on ethernet3: Office A—extended interface IP 211.10.1.10/24; DIP pool 211.10.1.1 – 211.10.1.1; PAT enabled Office B—extended interface IP 211.20.1.10/24; DIP pool 211.20.1.1 – 211.20.1.1; PAT enabled Copyright © 2010, Juniper Networks, Inc.
  • Page 94 Click the Add icon. The New MultiRange of DIP dialog box appears. For Rang ID, enter 1. For Lower IP, enter 210.10.1.1. For Upper IP, enter 210.10.1.1. For Start, enter 210.10.1.1. For End, enter 210.10.1.1. For Shift From, enter 10.10.1.2. Copyright © 2010, Juniper Networks, Inc.
  • Page 95 In the interface navigation tree, select NAT > DIP. Click the Add icon to display the New Dynamic IP dialog box. Configure the DIP, and then click OK. Enter the DIP ID. To add multiple DIP ranges for a particular DIP ID: Copyright © 2010, Juniper Networks, Inc.
  • Page 96 Add icon and select Host. The New Host dialog box appears. Configure the Host as detailed below, and then click OK: For Name, enter Central Office HQ. Select IP, and then enter the IP Address 200.1.1.1. Copyright © 2010, Juniper Networks, Inc.
  • Page 97: Enabling Managed Devices Using Incoming Dip

    DIP or DIP pool on the egress interface of the device. A single interface DIP is adequate for handling incoming calls in a small office; a DIP pool is recommended for larger networks or an enterprise environment. Copyright © 2010, Juniper Networks, Inc.
  • Page 98: Example: Configuring Interface-Based Dip (Nsm Procedure)

    Create a Global DIP to reference the Interface DIP on Office A. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the Interface DIP for an individual device. Copyright © 2010, Juniper Networks, Inc.
  • Page 99: Example: Configuring Dip Pools On The Untrust Interface (Nsm Procedure)

    Configure IP address/netmask as 10.1.1.1/24 and Interface mode as NAT. Click OK to save your changes. Configure ethernet3 (Untrust Zone) for Office B: Double-click ethernet3. The General Properties screen appears. Configure IP address/netmask as 1.1.1.1/24. Copyright © 2010, Juniper Networks, Inc.
  • Page 100 Rule 2 handles incoming SIP traffic and uses the interface DIP to perform NAT. Related Example: Configuring Interface-Based DIP (NSM Procedure) on page 74 Documentation Interface Network Address Translation Using DIPs on page 67 Copyright © 2010, Juniper Networks, Inc.
  • Page 101: Example: Configuring An Aggregate Interface (Nsm Procedure)

    Click OK to save your changes. Add the ethernet 2/1 interface as a member of the aggregate1 interface. In the device navigation tree, select Network > Interface. Double-click ethernet2/1. The General Properties screen appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 102: Example: Configuring A Multilink Interface (Nsm Procedure)

    Click the Add icon and select Multilink Interface. The General Properties screen appears. Configure the following options: For Name, accept the default. For Zone, select Trust. For Encapsulation Type, select mlfr-uni-nni. Configure MLFR options: For Name, accept the default. Copyright © 2010, Juniper Networks, Inc.
  • Page 103: Example: Configuring A Loopback Interface (Nsm Procedure)

    VSI. In this example, you create the loopback interface loopback.1, bind it to the Untrust zone, and assign the IP address 1.1.1.27/24 to it. To configure a loopback interface: Add a device. Copyright © 2010, Juniper Networks, Inc.
  • Page 104: Configuring Virtual Security Interfaces

    One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface; the other physical interface is the secondary interface and stands by. If the primary interface Copyright © 2010, Juniper Networks, Inc.
  • Page 105 VSIs are on the same redundant interface, physical interface, or subinterface. If the VSIs are on different interfaces, they must be in different subnets. Table 25 on page 82 lists IP addresses for the VSIs. Copyright © 2010, Juniper Networks, Inc.
  • Page 106 In the cluster navigation tree, select Network > Interface. Click the Add icon and select Redundant Interface. The General Properties screen appears. Configure the following options, and then click OK: For Zone, select Untrust. For IP address/netmask, enter 210.1.1.1/24. Copyright © 2010, Juniper Networks, Inc.
  • Page 107 In the cluster navigation tree, select Network > Interfaces. Click the Add icon and select VSI. The General Properties screen appears. Configure the following options, and then click OK: For Name, select redundant1, and then select 1 (for VSD Group 1). Copyright © 2010, Juniper Networks, Inc.
  • Page 108: Example: Configuring A Subinterface (Nsm Procedure)

    Subinterfaces use names that indicate their physical interface, such as ethernet3/2.1 or ethernet2.1. You can create three types of subinterfaces: None (for ScreenOS 5.0 devices only)—The subinterface does not use VLAN tagging.
  • Page 109 Click the Add icon and select Sub Interface. The General Properties screen appears. Configure the following options, and then click OK: For Name, select ethernet1, and then select 3. For VLAN tag, enter 3. For Zone, select accounting.
  • Page 110: Example: Configuring A Wan Interface (Nsm Procedure)

    For Zone, select Trust. Click OK to save your changes to the device. Related Documentation: Setting Interface Properties Using the General Properties Screen on page 53; Interface Network Address Translation Methods on page 62
  • Page 111: Configuring A Tunnel Interface

    However, you cannot bind the tunnel interface to a tunnel zone.
  • Page 112: Configuring Maximum Transmission Unit Size

    NetScreen-5GT ADSL security device (which supports ADSL). Related Documentation: Setting Interface Properties Using the General Properties Screen on page 53; ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices on page 89
  • Page 113: Adsl, Adsl Interface, And Adsl Settings In Screenos Devices

    ADSL connection so you can configure the security device to connect to their servers. Not all service providers use the same implementation of ADSL; you might be given any combination of the ADSL parameters as described in Table 26 on page 90.
  • Page 114 “splitterless DSL” because you do not have to install a signal splitter on your ADSL line (the service provider’s equipment splits the signal remotely). Related Documentation: Interface Network Address Translation Methods on page 62; ADSL Interface in ScreenOS Devices on page 88
  • Page 115: Determining Physical Ports And Logical Interfaces And Zones Using Screenos

    You can change the port mode to use different port, interface, and zone bindings on the device. For more information about port modes, see the “Zones” chapter in the “Fundamentals” volume of the Concepts & Examples ScreenOS Reference Guide.
  • Page 116: Backup Connection Using The Untrusted Ethernet Port In Screenos Devices

    Example: Configuring NetScreen5GT Devices to Connect to the Web Using the PPPoA and ADSL Interfaces (NSM Procedure) on page 94; Example: Configuring NetScreen5GT Devices as a Firewall Using the PPPoE and ADSL Interfaces (NSM Procedure) on page 96
  • Page 117: Example: Configuring Netscreen5Gt Devices To Permit Internal Hosts

    Configure the interface to use an IP address and netmask of 192.168.1.1/24. For Interface Mode, select NAT. Select the DHCP Server IP Pools tab, and then configure the following options: For starting IP, enter 192.168.1.3.
  • Page 118: Example: Configuring Netscreen5Gt Devices To Connect To The Web Using The Pppoa And Adsl Interfaces (Nsm Procedure)

    IP addresses for DNS servers. As a DHCP server, the device provides hosts in the Trust zone with their IP addresses and the IP addresses of the DNS servers.
  • Page 119 In the device navigation tree, select Network > PPPoA. Right-click the Trust interface and select the Edit icon. Click the Add icon to create a PPPoA instance, and then configure the following options: For PPPoA Instance, enter poa1. For Interface, select the adsl1 interface.
  • Page 120: Example: Configuring Netscreen5Gt Devices As A Firewall Using The Pppoe And Adsl Interfaces (Nsm Procedure)

    Select Model Device. For device platform, select ns5GTadsl-Home-Work. Configure the ADSL Interface. In the device navigation tree, select Network > Interface. Right-click the ADSL1 interface and select the Edit icon. Configure the General Properties tab:
  • Page 121 Click OK to add the new IP pool, then click OK again to save your changes to the Home interface. Configure the PPPoE instance: In the device navigation tree, select Network > PPPoE. Right-click the Trust interface and select the Edit icon. Click the Add icon to create a PPPoE instance:
  • Page 122 For Modem Name, enter mod1. For Init String, enter AT&FS7=255S32=6. Select Is Active. Click OK to save the new modem settings, and then click OK again to save your changes to the device configuration.
  • Page 123: Wireless Interface On Screenos Devices Overview

    DNS Server Configuration Using DNS Settings on page 103 Configuring DSCP Options Overview The administrator can configure the DiffServ code point (DSCP) value for traffic initiated by a security device. Altogether, the DSCP value can be configured for eleven services,
  • Page 124: Example: Configuring Dip Groups (Nsm Procedure)

    Untrust zone VSIs (for VSD groups 0 and 1) into one DIP group, Devices A and B can both process traffic matching policy “out-nat,” which references not an interface-specific DIP pool but the shared DIP group. To configure a DIP group: Create the Cluster.
  • Page 125 Double-click ethernet1 (trust interface on the NS-208 A). The General Properties screen appears. Configure the IP address as 10.1.1.1, and the Netmask as 24. Leave all other settings as default. Click OK to save your changes.
  • Page 126 Right-click ethernet1 and select New > VSI. Configure the IP address as 10.1.1.2, and the Netmask as 24. Leave all other settings as default. Click OK to save your changes. Create the DIP group:
  • Page 127: Dns Server Configuration Using Dns Settings

    Use the DNS option to configure DNS server information. Before the security device can use DNS for domain name/address resolution, you must configure the address for the primary DNS server that the device should use. Configuring DNS Settings on page 104; Configuring DNS Proxy on page 104
  • Page 128: Configuring Dns Settings

    (*) for the default DNS proxy, and then select the “failover” option for all nondefault DNS proxies. Related Documentation: Example: Configuring DNS Proxy Entries (NSM Procedure) on page 105; Example: Configuring DDNS Settings (NSM Procedure) on page 106; Advanced Network Settings Overview on page 108
  • Page 129: Example: Configuring Dns Proxy Entries (Nsm Procedure)

    Click OK to save the new interface. Configure general DNS proxy settings: In the device navigation tree, select Network > DNS > DNS Proxy. Select Configure DNS Proxy Instance. Select Enable. Add the DNS proxy for acme.com:
  • Page 130: Example: Configuring Ddns Settings (Nsm Procedure)

    IP address of the security device changes. NOTE: You can configure DDNS for the root device in a vsys, but not for the individual vsys devices.
  • Page 131 For Service Type, enter static dns service. For Refresh Interval (Hours), enter 24. For Minimum Update Interval (Minutes), enter 15. For User Name of DDNS Account, enter swordfish. For Password for DDNS Account, enter ad93lvb.
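An added example (not the guide's or NSM's code) of how the DNS proxy entries above are consulted at query time: a query is matched to the most specific configured domain, the default (*) entry catches everything else, and an entry with "failover" set retries with the default entry's servers when its own servers do not answer. That reading of the failover option is an assumption of this example; the resolver function, its answer table and all addresses are constructed so that it runs offline.

```python
from dataclasses import dataclass


@dataclass
class ProxyEntry:
    domain: str              # "acme.com", or "*" for the default entry
    servers: list            # primary, secondary, ... tried in order
    failover: bool = False   # if every server fails, retry with the default entry's servers


class DnsProxy:
    def __init__(self, entries, resolver):
        self.default = next(e for e in entries if e.domain == "*")
        self.specific = [e for e in entries if e.domain != "*"]
        # resolver(server, qname) -> answer string, or None when the server gives no response
        self.resolver = resolver

    @staticmethod
    def _matches(qname, domain):
        # "notacme.com" must not match "acme.com"; only the name itself or its subdomains do
        return qname == domain or qname.endswith("." + domain)

    def select_entry(self, qname):
        """Most specific (longest) matching domain entry, else the default (*) entry."""
        q = qname.lower().rstrip(".")
        candidates = [e for e in self.specific if self._matches(q, e.domain.lower())]
        if not candidates:
            return self.default
        return max(candidates, key=lambda e: len(e.domain))

    def _query(self, servers, qname):
        for server in servers:
            answer = self.resolver(server, qname)
            if answer is not None:
                return answer, server
        return None

    def resolve(self, qname):
        """Return (answer, server_that_answered), or None if every option failed."""
        q = qname.lower().rstrip(".")
        entry = self.select_entry(q)
        result = self._query(entry.servers, q)
        if result is None and entry is not self.default and entry.failover:
            # Failover path: the query for a non-default domain now goes to the default servers.
            result = self._query(self.default.servers, q)
        return result


# Constructed answer table standing in for real servers: a missing key means "no response".
ANSWERS = {
    ("10.1.1.53", "www.acme.com"): "10.1.1.80",
    ("10.1.1.54", "www.acme.com"): "10.1.1.80",
    ("10.1.1.54", "intranet.acme.com"): "10.1.1.81",      # primary 10.1.1.53 does not answer this one
    ("198.51.100.53", "www.example.net"): "203.0.113.20",
    ("198.51.100.53", "old.acme.com"): "203.0.113.50",    # only the external resolver knows it
}


def fake_resolver(server, qname):
    return ANSWERS.get((server, qname))


# Assumed proxy configuration: a default entry, an internal domain with failover, a lab domain without.
ENTRIES = [
    ProxyEntry("*", ["198.51.100.53"]),
    ProxyEntry("acme.com", ["10.1.1.53", "10.1.1.54"], failover=True),
    ProxyEntry("lab.acme.com", ["10.9.9.53"], failover=False),
]


def demo_proxy():
    return DnsProxy(ENTRIES, fake_resolver)


if __name__ == "__main__":
    proxy = demo_proxy()
    for name in ("www.acme.com", "intranet.acme.com", "old.acme.com", "host.lab.acme.com"):
        print(name, "->", proxy.resolve(name))
```

The point a practitioner should take from the failover branch: when the internal servers for acme.com are down, queries for internal names (and therefore the existence of those names) are sent to the default, usually external, resolver. Leave failover off for domains whose names should not leave the network, as the lab.acme.com entry does.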
  • Page 132: Advanced Network Settings Overview

    Untrust zone. (On some security devices, the IP address for the VIP can be the same address as the Untrust zone interface.) In addition, you need the following information to define a VIP:
  • Page 133: Configuring Dip Options

    For details about creating a DIP group, see “Example: Configuring DIP Groups (NSM Procedure)” on page 100. Related Documentation: Example: Configuring DDNS Settings (NSM Procedure) on page 106; Example: Configuring DNS Proxy Entries (NSM Procedure) on page 105
  • Page 135: Advanced Network Settings

    Using the PPP Option to Configure Point-To-Point Protocol Connections on page 134; About Configuring PPPoE on page 135; Example: Updating DNS Servers (NSM Procedure) on page 136; Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure) on page 138
  • Page 136: Configuring Advanced Device Settings Overview

    The authentication table entry for the user is removed, as are all associated sessions for the authentication table entry. The default is 0 (disabled), and the range is 0 to 10000 minutes (about 6.9 days).
  • Page 137: Identifying Reasons For Session Close In Nsm

    Reasons for session close:
    TCP FIN: TCP connection torn down because of a FIN packet.
    TCP RST: TCP connection torn down because of an RST packet.
    RESP: Special sessions, such as PING and DNS, close when the response is received.
    ICMP: ICMP error received.
    AGE OUT: Connection aged out normally.
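The close reason is recorded with every session teardown in the traffic log, which makes it usable for detection without any payload inspection. The following is an added example, not code from the guide or from NSM: it parses constructed ScreenOS-style traffic log lines (key=value syslog with a "reason=Close - <REASON>" field; the exact field layout is an assumption), counts sessions by close reason, and flags sources whose sessions were reset on several distinct destination ports, which is the footprint of a connect scan hitting closed or filtered services.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a ScreenOS-style traffic log. The field layout is an
# assumption for this example, not a capture from a real device.
SAMPLE_LOG = """\
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:01" duration=0 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=0 rcvd=0 src=192.168.1.10 dst=203.0.113.5 src_port=51000 dst_port=80 session_id=1001 reason=Creation
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:01" duration=12 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=5400 src=192.168.1.10 dst=203.0.113.5 src_port=51000 dst_port=80 session_id=1001 reason=Close - TCP FIN
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:02" duration=0 policy_id=1 service=ssh proto=6 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=40 src=192.168.1.77 dst=203.0.113.9 src_port=40001 dst_port=22 session_id=1002 reason=Close - TCP RST
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:02" duration=0 policy_id=1 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=40 src=192.168.1.77 dst=203.0.113.9 src_port=40002 dst_port=23 session_id=1003 reason=Close - TCP RST
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:02" duration=0 policy_id=1 service=smtp proto=6 src zone=Trust dst zone=Untrust action=Permit sent=60 rcvd=40 src=192.168.1.77 dst=203.0.113.9 src_port=40003 dst_port=25 session_id=1004 reason=Close - TCP RST
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:05" duration=60 policy_id=1 service=snmp proto=17 src zone=Trust dst zone=Untrust action=Permit sent=300 rcvd=0 src=192.168.1.10 dst=203.0.113.5 src_port=50001 dst_port=161 session_id=1005 reason=Close - AGE OUT
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:06" duration=0 policy_id=2 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=70 rcvd=120 src=192.168.1.10 dst=203.0.113.53 src_port=50002 dst_port=53 session_id=1006 reason=Close - RESP
ns5gt: [Root]system-notification-00257(traffic): start_time="2010-11-17 10:00:09" duration=3 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=900 rcvd=4100 src=192.168.1.20 dst=203.0.113.5 src_port=52000 dst_port=443 session_id=1007 reason=Close - TCP FIN
"""
LINES = SAMPLE_LOG.splitlines()

# Targeted field patterns; "src zone=" and "src_port=" do not match "\bsrc=", so the
# address fields are picked out unambiguously. The reason runs to the end of the line.
FIELD_RE = {
    "src": re.compile(r"\bsrc=(\S+)"),
    "dst": re.compile(r"\bdst=(\S+)"),
    "dst_port": re.compile(r"\bdst_port=(\d+)"),
    "proto": re.compile(r"\bproto=(\d+)"),
    "duration": re.compile(r"\bduration=(\d+)"),
    "reason": re.compile(r"\breason=(.+?)\s*$"),
}


def parse_traffic_line(line):
    """Extract the fields we need from one traffic-log line; None if any is missing."""
    rec = {}
    for name, rx in FIELD_RE.items():
        m = rx.search(line)
        if not m:
            return None
        rec[name] = m.group(1)
    for key in ("dst_port", "proto", "duration"):
        rec[key] = int(rec[key])
    return rec


def close_reason(rec):
    """'TCP FIN', 'TCP RST', 'RESP', 'ICMP', 'AGE OUT' ... or None for a session-creation record."""
    prefix = "Close - "
    if rec["reason"].startswith(prefix):
        return rec["reason"][len(prefix):]
    return None


def close_reason_counts(lines):
    counts = Counter()
    for line in lines:
        rec = parse_traffic_line(line)
        if rec is None:
            continue
        reason = close_reason(rec)
        if reason:
            counts[reason] += 1
    return counts


def rst_closes_by_source(lines, min_distinct_ports=3):
    """Sources whose sessions were torn down by RST on at least N distinct destination ports.

    Heuristic (an assumption of this example, not a rule from the guide): one source
    collecting RST closes across many ports is what a connect scan looks like in the
    session log; a normal client is reset on the few ports it actually uses."""
    ports = defaultdict(set)
    for line in lines:
        rec = parse_traffic_line(line)
        if rec is not None and close_reason(rec) == "TCP RST":
            ports[rec["src"]].add(rec["dst_port"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_distinct_ports}


if __name__ == "__main__":
    print(dict(close_reason_counts(LINES)))
    print(rst_closes_by_source(LINES))
```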
  • Page 138: Configuring Policy Schedules (Nsm Procedure)

    Guide. Related Documentation: Configuring Timeouts for Predefined Services (NSM Procedure) on page 115; Configuring Session Cache for Predefined Services (NSM Procedure) on page 115; Identifying Reasons for Session Close in NSM on page 113
  • Page 139: Configuring Timeouts For Predefined Services (Nsm Procedure)

    In the device navigation tree, select Advanced > Pre-defined Service Session Cache. The Pre-defined Service Session Cache screen appears. Select the Enable session cache check box. Select a number from the Total session cache number field.
  • Page 140: Configuring Sip Settings

    RTP and one for RTCP. When managing the sessions, the security device considers the sessions in each voice channel as one group. Settings such as the inactivity timeout apply to a group as opposed to each session. Setting SIP Inactivity Timeouts
  • Page 141 “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide. Related Documentation: Configuring Timeouts for Predefined Services (NSM Procedure) on page 115; Configuring MGCP Settings on page 118; Configuring Session Cache for Predefined Services (NSM Procedure) on page 115
  • Page 142: Configuring Mgcp Settings

    (in seconds) higher than the configured rate. The range is 1 to 200 and the default is 200 seconds. For more information about configuring MGCP on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.
  • Page 143: Configuring H.323 Settings

    (QoS). To classify traffic, you create security policies and specify the amount of guaranteed bandwidth and maximum bandwidth, and the priority for each class of traffic.
  • Page 144: Enabling/Disabling Application Layer Gateway Protocols Overview

    After analyzing the traffic, the ALG allocates resources to permit the traffic to pass securely. By default, all ALGs are enabled on a security device. In situations where a security device is receiving an excessive amount of
  • Page 145 Network Layer. PPTP consists of a control connection and a data tunnel. The control connection runs over TCP and helps in establishing and disconnecting calls, and the data tunnel handles encapsulated Point-to-Point Protocol (PPP) packets carried over
  • Page 146: Using Packet Flow Options

    Check TCP SYN Bit Before Create Session for Tunneled Packets on page 125; Use SYN-Cookie for SYN Flood Protection on page 125; Enforce TCP Sequence Number Check on TCP RST Packet on page 126; Use Hub-and-Spoke Policies for Untrust MIP Traffic on page 126
  • Page 147: Icmp Path Mtu Discovery

    When this option is enabled, the security device caches the source MAC address from incoming administrative traffic, and then uses that address when replying. You might need to enable this option for managed devices that use source-based routing.
  • Page 148: Allow Unknown Mac Flooding

    Normal session timeout intervals for common protocols: The TCP session timeout is 30 minutes. The UDP session timeout is 1 minute. The HTTP session timeout is 5 minutes. By default, this option is disabled.
  • Page 149: Check Tcp Syn Bit Before Create Session

    SYN/ACK that carries a cookie as its initial sequence number (ISN). The cookie is an MD5 hash of the original source address and port number, destination address and port number, and ISN from the original SYN packet. After
  • Page 150: Enforce Tcp Sequence Number Check On Tcp Rst Packet

    MIP to a MIP at the other end of the VPN tunnel. By default, this option is enabled. NOTE: This option affects traffic forwarding only when the outgoing interface is bound to the Untrust zone.
  • Page 151: Max Fragmented Packet Size

    TCP packet to avoid fragmentation by other network components. You can set the TCP MSS range from 0 to 65,535 bytes; the default MSS for this option is set to none. Additionally, this option overrides the configuration for TCP MSS (described earlier):
  • Page 152: Gre In Tcp Mss

    When the session table is in any other state, the normal session timeout value is applied. Normal session timeout intervals for common protocols: The TCP session timeout is 30 minutes. The UDP session timeout is 1 minute. The HTTP session timeout is 5 minutes.
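As an added example (not ScreenOS code), the following models the stateless exchange the SYN-cookie option implements: the device answers a SYN with a SYN/ACK whose ISN is the cookie and stores nothing, then verifies the client's ACK by recomputing the cookie from the headers alone, so only a client that actually received the SYN/ACK gets a session. The page describes an unkeyed MD5 of the four-tuple and ISN; this example keys the MD5 with a per-device secret (HMAC-MD5), which is an assumption added here, because an unkeyed hash lets anyone who knows the construction forge valid ACKs and fill the session table anyway. The Segment class and all addresses are constructed for the demo.

```python
import hashlib
import hmac
from dataclasses import dataclass

SEQ_MASK = 0xFFFFFFFF  # TCP sequence and acknowledgement numbers are 32-bit


@dataclass(frozen=True)
class Segment:
    """Only the header fields the cookie logic needs (constructed for the demo)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


def syn_cookie(secret: bytes, src: str, sport: int, dst: str, dport: int, isn: int) -> int:
    """32-bit cookie over the SYN's source/destination address and port and its ISN.

    The guide describes a plain MD5 over these fields; keying it with a per-device
    secret (assumption of this example) is what stops a sender who knows the
    construction from computing cookies itself.
    """
    msg = f"{src}:{sport}>{dst}:{dport}:{isn}".encode()
    digest = hmac.new(secret, msg, hashlib.md5).digest()
    return int.from_bytes(digest[:4], "big")


def reply_to_syn(secret: bytes, syn: Segment) -> Segment:
    """Answer a SYN with a SYN/ACK whose ISN is the cookie. No per-connection state is kept."""
    if syn.flags != "S":
        raise ValueError("not a SYN")
    cookie = syn_cookie(secret, syn.src, syn.sport, syn.dst, syn.dport, syn.seq)
    return Segment(syn.dst, syn.dport, syn.src, syn.sport,
                   seq=cookie, ack=(syn.seq + 1) & SEQ_MASK, flags="SA")


def validate_ack(secret: bytes, ack: Segment) -> bool:
    """Check the client's final ACK against a recomputed cookie.

    The client's ISN is ack.seq - 1 and the value it acknowledges is cookie + 1,
    so the device recomputes the cookie from the four-tuple and ack.seq - 1 and
    compares it with ack.ack - 1. Only then is a session created.
    """
    if ack.flags != "A":
        return False
    isn = (ack.seq - 1) & SEQ_MASK
    expected = syn_cookie(secret, ack.src, ack.sport, ack.dst, ack.dport, isn)
    return ((ack.ack - 1) & SEQ_MASK) == expected


def handshake_demo(secret: bytes) -> bool:
    """Full three-way exchange with constructed addresses; True if the ACK is accepted."""
    syn = Segment("198.51.100.9", 40000, "203.0.113.1", 443, seq=0x1234, ack=0, flags="S")
    synack = reply_to_syn(secret, syn)
    ack = Segment(syn.src, syn.sport, syn.dst, syn.dport,
                  seq=synack.ack, ack=(synack.seq + 1) & SEQ_MASK, flags="A")
    return validate_ack(secret, ack)


if __name__ == "__main__":
    print("handshake accepted:", handshake_demo(b"per-device-secret"))
```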
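An added example (not from the guide) of what the TCP MSS option does on the wire: it parses the TCP option list of a constructed SYN, rewrites the MSS value down to a configured limit, and recomputes the TCP checksum over the IPv4 pseudo-header so the clamped segment remains valid. Segments without the SYN flag, and SYNs whose MSS is already at or below the limit, pass through unchanged; a malformed option length stops the walk instead of looping. The addresses and the 1460/1380 values are constructed for the demo.

```python
import struct

TCP_PROTO = 6
OPT_END, OPT_NOP, OPT_MSS, OPT_SACK_OK = 0, 1, 2, 4
FLAG_SYN = 0x02
FLAG_ACK = 0x10


def _ip4(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """RFC 793 checksum over the IPv4 pseudo-header plus the TCP segment.

    Computed over a segment that already carries a correct checksum, the result is 0,
    which is how the verification below works."""
    pseudo = _ip4(src) + _ip4(dst) + struct.pack(">BBH", 0, TCP_PROTO, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src: str, dst: str, sport: int, dport: int, seq: int, mss: int) -> bytes:
    """Constructed SYN carrying MSS, NOP, NOP and SACK-permitted options (28-byte header)."""
    options = struct.pack(">BBH", OPT_MSS, 4, mss) + bytes([OPT_NOP, OPT_NOP, OPT_SACK_OK, 2])
    data_offset = (20 + len(options)) // 4
    header = struct.pack(">HHIIBBHHH", sport, dport, seq, 0, data_offset << 4, FLAG_SYN, 65535, 0, 0)
    segment = bytearray(header + options)
    struct.pack_into(">H", segment, 16, tcp_checksum(src, dst, bytes(segment)))
    return bytes(segment)


def find_mss(segment: bytes):
    """Walk the option list; return (offset of the MSS value, MSS) or (None, None)."""
    data_offset = (segment[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = segment[i]
        if kind == OPT_END:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= data_offset:
            break
        length = segment[i + 1]
        if length < 2:
            break  # malformed option: stop rather than loop forever
        if kind == OPT_MSS and length == 4:
            return i + 2, struct.unpack_from(">H", segment, i + 2)[0]
        i += length
    return None, None


def clamp_mss(src: str, dst: str, segment: bytes, limit: int):
    """Rewrite the MSS option of a SYN (or SYN/ACK) down to `limit` and fix the checksum.

    Returns (segment, original_mss, resulting_mss). Non-SYN segments return
    (segment, None, None); SYNs already within the limit are returned unchanged."""
    if not segment[13] & FLAG_SYN:
        return segment, None, None
    offset, mss = find_mss(segment)
    if offset is None or mss <= limit:
        return segment, mss, mss
    out = bytearray(segment)
    struct.pack_into(">H", out, offset, limit)
    struct.pack_into(">H", out, 16, 0)  # zero the checksum field before recomputing
    struct.pack_into(">H", out, 16, tcp_checksum(src, dst, bytes(out)))
    return bytes(out), mss, limit


if __name__ == "__main__":
    syn = build_syn("192.168.1.10", "203.0.113.5", 51000, 80, 1000, 1460)
    clamped, before, after = clamp_mss("192.168.1.10", "203.0.113.5", syn, 1380)
    print("MSS %d -> %d, checksum ok: %s" % (before, after,
          tcp_checksum("192.168.1.10", "203.0.113.5", clamped) == 0))
```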
  • Page 153: Early Ageout Time Before The Session's Normal Ageout

    Configuring ScreenOS with TFTP or FTP Servers Enabled Using TFTP/FTP Options Use the TFTP/FTP option to configure the TFTP or FTP servers that a security device uses to save or import external files. These external files include configuration files (both protocols carry the file and any FTP credentials in cleartext, so the server should be reachable only from the management network)
  • Page 154: Configuring Hostnames And Domain Names Overview

    NetScreen CLI Reference Guide. Related Documentation: Configuring NSGP Overview on page 131; Configuring ScreenOS with TFTP or FTP Servers Enabled Using TFTP/FTP Options on page 129; NSGP Modules Overview on page 131
  • Page 155: Configuring Nsgp Overview

    NetScreen Gatekeeper Protocol (NSGP) is a Juniper Networks proprietary peer-to-peer protocol that enables a security device to act as a server for voice-over-IP (VoIP) traffic. NetScreen-500 security devices running ScreenOS 5.0 GPRS can be both the NSGP server and client.
  • Page 156: Example: Configuring Nsgp On Gtp And Gi Firewalls (Nsm Procedure)

    For the GTP client connection, you select a source interface, and then copy the NSGP server settings (from the NSGP server device) to configure the destination interface. Finally, you create a firewall rule that includes the GTP object, the GTP firewall, and the Gi firewall.
  • Page 157 In the interface navigation tree, select Service Options. Configure the following options: Select Telnet. Select NSGP Enabled. Select Enforce IPSec to encrypt the GTP connection. Click OK to save your changes to the interface, and then click OK to save your changes to the device.
  • Page 158: Using The Ppp Option To Configure Point-To-Point Protocol Connections

    For an interface with PPP encapsulation, you must configure a PPP access profile and bind it to the interface. You create an access profile with a user-defined name that is unique on the SSG device. You can bind the same access profile to more than one
  • Page 159: About Configuring Pppoe

    VSI interface—Use this option when running two devices using NSRP in active-passive mode. When failover occurs, the new primary device can use the same IP as the previous primary device to continue communicating with the ISP. Because the PPPoE
  • Page 160: Example: Updating Dns Servers (Nsm Procedure)

    Add a NetScreen-5GT device running ScreenOS 5.0 named “Device A”. Configure the ethernet1 interface (Trust Interface): In the device navigation tree, select Network > Interface. Double-click the ethernet1 interface. The General Properties screen appears. Configure the General Properties options:
  • Page 161 Click OK to add the instance, and then click OK again to save your changes to the device. Activate PPPoE and DHCP on the network. Turn off the power to the DSL modem, the security device, and any connected workstations. Turn on the DSL modem.
  • Page 162 PPPoE sessions through a single interface. In the following example you define three PPPoE instances: Instance isp_new_york, password “swordfish,” bound to interface ethernet3. This instance provides access to a service named Big_Apple_Service. The AC is named isp_ny_ac.
  • Page 163 In the device navigation tree, select Network > PPPoE. Click the Add icon. The New PPPoE Instance dialog box appears. Configure the following options, and then click OK: For Name, enter isp_new_york. For Interface, select the physical interface ethernet3.
  • Page 164 Configure the following options, and then click OK: For Name, enter isp_chicago. For Interface, select the subinterface ethernet3.2. For Username, enter user3@domain3. For Password, enter trout. For Access Concentrator, enter isp_c_ac. For Service, enter Windy_City_Service.
  • Page 165: Configuring A Pppoa Client Instance

    For a more detailed explanation of NACN on security devices, see the “Administration” volume in the Concepts & Examples ScreenOS Reference Guide for ScreenOS 5.0.0. Related Documentation: Configuring a PPPoA Client Instance on page 141; Example: Configuring Modem Connections (NSM Procedure) on page 142
  • Page 166: Interface Failover In Screenos Devices

    You can configure the parameters for the serial link as described in Table 30 on page 142. Table 30: Parameters for Serial Link (parameter, range, value). Speed (BPS): The maximum baud rate for the serial link (the default rate is 115,200 bps).
  • Page 167: Example: Creating Modem Settings (Nsm Procedure)

    Specify whether this modem setting is active. You can activate only one of the configured modem settings at a time. Click OK. Related Documentation: Example: Creating ISP Connection Settings (NSM Procedure) on page 144; Setting ISP Priority for Failover on page 144
  • Page 168: Example: Creating Isp Connection Settings (Nsm Procedure)

    ISPs that a particular ISP will be contacted. The lower the value, the higher the priority of the ISP. The trustee admin can also check the availability of an ISP with a priority setting of zero (0).
  • Page 169 ISP must be a unique number. You can also configure more than one ISP with a priority of zero. Related Documentation: Example: Configuring Modem Connections (NSM Procedure) on page 142; Example: Creating Modem Settings (NSM Procedure) on page 143; Example: Creating ISP Connection Settings (NSM Procedure) on page 144
  • Page 171: Administration

    Setting ScreenOS Authentication Options Using General Auth Settings on page 165; Setting ScreenOS Authentication Options Using Banners Overview on page 166; Setting ScreenOS Authentication Options Using Default Servers Overview on page 167; Setting ScreenOS Authentication Options Using Infranet Settings Overview on page 167
  • Page 172: Device Administration Options For Screenos Devices Overview

    This message automatically appears after you perform the following operations: Adjust the ScreenOS version—For details, see the Network and Security Manager Administration Guide. To import device administrator information, from the File menu, select Devices > Configuration > Import Admins.
  • Page 173: Device Administrator Authentication Overview

    Use this option when storing accounts on a SecurID or LDAP server, or when using a RADIUS server that does not contain the Juniper Networks dictionary file. By default, the external device administrator privilege level is set to Read-Only.
  • Page 174: Device Administrator Account Configuration Overview

    When you create other device administrators, you must assign a privilege level; these privileges are available to the device admin after successful login to the device, as described in Table 31 on page 151.
  • Page 175: Configuring Authentication

    However, regardless of the authentication method you want the device administrator to use, you must initially define a password for the admin account. If you later bind a public key to the admin, the password becomes irrelevant.
  • Page 176: Admin Access Lock Setting

    The admin access lock locks out an administrator account after the administrator fails to authenticate within the configured timeout. If this option is disabled, you cannot set the authentication failure length, and the default value is 1. If this option
  • Page 177: Roles For Device Administrator Accounts

    Related Documentation: Restricting Management Connections Using Permitted IPs on page 154; Local Access Configuration Using CLI Management Overview on page 155; Device Administrator Account Configuration Overview on page 150
  • Page 178: Restricting Management Connections Using Permitted Ips

    On devices running ScreenOS 6.3, the permitted IPs used for restricting management connections support IPv6. Related Documentation: Local Access Configuration Using CLI Management Overview on page 155; File Formatting in NSM Overview on page 155; Supporting Admin Accounts for Dialup Connections on page 153
  • Page 179: Local Access Configuration Using Cli Management Overview

    Port Numbers for SSH and Telnet Connections in NSM Overview on page 156; Limiting Login Attempts, Setting Dial-In Authentication, and Restricting Password Length in NSM Overview on page 156; Local Access Configuration Using CLI Management Overview on page 155
  • Page 180: Port Numbers For Ssh And Telnet Connections In Nsm Overview

    To prevent a root device administrator from using short passwords (which are easier to guess or crack), you can set the minimum length requirement for the root device administrator password to any number from 1 to 31.
  • Page 181: Asset Recovery And Reset Hardware In Nsm Overview

    After the device has reconnected to the management system, you (the NSM administrator) can update the device with the modeled configuration. Related Documentation: Console-Only Connections in NSM Overview on page 158; Secure Shell Server in NSM Overview on page 158
  • Page 182: Console-Only Connections In Nsm Overview

    Web UI, Telnet, or SSH connections for the root device administrator. This setting overrides the management options enabled on the ingress interface. NOTE: This option does not appear for the Juniper Networks NSMXpress, which does not contain a console port.
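Permitted IPs (with IPv6 entries on ScreenOS 6.3) and the console-only setting above combine with the per-interface management options into one admission decision for an administrative connection. The following added example (not ScreenOS or NSM code) models that decision in the order a practitioner should expect: console access is always accepted, console-only blocks the root administrator's network logins regardless of what the ingress interface permits, the service must be enabled on the ingress interface, and the source must match a permitted entry. It assumes, as ScreenOS does when no permitted IPs are defined, that an empty list restricts nothing, which is the reason this check should not be the only control on the management plane. The ManagementConfig class, interface names and addresses are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ManagementConfig:
    """Assumed model of the relevant settings; not the device's own data model."""
    # Management services enabled on each ingress interface, e.g. {"ethernet1": {"ssh", "web"}}.
    interface_services: dict
    # Permitted management hosts: IPv4/IPv6 addresses or prefixes. An empty list
    # (the device default) restricts nothing: any host may attempt to manage the device.
    permitted: list = field(default_factory=list)
    # Console-only: the root administrator may log in only on the console;
    # this overrides the management options enabled on the ingress interface.
    console_only: bool = False


def ip_permitted(permitted, source: str) -> bool:
    """True if the source matches any permitted entry, or if no entries are configured."""
    if not permitted:
        return True
    src = ipaddress.ip_address(source)
    for entry in permitted:
        # A bare address becomes a /32 or /128; a prefix is used as given.
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == src.version and src in net:
            return True
    return False


def management_allowed(cfg: ManagementConfig, admin: str, ingress: str, service: str,
                       source: str, via_console: bool = False):
    """Admission decision for an administrative connection, with the reason for the verdict."""
    if via_console:
        return True, "console"
    if cfg.console_only and admin == "root":
        return False, "console-only is set for root"
    if service not in cfg.interface_services.get(ingress, set()):
        return False, f"{service} is not enabled on {ingress}"
    if not ip_permitted(cfg.permitted, source):
        return False, f"{source} is not a permitted IP"
    return True, "ok"


if __name__ == "__main__":
    cfg = ManagementConfig({"ethernet1": {"ssh", "web"}, "ethernet3": set()},
                           ["10.0.0.0/24", "2001:db8:1::/64"])
    for args in (("root", "ethernet1", "ssh", "10.0.0.5"),
                 ("root", "ethernet3", "ssh", "10.0.0.5"),
                 ("ops", "ethernet1", "web", "198.51.100.7"),
                 ("ops", "ethernet1", "web", "2001:db8:1::10")):
        print(args, "->", management_allowed(cfg, *args))
```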
  • Page 183: Using Ssh Version 1 (Sshv1)

    NOTE: NSM supports PKA keys for device administrator authentication only for devices running ScreenOS 5.x. Using SSH Version 2 (SSHv2) SSHv2 is more secure than SSHv1 and is the IETF standard (RFC 4251 through RFC 4254); SSHv1 has known protocol weaknesses, so enable it only for legacy clients that cannot be upgraded.
  • Page 184: Configuring Cli Banners In Nsm Overview

    Hence, if the user does not acknowledge the secondary banner, the device login process fails and the connection is closed. Related Documentation: Configuring Remote Access Using Web Management Overview on page 161; Configuring HTTP Administrative Connections in ScreenOS Devices Using NSM Overview on page 161
  • Page 185: Configuring Remote Access Using Web Management Overview

    Configuring Secure Connections in ScreenOS Devices Using NSM Overview on page 162; Configuring Network Time Protocol and NTP Backup Server in NSM Overview on page 163; Configuring Remote Access Using Web Management Overview on page 161
  • Page 186: Configuring Secure Connections In Screenos Devices Using Nsm Overview

    Protocol (SSLRP), which provides basic security services to higher level protocols such as HTTP. Using certificates, SSL authenticates the server (the security device), and then encrypts the traffic sent during the session. Juniper Networks supports authentication only of the server (the security device), not the client (the device administrator); the device authenticates itself to the device administrator, but the device administrator does not use SSL to authenticate to the device.
  • Page 187: Overview

    The date and time setting on the device affects VPN tunnel setup and schedule objects used in active security policies. You configure the device time in relation to GMT. Configuring Network Time Protocol on page 164; Configuring an NTP Backup Server on page 164
  • Page 188: Configuring Network Time Protocol

    Setting ScreenOS Authentication Options Using General Auth Settings on page 165; Setting ScreenOS Authentication Options Using Banners Overview on page 166; Configuring Secure Connections in ScreenOS Devices Using NSM Overview on page 162
  • Page 189: Setting Screenos Authentication Options Using General Auth Settings

    RADIUS, LDAP, or SecurID server through that interface (one source interface per authentication server object). Related Documentation: Setting ScreenOS Authentication Options Using Banners Overview on page 166; Setting ScreenOS Authentication Options Using Default Servers Overview on page 167
  • Page 190: Setting Screenos Authentication Options Using Banners Overview

    Setting ScreenOS Authentication Options Using Default Servers Overview on page 167; Setting ScreenOS Authentication Options Using General Auth Settings on page 165; Setting ScreenOS Authentication Options Using Infranet Settings Overview on page 167
  • Page 191: Setting Screenos Authentication Options Using Default Servers Overview

    Setting ScreenOS Authentication Options Using Banners Overview on page 166 Setting ScreenOS Authentication Options Using Infranet Settings Overview If you have deployed Juniper Networks Infranet Controllers as part of your network security infrastructure, you can use the Infranet Settings screen on devices running ScreenOS 5.3 and later to configure the properties as described in Table 37 on page 167.
  • Page 192: General Report Settings For Screenos Devices Overview

    By default, packets that are dropped on the security device are logged to the self log. In the Firewall Options, you can disable or enable logging of dropped packets for specific traffic types, including ICMP, IKE, SNMP, and multicast packets.
  • Page 193: Configuring Syslog Host Using Nsm (Nsm Procedure)

    Click the Add icon in the Syslog configuration screen. The host configuration dialog box appears. Specify the hostname and the port to which the security device sends syslog messages. For each syslog host, you specify the following:
  • Page 194: Configuring Snmpv3 In Screenos Devices (Nsm Procedure)

    General Report Settings for ScreenOS Devices Overview on page 168 Configuring SNMPv3 in ScreenOS Devices (NSM Procedure) The Simple Network Management Protocol (SNMP) agent for a Juniper Networks security device provides network administrators with a way to view statistical data about the network and the devices on it and to receive notification of system events of interest.
  • Page 195 Specifies the security model for the access group. Security Level: Specifies the security level for the access group. Notify: Specifies the notification parameter for the access group. Read: Specifies the read access privilege for the access group.
  • Page 196 32 for IPv4 addresses or 128 for IPv6 addresses. Netmask/Prefix: Specifies the netmask of the IPv4 or IPv6 IP address. Port: Specifies the port. Target Parameter: Specifies the target parameter that you have created.
  • Page 197 Tag List: Specifies the tag value that you have selected in the filter. Related Documentation: General Report Settings for ScreenOS Devices Overview on page 168; Device Administration Options for ScreenOS Devices Overview on page 148
  • Page 199: Security

    Configuring IDP Security Module Settings in ScreenOS Overview on page 189; Configuring Integrated Web Filtering in ScreenOS (NSM Procedure) on page 190; Example: Configuring Integrated Web Filtering (NSM Procedure) on page 190; Redirect Web Filtering in ScreenOS Using NSM Overview on page 192
  • Page 200: Classification Of Security Options Overview

    Some malicious viruses erase files or lock up systems, while other viruses merely infect files and can overwhelm the target host or network with bogus data. Juniper Networks supports internal and external antivirus (AV) scanning on select security devices. Use the antivirus (AV) option to configure AV scanning. Security devices may provide one or more of the following antivirus scanning methods: External AV scanning—Uses an external Trend Micro device for scanning.
  • Page 201: External Antivirus Scanner Settings Overview

    70%; the acceptable range is from 1 to 100%, where 100% allows unrestricted resource consumption. You might want to edit this option to prevent a malicious user from generating a large amount of traffic in an attempt to consume all available resources.
  • Page 202: Internal Antivirus Scan Manager Settings Overview

    You can use one of the following two default pattern-update server URLs, from which the device retrieves pattern file updates. For the Kaspersky internal antivirus scanner: http://update.juniper-updates.net/av/5gt. For the Trend Micro internal antivirus scanner: http://5gt-p.activeupdate.trendmicro.com/activeupdate/server.ini
  • Page 203 Content drop parameters: You can specify that the device drop messages if the size of the content or the number of concurrent messages exceeds configurable limits.
  • Page 204 You can indicate whether you want the device to notify the administrator through e-mail when an updated pattern file is available. Related Documentation: Internal Antivirus HTTP Webmail Settings Overview on page 181; Antivirus Scanner Settings Overview on page 181
  • Page 205: Internal Antivirus Http Webmail Settings Overview

    Internal Antivirus Scan Manager Settings Overview on page 178 Antivirus Scanner Settings Overview The third tab in the device-specific or template-specific antivirus settings is the AV Scanner Settings tab. Table 42 on page 182 describes the antivirus scanner settings available:
  • Page 206 If the notification e-mail includes Japanese or other double-byte characters, you can specify the character set to be used to display the notification e-mail. For example, if the virus notification e-mail includes Japanese characters, you can set the charset to shift_jis.
  • Page 207: Classification Of Deep Inspection Methods

    NOTE: Deep inspection is only available on standalone devices. It cannot be used to disable attacks when the device is in a cluster. The Juniper Networks Security team provides multiple DI signature packs for different security needs. Packs are covered by license keys. You must get a license key to enable a signature pack.
  • Page 208: Attack Object Database Overview

    Database option to configure a database that contains all the predefined attack objects, organized into attack object groups by protocol and severity level. Juniper Networks stores the attack object database on the attack object update server at https://services.netscreen.com/restricted/sigupdates. To gain access to the attack object update server, you must first obtain an attack object update subscription for your security device.
  • Page 209: Using Attack Objects Overview

    Occasionally, an attack object produces false positives when included in a security policy for your network. You can remove the attack from the firewall rule by removing the attack object group to which the attack belongs or by disabling the individual attack object at
  • Page 210: Antispam Settings In Screenos Overview

    If it does not match a local list, it then attempts to match the e-mail against the list on the Juniper Networks server. Table 44 on page 187 lists the match criteria for the local whitelist, local blacklist, Juniper Networks blacklist, and corresponding actions.
  • Page 211: Configuring Antispam Settings In Screenos (Nsm Procedure)

    To configure a security device for antispam, you must turn on antispam in a policy and configure antispam settings on a device. To configure antispam settings: Double-click a security device in Device Manager. Select Security > Antispam. Populate the listed boxes:
  • Page 212 Click the Add icon in the Antispam Blacklist area. Enter wesendspam.com in the Entry box, and then click OK. In the Action for Spam box, select Tag Spam Email. In the Tag Subject or Header box, select subject.
  • Page 213: Configuring Idp Security Module Settings In Screenos Overview

    Related Documentation: Configuring Integrated Web Filtering in ScreenOS (NSM Procedure) on page 190; Example: Configuring Integrated Web Filtering (NSM Procedure) on page 190; Configuring Antispam Settings in ScreenOS (NSM Procedure) on page 187.
  • Page 214: Configuring Integrated Web Filtering In Screenos (Nsm Procedure)

    Web Filtering profile to a firewall rule. A Web Filtering profile contains Web Categories and the action the security device takes (permit or block) when it receives a request to access a URL.
  • Page 215 Click OK to save your settings and close the device configuration. Related Documentation: Redirect Web Filtering in ScreenOS Using NSM Overview on page 192; Configuring Integrated Web Filtering in ScreenOS (NSM Procedure) on page 190.
  • Page 216: Redirect Web Filtering In Screenos Using Nsm Overview

    For the time interval, you can enter a number between 10 and 240. Fail Mode: The fail mode (Block or Permit) determines how the security device handles HTTP requests if the device loses contact with the Web-filtering server.
  • Page 217: Example: Configuring Redirect Web Filtering In Screenos (Nsm Procedure)

    Web filtering. The device configuration appears. In the device navigation tree, select Security > Web Filtering, and then click the Websense (Redirect) tab. Select Enable Web Filtering, and then configure the following WebSense settings:
  • Page 218: Adding Proxy Addresses Overview

    You can create the proxy value under Device Manager > Devices > Security > Proxy. Related Documentation: Example: Configuring Redirect Web Filtering in ScreenOS (NSM Procedure) on page 193; Redirect Web Filtering in ScreenOS Using NSM Overview on page 192.
  • Page 219: Planning And Preparing Vpns

    Configuring Required Routing-Based VPN Components Overview on page 215; Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview on page 215; Routing-Based VPN Support Using Static and Dynamic Routes Overview on page 216; Preparing Optional VPN Components Overview on page 216
  • Page 220: System-Level And Device-Level Vpn Using Nsm Overview

    With Network and Security Manager (NSM), you can use basic networking principles and your Juniper Networks security devices to create VPNs that connect your headquarters with your branch offices and your remote users with your protected networks.
  • Page 221: Device-Level Vpn In Device Manager Overview

    You can also create AutoKey IKE, L2TP, and L2TP-over-AutoKey IKE VPNs at the device level. Related Documentation: VPN Configuration Supported Overview on page 198; System-Level VPN with VPN Manager Overview on page 196; Planning Your VPN Using NSM Overview on page 198.
  • Page 222: Vpn Configuration Supported Overview

    The following topics provide information to help you make these decisions: Determining Your VPN Members and Topology; Protecting Data in the VPN; Choosing a VPN Tunnel Type; VPN Checklist. Related Documentation: Defining Members and Topology in NSM on page 207.
  • Page 223 Traffic Protection Using Tunneling Protocol in NSM Overview on page 202; Traffic Protection Using IPsec Tunneling Protocol Overview on page 203.
  • Page 224: Defining Vpn Members And Topology Using Nsm
  • Page 225 RAS user that connects to a central security device. Advantages—Simple, easy to configure. Disadvantages—The central security device is a single point of failure. Use a site-to-site VPN to connect remote networks to a single, central network inexpensively. An example is shown below:
  • Page 226: Traffic Protection Using Tunneling Protocol In Nsm Overview

    NSM provides two tunneling protocols: IPsec and L2TP. Related Documentation: Traffic Protection Using IPsec Tunneling Protocol Overview on page 203; Traffic Protection Using L2TP Tunneling Protocol Overview on page 205; Defining Members and Topology in NSM on page 207.
  • Page 227: Traffic Protection Using Ipsec Tunneling Protocol Overview

    Using Encapsulating Security Payload (ESP): ESP encrypts the data in the VPN with DES, Triple DES, or AES symmetric encryption. When the encrypted data arrives at the destination, the receiving device uses a key to
  • Page 228 Related Documentation: Defining Members and Topology in NSM on page 207; Traffic Protection Using Tunneling Protocol in NSM Overview on page 202.
  • Page 229: Traffic Protection Using L2Tp Tunneling Protocol Overview

    Route-based VPNs—The VPN tunnel is created when the route is defined and is maintained continuously. Use route-based VPNs when you want to encrypt and authenticate all traffic between two VPN members. You cannot add RAS users in a routing-mode VPN.
  • Page 230: About Policy-Based Vpns

    Related Documentation: Defining VPN Checklist Overview on page 207; Defining Members and Topology in NSM on page 207; Traffic Protection Using L2TP Tunneling Protocol Overview on page 205.
  • Page 231: Defining Vpn Checklist Overview

    Use a policy-based VPN to encrypt and authenticate certain types of traffic between two network nodes. Use a route-based VPN to encrypt and authenticate all traffic between two network nodes. Use a mixed-mode VPN to encrypt and authenticate traffic between policy-based and route-based VPN nodes.
  • Page 232: Defining Vpn Traffic Using Security Protocols In Nsm

    You can inspect the VPN rules and override any VPN property before sending the VPN configuration to your devices. You can choose the VPN type that best matches your VPN requirements. Table 50 on page 209 describes the VPN types that match your VPN requirements.
  • Page 233: Creating Device-Level Vpns

    ESP; AutoKey IKE; Encryption; PPP or other non-IP traffic; Remote access users. Creating Device-Level VPNs: You can create the following VPN types: AutoKey IKE VPN; Manual key IKE VPN; L2TP VPN; Redundant site-site VPN.
  • Page 234: Preparing Basic Vpn Components

    “Configuring Zones and Zone Properties in ScreenOS Devices Overview” on page 39. Related Documentation: Preparing Required Policy-Based VPN Components Overview on page 211; Policy-Based VPN Creation Using Address Objects and Protected Resources Overview on page 211.
  • Page 235: Preparing Required Policy-Based Vpn Components Overview

    The address specifies the secured destination, the service specifies the type of traffic to be tunneled, and the device specifies where the VPN terminates (typically an outgoing interface in the untrust zone). In a VPN rule, protected resources are the source and destination IP addresses. When creating protected resources:
  • Page 236: Policy-Based Vpn Creation Using Shared Nat Objects Overview

    Related Documentation: Policy-Based VPN Creation Using Remote Access Server Users Overview on page 213; Configuring Required Routing-Based VPN Components Overview on page 215; Policy-Based VPN Creation Using Address Objects and Protected Resources Overview on page 211.
  • Page 237: Policy-Based Vpn Creation Using Remote Access Server Users Overview

    On the device server, a partial or whole DN is associated with a VPN configuration. On the client side, the certificate DN is sent as the IKE ID for the server to match the VPN configuration based on the content of the DN.
  • Page 238: Configuring Group Ike Ids

    (cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number of VPN tunnels allowed on the Juniper Networks security device platform). For details on group IKE IDs, see the ScreenOS 5.x Concepts and Examples Guide.
  • Page 239: Configuring Required Routing-Based Vpn Components Overview

    A single VPN tunnel to multiple tunnel interfaces; Multiple VPN tunnels to a single tunnel interface. For details on tunnel interfaces and tunnel zones, see “Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview” on page 215.
  • Page 240: Routing-Based Vpn Support Using Static And Dynamic Routes Overview

    To create a static route, you must manually create a route for each tunnel on each device. For VPNs with more than just a few devices, Juniper Networks highly recommends using a dynamic routing protocol to automatically determine the best route for VPN traffic.
  • Page 241: Optional Vpn Support Using Authentication Servers Overview

    (includes public/private key pair request) using the Generate Certificate Request directive. In response, the device provides a certificate request that includes the encrypted public key for the device. Using this encrypted public key, you can contact an independent
  • Page 242: Configuring Ca Objects

    Network and Security Manager Administration Guide. Related Documentation: Optional VPN Support Using Authentication Servers Overview on page 217; Preparing Optional VPN Components Overview on page 216.
  • Page 243: Configuring Vpns

    Device Level L2TP VPN: Using L2TP Users Configuration Overview on page 235; Device Level L2TP VPN: Using L2TP Configuration Overview on page 235; Device Level L2TP VPN: Using VPN Rule Configuration Overview on page 236
  • Page 244 Manual Installation of CA Certificates in NSM on page 274; Configuring Certificate Revocation Lists (NSM Procedure) on page 274; Imported Certificates in NSM Overview on page 275; PKI Default Settings Configuration in NSM Overview on page 276
  • Page 245: Device Level Vpn Types And Supported Configurations Overview

    Add VPN rules to Security Policy. A gateway is an interface on your security device that sends and receives traffic; a remote gateway is an interface on another device that handles traffic for that device. Each security
  • Page 246: Screenos Devices Gateway Properties

    IKE identity exchange between the nodes. Because Aggressive mode is typically faster but less secure than Main mode, use Aggressive mode when speed is more important than security. However, you must use Aggressive mode for VPNs that include RAS users.
  • Page 247 Retry Times — Specifies the maximum number of times to send the response request before considering the peer to be dead. Reconnect (Seconds) — Specifies the reconnect interval. The parameter renegotiates the tunnel at configured intervals after it is cleaned up because of a detected dead peer.
  • Page 248: Screenos Devices Ike Ids Or Xauth Identification Number

    ID type for the VPN members at each end of the tunnel. However, the ID type can be different for each member. Table 54 on page 225 describes the different ID types for each member.
  • Page 249 IKE IDs work, see the Configuring Group IKE IDs section in “Policy-Based VPN Creation Using Remote Access Server Users Overview” on page 213. For details on determining the ASN1-DN container and wildcard values for group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
  • Page 250: Security Methods For Screenos Devices

    In ScreenOS 6.1 or later, the user can set the following IKEv2 parameters: half-open IKE session threshold for triggering stateless cookie exchange; initiator sending a dummy IPsec packet.
  • Page 251: Device Level Autokey Ike Vpn: Using Routes Configuration Overview

    ScreenOS Security Measures Using VPN Configuration on page 228; Binding/ProxyID on page 229; Monitor Management on ScreenOS Devices Using AutoKey IKE VPN on page 230. Device-Level AutoKey IKE VPN Properties: Enter the following values as described in Table 55 on page 228.
  • Page 252: Screenos Security Measures Using Vpn Configuration

    If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices, you should use multiple proposals to increase security and ensure compatibility.
  • Page 253: Binding/Proxyid

    In such cases, the security device uses multiple proxy IDs to direct the traffic. You can use either an IP address or an address name of the local and remote device to define a proxy ID.
  • Page 254: Monitor Management On Screenos Devices Using Autokey Ike Vpn

    For policy-based VPNs, you must add a VPN rule to create the VPN tunnel. For route-based VPNs, the VPN tunnel is already in place. However, you might want to add a VPN rule to control traffic through the tunnel.
  • Page 255: Device-Level Manual Key Vpn: Using Xauth Users Overview

    VPN traffic flows through the tunnel zones or tunnel interfaces on the security device, and uses static or dynamic routes to reach other VPN members. You must create the tunnel zones and interfaces before configuring routes. For details on configuring tunnel
  • Page 256: Device-Level Manual Key Vpn: Using Vpn Configuration Overview

    Clear—Use this option to enable IP packets to be fragmented. Set—Use this option to ensure that IP packets are not fragmented. Copy—Select to use the same option as specified in the internal IP header of the original packet.
  • Page 257: Binding

    You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Enable the VPN Monitor in RealTime Monitor to display statistics for the VPN tunnel as described in Table 59 on page 234.
  • Page 258: Device Level Manual Key Vpn: Using Vpn Rule Configuration Overview

    VPN rule to control traffic through the tunnel. For details on adding and configuring a VPN rule in a security policy, see “Adding VPN Rules to a Security Policy Overview” on page 237.
  • Page 259: Device Level L2Tp Vpn: Using L2Tp Users Configuration Overview

    Enter a name for the L2TP VPN, and then specify the following information as described in Table 60 on page 235. Table 60: Device Level L2TP VPN: Using L2TP Configuration (L2TP Options / Description): Host Name: Enter the name of the L2TP host.
  • Page 260: Device Level L2Tp Vpn: Using Vpn Rule Configuration Overview

    Related Documentation: Creating Device Level L2TP-over-Autokey IKE VPNs Overview on page 237; Adding VPN Rules to a Security Policy Overview on page 237; Device Level L2TP VPN: Using L2TP Configuration Overview on page 235.
  • Page 261: Creating Device Level L2Tp-Over-Autokey Ike Vpns Overview

    Select the source security device that contains the termination interface for the VPN tunnel. Select a VPN type: For IKE VPNs, select the VPN that you configured on the device. For L2TP VPNs, you must also select the L2TP tunnel that you configured on the device.
  • Page 262: Configuring The Security Policy

    This topic provides examples of the two device-level VPN types with step-by-step instructions on creating each type of device-level VPN. NOTE: For examples on creating other VPN types using VPN Manager, see the Network and Security Manager Administration Guide.
  • Page 263 Add the Tokyo trust LAN (10.1.1.0/24) as a network address object. In Address Objects, click the Add icon and select Network. Configure the following settings, and then click OK: For Name, enter Tokyo Trust LAN. For IP Address/Netmask, enter 10.1.1.0/24.
  • Page 264 Select the Manual tab, and then click the Add icon. The Properties screen appears. Configure the Properties tab as follows: For Name, enter Tokyo_Paris. For Gateway, enter 2.2.2.2. For Local SPI, enter 3020. For Remote SPI, enter 3030. For Outgoing Interface, select ethernet3.
  • Page 265 Create the Paris VPN: In the device navigation tree, select VPN Settings > AutoKey IKE/Manual VPN. Select the Manual tab, and then click the Add icon. The Properties screen appears. Configure the following settings:
  • Page 266 For Security Policy Name, enter Corporate Route-based VPNs. Add comments, if desired. In the NSM navigation tree, select Security Policies > Corporate Route-based VPNs. The security policy appears in the display area. Configure the rules.
  • Page 267: Example: Creating Device Level Vpn Type 2 (Nsm Procedure)

    For Authentication Algorithm, select SHA-1. Select Generate Key by Password, and then enter the password PNas134a. Select the Binding tab. Select Tunnel Zone and select untrust-tun. Click OK to save the new VPN. Create Tokyo routes.
  • Page 268 Related Documentation: Example: Creating Device Level VPN Type 1 (NSM Procedure) on page 238; Example: Creating Device Level VPN Type 3 (NSM Procedure) on page 245; Adding VPN Rules to a Security Policy Overview on page 237.
  • Page 269: Example: Creating Device Level Vpn Type 3 (Nsm Procedure)

    Select Enable, and then select L2TP. Select Password, and then enter and confirm the password: BviPsoJ1. Configure an L2TP user object for Carol, and then click OK: For Name, enter Carol. Select Enable, and then select L2TP.
  • Page 270 For Peer IP, enter 0.0.0.0 (because the peer’s ISP dynamically assigns it an IP address, enter 0.0.0.0 here). Select Use Custom Settings, and leave the default authentication server as Local. For User/Group, select Dialup Group, and then select Field Sales.
  • Page 271: L2Tp And Xauth Local Users Configuration Overview

    RADIUS server. When you assign the L2TP user or user group a remote setting and IP pool at the device level, the settings override the remote settings and IP pool assigned to the VPN. You can even use different auth servers, one for each
  • Page 272 In the NSM navigation tree, select Object Manager > IP Pools. Configure the new IP pool: In the display area, click the Add icon. The New IP Pool dialog box appears. Configure the following settings:
  • Page 273: Xauth Users Authentication Overview

    You can also assign an XAuth user IP, WINS, and DNS addresses from the device. When you assign the XAuth user or user group a remote setting and IP pool at the device level, the settings override the remote settings and IP pool assigned to the VPN.
  • Page 274: Vsys Configurations In Nsm Overview

    For more information about vsys, refer to the Concepts & Examples ScreenOS Reference Guide: Virtual Systems. For more information about how to configure transparent vsys, refer to the Juniper Networks New Features Guide for ScreenOS 5.0-L2V software. Related Virtual Router Configurations for Root and Vsys Overview on page 251...
  • Page 275: Virtual Router Configurations For Root And Vsys Overview

    This zone is inherited from the root device. Trust-vsys_name zone: This zone is created by default when you create the vsys. Untrust-Tun-vsys_name zone: This zone is created by default when you create the vsys.
  • Page 276: Interface Configurations For Root And Vsys Overview

    By default, the untrust-vr and untrust zone are shared, enabling you to configure a vsys to share any root-level physical interface, subinterface, redundant interface, or aggregate interface that is bound to the untrust zone.
  • Page 277: Viewing Root And Vsys Configurations

    However, inter-vsys traffic through a shared untrust zone is often interrupted by external traffic. To overcome such traffic interference in the shared untrust zone, you can use a shared DMZ zone created at the root level. Each shared DMZ zone
  • Page 278: Example: Routing Traffic To Vsys Using Vlan Ids (Nsm Procedure)

    L2V supports vsys transparent mode, also known as Layer 2 vsys, or L2V vsys. In this example, you define three subinterfaces (10.1.1.1/24, 10.2.2.1/24, and 1.3.3.1/24) with VLAN tags on ethernet 2.3 for the three virtual systems vsys1, vsys2, and vsys3. The
  • Page 279 In the device navigation tree, select Network > Interfaces. Click the Add icon and select Sub Interface. In the subinterface general properties, configure the following settings, and then click OK: For Interface, select ethernet2/3.2. For Sub Interface Type, select tag.
  • Page 280: Example: Routing Traffic To Vsys Using Ip Classification (Nsm Procedure)

    (both internal and untrust zones are in the shared trust-vr routing domain). Within the internal zone, configure a subnet for each vsys (10.1.1.0/24 for vsys1, 10.1.2.0/24 for vsys2, and 10.1.3.0/24 for vsys3).
  • Page 281 For IP Address and Netmask, enter 10.1.1.0/24. Right-click in the IP Classification screen and select New. The New IP Classification list appears. Configure the following settings, and then click OK: For Vsys, select vsys2.
  • Page 282: Layer 2 Vsys Configuration Overview

    A NetScreen 5000 line security device running ScreenOS 5.0-L2V supports virtual systems in Transparent mode (the device functions similarly to a Layer 2 switch or bridge). The device groups packets to or from a unique vsys based on the VLAN tag in the packet
  • Page 283: Assigning L2V Vlan Ids (Nsm Procedure)

    NSM no longer reserves those IDs, enabling you to import the IDs to another vsys. After you have imported VLAN IDs to a vsys, you can group those IDs and assign them to a physical port and zone.
  • Page 284: L2V Vlan Groups In Nsm Overview

    The exception is v1-null, which appears as v1-null; the regular null zone is unchanged, and appears as null. By default, the predefined VLAN zone is also sharable when using L2V. The VLAN zone contains all vsys management interfaces.
  • Page 285: L2V Interface Management In Nsm Overview

    (vlan1, vlan2, vlan3, and so on; the acceptable range is 2-4094 only in Transparent mode). When assigning an IP address to each interface, ensure that the IP subnets for all interfaces do not overlap.
  • Page 286: Configuring L2V Aggregate Interfaces

    Converting L2V to VLAN Trunking (NSM Procedure): When the VLAN interface is set to Trunk mode, the root system operates in VLAN trunk mode and L2V is disabled for the device. While in VLAN Trunk mode, all L2V functionality
  • Page 287 5.0 L2V as the root system, and then configure the network module: Double-click the device to open the device configuration. In the device navigation tree, select Network > Slot. Double-click slot 2 to display the slot configuration dialog box. For Card Type, select 5000-8G SPM.
  • Page 288 Vlan Group Port Settings. Configure the following settings, and then click OK. For Interface, select ethernet2/1. For Zone, select music-untrust. Create a management interface for vsys music: In the vsys navigation tree, select Network > Interfaces, and then click the Add icon and select VLAN Interface.
  • Page 289 OK. Create a rule that permits all traffic from music-trust to music-untrust: For From zone, select music-trust. For Source Address, select any. For To zone, select music-untrust. For Destination Address, select any.
  • Page 290: Configuring Crypto-Policy Overview

    A read-write admin user with a cryptographic role Related Certificate Authentication Support in NSM Overview on page 267 Documentation Self-Signed Certificates in NSM Overview on page 267 Converting L2V to VLAN Trunking (NSM Procedure) on page 262 Copyright © 2010, Juniper Networks, Inc.
  • Page 291: Certificate Authentication Support In Nsm Overview

    VPN member in an IKE VPN. A device running ScreenOS 5.1 and later automatically creates the self-signed certificate upon reboot, so you do not need to Copyright © 2010, Juniper Networks, Inc.
  • Page 292: Local Certificate Validation Of Screenos Devices Overview

    For CA-signed local certificates, you can also use SCEP to configure the device to automatically obtain a local certificate (and a CA certificate) from the CA directly. Related Generating Certificate Requests to ScreenOS Devices (NSM Procedure) on page 269 Documentation Copyright © 2010, Juniper Networks, Inc.
  • Page 293: Generating Certificate Requests To Screenos Devices (Nsm Procedure)

    Select this option to use the self-signed certificate on a device running ScreenOS 5.1 and later. (ScreenOS 5.1 and higher only) Because the self-signed certificate is both the local certificate and the CA certificate, when this option is enabled the SCEP options are automatically disabled. Copyright © 2010, Juniper Networks, Inc.
  • Page 294: Loading Local Certificate Into Nsm Management System

    (the private key never leaves the device). During this time, the certificate status is key pair, meaning that a key pair exists but no certificate has been loaded. Copyright © 2010, Juniper Networks, Inc.
  • Page 295: Installing Local Certificates Using SCEP in NSM

    Double-click the device configuration and then select VPN Settings > Local Certificates to view the local certificates. The certificate status appears as active, indicating that the certificate file has been successfully installed on both the physical device and the management system.
  • Page 296: Manual Installation of Local Certificates in NSM

    A CA certificate validates the identity of the third-party CA that issued the local device certificate. To view the available CA certificates on a device, in the device navigation tree, select VPN Settings > CA Certificates.
  • Page 297: Installing CA Certificates Using SCEP in NSM

    Open the device configuration to view the CA certificates in VPN Settings > CA Certificates. Related Documentation: Manual Installation of CA Certificates in NSM on page 274; Configuring Certificate Revocation Lists (NSM Procedure) on page 274; Certificate Authority Configuration in NSM Overview on page 272.
  • Page 298: Manual Installation of CA Certificates in NSM

    CA. After you have received a CRL, you can use the CRL object in your VPN. For details on configuring a certificate revocation list object, see “Configuring CRL Objects” on page 218.
  • Page 299: Imported Certificates in NSM Overview

    After the CA certificate and CRL files have been loaded, you can use those CA and CRL objects in other devices. Related Documentation: PKI Default Settings Configuration in NSM Overview on page 276; Configuring Certificate Revocation Lists (NSM Procedure) on page 274.
  • Page 300: PKI Default Settings Configuration in NSM Overview

    Partial—Use partial validation to validate the certificate path only part of the way to the root. Revocation Check: Select or clear revocation checking for certificates: Check for revocation—Select this option to enable revocation checking. Do not check for revocation—Select this option to disable revocation checking.
  • Page 301: Configuring Simple Certificate Enrollment Protocol

    CA certificate. CA IDENT: Enter the name of the certificate authority to confirm certificate ownership. Challenge: Enter the challenge word(s) sent to you by the CA that confirm the security device identity to the CA.
  • Page 302 Poll—When enabled, you can configure the number of minutes between polls. Do not poll—Use this option to disable automatic polling. Related Documentation: Configuring Certificate Revocation Lists (NSM Procedure) on page 274; Certificate Authority Configuration in NSM Overview on page 272.
  • Page 303: Voice over Internet Protocol

    The SCCP ALG supports the following features: Call flow—Allows calls from a Skinny client, through the CallManager, to another Skinny client. Seamless failover—Switches over all calls in process to the standby firewall during failure of the primary firewall.
  • Page 304: Configuring SCCP ALG in ScreenOS Devices (NSM Procedure)

    Enter a threshold value for the maximum number of calls per minute. The default is 20 calls per minute. NOTE: The threshold value is per client, to protect the CallManager from being flooded with new calls either by an already compromised connected client or by a faulty device.
  • Page 305: SIP ALG Overview

    Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments. Juniper Networks security devices support SIP as a service and can screen SIP traffic, allowing and denying it based on a policy that you configure. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port.
  • Page 306: SIP Request Methods Supported in ScreenOS Devices

    To field to the appropriate IP address of the internal client. When the UA is inside NAT and the proxy is outside NAT, the SIP ALG translates the From, Via, and Call-ID fields.
  • Page 307 Call-ID, Contact, Route, and Record-Route header fields are modified. In NAT mode, the address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network.
  • Page 308: Types of SIP Response Classes Supported in ScreenOS Devices

    Types of SIP Response Classes Supported in ScreenOS Devices. SIP responses provide status information about SIP transactions and include a response code and a reason phrase. SIP responses are grouped into the following classes:
  • Page 309 Global Failure (600 to 699)—Request cannot be fulfilled at any server. Table 71 on page 285 provides a complete list of current SIP responses, all of which are supported on Juniper Networks security devices. Table 71: SIP Responses Response Code-Reason...
  • Page 310: ALG Overview

    The SIP ALG monitors SIP transactions and dynamically creates and manages pinholes based on the information it extracts from these transactions. The Juniper Networks SIP ALG supports all SIP methods and responses (see “SIP Request Methods Supported in ScreenOS Devices” on page 282 and “Types of SIP Response Classes Supported in ScreenOS Devices”...
  • Page 311: Configuring SIP ALG in ScreenOS Devices (NSM Procedure)

    NOTE: Juniper Networks security devices do not support encrypted SDP. If a security device receives a SIP message in which SDP is encrypted, the SIP ALG permits it through the firewall but generates a log message informing the user that it cannot process the packet.
  • Page 312: SDP Session Description Overview

    IP address and port numbers specified in the media description field m=. In this release of ScreenOS, the security device opens ports only for RTP and Real-Time Control Protocol (RTCP). Every RTP session has a corresponding RTCP session.
  • Page 313: Pinhole Creation in ScreenOS Devices Overview

    Table 72: Information for Pinhole Creation. Protocol: UDP. Source IP: Unknown. Source port: Unknown. Destination IP: The parser extracts the destination IP address from the c= field at the media or session level.
  • Page 314: Session Inactivity Timeout in ScreenOS Devices Overview

    If either of these timeouts expires, the security device removes all sessions for this call from its table, thus terminating the call. Related Documentation: SIP ALG Overview on page 281; SIP Request Methods Supported in ScreenOS Devices on page 282;
  • Page 315 Chapter 9: Voice over Internet Protocol. Types of SIP Response Classes Supported in ScreenOS Devices on page 284; ALG Overview on page 286.
  • Page 317: Routing

    Dynamic Routing Configuration Overview on page 313; OSPF Protocol Configuration Overview on page 313; Enabling OSPF (NSM Procedure) on page 314; Global OSPF Settings Overview on page 315; Configuring OSPF Interface Parameters Overview on page 317.
  • Page 318: Configuring Virtual Routers

    To configure a virtual router, double-click the virtual router in the Virtual Router configuration screen (or select the virtual router and click the Edit icon, or right-click the virtual router and select Edit). You can configure the following parameters for a virtual router:
  • Page 319: Route Types Overview

    All routes are contained within a virtual router. Related Documentation: Configuring Virtual Routers Overview on page 294; Virtual Routers Overview on page 296; Virtual Router General Properties Overview on page 297.
  • Page 320: Virtual Routers Overview

    Click the Edit icon to edit the ISG2000 device. In the device navigation tree, click Network > Virtual Router. The Virtual Router screen appears. Create a customer virtual router, customer-vr1, and save the changes.
  • Page 321: Virtual Router General Properties Overview

    (preferred value 2), destination-based routes (preferred value 1). To change this sequence, configure the values for each preference from 1 to 255; the higher the value, the more preferred the route.
  • Page 322: Access List Overview

    2.2.2.10 is denied. You can also use access lists to control the flow of multicast control traffic. You can create an access list to restrict the multicast groups that hosts can join or the sources
  • Page 323: Example: Configuring Access Lists (NSM Procedure)

    For Prefix, select Prefix to Filter and enter the IP address/netmask 1.1.1.1/24. Click OK to save the new access list. Click OK to save your changes to the virtual router, and then click OK again to save your changes to the device configuration.
  • Page 324: Route Map Overview

    Select the route metric a route must match. Interface: Select the interfaces a route must match. Access List: Select the access list a route must match. Next-Hop: Match a specified access list. IPv6 is also supported, from ScreenOS 6.3.
  • Page 325 Sets the local-pref attribute of the matching route to the specified value (BGP). Preserve preference (ScreenOS 5.1 and later only): Preserves the preference value of the matching route that is exported into another virtual router.
  • Page 326: Export and Import Rules in a Virtual Router Overview

    Configuring an export or import rule is similar to configuring a redistribution rule. You configure a route map to specify which routes are to be exported or imported and the attributes of those routes.
  • Page 327: Example: Configuring Export Rules in a Virtual Router (NSM Procedure)

    In the Access List Entries area, click the Add icon. The New Access List Entry dialog box appears. Configure the following, and then click OK: For Sequence Number, enter 10. For Action, select Permit. For Prefix, select Prefix to Filter and enter the IP address/netmask 1.1.1.1/24.
  • Page 328 Double-click the trust-vr virtual router. The General Properties screen appears. Select Auto-export route to untrust-vr. Click OK to save your changes to the trust-vr. Configure the route map for the untrust-vr. Double-click the trust-vr virtual router. The General Properties screen appears.
  • Page 329: Routing Table Entries Overview

    Directly connected networks (the destination network is the IP address that you assign to an interface in Route mode); dynamic routing protocols, such as OSPF, BGP, or RIP; routes that are imported from other routers or virtual routers; statically configured routes.
  • Page 330 It also allows you to search for a specific route in a route table when there are many static routes configured on the security device. For instructions on configuring virtual router static route entries, see the Network and Security Manager Online Help.
  • Page 331: Destination-Based Routes Overview

    NOTE: For security devices running ScreenOS 5.3, you can also configure source-based and source-interface-based routes with the next hop as a virtual router within the same security device. Related Documentation: Route Types Overview on page 295; Virtual Routers Overview on page 296.
  • Page 332: Source-Based Routes Overview

    In the device navigation tree, select Network > Virtual Routers. Double-click the trust-vr virtual router. The General Properties screen appears. In the virtual router navigation tree, select Routing Table. Select Enable Source-Based Routing.
  • Page 333: Source Interface-Based Routes Overview

    SIBR can be used in conjunction with the source-based routing feature, which enables traffic to be forwarded based on the source IP address of a data packet. When a security device performs a route lookup, the source interface-based routing table is checked first.
  • Page 334: Example: Source-Interface-Based Routing (NSM Procedure)

    ISP 1 router (1.1.1.1) as the next hop; subnetwork 10.1.2.0/24, with ethernet2/2 as the source interface and ethernet2/4 as the forwarding interface, uses the ISP 2 router (2.2.2.2) as the next hop.
  • Page 335 Click OK to save your changes to the interface. In the device navigation tree, select Network > Virtual Routers. Double-click the trust-vr virtual router. The General Properties screen appears. In the router navigation tree, select Routing Table. Select Enable Source-Based Routing.
  • Page 336: Configuring Route Preferences

    To change the preference value for a protocol, enter a new value for the protocol in the Route Preferences configuration screen. Related Documentation: Route Types Overview on page 295; Access List Overview on page 298; Route Maps Overview on page 300; Routing Table Entries Overview on page 305.
  • Page 337: Dynamic Routing Configuration Overview

    OSPF operation only on the specific interface. Additionally, you can set security-related OSPF settings at either the VR level or on a per-interface basis. The following topics detail how to enable OSPF and configure all optional parameters.
  • Page 338: Enabling OSPF (NSM Procedure)

    “Configuring OSPF Interface Parameters Overview” on page 317. Click OK to save your changes to the interface. Related Documentation: Configuring Route Preferences on page 312; Dynamic Routing Configuration Overview on page 313; OSPF Protocol Configuration Overview on page 313.
  • Page 339: Global OSPF Settings Overview

    OSPF routers in the network busy running the SPF algorithm. Advertising Default Route: Select this option to direct the VR to advertise an active default route (0.0.0.0/0) in the VR route table to all OSPF areas.
  • Page 340: Configuring OSPF Areas

    You can summarize inter-area routes or external routes. Configuring OSPF Redistribution Rules: Use route redistribution to exchange route information between routing protocols. You can redistribute the following types of routes into the OSPF routing instance in the same
  • Page 341: Configuring OSPF Virtual Links

    You can enable OSPF on Ethernet and tunnel interfaces. When configuring OSPF on a tunnel interface, you can configure additional parameters to keep OSPF tunnel traffic to a minimum. The OSPF interface parameters are displayed in Table 77 on page 318.
  • Page 342 BGP is also enabled on the interface. In addition, you can configure an OSPF demand circuit for ScreenOS 5.1 and later tunnel interfaces only. An OSPF demand circuit is a network segment on which connect time
  • Page 343: Configuring OSPF Neighbors

    To enable authentication, select one of the following authentication methods: Clear Text Authentication—To use a simple password for authentication, select this option and enter the password. NOTE: All passwords handled by NSM are case-sensitive.
  • Page 344: Configuring OSPF (NSM Procedure)

    Click the Add icon. Enter ID in the Area ID box. Select the interfaces that are to be included in this OSPF area. Select the Type. Click OK to close the Area configuration screen.
  • Page 345: RIP Overview

    RIP on individual interfaces. You can also configure optional RIP settings, such as the following: Global settings, such as timers and trusted RIP neighbors, that are set at the VR level for the RIP protocol.
  • Page 346: Configuring RIP (NSM Procedure)

    Select Enable RIP. If desired, configure additional interface and security settings, as detailed in “RIP Interface Parameters Overview” on page 325. Click OK to save your changes to the interface. Related Documentation: Configuring Route Preferences on page 312.
  • Page 347: Global RIP Settings Overview

    Routes for Prefix Allowed (ScreenOS 5.1 and later only): Configure the maximum number of RIP routes for the same prefix that RIP can add to the RIP route database. By default, RIP does not allow alternate routes.
  • Page 348 RIP-enabled interface. Route Maps: To control which routes RIP learns and advertises, configure the following: The inbound route map defines the routes that RIP learns. The outbound route map defines the routes that RIP advertises.
  • Page 349: Configuring RIP Redistribution Rules

    RIP does not transmit or receive packets on the specified interface, but interface configuration parameters are preserved. For instructions on configuring RIP settings on the virtual router and on the interface, see the Network and Security Manager Online Help.
  • Page 350: Configuring RIP Authentication

    Authenticating RIP neighbors using MD5 authentication or a simple password is the best way to fend off these types of attacks. When authentication is enabled, the device discards all unauthenticated RIP packets received on the interface. By default, authentication is disabled.
  • Page 351: BGP Overview

    BGP notification message is sent to or received from the peer, which causes the connection to fail or close. For instructions on configuring BGP settings on the virtual router and on the interface, see the Network and Security Manager Online Help.
  • Page 352: Route-Refresh Capabilities Overview

    For more detailed information about zones on security devices, see the Concepts & Examples ScreenOS Reference Guide: Routing. Related Documentation: RIP Overview on page 321; Global RIP Settings Overview on page 323; RIP Interface Parameters Overview on page 325; Route-Refresh Capabilities Overview on page 328.
  • Page 353: Configuring BGP Networks

    Each address range included in the aggregate address is considered a contributing route within the aggregate address.
  • Page 354: Configuring Neighbors and Peer Groups Overview

    (you cannot assign IBGP and EBGP peers to the same peer group). Related Documentation: BGP Overview on page 327; Route-Refresh Capabilities Overview on page 328; Configuring BGP Networks on page 329; Configuring Aggregate Addresses on page 329.
  • Page 355: Configuring a BGP Routing Instance (NSM Procedure)

    Related Documentation: Route-Refresh Capabilities Overview on page 328; Multicast Route Overview on page 337; Configuring Neighbors and Peer Groups Overview on page 330; Configuring BGP Networks on page 329; Configuring Aggregate Addresses on page 329.
  • Page 356: Configuring NHRP Overview

    Redistribute NHRP routes into other dynamic routing protocols such as OSPF, BGP, and RIP. Set the routing on the tunnel interface. You can configure the NHRP parameters as described in Table 81 on page 333.
  • Page 357: Configuring OSPFv3 Overview

    OSPFv3 Route Preference on page 335. OSPFv3 Support in Virtual Routers: In dynamic routing protocols, each virtual router (VR) in the security device uses a unique virtual router identifier (VRID) to communicate with other routing devices. The identifier
  • Page 358: OSPFv3 Support in Interfaces

    Specifies the metric for the interface. The cost associated with an interface depends upon the bandwidth of the link to which the interface is connected. The higher the bandwidth, the lower the cost value.
  • Page 359: OSPFv3 Route Preference

    For OSPFv3 and OSPFv3 External Type 2, select any value between 0 and 255. Related Documentation: Configuring NHRP Overview on page 332; Configuring a BGP Routing Instance (NSM Procedure) on page 331; Configuring RIPng Overview on page 336.
  • Page 360: Configuring RIPng Overview

    Specifies, in seconds, when a route is removed from the time the route becomes invalid (default 120 seconds). Invalid Timer: Specifies, in seconds, when a route becomes invalid from the time a neighbor stops advertising the route (default 180 seconds).
  • Page 361: Redistribution Rules

    Directly connected routes; imported routes; statically configured routes. Related Documentation: Configuring NHRP Overview on page 332; Configuring a BGP Routing Instance (NSM Procedure) on page 331. Multicast Route Overview: Multicast routing environments require the following items:
  • Page 362: Configuring IGMP (NSM Procedure)

    Hosts running IGMPv3 indicate which multicast groups they want to join and the sources from which they expect to receive multicast traffic. IGMPv3 is required when you run Protocol Independent Multicast in source-specific multicast (PIM-SSM) mode.
  • Page 363: Configuring IGMP Proxy (NSM Procedure)

    IGMP host. You must first enable IGMP in host mode on upstream interfaces, then enable IGMP in router mode on downstream interfaces, and finally enable IGMP proxy on router interfaces.
  • Page 364 Multicast Route Overview on page 337; Configuring IGMP (NSM Procedure) on page 338; Configuring PIM Sparse Mode (NSM Procedure) on page 341; Configuring a Rendezvous Point to Group Mappings (NSM Procedure) on page 342.
  • Page 365: Configuring PIM Sparse Mode (NSM Procedure)

    Double-click the virtual router in which you are configuring a PIM-SM instance. The General Properties screen appears. In the virtual router navigation tree, select Dynamic Routing Protocol. Select Configure PIM-SM. PIM-SM configuration options now appear in the virtual router navigation tree under Dynamic Routing Protocol.
  • Page 366: Configuring a Rendezvous Point to Group Mappings (NSM Procedure)

    Configure the virtual router for PIM-SM: In the device navigation tree, select Network > Virtual Router. Double-click the virtual router in which you are configuring a PIM-SM instance. The General Properties screen appears.
  • Page 367: Configuring Acceptable Groups (NSM Procedure)

    Configuring Acceptable Groups (NSM Procedure). You can create access lists to identify the acceptable sources, multicast groups, and RPs, and then configure the virtual router to accept PIM messages only from those specified in the access lists.
  • Page 368 Access List Overview on page 298; RIP Overview on page 321; Multicast Route Overview on page 337; Configuring a Rendezvous Point to Group Mappings (NSM Procedure) on page 342; Example: Configuring Proxy RP on page 345.
  • Page 369: Example: Configuring Proxy RP

    Configure a firewall rule that permits unicast and multicast data traffic to pass between zones. Configure a multicast rule permitting PIM-SM messages to pass between zones. Related Documentation: Access List Overview on page 298; RIP Overview on page 321; Multicast Route Overview on page 337.
  • Page 370: Multicast Routing Table Entries Overview

    By default, the timer is set to 90 seconds, meaning that the device deletes a route entry in the cache after 90 seconds. The acceptable range is 10 to 180 seconds.
  • Page 371: Configuring Multicast Static Routes

    In this example, you configure a static multicast route from a source with IP address 20.20.20.200 to the multicast group 238.1.1.1. You configure the security device to translate the multicast group from 238.1.1.1 to 238.2.2.1 on the outgoing interface.
  • Page 372: IRDP Support Overview

    Configuring Multicast Static Routes on page 347. IRDP Support Overview: ICMP Router Discovery Protocol (IRDP) is an ICMP message exchange between a host and a router. The security device is the router and advertises the IP address of a specified
  • Page 373: Example: Configuring ICMP Router Discovery Protocol (NSM Procedure)

    In the interface navigation tree, select Protocol and select the IRDP tab. Select the Enable IRDP check box. Click OK to apply the settings. Table 85 on page 350 lists the IRDP parameters, default values, and available settings.
  • Page 374: Disabling IRDP

    To disable the Trust interface from running IRDP, enter the following command: unset interface trust protocol irdp enable. NOTE: For details on viewing IRDP information from the Web UI or the CLI, see the Concepts & Examples ScreenOS Reference Guide.
  • Page 375: Policy-Based Routing Overview

    Access List Overview on page 298; Route Maps Overview on page 300; IRDP Support Overview on page 348; Example: Configuring Access Lists (NSM Procedure) on page 299; Example: Configuring Policy-Based Routing (NSM Procedure) on page 352.
  • Page 376: Example: Configuring Policy-Based Routing (NSM Procedure)

    In the virtual router navigation tree, select Policy-based, and click New in the Policy tab to view the configuration page. Each PBR policy needs to have a unique name. Use the policy binding tabs in the configuration page to bind policies.
  • Page 377 Access List Overview on page 298; Route Maps Overview on page 300; IRDP Support Overview on page 348; Policy-Based Routing Overview on page 351; Disabling IRDP on page 350; Example: Configuring Access Lists (NSM Procedure) on page 299.
  • Page 379: Virtual Systems

    CHAPTER 11 Virtual Systems. You can logically partition a single Juniper Networks security system into multiple virtual systems to provide multi-tenant services. Each virtual system (vsys) is a unique security domain and can have its own administrators (called virtual system administrators or vsys admins) who can individualize their security domain by setting their own address books, user lists, custom services, VPNs, and policies.
  • Page 380: Vsys Limitations Overview

    When setting maximum and reserved limits for resources, keep the following in mind: You cannot set the maximum value higher than the device-dependent global maximum value. For all resources except sessions, you cannot set the maximum value lower than the resources currently being used (actual-use value).
  • Page 381: Example: Configuring Vsys Resource Limits (NSM Procedure)

    Click OK to apply the settings. Related Documentation: Virtual Routers Overview on page 296; Virtual Router General Properties Overview on page 297; Access List Overview on page 298; Policy-Based Routing Overview on page 351.
  • Page 382: Vsys Session Limit Overview

    Configure as follows: For Session Limitation, enter 2500 (Maximum) and 2000 (Reserved). For Alarm, enter 90 (the alarm triggers when 90% of the session maximum is reached). Click OK to apply the settings.
  • Page 383: Vsys CPU Limit Overview

    We recommend verifying that adverse packet dropping does not occur with the chosen weights prior to deployment. With this feature, you can also ensure a fixed CPU weight for the root vsys.
  • Page 384: Example: Configuring CPU Limit (NSM Procedure)

    Related Documentation: Policy-Based Routing Overview on page 351; Vsys DHCP Enhancement Overview on page 355; Vsys Limitations Overview on page 356; Vsys Session Limit Overview on page 358; Example: Configuring Vsys Session Limit (NSM Procedure) on page 358.
  • Page 385: User Authentication

    (VSAs), you can use the zone-verification feature to verify the zones in which a client is a member. Related Documentation: Route Types Overview on page 295; Routing Table Entries Overview on page 305; RIP Overview on page 321; Supported EAP Types on page 362.
  • Page 386: Supported EAP Types

    RIP Overview on page 321; IEEE 802.1x Support Overview on page 361; Creating an NSRP Cluster on page 365; Configuring Active/Passive Cluster on page 366; Example: Configuring Active/Passive Cluster (NSM Procedure) on page 367.
  • Page 387: High Availability

    High availability (HA) provides a way to minimize the potential for device failure within a network. Because all of your network traffic passes through a Juniper Networks security device, you need to remove as many points of failure as possible from your network by ensuring that the device has a backup in case it fails.
  • Page 388 (RTO) mirror group, which maintains the synchronicity of RTOs between a pair of devices. When the primary device fails, the backup becomes the primary device with minimal service downtime by maintaining all current sessions. Copyright © 2010, Juniper Networks, Inc.
  • Page 389: Creating An Nsrp Cluster

    Follow the directions in the Add Device wizard to import or model the cluster member. NOTE: When importing cluster device members, ensure that their device configurations are in sync (errors can occur in the import process if you attempt to import out-of-sync configurations). Copyright © 2010, Juniper Networks, Inc.
  • Page 390: Configuring Active/Passive Cluster

    PPPoE instance to a VSI interface. In the event of failover, this configuration enables the new master to use the same IP and PPPoE connection as the previous master. For details, see “About Configuring PPPoE” on page 135. Copyright © 2010, Juniper Networks, Inc.
  • Page 391: Example: Configuring Active/Passive Cluster (Nsm Procedure)

    Set manage IP addresses for the Trust zone interfaces on both devices. Configure monitoring on ethernet1 and ethernet3 so that loss of network connectivity on either of those ports triggers a device failover. Select automatic synchronization of RTOs. Copyright © 2010, Juniper Networks, Inc.
  • Page 392 Ensure that the zone name is HA, and then click OK to save your changes. Configure the Untrust interface for the cluster: In the cluster navigation tree, select Network > Interface. Double-click ethernet1. The General Properties screen appears. For Zone, select Untrust. Copyright © 2010, Juniper Networks, Inc.
  • Page 393 Click the Add icon to display the new monitor interface dialog box. Select ethernet3, leave the default weight of 255, and click OK to save your changes. Click OK to close the device configuration for Corporate B. Copyright © 2010, Juniper Networks, Inc.
  • Page 394: Active/Active Configurations Overview

    A second active device also guarantees that both devices have functioning network connections. Related Route Types Overview on page 295 Documentation Routing Table Entries Overview on page 305 RIP Overview on page 321 Copyright © 2010, Juniper Networks, Inc.
  • Page 395: Configuring An Active/Active Cluster (Nsm Procedure)

    Synchronizing Virtual Router Configurations and RunTime Objects (NSM Procedure) The virtual router synchronization tasks are as follows: Synchronizing Virtual Router Configurations on page 372 Configuring the Virtual Router Synchronization Settings on page 372 Synchronizing Runtime Objects on page 373 Copyright © 2010, Juniper Networks, Inc.
  • Page 396: Synchronizing Virtual Router Configurations

    ID. The virtual router ID setting is always configured at the local level (cluster member). Click OK to save your changes to the cluster member, and then click OK to save your changes to the cluster. Copyright © 2010, Juniper Networks, Inc.
  • Page 397: Synchronizing Runtime Objects

    In the Device Manager, double-click the cluster to open the cluster configuration. In the cluster navigation tree, select NSRP Directives > Exec Mode. Select the device that will assume a new role, and then click Exec Mode. The Mode Selection dialog box appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 398: Example: Changing Vsd Group Member States (Nsm Procedure)

    Select Office A, and then click Exec Mode. Configure as master (primary) of VSD group 0. Select Office B, and then click Exec Mode. Configure as master (primary) of VSD group 1. Both configurations are shown in Figure 7 on page 375.
  • Page 399: Configuring Nsrp To Detect Interface And Zone Failure

    VSD group can fail over to the backup device or VSD group. To control when the device or VSD group fails over, you configure the device to monitor specific objects.
  • Page 400: Configuring Track Ips

    This threshold, known as the failure threshold, is the sum of the weights of all failed tracked IP addresses required for the tracked IP object to be considered failed. You configure the interface threshold
  • Page 401: Configuring Interface Monitoring

    For example, if the DMZ zone is more important than the trust zone, assign the DMZ zone a higher weight than the trust zone. All interfaces bound to the monitored zone must fail before the device considers the zone down. Specifically:
  • Page 402: Configuring Monitor Threshold

    VSIs, the VSIs must be in different subnets from each other and from the untrust zone VSI at the root level. After creating the VSIs, you must also create VSD groups to contain these VSIs.
  • Page 403: Exporting And Importing Device Configurations (Nsm Procedure)

    ScreenOS. Click Import. A Job Information window appears displaying the status of the import process. Related Documentation: NSRP Clusters Overview on page 363; Creating an NSRP Cluster on page 365.
  • Page 404 Related Documentation (continued): Active/Active Configurations Overview on page 370; Changing VSD Group Member States (NSM Procedure) on page 373.
  • Page 405: Wan, Adsl, Dial, And Wireless

    CHAPTER 14 WAN, ADSL, Dial, and Wireless Juniper Networks wireless devices and systems provide wireless local area network (WLAN) connections with integrated IP Security virtual private network (IPsec VPN) and firewall services for wireless clients, such as telecommuters, branch offices, or retail outlets.
  • Page 406: Configuring General Wireless Settings

    When you first deploy the NetScreen-5GT Wireless device on your network, the radio transmitter/receiver is configured with default settings designed to work in most networking environments. You can edit the default values for the following radio settings:
  • Page 407: Configuring Antennas

    By default, the wireless security device automatically selects the appropriate channel based on the country code. To select a specific channel, in the device navigation tree, select Wireless Settings and change the Channel for Wireless AP Radio setting to Channel
  • Page 408: Configuring Operation Mode Settings

    Use the transmission settings to control the power and rate used by the wireless interfaces. To configure the transmission settings, in the device navigation tree, select Wireless Settings, and then edit the default values for the following settings:
  • Page 409: Configuring Advanced Wireless Settings

    Configuring Aging: The aging interval is the amount of time (in seconds) that a wireless client or bridge remembers an access point after communication with the WAP is lost. To configure the aging setting:
  • Page 410: Configuring Beacons

    Maximum Number of Frames in a Burst—The burst threshold defines the average maximum number of frames a WAP can use to handle wireless traffic before the device begins sending traffic in bursts. When wireless traffic exceeds the specified threshold,
  • Page 411: Configuring Control Frame Protection

    The default is 2346; the accepted range is 256 to 2346. CTS Protection Mode—Enables clear-to-send (CTS) control frame protection, which requires a wireless client to first receive a CTS frame from the WAP before sending data. Select one of the following protection modes:
  • Page 412: Configuring Short Slots

    A short preamble (56 bits) can improve efficiency because the client does not spend time processing the preamble. However, older wireless protocols do not support short preambles. By default, the device does not support long preambles. To enable long preambles for 802.11b packets only:
  • Page 413: Configuring Wireless Mac Access Lists

    Configuring MAC Addresses: You can specify a maximum of 128 MAC addresses. To add an address: In the NSM navigation tree, select Device Manager > Devices. Double-click the device object to open the device configuration.
  • Page 414: Configuring Wireless General Ssid Settings

    A new SSID does not contain default general settings; you must at least configure a name and select a wireless interface for the SSID before the device can handle wireless traffic for that BSS. The general SSID settings are displayed in Table 88 on page 391.
  • Page 415: Configuring Ssid Authentication And Encryption

    Wireless network users store one or more of the same keys on their systems and identify them with the same ID numbers. For details on configuring WEP, see “Configuring Wired Equivalent Privacy” on page 392.
  • Page 416: Configuring Wired Equivalent Privacy

    WEP key: None or Local—The key is stored on the security device. This is the default key source when None is selected. When enabled, you must configure a default WEP key on the security device.
  • Page 417: Configuring Wep Keys

    When clients use static WEP keys stored locally on the security device, the device uses the default key to encrypt all transmitted wireless traffic. Clients must also have the default key loaded to decrypt traffic from the device.
  • Page 418 (RADIUS dynamically creates and distributes a different key per session for each wireless client). An encryption key length specifies the length of the key in bits. Juniper Networks supports two WEP key lengths: 40 and 104 bits. Because the keys are concatenated with a 24-bit initialization vector (IV), the resulting lengths are 64 and 128 bits.
  • Page 419: Using Wi-Fi Protected Access

    Passphrase—When enabled, you must configure a passphrase (8-63 ASCII characters) that permits access to the SSID. PSK—When enabled, you must enter a pre-shared key (256-bit/64-character hexadecimal) that permits access to the SSID.
  • Page 420: Reactivating Wireless Connections

    Previously connected wireless clients must reconnect to reestablish their disrupted sessions. Related Documentation: Virtual Routers Overview on page 296; Configuring General Wireless Settings on page 382; Configuring Advanced Wireless Settings on page 385.
  • Page 421: Conducting A Site Survey For Detecting Access Points

    8G2-G4, and 2XGE-G4. These rods need to use M3A-Management_Module, which is a special image for NetScreen 5000 line devices. Also, the ISG 1000 and ISG 2000 running ScreenOS 6.1 or later support a new 10Gb interface slot that large enterprise and service provider customers require.
  • Page 422: Slot Information In Security Devices

    Digital signal level 3 (DS3) PIMs on SSG devices contain one physical DS3 as DS3) port with integrated DSU. This port provides physical connection to T3 network media types at a bit rate of 44.736 Mbps.
  • Page 423: Interface Modules (Copper)

    NetScreen 5000 line. These modules are based on either the GigaScreen-II or Jupiter-II ASIC. SPMs handle packets as they enter and exit the system, providing packet parsing, classification, and flow-level processing. SPMs also provide encryption, decryption,
  • Page 424: Chassis Information Overview

    Related Documentation: Conducting a Site Survey for Detecting Access Points on page 397. Chassis Information Overview: For ISG series security devices, you can view read-only information about the modules installed in the chassis of the device. By default, the chassis includes a management module.
  • Page 425: Overview

    RADIUS server. After successfully authenticating a client, the RADIUS server sends an encryption key to the client and the security device. From that point, the security device manages the
  • Page 426: Configuring Wi-Fi Protected Access (Nsm Procedure)

    In the main navigation tree, select Wireless > SSID. Select New and configure the following settings: For Name, enter my-ssid. For Wireless Interface, select wireless 2. For Authentication/Encryption, select WPA2. For Select Encryption Method, select Auto.
  • Page 427: Super G Methods Overview

    By default, this feature is disabled. If wireless clients do not support Super G and the security device has Super G enabled, they can still connect to the wireless network, but the Super G feature is not available.
  • Page 428: Configuring Atheros Xr (Nsm Procedure)

    Select XR Support. If the security device has more than one radio, make the selection for the radio you want. Click OK to apply the settings. In the main navigation tree, select Wireless > SSID. Select New and configure the following settings:
  • Page 429 Related Documentation: WPA2, Extended Range and SuperG Support on NetScreen5GT Wireless Overview on page 401; Super G Methods Overview on page 403; Reactivating Wireless Connections on page 396; Conducting a Site Survey for Detecting Access Points on page 397.
  • Page 431: General Packet Radio Service

    Implementing Internet Protocol Security (IPsec) for connections between roaming partners, setting traffic rate limits, and using stateful inspection can eliminate a majority of the GTP’s security risks. Juniper Networks security devices mitigate a wide variety of attacks on the Gp, Gn, and Gi interfaces.
  • Page 432: Radio Access Technology

    This IE is also useful in reports generated from the GGSN, AAA, and/or Wireless Application Protocol gateway (WAP). The GTP-aware security
  • Page 433: Configuring Access Point Name Restriction (Nsm Procedure)

    Click New and specify the following: For APN, enter access point name mobiphone.com.mnc123.mcc456.gprs. For Selection Mode, select Mobile Station, Network, Verified. For MCC-MNC (Mobile Country Code-Mobile Network Code), select MCC-MNC and enter 246565. Click OK to apply the settings.
  • Page 434: Dhcp Relay Overview

    DHCP allocation status reports because the remote DHCP server controls all the IP address allocations. Related Documentation: Route Types Overview on page 295; 3GPP R6 Information Elements Support Overview on page 407.
  • Page 435: Index

    PART 2 Index: Index on page 413.
  • Page 437: Index

    WAP, 385; burst settings on WAP, 386; aging, configuring on device, 128; ALG, 286; configuring on device, 120; CA certificates, configuring on device, 272; SIP, 281; certificates; ALGs, configuring, 28; certificate request, 269; american encryption standard, See AES; configuring on device, 267.
  • Page 438 CLI management, SSH and Telnet ports, 156; virtual routers, 294, 361, 401; configuring HTTP, 161; device NSRP options; configuring SSL, 162; about, 363; date/time, 163; active/active, 370; device admins, authentication method, 151; master/backup, 373; device admins, passwords, 152; synchronizing, 371; device admins, privilege levels, 150.
  • Page 439 MIP traffic, about, 313; using, 126; BGP, 327; OSPF, 313; RIP, 321; ICMP path MTU discovery, 123; Ident-Reset, enabling access on device interface, 57; ECMP routes, configuring maximum on virtual router, 297; IGMP, 338; IGMP proxy, 339; email notification, configuring on device, 169.
  • Page 440 Network Time Protocol (NTP), 164; log severity; next-hop, configuring on virtual router, 298; configuring on device, 169; NSGP; Log Viewer; about, 131; about, 14; enabling access on device interface, 57; overbilling, 131.
  • Page 441 (NSSA), 316; reporting options on device; open shortest path first, 313; email notification, 169; reduce LSA flooding, 318; messages and destinations, 169; stub area, 316; SNMP, 169; overbilling, 131; overlapping subnets, ignoring on virtual router, 298; syslog, 169; WebTrends, 170; reset hardware (device), 157.
  • Page 442 RTS/CTS settings, 387; ALG, 286; attack protection, 117; defined, 281; SCEP, 277; destination IP server protection, 117; incoming DIP for, 73; using for SSH, 158; INVITE messages, 117; searching in UI; messages, 281; about, 22; multimedia sessions, 281; secondary banner, 160; request methods, 282; secondary IP, configuring in device, 61.
  • Page 443 361, 401; access lists, 298; configuring for vsys, 251; TCP MSS option, 127; configuring on device, 296; TCP MSS, all option, 127.
  • Page 444 Web management, configuring on device, 161; zone; Web UI, enabling access on device interface, 56; adding on device, 39; WebAuth; configuring for vsys, 251; banners, 166; configuring on device, 39; WebTrends reporting, configuring on device, 170; WEP keys on WAP, 393; WEP settings on WAP, 392.
