ISG 2000
User's Guide
ScreenOS 5.0.0-IDP1
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 093-1524-000, Rev. A

Summary of Contents for Juniper ISG 2000

  • Page 1 ISG 2000 User’s Guide ScreenOS 5.0.0-IDP1 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 093-1524-000, Rev. A...
  • Page 2 NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-IDP 1000, IDP 50, IDP 200, IDP 600, IDP 1100, ISG 1000, ISG 2000, NetScreen-Global Pro Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, GigaScreen ASIC, GigaScreen-II ASIC, NMC-RX, SDX, Stateful Signature, T320, T640, and T-series.
  • Page 3: Table Of Contents

    About This Guide Content Summary................... vi CLI Conventions....................vi Terminology....................vii IDP Requirements and Documentation............viii ISG 2000 Upgrade .................. viii IDP Configuration through NetScreen-Security Manager......viii NetScreen Product Documentation Guide ............ix Technical Support .................... x Chapter 1 Configuring Before Beginning....................
  • Page 4 ISG 2000 User’s Guide Chapter 2 Installing Connecting the Device to a Network ..............24 Equipment Rack Mounting................26 Equipment Rack Installation Guidelines...........26 Equipment Rack Accessories and Required Tools ........26 Rear-and-Front Mount ................27 Mid-Mount ....................28 Chapter 3 Hardware and Servicing The Front Panel .....................30 LED Dashboard ..................32...
  • Page 5: About This Guide

    About This Guide This guide describes how to install, configure, and service the ISG 2000. It presents an example of a basic installation and configuration that secures resources in the Trust and DMZ security zones, sets up a MGT zone for device administrators, and defines a route-based VPN tunnel between the ISG 2000 and a remote peer (see Figure 1).
  • Page 6: Content Summary

    This guide contains the following chapters and appendix: Chapter 1, “Configuring” provides instructions for making a console connection to the ISG 2000, logging in, and performing a basic yet complete firewall and VPN configuration. Chapter 2, “Installing” provides instructions for cabling the ISG 2000 to the network, mounting the device in a rack, and connecting the power supplies.
  • Page 7: Terminology

    VPN tunnel bound to a tunnel interface to which a route points Route mode an operational mode for Layer 3 interfaces that routes IP packets through the ISG 2000 without modifying the packet header content security zone a collection of one or more network segments requiring the...
  • Page 8: Idp Requirements And Documentation

    NetScreen-Security Manager to configure IDP on the device. ISG 2000 Upgrade To run IDP on the ISG 2000, you must set up the device as follows: Upgrade the OS loader to v.1.1.5 or later. Load the following license keys and firmware:...
  • Page 9: Netscreen Product Documentation Guide

    ScreenOS NetScreen-Remote VPN client Intrusion Detection and Prevention (IDP) Another resource is the WebUI Help. When logged in to the ISG 2000 through the WebUI, click the Help button to learn more about ScreenOS features: Figure 3: WebUI Help You can access context-sensitive Help by clicking the Help button in the upper right corner of the WebUI …...
  • Page 10: Technical Support

    NOTE: You need the serial number of the ISG 2000 to complete the account setup and device registration. After you have a customer account, you can create and submit technical support cases for any product under warranty or with a valid support contract.
  • Page 11: Configuring

    Chapter 1 Configuring This chapter describes how to make a console connection to the ISG 2000, log in, and perform a basic configuration. Table 1: Important Default Configuration Settings Default MGT IP address: 192.168.1.1/24 Default ethernet IP addresses: 0.0.0.0/0 Default username: netscreen...
  • Page 12: Before Beginning

    1. Consider the network topology and the resources that you want to protect so that you can decide where to put the ISG 2000. You want to make sure that all traffic on which you want to enforce policies flows through the device. (A typical network topology showing where to put the ISG 2000 is shown in Figure 1 on page v, and on Figure 5 on page 4.)
  • Page 13: Console Connection And Login

    ISG 2000 and run a vt100 terminal emulator program. 1. Connect the power cable to the ISG 2000 and turn on the power. 2. Connect the female end of the supplied DB-9 adapter to the serial port (or Com port) of your workstation.
  • Page 14: Basic Configuration

    ISG 2000 User’s Guide Basic Configuration The following sections contain the CLI commands for setting up the ISG 2000 as a firewall and VPN termination point for the network shown in Figure 5. By entering these commands, you can perform a basic configuration of the ISG 2000 so that it can perform firewall and VPN functions.
  • Page 15: System Clock And Console Timeout

    You can also change the timeout value for an idle console connection. By default, the ISG 2000 automatically closes a console connection if it is idle for 10 minutes. You can change this to a higher or lower interval, or disable the timeout completely.
  • Page 16: Security Zones And Interfaces

    ISG 2000 Security Zone The ISG 2000 ships with seven predefined security zones—including the Global zone, which is used mainly for holding mapped IP (MIP) and virtual IP (VIP) addresses. For information on all zone types and their uses, see the Fundamentals volume in the NetScreen Concepts &...
  • Page 17 The example in this guide uses the three predefined Layer 3 security zones. Figure 7: Trust, DMZ, and Untrust Security Zones Untrust Zone This zone typically contains the public network that the NetScreen-ISG 2000 protects against. DMZ Zone This zone typically contains...
  • Page 18: Binding Interfaces To Zones

    ISG 2000 User’s Guide Binding Interfaces to Zones The ISG 2000 supports different types of interface modules in four interface module bays. The leftmost interface in the module in the upper left bay is ethernet1/1. The interface to the right of ethernet1/1 is ethernet1/2. If there are more interfaces in that module, they are numbered ethernet1/3, ethernet1/4, and so on.
  • Page 19: Interface Modes

    Trust Zone Interface Modes An ISG 2000 security zone interface can operate in one of three modes: NAT mode, Route mode, or Transparent mode. NAT mode and Route mode operate at the Network Layer (Layer 3) in the OSI Model. Transparent mode operates at the Data Link Layer (Layer 2).
  • Page 20: Configuring Interfaces

    By default, no ISG 2000 security zone interfaces have IP addresses and all are in the Null zone. The Null zone is a function zone that holds interfaces until you bind them to a security zone.
  • Page 21: Dmz Interface

    ISG 2000 uses network address translation (NAT) to translate their private addresses to a public address in the IP packet header. In our example, the ISG 2000 translates the private addresses to the address of the Untrust zone interface. Use the following commands: set interface ethernet2/1 ip 10.1.1.1/24...
  • Page 22: Dns And Default Route

    2.2.2.6 save When the ISG 2000 receives a static IP address, the ISP also provides the IP address of the default gateway to which the ISG 2000 sends traffic destined for addresses for which there are no specific routes. It is important that the ISG 2000 has a default route pointing to this gateway.
  • Page 23: Policies

    Chapter 1: Configuring Policies By default, the ISG 2000 does not allow any traffic between zones. To permit traffic to cross the firewall, you must create a policy that specifically permits one or more services to pass from hosts in one zone to hosts in another zone. Because the ISG 2000 performs stateful inspection, you do not need to define a policy to permit return traffic.
  • Page 24 7 from untrust to dmz any mail-relay mail permit log count save The keyword log instructs the ISG 2000 to create entries in its traffic log for all traffic to which the policy applies. The keyword “count” instructs the ISG 2000 to keep a running tally of the number of bytes to which the policy applies.
  • Page 25: Intrusion Detection And Protection

    ISG 2000 on the network so that NetScreen-Security Manager can connect to it. At a minimum, you need to configure the following on the ISG 2000: Set an IP address for the interface through which NetScreen-Security Manager can connect to the ISG 2000.
  • Page 26: Ipsec Vpn

    ISG 2000 User’s Guide IPSec VPN This section presents a configuration for a route-based VPN tunnel between the ISG 2000 and a remote peer with a dynamically assigned IP address. The NetScreen device at the remote peer site is a NetScreen-5GT in Trust-Untrust mode. Because it receives its address dynamically through PPPoE or DHCP, Phase 1 negotiations must be in aggressive mode.
  • Page 27: Isg 2000

    Define the security level for Phase 1 proposals as “Compatible”. This set includes the following four Phase 1 proposals, each of which has a lifetime of 28,800 seconds (or 8 hours). When the lifetime expires, the ISG 2000 renegotiates Phase 1 with its peer.
  • Page 28: Remote Peer

    If the route through tunnel.1 becomes unavailable, the ISG 2000 then uses the null route, sending traffic for the remote peer to the null interface, which effectively drops it. If tunnel.1 goes down, the route associated with it becomes inactive.
  • Page 29: Summary Of Cli Commands

    Chapter 1: Configuring Summary of CLI Commands The following sets of commands include all the CLI commands used in the example configuration featured in the previous sections in this chapter. The section in which each type of command is described is also provided. CLI Commands –...
  • Page 30: Cli Commands - Example Route-Based Vpn Configuration

    ISG 2000 User’s Guide CLI Commands – Example Route-Based VPN Configuration ISG 2000 Commands Description set interface tunnel.1 zone untrust “ISG 2000” on page 17 set interface tunnel.1 ip unnumbered interface ethernet2/1 set address trust local 10.1.1.0/24 set address untrust peer1 10.2.2.0/24 set ike gateway peer1 dynamic peer1@jnpr.net...
  • Page 31: Returning The Device To Factory Default Settings

    Chapter 1: Configuring Returning the Device to Factory Default Settings If you want to return the ISG 2000 to its default settings, you can do either of the following, depending on whether or not you are logged in: If you are logged in, you can enter the following sequence of commands: unset all The following prompt appears: “Erase all system config, are you sure y / [n]?”...
  • Page 32 ISG 2000 User’s Guide Returning the Device to Factory Default Settings...
  • Page 33: Installing

    Chapter 2 Installing This chapter describes how to cable the ISG 2000 to the network and install it in an equipment rack. Topics in this chapter include: “Connecting the Device to a Network” on page 24 “Equipment Rack Mounting” on page 26 “Equipment Rack Installation Guidelines”...
  • Page 34: Connecting The Device To A Network

    ISG 2000 User’s Guide Connecting the Device to a Network The ISG 2000 has four interface module bays, which can contain the following types of modules: 10/100 Mbps interface module, for 10/100 Base-T connections (4 and 8 ports) 10/100/1000 Mbps interface module, for 10/100/1000 Base-T connections (2...
  • Page 35 6. Connect an RJ-45 or gigabit ethernet cable from the ethernet2/1 port to a hub or Layer 2 switch in the Trust zone. 7. Connect an RJ-45 ethernet cable from the MGT interface on the ISG 2000 to a hub or Layer 2 switch that leads to the administrators’ workstations.
  • Page 36: Equipment Rack Mounting

    ISG 2000 User’s Guide Equipment Rack Mounting The ISG 2000 comes with accessories for mounting the device in a standard 19-inch equipment rack. Equipment Rack Installation Guidelines The location of the chassis, the layout of the equipment rack, and the security of your wiring room are crucial for proper system operation.
  • Page 37: Rear-And-Front Mount

    Chapter 2: Installing Rear-and-Front Mount To mount the ISG 2000 with support from the rear and front, use the rear slide mount kit. 1. Screw the left and right brackets to the front of each side of the ISG 2000 chassis.
  • Page 38: Mid-Mount

    Mid-Mount To mid-mount the ISG 2000: 1. Screw the left and right brackets to the middle of each side of the ISG 2000 chassis. 2. Position the ISG 2000 in the rack, and screw the left and right brackets to the left and right rack posts.
  • Page 39: Chapter 3 Hardware And Servicing

    NOTE: IDP requires the installation of at least one security module, an advanced license key, and an IDP license key. To configure IDP on the ISG 2000, you must use NetScreen-Security Manager. The ISG 2000 is built around a custom, fourth-generation purpose-built GigaScreen ASIC, which provides accelerated encryption algorithms.
  • Page 40: The Front Panel

    The front panel of the ISG 2000 has the following components: Interface Modules The front of the ISG 2000 has four interface module bays. Each interface module has two, four, or eight ports, and each port has a pair of LEDs.
  • Page 41 Connect the ports using a twisted pair cable with RJ-45 connectors. (See “Connecting the Device to a Network” on page 24 for cabling guidelines.) The ISG 2000 supports a maximum port count of 28. If there is an 8-port 10/100 interface module in each bay, then ports five through eight on the module in bay 4 are disabled.
  • Page 42: Led Dashboard

    ISG 2000 User’s Guide LED Dashboard The LED dashboard displays up-to-date information about critical ISG 2000 functions. The following table shows the LEDs in the dashboard: Purpose Color Meaning POWER Power Supply Green Power supply is functioning correctly. System is not receiving power.
  • Page 43: The Rear Panel

    Chapter 3: Hardware and Servicing When you turn on the ISG 2000, the Status LED changes from off to blinking green. Startup takes around 90 seconds to complete. If you want to restart the ISG 2000, wait a few seconds between shutting it down and powering it back up.
  • Page 44: Removing Interface Modules

    ISG 2000 User’s Guide Removing Interface Modules To remove an interface module from a bay: WARNING: When inserting or removing interface modules, be sure that the power is off. Interface modules are not hot swappable. 1. Loosen the thumbscrews on each side of the interface module by turning them counterclockwise.
  • Page 45: Inserting Interface Modules

    Chapter 3: Hardware and Servicing Inserting Interface Modules To insert an interface module into a module bay, perform the following steps: WARNING: When inserting or removing interface modules, be sure that the power is off. Interface modules are not hot swappable. 1.
  • Page 46: Connecting And Disconnecting Gigabit Ethernet Cables

    ISG 2000 User’s Guide 3. With your thumbs, push in the locking levers to secure the module. Figure 20: Locking the Interface Module in Place Swivel levers inward. If you push in the levers before they contact the ridge on the bay wall,...
  • Page 47 Chapter 3: Hardware and Servicing To remove the cable from the transceiver port: 1. Make sure the transceiver latch is in a secured locked position (the latch is flat against the front of the transceiver). Otherwise, when you attempt to remove the cable, the transceiver might come out with the cable still attached.
  • Page 48: Replacing A Mini-Gbic Transceiver

    ISG 2000 User’s Guide Replacing a Mini-GBIC Transceiver To remove a mini-GBIC transceiver from an interface module: 1. Push in the transceiver release latch (located on the underside of the transceiver) until it locks into place, disengaging the transceiver. Figure 24: Disengaging the Transceiver...
  • Page 49: Replacing Power Supplies

    The power supplies are hot-swappable, so you can remove or replace one power supply without interrupting device operation. You can order the ISG 2000 with one or two power supplies: DC and AC. Although the ISG 2000 can run with one power supply, it is advisable to install two. This practice minimizes the chance of system failure due to an individual power supply failure.
  • Page 50 8. Connect the power cord to a standard 100-240-volt power outlet. NOTE: Whenever you deploy two power supplies to an ISG 2000, connect each to a different power source. Each power supply is intended to receive power from separate feeds.
  • Page 51: Replacing Dc Power Supplies

    Chapter 3: Hardware and Servicing Replacing DC Power Supplies A DC power supply weighs about three pounds. The faceplate contains a power LED, a power switch, a cooling fan vent, a DC power terminal block with three connectors, a handle, two thumbscrews, and a grounding screw. Figure 28: DC Power Supply WARNING: You must shut off current to the DC feed wires before connecting the...
  • Page 52 ISG 2000 User’s Guide 2. Place the ground lug on the grounding screw, and tighten the hex nut by rotating it clockwise until it holds firmly. Figure 30: Adding the Ground Lug 3. Connect the other end of the grounding wire to a grounding point at your site.
  • Page 53 Chapter 3: Hardware and Servicing 2. Insert a 0V DC (positive voltage) return wire into the center COM connector and a -48V DC power feed wire into either the left or right connector. Figure 32: Wiring Power Feeds to the Terminal Block Terminal Block Grounding Screw Grounding...
  • Page 54: Replacing The Fan Tray

    NOTE: During the one-year warranty period, you can obtain a replacement fan tray by contacting Juniper Networks Technical Support. After the warranty period, contact the Juniper Networks Sales department. You only need to replace the fan tray when a failure occurs. When this happens, the Fan LED glows red, and the device generates an event alarm and an SNMP trap.
  • Page 55: Replacing The Fan Tray Filter

    Chapter 3: Hardware and Servicing 3. Insert the new fan tray in the fan bay, and then push it straight in. 4. Secure the fan tray in place by pushing the release lever flat against the front panel, and turning the lock counterclockwise to the Lock position. Replacing the Fan Tray Filter Before you replace the fan tray filter, make sure you have the following tools: Flashlight or other light source...
  • Page 56 ISG 2000 User’s Guide Replacing the Fan Tray...
  • Page 57: Appendix A Specifications

    Appendix A Specifications This appendix provides general system specifications for the NetScreen-ISG 2000. It contains the following sections: “ISG 2000 Attributes” on page 47 “Electrical Specifications” on page 47 “Environmental Specifications” on page 48 “NEBS Certifications” on page 48 “Safety Certifications” on page 48 “EMI Certifications”...
  • Page 58: Environmental Specifications

    Humidity 10 - 90% RH, non-condensing The maximum normal altitude is 12,000 feet (3,660 meters). NEBS Certifications Level 3 NS-ISG 2000 with DC power supply GR-63-Core: NEBS, Environmental Testing GR-1089-Core: EMC and Electrical Safety for Network Telecommunications Equipment Safety Certifications...
  • Page 59: Connectors

    The mini-gigabit transceivers are compatible with the IEEE 802.3z Gigabit Ethernet standard. The following table lists media types and distances for the different types of interfaces used in the NetScreen-ISG 2000. Table 3: Interface Media Types and Maximum Distances Standard...
  • Page 60 ISG 2000 User’s Guide Connectors...
  • Page 61: Index

    Index AC power supplies ............39 fan tray acronyms................vii location in front panel ..........30 addresses replacing fan tray ..........44–45 defining ...............13, 14 replacing filter ............45 group.................13 predefined ANY ............13 admin name, changing ............5 gigabit ethernet cable asset recovery..............21 connecting..............36 disabling..............21 disconnecting ............37 grounding DC power............41 cabling...
  • Page 62 ISG 2000 User’s Guide IPSec VPN See VPN rack mounting ............26–28 ISG 2000 device mid-mount ..............28 description ..............29 rack mount kit contents ..........26 front panel ............30–31 rear and front mount..........27 rear panel..............33 registration, product ............1 ISG 2000 installation Route mode ................9...