Summary of Contents for NetScreen Technologies 10

  • Page 1 NetScreen Installer's Guide (cover page; the version, part number and revision lines are not legible)...
  • Page 2 1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. (“NetScreen”). The term “Firmware” includes all NetScreen... [second column:] ...other countries. Hyperterminal is a registered trademark of Hilgraeve Corporation. All other brands and their products...
  • Page 3 WARRANTY BY NETSCREEN WITH RESPECT TO THE PRODUCT. The warranties set forth above shall not apply to any Product or Hardware which has been modified, repaired or... [second column:] ...computer Firmware license Supplement and its successors. 10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.
  • Page 5 Table of Contents: Manual Organization vii; Related Publications x; Chapter 1 Hardware Description; Chapter 2 Connecting the NetScreen to the Network; Gathering the Necessary Tools; Connecting the NetScreen as a Single Security Appliance; Connecting the NetScreen for High Availability; Chapter 3 Initial Configuration; Configuring via the WebUI...
  • Page 6 General Site Requirements A-; Onsite Precautions A-; Equipment Rack Mounting Guidelines A-; BSMI Labeling Requirement A-; Appendix B DC Power Supply B-; Connecting to DC Power Supply Cables B-; Index IX- (page numbers not legible)...
  • Page 7 Chapter 2, Connecting the NetScreen-10/100 to the Network, explains how to connect the NetScreen-10/100 to the network as a standalone unit or, with two or more NetScreen-100 devices, for High Availability (HA). Chapter 3, Initial Configuration, explains how to configure the NetScreen-10/100 with a network using both the command line interface (CLI) and the web user interface (WebUI).
  • Page 8 These pages generally contain links to dialog boxes through links such as New Policy, New Manual Key User, New Entry, Edit, and so forth. (Figure callouts: Menu column, categories, Links, The NetScreen-10/100 Central Display Area)...
  • Page 9 Down Arrow Key • To see the next available keyword or input, and a brief description of usage, type a question mark (?). • The console times out and the connection is broken if no keyboard activity is detected for 10 minutes. Items you enter into the system are in bold text...
  • Page 10 This technical publication is shipped with the NetScreen-100 device. NetScreen-100 Getting Started Guide (P/N 093-0019-000, Rev. C) This technical publication is shipped with the NetScreen-10 device: NetScreen-10 Getting Started Guide (P/N 093-0018-000, Rev. C) The following publications are included on the product CD for both devices: NetScreen CLI Reference Guide (P/N 093-0011-000, Rev.
  • Page 11 This chapter provides illustrations and descriptions of the NetScreen-10 and NetScreen-100 front and back panels. A front view of the NetScreen-10 or NetScreen-100 is shown below. The label on the left side indicates the model name: NetScreen-10 or NetScreen-100. Figure 1-1 Front Panel of the NetScreen-10 or -100 These items are located on the front panel of the NetScreen-10/100: •...
  • Page 12 LEDs. The left LED indicates network traffic activity and the right LED indicates if the link is up (connected to an active device). These LEDs differ for the NetScreen-10 and NetScreen-100. See Figure 1-2. Figure 1-2 Ethernet LEDs...
  • Page 13 Note: Certain export restrictions apply to international customers. Check with your sales representative. • Power Outlet: Use the outlet to connect power to the NetScreen-10/100 with the supplied power cable. Note: Figure 1-3 does not show a NetScreen-10/100 equipped with a DC power supply.
  • Page 15 Connecting the NetScreen to the Network. Follow the instructions in this chapter to connect the NetScreen-10/100 device to the network and to configure the software for the first time. For further configuration options, see the NetScreen Concepts & Examples ScreenOS Reference Guide on the product CD.
  • Page 16 IP address (192.168.1.1), you might encounter IP address conflicts. To set up the NetScreen-10/100 network connections, follow these steps: 1. Install the NetScreen-10/100 in a rack (optional) or on a level surface. 2. Make sure that the power connection to the NetScreen-10/100 is turned off;...
  • Page 17 8‚rp‡vtÇurÃIr‡Tp…rr  Ãh†ÃhÃTvtyrÃTrpˆ…v‡’Ã6ƒƒyvhpr '0= SRUW 7UXVWHG SRUW 8QWUXVWHG SRUW FURVVRYHU FDEOH Figure 2-1 Sample Configuration with a Router Connected to the Untrusted Port, Local Area Network (LAN) Connected to the Trusted Port D†‡hyyr…·†ÃBˆvqr !" ÃÃÃ...
  • Page 18 8uhƒ‡r…Ã!Ã8‚rp‡vtÇurÃIr‡Tp…rr  Ç‚ÇurÃIr‡‚…x To use the DMZ, connect a crossover cable from the DMZ port on the NetScreen-10/100 to the switch linking the machines in the DMZ to the DMZ interface. See Figure 2-2 for an example of this configuration.
  • Page 19 8‚rp‡vtÇurÃIr‡Tp…rr Ãs‚…ÃCvtuÃ6‰hvyhivyv‡’ &  211(&7,1* 7+( &5((1 9$,/$%,/,7< High Availability (HA) is an option for NetScreen-100 devices that provides protection against device failures in networks with two or more devices. If one unit fails, the second unit can assume its functions with no service or traffic interruption.
  • Page 20 8uhƒ‡r…Ã!Ã8‚rp‡vtÇurÃIr‡Tp…rr  Ç‚ÇurÃIr‡‚…x Table 2-1 Typical NetScreen-10/100 Cable Connections. For a device connected to: Untrusted Port (DTE) Trusted Port (DCE) Workstation (DTE) crossover straight-through Switch/Hub (DCE) straight-through crossover § Router (DTE) crossover straight-through An Untrusted Ethernet port is not technically a DTE, but for cabling purposes should be treated as such.
  • Page 21 8uhƒ‡r…Ã" ,QLWLDO &RQILJXUDWLRQ The NetScreen-10/100 device supports three operational modes: Transparent mode, NAT (Network Address Translation) mode, and Route mode. 7UDQVSDUHQW 0RGH In Transparent mode, the NetScreen device inspects packets traversing the firewall without modifying any of the source or destination information in the IP packet header.
  • Page 22 Access Policy that permits outgoing traffic. Incoming traffic is denied by default; therefore, no incoming Access Policy must be set expressly to deny it. Note: For instructions on configuring the NS-10/100 for NAT or Route mode, see the NetScreen Concepts and Examples ScreenOS Reference Guide.
  • Page 23 The following sections detail the procedures for administration of the NetScreen- 10/100 device from the administrator’s workstation. Note: The NetScreen-10/100 ships from the factory with the IP address set to 192.168.1.1. Refer to Table 3-1 for administration requirements. For further information regarding levels of administration, see the NetScreen Concepts and Examples ScreenOS Guide.
  • Page 24 Figure 3-1 Enter Network Password Dialog Box 5. In the dialog box, type netscreen for both the Username and Password, and then click OK. Note: The Username and Password are case-sensitive. After configuring the NetScreen device for the first time, change the default Username and Password as described in “Changing the Administrator Login Name and Password”...
  • Page 25 NetScreen-10/100, and then click OK. Note: Check the Synchronize system clock with this client checkbox to synchronize the NetScreen-10/100 clock with the clock in the administrator’s workstation. The IP address must be a valid and available IP address on your local network and the subnet mask must be an appropriate value for your local network.
  • Page 26 Figure 3-4 Access Policies Page. Setting Interface Addresses. The NetScreen-10/100 has a Trusted interface, an Untrusted interface, and a DMZ interface. These are physical interfaces used for channeling network user traffic. To configure the NetScreen-10/100 device for Network Address Translation (NAT) mode or Route mode, you must configure the Trusted, Untrusted, and DMZ (if used) interfaces.
  • Page 27 IP Address: Type an IP address for the Trusted interface. • Netmask: Type an appropriate netmask. • Default Gateway: Type the IP address of the router (if there is one) that exists between the Trusted network and the NetScreen-10/100...
  • Page 28 2. For the Untrusted Interface Configuration, select one of the following and click Save and Reset: Obtain IP using DHCP (Dynamic Host Configuration Protocol) (NetScreen-10 only) Static IP, and enter the following (NetScreen-10 only): • IP Address: Enter the Untrusted IP address. •...
  • Page 29 DMZ Interface Configuration 1. If you plan to use the DMZ interface to add another security domain, click the DMZ tab, and then click Edit to open the DMZ Interface Configuration dialog box. Figure 3-7 DMZ Interface Configuration 2. Enter the following, and then click Save and Reset: •...
  • Page 30 Allowing Outbound Traffic. By default, the NetScreen-10/100 does not allow inbound or outbound traffic. To permit outbound traffic to traverse the firewall, create an outgoing Access Policy. 1. On the Outgoing Access Policies page, click the New Policy link in the lower left corner of the page.
  • Page 31 – Destination Address: Outside Any (Outside Any is a predefined address for all locations on the Untrusted network, usually the Internet.) – Service: Any (Any is a predefined value for any IP service.) – Action: Permit (Allows the traffic defined by the Access Policy to traverse the firewall.) –...
  • Page 32 2. Select the Local Administrator Name field, and click Edit under the Options menu. The Admin User Configuration Menu appears, as in Figure 3-10. Figure 3-10 Admin User Configuration Menu 3. Type a new Admin Login Name. Note: The login username and Password must be alphanumeric, and are case-sensitive.
  • Page 33 The browser should be able to locate the site and access the available Web pages. If the browser cannot access the Web site, check the following: • Link lights on the NetScreen-10/100, workstations, hubs, and the router are glowing. • The workstation IP and Netmask have the correct settings.
  • Page 34 Configuring High Availability via the WebUI. Before you can configure two NetScreen-100 devices in a redundant group for high availability (HA), you must cable them together and assign one device as the master unit and one as the slave. The master performs all firewall, VPN, and traffic management functions, while the slave waits to take over should the master unit fail.
  • Page 35 Configuring the Master Unit 1. To configure the Master Unit, in the Interface menu, select Trusted, Untrusted, or Mgt and then click Edit. The menu appears, as in Figure 3-12 on page 15: Figure 3-12 Master Unit Interface Configuration 2.
  • Page 36 Making a Connection. You can access the NetScreen-10/100 either by connecting directly via a console (or serial) cable to the NetScreen-10/100 console port, or you can create a network connection via Telnet. Connection instructions are offered for both methods. Connecting via the Console Port...
  • Page 37 • An Ethernet connection to the NetScreen device Before you begin, be sure you connected the NetScreen device hardware to the network as outlined in “Connecting the NetScreen-10/100 as a Single Security Appliance” on page 2-2. 1. Establish a Telnet connection to the NetScreen device.
  • Page 38 The NetScreen-10/100 ships from the factory with a default IP address of 192.168.1.1. To administer the NetScreen device over a network connection, you must change this IP address. To change this to an address on the same subnet as the other network devices to which the NetScreen-10/100 is connected, enter the following command, substituting your system IP address for <a.b.c.d>:...
  • Page 39 Guide. Testing the Configuration. From a workstation on the Trusted side of the NetScreen-10/100, use a Web browser to access an external Web site (for example, www.netscreen.com). The browser should be able to locate the site and access the available Web pages.
  • Page 40 Slave Unit 1. ns-> set interface {trust | untrust | dmz} manage-ip <a.b.c.d> 2. ns-> set ha group <same_number_as_master> 3. ns-> set ha priority <larger_number_than_master> 4. ns-> save config ha-master 5. ns-> reset Configuration modified, save? y/[n] (Type n.) System reset, are you sure? y/[n] (Type y.)...
  • Page 41 Warnings. Make sure that you adhere to the following set of safety warnings. Installation Warning. Caution: Read the cabling instructions before connecting the NetScreen-10/100 to its power source. Power Disconnection Warning. Warning: Before working on a device that has an On/Off switch, turn OFF the power and unplug the power cord.
  • Page 42 SELV Circuit Warning. Warning: The Ethernet 10BaseT, 100BaseT, serial, console, and auxiliary ports contain safety extra-low voltage (SELV) circuits. Do not connect the NetScreen-10/100 to a telephone line or any Telco line (e.g., T-1, T-3, RJ-48 lines). Lightning Activity Warning...
  • Page 43 0-12,000 feet, 0-3,660 meters. Onsite Precautions. You can place the NetScreen-10/100 on a desktop or mounted in a rack. The location of the chassis and the layout of your equipment rack or wiring room are extremely important for proper system operation. Equipment placed too close...
  • Page 44 When planning your site layout and equipment locations, follow the precautions described below to help avoid equipment failures and reduce the possibility of environmentally caused shutdowns. If you are experiencing shutdowns or unusually high errors with your existing equipment, these precautions may help you isolate the cause of the failures and prevent future problems.
  • Page 45 BSMI Labeling Requirement. The Bureau of Standards Metrology and Inspection (BSMI) is an agency of the government of China (Taiwan), which requires the following label on technological equipment:...
  • Page 47 The figure below shows the DC terminal block, with two -48V DC feeds connected. The NetScreen-10/100 can operate on either one feed alone or with two feeds in use. The block is located on the back of the chassis.
  • Page 49 Dqr‘ ,QGH[ conventions 1-ix Access Policies outgoing 3-2 Administration requirements 3-2 Data circuit-terminating equipment See DCE Data Communications Equipment 2-5 Data Terminal Equipment Back panel 1-1 See DTE BSMI labeling requirement A-5 DB25 serial port connector 1-2 DCE 2-2 & Default Cables administrator login 3-11...
  • Page 50 2-1 Requirements administration 3-2 NAT 3-6 general site A-3 NAT mode 3-1 3-17 workstation 3-2 NetScreen-10/100 Reset 3-13 connecting 2-2 Route mode 3-1 Network Address Translation (NAT) 3-6 Router 2-6 3-19 Network address translation mode See NAT mode DY! Ir‡Tp…rr  ...
  • Page 51 Dqr‘ Safety A-1 Untrusted port 2-2 guidelines A-1 Username recommendations A-1 initial use 3-4 Sample configuration 2-3 Site requirements A-3 Ventilation A-3 TCP/IP 3-2 Telnet 3-17 Web browser Terminal emulator 3-2 requirements 3-2 Transparent mode 3-1 WebUI 3-2 Trusted port 2-2 Workstation requirements 3-2 D†‡hyyr…·†ÃBˆvqr DY"...
  • Page 52 DY# Ir‡Tp…rr   ÃÃÃ...

This manual is also suitable for:

100