Download
Share
Print this page
Juniper NetScreen-200 Series Installer's Manual
  1. Manuals
  2. Brands
  3. Juniper Manuals
  4. Firewall
  5. NETSCREEN-200 SERIES
  6. Installer's manual
Juniper NetScreen-200 Series Installer's Manual

Juniper NetScreen-200 Series Installer's Manual

Hide thumbs Also See for NetScreen-200 Series:

Advertisement

Quick Links

Download this manual
1
6
 6
(7
&5((1
(5,(6
,QVWDOOHU·V *XLGH
Version 4.0
P/N 093-0576-000
Rev.E

Advertisement

loading
Need help?

Need help?

Do you have a question about the NetScreen-200 Series and is the answer not in the manual?

Questions and answers

Related Manuals for Juniper NetScreen-200 Series

Summary of Contents for Juniper NetScreen-200 Series

  • Page 1  6 &5((1 (5,(6 ,QVWDOOHU·V *XLGH Version 4.0 P/N 093-0576-000 Rev.E...
  • Page 2 may radiate radio-frequency energy. If it is not installed in Copyright Notice accordance with NetScreen’s installation instructions, it may cause interference with Radio and television reception. This equipment NetScreen, NetScreen Technologies, GigaScreen, and the has been tested and found to comply with the limits for a Class B NetScreen logo are registered trademarks of NetScreen digital devices in accordance with the specifications in part 15 of Technologies, Inc.
  • Page 3 7DEOH RI &RQWHQWV 3UHIDFH Y *XLGH 2UJDQL]DWLRQ Y &RPPDQG /LQH ,QWHUIDFH &/, &RQYHQWLRQV Y &/, &RPPDQG 9DULDEOHV  Y 9DULDEOH 1RWDWLRQ  YL &RPPRQ &/, 9DULDEOH 1DPHV  YL &/, &RPPDQG 6\QWD[ YLL 'HSHQGHQF\ 'HOLPLWHUV YLLL 1HVWHG 'HSHQGHQFLHV YLLL $YDLODELOLW\ RI &/, &RPPDQGV DQG )HDWXUHV YLLL 1HW6FUHHQ 3XEOLFDWLRQV  L[ +RZ 7R *HW 0RUH ,QIRUPDWLRQ  L[ 2YHUYLHZ  ...
  • Page 4 7DEOH RI &RQWHQWV &RQILJXULQJ WKH 'HYLFH   2SHUDWLRQDO 0RGHV  7UDQVSDUHQW 0RGH   5RXWH 0RGH  7KH 1HW6FUHHQ ,QWHUIDFHV  &RQQHFWLQJ WKH 'HYLFH DV D 6LQJOH 6HFXULW\ *DWHZD\  &RQQHFWLYLW\ ([DPSOHV   3HUIRUPLQJ 'HYLFH &RQQHFWLRQ   (VWDEOLVKLQJ DQ +$ &RQQHFWLRQ %HWZHHQ 'HYLFHV  3HUIRUPLQJ ,QLWLDO &RQQHFWLRQ DQG &RQILJXUDWLRQ  (VWDEOLVKLQJ D 7HUPLQDO (PXODWRU &RQQHFWLRQ ...
  • Page 5 400 Mbps • The NetScreen-208, which has eight 10/100 BaseT interface ports and performs firewall functions at 550 Mbps All NetScreen-200 Series 10/100 BaseT ports perform auto-speed sensing and auto- polarity correction. 8,'( 5*$1,=$7,21 This manual has three chapters and two appendices.
  • Page 6 3UHIDFH 9DULDEOH 1RWDWLRQ The variable notation used in this manual consists of italicized parameter identifiers. For example, the set arp command uses four identifiers, as shown here: set arp ip_addr mac_addr interface age number | always-on-dest | no-cache where • ip_addr represents an IP address.
  • Page 7 &RPPDQG /LQH ,QWHUIDFH &/, &RQYHQWLRQV mbr_name The name of a member in a group, such as an address group or a service group. mask A subnet mask, such as 255.255.255.224 or /24. name_str The name of an item, such as an address book entry. number A numeric value, usually an integer, such as a threshold or a maximum.
  • Page 8 3UHIDFH 'HSHQGHQF\ 'HOLPLWHUV Each syntax description shows the dependencies between command features by using special characters. • The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command. • The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
  • Page 9 1HW6FUHHQ 3XEOLFDWLRQV ns-> set vpn ? ns-> set vpn vpn_name ? ns-> set vpn gateway gate_name ? &5((1 8%/,&$7,216 To obtain technical documentation for any NetScreen product, visit www.netscreen.com/ support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.
  • Page 10 3UHIDFH ,QVWDOOHU·V *XLGH...
  • Page 11 8uhƒ‡r…à 2YHUYLHZ This chapter provides detailed descriptions of the NetScreen-200 Series system devices and their components. Topics in this chapter include: • “NetScreen-200 Systems” on page 2 – “The NetScreen-204 Device” on page 2 – “NetScreen-208 Device” on page 2 •...
  • Page 12 &KDSWHU  2YHUYLHZ  6 &5((1 <67(06 This NetScreen-200 Series currently includes the NetScreen-204 device and the NetScreen-208 device. 7KH 1HW6FUHHQ 'HYLFH The NetScreen-204 is a chassis-based, rack-mountable network security device with four ethernet 10/100 BaseT interface ports. The figure below shows a NetScreen-204 device.
  • Page 13 A Modem port • A Compact Flash Card Slot • Ethernet interfaces 6\VWHP 6WDWXV /(' 'LVSOD\ The front panel of each NetScreen-200 Series device has a System Status display, which contains six LEDs. Status LED HA LED Power LED Flash LED...
  • Page 14 &KDSWHU  2YHUYLHZ Alarm System Alarm Critical alarm: • Failure of hardware component or software module (such as a cryptographic algorithm). • Firewall attacks detected. Major alarm: amber • Low memory (less than 10% remaining). • High CPU utilization (more than 90% in use). •...
  • Page 15 7KH )URQW 3DQHO $VVHW 5HFRYHU\ 3LQKROH The Asset Recovery Pinhole is a switch that resets the device to its original default settings. To use this switch, insert a stiff wire (such as a straightened paper clip) into the pinhole. Warning! Because resetting the device restores it to the original factory default configuration, any new configuration settings are lost, and the firewall and all VPN service become inoperative.
  • Page 16 Network Link: Blinking = link activity On = link is up Off = link is down $1(/ The figure below shows the back panel of a NetScreen-200 Series device (with an AC power supply.) Power Outlet Fuse Cover Power Switch Note: Certain export restrictions may apply to international customers.
  • Page 17 7KH 5HDU 3DQHO 3RZHU )XVH Each NetScreen-200 Series device uses a 2.5 amp, slow-blow power fuse rated for 250 volts. To replace a fuse on a NetScreen-200 Series device: Take the device off-line by turning the power switch OFF and disconnecting the power cable.
  • Page 18 &KDSWHU  2YHUYLHZ ,QVWDOOHU·V *XLGH...
  • Page 19 8uhƒ‡r…Ã! ,QVWDOOLQJ WKH 'HYLFH This chapter describes how to install a device in an equipment rack or on a desktop, and how to connect the device to other devices. Topics in this chapter include: • “General Installation Guidelines” on page 10 •...
  • Page 20 48,30(17 $&. 167$//$7,21 Although you can install a NetScreen-200 Series device on a desktop, it is advisable to install the device in an equipment rack if possible. (TXLSPHQW 5DFN ,QVWDOODWLRQ *XLGHOLQHV The location of the chassis and the layout of your equipment rack or wiring room are crucial for proper system operation.
  • Page 21 &RQQHFWLQJ WKH 3RZHU 5DFN0RXQWLQJ WKH 'HYLFH To mount the NetScreen-200 device on your equipment rack: Screw the front mount bracket to the side of the chassis. Screw the front mount bracket to the rack, as shown below. & 211(&7,1* 7+( 2:(5 To connect the power supply to the NetScreen-200 device: Plug the female end of a power cable into the male power receptacles on the back...
  • Page 22 Connect the other end of the grounding lug wire to a grounding point at your site. NetScreen-200 Series devices can operate on one feed alone or two feeds. To connect DC power feeds to the terminal blocks, do the following: Strip the ends of the power cables.
  • Page 23 &RQQHFWLQJ WKH 1HW6FUHHQ 'HYLFH WR 2WKHU 'HYLFHV &  ' 211(&7,1* 7+( &5((1 (9,&( 72 7+(5 (9,&(6 To connect the device, use the ethernet interfaces (ethernet1 through ethernet4 on the NetScreen-204, or ethernet1 through ethernet8 on the NetScreen-208). The purpose of each interface depends upon the security zone to which it is bound.
  • Page 24 &KDSWHU  ,QVWDOOLQJ WKH 'HYLFH ,QVWDOOHU·V *XLGH...
  • Page 25 8uhƒ‡r…Ã" &RQILJXULQJ WKH 'HYLFH This chapter describes how to perform initial configuration on a NetScreen-200 Series device once you have mounted it in a rack or desktop, plugged in the necessary cables, and turned the power on. Topics in this chapter include: •...
  • Page 26 &KDSWHU  &RQILJXULQJ WKH 'HYLFH 3(5$7,21$/ 2'(6 The NetScreen-200 Series supports two device modes, Transparent mode and Route mode. The default mode is Transparent. 7UDQVSDUHQW 0RGH In Transparent mode, the NetScreen-200 device operates as a Layer-2 bridge. Because the device cannot translate packet IP addresses, it cannot perform Network Address Translation (NAT).
  • Page 27 7KH 1HW6FUHHQ ,QWHUIDFHV  , &5((1 17(5)$&(6 Each NetScreen-200 device provides ethernet interfaces for access and connectivity. In addition, there are logical (non-physical) interfaces that perform special Layer-2 or management functions. Ethernet Interfaces Console Port Modem Port ethernet1 through ethernet4 Ethernet Interfaces Console Port Modem Port...
  • Page 28 (&85,7< $7(:$< There are many ways to connect a NetScreen-200 Series device to your network system. In most cases, the device serves as a single security gateway that protects at least one LAN (usually connected to the device from a switch or a hub).
  • Page 29 The default vlan1 IP address and subnet mask of these interfaces is 192.168.1.1/24. Note: If you have multiple NetScreen-200 Series devices, install and configure them one at a time. Because they all share the same default vlan1 IP address and subnet mask (192.168.1.1/24), you might encounter IP address conflicts.
  • Page 30 &KDSWHU  &RQILJXULQJ WKH 'HYLFH +$ & 67$%/,6+,1* $1 211(&7,21 (7:((1 (9,&(6 To assure continuous traffic flow in the event of system failure, you can cable and configure two NetScreen devices in a redundant cluster. The devices propagate all network, configuration and session information to each other. Should one device fail, the other takes over the traffic processing.
  • Page 31 (VWDEOLVKLQJ DQ +$ &RQQHFWLRQ %HWZHHQ 'HYLFHV To cable two NetScreen-200 devices together for HA and connect them to the network: Note: The cabling instructions given below reproduce the configuration shown here. However, this is not the only possible HA configuration. In addition, the instructions assume that all physical ports and interfaces are still set at their default settings.
  • Page 32 PC. (Be sure that the DB-9 is seated properly by screwing in the thumbscrews.) Plug the RJ-45 end of the cable into the Console port of the NetScreen-200 Series device. (Be sure that the RJ-45 clip snaps into the port and is seated properly.)
  • Page 33 3HUIRUPLQJ ,QLWLDO &RQQHFWLRQ DQG &RQILJXUDWLRQ (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, execute the following command: set console timeout number where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0.
  • Page 34 (Optional) To confirm the new port settings, execute the following command: get interface ethernet3 $OORZLQJ 2XWERXQG 7UDIILF By default, the NetScreen-200 Series device does not allow inbound or outbound traffic, nor does it allow traffic to or from the DMZ. To permit (or deny) traffic, you must create access policies.
  • Page 35 &RQILJXULQJ WKH 'HYLFH IRU 7HOQHW DQG :HE8, 6HVVLRQV You can also use the Outgoing Policy Wizard in the WebUI management application to create access policies for outbound traffic. See “Establishing a GUI Management Session” on page 26 for information on accessing the WebUI application. &KDQJLQJ <RXU /RJLQ 1DPH DQG 3DVVZRUG Because all NetScreen products use the same default login name and password (netscreen), it is highly advisable to change them immediately.
  • Page 36 &KDSWHU  &RQILJXULQJ WKH 'HYLFH set console timeout number where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0. 6WDUWLQJ D &RQVROH 6HVVLRQ 8VLQJ 'LDOXS Each NetScreen-200 device provides a modem port that allows you to establish a remote console session using a dialup connection through a 9600 bps modem cabled to the modem port.
  • Page 37 5HVHWWLQJ WKH 'HYLFH WR )DFWRU\ 'HIDXOW 6HWWLQJV (6(77,1* 7+( (9,&( 72 $&725< ()$8/7 (77,1*6 If you lose the admin password, you can use one of the following procedures to reset the NetScreen device to its default settings. This destroys any existing configurations, but restores access to the device.
  • Page 38 &KDSWHU  &RQILJXULQJ WKH 'HYLFH 8VLQJ WKH $VVHW 5HFRYHU\ 3LQKROH WR 5HVHW WKH 'HYLFH You can also reset the device and restore the factory default settings by pressing the asset recovery pinhole. To perform this operation, you need to make a console connection, as described in “Establishing a Terminal Emulator Connection”...
  • Page 39 6ƒƒrqv‘Ã6 6SHFLILFDWLRQV This appendix provides general system specifications for the NetScreen-200 Series devices. • “NetScreen-200 Attributes” on page 2 • “Electrical Specification” on page 2 • “Environmental” on page 2 • “Safety Certifications” on page 2 • “EMI Certifications” on page 2...
  • Page 40 $SSHQGL[ $ 6SHFLILFDWLRQV  $ &5((1 775,%87(6 Height: 1.73 inches Depth: 10.8 inches Width: 17.5 inches Weight: 8 pounds /(&75,&$/ 3(&,),&$7,21 AC voltage: 100-240 VAC +/- 10% DC voltage: -36 to -60 VDC AC Watts: 45 Watts DC Watts: 50 Watts Fuse Rating: 2.5A / 250V 19,5210(17$/...
  • Page 41 6ƒƒrqv‘Ã7 &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ All NetScreen devices are designed to meet the Common Criteria requirements, and are currently under evaluation for Common Criteria, EAL2. However, there are certain configuration actions that are required for a security administrator to properly secure the device to be in compliance with the Common Criteria EAL2 security target.
  • Page 42 $SSHQGL[ % &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ 523(5 7(36 72 (&85( $ &5((1 (9,&( )25 & & ($/ & 20021 5,7(5,$ 203/,$1&( To configure a NetScreen device to operate securely, and in conformance with the requirements outlined in NetScreen’s Security Target for Common Criteria EAL2, the following actions must be taken: •...
  • Page 43 $SSHQGL[ % &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ To disable this default policy on the NetScreen-5XP and -5XT, enter the following CLI command: unset policy id 0 • NetScreen devices must be configured to prevent all types of Denial of Service (DoS) and attack signatures on every security zone to prevent these types of attacks from occurring on the LAN.
  • Page 44 $SSHQGL[ % &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ passwords should not be easily guessed, such as a mother’s maiden name, a birth date, or names of relatives. NetScreen devices ship with a default user name and password of “netscreen”. You must change this as soon as possible to prevent unauthorized access.
  • Page 45 $SSHQGL[ % &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ When creating a policy, always make sure that counting and logging are enabled. This ensures that all traffic matching the policy is logged appropriately. When creating a policy, always use specific source IP, destination IP, source zone, destination zone, protocol, and service when feasible.
  • Page 46 $SSHQGL[ % &RQILJXUDWLRQ IRU &RPPRQ &ULWHULD ($/ The event log shows the following events: Log setting is modified to {enable|disable} level-name level by admin name where level-name is the same as the level-name in the issued command and name is the person making the change.
  • Page 47 ,QGH[ ,QGH[ asset recovery 27 high availability 20 high availability, establishing an HA connection 20 Back panel 6 & installation guidelines 10 IP address Cables conflicts 19 connections 19 power 19 RJ-45 connectors 17 RJ45 connectors 5, 13 LEDs 6 twisted pair 13, 17 Link lights 6, 19 cabling...
  • Page 48 ,QGH[ Ports console 5 Rack 10, 19 ethernet 6 mounting 10 Power rack installation guidelines 10 supply 19 reset 27 power supplies DC, wiring 12 power supply, connecting to the system 11 Transparent mode 16 power supply, installing 11 Ventilation 10 viewing port settings 23 ,QVWDOOHU·V *XLGH...

This manual is also suitable for:

Netscreen-204Netscreen-208