Example: Configuring Nsgp On Gtp And Gi Firewalls (Nsm Procedure) - Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual

Configuring ScreenOS Devices Guide
Related
Documentation

Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure)

132
The NSGP module includes two components: the client and the server. The client connects
to the server and sends requests, which the server processes. Both client and server
support multiple connections to each other and to others simultaneously. Using TCP,
NSGP monitors the connectivity between client and server by sending Hello messages
at set intervals.
NSGP uses a session context to ensure that the server and client know that status of the
connection. The session context stores is identified by a unique number (context ID);
when configuring NSGP on the client and server devices, you must use the same context
ID on each device. When the client sends a "clear session" request to the server, the
request includes the context ID and IP address of the server. When the server receives
the "clear session" message, it matches the context ID and then clears the session from
its table.
The security device acting as the NSGP server must run the ScreenOS 5.0 GPRS firmware,
and the other device acting as the GTP client must run the ScreenOS 5.0 NSGP firmware.
After you have deployed the two devices, you must:
Configure NSGP on the GTP server to recognize when a GTP tunnel is deleted and to
notify the GTP client.
Configure NSGP on the GTP client to automatically clear sessions whenever the NSGP
server gets a notification from the GTP client that a GTP tunnel was deleted.
By clearing the sessions, the NSGP server stops the unsolicited traffic and prevents
overbilling.
Configuring NSGP Overview on page 131
Configuring Hostnames and Domain Names Overview on page 130
Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure) on page 132
In this example, you configure NSGP on both the GTP firewall (client) and the Gi firewall
(server). First, you must create the GTP object for the client connection. Then, to enable
NSGP on the security device, you must configure both the server and client side connection
parameters:
For the NSGP server connection, you enable NSGP on an interface.
For the GTP client connection, you select a source interface, and then copy the NSGP
server settings (from the NSGP server device) to configure the destination interface.
Finally, you create a firewall rule that includes the GTP object, the GTP firewall, and the
Gi firewall.
Copyright © 2010, Juniper Networks, Inc.