Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1 Administration Manual
Juniper Networks
Network and Security
Manager
Administration Guide
Release
2010.4
Published: 2010-11-17
Revision 1
Copyright © 2010, Juniper Networks, Inc.

Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - ADMINISTRATION GUIDE REV1

  • Page 1 Juniper Networks Network and Security Manager Administration Guide Release 2010.4 Published: 2010-11-17 Revision 1 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table Of Contents

    Devices Running Junos OS ........16
  • Page 8 SSL VPN Secure Access Products ......20 Juniper Networks IC Series Unified Access Control Appliances ..21 Extranet Devices .
  • Page 9 Viewing Current Domain Detail ........91
  • Page 10 Using Job Manager ........129
  • Page 11 Importing the Cluster configuration ......161
  • Page 12 Updating the Configuration on the Device ......198
  • Page 13 Reordering Lists ..........230
  • Page 14 Device States During Update ........261
  • Page 15 Restoring SA or IC Devices ........285
  • Page 16 Data Model Importing ........311
  • Page 17 Creating DI Profiles ..........338
  • Page 18 Configuring Web Filtering Objects ......378
  • Page 19 Configuring Local User Groups ........405
  • Page 20 About Rules ..........440
  • Page 21 Configuring Antispam Rules ........468
  • Page 22 Entering Comments for APE Rules ........491
  • Page 23 Session Limiting ........503
  • Page 24 Deleting a Rule ..........517
  • Page 25 Adding a Rule to a Source NAT Rule Set ......541
  • Page 26 Creating PKI Defaults ........568
  • Page 27 Adding a VPN Rule ........615
  • Page 28 Free Ports View ..........641
  • Page 29 Viewing IDP Device Statistics ........689
  • Page 30 Configuring Permitted Objects ........719
  • Page 31 Device Limitations for Viewing Logs ........743
  • Page 32 Setting a Port Number Range Filter ......771
  • Page 33 Exporting to CSV ........803 Using CSV Required and Optional Format-Specific Filters ..804
  • Page 34 Configuring the Chart Type ........823
  • Page 35 Index ............957
  • Page 37 Figure 31: DMZ Dual Untrust Port Mode ........109
  • Page 38 Figure 74: Attack Update Summary ........296
  • Page 39 Figure 109: Viewing Summary Panel ........777
  • Page 40 Figure 118: Top Configuration Changes Report ......828
  • Page 41 Table 26: Validation Icons ........193
  • Page 42 Table 62: Administrators View ........682
  • Page 43 Table 108: Audit Log Information ........789
  • Page 44 Table 126: Information Log Entries ........952
  • Page 45: About This Guide

    NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and current versions of ScreenOS and current versions of Junos OS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.
  • Page 46: Conventions

    Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR). Key names linked with a plus (+) sign: Indicates that you must press two or more keys simultaneously, for example Ctrl + d.
  • Page 47: Documentation

    It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation or upgrade of NSM.
  • Page 48 Release Notes differs from the information found in the documentation set, follow the Release Notes. Release notes are included on the corresponding software CD and are available on the Juniper Networks website. Network and Security Provides details about configuring the device features for all Manager Configuring supported Infranet Controllers.
  • Page 49: Requesting Technical Support

    7 days a week, 365 days a year. Self-Help Online Tools and Resources For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 50: Opening A Case With Jtac

    Use the Case Management tool in the CSC at http://www.juniper.net/cm/ Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico). For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html
  • Page 51: Getting Started With Nsm

    NSM role-based administration tools. Part 1 contains the following chapters: Introduction to Network and Security Manager on page 3 Planning Your Virtual Network on page 41 Configuring Role-Based Administration on page 61
  • Page 53: Introduction To Network And Security Manager

    Introduction to Network and Security Manager Juniper Networks Network and Security Manager (NSM) gives you complete control over your network. Using NSM, you can configure all your Juniper Networks devices from one location, at one time. This chapter contains the following sections:...
  • Page 54: Security Integration

    NSM administrators. Administrators—An administrator is a user of NSM. Each administrator has a specific level of permissions. Create multiple administrators with specific roles to control access to the devices in each domain.
  • Page 55: Centralized Device Configuration

    Expressions to create a custom group. Device Management As your network grows, you might need to add existing devices, add new devices, reconfigure existing devices, update software versions on older devices, or integrate a
  • Page 56: Importing Devices

    Create simplified and efficient security policies for your managed devices. You can manage security policies either in a Central Policy Manager or through in-device policy management, depending on the type of device. The tools at your disposal are also device-dependent, but can include:
  • Page 57: Error Prevention, Recovery, And Auditing

    Because the device no longer needs to maintain a constant connection to the management system during updating, you can configure changes to management connection from the NSM UI.
  • Page 58: Device Image Updates

    VPN, start from a system perspective: Determine which users and networks need access to each other, and then add those components to the VPN. Using AutoKey IKE, you can create the following VPNs with VPN Manager:
  • Page 59: Integrated Logging And Reporting

    Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains: Name of the command Date and time the command was sent
  • Page 60: Technical Overview

    The management system also provides a programmatic interface for integrating NSM into larger enterprise business systems. This NSM API provides an alternative interface to that provided by the UI. For details, see the Network and Security Manager API Guide.
  • Page 61: User Interface

    Device, security policy, and VPN configuration NSM administrator accounts, device administrator accounts, and domains Objects The GUI server also organizes and presents log entries from security devices. These log entries are actually stored on the Device Server.
  • Page 62: Table 5: Gui Server Processes

    If the GUI Server computer and the Device Server computer have a firewall between them, you must configure a rule on that firewall to permit NSM management traffic. Table 6 on page 13 describes the processes that the Device Server runs when you start
  • Page 63: Managed Devices

    Firewall and IDP (ScreenOS/IDP) Devices on page 13 Devices Running Junos OS on page 16 SSL VPN Secure Access Products on page 20 Juniper Networks IC Series Unified Access Control Appliances on page 21 Extranet Devices on page 21 Firewall and IDP (ScreenOS/IDP) Devices...
  • Page 64 ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3 Juniper Networks SSG5-ISDN-WLAN ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3 Juniper Networks SSG5-Serial ScreenOS 5.4, 5.4 FIPS, 6.0r2 or later, 6.1, 6.2, 6.3
  • Page 65 IDP 4.0, 4.1 Juniper Networks IDP200 IDP 4.0, 4.1, 5.0, 5.1 Juniper Networks IDP 250 IDP 4.1, 5.0, 5.1 Juniper Networks IDP500 IDP 4.0, 4.1 Juniper Networks IDP 600C IDP 4.0, 4.1, 5.0, 5.1
  • Page 66: Devices Running Junos Os

    Devices running Junos OS and managed by NSM are listed in the following sections: Juniper Networks J Series Services Routers and SRX Series Services Gateways on page 16 Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers on page 18 Juniper Networks EX Series Ethernet Switches on page 19 NOTE: NSM only supports the domestic version of the Junos OS and not the export version.
  • Page 67: Table 8: J Series Services Routers And Srx Series Services Gateways Nsm Supports

    Junos OS Release 9.3, 9.4, 9.5, 9.6, 10.1, 10.2, 10.3 Juniper Networks SRX5600–Modular Junos OS Release 9.5, 9.6, 10.1, 10.2, 10.3 Juniper Networks SRX5800 Junos OS Release 9.3, 9.4, 9.5, 9.6, 10.1, 10.2, 10.3
  • Page 68: Table 9: M Series Multiservice Edge Routers And Mx Series Ethernet Services Routers Nsm Supports

    Juniper Networks SRX5800–Modular Junos OS Release 9.5, 9.6, 10.1, 10.2, 10.3 Juniper Networks M Series Multiservice Edge Routers and MX Series Ethernet Services Routers Table 9 on page 18 lists the M Series and MX Series Routers, and the versions of Junos OS that NSM supports.
  • Page 69: Table 10: Ex Series Ethernet Switches Nsm Supports

    Juniper Networks MX960 with IDP Junos OS Release 9.4, 9.5, 9.6, 10.0, 10.1, 10.2, 10.3 services Juniper Networks EX Series Ethernet Switches Table 10 on page 19 lists the Ethernet Switches and the versions of Junos OS that NSM supports.
  • Page 70: Ssl Vpn Secure Access Products

    Juniper Networks Secure Access 6500 SA Release 6.3, 6.4, 6.5, 7.0 Juniper Networks Secure Access 6500 SA Release 6.3, 6.4, 6.5, 7.0 (FIPS) Juniper Networks VA-SPE SA Release 7.0 Juniper Networks VA-DTE SA Release 7.0
  • Page 71: Juniper Networks Ic Series Unified Access Control Appliances

    Juniper Networks IC Series Unified Access Control Appliances In a Unified Access Control (UAC) solution, Infranet Controller (IC) products provide policy management. ScreenOS firewalls can provide the enforcement points. Table 12 on page 21 lists the Infranet Controller products and firmware versions supported by NSM 2010.4.
  • Page 72: Device Schemas

    Network-Security Manager. Device families introduced in Release 2008.1 and later are described by schemas that are maintained on a schema repository owned by Juniper Networks. These schemas can be added dynamically to NSM. These devices include:...
  • Page 73: Scaling And Performance

    You can configure additional preferences for UI behavior, such as appearance, external tool use, polling statistics, and UI timeout. For details on configuring these settings, see the topics under “Network and Security Manager User Interface” in the Network and Security Manager Online Help.
  • Page 74: Ui Overview

    Navigation Tree The navigation tree provides three panels: Investigate panel—Provides NSM modules with tree structures for monitoring your network. Configure panel—Provides NSM modules with tree structures for configuring devices, policies, VPNs, and other objects.
  • Page 75: Common Tasks Pane

    Audit Log Viewer on page 27 Log Viewer The Log Viewer displays log entries that your security devices generate based on criteria that you defined in your security policies, on the GUI Server, and in the device configuration.
  • Page 76 Manipulate and change constraints on log information. Correlate log entries visually and rapidly. Filter log entries while maintaining the broader picture. Realtime Monitor Realtime Monitor provides a graphical view of the current status of all devices managed by NSM:
  • Page 77: Configure Modules

    ScreenOS security devices and IDP sensors—The devices you use to enable access to your network and to protect your network against malicious traffic. Devices running Junos OS: EX Series Ethernet Switches—Enterprise-class switches managed by NSM. J Series Services Routers—Routers managed by NSM.
  • Page 78 Vsys cluster—A vsys device that has a cluster as its root device. Extranet devices—Firewalls or VPN devices that are not Juniper Networks security devices. Templates—A partial device configuration that you can define once, and then use for multiple devices.
  • Page 79 You use IDP attack objects within IDP rules. Custom Policy Fields objects—Represent metadata information that you can store and use in a structured manner. Users can add custom objects to the policy table, such
  • Page 80 To provide remote users with access, create a user object for each user, and then create a VPN that includes those user objects. VLAN objects—Limit rule matching to packets within a particular VLAN.
  • Page 81: Administer Modules

    NSM uses automatic validation to help you identify the integrity of a configuration or specific parameter at a glance. The icons shown in Table 13 on page 32 might appear as you work in the UI:
  • Page 82: Validation And Data Origination Icons

    Configuration Group: Indicates the value was inherited from a configuration group. Changes to the configuration group are also shown in the device edit dialog box.
  • Page 83: Working With Other Nsm Administrators

    UI screen or dialog box. To locate a word, begin typing the word. The search window appears in the top left of the selected screen or dialog box. The UI attempts to match your entry to an existing
  • Page 84: Contains String [C] Search Mode

    MS-RPC-ANY, as shown in Figure 5 on page 34. Figure 5: “Contains String” Search Mode Example Starts With [S] Search Mode Use to locate a pattern at the beginning of a string. For example, to locate the pattern “OR” in devices:
  • Page 85: Regular Expression [R] Search Mode

    Figure 7: “Regular Expression” Search Mode Details The UI automatically highlights the first match; click the down arrow key to highlight the next match. Both matches are shown in Figure 8 on page 36.
  • Page 86: Ip [I] Search Mode

    If you select a different column, such as Name, and perform the same search, the results differ. Figure 9 on page 37 shows both search results. NOTE: NSM Release 2009.1 allows you to search for an IP address with its specific netmask.
  • Page 87: Search For An Exact Match (E)

    Select any entry in the Name column, and then press the backslash key (\) to display the search mode window. Enter and then type NSM highlights the matching object as depicted in Figure bbbb.
  • Page 88: Global Search

    Regular Expression type of search. If you select Service, you can click the Select Service button to view a list of services. Check the desired services and click to select multiple services. Your selection
  • Page 89 Use the buttons above the list of search results to add or search for more results, edit a result, and delete a result. Click Close to exit the search.
  • Page 91: Chapter 2 Planning Your Virtual Network

    Creating an Information Banner on page 58 Configuring Devices Overview To manage Juniper Networks devices that already exist on your network, you can import their device configurations into NSM. Each imported device appears in the NSM UI, where you can view or make changes to the device, such as change settings in the device configuration, edit the security policy for the device, and upgrade device firmware.
  • Page 92: Importing Existing Devices

    Infranet Controller device. These devices must be added to NSM by importing. NOTE: Juniper Networks also offers security devices with Intrusion Detection and Prevention (IDP) capability. For details on how to enable IDP functionality on these devices, see “Configuring IDP-Capable Devices Overview” on page 45.
  • Page 93: Modeling New Devices

    For details on adding devices, see “Adding Devices” on page 97. Modeling New Devices For new networks or networks that do not use a previously deployed Juniper Networks device, you should review your network topology thoroughly and design a security system that works for your organization.
  • Page 94: Editing A Device Configuration

    Conversely, the device configuration can be edited by the device administrator using the device's native GUI or CLI. To synchronize the device object configuration in NSM with the actual device, you must then reimport the device.
  • Page 95: Configuring Idp-Capable Devices Overview

    When deployed inline in your network, Juniper Networks Intrusion Detection and Prevention (IDP) technology can detect—and stop—attacks. Unlike IDS, IDP uses multiple methods to detect attacks against your network and prevent attackers from gaining access and doing damage.
  • Page 96: Enabling Jumbo Frames (Isg1000 Only)

    Select ScreenOS/IDP from the OS Name list. Select nsISG1000 from the Platform list. Select 6.0 or greater from the Managed OS Version list. Select the Enable Jumbo Frame check box, and then click Finish.
  • Page 97: Enabling Idp Functionality

    IDP and DI databases and the IDP detector engine, download new attack objects from the attack object database server to the GUI Server. NOTE: You must have DNS enabled on the NSM GUI server before you can update your attack objects.
  • Page 98: Adding Objects (Optional)

    IDP rulebases. Enabling IDP functionality in a security policy is a two-step process: first enable a firewall rule to pass permitted traffic to the IDP rulebases, then create the IDP rules that detect and prevent malicious traffic from entering your network.
  • Page 99 Policies, and then double-click the policy name in the Security Policies window to open the firewall rulebase. In the Rule Options column of a firewall rule, select IDP. Select one of the following modes:
  • Page 100 A backdoor is a mechanism installed on a host computer that facilitates unauthorized access to the system. Attackers who have already compromised a system often install a backdoor to make future attacks easier.
  • Page 101 (services) supported by the destination address object. You can also negate zones, address objects, or services. You configure the match criteria in the following IDP rulebase columns: From Zone Source To Zone
  • Page 102 After you have created the necessary firewall and IDP rules within the security policy, you must perform the following steps to apply the policy to your network traffic: Assign the policy to a device.
  • Page 103: Reviewing Idp Logs

    To view IDP log entries: Go to the main navigation tree and expand the Investigate panel. Select Log Viewer > Predefined > 3-IDP/DI. The Log Viewer displays all IDP logs generated by the security device.
  • Page 104: Maintaining Idp

    Create/Edit/Delete Shared Objects and Groups For details on RBA in NSM, see “Configuring Role-Based Administration” on page 66; for an example that shows how to create an IDP-only administrator, see “Creating Administrators” on page 67.
  • Page 105: Simplifying Management

    You can map a maximum of 63 templates to the same device; you set the priority of the template to determine the order in which they are applied. For example, you might create the following templates: DNS setting template Default PKI Settings template Authentication template
  • Page 106: Using Configuration Groups

    Having a logical and standardized naming convention can help you quickly identify the appropriate administrator for the component, as well as quickly identify the component location without having to review subnet tables.
  • Page 107: Example: Using A Naming Convention For Devices

    FLastname—The first initial and last name of the main user (or general account name if it is a multiuser machine) (M or W)—A single letter to designate Mobile computer or Workstation OS—A two-character abbreviation for the operating system
  • Page 108: Figure 11: Selecting The Gui Server In Central Manager

    Select the GUI server to which you want to add the banner server-wide, and click the Edit icon, as shown in Figure 11 on page 58. Figure 11: Selecting the GUI Server in Central Manager
  • Page 109: Figure 12: Setting Up An Information Banner

    The message is immediately available to NSM users connected to the server, as shown in Figure 13 on page 59. Figure 13: Information Banner Login into Central Manager The NSM user must click Yes to access the GUI server.
  • Page 110: Modifying An Information Banner

    Double-click the GUI server for which you want to delete the banner server-wide. Delete the customized text in the Log In Warning Message text box, and then click The message is immediately removed from the login screen to all NSM users server-wide.
  • Page 111: Chapter 3 Configuring Role-Based Administration

    CHAPTER 3 Configuring Role-Based Administration This chapter details how to use the Juniper Networks Network and Security Manager (NSM) role-based administration (RBA) feature to configure domains, administrators, and roles to manage your network. Your organization probably already has an existing permission structure that is defined by job titles, responsibilities, and geographical access to your security devices.
  • Page 112: About Roles

    Read-Only role, can create and run their own reports. You can define multiple NSM administrators and assign dedicated roles to each administrator: A role is a set of activities that specify the functions the administrator can perform.
  • Page 113: Using Role-Based Administration Effectively

    CIO to access reports. Enterprise Organizations Each enterprise defines administrative roles differently. With NSM, you have the flexibility to create the appropriate permission level.
  • Page 114: Administrator Types

    Tier 1 administrators view events and audit configurations. Tier 2 administrators view events and audit configurations, but also change network configurations during troubleshooting. Tier 3 administrators have full access to all functionality on the device, and make configuration and policy changes.
  • Page 115: Service Providers

    Service Providers Service Providers can use NSM domain, subdomains, and roles to manage their internal infrastructure and their customers’ infrastructures.
  • Page 116: Internal Network

    MSSP creates a customer subdomain and a virtual system within that subdomain. Configuring Role-Based Administration When you have analyzed your network and permission structure and designed your domain strategy, you are ready to create subdomains and new NSM administrators for
  • Page 117: Creating Administrators

    NOTE: The following characters are not supported for NSM administrator names: Period ( . ) Number sign ( # ) Dollar sign ( $ ) Asterisk ( * ) Ampersand ( & ) Circumflex ( ^ )
  • Page 118: Configuring Authorization

    The default authentication mode is local mode. The RADIUS user is created only on a RADIUS server and can only be authenticated using a remote RADIUS server.
  • Page 119: Table 15: How To Authenticate Users

    When a user is defined only in RADIUS, you must define NS-NSM-User-Domain-Name and role mapping assignment. Auth Handler checks if the domain name matches the user’s login domain name when NSM authenticates the user. Role mapping lists are used for NSM access control purposes.
  • Page 120: Figure 14: Creating Custom Domain

    Read-Only Domain Administrator Read-Only IDP Administrator Read-Only System Administrator System Administrator Predefined roles do not belong to any domain. The format for predefined roles is: DomainName1:(predefined-role-name), where DomainName1 is the domain that the current user can access.
  • Page 121: Figure 15: User In Domain "Global" With A Predefined Role

    Figure 15 on page 71 through Figure 21 on page 74 show examples of assigning predefined and custom roles through RADIUS. All examples assume that the user will be authenticated and authorized using a RADIUS server. Figure 15: User in Domain “global” with a Predefined Role
  • Page 122: Figure 16: User In Domain "Global" With Custom Role "R1

    The “r1” role was created in the NSM in “global” domain. Figure 17: User in Subdomain “d1” With a Predefined Role Figure 18: User in Subdomain “d1” With a Custom Role “r1” Create the custom role “r1” in the subdomain “d1.”
  • Page 123: Figure 19: Assigning Multiple Roles To A User In Global Domain

    Roles “r1” and “r2” are the custom roles assigned to the user. Figure 20: Assigning Multiple Roles to a User in Subdomain Both “r1” and “r2” are the custom roles assigned to the user.
  • Page 124: Figure 21: Assigning Roles Defined In Domain "Global

    Domain Administrator—Can perform all activities in the domain. Read-Only Domain Administrator—Can perform all read-only activities in the domain. IDP Administrator—Can perform all IDP activities. All other activities are excluded. Read-Only IDP Administrator—Can perform all read-only IDP activities.
  • Page 125: Table 16: Predefined Nsm Administrator Activities

    Description Action Attributes View The Action Manager is a node on the main navigation tree that enables you to configure the management system to forward logs generated Modify within a specific domain or subdomain. Copyright © 2010, Juniper Networks, Inc.
  • Page 126 NSM system and on each managed device that supports Deep Inspection. Auditable Activities Edit Allows the administrator to select read/write or read only actions to determine what actions get reported to the Audit Log Viewer. View Copyright © 2010, Juniper Networks, Inc.
  • Page 127 NSM system using guiSvrCli command utility. Config Sync Status (Check): Verifies the configuration status of the device. Configlet (View): A configlet is a small, static configuration file that contains information on how a security device can connect to NSM.
  • Page 128 (Upload, Delete) A device certificate authenticates packets passing through a device. Device Config To/From File (Export, Import): Allows a system administrator to import a device configuration from a file or export a device configuration to a file.
  • Page 129 Device Software Keys (Install): A device software key provides, enhances, or adds functionality for a managed device. Device Status Monitor (View): The device status monitor tracks the status of devices, VPN tunnels, and NSRP.
  • Page 130 Get Entitlement from Entitlement Server: Entitles the administrator to configure devices to receive services that require subscriptions, such as internal AV or Deep Inspection Signature Service.
  • Page 131 IDP capable devices, such as the ISG2000, ISG1000 running 5.0–IDP1, SRX Series, J Series, and MX Series (View). Import Device: Allows an administrator to import device information to NSM from the device, including inventory information.
  • Page 132 NAT Objects and subtree (Create, Delete, Edit, View): Allows an administrator to manage NAT objects, which allow multiple devices to share a single object.
  • Page 133 Allows an administrator to create polymorphic service objects. Polymorphic objects can be used as place holders for values that will be defined in a different context (in a regional server domain or subdomain, for instance).
  • Page 134 (Delete, Edit, View) Schema (Apply, Download): Allows an administrator to download or apply schemas for managing devices. Schema Details (View): Allows an administrator to view the details of schemas for managing devices.
  • Page 135 System UrlCategory (Update): The system URL category list contains predefined Web categories used in Web filtering profiles. You can update the system Web category list from the master Web category list maintained by SurfControl.
  • Page 136 LAN. (Edit, Delete, View) VPN Monitor (View): VPN Monitor tracks VPN tunnel statistics. To enable NSM to track these statistics, you must enable “VPN Monitor” in the Gateway properties for each VPN.
  • Page 137: Roles And Permissions

    Groups & Templates" will contain the Import Device permission as well after upgrade. Permissions Changes in Release 2006.1 In Release 2006.1, the Create Devices, Device Groups, & Templates activity does not allow permission to run the following directives: Import Admin
  • Page 138: Table 17: Changes To Edit Devices, Device Groups, & Templates Activity

    Table 18 on page 88. Use the Device Site Survey activity instead. Table 18: Changes to View Devices, Device Groups, & Templates (columns: Role Activity, Directives). Device Site Survey: Site Survey.
  • Page 139: Assigning And Viewing Custom Roles

    Disable the filters that are not required and click OK. Viewing Logged Administrators NSM lets you view information associated with all the administrators currently logged into the system. This information includes the following columns:
  • Page 140: Forcing An Administrator To Log Out

    Any objects that were locked by the administrator during the login session are unlocked. The server operations triggered by the logged-out GUI (Jobs, Reports, Log-Viewer, and so on) run to completion in the server. An administrator cannot forcibly log out from his own session.
  • Page 141: Creating Subdomains

    ISP's goal is to manage all devices and policies from the co-location facility and provide read-only permission for customers to view log entries and generate reports. No VPNs are used. To configure this domain structure, use the following process:
  • Page 142: Step 1: Create The Subdomains

    Step 3: Create the Viewing and Reporting Administrator In this step, you create a custom role and administrator account that permits the ISP customers to view log entries and generate reports for devices in their subdomain.
  • Page 143: Figure 23: Manage Administrators And Domains: Administrators Tab

    Click OK to log in. The NSM navigation tree and main display area appear. Because the domain administrator account has full permissions for the domain, the UI displays all modules and enables all functionality for the domain. However, the domain menu (at
  • Page 144 Manager, Job Manager, and the Audit Log Viewer do not appear). Additionally, all Add, Edit, and Delete icons appear in gray, indicating that the administrator cannot perform these tasks. Repeat for each subdomain and customer administrator.
  • Page 145 PART 2: Integrating. Adding Devices on page 97; Configuring Devices on page 187; Updating Devices on page 243; Managing Devices on page 265.
  • Page 147: Chapter 4 Adding Devices

    CHAPTER 4 Adding Devices This chapter provides information about adding Juniper Networks devices to your network. These devices can include routers and switches, as well as the security devices that protect your network against malicious traffic. Juniper Networks Network and Security Manager (NSM) can manage all Juniper Networks devices running ScreenOS 5.x and later, IDP 4.0 and later, Junos 9.0 and later, IC 2.2 or...
  • Page 148: About Device Creation

    J Series devices—Highly secure routers that can be added to your network and managed through NSM. SRX Series gateways—Firewall/VPN systems that have integrated service layer technologies such as IDP, AV, or Web Filtering. M Series and MX Series routers—Carrier Ethernet routers and services routers.
  • Page 149: Adding Devices

    Chapter 4: Adding Devices Unified Access Control (Infranet Controller) devices—The policy management server of the Juniper Networks LAN access control solution. SSL VPN (Secure Access) devices. Virtual Chassis—Stacked EX Series devices functioning as one logical EX Series switch or an SRX cluster represented in NSM as a virtual chassis.
  • Page 150: Verifying Device Configuration

    Before You Begin Adding Devices Before adding a device to NSM, decide the following: Will you import or model the device? Will the device reside in the global domain or a subdomain?
  • Page 151: Importing Versus Modeling

    OS and device type of the actual, physical device. Then model the device configuration in the NSM UI. Configure all device features—zones, interfaces, virtual routers, policies, logging features. Finally, activate the device (using the Activate
  • Page 152: Device Add Process

    For details on creating new subdomains, see “Configuring Role-Based Administration” on page 61. After you have created the subdomain, select it from the domain menu and begin the device addition process.
  • Page 153: Figure 24: Connecting Devices From Different Domains In VPNs

    Import many ScreenOS, Junos, Secure Access, or Infranet Controller devices at one time. Model many ScreenOS devices at one time. Model, create configlets for, and activate multiple ScreenOS devices at one time for use with Rapid Deployment.
  • Page 154: Specifying The OS And Version

    OS. For example, NSM no longer supports devices running 4.x or earlier versions of ScreenOS. If you are not running a supported version, you must upgrade your devices before adding them into the management system. Contact Juniper Networks customer support for details.
  • Page 155: Figure 25: Trust-Untrust Port Mode Bindings

    By default, there are no restrictions for traffic from the Home zone to the Untrust zone. See Figure 26 on page 105 for port, interface, and zone bindings. Figure 26: Home-Work Port Mode Bindings This mode provides the following bindings:
  • Page 156: Figure 27: Dual-Untrust Port Mode Bindings

    NOTE: The serial interface is not available in Dual Untrust port mode. Combined Port Mode Combined mode enables both primary and backup interfaces to the Internet and the segregation of users and resources in Work and Home zones.
  • Page 157: Figure 28: Combined Port Mode Bindings

    Web, e-mail, or other application servers from the internal network. NOTE: The Trust/Untrust/DMZ port mode is supported only on the NetScreen-5GT Extended platform. See Figure 29 on page 108 for port, interface, and zone bindings.
  • Page 158: Figure 29: Trust-Untrust-DMZ Port Mode Bindings

    See Figure 30 on page 108. Figure 30: Extended Port-Mode Interface to Zone Bindings Table 19 on page 108 provides the Extended mode interface-to-zone bindings. Table 19: Extended Bindings (columns: Port, Interface, Zone). Untrusted port: Untrust interface, Untrust zone.
  • Page 159: Figure 31: DMZ Dual Untrust Port Mode

    Binds the Ethernet port 4 to the ethernet3 interface, which is bound to the Untrust security zone. Binds the Untrust Ethernet port to the ethernet4 interface, which is bound to the Untrust security zone.
  • Page 160: Table 20: Security Device Port Mode Summary (Part 1)

    Table 20 on page 110 and Table 21 on page 110 summarize the port, interface, and zone bindings provided by the ScreenOS port modes. Port numbers are as labeled on the Juniper Networks security device chassis. The Trust-Untrust mode entries represent the default port modes.
  • Page 161: Changing The Port Mode

    (Table columns: Device Workflow; ScreenOS; Secure Access devices (SA); Infranet Controller devices (IC); Series devices (Junos); Series devices (Junos); MX Series devices (Junos).) Rows: Device is reachable; Device is reachable; Model, activate device; Rapid deployment (configlets); Device discovery.
  • Page 162: Importing Devices

    NSM for that device. To help avoid accidental configuration overwriting, when you attempt to import a configuration from a currently managed security device, NSM prompts you for confirmation to import.
  • Page 163: Requirements

    NSM 2008.1 or later release. To import a ScreenOS 5.0 or later device with a known IP address: From the domain menu, select the domain in which to import the device. In Device Manager, select Devices.
  • Page 164 Click Next to add the device to NSM. After the device is added, click Next to import the device configuration. Click Finish to complete the Add Device wizard. Double-click the device in Device Manager to view the imported configuration.
  • Page 165: IDP Sensors

    Enter the password for the device root user. NOTE: All passwords handled by NSM are case-sensitive. Select the connection method (SSH Version 2) and the port number for the selected service. Select the Port Number. The default (port 22) is recommended.
  • Page 166: Junos Devices

    Click Next to have NSM import settings already present on the Sensor. Click Finish to complete the add operation. An IDP 4.1 or later sensor is also updated with the Juniper Networks Recommended policy. IDP 4.0 Sensors cannot use the Recommended policy.
  • Page 167: SA And IC Devices

    The SSH port must be configured in the device. The default SSH port is 22. The DMI agent admin realms must be configured and an admin user must be mapped to a role with full admin privileges.
  • Page 168: Adding Devices With Dynamic IP Addresses

    Click the Add icon and select Device to open the Add Device wizard. Select Device Is Not Reachable, and then click Next. Enter a name for the device and select a color to represent the device in the UI.
  • Page 169 Device. The Job Information box displays the job type and status for the import; when the job status displays successful completion, click Close. After the import finishes, double-click the device to view the imported configuration.
  • Page 170: IDP Sensors

    NSM. This ID number represents the device within the management system. The wizard automatically provides this value. b. Specify the First Connection One Time Password (OTP) that authenticates the device.
  • Page 171: Device

    See “Managing Large Binary Data Files (Secure Access and Infranet Controller Devices Only)” on page 275 for details.
  • Page 172 Access Administration Guide. For complete details on installing and configuring Infranet Controller devices, see the Unified Access Control Administration Guide. Add the Device in NSM To add the device in the NSM UI, follow these steps:
  • Page 173 Device Manager list. Verify in the Device List tab that the new device is visible and has the connection status “Never connected.” Convey the unique external ID and the one-time password to the device manager.
  • Page 174 Right-click the device in the Device Manager and select Import Device from the list. In the Device Import Options dialog, check Summarize Delta Config if desired. Click OK, and then click Yes. The Job Information window shows progress. You can also monitor progress in Job Manager.
  • Page 175: Adding And Importing A Junos Device With A Dynamic IP Address

    To add a J Series or SRX Series device or an SRX virtual chassis, select J/SRX Series from the list. To add an EX Series device or virtual chassis, select EX Series. To add an M Series or MX Series device, select M/MX Series.
  • Page 176 Log on to the Junos device. At the command-line prompt, identify the management system by device name, device ID, and HMAC. For devices running the 9.0 version of the operating system, use the following command syntax:
  • Page 177 If the configuration status shows “device firmware mismatch,” you selected the wrong managed OS version when adding the device into NSM. Delete the device from NSM and add it again using the correct managed OS version.
  • Page 178: Verifying Imported Device Configurations

    Ensure that imported device administrator name and password are correct for the physical device. NOTE: All passwords handled by NSM are case-sensitive. Ensure that interfaces on the imported device are correct for the physical device.
  • Page 179: Using Job Manager

    CLI commands or XML messages to send to the physical device during the next device update. For a just-imported device, the configuration summary report displays the device configuration that matches the configuration currently running on the physical device.
  • Page 180: Modeling Devices

    Model the device in the UI. Create the device object configuration. Activate the device. Update the device configuration. For details on modeling multiple devices at one time, see “Adding Many Devices Using CSV Files” on page 169.
  • Page 181: Modeling A Device

    For EX Series switches, check Virtual Chassis if you wish to model a virtual chassis (an array of EX4200 series switches). For an SRX virtual chassis check Virtual Chassis if you wish to model an SRX virtual chassis.
  • Page 182: Creating A Device Configuration

    NSM, you can install the configuration you created on the device. Devices with Static IP Addresses A static IP address is an IP address that does not change. ScreenOS Devices To activate a ScreenOS 5.0 or later device with a static IP address:
  • Page 183 “Modeled”, indicating that the management system is waiting for the device to be activated. Right-click the device and select Activate Device to display the Activate Device wizard. Select Device deployed and IP is reachable.
  • Page 184 If you do not update the configuration now, you will have to do it manually later by right-clicking the device and selecting Update Device. Updating the device also pushes the Juniper Networks Recommended policy to the device. After update is complete, the device status displays as “Managed”, indicating that the device has connected and the management system has successfully pushed the device configuration.
  • Page 185: Devices With Dynamic Ip Addresses

    Specify the First Connection One Time Password (OTP) that authenticates the device. NOTE: All passwords handled by NSM are case-sensitive. Edit the Device Server Connection parameters, if desired. Click Next. The Specify device connections characteristics dialog box opens.
  • Page 186 Install the device and configure it with logon credentials for the NSM administrator: Connect the device to the network and configure one of the interfaces so that the device can reach the NSM device server.
  • Page 187 <name> secret <string> services netconf device-id <external-id from nsm> <NSM device server ip> port 7804 For example: % set system services outbound-ssh application-id nsm-wei secret 123456789 services netconf device-id abcdef 10.150.42.16 port 7804
  • Page 188 Update the device configuration by right-clicking the device and selecting Update Device. The Job Information box displays the job type and status for the update. When the job status displays successful completion, click Close.
  • Page 189: Using Rapid Deployment (ScreenOS Only)

    Enters the basic information that defines how a security device can contact your NSM Device Server. Generates a small, static command file called a configlet. Saves the configlet in a user-defined directory, using email, CD, or another out-of-band method.
  • Page 190 Device Manager, or by checking the configuration status in Device Monitor. The status should display “Modeled”, indicating that the management system has modeled the device, but the device is not activated and has not connected.
  • Page 191: Creating The Configlet

    For devices that use a PPPoE connection to the Internet, you can predefine the user name and password, or ask the onsite administrator to specify the user name and password during configlet installation. NOTE: All passwords handled by NSM are case-sensitive.
  • Page 192 If you don’t know the ISP environment or the environment has location-specific networking requirements, prompt the onsite administrator to configure the ISP environment during configlet installation. Specify the password for the configlet, or use the default device password (which is netscreen
  • Page 193: Installing The Configlet

    The onsite administrator performs RD in two stages: Preparing the security device Installing the configlet The following sections detail each stage. For detailed, step-by-step instructions on installing the configlet, see the Rapid Deployment Getting Started Guide.
  • Page 194: Preparing The Device

    NSM management. If prompted, enter the configlet password and click Next. The configlet password is given to you by the NSM administrator who sent you the configlet file. Click Next.
  • Page 195: Updating The Device Configuration

    Ensure that the device is connected by viewing the device status. Check the device configuration status by holding your mouse cursor over the device in Device Manager,
  • Page 196: Summarize Delta Configuration

    From the Device Manager launchpad, select Update Device to open the Update Device(s) dialog box, listing all connected and managed devices. Select two devices you want to update. Select Run Summarize Delta Config (if deselected), and then click Apply Changes.
  • Page 197: Option

    A Virtual System (vsys) is a virtual device that exists within a physical security device. The vsys device functions as a completely separate security device. The physical device, called the root device, can contain multiple vsys devices. The following Juniper Networks security devices can be root devices:...
  • Page 198: Figure 32: Connecting Vsys Devices Across Domains

    Import the vsys devices—To import a vsys device, use the Add vsys wizard to add the vsys device. If you are adding multiple vsys devices to the same domain, you can add them all at once. To import a vsys device:
  • Page 199: Modeling Vsys Devices

    In Device Manager, select Devices. Click the Add icon and select vsys Device. The Add Device wizard appears. Select the root device for the vsys. Select a color to represent the vsys in the UI.
  • Page 200: Adding L2V Root Systems

    Adding L2V Root Systems The NetScreen-5000 series security devices running ScreenOS 5.0 L2V also support vsys transparent mode, also known as layer 2 vsys, or L2V vsys. The VLAN Trunk vsys
  • Page 201: Adding An Extranet Device

    ScreenOS and IDP Devices Guide. Adding an Extranet Device An extranet device is a firewall or VPN device that is not a Juniper Networks security device. If you use devices from multiple manufacturers, you can add extranet devices to NSM to represent your heterogeneous network environment. After you have added the extranet device to the NSM UI, you can use the device in groups, security policies, and VPNs.
  • Page 202: Adding A Cluster Device Object

    After creating the cluster object, add the members of the cluster. In Device Manager, select Devices, right-click the Cluster device, and then select New > Cluster Member. The Add Cluster Member wizard appears. Follow the instructions in the wizard to import or add a new cluster member.
  • Page 203: Adding ScreenOS Or IDP Clusters

    You can have no more than two cluster members in active/passive mode. In active/active mode you can have up to eight members in a Secure Access cluster, or up to four members in an Infranet Controller cluster.
  • Page 204 Provide the cluster name, color of the icon, OS name, platform, and managed OS version. The OS name, platform, and OS version must match those on the physical devices. In NSM, add each cluster member.
  • Page 205: Through Reachable Workflow

    Admin User Name—Administrator user name created for the device. Password—Administrator password created for the device. NOTE: The SSH port number for a cluster member is 22 by default, and the port number cannot be modified.
  • Page 206: Adding Clusters Of Routers Running Junos OS

    Members” on page 161. Adding and Importing a Junos Cluster on page 157 Adding a Junos Cluster with Modeled Cluster Members on page 157 Activating and Updating a Modeled Junos Cluster on page 158
  • Page 207: Adding And Importing A Junos Cluster

    At that point, you provide the remaining information necessary for managing the device through NSM, such as the first connection one-time password, the NSM administrator username and password, and the Device Server IP address. To add a cluster with modeled cluster members:
  • Page 208: Activating And Updating A Modeled Junos Cluster

    Push the modeled configuration to the device by right-clicking any cluster member icon and selecting Update Device from the list. You need to push the configuration only to the primary cluster member, because software on the cluster ensures that both cluster members are synchronized.
  • Page 209: Figure 33: Adding A Secure Access Cluster

    Enter the cluster-level information into the New Cluster dialog box as shown in Figure 33 on page 159. Figure 33: Adding a Secure Access Cluster Click OK. The new cluster appears in the Device Manager.
  • Page 210: Adding The Cluster Members

    Fill out the Backup Server and Backup Port fields if a high availability Device Server is configured. In the Device ID field, enter the unique external ID provided by the NSM administrator. In the HMAC field, enter the one-time password, also provided by the NSM administrator.
  • Page 211: Importing The Cluster Configuration

    Select Device Manager > Devices, and then click the Add icon and select Cluster from the list. The add cluster wizard starts. Enter the cluster-level information into the New Cluster dialog box as shown in Figure 34 on page 162.
  • Page 212: Figure 34: Adding A J Series Cluster

    Check the Keep Adding Other Cluster Members box and leave the Member ID as 0. Figure 35: Adding the First Member to a J Series Cluster Click Next to finish adding the first member.
  • Page 213: Figure 36: Adding The Second Member To A J Series Cluster

    If you expand the cluster icon in the Device Manager, you will see the new cluster members, as shown in Figure 36 on page 172. Figure 37: Cluster Member Icons Activating the Cluster Members When the cluster has been properly installed, activate the cluster as follows:
  • Page 214 <external-id from nsm> <nsm device server ip> port 7804 For example: set system services outbound-ssh client nsm-wei secret 123456789 services netconf device-id abcdef 10.150.42.16 port 7804 Establish the SSH connection with the network management system.
  • Page 215: Updating The Cluster

    151. (You add members later.) The UI also creates a vsys cluster member for each vsys device that uses the cluster as its root device. The vsys cluster member contains local information; the cluster
  • Page 216: Example: Adding A Vsys Cluster

    Configure the cluster members OfficeA and OfficeB as shown in Figure 38 on page 167. As you add each cluster member, NSM automatically creates both the cluster member and the vsys cluster member.
  • Page 217: Figure 38: Configuring Cluster Members For Paris Vsys Cluster

    Configure the NSM and ScreenOS name as Paris V2 and select global as the domain. Click Next to continue. d. Configure the vrouter for the vsys as the Default Vrouter, and then click Next to continue. e. Click Finish to add the new vsys cluster device.
  • Page 218: Figure 39: Paris Cluster Members And Paris Vsys Cluster Members

    NSM, its name will be USA_10.204.32.155. Check the Use Host Name if Available checkbox if you want the device hostname to be used as the prefix. An IP subnet or range of IP addresses.
  • Page 219: Running A Device Discovery Rule

    Adding Many Devices Using CSV Files If your network includes a large number of devices, you can save time by adding multiple devices in a single workflow using the Add Many Device wizard.
  • Page 220: Creating The CSV File

    The required and optional values depend not only on how the device is deployed on your network—static IP addresses, dynamic IP addresses, or undeployed devices—but also on the device family. You must create a separate CSV file for the following devices:
  • Page 221: Table 23: CSV File Information For Devices With Static IP Addresses

    NOTE: You can model many ScreenOS devices, but you cannot activate many devices except when using the Rapid Deployment process. Juniper Networks provides CSV templates in Microsoft Excel format for each type of CSV file. These templates are located in the utils subdirectory where you have stored the...
  • Page 222: Table 24: CSV File Information For Devices With Dynamic IP Addresses

    OS Name (String): ScreenOS, SA, IC, junos-es (for J Series or SRX Series devices), junos (for M Series or MX Series devices), junos-ex (for EX Series devices)
  • Page 223 SSG5-ISDN, SSG5–SB, SSG5-ISDN-WLAN, SSG5-Serial, SSG5-Serial-WLAN, SSG5-v92, SSG5-v92-WLAN, SSG-20, SSG-20-WLAN, SSG-140, SSG-320, SSG-320M, SSG-350, SSG-350M, SSG-520, SSG-520M, SSG-550, SSG-550M With OS name junos: m7i, m10i, m120, m320, m40e, m7i, m320, mx240, mx480, mx960
  • Page 224 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6. With OS name Junos: 9.0, 9.1, 9.2, 9.3, 9.4, 9.5, 9.6. With OS name SA: 6.3, 6.4 With OS name IC: 2.2, 3.0 Transparent Mode String on, off
  • Page 225: Table 25: CSV File Information For Undeployed Devices

    Table 25: CSV File Information for Undeployed Devices (columns: Field Name, Type, Required, Acceptable Values). Name (String): valid characters. Color (String): black, gray, blue, red, green, yellow, cyan, magenta, orange, pink. OS name (String): ScreenOS.
  • Page 226 Device Admin Name (String). Device Admin Password (String): must be a minimum of 9 characters. Telnet Port (Integer): default 23. SSH Port (Integer): default 22. Restrict to Serial Number (String): on, off.
  • Page 227: Validating The Csv File

    UI and make the necessary changes. Importing Many Devices The import process differs between devices that use static IP addresses and devices that use dynamic IP addresses:
  • Page 228: Adding And Importing Many Devices With Static IP Addresses

    Specify the output directory for the file. For each valid device configuration that uses a dynamic IP address, NSM creates a .cli output file. By default, the .cli file is saved to the following GUI Server directory:
  • Page 229: Modeling Many Devices

    After that device has made contact with NSM, you can install the modeled configuration you created on the physical device. For details on activating a device, see “Activating a Device” on page 132.
  • Page 230: Using Rapid Deployment

    Device Manager, or check the configuration status in Device Monitor. Ensure that the configuration status for the device displays “Update Needed”, which indicates that the device has connected but the management system has not yet updated the device configuration.
  • Page 231: Activating Many Devices With Configlets

    You can group devices by type (such as all the NetScreen-5GTs in a domain), by physical location (such as all the security devices in
  • Page 232: Example: Creating A Device Group

    In the navigation tree, select Device Manager > Devices. Click the Add icon and select Group from the list. The New Group dialog box displays all existing devices for the current domain in the Non-members list. In the Name field, enter Sales.
  • Page 233: Setting Up Nsm To Work With Infranet Controller And Infranet Enforcer

    If you do not have one already, create a CA certificate for each Infranet Enforcer. Create a certificate signing request (CSR) for an Infranet Controller server certificate, and use the CA certificate to sign the server certificate. Import the server certificate into the Infranet Controller.
  • Page 234 In the New Subdomain dialog box, enter an appropriate name for the subdomain so you know what it will be used for, and then click OK. From the drop-down list on the top left side, select your new domain. The new domain is empty.
  • Page 235: Avoiding Nacn Password Conflicts

    If there are, that means that the Infranet Controller has changed something on the Infranet Enforcer since you last imported the device configuration. If you do not reimport the configuration, be sure to update the Infranet Controller and Infranet Enforcer at the same time.
  • Page 237: Chapter 5 Configuring Devices

    Configuring Devices The Device Manager module in Network and Security Manager (NSM) enables you to configure the managed Juniper Networks devices in your network. You can edit configurations after you add and import a managed device, or create configurations when you model a device.
  • Page 238: About Device Configuration

    NSM to the device itself. At that point, the edited configuration becomes active. About Configuring Clusters, VPNs, Vsys Devices, Policies, and Shared Objects: In addition to configuring specific devices, NSM also enables you to configure clusters, VPNs, vsys devices, policies, and shared objects:
  • Page 239: Configuring Devices

    See “Editing Devices Using the Device Editor” on page 190 for details. About Device Templates: A template is a predefined set of configuration values that helps you reuse common information. A device object can refer to multiple templates, and you can use templates
  • Page 240: About Configuration Groups

    For details see “Using Configuration Groups” on page 223 and “Using Configuration Groups with Templates” on page 230. Editing Devices Using the Device Editor: To configure device information in NSM, select Device Manager > Devices, select the device, and then click the Open icon.
  • Page 241: Figure 40: Device Info And Configuration Tabs

    NSM. Templates—All templates available to the device family to which the device belongs. See “Using Device Templates” on page 198 for details. Device Admin—Polling interval for alarm statistics.
  • Page 242: Figure 41: Screenos And Idp Device Configuration Information

    For details about using device templates, see “Using Device Templates” on page 198. For information about configuration groups, see “Using Configuration Groups” on page 223.
  • Page 243: Table 26: Validation Icons

    Select the device object and then click the Edit icon. Right-click the device object and select Edit. For ScreenOS and IDP devices, the device navigation tree appears on the left, listing the device configuration parameters by function.
  • Page 244: Figure 42: Screenos Device Object Configuration Data

    Configuring ScreenOS/IDP Device Features: The device configuration tree for a ScreenOS or IDP device looks similar to the example in Figure 42 on page 194. Figure 42: ScreenOS Device Object Configuration Data
  • Page 245 If you need to make any of the above changes to the managed device, use the Web UI or CLI to make the changes locally, and then reimport the device configuration into the NSM UI.
  • Page 246: Figure 43: Secure Access Device Object

    Figure 43: Secure Access Device Object. For details about configuring Secure Access devices, see the Configuring Secure Access Devices Guide (http://www.juniper.net/techpubs/en_US/nsm2010.4/information-products/pathway-pages/secure-access-devices/index.html). For details about configuring Infranet Controller devices, see the Configuring Infranet Controllers Guide (http://www.juniper.net/techpubs/en_US/nsm2010.4/information-products/pathway-pages/infranet-controller-devices/index.html).
  • Page 247: Configuring Junos Device Features

    Execute device-specific troubleshooting commands. Use the technical support service that allows packaged collections of information for remote analysis by Juniper Networks Technical Assistance Center (JTAC). Reboot the device. The view of the configuration from NSM might also be missing data configured in large binary files.
  • Page 248: Updating The Configuration On The Device

    A template contains all possible fields for all possible devices within a device family. NSM provides different templates for: ScreenOS/IDP devices; Secure Access devices; Infranet Controller devices; J Series devices (includes SRX Series devices); M Series and MX Series devices; EX Series devices.
  • Page 249: Modifying Values In Templates

    You can modify a template that has already been applied to one or more device configurations. When you change a field value in a template, the device objects that reference the template also change.
  • Page 250: Example: Creating And Applying A Device Template For Dns Settings

    For Primary DNS Server IP, enter 1.1.1.1. For Secondary DNS Server IP, enter 2.2.2.2. For DNS Refresh Schedule, select Refresh Daily. Leave all other default settings. The From Object icon shows where the values are set.
  • Page 251: Figure 44: Example Of Setting Values In A Template

    In the device navigation tree, select Info > Templates. The templates configuration screen appears. Click the Edit icon. The Edit Templates dialog box appears. Select the DNS template.
  • Page 252: Figure 45: Applying A Template

    To promote a device configuration to a template, in the left panel of the device editor, right-click on the configuration node you want to promote to a template, and select
  • Page 253: Figure 46: Template Override Icon

    An example is shown in Figure 47 on page 203. Figure 47: Revert to a Template or Default Value. A device-specific configuration value always overrides a template value.
  • Page 254: Reverting A Configuration To Default Values Of A Template

    The lower a template appears in the template list, the higher priority it has when applying values to a device configuration.
  • Page 255: Example: Using Multiple Device Templates

    Select Destination IP Based Session Limit and set the Threshold to 4000. Click OK to save the new zone. h. Click OK to save the new device template. Apply the DoS template to a device configuration for a NetScreen-208 running ScreenOS 5.0:
  • Page 256: Figure 48: View Denial Of Service Defense Values From Dos Template

    In the template navigation tree, select Network > Zone. The Zone configuration screen appears. d. Click the Add icon in the Zone configuration screen and select Pre-Defined Security Zone—trust|untrust|dmz|global. The Predefined Zone dialog box appears.
  • Page 257: Figure 49: Configure Dos Defense Settings For The Dos2 Template

    Currently, the DoS2 template has the higher priority, which enables it to override any similar values set by the DoS template, as shown in Figure 50 on page 208. The DoS2 template overrides similar values set in the DoS template.
  • Page 258: Figure 50: View Template Priority (Dos Highest)

    Source IP Based Session Limit field, the higher threshold value from DoS2 appears in the device configuration because you assigned the DoS2 template a higher priority than the DoS template. Figure 51: View Values from DoS and DoS2 Templates
  • Page 259: Figure 52: View Dos2 Value For Source Ip Based Session Limit

    VPNs—Each centrally managed VPN that the device belongs to also reduces the maximum number of templates by one. Referenced templates—Each referenced template (a template referred to by another template) reduces the maximum number of templates by one. For example, a device
  • Page 260: Device Groups

    If you create a zone in a template and apply the template to a device, you cannot change the
  • Page 261: Figure 55: Up And Down Arrows For Changing The Sequence Of A List

    The default order of entries in a list depends on their order in the template, their order in the device object, their order in a configuration group, and their order on the device itself.
  • Page 262: Order

    Adding a template; deleting a template from the device object; adding or inserting new list entries in the template; adding or inserting new list entries in the device.
  • Page 263: Rules For Reordering Lists

    (Table columns: Template Sequence, Device Sequence, Matching Subsequence; the entries are not reproduced in this summary.) Change: Now reverse the first three items in the template sequence. Because the reordering takes place within what was the matching subsequence, the new sequence is transferred to the device:
  • Page 264 (Table columns: Template Sequence, Device Sequence, Matching Subsequence: None.) Change: Now reverse the first two entries in the template sequence. Because there is no matching subsequence, the order in the device remains unchanged. The rule is implemented this
  • Page 265 Example 2: In the following example, the device has reordered the entries that it inherited from the template. The user then inserts a new entry into the template. (Table columns: Template Sequence, Device Sequence.)
  • Page 266: Configuration Group Order

    Figure 56 on page 217 shows a template and a device configuration to which it has been applied. The template provides six entries in the order a, b, c, d, e, f. In the regular device
  • Page 267: Figure 56: Identifying Ordered List Entries That Do Not Match The Template

    Using the Template Operations Directive: The Template Operations directive allows you to add templates or remove templates for multiple devices at one time, and to validate configurations after changes.
  • Page 268: Figure 57: Template Operations Directive

    Select Template Section: Select one or more templates to apply to the selected devices. Use the edit button to open the Select Templates dialog box. Check one or more check boxes to select templates.
  • Page 269: Figure 58: Select Template Dialog Box

    Normally, template values do not override manually set values. Report irrelevant template values—Reports any values that are set in templates but that are not used on the selected devices. A template might provide values for features
  • Page 270: Template Operations Box Recommended Workflow

    Later templates can override the settings of earlier templates. Select Don’t change templates. If you want, you can select one or more of the following validation and reporting options:
  • Page 271: Figure 59: Template Operations Job Information Dialog Box

    Repeat the operations specified in Step 1, but specify one of the Add templates buttons. If desired, also check the Remove conflicting device values check box. Removing Templates with the Template Operations Directive: To remove one or more templates from one or more devices, follow these steps:
  • Page 272: Exporting And Importing Device Templates

    Select the templates you want the saved template settings to be applied to. Select the saved template you want to import. The settings in the saved template are imported into the NSM template. Refer to the Network and Security Manager Online Help for detailed procedures.
  • Page 273: Using Configuration Groups

    Identify the origin of values derived from configuration groups; that is, identify which configuration group a value came from. Support the specification of configuration groups in templates. See “Using Configuration Groups with Templates” on page 230 for details.
  • Page 274: Creating And Editing Configuration Groups

    In the Speed field, set the speed to 100m. A tooltip icon appears next to the Speed field. This icon indicates that its value has been set in the configuration group. Click OK to save the interface definition.
  • Page 275: Figure 60: Adding A Configuration Group

    225. Mouse over the icons to see a summary of what has been set and where the information came from. Figure 60: Adding a Configuration Group. Click OK to save the configuration group. The new configuration group appears in the Config Groups List.
  • Page 276: Editing A Configuration Group

    The following example applies the configuration group defined in “Creating a Configuration Group” on page 224 to the device object configuration.
  • Page 277: Figure 61: Applying A Configuration Group

    NOTE: The first configuration group in the list has the highest priority. This convention is the reverse of the ordering for templates, where the last template in the list has the highest priority. Figure 62: Configuration Group Applied
  • Page 278: Figure 63: Excluding A Configuration Group

    When you edit an entity that was derived from a configuration group, the new value overrides the value derived from the configuration group. The tooltip icon changes so you can easily identify which entries have been overridden,
  • Page 279: Deleting A Configuration Group

    Annotations from the configuration listing on this page (the configuration statements themselves are not reproduced in this summary):
      # from the regular configuration
      # merger of data from regular configuration and configuration group K (regular configuration takes precedence)
      # from configuration group J
      # merger of data from configuration groups J and K (J takes precedence)
  • Page 280: Reordering Lists

    The use of configuration groups enhances the capabilities of templates, for example, by allowing you to set the same field value on all interfaces across multiple devices by using the configuration group wildcard feature.
  • Page 281 In the New dialog box, name the new group, for example, group1. Expand Interfaces, select Interface, and click the Add icon. Name the interface with the wildcard character by typing <*> in the Name field.
  • Page 282 Configuration listing (the start of the listing is cut off in this summary):
        3k; }                     # wildcard matches all interfaces
    interfaces {
        apply-groups group1;      # apply-groups takes a list
        fe-0/0/0 { mtu 6k; }
        fe-0/0/1 { mtu 4k; }
    Configure some interfaces in the device object.
  • Page 283 Therefore, it takes the value from the wildcard setting in the configuration group. Push the configuration to the device using the Update Device directive: In the Device Manager, click Devices.
  • Page 284: Configuring Clusters

    See “Editing Devices Using the Device Editor” on page 190 for details about editing a configuration. Configuring Cluster Objects Using Templates: To configure a cluster object using a template:
  • Page 285: Configuring Member-Level Data In A Junos Cluster

    To configure member-level data in a J Series cluster, follow these steps: In the Device Manager, select Devices. From the list of devices, select the cluster whose member you want to configure, and then click the Edit icon. In the Configuration tab, select Config Groups.
  • Page 286: Configuring Junos Devices With Redundant Routing Engines

    In the navigation tree, select Device Manager > Devices. In the Device Tree, double-click the Junos router with redundant Routing Engines. In the Configuration tab of the device editor, select Config Groups List.
  • Page 287: Figure 64: Configuring Routing Engine Specific Parameters

    Engine. See Figure 65 on page 238 and follow these steps: In the navigation tree, select Device Manager > Devices. In the Device Tree, double-click the Junos router with redundant Routing Engines. In the Info tab of the device editor, select Routing Engine Configuration.
  • Page 288: Figure 65: Viewing The Routing Engine Configuration

    One of the VRRP routers acts as the master and the others are backups. If the master fails, one of the backup routers becomes the new master, providing a virtual default router and ensuring that traffic on the LAN is continuously routed.
  • Page 289: Platforms On Which Nsm Supports Vrrp

    VRRP. You can enter the IP mask for the VRRP. A new page is added under the VSI Protocol subtree for configuring VRRP parameters. NSRP cluster settings are disabled on the new VRRP page.
  • Page 290: Managing Configuration Files

    UI. Select Config File Management > Diff Running Config File to compare the running configuration on the device with the latest available version in the database. The display highlights the differences.
  • Page 291: Automatic Import Of Configuration Files

    NSM to have different versions of the device configuration. You can enable or disable the automatic import of config files and track those devices on which the feature is enabled. You can also see the status of the config file versions.
  • Page 293: Chapter 6 Updating Devices

    Updating Devices This chapter explains how to update the running configuration (the configuration on the device) with the modeled configuration (the configuration in the Juniper Networks Network and Security Manager (NSM) UI). This chapter also describes the events that can require you to update your device, as well as NSM tools that help you to track, verify, and preview the update process.
  • Page 294: How The Update Process Works

    For example, malicious traffic might have entered your network, requiring you to update the security policy for the device to detect and prevent that attack.
  • Page 295: Updating Devices

    If the device cannot execute a command, NSM resets the device, unlocks the active configuration, and restores the saved active configuration to the device (the device reboots). After rebooting, the device sends a final error message to the management
  • Page 296 15 seconds; these messages appear in the Job Manager status window for the update. During the update, the Job Manager status window displays other messages, depending on the success of the update:
  • Page 297: Devices

    Unlike ScreenOS devices, however, DMI-compatible devices do not need to reboot in order to roll back. If the connection between the device and NSM remains up throughout the Update Device operation, but the update itself fails, the DMI device will keep the original
  • Page 298: Knowing When To Update

    To overwrite the existing configuration on the physical device, update the physical device with the modeled configuration in NSM. To overwrite the modeled configuration in NSM, import the existing configuration from the physical device. NSM does not support delta updates from the device.
  • Page 299: Verifying Device Status In Device Monitor

    NSM and is awaiting manual import. Update Needed—Indicates that the running configuration is not the same as the modeled configuration, and the device is connected to NSM. You must update the
  • Page 300 Although you cannot synchronize delta changes, you can run a delta configuration summary (see “Using a Delta Configuration Summary” on page 253) to identify the differences, then manually make the changes to the modeled configuration, and then update the device.
  • Page 301: Verifying Device Status In Device Manager

    For example: To track all events for a specific time period, create a filter on the timestamp column; when applied, the filter displays only the log entries that fall within the specified time period.
  • Page 302: Identifying Administrative Changes

    Using Preview Tools: When you update a managed device, you overwrite the existing configuration that is running on the physical device. Therefore, it is important to verify a configuration before sending it to the device.
  • Page 303: Running A Configuration Summary

    A delta configuration summary compares the active configuration on the ScreenOS or DMI-compatible device with the modeled configuration in NSM and displays the differences between the two configurations. The delta configuration summary produces four sets of data. See Table 28 on page 254.
  • Page 304: Table 28: Delta Configuration Summary Information

    Specifically, review the commands in the section “Config to be sent to device on next Update Device”; when you update the device, these are the commands that NSM uses to overwrite the running configuration.
  • Page 305: Figure 66: Delta Configuration Summary Example

    A sample delta configuration summary for a ScreenOS device is shown in Figure 66 on page 255. Figure 66: Delta Configuration Summary Example. Occasionally, the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled configuration. In some
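    Because an update overwrites the running configuration, the guide tells you to review the "Config to be sent to device on next Update Device" set before pushing, and warns that the report can show discrepancies that do not really exist. The script below is an added example, not NSM code and not a reproduction of Table 28: it builds that one set (modeled commands absent from the running configuration) plus the running-only commands from two ScreenOS-style command listings, and shows how normalizing each command (collapsing whitespace, dropping the quotes that "get config" output puts around names) keeps cosmetic differences from surfacing as phantom discrepancies. The two configurations are constructed sample input and the normalization rules are assumptions about the cause of such phantom differences, not NSM's own logic.

```python
"""Delta between a device's running config and the modeled config in NSM.

Added example; not NSM code and not Table 28. Computes "config to be sent"
(modeled minus running) and "running only" (running minus modeled) over
ScreenOS-style set/unset commands, with optional normalization.
"""
import re
from typing import Dict, List

_WS = re.compile(r"\s+")


def normalize(line: str) -> str:
    """Canonical form of one command: trimmed, single-spaced, names unquoted."""
    line = _WS.sub(" ", line.strip())
    return line.replace('"', "")   # assumption: quoting is cosmetic, not semantic


def _commands(text: str, canonical: bool) -> List[str]:
    """Keep only set/unset lines, in their original order."""
    out: List[str] = []
    for raw in text.splitlines():
        cmd = normalize(raw) if canonical else raw.strip()
        if cmd.startswith(("set ", "unset ")):
            out.append(cmd)
    return out


def delta_summary(running: str, modeled: str,
                  canonical: bool = True) -> Dict[str, List[str]]:
    """Return the three command sets, each preserving its source order."""
    run = _commands(running, canonical)
    mod = _commands(modeled, canonical)
    run_set, mod_set = set(run), set(mod)
    return {
        "config_to_send": [c for c in mod if c not in run_set],   # would be pushed
        "running_only": [c for c in run if c not in mod_set],     # would be lost
        "unchanged": [c for c in mod if c in run_set],
    }


# Constructed sample: the device quotes names and double-spaces one line;
# the modeled config adds logging to policy 1 and drops a custom service.
RUNNING_CONFIG = """
set hostname  "fw-branch-01"
set interface "ethernet1" ip 10.1.1.1/24
set interface "ethernet1" zone "trust"
set service "mgmt-web" protocol tcp src-port 0-65535 dst-port 8443-8443
set policy id 1 from "trust" to "untrust" "Any" "Any" "HTTP" permit
"""
MODELED_CONFIG = """
set hostname fw-branch-01
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 zone trust
set policy id 1 from trust to untrust Any Any HTTP permit log
"""

if __name__ == "__main__":
    for label, canonical in (("raw", False), ("normalized", True)):
        d = delta_summary(RUNNING_CONFIG, MODELED_CONFIG, canonical)
        print(f"[{label}] to send: {len(d['config_to_send'])}, "
              f"running only: {len(d['running_only'])}")
        for cmd in d["config_to_send"]:
            print("  + " + cmd)
        for cmd in d["running_only"]:
            print("  - " + cmd)
```

    The raw comparison reports every line as different; the normalized one leaves exactly the two real changes, which is what you want to eyeball before an update, and the "running only" list is the configuration an update would silently remove.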
  • Page 306: Performing An Update

    Apply Changes. NSM begins updating the selected devices or device groups with the modeled configuration. After updating: Review the information in the Job Information window to determine whether the update was successful.
  • Page 307: Retrying A Failed Update

    Show Unconnected Devices in Device Selection Dialog—When enabled, the NSM UI displays devices that are not connected to the management system in the Update Devices dialog box (which appears when you attempt to update the configuration for a managed device).
  • Page 308: Update Options For Dmi-Compatible Devices

    Job Information window. The command you send is called a directive. Job Manager tracks the progress of the directive as it travels to the device and back to the management system. Each job contains:
  • Page 309: Figure 67: Job Manager Module

    Expand All displays all devices associated with a directive type. Collapse All displays only the directive type. Job Type (Directive) List—Displays the job type (directives) and the associated timestamp and completion status information. All current and completed jobs appear, including device
  • Page 310: Figure 68: Job Information Dialog Box

    Number of Jobs Completed—The number of jobs completed out of the total number of jobs. Percent Complete—The percentage of total jobs successfully executed. When performing multiple jobs on multiple devices, this field displays the percentage complete
  • Page 311: Table 29: Device States During Update

    Device has successfully been updated with the modeled configuration. Failed: Device has not been successfully updated with the modeled configuration. The Output pane of the Job Manager dialog box displays error messages and error codes.
  • Page 312: Understanding Updating Errors

    Job Manager information window. For successful updates, no discrepancies are found or displayed. For failed updates, the output area lists the remaining discrepancies. For example, a failed update job is shown in Figure 69 on page 263.
  • Page 313: Figure 69: Failed Update Job Dialog Box

    The delta configuration summary correctly detected a difference between settings on the managed device and settings in NSM. This error might be the result of a command that was disabled by another NSM administrator or a local device administrator.
  • Page 315: Chapter 7 Managing Devices

    Updating the Web Category List on page 300; Miscellaneous Device Operations on page 301; Managing ScreenOS Device Capabilities on page 307; Archiving and Restoring on page 313; Managing Device Schemas Through the Juniper Update Mechanism on page 314.
  • Page 316: Managing Device Software Versions

    Upgrading the Device Software Version: Upgrading the operating system is a three-step process: Download the new software image file from the Juniper Networks website to your computer running the client UI. Copy the image file to a repository on the GUI server using the NSM Software Manager, which you access from the Device Manager launchpad by selecting Manage Device Software (Select Tools >...
  • Page 317: Managing Devices

    Data Model (ADM) when the firmware is loaded onto the managed device. If you deselect this option, the firmware is loaded onto the device, but you cannot manage the device from the UI until the ADM is updated. For example, you might want to deselect this option
  • Page 318: Upgrading A Device Software Version From Nsm

    You must reconcile inventory to synchronize the device software inventory, then import and update the device. In a Major Upgrade: When you upgrade from one major release version to another, you can upgrade from:
  • Page 319: Adjusting The Device Os Version

    NSM does not support OS downgrades; you cannot use NSM to install an earlier version of a Juniper Networks OS than is currently running on the device. You must use the Web UI or CLI commands to downgrade a managed device, and then add the device to NSM again.
  • Page 320: Deleting The Device Os Version

    You must first obtain a license key from your value-added reseller (VAR) or from Juniper Networks. Then you can use the NSM UI to install the license key on the managed device.
  • Page 321: Installing License Keys On A Device

    When your license expires, NSM notifies you that your trial period is over and prompts you to install a new license. You can proceed with the NSM GUI login only after the installation of a valid permanent license.
  • Page 322: Viewing And Reconciling Device Inventory

    For a device with dual Routing Engines, NSM collects the inventory data from the master Routing Engine. To view the device inventory, the device must be in the “Managed” state. To view the device inventory, follow these steps:
  • Page 323: Figure 70: Viewing The Device Inventory

    Run the Inventory Diff tool to check for differences between the NSM database and the device inventory. To run this tool, follow these steps: In the Device Manager, select Devices, and then right-click the device you want to compare. Select View/Reconcile Inventory.
  • Page 324: Figure 71: Comparing The Device Inventory With The Nsm Database

    The inventory status also changes to “Out of Sync” if differences exist between the NSM database and the device inventory when the device reboots and reconnects, or when an Update Device directive is issued to the device. In either case, you can reconcile the
  • Page 325 Java applet that resides on a Secure Access device, and you have no intention of updating this applet. In this case, no shared object creation or file upload is necessary. NSM device objects will contain only the MD5 hash stub for these endpoints. Any delta configuration Copyright © 2010, Juniper Networks, Inc.
  • Page 326: Uploading And Linking Large Binary Data Files

    In the Binary Data dialog box, enter a name for the object, select a color for the object icon, add a comment if desired, and select the file you uploaded in Step 2. See Figure 72 on page 277. Click OK. Copyright © 2010, Juniper Networks, Inc.
  • Page 327: Figure 72: Adding A Shared Binary Data Object

    Navigate to the node in the configuration where you want to load the binary file. For example, to load an ESAP package, expand Authentication and then select Endpoint Security. In the Host Checker tab, select Endpoint Security Assessment Plug-Ins, and then click the Add icon. Copyright © 2010, Juniper Networks, Inc.
  • Page 328: Figure 73: Linking To A Shared Binary Data Object

    Secure Access or Infranet Controller device. Infranet Controller devices can use customized sign-in access pages. Secure Access devices can use customized sign-in access pages and customized sign-in meeting pages. Copyright © 2010, Juniper Networks, Inc.
  • Page 329: Creating A Custom Sign-In Page

    Enter a name for the sign-in meeting page. Select Custom Sign-in Page. Select a shared binary data object from the Template File list. Click OK once to save the link, and again to save the configuration. Copyright © 2010, Juniper Networks, Inc.
  • Page 330: Importing Antivirus Live Update Settings

    Uploading Live Update Settings: Retrieve the latest AV live update file from the Juniper Networks Downloads Web site:
    https://download.juniper.net/software/av/uac/epupdate_hist.xml
    Also retrieve the latest patch file:
    https://download.juniper.net/software/hc/patchdata/patchupdate.dat
    Linking to a Live Update File Shared Object...
  • Page 331: Linking to an ESAP Package Shared Object

    For example, a Host Checker policy package might contain:
    META-INF/MANIFEST.HCIF
    hcif-myPestPatrol.dll
    hcif-myPestPatrol.ini
    Upload the Host Checker package to the NSM shared object. You can upload multiple policy packages to NSM shared objects, each containing a different MANIFEST.HCIF file.
  • Page 332: Linking to a Third-Party Host Checker Policy Shared Object

    To create a link from a Secure Access device configuration tree to a shared object containing a secure virtual workspace wallpaper image, follow these steps: In the Device Manager, double-click the Secure Access device to open the device editor, and then select the Configuration tab. Expand Authentication.
  • Page 333: Importing Hosted Java Applets (Secure Access Devices Only)

    Configuration tab. Expand Users. Expand Resource Profiles. Select Hosted Java Applets, and then click the Add icon in the right pane. Give the applet and file each a name.
  • Page 334: Importing a Custom Citrix Client .cab File (Secure Access Devices Only)

    RMA state and do a full restore after activation. NOTE: NSM users who have the privileges to import a device can perform a backup operation. NSM users who have the privileges to update a device can perform a restore operation.
  • Page 335: Backing Up an SA or IC Device

    The default value is 3 while the maximum allowed is 5 versions. Select the Purge Config File versions checkbox to automatically purge older backed-up versions of the device after the maximum limit of backup versions has been
  • Page 336: Viewing Backed Up Versions for an SA or IC Device

    RMA state and select RMA Device. The Confirm RMA Device dialog box appears. Click OK. The Latest Backup Details dialog box appears. (If no backup exists, you are prompted to take one before proceeding.)
  • Page 337: Activating an SA/IC Device Set to the RMA State

    The device administrator must make a Telnet connection to the physical device, paste the commands, and execute them to enable NSM management of the device. Click OK to dismiss the Commands window and complete the Activate Device wizard.
  • Page 338: Performing a Full Restore of an SA or IC Device

    IP address assigned for the user's Network Connect session (shown only for SA devices). If you have not queried active user sessions using this dialog box, the bottom half of the dialog box will be empty.
  • Page 339: Activating Subscription Services

    To use some Juniper Networks services, such as internal AV or the Deep Inspection Signature Service, you must activate the service on the device by first registering the device, and then obtaining the subscription for the service. Even though devices with bundled AV services come with a temporary, preinstalled subscription, you must register your product and retrieve the subscription to receive your fully paid subscription.
  • Page 340: Updating the Attack Object Database

    To prepare for a local update, you manually download the attack object files from the Attack Object Database server (managed by Juniper Networks), then copy these files to a local directory on the GUI Server. Then, during the local update, you specify the path to these files.
  • Page 341 Chapter 7: Managing Devices. Obtain the attack update data file from the Juniper Networks Web site. Browse to https://services.netscreen.com/restricted/sigupdates/nsm-updates/NSM-SecurityUpdateInfo.dat and copy and paste the content from the URL into a text file called NSM-SecurityUpdateInfo.dat. Make sure the file has no HTML tags, RTF tags, or control characters (copying from a browser or saving from a word processor can introduce them). Use a text editor to confirm that there are no control characters in the file.
  • Page 342: Updating DI Attacks on ScreenOS 5.0 Devices

    In the main navigation tree, select Device Manager > Devices, and then double-click the device for which you want to configure the database. In the device navigation tree, select Security > AttackDB > Settings. For Attack Database Server, enter https://services.netscreen.com/restricted/sigupdates
  • Page 343: Using Updated Attack Objects

    When NSM detects that a managed device contains an older attack object database version than the one stored on the GUI Server, the UI displays a warning for that device, indicating that you should update the attack object database on the device.
  • Page 344: Manual Verification

    You must update the attack object database on the device using the procedure detailed in “Updating DI Attacks on ScreenOS 5.0 Devices” on page 292. For details on disabling attacks, see the Network and Security Manager Online Help topic, Configuring Firewall/VPN Devices.
  • Page 345: Versions

    Click Next, and then follow the instructions in the wizard to update the IDP engine on the selected device. NOTE: Updating the IDP engine on a device does not require a reboot of the device.
  • Page 346: Figure 74: Attack Update Summary

    Select Tools > View/Update NSM Attack Database. The Attack Update Manager wizard appears. Click Next. The Attack Update Summary displays information about the current version downloaded on the GUI Server and the latest version available from Juniper Networks. See Figure 74 on page 296.
    Figure 74: Attack Update Summary
    Click Cancel to exit the Attack Update Manager.
  • Page 347: Table 30: Scheduled Security Update (SSU) Command Line Parameters

    (managed by Juniper Networks), then specify the action you want the server to take. For a successful update, the device configuration must be “In-Sync”, meaning that the device is connected and that no configuration differences exist between the configuration on the physical device and the modeled configuration in NSM, or “Sync Pending”, meaning...
  • Page 348: Example: Update Attack Objects and Push to Connected Devices

    Type the following to update attacks, including specifying the post-action options for the update:
    guiSvrCli.sh --update-attacks --post-action <post-action options>
    Enter your domain/username and password when prompted. To configure a scheduled security update using crontab:
  • Page 349: Example: Using Crontab to Schedule Attack Updates

    Create a shell script called attackupdates.sh with the following contents:
    export NSMUSER=idp/idpadmin
    export NSMPASSWD=idpadminpassword
    /usr/netscreen/GuiSvr/utils/guiSvrCli.sh --update-attacks --post-action --update-devices --skip
    Make the script executable and readable only by its owner; it embeds the NSM administrator password in clear text:
    chmod 700 attackupdates.sh
    Run the crontab editor:
    crontab -e
    Add the script to the crontab (this entry runs it daily at 05:00):
    0 5 * * * /usr/netscreen/GuiSvr/utils/attackupdates.sh
  • Page 350: Viewing Scheduled Security Updates in the Job Manager

    Web categories (predefined by SurfControl) are used to create the default Web Filtering Profile object, which you can use in a firewall rule to permit or deny specific URL requests to or from your protected network.
  • Page 351: Miscellaneous Device Operations

    Upgrading the OS Version During an RMA-Activate Device Workflow on page 306
    Troubleshooting a BGP Peer Session on a Device on page 306
    Reactivating Wireless Connections on page 307
    Finding Usages on page 307
  • Page 352: Launching a Web UI for a Device

    Using the existing scheduled reboot functionality of Junos devices, NSM lets you choose one of the following options in the Reboot Device(s) window. Reboot now: causes an immediate reboot.
  • Page 353: Refreshing DNS Entries

    The Perform NTP Time Update dialog box appears. Select the devices or group of devices that should be synchronized with NTP servers. Click OK. The Job Information window displays the status of the synchronization.
  • Page 354: Setting the Root Administrator on a Device

    Enter the new password in the Password field and then reenter the password in the Confirm Password field. Click OK. For more details on managing device administrators, including the root administrator, see the Network and Security Manager Online Help topic, “Configuring Firewall/VPN Devices”.
  • Page 355: Failing Over or Reverting Interfaces

    Click OK. In the Device Monitor window, the device status is RMA. When the replacement device is installed, activate the device with the serial number of the replacement. For information about activating a device, see “Activating a Device” on page 132.
  • Page 356: Upgrading the OS Version During an RMA-Activate Device Workflow

    To perform these tests, you need to have configured a virtual router and the BGP dynamic routing protocol on the device, and enabled BGP on the virtual router and on the interface to the BGP neighbor.
  • Page 357: Reactivating Wireless Connections

    Click OK.
    Reactivating Wireless Connections: You can deploy a Juniper Networks NetScreen-5GT Wireless security device running ScreenOS 5.0.0-WLAN as a wireless access point (WAP). When you make changes to the wireless settings for the security device, you must update the device with your changes before the new settings take effect.
  • Page 358: Figure 75: Import/Update Architecture

    Your network may contain similar security devices that are running different ScreenOS versions. For example, a NetScreen-5XT may run ScreenOS 5.x, which supports the Routing Information Protocol (RIP), while another NetScreen-5XT runs ScreenOS 4.0.0r2,
  • Page 359: Data Model Updating

    ADM domain into device configuration information in a DM. The Device Server then translates the device configuration information in the DM into CLI commands and sends the commands to the device. See Figure 76 on page 310.
  • Page 360: Figure 76: Data Model Update

    The DM contains only the VPN information that relates to the specific device, not the entire VPN. During the device model update process: The GUI Server translates the object and object attributes in the ADM domain into device configuration information in a DM.
  • Page 361: Data Model Importing

    The GUI Server then translates the device configuration in the DM into objects and object attributes in the ADM, and uses the ADM to display current information in the management console.
  • Page 362: Figure 77: Data Model Importing

    DM with device configuration information. The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM. The GUI Server then reads the ADM and displays the current information.
  • Page 363: Archiving and Restoring

    Run the appropriate backup command on your Solaris or Linux platform to back up the GUI Server data. For example:
    tar -cvf /netscreen_backup/db-date.tar /var/netscreen/GuiSvr
    Run the appropriate backup command on your Solaris or Linux platform to back up the Device Server data.
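The tar command above does the essential step. The script below is an added example, not code from the Juniper guide, that performs the same archive step with two additions a practitioner wants when the archive holds GUI Server data (which includes device and administrator credentials): the archive file is created with mode 0600 before any data is written to it, and it is re-read after writing so a truncated tar is noticed now rather than during a restore. The Device Server path /var/netscreen/DevSvr is an assumption; the page names only the GUI Server directory.

```python
"""Archive the NSM GUI Server and Device Server data directories.

Added example, not code from the Juniper guide. It performs the same archive
step as the guide's command (tar -cvf /netscreen_backup/db-date.tar
/var/netscreen/GuiSvr) with two additions: the archive is created with mode
0600 before any data is written, because GUI Server data includes device and
administrator credentials, and the archive is re-read after writing so a
truncated tar is noticed now rather than during a restore. The Device Server
path /var/netscreen/DevSvr is an assumption; the page names only the GUI
Server directory.
"""
import datetime
import os
import pathlib
import sys
import tarfile

DEFAULT_SOURCES = {  # label -> directory; the DevSvr path is assumed, not from the page
    "GuiSvr": "/var/netscreen/GuiSvr",
    "DevSvr": "/var/netscreen/DevSvr",
}
DEFAULT_DEST = "/netscreen_backup"


def archive_directory(source: str, dest_dir: str, label: str, when=None) -> str:
    """Write <dest_dir>/<label>-<YYYYmmdd-HHMMSS>.tar containing source; return the archive path."""
    when = when or datetime.datetime.now()
    src = pathlib.Path(source)
    if not src.is_dir():
        raise FileNotFoundError(f"{source} is not a directory")
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    out = pathlib.Path(dest_dir) / f"{label}-{when:%Y%m%d-%H%M%S}.tar"
    # O_EXCL refuses to overwrite an earlier archive; 0o600 closes the file to other
    # users before the first byte of credential-bearing data reaches it.
    fd = os.open(out, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as tar:
        # GNU tar strips the leading "/" and stores var/netscreen/GuiSvr; do the same.
        tar.add(src, arcname=str(src).lstrip("/"))
    return str(out)


def verify_archive(path: str) -> list:
    """Return the member names of an archive; raises tarfile.TarError if it cannot be read."""
    with tarfile.open(path, "r") as tar:
        return tar.getnames()


if __name__ == "__main__":
    # usage: python nsm_backup.py [dest_dir]   (run as the NSM server owner)
    dest = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DEST
    for label, directory in DEFAULT_SOURCES.items():
        archive = archive_directory(directory, dest, label)
        print(f"{archive}: {len(verify_archive(archive))} entries")
```

The archive's permissions matter as much as its contents: anyone who can read it can read the same credentials the GUI Server stores, so keep the destination directory on storage with the same access controls as /var/netscreen itself.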
  • Page 364: Restoring Logs and Configuration Data

    Junos devices: This mechanism does not apply to ScreenOS or IDP devices. The latest device schema is placed by Juniper Networks on the Juniper Update Server, which is a publicly available server. From there, schema upgrade is a two-stage process:...
  • Page 365: Downloading Schemas

    NSM. To set these permissions, in the NSM server CLI, enter the following command:
    % chmod 777 filename
    (Mode 777 also makes the file writable by every local user on the NSM server; a more restrictive mode that still gives the NSM server processes the access they need is preferable where your site policy requires it.) Access to the Juniper Update server uses your Juniper Networks Download Center credentials, the credentials you use to download software from the www.juniper.net Web site.
  • Page 366: Downloading Schemas Using the NSM UI

    Downloading a schema using the GUI Server CLI will fail if the schema on the Juniper Update Server contains a disabled device family that is not yet disabled in the NSM staged schema.
  • Page 367: Applying a Schema

    The GUI Server and Device Server restart. When you log on in the restarted UI, the new schema will be active. The Job Information screen provides information about the progress of the job, and informs you if any device family is disabled in the new schema.
  • Page 369
    Configuring Junos NAT Policies on page 539
    Configuring VPNs on page 551
    Central Manager on page 629
    Topology Manager on page 635
    Role-based Port Templates on page 645
    Unified Access Control Manager on page 651
  • Page 371: Chapter 8 Configuring Objects

    Configuring Service Objects on page 387
    Configuring SCTP Objects on page 395
    Configuring Authentication Servers on page 395
    Configuring User Objects on page 404
    Configuring VLAN Objects on page 408
    Configuring IP Pools on page 408
  • Page 372: About Objects

    (dynamic IPs, mapped IPs, and virtual IPs), enabling multiple devices to share a single object. IP Pools define ranges of IP addresses used to assign an IP address to a RAS user. Remote Settings represent DNS and WINS servers. Services and schedules:
  • Page 373: Configuring Objects

    Extranet Policy objects define rules and actions that you may apply to certain traffic on an extranet device (third-party router). Custom Policy Field objects represent metadata information that you can store and use in a structured manner. Use VPN Manager to view and configure the following objects:
  • Page 374: Using Objects Across Domains

    All available objects of the same category from the global domain are displayed, except the selected object that you are replacing. Select an object that will replace all instances of the existing object and click Next. Click Finish.
  • Page 375: Working with Unused Shared Objects

    (for example, a database version), search for existing versions with and without filters, edit comments about versions, compare two versions, restore an older version, filter and sort versions, display the differences between versions, and update a device to an older object version.
  • Page 376: Searching for and Deleting Duplicate Objects

    Firewall and IDP Rules—Use address objects or groups to specify the source and destination of network traffic.
    Multicast Rules—Use multicast group address objects to specify the destination of multicast traffic.
    VPNs—Use address objects or groups to create Protected Resources for your Policy-Based and Mixed-Mode VPNs.
  • Page 377: Viewing Address Objects

    IPv4 addresses cannot be copied to IPv6 rules and vice versa. During a device update, an IPv6 policy rule is dropped if the target platform does not support IPv6. The following sections detail each address object type.
  • Page 378: Adding a Network Address Object

    The new network address object immediately appears in the Address Tree and Address Table. NSM supports the wildcard mask feature in policies on all devices running ScreenOS 6.1 and later, except for IPv6 addresses.
  • Page 379: Editing and Deleting Address Objects

    To add an Address Object Group: In the navigation tree, select Address Objects. The address object tree appears. In the main display area, click the Add icon and select Group. Enter a unique name for the group.
  • Page 380: Adding a Multicast Group Address Object

    Select a color to represent the multicast group address. Enter a comment about the multicast group address. Select an IP version: IPv4 or IPv6.
  • Page 381: Adding Static DNS Host Addresses

    Select the address object you just created, click Add, then click OK. When the address object is pushed to a device, the host name resolves dynamically. One policy can be assigned to multiple devices.
  • Page 382: Table 31: Application Table Tab Information

    IDP sees (not necessarily the first one in policy) is taken. You can double-click an application object to view its settings, which include the following additional information:
  • Page 383: Creating Custom Application Objects

    You must configure at least one TCP or UDP port for a custom application. Signature: Specify a DFA and a PCRE pattern under each of the following sections: Client-to-server, Server-to-client. You must specify at least one DFA pattern.
  • Page 384: Editing and Deleting Application Objects

    Enter a name and comment for the schedule object. Select the frequency of the schedule: To configure a one-time schedule, select Once, and enter the start date, start time, stop date, and stop time.
  • Page 385: Configuring Access Profile Objects

    For a DSCP QoS profile, the six most significant bits of the ToS field of the IP packet are used to match entries; for an IP precedence QoS profile, only the three most significant bits of the ToS field are used.
  • Page 386: Creating a Quality of Service Profile

    NOTE: QoS profiles cannot coexist with traffic shaping in the same policy. Deleting a Quality of Service Profile: Select Object Manager > QoS profiles. The QoS profile screen opens with a list of QoS profiles. Select a QoS profile to delete.
  • Page 387: Editing a Quality of Service Profile

    To create a Deep Inspection (DI) Profile object, you add predefined attack object groups (created by Juniper Networks) and your own custom attack object groups to the Profile object. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
  • Page 388: Viewing Attack Version Information for Attack Objects

    A Deep Inspection (DI) Profile object contains predefined attack object groups (created by Juniper Networks), and your own custom attack object groups. After creating the DI Profile, you add the Profile object in the Rule Option column of a firewall rule.
  • Page 389: Table 32: Deep Inspection Profile Actions

    IP address. For TCP connections, dropping a single packet will result in the same packet being resent. So, Drop Packet settings are translated to Drop Connection settings for TCP connections.
  • Page 390: Table 33: Deep Inspection IP Actions

    The specified set of elements in an IP packet arriving during a specified timeout period must match that in the packet that the security device detected as part of a brute force attack for the subsequent packet
  • Page 391: Working with IDP Attack Objects

    NSM contains a database of predefined IDP attack objects and IDP attack object groups that you can use in security policies to match traffic against known and unknown attacks. Juniper Networks updates the predefined attack objects and groups on a regular basis with newly discovered attack patterns.
  • Page 392: Viewing Attack Version Information for Attack Objects and Groups

    General box (which appears when you double-click the object) displays the regular expression used to identify the attack. Juniper Networks Security Engineering may choose to hide the exact pattern for specific attack objects. This is done to protect the confidentiality of either the source or target of the specific attack object.
  • Page 393: Configuring Custom DI and IDP Attack Objects
  • Page 394: Objects

    Severity categories, in order of increasing lethality, are: info, warning, minor, major, critical. Critical attacks are the most dangerous—typically these attacks attempt to crash your server or gain control of your network. Informational attacks are the least
  • Page 395: Configuring Extended Information

    When you have completed entering the extended attack information, you can configure the external references. Configuring External References: In the Extended tab, enter the external references that you used when researching the attack, such as links to the security community’s official descriptions of the attack.
  • Page 396: Configuring Target Platforms

    Next, select the type of attack that the attack object detects. After you have added the supported platform to the custom attack object, you can configure the attack type on that platform. Select from one of the following attack types:
  • Page 397: Creating a Signature Attack Object

    (scope and count) that determine when a traffic abnormality is identified as an attack. The following sections detail the attack version general properties.
  • Page 398: Table 34: IP Protocol Name and Type Numbers

    Table 34 on page 348 lists the supported protocol types.
    Table 34: IP Protocol Name and Type Numbers
    Protocol Name    Protocol Type Number
    IGMP
    IPIP
    IPV6
    ROUTING
    FRAGMENT
    RSVP
  • Page 399: Table 35: Supported Services for Service Bindings

    256, or line context). To detect these attacks, configure the service binding to match the attack service. See Table 35 on page 349.
    Table 35: Supported Services for Service Bindings
    Service                  Description                                  Default Port
    AOL Instant Messenger
    Chargen                  Chargen                                      TCP/19, UDP/19
  • Page 400
                                                                          UDP/137 (NBName)
    NBDS                                                                  UDP/138 (NBDS)
                             Network File System
    nntp                     Network News Transfer Protocol
                             Network Time Protocol
    POP3                     Post Office Protocol, Version 3              TCP/110, UDP/110
    Portmapper               Portmapper                                   TCP/111
    RADIUS                   Remote Authentication Dial In User Service
  • Page 401 IP address. Destination: Select this option to detect attacks to the destination IP address for the specified number of times, regardless of the source IP address.
  • Page 402: Table 36: Attack Pattern Syntax

    Syntax                      Description
    \0<octal-number>            Direct binary match (octal)
    \X<hexadecimal-number>\X    Direct binary match (hexadecimal)
    \[<character-set>\]         Case-insensitive match
    .                           Match any symbol
    +                           Match 1 or more symbols
    ?                           Match 0 or 1 symbols
    ( )                         Grouping of expressions
    |                           Alternation, typically used with ( )
  • Page 403: Table 37: Attack Pattern Syntax Example Matches

    Pattern           Matches
    [c-e]a(d|t)       Anything with the first letter c, d, or e, the middle letter a, and ending in d or t
    [^c-e]a(d|t)      Expressions that begin with a letter other than c, d, or e, have the second letter a, and end in d or t
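Tables 36 and 37 describe the pattern syntax without a way to try a pattern against real bytes. The following translator is an added example, not code from the Juniper guide or from NSM: it converts the NSM-specific escapes (\0 octal, \X...\X hexadecimal, \[...\] case-insensitive) into a Python regular expression, passes the shared metacharacters through unchanged, and matches the result against a payload one byte per character. Two details are assumptions because the tables do not state them: hex digits inside \X...\X may be separated by spaces, and "." matches a newline byte, which is what you want for binary payloads. The payloads in the tests are constructed.

```python
"""Translate NSM attack-pattern syntax (Tables 36 and 37) into Python regular
expressions and test them against payloads.

Added example, not code from the Juniper guide or from NSM itself. The \\0,
\\X...\\X and \\[...\\] escapes are handled as the tables describe; the
ordinary metacharacters (. + ? ( ) | [ ] and ^ inside [ ]) already mean the
same thing in Python and pass through. Two details are assumptions: hex digits
inside \\X...\\X may be separated by spaces, and "." matches a newline byte, as
you would want for binary payloads.
"""
import re

_OCTAL = "01234567"
_HEX = "0123456789abcdefABCDEF"


def to_python_regex(pattern: str) -> str:
    """Convert one NSM attack pattern to an equivalent Python regex source string."""
    out = []
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch != "\\" or i + 1 >= n:
            out.append(ch)          # ordinary character or shared metacharacter
            i += 1
            continue
        esc = pattern[i + 1]
        if esc == "0":              # \0<octal-number>: one byte, up to three octal digits
            j = i + 2
            while j < n and j < i + 5 and pattern[j] in _OCTAL:
                j += 1
            digits = pattern[i + 2:j]
            if not digits:
                raise ValueError(f"\\0 without octal digits at offset {i}")
            value = int(digits, 8)
            if value > 0xFF:
                raise ValueError(f"octal escape \\0{digits} exceeds one byte")
            out.append(f"\\x{value:02x}")
            i = j
        elif esc == "X":            # \X<hex>\X: a run of bytes, two hex digits each
            end = pattern.find("\\X", i + 2)
            if end < 0:
                raise ValueError(f"unterminated \\X at offset {i}")
            hexdigits = pattern[i + 2:end].replace(" ", "")
            if not hexdigits or len(hexdigits) % 2 or any(h not in _HEX for h in hexdigits):
                raise ValueError(f"bad hex run {pattern[i:end + 2]!r}")
            out.extend(f"\\x{int(hexdigits[k:k + 2], 16):02x}" for k in range(0, len(hexdigits), 2))
            i = end + 2
        elif esc == "[":            # \[text\]: literal text matched case-insensitively
            end = pattern.find("\\]", i + 2)
            if end < 0:
                raise ValueError(f"unterminated \\[ at offset {i}")
            out.append("(?i:" + re.escape(pattern[i + 2:end]) + ")")
            i = end + 2
        else:                       # any other backslash escape is a literal character
            out.append(re.escape(esc))
            i += 2
    return "".join(out)


def matches(pattern: str, payload: bytes) -> bool:
    """True if the NSM pattern matches anywhere in payload (one byte per character)."""
    regex = re.compile(to_python_regex(pattern), re.DOTALL)
    return regex.search(payload.decode("latin-1")) is not None


if __name__ == "__main__":
    # Table 37's two examples plus the binary escapes, against constructed payloads.
    for pat, data in [("[c-e]a(d|t)", b"cat"), ("[^c-e]a(d|t)", b"cat"),
                      (r"\[get\] /", b"GET /index.html"), (r"\X47 45 54\X /", b"GET /")]:
        print(f"{pat!r:22} {data!r:20} {matches(pat, data)}")
```

Decoding the payload as latin-1 is what makes the \0 and \X escapes line up with bytes rather than with Unicode code points; do not decode as UTF-8 for this purpose.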
  • Page 404 Select the stream 256 context to reassemble packets and search for a pattern match within the first 256 bytes of a traffic stream. When the flow direction is set to any, the
  • Page 405: Configuring Header Match Properties

    NOTE: You can configure header values only for attack objects that use a packet, first data packet, or first packet context. If you selected a stream, stream 256, stream 1K, stream 8K, or a service context (in the Detection area), you cannot specify header contents.
  • Page 406: Table 38: DI Attack Header Match Modifiers

    (TTL) value of the packet. This value represents the number of routers the packet can pass through. Each router that processes the packet decrements the TTL by 1; when the TTL reaches 0, the packet is discarded.
  • Page 407 The value indicates that the data in the packet is urgent; the URG flag must be set to activate this field. Urgent Bit—When set, the urgent flag indicates that the packet data is urgent. ACK bit—When set, the acknowledgment flag acknowledges receipt of a packet.
  • Page 408 Data Length—Specify an operator (none, =, !, >, <) and a decimal value for the number of bytes in the data payload.
  • Page 409: Configuring a Protocol Anomaly Attack Object

    All members of the compound attack object must use the same service setting or service binding, such as FTP, Telnet, YMSG, or TCP/80. You can add protocol anomaly attack objects to a compound attack object.
  • Page 410: Configuring General Attack Properties

    Select Session to allow multiple matches for the object within the same session. Select Transaction to match the object across multiple transactions that occur within the same session.
  • Page 411 NSM supports three Boolean operators: or, and, and oand (ordered and). NSM also supports the use of parentheses to determine precedence. Boolean operators: or—If either of the member name patterns matches, the expression matches.
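The three operators and the parentheses above define a small expression language over compound attack members; the difference between "and" and "oand" is easiest to see by evaluating an expression against the order in which members actually matched in a session. The evaluator below is an added example, not code from the Juniper guide or from NSM. Its semantics for oand and for precedence are assumptions where the page does not spell them out: a member is satisfied when its name appears in the session's ordered list of member hits, "A and B" needs both in any order, "A oand B" needs B to match after A has matched, and operators without parentheses bind left to right. The session in the example is constructed.

```python
"""Evaluate a compound attack object's Boolean expression over the member
matches seen in one session.

Added example, not code from the Juniper guide or from NSM. The operators are
the three the page lists: or, and, and oand (ordered and), with parentheses for
grouping. Semantics implemented here, with the oand and precedence rules as
assumptions where the page does not spell them out: a member is satisfied when
its name appears in the session's ordered list of member hits; "A and B" needs
both in any order; "A oand B" needs B to match after A has matched; operators
without parentheses bind left to right.
"""
import re
from typing import List, Optional

OPERATORS = ("or", "and", "oand")
Node = tuple   # ("member", name) or (operator, left, right)


def parse(expression: str) -> Node:
    """Parse e.g. '(m01 or m02) oand m03' into a tree; ValueError on malformed input."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    node, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError(f"unexpected token {tokens[pos]!r}")
    return node


def _parse_expr(tokens: List[str], pos: int):
    left, pos = _parse_atom(tokens, pos)
    while pos < len(tokens) and tokens[pos].lower() in OPERATORS:
        op = tokens[pos].lower()
        right, pos = _parse_atom(tokens, pos + 1)
        left = (op, left, right)            # left-to-right binding (assumed)
    return left, pos


def _parse_atom(tokens: List[str], pos: int):
    if pos >= len(tokens):
        raise ValueError("expression ends where a member name was expected")
    tok = tokens[pos]
    if tok == "(":
        node, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("missing closing parenthesis")
        return node, pos + 1
    if tok == ")" or tok.lower() in OPERATORS:
        raise ValueError(f"member name expected, got {tok!r}")
    return ("member", tok), pos + 1


def _completes_at(node: Node, hits: List[str], after: int) -> Optional[int]:
    """Earliest index in hits, strictly after `after`, at which node is satisfied."""
    kind = node[0]
    if kind == "member":
        name = node[1]
        return next((i for i in range(after + 1, len(hits)) if hits[i] == name), None)
    _, left, right = node
    if kind == "oand":                      # right side must match after the left side has
        done = _completes_at(left, hits, after)
        return None if done is None else _completes_at(right, hits, done)
    a, b = _completes_at(left, hits, after), _completes_at(right, hits, after)
    if kind == "and":
        return None if a is None or b is None else max(a, b)
    candidates = [x for x in (a, b) if x is not None]   # "or": whichever completes first
    return min(candidates) if candidates else None


def compound_matches(expression: str, hits: List[str]) -> bool:
    """True if the session's ordered member hits satisfy the compound expression."""
    return _completes_at(parse(expression), hits, -1) is not None


if __name__ == "__main__":
    session = ["m01", "m02", "m03"]          # constructed: members matched in this order
    for expr in ("m01 oand m02", "m02 oand m01", "m02 and m01",
                 "(m01 or m04) oand m03", "m04 or m05"):
        print(f"{expr:24} {compound_matches(expr, session)}")
```

With the constructed session, "m02 oand m01" does not match while "m02 and m01" does; that is the whole difference the ordered operator buys you when the exploit only works if its stages arrive in a particular order.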
  • Page 412: Configuring the Direction Filter

    Rule Options of a firewall rule. For information about creating a DI Profile, see “Creating DI Profiles” on page 338. NOTE: Attack group names cannot be the same as attack object names.
  • Page 413: Creating Custom IDP Attack Groups

    Enter a name and description for the static group. Select a color for the group icon. To add an attack or group to the static group, select the attack or group from the Attacks/Group list and click the Add button. Click OK.
  • Page 414: Creating Dynamic Attack Groups (IDP Only)

    Add the Recommended filter to include only attacks designated to be the most serious threats in the dynamic group. In the future, Juniper Networks will designate only attacks it considers to be serious threats as Recommended. These settings will be updated with new attack object updates.
  • Page 415: Figure 78: New Dynamic Group

    Add a Severity filter to add attack objects that have a severity level of critical or major. IDP automatically applies all filters to the entire attack object database, identifies the attack objects that meet the defined criteria, and adds the matching objects as members of the group.
  • Page 416: Figure 79: New Dynamic Group Members

    Double-click the group icon in the Attack Objects column of an IDP rule to display the Dynamic Group dialog box, make the desired changes, then click OK to save your edits.
  • Page 417: Editing a Custom Attack Group

    You can define profiles for antivirus, anti-spam, URL filters, and content filters for the new profile either from the same window or by navigating from their respective nodes in the navigation pane. You can create miscellaneous objects such as Extension lists, URL
  • Page 418: Creating an Antivirus Profile

    Juniper Express Engine tab: Scan mode, Extension list. Actions inapplicable to the Juniper Express Engine: Corrupt file, Password file, and Decompression Layer. Select Apply and then
  • Page 419: Creating an Antispam Profile

    Set notification options: Notification type, Notify mail sender, and Custom message. Select the type of content to block. Set filters. You can select from existing lists or create new lists for each filter by clicking the icon beside the field. Permitted command list. Block command list.
  • Page 420: Creating a URL Filtering Profile

    1-8. Mouse over the field to see a tool tip with the allowed values. Enter the account name. Select the timeout period, in the range 1-1800. Enter the deny message. Set fallback actions (either deny or permit) for the following: Default, Server Conn, Time out, Too many requests. Select
  • Page 421: Miscellaneous UTM Features

    You can only view, not edit, the listed predefined profiles. You can create and edit custom profiles. Click the Add icon in the Custom UTM Extension List Profiles table. The New Extension List Profile window opens. Enter a name for the profile.
  • Page 422: Command Lists

    You can create and edit your own categories. Click the Add icon in the Custom UTM URL Categories table. The New URL Category window opens. Enter a name for the category.
  • Page 423 ICAP AV scanning—This method forwards traffic to an Internet Content Adaptation Protocol (ICAP) server for examination. To forward traffic to an ICAP server, create an ICAP server object, create an ICAP profile, and then specify that profile in a policy.
  • Page 424: Configuring External AV Profiles

    For Name, enter scanner1_HTTP. For Server Name, enter 1.2.2.20. For Server Port, leave the default port number of 3300. Select HTTP, then configure the timeout as 300 seconds. Click OK to save the new profile.
  • Page 425: Configuring Internal Av Profiles

    Object Manager > AV Objects > Custom Mime Lists. Email Notify Virus Sender (IMAP, POP3, SMTP only): Notifies an e-mail sender if a virus was found in the e-mail. Copyright © 2010, Juniper Networks, Inc.
  • Page 426: Configuring Icap Av Servers And Profiles

    If the server returns as in-service, the security device will send it traffic. If it returns as out-of-service, the security device will not send traffic. Maximum Connections: The maximum number of TCP connections between the security device and the ICAP AV server. Copyright © 2010, Juniper Networks, Inc.
  • Page 427: Configuring Icap Av Profiles

    See “Configuring ICAP AV Servers and Profiles” on page 376 for information on creating ICAP AV servers and server group objects in NSM. Request URL: The request URL on the ICAP AV server. Response URL: The response URL on the ICAP AV server. Copyright © 2010, Juniper Networks, Inc.
  • Page 428: Configuring Web Filtering Objects

    In the main navigation tree, select Object Manager > UTM >ScreenOS >Web Filtering (Integrated)> Web categories > Custom Lists. Click the Add icon. The New Web categories dialog box appears. For Name, enter Competitors, Gaming. Copyright © 2010, Juniper Networks, Inc.
  • Page 429: Configuring Custom Policy Fields

    This is required and the custom object instance cannot be saved until this expression is satisfied. Comments -- This column allows the user to input any comments associated with the new object. Copyright © 2010, Juniper Networks, Inc.
  • Page 430: Defining Metadata

    Objects with a String data type will provide a special edit dialog that allow you to change the string value contained within. The dialog allowing for this information is accessible by right-clicking on the selected value in the Context Menu. Objects with a Shared data Copyright © 2010, Juniper Networks, Inc.
  • Page 431: Open Log Viewer

    In the GTP header, the message length field indicates the length of the GTP payload. It does not include the length of the GTP header itself, the UDP header, or the IP header.
  • Page 432: Limiting Gtp Message Rate

    GGSN. During the PDP context activation stage: The sending GGSN uses zero (0) as the Sequence Number value for the first G-PDU it sends through a tunnel to another GGSN. The sending GGSN then increments the
  • Page 433: Filtering Gtp-In-Gtp Packets

    A security device creates log entries for GTP events based on the status of the GTP packet. For each event type, you can also specify how much information (basic or extended) you want about each packet.
  • Page 434: Configuring Imsi Prefix And Apn Filtering

    GTP packet. Additionally, you can filter GTP packets based on the combination of an IMSI prefix and an APN. For details, see “Creating an IMSI Prefix Filter” on page 385.
  • Page 435: Creating An Imsi Prefix Filter

    GTP packet. You can set up to 1000 IMSI prefixes for each device (one per each filter). To disable IMSI prefix filtering, remove all MCC-MNC pairs from the GTP object.
  • Page 436: Configuring Gtp Message Filtering

    For Name, enter GPRS1, then enter a color and comment for the object. Select Sequence Number Validation. Select GTP in GTP Denied. Leave all other defaults. In the GTP navigation tree, select Traffic Logging/Counting. Configure the following:
  • Page 437: Configuring Service Objects

    You can view predefined services in a tree or table format. The Service Tree displays services in a tree format, with service groups and individual services. The Service Table (Table 39 on page 388) displays services in a table format, and includes the following details:
  • Page 438: Table 39: Service Table Tab Information

    ID, and the version number. NSM and security devices support 13 Sun-RPC predefined services. To permit or deny all Sun-RPC requests, include the Sun-RPC-Any service in a firewall or IDP rule; to
  • Page 439: Creating Custom Services

    User-defined. Enter a session timeout value. The maximum timeout value for TCP and UDP connections is 2160 minutes. Color—Select a color to represent this service object in the NSM UI. Comment—Add a comment, if desired. Add the service entry:
  • Page 440: Service Object Groups

    (hold Ctrl to select multiple objects), then click Add. NOTE: You can drag service objects into and out of service groups from the main service tree. Click OK. The new service object group appears in the Service Tree and Service Table tabs.
  • Page 441: Example: Creating A Custom Service And Group

    For Name, enter Remote Mail. b. For Color, select pink. c. Enter a comment, if desired. d. In the Non-members area, select the following services (press and hold Ctrl to select multiple services):
  • Page 442: Example: Creating A Custom Sun-Rpc Service

    OK: For Program Low, enter 100003. For Program High, enter 100003. Configure the second service entry. Click the Add icon to display the New Service Entry dialog box, configure the following, then click OK:
  • Page 443: Example: Creating A Custom Ms-Rpc Service

    For Color, select blue. d. Enter a comment, if desired. Select the MS-RPC tab. Configure a service entry for each of the following UUIDs: 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde, 1453c42c-0fa6-11d2-a910-00c04f990f3b, 10f24e8e-0fa6-11d2-a910-00c04f990f3b, 1544f5e0-613c-11d1-93df-00c04fd7bd09. Click OK to save the new service object.
  • Page 444: Editing And Deleting Service Objects

    Select the HTTPS service object. Click Next. The wizard next displays the objects affected by the Replace With operation. As an optional step, you can delete any replaced custom service objects by clicking on them and then selecting Delete Replaced Object.
  • Page 445: Configuring Sctp Objects

    You can also configure a RADIUS authentication server object to provide authentication for the global domain and each subdomain. For information about configuring a RADIUS server, see “Configuring a RADIUS Authentication Server” on page 398.
  • Page 446: Configuring General Authentication Server Settings

    0 (the device continues to use the backup server indefinitely). The interval countdown begins when the device fails over from the primary auth server to the backup or secondary backup server (RADIUS only).
  • Page 447: Configuring Authentication For User Types

    If the device does not locate the separator character in the username, it does not strip the domain name from the username (usernames are passed to the authentication server as-is). Conversely, if the number of specified separator characters exceeds the number
  • Page 448: Configuring Authentication Server Types

    For operations where RFC 2865/66 and RFC 2138 are both supported, the server complies with all three RFCs. When unselected (default), the server is compatible only with the current RADIUS standards RFC 2865 and 2866.
  • Page 449 A RADIUS server supports the following user types: Auth users; L2TP users (authentication and remote settings); XAuth users (authentication and remote settings); Admin users (authentication and privilege assignments); User groups. A RADIUS server does not support IKE users.
  • Page 450 After you define the VSA values, the security device can query those values when a user logs on to the device. You must load a Juniper Networks dictionary file to enable the RADIUS server to support NSM-specific attributes such as administrator privileges, user groups, remote L2TP and XAuth IP addresses, and DNS and WINS server address assignments.
  • Page 451 3 seconds to 4 seconds. You also assign its two backup servers the IP addresses 10.20.1.110 and 10.20.1.120. In addition, you load the Juniper Networks dictionary file on the RADIUS server so that it can support queries for the following vendor-specific attributes (VSAs): user groups, administrator privileges, remote L2TP and XAuth settings.
  • Page 452: Configuring A Securid Authentication Server

    For retry timeout, select 4. Click OK to save the RADIUS authentication server object. Load the Juniper Networks dictionary file on the RADIUS server. Configuring a SecurID Authentication Server: Security devices also support the RSA SecurID system. The device acts as a SecurID client, forwarding authentication requests to the external server for approval and relaying login information between the user and the server.
  • Page 453: Configuring An Ldap Authentication Server

    L2TP users (user authentication; L2TP user receives default L2TP settings from the security device); XAuth users (user authentication; no support for remote setting assignments); Admin users (user authentication; administrator user receives default privilege assignment of read-only). LDAP servers cannot assign L2TP or XAuth remote settings.
  • Page 454: Configuring A Tacacs Authentication Server

    New Local User dialog box. Enter a name, color, and comment for the local group. Select Enable to enable authentication for this user, then configure the authentication methods for the user:
  • Page 455: Configuring Local User Groups

    NSM, such as an external RADIUS or SecurID server. When an external user is included in a security policy (under Authentication rule options), the security device uses the external server to authenticate that user. To configure an external user:
  • Page 456: Configuring External User Groups

    In this example, you configure an external RADIUS auth server named radius1 and define an external auth user group named auth_grp2. You define the external auth user group auth_grp2 in two places: on the external RADIUS auth server “radius1,” and in NSM. For the
  • Page 457 Trust zone. On the RADIUS server, load the Juniper Networks dictionary file and define auth user accounts. Use the Juniper Networks user group VSA to create the user group auth_grp2 and apply it to the auth user accounts that you want to add to that group.
  • Page 458: Configuring Vlan Objects

    The IP pool you select for the VPN or the local user determines the range of IP addresses the device can assign to the L2TP RAS user when the user connects to the L2TP VPN.
  • Page 459: Using Multiple Ip Ranges

    In the IP Pool dialog box, click the Add icon to configure the first IP pool range. The New IP Pool Name dialog box appears. Configure the Start IP and End IP, then click
  • Page 460: Table 40: Group Expression Operators

    If the security policy defines authentication for any user object that is not the “c” user (NOT “c”), the security device authenticates all users except the “c” user.
  • Page 461 In the main display area, click the Add icon and select New. The New Group Expression dialog box appears. Enter a name, color, and comment for the group expression. Select the operator you want to use in the expression (OR, AND, NOT) and then configure the operands:
  • Page 462: Figure 80: Configure External User Groups For Sales And Marketing

    Next, create a group expression object that references both the Sales and Marketing groups (Figure 81: Configure Group Expression for Sales and Marketing). Finally, add the group expression object to your firewall rule in the Authentication rule option.
  • Page 463: Configuring Remote Settings

    You can create, view, edit, or delete a routing instance object in the Object Manager. You can also perform a Find Usages operation, and view the version history of a routing instance object. For more information on configuring routing instances, see the Junos Routing Protocols Configuration Guide.
  • Page 464: Viewing Routing Instance Objects

    NAT objects for ScreenOS devices and Junos NAT objects for Junos OS devices. For more information, see the following sections: Configuring Legacy NAT Objects on page 415; Configuring Junos OS NAT Objects on page 417.
  • Page 465: Configuring Legacy Nat Objects

    If no values appear in the pull-down menu for interface, DIP, or DIP group, make sure that you have configured DIP correctly in the Device Manager. You can add multiple device DIPs to a single global DIP object (one DIP per device).
  • Page 466: Configuring Mip Objects

    Enter a name, color, and comment for the object, then click the Add icon to specify the device-specific destination NAT configuration: Device—Select the security device. Destination-nat—Select a value from the pull-down menu. If no values appear on the pull-down menu, click the Add icon to create a new value.
  • Page 467: Configuring Junos Os Nat Objects

    If the proxy ARP functionality is required, select the IP address of the interface that accepts the ARP requests from the Proxy ARP drop-down list. If no values are listed, select the Add icon to configure a new value. The Specify New Interface dialog box appears.
  • Page 468: Table 41: Source Nat Configuration Options

    Specify the hosts (range of IP addresses) whose ARP requests this device must accept, as follows: Click and select (+) to configure the start of the address range in the Address dialog box. Click and configure the end of the address range.
  • Page 469: Configuring Destination Nat Objects

    You can add, edit, delete, and search for a destination NAT object from Object Manager. For more information, see the following sections: Adding a Destination NAT Object on page 420; Editing a Destination NAT Object on page 421; Deleting a Destination NAT Object on page 422.
  • Page 470: Table 42: Destination Nat Configuration Options

    Routing Instance (Ri Name): Select the routing instance name to which the pool is bound. The values are listed only if you have added them previously. To add a new routing instance to a device, select Object Manager > Routing Instance Objects.
  • Page 471 Select the Edit icon at the top of the screen. The Junos Destination NAT dialog box appears. Select the device to edit. Select the Edit icon. The Junos Destination NAT dialog box appears. Edit the values of the destination NAT object. Click
  • Page 472: Configuring Certificate Authorities

    NSM. Because the CA certificate is an object, however, you can use the same CA for multiple devices, as long as those devices use local certificates that were issued by that CA.
  • Page 473: Using Certificate Authorities

    Best Effort: Enable this option to check for revocation and accept the certificate if no revocation information is found. CRL Settings—Configure the default setting for the Certificate Revocation List.
  • Page 474: Configuring Crl Objects

    CRL for multiple devices, as long as those devices use local and CA certificates that were issued by that CA. Using CRLs: You can use a CRL object in a VPN to check for VPN members using revoked certificates.
  • Page 475: Configuring Crls

    When you create the extranet device in NSM, bind the policy to the appropriate interface and specify the script you want to perform the required update actions. When you update the device, NSM invokes the script. Any XML output appears in the Job Information window.
  • Page 476: Configuring Binary Data Objects

    UI file system. Click OK to add the object to the Binary Data list in the Object Manager.
  • Page 477: Viewing, Editing, And Deleting Binary Data Objects

    Each protected resource represents an address or a range of addresses on your network. Each resource also can specify a service (such as FTP or NFS). Therefore, the protected resource is the destination for all traffic using the selected service to the selected address.
  • Page 478: Creating Protected Resources

    Because IKE generates keys automatically, you can give each key a short life span, making it expire before it can be
  • Page 479: Creating Custom Ike Phase1 Proposals

    Select the group that meets your security requirements and user needs: Group 1. Uses a 768-bit modulus. Group 2. Uses a 1024-bit modulus. Group 5. Uses a 1536-bit modulus. Group 14. Uses a 2048-bit modulus.
  • Page 480: Creating Custom Ike Phase 2 Proposals

    Select the DH group to encrypt the key: No Perfect Forward Secrecy. Diffie-Hellman Group 1. Diffie-Hellman Group 2. Diffie-Hellman Group 3. Diffie-Hellman Group 14.
  • Page 481: Configuring Dial-In Objects

    Select Object Manager > Dial-In. Click Add Dial In Object. The New Dial In window opens. Click in the Phone Settings table for either the White List or Black List. The New List Entry box opens.
  • Page 482: Linking The Dial-In Profile With The Device

    Admission controller objects are listed on the transaction policy’s shared-object menu, where you can drag and drop them into the transaction terms. When you import a device, the admission controller objects are also imported.
  • Page 483 BSG objects are supported in Junos OS Release 9.5 and later. When updating devices running under earlier versions of Junos OS, the admission controller setting is dropped.
  • Page 485: Chapter 9 Configuring Security Policies

    You can also use firewall rules to control the shape of your network traffic as it passes through the firewall or to log specific network events. Multicast rules permit multicast control traffic, such as IGMP or PIM-SM messages, to cross Juniper Networks security devices. Multicast rules permit multicast control traffic only; to permit data traffic (both unicast and multicast) to pass between zones, you must configure firewall rules.
  • Page 486: About Security Policies

    Move the cursor over a column header of the security policy. A small icon appears to the left above the No. column. Click on the icon to display the Select Visible Columns dialog box, as shown in Figure 82 on page 437.
  • Page 487: Configuring Security Policies

    You must create and save these custom policy fields as objects under the Object Manager before you can use them in policy. See “Configuring Custom Policy Fields” on page 379 for details.
  • Page 488: About Rulebases

    NSM supports the following IDP rulebases: IDP—This rulebase protects your network from attacks by using attack objects to detect known and unknown attacks. Juniper Networks provides predefined attack objects that you can use in IDP rules. You can also configure your own custom attack objects.
  • Page 489: Rule Execution Sequence

    Zone rulebase; Global rulebase; Multicast rulebase. Managed devices process and execute IDP rules in the following order: Exempt rulebase; IDP rulebase; APE rulebase; Backdoor rulebase; SYN Protector rulebase; Traffic Anomalies rulebase; Network Honeypot rulebase.
  • Page 490: About Rules

    NOTE: On Juniper Networks vsys devices, rules defined in the root system do not affect rules defined in virtual systems.
  • Page 491: Vpn Links And Rules

    However, you might want to create access rules to control the flow of traffic in a routing-based VPN tunnel. NOTE: VPN rules are not validated by rule validation. Only firewall rules are validated by rule validation.
  • Page 492: About Rule Groups

    IDP rulebases. If you do not enable IDP in a firewall rule for a target device, you can still configure rules in IDP rulebases, but you cannot apply the IDP rules when you update the security policy on the target security devices.
  • Page 493: About Idp Rulebases On Standalone Idp Sensors

    LAN, WAN, or special zones such as DMZ. In sensor mode, a Sensor receives a copy of a packet while the original packet is forwarded on the network. The Sensor examines the copy of the packet and flags any
  • Page 494: Enabling Ipsec Null Encryption For Idp Inspection

    You use these objects when configuring rules within the policy. If you are running an IDP-enabled device, you can use the profiler to monitor the traffic of interest on your network.
  • Page 495: Configuring Objects For Rules

    Right-click on the column value of the rule that you want to apply to the selected rules and select Apply value to selected rules from the menu. The selected column value is applied to all selected rules.
  • Page 496: Running Screenos Or Junos Os

    (.*|.*\n)test1. Using a Predefined IDP Policy: When you create a new IDP security policy, you can select from the following predefined policies or use the Policy Creation Wizard, as described in the next section.
  • Page 497: Using The Policy Creation Wizard

    Stand Alone IDP—Select this option to create a new policy containing the IDP rulebase. Integrated Security Gateways/Security Routers—Select this option to create a new policy containing a zone-based firewall rulebase with one any-any-permit IDP enabled rule as well as the IDP rulebase.
  • Page 498: Adding Rulebases

    Configuring Firewall Rules: The firewall rulebases enable you to create zone and global firewall rules that control the flow of traffic on your network. You can configure the following settings for a firewall rule:
  • Page 499: Defining Match For Firewall Rules

    ScreenOS 6.2 and later. If you choose "self" as the source zone, then you must also configure the source address as "any". The system validates devices on which security policies with source zone "self"
  • Page 500: Configuring Source And Destination Addresses For Firewall Rules

    You can add global MIP and VIP objects as the source or destination address in a rule; however: When installing the rule on devices running ScreenOS 5.0 and later, you can add multiple MIPs.
  • Page 501: Support For Any-Ipv6 As A Source Address

    To enable IPv6 functionality, you should set the environment variable IPv6 on the device to "yes" and then reboot the device. Since NSM does not manage environment variables, you cannot set this in NSM.
  • Page 502: Configuring Services For Firewall Rules

    Defining Actions for Firewall Rules: You can specify the action that your security device performs against traffic that matches the zones, address objects, and services specified in the firewall rule. You can set different actions for each rule:
  • Page 503: Selecting Devices For Firewall Rules

    NSM installs the rule only on the devices specified in the Install Column of the rule, enabling you to use a single security policy for multiple security devices.
  • Page 504: Configuring Firewall Rule Options

    IP address selected from the DIP pool. To translate the source IP address using the IP address of the outgoing interface on the security device, select Use Interface.
  • Page 505: Enabling Gtp For Firewall Rules

    For security devices running ScreenOS 5.3 and later, you can also manage the flow of traffic through the security device by limiting bandwidth at the point of ingress.
  • Page 506 IP priority preference. When the DSCP class selector is enabled, the class selector zeroes the remaining five bits in the DiffServ field, which prevents upstream routers from altering priority levels.
  • Page 507: Enabling Logging And Counting For Firewall Rules

    To set an alarm, enable counting and specify the minimum and maximum byte thresholds for matching network traffic. You can specify a predefined number of bytes per second, number of Kilobytes per minute, or both. Each time your security device detects network
  • Page 508: Miscellaneous

    In NSM, schedules are represented by schedule objects. Before you can define a schedule for a rule, you must create a schedule object that describes a time period. The schedule
  • Page 509 For VPN rules that are automatically created by VPN Manager, NSM creates a unique ID for each VPN rule. You can change this predefined ID, if desired, to an ID number, or leave the predefined ID set to “none”, which preserves the autogenerated ID number.
  • Page 510: Configuring Web Filtering For Firewall Rules

    Select Web Filtering. In the Edit Web filter dialog box, click Enable. Select Web Filtering Through SurfControl CPA (Integrated). The Select SC-CPA Profile box appears. Select the profile ns_profile to bind to the firewall rule.
  • Page 511: Configuring Authentication For Firewall Rules

    Infranet Authentication—Use this option to enable specified RAS users to connect using a Juniper Networks Infranet Controller. An unauthenticated user trying to access a UAC protected resource via HTTP is usually redirected to a URL of an authenticating IC. The redirect URL is a global parameter specified per controller.
  • Page 512: Configuring Antivirus For Firewall Rules

    NetScreen-Hardware Security Client device running ScreenOS 5.0 - 5.2. If you install a policy that uses Scan Manager on a different device, the device executes and processes traffic according to the rule, but does not detect viruses using the embedded scanning engine.
  • Page 513: Configuring A Di Profile/Enable Idp For Firewall Rules

    ScreenOS 5.0 IDP1, you can enable IDP and select an IDP mode in the DI Profile/Enable IDP rule options. Enabling IDP directs the security device to pass all traffic permitted by the firewall rule to the IDP rulebase.
  • Page 514: Limiting Sessions Per Policy From Source Ips

    In a synchronized NSRP setup, the session limit policy also counts sessions in the slave device, which does not impose any limit. When the slave becomes the master, a new session is created only if the existing session count does not exceed the threshold. If the
  • Page 515: Configuring The Session Close Notification Rule

    The Comments column of a rule contains the rule title, which is also the ScreenOS policy name (the name of the policy when viewing the device configuration using the WebUI). You can also enter comments in the Comment Field, if desired.
  • Page 516: Configuring Multicast Rules

    A rule can apply to either IGMP messages or PIM-SM messages: When running IGMP proxy on the security device, configure a rule that permits IGMP messages to flow between zones. When running PIM-SM on the security device, configure a rule that permits PIM-SM messages.
  • Page 517: Configuring Antivirus Rules

    Select an Antivirus option: None—Turns off antivirus scanning for that rule. Use External AV Server—Indicates that you want to use an External AV Server. You must select the external AV server you wish to use.
  • Page 518: Configuring Antispam Rules

    Whenever this known pattern of attack is encountered in the monitored network traffic, the attack object is matched. You can add attack objects by category, operating system, severity, or individually.
  • Page 519: Defining Match For Idp Rules

    (see “Configuring Backdoor Rules” on page 494 for more information on interactive attacks). You can specify “any” to monitor network traffic originating from any IPv4 address and “AnyIPv6” to monitor network traffic originating from any IPv6 address.
  • Page 520: Configuring User Roles For Idp Rules

    (true or false, negate, or Filter ignore objects in group) to the user role values. The Edit option allows you to cut, copy, or paste the user role name in the column.
  • Page 521: Configuring Services For Idp Rules

    FTP buffer overflow attempts. The Service column in the rule still displays “Default”, but the rule actually uses the default service of TCP-FTP, which is specified in the attack object.
  • Page 522: Configuring Terminal Idp Rules

    Terminal rules should appear near the top of the rulebase, before other rules that would match the same traffic. You set a rule as terminal by selecting the box in the Terminate Match column of the Security Policy window when the rule is created or modified.
  • Page 523: Table 43: Idp Rule Actions

    IDP inspects for attacks but takes no action against the connection if an attack is found. If a rule that contains an action None is matched, the corresponding log record displays accept in the action column of the Log Viewer.
  • Page 524 Diffserv Marking IDP assigns the service differentiation value indicated to the packet, then passes it on normally. The value is set in the dialog that appears when you select this action in the rulebase.
  • Page 525: Configuring Attack Objects In Idp Rules

    Action: Recommended. Description: IDP takes the action recommended by Juniper Networks. With IDP 4.1 and later, attack objects have a recommended action associated with them. If a packet triggers more than one attack object, IDP applies the most secure of the recommended actions. Available with IDP 4.1 and later.
  • Page 526: Table 44: Severity Levels, Recommended Actions And Notifications

    Logging. ...install or use a trojan (1c), or gain user-level access to a host. Recommended action: Drop Connection. Notification: Alert, Logging. Minor: Attacks attempt to obtain critical information through directory traversal or information leaks. Recommended action: none. Notification: Logging.
  • Page 527: Adding Custom Dynamic Attack Groups

    Then right-click in the IP Action column of the rule and select Configure. The Configure IP Action dialog box appears, as shown in Figure 83 on page 478. Enable and configure an IP action to prevent future malicious connections from the attacker’s IP address.
  • Page 528: Figure 83: Configure Ip Action

    When the security device detects attack traffic that matches a rule and an IP action is triggered, the device can log information about the IP action that was taken or create an alert in the Log Viewer. By default, there are no logging options set.
  • Page 529: Setting Timeout Options

    Rule 1 to capture 10 packets before and after the attack, and Rule 2 to capture 5 packets before and after the attack. If both rules match the same attack, IDP attempts to capture 10 packets before and after the attack.
  • Page 530: Setting Vlan Tags For Idp Rules

    You can override the inherent attack severity on a per-rule basis within the IDP rulebase. You can set the severity to either Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 531: Setting Target Devices For Idp Rules

    Multiple IDP policies allow administrators to reference a service set associated with a subscriber to a pre-configured IDP policy. This IDP policy is used to enforce security inspection for traffic per subscriber. Service set configuration is supported in-device in
  • Page 532 NOTE: For other devices which do not support multiple IDP policies, an IDP rule’s association with multiple IDP policies on the Policies panel is ignored. NOTE: From-Zone and To-Zones are not applicable to MX series devices and these values will be trimmed or ignored if configured. Copyright © 2010, Juniper Networks, Inc.
  • Page 533: Configuring Application Policy Enforcement (Ape) Rules

    Add APE Rulebase to enable the APE rulebase tab. To configure an APE rule, click the Add icon on the left side of the Security Policy window to open a default APE rule. You can modify the rule as necessary. Click OK. Copyright © 2010, Juniper Networks, Inc.
  • Page 534: Adding The APE Rulebase To A Policy Using The Application Profiler

    APE rulebase. If IDP encounters a match for the other Match columns in an APE rule, no other rules in the rulebase are examined. The following sections describe the Match columns of an APE rule.
  • Page 535: Configuring Source And Destination Address Objects For APE Rules

    Untrust, and the Source IP to any IP. Then set the To Zone to dmz and trust. Next, select the address object that represents the host or server you want to protect from attacks as the Destination IP.
  • Page 536: Configuring User Roles For APE Rules

    Select Service to choose specific services from the list of defined service objects. For example, to take some action on FTP traffic, set the service to Default and add the application object FTP. The Service column in the rule still displays “Default,” but the
  • Page 537: Table 45: APE Rule Actions

    Diffserv Marking IDP assigns the service differentiation value indicated to the packet, then passes it on normally. The value is set in the dialog that appears when you select this action in the rulebase.
  • Page 538: Configuring IP Actions In APE Rules

    IDP Notify—The security device does not take any action against future traffic, but logs the event. This is the default. IDP Drop—The security device drops the matching connection and blocks future connections that match the criteria set in the Block list.
  • Page 539: Choosing A Block Option

    Excessive logging can also affect throughput, performance, and available disk space. A good security policy generates enough logs to fully document only the important security events on your network.
  • Page 540: Setting VLAN Tags For APE Rules

    You can override the inherent attack severity on a per-rule basis within the APE rulebase. You can set the severity to Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 541: Setting Target Security Devices For APE Rules

    You must include at least one attack object in an exempt rule. NOTE: The Exempt rulebase is a non-terminal rulebase. That is, IDP attempts to match traffic against all rules in the Exempt rulebase and all matches are executed.
  • Page 542: Adding The Exempt Rulebase

    Source or Destination column of a rule and select Select Address. In the Select Source Addresses dialog box, you can either select an already-created address object or click the Add icon to create a new host, network, or group object.
  • Page 543: Setting Attack Objects

    You can modify, reorder, or merge an exempt rule created from the Log Viewer in the same manner as any other exempt rule that you create directly in the Exempt rulebase.
  • Page 544: Configuring Backdoor Rules

    “detects” all interactive traffic from those devices. NOTE: The Backdoor rulebase is a terminal rulebase. That is, when IDP finds a match on a rule in the Backdoor rulebase, it does not execute succeeding rules.
  • Page 545: Adding The Backdoor Rulebase

    Source or Destination column of a rule and select Select Address. In the Select Source Addresses dialog box, you can either select an already-created address object or click the Add icon to create a new host, network, or group object.
  • Page 546: Table 46: Actions For Backdoor Rule

    Remember that security policies that generate too many log records are hazardous to the security of your network, as you might discover an attack too late or miss a security breach entirely due to sifting through
  • Page 547: Setting Logging

    You can override the inherent attack severity on a per-rule basis within the Backdoor rulebase. You can set the severity to either Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 548: Specifying VLANs

    While the connection table can sustain hundreds of concurrent connections across multiple ports, attackers can generate enough connection requests to exhaust all allocated resources. SYN-Floods Attackers initiate a SYN flood by manipulating the basic three-way handshake:
  • Page 549: Adding The SYN Protector Rulebase

    Specify the traffic you want IDP to monitor for SYN floods. Configuring Source and Destination Address Objects Set the Source Object to Any. Set the Destination Object to any address objects you want to protect.
  • Page 550: Setting Mode

    If you become overloaded with data, you can miss something important. Remember that security policies that generate too many log records are hazardous to the security of your network, as you
  • Page 551: Setting An Alert

    You can override the inherent attack severity on a per-rule basis within the SYN Protector rulebase. You can set the severity to either Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 552: Setting Target Devices

    The rule is matched if the same Source IP scans 20 TCP ports on your internal network within 120 seconds, or if the same Source IP scans 20 UDP ports on your internal network within 120 seconds.
  • Page 553: Detecting Other Scans

    IP action of IDP Block and chose Source, Protocol from the Blocking Options menu. Adding the Traffic Anomalies Rulebase Before you can configure a rule in the Traffic Anomalies rulebase, you need to add the Traffic Anomalies rulebase to a security policy.
  • Page 554: Defining A Match

    If you become overloaded with data, you can miss something important. Remember that security policies that generate too many log records are hazardous to the security of your network, as you
  • Page 555: Logging Packets

    You can override the inherent attack severity on a per-rule basis within the SYN Protector rulebase. You can set the severity to either Default, Info, Warning, Minor, Major, or Critical. To change the severity for a rule, right-click the Severity column of the rule and select a severity.
  • Page 556: Entering Comments

    Add Network Honeypot Rulebase. The Network Honeypot rulebase tab appears. Configure a Network Honeypot rule by clicking the Add icon on the left side of the Security Policy window. A default Network Honeypot rule appears. You can modify this rule as needed.
  • Page 557: Configuring The Source

    IDP run a script in response to the attack, or set an alarm flag to appear in the log record. Your goal is to fine-tune the attack notifications in your security policy to your individual security needs.
  • Page 558: Setting Severity

    Comments column is not pushed to the target devices. To enter a comment, right-click the Comments column and select Edit Comments. The Edit Comments dialog box appears. You can enter up to 1024 characters in the Comments field.
  • Page 559: Installing Security Policies

    Validating Security Policies You should validate a security policy to identify potential problems before you install it. NSM contains a Policy Validation tool to help you locate common problems, such as:
  • Page 560 When a packet comes in, a security device compares it to the first rule in the policy. If a match occurs, the device executes the action associated with the rule. If no match occurs,
  • Page 561: Table 47: Rule Shadowing Example

    Inspection) that is not supported by the security device in the Install column of the rule, policy validation displays an information message that describes the unsupported feature. Installing New Security Policies Before you install a new security policy, ensure that you have:
  • Page 562: Configuring IDP Policy Push Timeout

    To set the timeout to a higher value, edit the following file: /usr/netscreen/DevSvr/var/devSvr.cfg Change the following setting: devSvrDirectiveHandler.idpPolicyPush.timeout 2400000 The setting is measured in milliseconds (thousandths of a second). So, 2400000 milliseconds is equal to 40 minutes.
  • Page 563: Updating Existing Security Policies

    NSM. The update first unsets the current policy on the device, deletes the old object, adds the new changed object, then installs the entire security policy again on the physical device.
  • Page 564: Updating Only The IDP Rulebases On ISG Devices

    Reimporting Devices and Security Policies on page 518 Merging Policies on page 518 Importing SRX Series Devices That Contain Inactive Policies on page 520 Exporting Policies on page 520 Helpful Tips Some helpful tips about managing your rules and policies:
  • Page 565: Selecting Rules

    To quickly create multiple rules that use the same basic information, copy and paste the rule, then change the parameters in each copied rule to make the rule unique (this is especially useful for rules that contain detailed rule options such as attack protection).
  • Page 566: Using Cut, Copy, And Paste On Rule Fields

    Global MIP, Global VIP, attack, device, VLAN, and custom field objects, to your security policies. Select the object and drag it into the appropriate policy column. When you drag objects beyond the visible rows or columns,
  • Page 567: Deleting A Rule

    Enter a name and description for the rule group, then click Combining rules into a rule group can help you better manage rules. For example, you might want to create a rule group for:
  • Page 568: Reimporting Devices And Security Policies

    To simplify policy management and maintenance, you can merge two policies into a single security policy. To merge two policies, select a source policy and a target policy:
  • Page 569: Figure 84: Security Policy A Rules (Before Policy Merge)

    Policy A contains the rules as shown in Figure 84 on page 519. Figure 84: Security Policy A Rules (Before Policy Merge) Policy B contains the rules as shown in Figure 85 on page 520.
  • Page 570: Figure 85: Security Policy B Rules (Before Policy Merge)

    You can export a security policy rulebase to an HTML file. To export a security policy, select File > Export Policy. (You can also use the button or Alt-E.) In the dialog box, select from the following options: Export Policy
  • Page 571: Automatic Policy Versioning

    This section explains how to set NSM for automatic policy versioning, create a new policy version, and view existing versions. Setting NSM to Automatic Policy Versioning This section explains how to use the GUI to make NSM default to automatic policy versioning.
  • Page 572: Viewing Existing Policy Versions

    In the NSM GUI, right-click on a policy. Select View Versions. Click Create Version. Optionally, fill in Version Comments and click OK. The new version appears in the list in the Version History window. Click Close to save the changes.
  • Page 573: Using A Filter To Search For A Policy Version

    NSM creates a new policy object that has two versions: the older version is the original and the newer version is the modified object. You can then use the compare versions tool to find out the changes to the object.
  • Page 574: Restore An Older Version

    More than one database version must exist before you can sort them. To view, edit, filter, and sort versions In the NSM GUI, select Tools > Database Versions. All versions are listed in the popup Database Versions window.
  • Page 575: Displaying The Differences Between Database Versions

    Displaying the Differences Between Database Versions This section explains how to display the difference between two versions. To display the differences: In the NSM GUI, select Tools > Database Versions. In the popup menu, select two databases. Click Compare.
  • Page 576: Update Device With An Older Database Version

    NSM installations. You can define and apply rules for each rulebase type. When you update a device, device-specific policy configurations are generated for the device. This creates rulebases by applying the following rules in the following order (from first to last): Prerules Policy rulebase rules
  • Page 577 These rules are displayed in a different color and not editable. Prerules and postrules can include rulegroups. The firewall rulebase for prerules and postrules cannot contain VPN rules or VPN links.
  • Page 578: Rule Application Sequence

    Regional Server object or ANY as legal entries. When a Central Manager pushes a pre/post rule to a regional server, content in this column specifies which rule is pushed to which regional server.
  • Page 579: Managing Prerules And Postrules

    Modify prerules and postrules This procedure assumes that a Central Manager administrator is logged onto a Central Manager client, and a pre/post rule has been pushed to a regional server. To modify a pre/post rule:
  • Page 580: Delete Prerules And Postrules

    The mapping table shows only the current domain’s entries. Therefore, if an administrator is in the global domain, no subdomain entries are visible. This section contains the following topics: Access Control of Polymorphic Object on page 531
  • Page 581: Table 48: Polymorphic Objects

    When polymorphic objects are created in the Central Manager they are pushed to one or more regional servers where they are available to be populated with real values. The workflow for using polymorphic objects is:
  • Page 582: Create A Polymorphic Object

    In the main navigation tree, select Policy Manager > Central Manager Policies. Select either Central Manager Pre Rules or Central Manager Post Rules. Click the Add icon in the toolbar and select Polymorphic Address.
  • Page 583: Map A Polymorphic Object To A Real Value

    If an error message is returned on import or update indicating that a mapping for a polymorphic object was not defined, you can define a mapping for the polymorphic object listed in the error message, and import or update the device again.
  • Page 584 Network and Security Manager Administration Guide
  • Page 585: Chapter 10 Configuring Voice Policies

    You can copy, paste, drag and drop any of these shared objects into the transaction rule. Juniper Networks M Series and MX Series routers running Junos 9.5 and later can be managed in two modes: Central Policy management (CPM) and In-Device management.
  • Page 586: Adding Rules To The BSG Transaction Rulebase

    You can add, edit, delete and search for shared objects Policy such as BSG Service Points and Admission Controllers. Add, delete, edit and search for policy sets in Policy Sets section to the right of the policy window.
  • Page 587 If the Install On value of a rule or a rule set is not applicable to the device being updated, NSM skips that rule or rule set.
  • Page 588 Network and Security Manager Administration Guide
  • Page 589: Chapter 11 Configuring Junos NAT Policies

    The translation can include IP addresses as well as port numbers. The types of NAT policies that are supported on Juniper Networks devices are: Source NAT policy, Destination NAT policy, and Static NAT policy.
  • Page 590: Adding A Source NAT Rulebase

    (default) or not and can have the following values: The default routing instance (default), which ships with the device. You can use this routing instance, if you do not wish to configure anything new.
  • Page 591: Adding A Rule To A Source NAT Rule Set

    If using Port Address Translation (PAT), specify a port range (between 1024 and 65535) in the High field. When PAT is used, multiple hosts can share the same IP address. For more information on PAT, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/id-11012.html#id-11012
  • Page 592: Editing A Source NAT Rule Or Rule Set

    View/Modify Destination — destination that you set previously. Dest Address — Enables you to cut, copy, and paste the values that are within this field. Edit — Enables you to add additional destinations. Add Dest address
  • Page 593: Destination NAT Policy

    Destination NAT policy is used to allow hosts from a public network to communicate with a private network through the translation of the destination IP address within a packet that is entering the Juniper Networks device. For more information on destination NAT, see http://www.juniper.net/techpubs/software/junos-security/junos-security10.0/junos-security-swconfig-security/jd0e90828.html#jd0e90837...
  • Page 594: Adding A Destination NAT Rulebase

    Other routing instances, if you have added them previously. To add a new routing instance, use Object Manager > Routing Instance Objects. Zone — Select the zone from the list.
  • Page 595: Adding A Rule To A Destination NAT Rule Set

    Select a destination port. This is the port through which the traffic enters the private network. Specify one of the following actions: —Do not perform destination NAT.
  • Page 596: Editing A Destination NAT Rule Or Rule Set

    View the applicable shared objects in the drop-down list in the Shared Objects for Policy section of the window. You can add, edit, delete and search for shared objects, which are applicable to the specific NAT rulebase.
  • Page 597: Static NAT Policy

    In general, the list displays the routing instances configured within a specific device or just the shared routing instances depending on whether the Select From Device check box is selected (default) or not, and can have the following values:
  • Page 598: Adding A Rule To A Static NAT Rule Set

    As static NAT supports one-to-one mapping, if your source consists of a number of hosts, then make sure that you enter an equal number of public IP addresses in this field.
  • Page 599: Editing A Static NAT Rule/Rule Set

    View the applicable shared objects in the drop-down list in the Shared Objects for Policy section of the window. You can add, edit, delete and search for shared objects, which are applicable to the specific NAT rulebase.
  • Page 600 Network and Security Manager Administration Guide
  • Page 601: Chapter 12 Configuring VPNs

    Creating VPNs with VPN Manager on page 568 VPN Manager Examples on page 586 Creating Device-Level VPNs on page 601 Device-Level VPN Examples on page 616 Auto-Connect Virtual Private Network on page 625 IVE VPN Monitoring on page 627
  • Page 602: About VPNs

    About VPNs With Network and Security Manager (NSM), you can use basic networking principles and your Juniper Networks security devices to create VPNs that connect your headquarters with your branch offices and your remote users with your protected networks. NSM supports tunnel and transport modes for AutoKey IKE, Manual Key, L2TP, and L2TP-over-AutoKey IKE VPNs in policy or route-based configurations.
  • Page 603: Configuring VPNs

    Because you have so many choices, it’s a good idea to determine what your needs are before you create the VPN so you can make the right decisions for your network. These decisions include:
  • Page 604: Determining Your VPN Members And Topology

    IP addresses in use on your network. Site-to-Site Site-to-site VPNs are the most common type of VPN. Typically, each remote site is an individual security device or RAS user that connects to a central security device.
  • Page 605: Hub And Spoke

    Disadvantages—When you add a member to the VPN, you must reconfigure all devices. Use a full mesh VPN when you need to ensure that every VPN member can communicate with every other VPN member.
  • Page 606: Creating Redundancy

    VPN node, then authenticates the VPN data using MD5 or SHA hash algorithms against the secret. Certificates—IKE uses a trusted authority on the client as the certificate server. For details on using certificates, see the Network and Security Manager Configuring ScreenOS and IDP Devices Guide.
  • Page 607 In Phase 1, two members establish a secure and authenticated communication channel. In Phase 2, two members negotiate Security Associations for services (such as IPSec) that require key material and/or parameters. VPN nodes must use the same authentication and encryption algorithms to establish communication.
  • Page 608: Using L2TP

    VPN members. You cannot add RAS users in a routing-mode VPN. Mixed-mode VPNs—Connects policy-based VPNs to route-based VPNs in a mixed-mode VPN. You cannot add RAS users in a mixed-mode VPN. The following sections detail Policy-based and Route-based VPN types.
  • Page 609: About Policy-Based VPNs

    VPN members, their IP addresses and gateways, and the type of tunnel between them. Define Members and Topology What do you want to connect? Devices Network Components/Protected Resources
  • Page 610: Define VPN Type: Policy-Based, Route-Based, Or Mixed-Mode

    VPN topology, then autogenerate the VPN rules that create the VPN. You can inspect the VPN rules and override any VPN property before sending the VPN configuration to your devices. Choose the VPN type that best matches your VPN requirements:
  • Page 611 An L2TP over AutoKey IKE RAS VPN supports: Policy-based VPNs ESP and AH Authentication ESP AutoKey IKE Encryption PPP or other non-IP traffic Remote access users Creating Device-Level VPNs You can create the following VPN types:
  • Page 612: Preparing VPN Components

    Zones—Configure each security device with at least two zones (trust and untrust); each zone must contain at least one interface (physical or virtual). Preparing Required Policy-Based VPN Components A policy-based VPN requires several components: Address objects Protected resources
  • Page 613: Configuring Address Objects

    First, create a device-specific NAT object by editing the device configuration of each security device member. Then, create a global NAT object that includes the device-specific NAT objects. In the Object Manager, create a single shared NAT object to represent similar
  • Page 614: Configuring Remote Access Service (RAS) Users

    On the client side, the certificate DN is sent as the IKE ID for the server to match the VPN configuration based on the content of the DN. The server DN configuration can contain a container part and a wildcard part as follows:
  • Page 615: Configuring Required Routing-Based VPN Components

    (cannot exceed the maximum number of allowed Phase 1 SAs or the maximum number of VPN tunnels allowed on the Juniper Networks security device platform). For details on group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
  • Page 616: Configuring Tunnel Interfaces And Tunnel Zones

    NOTE: If you are using VPN Manager to create the route-based VPNs, you create the routes after autogenerating the VPN. If you are creating a device-level VPN, you can create the routes after configuring the tunnel interfaces.
  • Page 617: Creating Certificate Objects

    To create a static route, you must manually create a route for each tunnel on each device. For VPNs with more than just a few devices, Juniper Networks highly recommends using a dynamic routing protocol to automatically determine the best route for VPN traffic: To route between different networks over the Internet, use Border Gateway Protocol (BGP);...
  • Page 618: Creating PKI Defaults

    Manager Configuring ScreenOS and IDP Devices Guide. Creating VPNs with VPN Manager Configuring a VPN using VPN Manager is an eight-stage process: “Adding the VPN” on page 569 “Configuring Members” on page 570 (policy-based, RAS users, routing-based)
  • Page 619: Adding The VPN

    When you configure the topology for the VPN, you can select a unique termination point for each VPN member. View Properties—Configure the VPN components that the VPN Manager displays for the VPN:
  • Page 620 Incoming Global DIP. Select the Global DIP object that represents the range of IP addresses available to the security device. (This DIP pool must include IP addresses that are routeable on your internal network.) For details on configuring DIP objects.
  • Page 621 Below the Protected Resources pane, select L2TP/NAT to display the protecting security devices for each protected resource. (If you are configuring an AutoKey IKE VPN or AutoKey IKE RAS VPN, this option does not appear.) Select the device for which you
  • Page 622: Adding RAS Users

    VPN Manager automatically creates the necessary tunnel interfaces for each route-based VPN member. However, after VPN Manager autogenerates the VPN tunnels, you must configure static or dynamic routes on the security devices to route traffic through these
  • Page 623 VPN. After you have added the device to the VPN, you can double-click the device and configure overrides for the default tunnel interface zone and the physical source interface. For devices running ScreenOS 5.x and later, you can also enable/disable single tunnel interface and NHTB entries.
  • Page 624: Configuring Topology

    Hub and Spoke—Select a device to act as the hub; this device connects VPN members and enables them to communicate. Next, select the VPN members to be the spokes. You are not required to use a VPN member as a hub:
  • Page 625 Main and Branch—Main and branch topologies combine the flexibility of hub and spoke with the redundancy of full mesh. Because you can select multiple mains, each branch has an alternate tunnel to use if one main fails. To create a main and branch:
  • Page 626: Defining Termination Points

    Aggressive mode—The IKE identity of each node is not protected. The initiating node sends two messages and the receiving node sends one (three messages total); all messages are sent in the clear, including the IKE identity exchange between the nodes.
  • Page 627 “keep alive” packets through the NAT device. Configuring XAuth Use the XAuth protocol to authenticate RAS users with an authentication token (such as SecureID) and to make TCP/IP settings (IP address, DNS server, and WINS server) for the peer gateway.
  • Page 628: Configuring Gateway Security

    To generate a random key, enter a value for the seed, then click Generate Key. NSM uses the seed value to generate a random key, which is used to authenticate VPN members.
  • Page 629: Configuring IKE IDs

    RAS users, so you do not need to configure this option. However, if you do not want to use the default IKE ID, you can select a different IKE ID type and configure an IKE ID for each VPN gateway.
  • Page 630: Configuring IKE

    For details on how Group IKE IDs work, see “Configuring Group IKE IDs” on page 565. For details on determining the ASN1-DN container and wildcard values for Group IKE IDs, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide. FQDN—Use a Fully Qualified Domain Name when the gateway has a dynamic IP address.
  • Page 631 Automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface. For details on VPN monitoring at the device level, see the Juniper Networks ScreenOS 5.x Concepts and Examples Guide.
  • Page 632: Configuring Security Level

    VPN. After you have inserted the VPN link into a security policy, you can install that policy on your devices using the Updated directive. Create static or dynamic routes for route-based VPNs. To autogenerate the VPN, click Save. Copyright © 2010, Juniper Networks, Inc.
  • Page 633: Configuring Overrides

    To save this rule order, click Apply. Configuring Rule Options You can configure rule options for each rule, including traffic shaping, logging, antivirus and attack objects, and protection actions. For details on configuring these options. Copyright © 2010, Juniper Networks, Inc.
  • Page 634: Editing Device Configuration

    For route-based and mixed-mode VPNs, you can view the VPN tunnels between each route-based member, including the source and peer devices, the tunnel interface, zone, and physical interface. NOTE: The device tunnel summary does not appear for policy-based VPNs. Copyright © 2010, Juniper Networks, Inc.
  • Page 635: Adding The Vpn Link

    Editing Users To edit a user object in the VPN, right-click the user and select Edit Remote User. Make your changes, then click OK to save your changes.
  • Page 636: Editing The Vpn Configuration

    Configure the Tokyo device with the following interfaces: Ethernet1 is the Trust IP (10.1.1.1/24) in the Trust zone. Ethernet3 is the Untrust IP (1.1.1.1/24) in the Untrust zone. b. Configure the Paris device with the following interfaces:
  • Page 637 For Color, select magenta. For Comment, enter Paris Trust Zone. Create the Tokyo Protected Resources object. In Protected Resources (under VPN Manager), click the Add icon. Configure as shown in Figure 87 on page 588, then click
  • Page 638: Figure 87: Create Tokyo Protected Resource Object For Autokey Ike Vpn

    VPNs and select AutoKey IKE VPN. The New AutoKey IKE VPN dialog box appears. Configure the General VPN Properties: a. In Name, enter Tokyo-Paris Policy-Based VPN. b. Select Enable. c. In Termination Point, select Untrust.
  • Page 639 Click the Gateway Parameters link. The Properties tab appears. Leave all defaults and click the Security tab. In the Security tab, configure the PKI Information and Phase 1 Proposals as shown in Figure 89 on page 590.
  • Page 640: Figure 89: Configure Gateway Parameters For Autokey Ike Vpn

    Select the Tokyo-Paris Policy-Based VPN, then click OK to add the link. By default, the link appears at the top of the rulebase, but you can move the VPN link anywhere in the rulebase, just as you would a firewall rule.
  • Page 641: Example: Configuring An Autokey Ike Ras, Policy-Based Vpn

    Create Chicago Corporate Trusted LAN Protected Resources to represent the destination point of the VPN. In Protected Resources (under VPN Manager), click the Add icon. Configure as shown in Figure 91 on page 592, then click OK:
  • Page 642: Figure 91: Add Chicago Protected Resource For Autokey Ike Ras Vpn

    Figure 92: Add New Local User for AutoKey IKE RAS VPN Create the VPN. In the navigation tree, double-click VPN Manager, then right-click VPNs and select AutoKey IKE RAS VPN. The New AutoKey IKE RAS VPN dialog box appears. Configure as shown below:
  • Page 643 Security tab. b. In the Security tab, enter the preshared key value (h1p8A24nG5), then click Generate Key. c. For Phase 1 Proposals, select User-Defined, then click the Add/Edit icon to add the pre-g2-3des-sha proposal.
  • Page 644: Figure 93: Configure Security For Autokey Ike Ras Vpn

    Configure the Tokyo device with the following interfaces: Ethernet1 is the Trust IP (10.1.1.1/24) in the Trust zone. Ethernet3 is the Untrust IP (1.1.1.1/24). Configure the Paris device with the following interfaces:
  • Page 645 Click OK to add the members to the VPN. d. Ensure that the route-based members are configured. e. Click OK to save your settings and return to the main display area. f. Configure the VPN topology:
  • Page 646: Figure 94: View Tunnel Summary For Autokey Ike, Rb Site-To Site Vpn

    Network and Security Manager Configuring ScreenOS and IDP Devices Guide. You can use static or dynamic routes; however, this example details only the static route creation. For each device, you will create two routes using the trust virtual router (trust-vr):
  • Page 647: Example: Configuring Xauth Authentication With External User Group

    1 IKE negotiations. In NSM, you leave the external user group unpopulated, but you must define each user as a local user with an IKE ID, then create a group that includes those local users as
  • Page 648 Configure the RADIUS Server. On the RADIUS server, load the Juniper Networks dictionary file and define Xauth user accounts. Use the Juniper Networks user group VSA to create the user group xa_grp2 and apply it to the auth user accounts that you want to add to that group.
  • Page 649 Add a NetScreen-208 security device named "Bozeman". This is the device that protects the FTP server. Configure the Bozeman device with the following interfaces: Ethernet1 is the Trust IP (10.1.1.1/24) in the Trust zone. Ethernet3 is the Untrust IP (2.2.2.2/24) in the Untrust zone.
  • Page 650 Auth Server Name. Later, after you have autogenerated the VPN rules and gateway, you can override this setting to include only the Reseller external user group. In the Security tab, enter the preshared key value (netscreen4), then click Generate Key.
  • Page 651: Creating Device-Level Vpns

    By default, the link appears at the top of the policy, but you can move the VPN link anywhere in the policy, just as you would a firewall rule. Creating Device-Level VPNs You can create four types of device-level VPNs:
  • Page 652: Supported Configurations

    IKEv2 responder (VPN gateway) from the EAP authentication endpoint (backend AAA server). From the NSM UI, you can: Set the global account type to be authenticated by the authentication server: Navigate from Object Manager > Authentication Servers
  • Page 653: Configuring Gateways

    Add icon to display the New Gateway dialog box. Configure the gateway as detailed in the following sections. Properties Enter a name for the new gateway, then specify the following gateway values: Mode—The mode determines how Phase 1 negotiations occur.
  • Page 654 NAT device, it checks every VPN packet to determine if NAT-T is necessary. Because checking every packet impacts VPN performance, you should only use NAT Traversal for remote users that must connect to the VPN over an external NAT device.
  • Page 655 IP address (such as a RAS user). A U-FQDN is an e-mail address, such as user1@mycompany.com. Use the XAuth protocol to authenticate RAS users with an authentication token (such as SecurID) and to make TCP/IP settings (IP address, DNS server, and WINS server) for the peer gateway.
  • Page 656 To reduce the key size, shorten the autogenerated key value by deleting characters. To use a predefined value for the key, enter a value for the Preshared Key.
  • Page 657: Configuring Routes (Route-Based Only)

    VPN, the IKE Phase 2 proposals used by that gateway, and how you want NSM to monitor the VPN tunnel. For route-based VPNs, you are also binding the VPN to the tunnel interface or zone that sends and receives VPN traffic to and from the device.
  • Page 658 To use a predefined proposal set, select one of the following: Basic (nopfs-esp-des-sha, nopfs-esp-des-md5); Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5); Standard (gs-esp-3des-sha, gs-esp-aes128-sha). To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 Proposals.
  • Page 659 You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel, configure the following:
  • Page 660: Adding A Vpn Rule

    For details on adding and configuring a VPN rule in a security policy, see “Adding VPN Rules” on page 615. Creating Manual Key VPNs Creating a device-level Manual Key VPN is a four-stage process: Configure XAuth Users Configure Routes (Route-based only)
  • Page 661: Adding Xauth Users

    Local SPI—The local Security Parameter Index. Remote SPI—The remote Security Parameter Index. Outgoing Interface—The outgoing interface is the interface on the security device that sends and receives VPN traffic. Typically, the outgoing interface is in the untrust zone.
  • Page 662 You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. To enable the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel, configure the following:
  • Page 663: Adding A Vpn Rule

    For route-based VPNs, the VPN tunnel is already in place. However, you might want to add a VPN rule to control traffic through the tunnel. For details on adding and configuring a VPN rule in a security policy, see “Adding VPN Rules” on page 615.
  • Page 664: Creating L2Tp Vpns

    DNS and WINS servers assigned to L2TP RAS users after they have connected to the tunnel. IP Pool Name—Select the preconfigured IP pool object that represents the available IP addresses that can be assigned to L2TP RAS users after they have connected to the tunnel. Auth Server
  • Page 665: Creating L2Tp Over Autokey Ike Vpns

    VPN rule. Right-click in the Source Address, Destination Address, Action, or Install On column and select Configure VPN to display the Configure VPN dialog box. Select the source security device that contains the termination interface for the VPN tunnel. Select a VPN Type:
  • Page 666: Configuring The Security Policy

    “Example: Configuring a Policy-Based Site-to-Site VPN, Manual Key” on page 622 “Example: Configuring a Policy-Based RAS VPN, L2TP” on page 624 The following sections provide step-by-step instructions on creating each type of device-level VPN.
  • Page 667: Example: Configuring A Route-Based Site-To-Site Vpn, Manual Key

    Add the Paris Trust LAN (10.2.2.0/24) as a network address object. In Address Objects, click the Add icon and select Network. Configure the following, then click OK: For Name, enter Paris Trust LAN. For IP Address/Netmask, enter 10.2.2.0/24. For Color, select magenta.
  • Page 668 Double-click the trust-vr route to open the virtual router for editing. In the virtual router dialog box, click Routing Table, then click the Add icon under destination-based Routing Table to add a new static route.
  • Page 669: Figure 95: Configure Tokyo Route For Rb Site-To-Site Vpn, Mk

    Figure 95: Configure Tokyo Route for RB Site-to-Site VPN, MK Configure the route from the trust zone to the tunnel interface, and then click OK. Figure 96: Configure Tokyo Trust Route for RB Site-to-Site VPN, MK Your routing table should appear.
  • Page 670: Figure 97: View Tokyo Routing Table For Rb Site-To-Site Vpn, Mk

    Select the Manual tab, then click the Add icon. The Properties screen appears. Configure the following: For Name, enter Paris_Tokyo. For Gateway, enter 2.2.2.2. For Local SPI, enter 3020. For Remote SPI, enter 3030. For Outgoing Interface, select ethernet3. For ESP/AH, select ESP CBC.
  • Page 671 Configure the following, then click OK: For Security Policy Name, enter Corporate Route-based VPNs. Optionally, add comments. In the main navigation tree, select Policies > Corporate Route-based VPNs. The security policy appears in the main display area.
  • Page 672: Figure 98: Configure Rules For Rb Site-To-Site Vpn, Mk

    For Remote SPI, enter 3030. For Outgoing Interface, select ethernet3. For ESP/AH, select ESP CBC. For Encryption Algorithm, select 3DES-CBC. Select Generate Key by Password, then enter the password asdlk24234. For Authentication Algorithm, select SHA-1.
  • Page 673 Configure two VPN rules. Rule 1 creates the VPN tunnel from the Tokyo device to the Paris device. Rule 2 creates the VPN tunnel from the Paris device to the Tokyo device. Save the security policy.
  • Page 674: Example: Configuring A Policy-Based Ras Vpn, L2Tp

    Create a local user group called Field Sales that includes the Adam, Betty, and Carol local user objects. Configure the following, then click OK: For Name, enter RM_L2TP. For Color, select green. For Dns1, enter 1.1.1.2. For Dns2, enter 1.1.1.3. For Wins1, enter 0.0.0.0.
  • Page 675: Auto-Connect Virtual Private Network

    VPN tunnels. With ACVPN, all spokes are connected to the hub by VPN tunnels. All VPN tunnels configured towards the hub must be route-based. After you set up a static VPN tunnel
  • Page 676: Configuring Acvpn

    Right-click the tunnels and assign the IP address. The Tunnel Interface dialog box appears. Enter the IP address and netmask, and then click OK. Click the Close button in the AutoKey IKE VPN.
  • Page 677: Ive Vpn Monitoring

    Verify that the NHS IP Address field has been populated. Click OK. IVE VPN Monitoring NSM real-time monitoring is available on Secure Access and Infranet Controller devices. For more information, see “Realtime Monitoring” on page 659.
  • Page 679: Chapter 13 Central Manager

    Data is not lost when logging on and off of Central Manager. In addition, Central Manager does not use any of the shared objects that exist only in any of the individual regional servers.
  • Page 680: Self-Sufficient Regional Server

    All firewall, VPN, and IDP policy information and policy-related configurations (shared configurations such as addresses and services) are hidden from the device editor view. Policies from the central policy manager are shared across ScreenOS-based firewall devices, standalone IDP devices, and J Series devices.
  • Page 681: Device Management Mode

    To add a regional server object: In the main navigation tree, select Object Manager > Regional Server. Click the Add icon in the toolbar. Enter the following information for the regional server you want to add. Name IP address
  • Page 682: Deleting A Regional Server Object

    Central Manager server are updated to regional servers managed by Central Manager. The Central Manager administrator can select which regional servers will receive the Central Manager rules and objects during the install.
  • Page 683: Prerule And Postrule Updates During Global Policy Install

    Global Policy Install transaction. All polymorphic objects are deleted if they are not used by any of the local policies in the regional server.
  • Page 684: Name Space Conflict Resolution For Polymorphic Objects

    Name conflict with a regional server regular shared object of the same type—The incoming polymorphic object is renamed “objname_n” where “n” is a sequentially increasing integer and inserted into the regional server’s global domain. Only names are pushed for polymorphic objects.
  • Page 685: Chapter 14 Topology Manager

    In addition to either having a seed device or configuring preferred subnets, you also need the following to initiate topology discovery: The management IP address of the EX Series switch that acts as the seed IP address SNMP credentials:
  • Page 686: About The Nsm Topology Manager Toolbar

    The Topology Manager status bar at the bottom of the screen indicates the time stamp of the last completed topology discovery and whether a discovery is in progress.
  • Page 687: Initiating A Topology Discovery

    SNMP-enabled, so that the maximum number of links is discovered. Check for NSM schema updates if some Juniper Networks devices are not discovered. Expand the range of the included subnets and ensure that all relevant routers are SNMP-enabled if IP addresses for endpoint devices connected to a switch are not discovered.
  • Page 688: Viewing A Network Topology

    In map view, each network element is represented by an icon indicating whether the element is a Juniper Networks product and whether it is managed by NSM. Each device type is represented by a unique icon on the map. Managed and unmanaged devices appear as different colored icons.
  • Page 689: Subnets View

    Select OK to locate the subnet matching the given criteria. Locate Groups: Use this tool to locate a particular group cloud in the groups topology map view. Open the Groups topology view. Select the Locate Groups option from the right-click menu.
  • Page 690: About The Nsm Topology Table Views

    Links View on page 641 Free Ports View on page 641 Devices View The NSM Topology Manager provides a tabular view of all the discovered Juniper Networks devices in the network along with relevant details about each device. The Devices table lists details about the Juniper Networks devices and other third-party routers and switches.
  • Page 691: Endpoint Devices View

    Free Ports topology discovery engine. If the administrative status of a device port is down, it is considered a free port. The managed status of a Juniper Networks device is indicated in the Device Status column. You can save the information in the table as comma-separated values in a file.
  • Page 692: About Topology Manager Preferences

    You can add any of the devices on the list to NSM by following these steps. Select and right-click on a device in the map. NSM launches a wizard to help you add devices to be managed.
  • Page 693 View link details between devices in the topology map: You can use the View details item on a selected link in the topology map to view link details between two managed devices, where one of the devices is the source and the other is the destination.
  • Page 695: Chapter 15 Role-Based Port Templates

    , and RSTP is enabled with the edge option. When you apply port templates on EX Series switches, NSM creates the required configuration in the following configuration groups and applies them at the top level configuration node: juniper-port-template-desktop juniper-port-template-desktop-phone juniper-port-template-layer2-uplink juniper-port-template-layer3-uplink
  • Page 696: Managing Port Template Associations

    Apply or Edit a Port Template The Manage Template Association screen displays the list of EX Series switches and their interfaces on which the selected port template is currently applied. To apply a port template:
  • Page 697 Save as Text: Saves the details of port templates to port associations in a text file. Save as HTML: Saves the details of port templates to port associations in an HTML file. Cancel: Cancels all modifications and closes the Manage Template Port Association screen.
  • Page 698: Detect And Resolve Configuration Conflicts

    Percent Remainder buffer available. Priority—Select a value from the list. Save: Click to save the settings. Cancel: Click to cancel all modifications. Click Save to create the customized port template.
  • Page 699: Edit A Port Template

    Priority—Select a value from the list. Save: Click to save the settings. Cancel: Click to cancel all modifications. Click Save to create the customized port template. See “Detect and Resolve Configuration Conflicts” on page 648.
  • Page 701: Chapter 16 Unified Access Control Manager

    From the IC table, you can edit the configuration of a selected IC using the edit button provided above the IC table. The edit dialog is similar to the edit device action in the Device Manager.
  • Page 702: The Enforcement Point View

    Select the check box to run a Summarize task that ensures the association between the IC and EP in the application database. The configuration status of these devices becomes Managed, NSM Changed. Select OK. The selected EPs are listed under the associated IC.
  • Page 703: Manager

    Update the Enforcement Point Association in the Infranet Controller to update the data in the IC with data from the UAC Manager. Select the check box to overwrite the shared secret in the device.
  • Page 704: Enabling 802.1X On Enforcement Point Ports In The Uac Manager

    Select the check box to run a Summarize Delta Config task that ensures the association between the EP and the ports in the application database. The configuration status of these devices becomes Managed, NSM Changed. Select OK.
  • Page 705: Disabling 802.1X On Enforcement Point Ports In The Uac Manager

    Select the check box to run an Update Device task, which pushes configuration changes to the EP. Select the check box to run a Summarize Delta Config task that ensures the association between the EP and the ports in the application database. Select OK.
  • Page 707 PART 4 Monitoring: Realtime Monitoring on page 659; Analyzing Your Network on page 709; Logging on page 739; Reporting on page 809
  • Page 709: Chapter 17 Realtime Monitoring

    Realtime Monitoring The Realtime Monitor module includes four views that you can use to monitor the status and traffic statistics for all the managed Juniper Networks devices in your network in real time. To access, monitor, and configure the NSM management system, you use the Server Manager module.
  • Page 710: Realtime Monitor Views

    Protocol) clusters in your network. If you implement NSRP for the purpose of deploying clusters in your Juniper Networks security system, you can use the NSRP Monitor to view and troubleshoot the status of security devices in clusters within the domain you are working in.
  • Page 711: Realtime Monitoring

    Managed. The device is currently being managed by NSM. For devices running ScreenOS 5.0 and later, the Device Monitor can display the following additional configuration states: Managed, In Sync. The physical device configuration is synced with the modeled configuration in NSM.
  • Page 712 N/A—The device's alarm is not pollable or discoverable; for example, this column shows "N/A" for ScreenOS and IDP devices. Alarm is colored: Red for Major. Orange for Minor. Green for Ignore, None, Unknown, or N/A.
  • Page 713: Device Polling Intervals

    To configure or view the device polling intervals, double-click the Server Manager > Servers node, then select the Device Server and click the Edit icon. The Device Server dialog box is displayed. Use the Device Polling tab to edit the intervals to meet your monitoring requirements:
  • Page 714: Table 50: Device Polling Intervals

    The Info tab dialog box is displayed. Select the Device Admin page to set the polling interval for the device. The minimum polling interval is 60 seconds. The maximum interval is 2,147,483,647 seconds. You cannot disable polling.
  • Page 715: Table 51: Device Detail Status Items

    Mem Allocated The original amount of memory allocated to the security device. Mem Left The amount of allocated memory that remains unused by the security device. Mem Fragmented The amount of fragmented memory.
  • Page 716: Table 52: Device Statistics Summary

    Vsys: Displays the serial number of the security device. Vsys The name of the virtual system (if applicable) Version The security device’s build, model, and operation mode (this is not displayed in the Vsys view).
  • Page 717: Table 53: Device-Specific Views

    VPN Distribution View the up/down status and active statistics of VPNs on the security device (if applicable). Also enables you to view a chart of the VPN distribution by VPN tunnel.
  • Page 718 The graph displays a percentage of the absolute number of bytes for the top 10 policies by default. Table 54 on page 669 describes all of the information that is available from the Policy Distribution view.
  • Page 719: Table 54: Policy Distribution Items

    Adjusting Data Depicted Graphically You can adjust all elements depicted in the graph, including the policies, data values (such as absolute or delta), and type of data (bytes in or out, packets in or out, utilization).
  • Page 720: Table 55: Protocol Distribution Items

    The number of outgoing bytes for the protocol through the security device. Bytes Out Rel% Relative percentage of all outgoing bytes. Delta Bytes Out The total numerical difference between the current bytes out value and the previous bytes out value.
  • Page 721 Click to select the VPN tunnel that you wish to view on the graph from the list of Available VPN tunnels. Click Add to add the VPN tunnel to the list of Selected VPN
  • Page 722: Table 56: Vpn Monitor Table

    Time that the SA status last changed. Last SA Session Duration Duration of last SA session. Group Group associated with the VPN. User User associated with the VPN. DN Name Distinguished Name (DN) of the VPN.
  • Page 723 Key details describing the VPN (such as name, Policy IP, local and peer gateway IDs and IP addresses). Security established on the active VPN. Time-related statistics (such as lifetime, latency). Table 57 on page 674 lists the information that is available from the active VPN.
  • Page 724: Table 57: Active Vpn Table

    Second algorithm used for user encrypted communication between the security device and server. Type of key associated with the VPN: Auto IKE (Internet Key Exchange) or manual key. Lifetime P1 Time listed in seconds before re-keying.
  • Page 725: Table 58: Ethernet Statistics View Data

    Ethernet Statistics view: Table 58: Ethernet Statistics View Data Item Description Interface The data for each interface. Bytes In The number of bytes of incoming traffic processed through the security device over the selected interface.
  • Page 726 Click the Flow Statistics node to view data for various flow counters on a specific security device or virtual interface. For each security device, the data and statistics are separated by all available interfaces.
  • Page 727: Table 59: Flow Statistics View Data

    Click the Attack Statistics node to view the distribution of the attacks that have occurred on a specific security device. The report separates the data and statistics for all available interfaces. Table 60 on page 678 describes each of the attack counters available from the Attack Statistics view:
  • Page 728: Table 60: Attack Counters

    WinNuke can cause any computer on the Internet running Windows to crash. WinNuke introduces a NetBIOS anomaly that forces Windows to restart. Security devices can scan any incoming Microsoft NetBIOS Session Service packets, modify them, and record the event as a WinNuke attack.
  • Page 729 The security device blocks packets where the IP option list includes option 4 (Internet Timestamp). IP Security This option provides a way for hosts to send security, compartmentation, TCC (closed user group) parameters, and Handling Restriction Codes compatible with DOD requirements.
  • Page 730 This option defines the maximum number of sessions the security device can establish per second for a single IP address. (The default threshold is 128 sessions per second per IP address.)
  • Page 731: Table 61: Resource Statistics Items

    The number of sessions that failed to allocate (after maximum reached). Viewing Active Statistics Click the Active Statistics node to view administrator and user activities for a security device. The Administrators tab displays information about the administrators, including
  • Page 732: Table 62: Administrators View

    Table 64 on page 682 describes all of the information that is available from the Active Sessions view: Table 64: Active Sessions Items Item Description Session ID A unique identifier specified with the active session.
  • Page 733 Configuring the Session Filter To configure the session filter: Use the Options menu, and select Session Filter. The Session Filter dialog box appears. Click the Long Form check box to display additional information about the Active Session.
  • Page 734 CLI commands (such as exec debug) to a security device using Telnet or a Secure Command Shell to troubleshoot problems. You can also add, delete, edit, or search for custom CLI commands using the Add/Delete
  • Page 735: Table 65: Ha Statistics View

    InOperable A VSD (or RTO) group security device has an internal problem. Master Conflict The number of conflicts that occurred on the master security device.
  • Page 736: Table 66: Device Status Information

    Domain in NSM in which the sensor is managed. NOTE: If you have configured multiple subdomains, you can view all your managed devices from the global domain. Platform Model number of the sensor. OS Version IDP firmware version running on the sensor.
  • Page 737: Viewing Idp Device Detail And Statistics

    The last time the sensor disconnected from the NSM Device Server. Viewing IDP Device Detail and Statistics If a sensor is running, you can view additional status using Device Details and view traffic-related statistics and other information using Device Statistics.
  • Page 738: Table 67: Idp Device Detail Status Items

    Total amount (in megabytes) of memory. Used Mem Amount (in megabytes) of used memory. Mem Usage Percentage of used memory. Total Swap Total amount (in megabytes) of swap space. Used Swap Amount (in megabytes) of used swap space.
  • Page 739: Table 68: Idp Sensor Process Status Items

    Table 69 on page 689 details additional information you can view from the Device Statistics Summary for IDP sensors. Table 69: Device Statistics Summary (for IDP Sensors) Item Description OS Version IDP firmware version running on the sensor. Copyright © 2010, Juniper Networks, Inc.
  • Page 740: Table 70: Vpn Tunnel Summary

    Type of tunnel: Dialup or Site-to-Site. From Hostname (IP)(Vsys) Source security devices used in the VPN. For example, a root security device named NS5000 with an IP address of 1.1.1.1 appears as NS5000(1.1.1.1). For a Vsys 1, “NS5000(1.1.1.1)(1)” appears. Copyright © 2010, Juniper Networks, Inc.
  • Page 741: Configuring A Vpn Filter

    TIP: In the Selected Devices/Vsys area, by default, all devices or virtual systems are included in the filter. To improve system performance, you can remove devices or virtual systems by selecting them and clicking Remove. Next, select Exclude all selected devices. Copyright © 2010, Juniper Networks, Inc.
  • Page 742: Modifying A Vpn Filter

    Active VPN Details (alternatively, you can also right-click the VPN tunnel and select Active VPN Details). Refer to “Viewing Active VPN Information” on page 673 for more information on the Active VPN Details table. Copyright © 2010, Juniper Networks, Inc.
  • Page 743: Table 71: Nsrp Device Summary

    NSRP Monitor to get an at-a-glance status of your Juniper Networks systems that are in clusters. These systems include both the NetScreen-500 and the NetScreen-1000. To launch the NSRP Monitor, click NSRP Monitor.
  • Page 744: Table 72: VSD/RTO Summary

    The primary backup system. Viewing VSD Counter Details Click the Counters tab to view specific information about your VSD counters. Table 73 on page 695 describes the information that is available from the VSD counters view:
  • Page 745: Table 73: VSD Counter Details

    The direction of the RTO: In or Out. Lost Heartbeat The number of heartbeats not received from the RTO's peers. Counter to Active The number of times that the RTO was placed into the Active state.
  • Page 746: Table 75: IDP Cluster Monitor

    Description Domain Domain in NSM in which the source IDP cluster is managed. Name Name of the cluster. Cluster ID Number uniquely identifying a cluster on a given Ethernet segment (retrieved from all nodes).
  • Page 747: Table 77: IDP Cluster Member Monitor

    VPNs, and NSRP clusters in NSM. In this example, you are a network administrator responsible for monitoring the day-to-day operation of all the security devices managed in your network. You are using NSM to
  • Page 748: Table 78: Server Information

    Table 78 on page 698 lists and describes Device Server and GUI Server information that you can view from Servers. Table 78: Server Information Item Description Name Name of the GUI Server or Device Server.
  • Page 749: Configuring Device Servers

    Device Polling—The Device Server polls security devices it manages for Device, VPN, NSRP, or Interface statistics every 300 seconds by default. If you wish to change this behavior, you can edit the interval using the Device Polling tab.
  • Page 750: Table 79: GUI Server Table

    You can use the Server Monitor to view the status of the running GUI Server and Device Server. The Server Monitor lists all GUI Servers and Device Servers in your management system. For example, if you have installed a primary and secondary GUI Server in a high
  • Page 751: Figure 99: Server Monitor (Machine-Wide Info)

    Table 80: Server Monitor (Machine-wide Info) Data Indicator Description Name Name of the GUI Server or Device Server. Server Type Whether the current server is a GUI Server, GUI Server Cluster, Device Server, or Device Server Cluster.
  • Page 752: Viewing Additional Server Status Details

    Server Detail Status window by double-clicking any of the servers that appear in the Server Monitor. You can also right-click anywhere on the Server Monitor and select View Details. Table 81 on page 703 describes information available in the Server Detail Status:
  • Page 753: Table 81: Server Detail Status

    You can also right-click the Server Monitor to open it in a new window. Click to select a server to view the status of the processes running on it. Figure 100 on page 704 shows process status for the Device Server.
  • Page 754: Figure 100: Process Status for the Device Server

    Table 82: Process Status Name Description Name Name of the GUI Server or Device Server process. Status Displays whether the process is Up or Down. Total Mem Used Total amount (in megabytes) of memory utilized.
  • Page 755: Table 83: Management System Utilities

    Server. This utility is located on the GUI Server at /usr/netscreen/GuiSvr/utils tech-support.sh Collects and compresses technical support data. This utility is located in the utils directory on both the Device Server and GUI Server.
  • Page 756: Using Schema Information

    Address] --domain=<domain id> --device=<device name> Using Schema Information From NSM, you can select Schema Information to view current and running schema and update schema for devices whose schema are defined using XML.
  • Page 757: Viewing Device Schema

    In the navigation tree, select Server Manager > Schema Information. The main display area displays the current staged and running schema details. The staged schema is the most current schema available for download. The running schema is the schema currently applied in NSM.
  • Page 759: Chapter 18 Analyzing Your Network

    After you configure the Profiler, it automatically learns about your internal network and the elements that constitute it, including hosts, peers (which host is talking to which other
  • Page 760: Example of Unique Events

    To see all normal and unique events on your network, you configure and start the Profiler on multiple devices. This enables the Profiler to aggregate and display a complete view of your internal network. NOTE: Profiler DBs remain on individual devices even if the devices restart.
  • Page 761: Analyzing Your Network

    NOTE: Because devices collect data from network components on your internal network, it is helpful to create network objects to represent those components before you begin configuring the Profiler. Alternatively, you can create new network objects directly from the Profiler.
  • Page 762: Table 84: General IDP Profiler Settings

    The AVT feature is limited by its dependency on the NSM agent’s report delivery, which might be unreliable, affecting the accuracy of information. Also, the AVT feature displays the cumulative count of all the traffic on a port, which could be over many sessions.
  • Page 763: Enabling OS Fingerprinting

    Later, when you have analyzed your traffic, you can eliminate contexts that you know will not be used on your network.
  • Page 764: Configuring Alerts

    To update the settings on the device: From the Device Manager, right-click on the device and select Update Device. The Device Update Options window prompts you to Restart IDP Profiler After Device Update. Click OK.
  • Page 765: Starting the Profiler

    Customizing Profiler Preferences To configure the following Profiler preferences, use the Tools menu, and select Preferences > Profiler Settings:
  • Page 766: About Profiler Views

    For example, Yahoo Messenger, MSN, and AIM are chat applications; Kazaa, BitTorrent, and Gnutella are file-sharing applications. In the application hierarchy, both chat and file-sharing applications are grouped under peer-to-peer applications.
  • Page 767: Table 85: Protocol Profiler Data

    First Time Timestamp for the first time the device logged the event (within the specified time interval). Last Time Timestamp for the last time the device logged the event (within the specified time interval).
  • Page 768: Table 86: Network Profiler Data

    NOTE: OUI stands for Organizationally Unique Identifier. This value is a mapping of the first three bytes of the MAC address to the organization that owns the block of MACs. You can obtain a list of OUIs at http://standards.ieee.org/regauth/oui/oui.txt
  • Page 769: About the Violation Viewer

    Most of the time, however, you do not know exactly what you are looking for on the network. In these cases, it is easier to specify exactly what should be on the network, then detect any traffic that violates that specification.
  • Page 770 Traffic that matches the object (uses a service specified in the object) is filtered out, leaving only the traffic that does not match (does not use a service specified in the object).
  • Page 771: Table 87: Application Profiler Data

    Byte count for the traffic profiled. Packet Count Packet count for the traffic profiled. User The user login name. Role The role group to which the user that is associated with the traffic profiled belongs.
  • Page 772: Using Profiler Views

    Right-click on any filter criteria or on any entry in the Profiler view and select Clear All Column Filters to disable all filtering. Other options that you can set in the Profiler views include:
  • Page 773: Filtering and Sorting from the Application Profiler

    Click on the Negate option to hide entries that match the criteria that you have set as a filter. You can also right-click on any entry in the Profiler view and select Toggle Filter Negation to hide entries that match that criterion.
  • Page 774: Refreshing Profiler Data

    Click on the Refresh icon periodically to refresh the Profiler view with the latest data available. Viewing Database Information Click on the Show DB Information icon to view specific details about the Profiler database, including the database size.
  • Page 775: Table 88: Detailed Network Information Data

    Details about the contexts and values on the selected host IP. Use the context and value fields to identify: Software version of the application Username and password of an account on that host Computer name
  • Page 776: Purging the Database

    Profiler DB, and all records for all the subdomains are purged. Recommended Profiler Options The following are recommended for using the Profiler: Configuring a Network Baseline on page 727 Keeping Your Network Current on page 727
  • Page 777: Configuring a Network Baseline

    As new versions or security updates are announced, you must first determine if your network is affected, locate the affected components, then patch as appropriate.
  • Page 778: Proactively Updating Your Network

    Select the Protocol Profiler to see the applications running on the network. In the Context Filter data table, select HTTP Header Servers. The value data table lists all Web servers currently running. The network uses the following Web servers:
  • Page 779: Stopping Worms and Trojans

    Take appropriate measures to secure the network, such as: Apply patches. Remove the components from your network. Remove SQL from all components. Create a rule in your security policy that drops all SQL connections between your internal network objects.
  • Page 780: Example: Blaster Worm

    The IP/MAC address has the unique asset tag "darkness". After checking your IT inventory, you determine who the laptop user is and patch the infected system. Accessing Data in the Profiler Database The Profiler database is located on the NSM Device Server.
  • Page 781: About Security Explorer

    There are five main views in the Security Explorer: “Security Explorer Main Graph” on page 732 “Connections Detail Pane” on page 733 “Reference Point Pane” on page 734
  • Page 782: Figure 102: Security Explorer

    Host—Displayed as an IP address Network—Displayed using CIDR notation (ip/class: 8/16/24) Protocol—These include TCP, ICMP, and so on Attack—Specific attack object name Service—Displayed in protocol/port notation Service range—Displayed in protocol/port range notation, for example, TCP/1-1024
  • Page 783: Graph Types

    Connections Detail pane contains all services for this host. If a Peer IP graph appears, the Connections Detail pane contains all peers for the selected object. Double-clicking on one of the objects in the Details pane displays the relationship graph for it.
  • Page 784: Reference Point Pane

    You can select to view data from the last 24, 12, 8, 4, 2, or 1 hours. Using Security Explorer You can launch the Security Explorer in any of the following ways: From the Security Monitor tree node, select Security Explorer.
  • Page 785: Analyzing Relationships

    Every option represents a transition from one graph to another. Viewing Data The following view options are available, making it easier for you to view and analyze each node in the main graph:
  • Page 786: Table 89: Transitional Graphs

    Outbound IP, Inbound IP Attack Source IP, Destination IP, Protocol Ports Setting a Time Duration Click on the Time Period icon to set a specific time period during which you want to view data.
  • Page 787: Viewing Predefined Reports

    Use the – icon to remove the current Security Explorer panel. Exporting to HTML You can export any data depicted in the Security Explorer to an HTML file by using the Export to HTML option.
  • Page 789: Chapter 19 Logging

    To view log entries from the NSM UI, you can use one or more of the logging-related UI components, such as the Log Viewer or the Log Investigator.
  • Page 790: Table 90: Event-Generated Log Entries

    Protocol Distribution Generates log entries for events related to protocols used in network activity. These log entries are used to produce statistical information for monitoring. Realtime Monitor > Device Monitor
  • Page 791: Logging

    You can forward multiple log entries with different severity levels to the same log destination. Juniper Networks assigns a predefined severity level in the firmware of each Juniper Networks device. However, these severity levels are not the same as the severity levels that appear in the log entries viewed in an NSM UI module.
  • Page 792: Viewing Logs

    NSM handles your log entries. NSM includes three primary logging modules: Log Viewer—Presents complete, summarized, or detailed log-entry information in a table format. You can view an individual log entry to analyze the raw log data, or use
  • Page 793: Device Limitations for Viewing Logs

    The severity setting applies to all log types for that destination. For example, if traffic log entries are enabled for , but the severity setting specifies critical and major severities, receives only critical and major traffic logs; all other severity traffic log entries are
  • Page 794: Table 93: Destinations of Log Entry Severities

    Use the General settings to select the severity levels of the log entries you want to forward to a specific location. Juniper Networks assigns a predefined severity level for each event that generates a log entry on a managed device; using NSM, you can configure a device to send log entries with specific severity levels to specific destinations.
  • Page 795: Table 94: Self Log Entry Settings

    Setting Description Enable Notification for Alarms When alarm is enabled for a rule in the installed security policy and traffic matches the rule, the device sends an e-mail notification to the specified SMTP server.
  • Page 796: Configuring Events Reporting Settings

    Enable the device to send log entries with the desired severity settings to NSM in Report Settings > General > NSM. Screen alarm log entries appear in the Log Viewer and display the following columns of information in the Log Viewer: Source Address Destination Address Service Action
  • Page 797: Event Alarm Log Entries

    “Alarm Log Entries” on page 873. Alarm log entries contain information in the following Log Viewer columns: To Zone From Zone Source IP Destination IP Threshold (displayed in the Misc. column of the Log Viewer)
  • Page 798: Deep Inspection Alarm Log Entries

    Enable the device to send log entries with a notification severity setting to NSM in Report Settings > General > NSM. Configuration log entries appear in the Log Viewer under the category Configuration. For details on configuration subcategories, see “Configuration Log Entries” on page 949.
  • Page 799: Information Log Entries

    “Self” for Category and Subcategory columns. Consequently, self log entries are not necessarily the result of packets that terminate at the device or packets that were dropped by a security device.
  • Page 800: Traffic Log Entries

    Realtime Monitor module. For details on how protocol distribution is displayed in the Realtime Monitor, see “Viewing Traffic Distribution by Protocol” on page 670. The device reports statistics generated by the following services:
  • Page 801: Atomic Updating Events

    Contact Person—The name of the network administrator who manages the device. This contact information is useful when the SNMP community member needs to contact someone about the device. Location—The physical location of the device.
  • Page 802: Directing Logs to a Syslog Server

    797. To send log entries to a Syslog server, click the Syslog option. NSM displays the Syslog dialog box. Enter appropriate data into the following fields. See Table 96 on page 753.
  • Page 803: Table 96: Syslog Settings for Log Entries

    Use NSM to configure the IDP sensor to: Store packet data on the IDP sensor, which NSM can later retrieve. For IDP 4.1 and later, this option is the default setting and improves performance.
  • Page 804 To view a log with packet data, go to the main navigation tree and select Log Viewer, right-click the log containing the packet data, and then select Show > Packet Data. See Figure 103 on page 755.
  • Page 805: Figure 103: View Packet Data in a Log

    Chapter 19: Logging Figure 103: View Packet Data in a Log Figure 104 on page 756 provides an example of packet data.
  • Page 806: Figure 104: Sample Packet Data

    “Searching Log Entries” on page 764—For networks that generate large numbers of log entries, it can be difficult to locate the exact log entries that detail the events you want to investigate. This section describes how to use the log timeline to find logs generated
  • Page 807: Table 98: EX Series Switch Predefined Log Views

    Table 98 on page 757 lists and describes the EX Switch predefined log views. Table 98: EX Series Switch Predefined Log Views Log Type Description All-Switch-logs Filters logs on devices whose device family name is junos-ex
  • Page 808: Table 99: SSL/UAC Predefined Log Views

    Subcategory—NET24462, NET24463, Sensor Initiated Actions Subcategory—IDP24101, IDP24102, IDP24103, IDP24104, IDP24105, IDP24106, IDP24107, IDP24108, IDP24109, IDP24190, IDP24191 Sensors Category—(sensors)(15) System Restarts Subcategory—SYS10298, SYS10299, SYS10314, SYS24258, SYS24259 User Category—User(12) VLAN Assignments Subcategory—EAM24459
  • Page 809: Table 100: Predefined Log Views

    Attackers—To track the activities of a known attacker, create a view that filters on a specific source IP. The source IP address of an attack appears in the source address
  • Page 810: Creating Per-Session Views

    The UI assignable flag associated with the current log. Src Addr The source address of the packet that generated the log. Dst Addr Default The destination device to which the packet associated with the log entry was targeted.
  • Page 811 Bytes Out Number of bytes that comprised the log data being transmitted from the Log Viewer per session. Bytes Total The sum of the number of bytes transmitted and received by the Log Viewer.
  • Page 812 The unique policy rule number that generated the log. This policy number is constant in both ScreenOS and NSM. Roles A role group to which the user belongs. Rule Domain The domain that contained the rule that generated this log.
  • Page 813: Log Viewer Detail Panes

    Whois tab—Enables you to perform a Whois lookup on an IP address to see what organization has registered a particular address. Quick Reports tab—Enables you to quickly generate a predefined report on a filter criterion in the Log Viewer.
  • Page 814: Figure 105: View Category and Severity Filters

    The Log Viewer can receive thousands or even millions of log entries each day. To quickly locate a specific log entry or logs, use the log searching tools in Table 103 on page 765.
  • Page 815: Table 103: Search Tools for Log Viewer

    The log entry list automatically jumps to the selected date and time (shown by the horizontal red line). Figure 106 on page 766 shows the time slider.
  • Page 816: Figure 106: Log Viewer Time Slider

    Click the In button to select the time block to the right of the currently selected time block. Alternatively, you can use the mouse wheel to adjust the time interval.
  • Page 817: Table 104: Log Viewer Flags

    Within the Log Viewer, you can set a filter on one or more flags. Additionally, within Report Manager, you can generate a report that displays the count of all log entries that contain a specific flag.
  • Page 818: Using the Find Utility

    The following sections detail some common event-based and time-based filters used to manage log entries. Setting a Category Filter Apply a category filter to view log entries within a specific category or subcategory.
  • Page 819: Setting an Alert Filter

    Apply a protocol filter to view log entries for events that use a specific protocol type. To create a protocol filter, right-click the Protocol column header and select Filter > Set Filter. Select the protocol types that you want to use as the filter criteria, then click OK.
  • Page 820: Setting a Domain Filter

    Filtering Log Entries by Range A range filter is a search for log entries whose value in a column falls within a specified range. You can set a range filter for the following columns: Bytes In Bytes Out
  • Page 821: Setting a Bytes In or Bytes Out Range Filter

    To view log entries based on a range of port numbers used in the event, set a range filter on the Dst Port or Src Port column: Right-click the Src Port or Dst Port column header and select Filter > Set Filter. The Dst/Src Port filter appears.
  • Page 822: Customizing Columns

    To hide a column, right-click the column header and select Hide Column. To unhide a hidden column, you must use the Column Settings dialog box. To reorder the column display sequence, drag a column to a new location.
  • Page 823 Src Addr column. To configure the column filters: In the main display area, right-click the Category column header and select Filter > Set Filter. The Category filter dialog box appears.
  • Page 824: Filtering Log Entries by Column

    Before you exit NSM, save the Filter Summary changes that you made in Log Viewer. Figure 108 on page 775 shows the Filter Summary dialog box that you would use to configure filtering by the Device family column.
  • Page 825: Figure 108: Filter Summary Dialog Box

    To clear a single column: Clear the column check box that you do not want to use for filtering log entries, then click OK. To remove all columns: Click the Clear All button.
  • Page 826: Using Log Viewer Integration

    To quickly configure a parameter on an individual device from the Log Viewer, double-click a device in the Device column. NSM displays the device configuration for the device, enabling you to make changes to the device.
  • Page 827: Figure 109: Viewing Summary Panel

    If the attack is irrelevant, you can remove the matching attack object group from the rule that triggered the log entry, or monitor the attack object group using a custom severity setting.
  • Page 828: Using the Log Investigator

    Log Investigator calculations “Excluding Data” on page 788—You can configure the Log Investigator to exclude data for a cell, row, or column in the Log Investigator matrix.
  • Page 829: Figure 110: Log Investigator UI Overview

    Destination Port, Attack Subcategories, or Time Period details for any cell, row, or column. Zoom Chart—Displays a chart of log entry details. You can view Source, Destination, Destination Port, Attack Subcategories, or Time Period details for any cell, row, or column.
  • Page 830 When using a large time interval, the number of matching log entries might exceed the capacity of the Log Investigator (100 log entries), causing a warning message to appear next to the Selected Logs indicator. If you do not make changes to the time interval filter,
  • Page 831: Figure 111: Configure Time Period Filter

    Top Subcategories—The attack subcategory detected in the event. Top Destination Ports—The port numbers on the Destination device that received the event. The port number can help you identify the service used in the event.
  • Page 832: Setting a Log Entry Limit

    As the Log Investigator searches your log database for log entries that match the filter, time period, and data type criteria, it places all matching log entries in the log buffer.
  • Page 833: Table 106: Log Investigator Filters

    Dst Addr Dst Intf Direction Filters Packets In Identifies packets based on the direction they are heading to or from a specified device. Packets Out Packets Total
  • Page 834: Example: Setting Filters in the Log Investigator

    In this example, the Left Axis is set to Top Sources and the Top Axis is set to Top Destinations (these are the default settings). To set a filter that displays all attack category log entries generated by the Top Sources and received by the Top Destinations:
  • Page 835: Figure 113: View Log Investigator Results

    IP address. You might determine that destination 1 is receiving a large number of events from sources A, B, and C. This activity could be a harmless event, such as multiple users attempting to contact a single
  • Page 836: Table 107: Log Investigator Analysis

    Useful for analyzing attack traffic, such as one source generating traffic to multiple destinations. One Row One Column View specific activity between two specific data types. A single cell is selected. Useful for analyzing event traffic between two network components.
  • Page 837: Zoom Details

    Zoom In > Time. In the Zoom area, the left pane displays a table of attacks listed in order (the oldest attack is listed first); the right pane displays a chart using the same information.
  • Page 838: Jumping to the Log Viewer

    The Audit Log Viewer appears as one of the modules in the NSM UI. Select the Audit Log Viewer to display the audit log entry table, device view, and target view, as shown in Figure 114 on page 789.
  • Page 839: Figure 114: Audit Log Viewer UI Overview

    — Audit-log entries from the global domain. Users of the global domain can view all audit-log global entries. Command The command applied to the object or system, for example, sys_logout modify Authorization Status The final access-control status of activities is either success or failure.
  • Page 840: Managing The Audit Log Table

    To select the columns on which you want to filter audit log entries: Select View >Set Filter. From the Filter Summary dialog box, select a column on which you want to filter log entries. Copyright © 2010, Juniper Networks, Inc.
  • Page 841 >= This Value— Displays log entries for events that were generated at or after the time specified in the selected row cell. <= This Value— Displays log entries for events that were generated before or at the time specified in the selected row cell. Copyright © 2010, Juniper Networks, Inc.
  • Page 842: Target View And Device View

    Select a date and time, then click OK to save and apply the time change to the Audit Log Viewer. The Audit Log table now displays only the audit log entries that were generated on or after the date and time you specified. Copyright © 2010, Juniper Networks, Inc.
  • Page 843: Managing Log Volume

    Device Server shuts down automatically. —With this parameter, you can define a threshold for available storageManager.threshold disk space which if breached, causes the Device Server to automatically shut down. The default value is 800 MB. Copyright © 2010, Juniper Networks, Inc.
  • Page 844: Archiving Logs

    Device Server. The restored logs are then available in the Log Viewer and Log Investigator just as they were before archival. Use scp to copy directories from the remote archival location to /usr/netscreen/DevSvr/var/logs/. Analyze the logs using the NSM UI.
  • Page 845: Setting Log Storage Limits

    (scp and sftp). The path on the remote server is stored in the user’s preferences. SCP and SFTP work only with trusted hosts. File Name: One log archive location is applicable throughout the system. The following naming convention is used for storing log files: YYYYMMDD_<No>.tar.gz
  • Page 846: Forwarding Logs

    In the main navigation tree, click Action Manager > Device Log Action Criteria, then click the Add icon. Click the Category drop-down list box and select Info, select the Device Disconnect subcategory, then click OK to save the changes.
  • Page 847: Using The Action Manager To Forward Logs By Domain

    SNMP settings for the management system. To actually export logs to the specified SNMP servers and community, you must select “SNMP Enable” using the Actions tab in the Device Log Action Criteria node.
  • Page 848: Setting Device Log Action Criteria

    (category and severity), and multiple action settings for logs that meet the criteria settings. For example, to only export critical severity attack logs to XML, you create a device log action criteria instance that specifies the log category
  • Page 849 The subDomainName directory must be created manually. The /usr/netscreen/DevSvr/lib/scripts/ directory contains two sample scripts you can use or modify, sample.sh and sample.pl. Action Upon Script Failure—Specify the error handling for the script:
  • Page 850: Using The Log2Action Utility To Export Logs

    For example, if you wanted to view data in the logs of 20060317, run the following command: ./devSvrCli.sh --log2action --filter --log-id 20060317:0-20060317:4294967294 --action --xml --file-path /tmp/newtest.xml If you wanted to view data for all logs from 2006/03/15 to 2006/03/17, run the following command:
  • Page 851: Table 109: Common Filters

    Specify one of the following values: none, info, device_warning_log, minor, major, device_critical_log, emergency, alert, critical, error, warning, notice, informational, or debug. --src-ip: Source IP address <a.b.c.d[/n|-<a.b.c.d>]>. --src-port: Source port <[0-65535][-[0-65535]]>. --time-recv: Time received <<yyyymmdd>:<hhmmss>>-<<yyyymmdd>:<hhmmss>>
  • Page 852 ./devSvrCli.sh --log2action --filter --category implicit,config --action --csv --file-path /tmp/sun.csv --include-header no NOTE: When a filter option includes multiple entries, use a comma-separated list with no space between the entries, as shown in the preceding example.
  • Page 853: Exporting To Xml

    Device Server, use the --category common filter to specify the /usr categories: sh devSvrCli.sh --log2action --category predefined --action --xml --file-path /usr/MyXmlLogRecords/attacks.xml Exporting to CSV: The csv action directs the system to output logs using the CSV format. To export:
  • Page 854: Using Csv Required And Optional Format-Specific Filters

    To export: Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/utils. To export to a file, type: sh devSvrCli.sh --log2action --action --snmp <community> <server>
  • Page 855: Using Snmp Required And Optional Format-Specific Filters

    To export: Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/utils. To export to a file, type: sh devSvrCli.sh --log2action --action --email <sender> <recipient>
  • Page 856: Using E-Mail Required And Optional Format-Specific Filters

    Using Syslog Required and Optional Format-Specific Filters: You can use the following required format-specific filters for exporting to syslog: Syslog Multiple Required Meaning --server Specify syslog server IP address as [IP|FQDN[:<port>]]. Examples: 192.168.1.25:7889 syslog.server@mycompany.com:7889
  • Page 857: Viewing Syslog Format Output

    Log in to the Device Server as root, then change to the utility directory by typing: cd /usr/netscreen/DevSvr/lib. To export to a file, type: sh devSvrCli.sh --log2action --action --script <script-name> <error-handling> The Device Server exports all log records to the specified script.
  • Page 858: Using Script Required And Optional Format-Specific Filters

    Specifies the number of seconds until the action is tried again. --num-retries Specifies the maximum number of retries to attempt before moving on to the next log record. The script format has no optional format-specific filters.
  • Page 859: Reporting

    Use the Report Manager module in Network and Security Manager to generate and view reports summarizing logs and alarms generated by the managed Juniper Networks devices in your network. You can use these reports to track and analyze log incidents, network traffic, and potential attacks.
  • Page 860: Graphical Data Representation

    Central Access to Management Information: For network administrators and security analysts interested in tracking and identifying potential network trends and attacks, Report Manager provides a single graphical view into the network.
  • Page 861: Report Types

    The total number of traffic log entries generated by the managed security devices in your network, within filter constraints. Top Configuration Logs: The total number of configuration log entries generated by the managed security devices in your network, within filter constraints.
  • Page 862: Table 111: Di/Idp Reports

    All attacks prevented during the last 7 days. All Attacks Over Time (last 30 days): All attacks detected during the last 30 days. All Attacks Prevented Over Time (last 30 days): All attacks prevented during the last 30 days.
  • Page 863: Table 112: Screen Reports

    Top Screen Attacks: The most common attacks detected by the firmware on your security device. Screen Attacks by Severity: The number of attacks detected by the firmware on your security device according to severity level.
  • Page 864: Table 113: Administrative Reports

    (devices) for UAC logs: 20 Infranet Enforcer devices that have most frequently appeared on UAC logs over the last 7 days. Top 10 auth failures for user@realm: Ten user authentication failures that have most frequently appeared on UAC logs over the last 24 hours.
  • Page 865: Table 115: Profiler Reports

    Volume over Time (last 1 hour): Five destination IP addresses with the highest volume in bytes in the past hour. SSL/VPN Reports: Table 117 on page 816 lists and describes those reports in NSM that provide information about SSL/VPN session logs.
  • Page 866: Table 117: Ssl/Vpn Reports

    Generating a Predefined Report on page 817 Creating a Custom Report on page 817 Deleting Reports on page 818 Organizing Reports in Folders on page 818 Generating Reports Automatically on page 818 Exporting Reports to HTML on page 822
  • Page 867: Generating A Predefined Report

    NSM creates the new report and displays it in a new folder called My DMZ Reports under My Reports. NOTE: You cannot create a subfolder under the first level of custom report folders.
  • Page 868: Deleting Reports

    NOTE: The preceding configuration must be done from the GUI Server console, not the UI. You can verify the status of an executed report in the Job Manager.
  • Page 869: Running Reports Using The Guisvrcli.sh Utility

    email.sh—This script is called in the guiSvrCli.sh utility and defines how the reports are to be included in the e-mail message. Email.pl—This script is called by email.sh and configures the actual SMTP parameters.
  • Page 870 MTA configuration. If you are using the FTP script to send your reports, you will also need to add values for the remote host, userid, and password for the FTP account in the ftp.sh file.
  • Page 871: Using Cron With Scheduled Reports

    Screen Attacks\” " --script ftp.sh Make the script executable. Make sure the person who creates the cron job can run the script. Run the crontab editor: crontab -e Add the following line: 0 0 * * 1 /usr/netscreen/GuiSvr/utils/reportscript.sh
  • Page 872: Exporting Reports To Html

    You can enter a name for a new report or rename an existing report in the General tab of the Set Report Options window. You can also configure the name of the report displayed in the report graph by editing its title.
  • Page 873: Setting The Report Type

    5; the maximum data point count is 200. Configuring the Chart Type: By default, each report depicts information in a horizontal bar chart. You can also configure the report to depict information using a pie chart.
  • Page 874: Sharing Your Custom Report

    Report Manager uses log data as the basis of all the information presented in each report. Because of this, we recommend that you consider requirements for reporting as you decide how many log entries you want to maintain and store.
  • Page 875: Figure 115: Generating A Quick Report

    From the Quick Report screen, you can further set report options using the pull-down menus provided to define the report. You can then save the report as a custom report. Using Reports: The following examples describe typical use cases for the reports in NSM.
  • Page 876: Figure 116: Logs By User-Set Flag Report

    By setting the duration of the report to one week, you can determine the total number of log entries flagged for investigation, total closed, and total assigned for further analysis. Figure 116: Logs by User-Set Flag Report
  • Page 877: Figure 117: Top Fw/Vpn Rules Report

    IP address incorrectly. Regular review of the "Top FW/VPN Rules" report can help you to update and optimize the rulebases implemented in your security policies.
  • Page 878: Figure 118: Top Configuration Changes Report

    SSL/VPN security devices on your network. You routinely watch for unauthorized users attempting to access your network by tracking authentication failures. To keep watch for potential hackers, you can generate a "Top 10 auth failures for user@realm" report each night.
  • Page 879: Example: Using Screen Reports To Identify Attack Trends

    Log Viewer—Includes logs with destination or source watch lists in a query filter. Log Investigator—Investigates logs with destination or source watch lists as data point sources. Report Manager—Includes custom reports for destination and source watch lists.
  • Page 880 Network and Security Manager Administration Guide Access the Destination Watch List or Source Watch List from Tools > Preferences. For details about creating and configuring watch lists, refer to the Network and Security Manager Online Help.
  • Page 881 PART 5 Appendixes Glossary on page 833 Unmanaged ScreenOS Commands on page 859 SurfControl Web Categories on page 861 Common Criteria EAL2 Compliance on page 869 Log Entries on page 871
  • Page 883: Appendix A Glossary

    To guard against spoofing attacks, configure a security device to check its own route table. If the IP address is not in the route table, the security device denies the traffic.
  • Page 884 Message Access Protocol (IMAP), Simple Mail Transfer Protocol (SMTP), Hypertext Transfer Protocol (HTTP)—including HTTP webmail—and Post Office Protocol version 3 (POP3) traffic. Juniper Networks offers an internal AV scanning solution. Access Point Name. An APN is an IE included in the header of a GTP packet that provides information on how to reach a network.
  • Page 885 The simplest form of authentication requires a username and password to gain access to a particular account. Authentication protocols can also be based on secret-key encryption, such as DES, or on public-key systems using digital signatures.
  • Page 886 OSPF router dynamically detects its neighbor routers by sending Hello packets to the multicast address 224.0.0.5. For broadcast networks, the Hello protocol elects a Designated Router and Backup Designated Router for the network.
  • Page 887: Table 119: Cidr Translation

    BGP AS, you reduce the complexity associated with the matrix of routing connections, known as a mesh, within the AS. Configlet: A configlet is a small, static configuration file that contains information on how a security device can connect to NSM.
  • Page 888 The Device Server is the component of the NSM management system that handles communication between the GUI Server and the device, collects data from the managed devices on your network, formats configuration information sent to your managed device, and consolidates log and event data.
  • Page 889 These messages populate the network, directing routers to rerun their algorithms and change their routing tables accordingly. There are two common forms of dynamic routing: Distance Vector Routing and Link State Routing.
  • Page 890 A filter organizes log entries based on administrator specifications. Firewall: A firewall device that protects and controls incoming and outgoing traffic on network connections. Firewalls protect internal servers from damage (intentional or otherwise) and enable authorized external access.
  • Page 891 Groups enable you to execute certain NSM operations on multiple security devices at the same time. GPRS Roaming Exchange. Global System for Mobile Communications. GPRS Tunneling Protocol.
  • Page 892 In OSPF, the maximum amount of time between instances of initiating Shortest Path First (SPF) computations. In BGP, the maximum amount of time that elapses between message transmissions between a BGP speaker and its neighbor.
  • Page 893 The policy management component of Juniper Networks UAC solution. Infranet Enforcer: The policy enforcement point or firewall within a Juniper Networks UAC solution. Internet Control Message Protocol: ICMP is a network-layer protocol that does not carry user data, but does encapsulate its messages in IP datagrams.
  • Page 894 The Job Manager is a module of the NSM User Interface. Job Manager tracks the progress of the command as it travels to the device and back to the management server. JSRP: Junos Services Redundancy Protocol—A process that controls chassis clustering of Junos devices.
  • Page 895 Lockout is an object state during which the object cannot be edited. Log: A Log is a grouping of log entries. Log Category: A log category defines the log type (alarm, config, traffic, and so on).
  • Page 896 The metric value for connected routes is always 0. The default metric value for static routes is 1, but you can specify a different value when defining a static route. Mobile Network Code.
  • Page 897 Internet, eliminating the need to use a registered IP address for every machine in your network. NSAPI: Network Service Access Point Identifier. NSGP: NetScreen Gatekeeper Protocol. NSM Administrator: The NSM administrator is the person who uses the NSM User Interface to manage their devices.
  • Page 898 Joins two routers over a Wide Area Network (WAN). An example of a point-to-point network is two security devices connected via an IPSec VPN tunnel. On point-to-point networks, the OSPF router dynamically detects neighbor routers by sending Hello packets to the multicast address 224.0.0.5.
  • Page 899 Typically, you use a VPN to enable RAS, then add RAS users to the VPN. Real Time Streaming Protocol (RTSP): RTSP is an application layer protocol for controlling the delivery of a stream of real-time multimedia content.
  • Page 900 If the route map entry is not a match, then the next entry is evaluated for matching criteria. Route Redistribution: Route redistribution is the exporting of route rules from one virtual router to another.
  • Page 901 Secure Access Device: A Juniper Networks SSL VPN appliance. Secure Copy (SCP): A method of transferring files between a remote client and a security device using the SSH protocol.
  • Page 902 (It is generally regarded as more secure than MD5 because of the larger hashes it produces.) Shared Objects: A shared object is an object that can be shared across domains. Short Frame: A short frame contains less than 64 bytes of data.
  • Page 903 The super administrator is the default administrator for all domains. The superadmin has immutable powers. You cannot change or delete permissions for the super administrator; you can, however, change the password for the super administrator.
  • Page 904 Trojan: A trojan is a program with hidden functionality. Trojans often install a remote administration program (known as a backdoor) that enables attackers to access the target system.
  • Page 905 One of two predefined zones that enables packets to be seen by devices external to your current domain. User: A user is a person using the network your security devices are protecting. NSM supports two types of users: local users and external users.
  • Page 906 A virtual system is a subdivision of the main system that appears to the user to be a standalone entity. Virtual Systems reside separately from each other. Each one can be managed by its own Virtual System Administrator.
  • Page 907 A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or a logical entity that performs a specific function (a function zone).
  • Page 909: Table 120: Unmanaged Commands For Firewall/Vpn Devices

    (although future versions of NSM may support these commands). To use an unmanaged device command, you must connect locally to the Juniper Networks security device. Table 120 on page 859 details each unmanaged command.
  • Page 910 These commands create, remove, or display entries in the internal user authentication database. vr nsrp-config-sync This command unsets synchronization for a specific virtual router in an NSRP cluster.
  • Page 911: Table 121: Surfcontrol Web Categories

    Jokes, comics, comic books, comedians or any site designed to be funny or satirical Circuses, theatre, variety magazines, and radio Broadcasting firms and technologies (satellite, cable) Book reviews and promotions, publishing houses, and poetry Museums, galleries, artist sites (included sculpture, photography)
  • Page 912 General finances and companies that advise thereof. Accountancy, actuaries, banks, mortgages, and general insurance companies. Food and Drink: Recipes, cooking instruction and tips, food products, and wine advisors; restaurants, cafes, eateries, pubs, and bars; food/drink magazines, reviews.
  • Page 913 Sites that provide instruction or work-arounds for our filtering software Cracked software and information sites Pirated software and multimedia download sites Sites that provide or promote parasites, including Spyware, Adware and other unsolicited commercial software
  • Page 914 Web sites that host business and individuals’ web pages (such as GeoCities, earthlink.net, AOL). Job Search and Career Development: Employment agencies, contractors, job listings, career information; career searches, career-networking groups. Kid's Sites: Child oriented sites and sites published by children.
  • Page 915 Discussion sites on how to talk to your partner about diseases, pregnancy and respecting boundaries NOTE: Not included in the category are commercial sites that sell sexual paraphernalia. These sites are typically found in the Adult category. Search Engines: General search engines (Yahoo, AltaVista, Google).
  • Page 916 Sites promoting terrorism Excessively violent sports or games Offensive or violent language or satire NOTE: We do not block news, historical, or press incidents that may include the above criteria (except in graphic examples).
  • Page 917 Clubs which offer training on machine guns, automatics and other assault weapons and/or sniper training NOTE: Weapons are defined as something (as a club, knife, or gun) used to injure, defeat, or destroy. Web-based E-mail: Web-based e-mail accounts; messaging sites.
  • Page 919: Appendix D Common Criteria Eal2 Compliance

    This appendix describes actions required for a security administrator to properly secure the Network and Security Manager (NSM) system and NSM User Interface to be in compliance with the Common Criteria EAL2 security target for Juniper Networks IDP 4.0 functionality.
  • Page 921: Appendix E Log Entries

    Attacks > Critical > 00432; Block ZIP component: Attacks > Critical > 00431; Destination IP session limit: Attacks > Critical > 00430; ICMP Flood Attack: Attacks > Alert > 00011; IDS ICMP Fragment: Attacks > Critical > 00422
  • Page 922 Attacks > Critical > 00439; Source IP session limit: Attacks > Critical > 00033; Tear Drop Attack: Attacks > Emergency > 00006; UDP Flood Attack: Attacks > Alert > 00012; VPN Replay Detected: IKE > Critical > 00042
  • Page 923: Table 123: Alarm Log Entries

    NSRP IP DUP Master: High Availability > 00015; NSRP RTO DOWN: High Availability > 00015; NSRP RTO Duplicate: High Availability > 00015; NSRP RTO UP: High Availability > 00015; NSRP Status: High Availability > Critical > 00015
  • Page 924: Deep Inspection Alarm Log Entries

    VPN Down: VPN > Critical > 00041; VPN Up: VPN > Critical > 00040. Deep Inspection Alarm Log Entries: The Deep Inspection Alarm category contains the subcategories shown in Table 124 on page 875:
  • Page 925: Table 124: Deep Inspection Alarm Log Entries

    Yahoo! Messenger encrypted password is 1024. CHAT:MSN:ACCESS (info; sos5.1.0): This signature detects MSN Messenger chat using the specified content type "text/plain" on port 1863 (default port of MSN Messenger).
  • Page 926 (such as SMTP queries) may trigger this anomaly. DNS:EXPLOIT:POINTER-LOOP (high; sos5.0.0, sos5.1.0): This protocol anomaly is a DNS message with a set of DNS pointers that form a loop. This may indicate a denial-of-service (DoS) attempt.
  • Page 927 DNS:OVERFLOW:TOO-LONG-TCP-MSG (high; sos5.1.0): This protocol anomaly is a DNS TCP-based request/reply that exceeds the maximum length specified in the message header. This may indicate a buffer overflow or an exploit attempt.
  • Page 928 TCP/8000. DOS:NETDEV:WEBJET-FW-INFOLEAK (medium; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a vulnerability in HP Web JetAdmin service. Web JetAdmin version 6.5 is vulnerable. Attackers may access sensitive configuration information.
  • Page 929 FTP server's /bin directory. Successful exploitation of this vulnerability may result in the attacker being able to execute arbitrary code on the victim ftp server, including the reading of sensitive files outside of the ftp server's path.
  • Page 930 (critical; sos5.0.0, sos5.1.0) This signature detects buffer overflow attempts against the FTPD that ships with early versions of FreeBSD 4.x and OpenBSD 2.8. FTPD 6.00LS and 6.5/OpenBSD versions are vulnerable. Attackers may gain local host access and root permissions.
  • Page 931 FTP:OVERFLOW:USERNAME-2-LONG (high; sos5.0.0, sos5.1.0): This protocol anomaly is a username in an FTP connection that exceeds the length threshold. This may be an attempt to overflow the server.
  • Page 932 Attackers may send a pathname to the 'MKD' command to gain remote root access. FTP:PROFTP:PPC-FS1 (critical; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a format string vulnerability in ProFTPD. Versions 1.2pre6 and earlier are vulnerable. Attackers may overflow the PWD command.
  • Page 933 (sos5.1.0) "root" account. This may indicate an attacker trying to gain root-level access, or it may indicate poor security practices. FTP typically uses plain-text passwords, and using the root account to FTP could expose sensitive data over the network.
  • Page 934 File Transfer Protocol (FTP) services for UNIX and Linux systems. Wu-ftpd version 2.5.0 and earlier are vulnerable. Attackers may send a maliciously crafted FTP pathname to overflow a buffer in realpath() and execute arbitrary commands with administrator privileges.
  • Page 935 2.0.38 and prior are vulnerable. Apache improperly calculates required buffer sizes for chunked encoded requests due to a signed interpretation of an unsigned integer value. The worm sends POST requests containing malicious chunked encoded data to exploit the Apache daemon.
  • Page 936 'HTTP/...'. This may indicate command line access to an HTTP server. HTTP:AUDIT:UNKNWN-REQ (info; sos5.1.0): This protocol anomaly is an unknown HTTP request. Known requests are OPTION, GET, HEAD, POST, PUT, DELETE, TRACE, and CONNECT.
  • Page 937 HTTP:CGI:BUGZILLA-SEMICOLON (high; sos5.0.0, sos5.1.0): This signature detects shell access attempts to exploit the process_bug.cgi script vulnerability in Bugzilla. Attackers may send a semicolon as an argument to the script, followed by arbitrary shell commands.
  • Page 938 HTTPd process. HTTP:CGI:TECHNOTE-MAIN-DCLSR (medium; sos5.0.0, sos5.1.0): This signature detects directory traversal attempts that exploit the main.cgi script in TECH-NOTE 2000. Because the script validates input incorrectly, attackers may remotely access arbitrary files from the server.
  • Page 939 CONNECT method to access other servers and launch further attacks. HTTP:CISCO:IOS-ADMIN-ACCESS (critical; sos5.0.0, sos5.1.0): This signature detects attempts to exploit a vulnerability in Cisco IOS. Attackers may remotely gain full administrative access to the router.
  • Page 940 HTTP:EXPLOIT:AMBIG-CONTENT-LEN (sos5.0.0, sos5.1.0): This protocol anomaly is an HTTP request that has a Content-Length and Transfer-Encoding header. RFC-2616#4.4 specifies that only one of these two headers should be used in an HTTP request.
  • Page 941 User involvement is required to activate GRP files; typically they are attached or linked to a harmless-appearing e-mail message.
  • Page 942 URL request. HTTP:IIS:BAT-& (high; sos5.0.0, sos5.1.0): This signature detects attempts to execute a command by specifying a .bat or .cmd extension to a Microsoft Windows Web server.
  • Page 943 (DoS) (sos5.1.0). HTTP:IIS:MDAC-RDS (high; sos5.0.0, sos5.1.0): This signature detects attempts to exploit the Microsoft Data Access Components (MDAC) Remote Data Services (RDS) component. Attackers may access files and other services.
  • Page 944 (critical; sos5.1.0) This signature detects buffer overflow attempts against Microsoft IIS WebDAV. Attackers may send a maliciously crafted WebDAV URL request that contains 65535 or 65536 bytes to the Web server to execute arbitrary code as the system account.
  • Page 945 This signature detects attempts to exploit a vulnerability in Vignette Story Server. Vignette Story Server versions 4.1 and 6 are vulnerable. Attackers may expose information about user sessions, server side code, and other sensitive information.
  • Page 946 WG602 using an undocumented administrator username/password that cannot be changed or disabled. Attackers can modify any setting on the WG602 to perform a denial-of-service (DoS) on the Netgear device or circumvent other access control protocols.
  • Page 947 GET request to the Web server daemon to overflow the buffer. HTTP:OVERFLOW:AUTHORIZATION (medium; sos5.1.0): This protocol anomaly is an HTTP authorization header that exceeds the user-defined maximum. The default length is 128.
  • Page 948 The default length is HTTP:OVERFLOW:HTTPA-OF1 (high; sos5.1.0): This signature detects buffer overflow attacks against the HTTPa daemon. Attackers may send a maliciously crafted HTTP GET request to the host to overflow the buffer.
  • Page 949 (high; sos5.1.0) This signature detects attempts to exploit a remote file inclusion vulnerability in AlexPHP. Attackers may send a maliciously crafted HTTP request to execute PHP code from a remote server on the host running AlexPHP.
  • Page 950 URL to cause the Web server to download PHP code from a remote server, allowing the attacker to execute arbitrary code with the permissions of the user that is running the Web server daemon. Copyright © 2010, Juniper Networks, Inc.
  • Page 951 Attackers may send a maliciously crafted request that supplies SQL commands to the pm_sql_user parameter, changing database values and escalating client privileges. Copyright © 2010, Juniper Networks, Inc.
  • Page 952 2.2.1 and other versions are vulnerable. Attackers may send a malicious HTTP request to force the pMachine Web server to execute PHP code from a remote server; commands are executed with web server privileges. Copyright © 2010, Juniper Networks, Inc.
  • Page 953 CRM system. A vulnerability exists in the sos5.1.0 header.php that holds zenTrack configuration settings. It allows remote command execution as the webserver process privilege. This applies to zenTrack 2.4.1 and below. Copyright © 2010, Juniper Networks, Inc.
  • Page 954 Attackers may send a maliciously crafted HTTP GET request to the Web server to crash the server and create a DoS. HTTP:SPYWARE:DOWNLOAD-ACCEL This signature detects the use of Download Accelerator, a info sos5.1.0 spyware application. Copyright © 2010, Juniper Networks, Inc.
  • Page 955 This signature detects a maliciously crafted PDF file high sos5.1.0 downloaded via HTTP. Attackers may insert certain shell metacharacters at the beginning of a uuencoded PDF file to force Adobe Acrobat to execute arbitrary commands upon loading the file. Copyright © 2010, Juniper Networks, Inc.
  • Page 956 HTTP. Users may use proxy connections over the HTTP port to circumvent firewall policies. HTTP:TUNNEL:CHAT-MSN-IM This signature detects MSN Instant Messenger over HTTP. info sos5.1.0 Users may use proxy connections over the HTTP port to circumvent firewall policies. Copyright © 2010, Juniper Networks, Inc.
  • Page 957 IBM WebSphere Edge Server. Version 2.0 is vulnerable. Attackers may send a maliciously crafted HTTP GET request that does not have a proper version identifier to crash the proxy service and render the proxy unusable. Copyright © 2010, Juniper Networks, Inc.
  • Page 958 (DELE) to overflow the buffer and take complete control of the server. IMAP:OVERFLOW:COMMAND This protocol anomaly is an IMAP command that is too long. high sos5.0.0, This may indicate a buffer overflow attempt. sos5.1.0 Copyright © 2010, Juniper Networks, Inc.
  • Page 959 This protocol anomaly is a DCOM servername that is longer critical sos5.1.0 than 32 octets in unicode. MS-RPC:EPDUMP-SCAN This anomaly detects a client enumerating MSRPC endpoints sos5.1.0 on a windows server. This may indicate a probing scan prior to a more sophisticated attack. Copyright © 2010, Juniper Networks, Inc.
  • Page 960 This protocol anomaly is an MSRPC connectionless message high sos5.1.0 with a fragment length that conflicts with the common header length and the whole message length. MS-RPC:ERR:RESPONSE-NO-REQ This protocol anomaly is an MSRPC response that precedes medium sos5.1.0 the request. Copyright © 2010, Juniper Networks, Inc.
  • Page 961 However, because system administrators also use the SAMR service legitimately, this signature may also detect non-malicious activity. Copyright © 2010, Juniper Networks, Inc.
  • Page 962 0xff 'S' 'M' 'B'. NETBIOS:NBDS:OVERFLOW:MSG This protocol anomaly is a Netbios datagram that is bigger high sos5.1.0 than 1064. NETBIOS:NBDS:OVERFLOW:NAME This protocol anomaly is a Netbios name that is longer than high sos5.1.0 255. Copyright © 2010, Juniper Networks, Inc.
  • Page 963 This protocol anomaly is Netbios name response with an high sos5.1.0 RCODE that indicates the request has an invalid format. NETBIOS:NBNS:S2C_QUERY This protocol anomaly is a Netbios name response header medium sos5.1.0 with an OPCODE field that contains an unset response bit. Copyright © 2010, Juniper Networks, Inc.
  • Page 964 The default line length is 256. P2P:AUDIT:GNUTELLA-RTABLE-UPD This protocol anomaly is a Gnutella ROUTE_TABLE_UPDATE info sos5.1.0 message with a payload length of 0 bytes. Copyright © 2010, Juniper Networks, Inc.
  • Page 965 MLDonkey, a multi-protocol P2P file sharing application. P2P:SKYPE:VERSION-CHECK This signature detects a Skype client request (to a central info sos5.1.0 server) that checks for the latest version of the client software. Copyright © 2010, Juniper Networks, Inc.
  • Page 966 .adp and were received via POP3. Because .ADPs (Microsoft Access Project) files can contain macros, this may indicate an incoming e-mail virus. Attackers may create malicious scripts, tricking users into executing the macros and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 967 '.exe' sent via POP3. This may indicate an incoming e-mail virus. EXEs (Executable files) contain one or more scripts. Attackers may create malicious executables, tricking the user into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 968 .isp and were received via POP3. Because .ISPs (Internet Communication Settings) files contain configuration parameters, this may indicate an incoming e-mail virus. Attackers may include malicious configurations, tricking users into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 969 .msp received via POP3. This may indicate an incoming e-mail virus. .MSPs (Microsoft Windows Installer Patch) contain executable code. Attackers may create malicious executables, tricking the user into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 970 .vb received via POP3. This may indicate an incoming e-mail virus. .VBs (VBScript File) contain scripts. Attackers may create malicious scripts, tricking the user into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 971 Because Zip files are frequently used for non-malicious purposes, this signature can generate false positives. As a general network security precaution, ensure that all users are aware of the dangers of sending and receiving binary files in e-mail attachments. Copyright © 2010, Juniper Networks, Inc.
  • Page 972 Qpopper, a POP3 server for Unix. Qpopper 3.0beta20 and sos5.1.0 earlier versions are vulnerable. POP3:OVERFLOW:QPOP-OF2 This signature detects a buffer overflow attempt to exploit critical sos5.0.0, a vulnerability in Qpopper. Version 3.0beta30 and many sos5.1.0 earlier versions are vulnerable. Copyright © 2010, Juniper Networks, Inc.
  • Page 973 Microsoft IIS 4.0 and 5.0. Attackers may send sos5.1.0 maliciously crafted HTR requests (.htr) with long variable names to overflow the buffer in the ism.dll ISAPI extension that implements HTR scripting and create a denial of service or execute arbitrary commands. Copyright © 2010, Juniper Networks, Inc.
  • Page 974 Vulnerability scanners and programs like enum that perform dictionary based or password-guessing attacks will likely trigger this attack. SMB:ERROR:INV-MSG-LEN This protocol anomaly is an invalid session message length high sos5.1.0 in an SMB message. Copyright © 2010, Juniper Networks, Inc.
  • Page 975 Malicious users can send "get", "put", and "dir" commands to a Samba server to access files outside the shared directories. SMB:EXPLOIT:WINBLAST-DOS Microsoft Windows Samba File Sharing Resource Exhaustion medium sos5.1.0 Vulnerability Copyright © 2010, Juniper Networks, Inc.
  • Page 976 SMTP server SMTP:AUDIT:TEXT-LINE This protocol anomaly is a text line (in the data section) in info sos5.1.0 an SMTP connection that is too long. This may indicate a buffer overflow attempt. Copyright © 2010, Juniper Networks, Inc.
  • Page 977 SMTP e-mail message by exploiting the pipe sos5.1.0 passthrough vulnerability. Attackers may use the invalid "mail from |" as the return e-mail address to cause Sendmail to reroute data to another program. Copyright © 2010, Juniper Networks, Inc.
  • Page 978 (HSC) when invoked with an hcp:// URL. By embedding a quote (") character in the URL, HSC can be instructed to load an arbitrary local file or remote web page, which can then be used to execute scripts in the local zone. Copyright © 2010, Juniper Networks, Inc.
  • Page 979 This signature detects e-mail attachments with the medium sos5.1.0 extension '.cmd' sent via SMTP. This may indicate an incoming e-mail virus. CMD files contain commands that when executed can cause significant damage to a windows system. Copyright © 2010, Juniper Networks, Inc.
  • Page 980 .inf and were sent via SMTP. Because .INFs (Setup Information) files contain scripts, this may indicate an incoming e-mail virus. Attackers may create malicious scripts, tricking users into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 981 Microsoft Common Console Document) files can contain configuration information, this may indicate an incoming e-mail virus. Attackers may change the configuration to point to a dangerous command, tricking users into executing the files and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 982 .sct sent via SMTP. This may indicate an incoming e-mail virus. .SCTs (Windows Script Component) contain scripts. Attackers may create malicious scripts, tricking the user into executing the file and infecting the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 983 This vulnerability is present in Microsoft Windows 2000 Service Pack 2 and later. It is also present in Microsoft Windows XP Service Pack 1. Copyright © 2010, Juniper Networks, Inc.
  • Page 984 URL that is included in an e-mail; when the URL is viewed, these control characters prevent Outlook Express and Internet Explorer from displaying the complete URL, which may have malicious content. Copyright © 2010, Juniper Networks, Inc.
  • Page 985 SMTP:OVERFLOW:EMAIL-USERNAME This protocol anomaly is a user name within an e-mail high sos5.0.0, address (for example, root in root@localhost.localdomain) sos5.1.0 that is too long. This may indicate a buffer overflow attempt. Copyright © 2010, Juniper Networks, Inc.
  • Page 986 Sendmail. Sendmail versions 5.79 to 8.12.7 are vulnerable. sos5.1.0 Attackers may include multiple empty address containers in an SMTP header field to overflow the SMTP header buffer and force Sendmail to execute arbitrary code on the host. Copyright © 2010, Juniper Networks, Inc.
  • Page 987 Sendmail versions 8.12.8 and earlier. Under certain sos5.1.0 conditions, the Sendmail address parser does not perform sufficient bounds checking when converting char to int. Attackers may use this exploit to gain control of the server. Copyright © 2010, Juniper Networks, Inc.
  • Page 988 Microsoft Outlook database, and sends infected messages containing a Dutch phrase to all addresses found. VIRUS:POP3:EICAR-ATTACHMENT This signature detects the EICAR antivirus test file sent as info sos5.1.0 an e-mail attachment. Copyright © 2010, Juniper Networks, Inc.
  • Page 989 Microsoft Outlook database and send infected files to up to 60 addresses found. This virus also install the file script.ini to the m IRC directory and use dcc to send irok.exe to IRC clients who join the channel. Copyright © 2010, Juniper Networks, Inc.
  • Page 990 Outlook preview pane; once triggered, the CHM file runs myromeo.exe in the background. Myromeo.exe obtains e-mail addresses from the Microsoft Outlook database, sends infected e-mail messages to all addresses found, and edits the Window directory file hh.dat. Copyright © 2010, Juniper Networks, Inc.
  • Page 991 "friendly" message featuring Pikachu while it overwrites the Autoexec.Bat file to delete most Microsoft Windows 9x system files upon reboot. Pikachu then obtains e-mail addresses from Microsoft Outlook database and sends infected messages to all addresses found. Copyright © 2010, Juniper Networks, Inc.
  • Page 992 The Fly then copies MSJSVM.JS to the Windows system directory and edits the Registry to run this JavaScript upon reboot. The virus also obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found. Copyright © 2010, Juniper Networks, Inc.
  • Page 993 Registry to run the virus on reboot. When activated, it obtains e-mail addresses from the Microsoft Outlook database and sends infected messages to all addresses found, overwrites mIRC and Pirch setup files, and sends infected messages via IRC. Copyright © 2010, Juniper Networks, Inc.
  • Page 994 This signature detects e-mail attachments that contain two high sos5.1.0 file extensions. Attackers or viruses may send e-mail attachments that use two file extensions to disguise the actual file name and trick users into opening a malicious attachment. Copyright © 2010, Juniper Networks, Inc.
  • Page 995 This signature detects e-mail attachments with one of the medium sos5.1.0 following file name sent via SMTP: approved.pif, application.pif, doc_details.pif, movie28.pif, password.pif, ref-39xxxx.pif, screen_doc.pif, screen_temp.pif, _approved.pif. This may indicate the SOBIG e-mail virus is attempting to enter the system. Copyright © 2010, Juniper Networks, Inc.
  • Page 996 IP addresses. Code Red also checks the host system time; on the 20th of each month (GMT), all infected systems send 100k bytes of data to TCP/80 of www.whitehouse.gov, causing a denial-of-service (DoS). Copyright © 2010, Juniper Networks, Inc.
  • Page 997 This signature detects WebDAV overflows, which can high sos5.0.0, indicate an infection attempt by the Nachi worm (D variant). sos5.1.0 Nachi.D, a worm, typically attempts to infect the target host by exploiting several vulnerabilities. Copyright © 2010, Juniper Networks, Inc.
  • Page 998 SMTP or POP3 server; adding files to a system configured to allow Windows file shares; or posting an infected HTML e-mail to the Web server where it can be accessed via HTTP. Copyright © 2010, Juniper Networks, Inc.
  • Page 999: Table 125: Configuration Log Entries

    The Configuration category contains the subcategories shown in Table 125 on page 949.

    Table 125: Configuration Log Entries

    Configuration Log Entry   Subcategories               ScreenOS Message ID
    Address                   Addresses > Notification    00001
    Admin                     Admin > Notification        00002

  • Page 1000 (Table 125, continued)

    Configuration Log Entry   Subcategories               ScreenOS Message ID
                              Policies > Notification     00018
                              HDLC > Notification         00042
    PPPoE                     PPPoE > Notification        00034
                              RIP > Notification          00045
    Route                     Route > Notification        00011
    Route Map                 Route > Notification        00048