Juniper NETWORK AND SECURITY MANAGER 2010.4 - INSTALLATION GUIDE REV1 Installation Manual


Juniper Networks Network and Security Manager Installation Guide
Release 2010.4
Published: 2010-11-17
Revision 1
Copyright © 2010, Juniper Networks, Inc.


Summary of Contents for Juniper NETWORK AND SECURITY MANAGER 2010.4 - INSTALLATION GUIDE REV1

  • Page 1 Juniper Networks Network and Security Manager Installation Guide Release 2010.4 Published: 2010-11-17 Revision 1 Copyright © 2010, Juniper Networks, Inc.
  • Page 2 Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
  • Page 3 REGARDING LICENSE TERMS. 1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable...
  • Page 4 Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license. Copyright © 2010, Juniper Networks, Inc.
  • Page 5 (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA http://www.gnu.org/licenses/gpl.html...
  • Page 7: Table of Contents

    Upgrade Installation ... 16
  • Page 8 Restoring Connections ... 75
  • Page 9 Preparing a Solaris Server for NSM ... 140
  • Page 10 Setting Core File Naming on Solaris ... 177
  • Page 11 Error Log ... 205
  • Page 12 Index ... 219
  • Page 13 Figure 13: NSM Management System ... 194
  • Page 15 Appendix A Technical Overview of the NSM Architecture ... 193
  • Page 16 Table 38: Device Server Settings ... 214
  • Page 17: About This Guide

    All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples. Table 1 on page xviii defines notice icons used in this guide.
  • Page 18: Table 1: Notice Icons

    The angle bracket (>) indicates navigation paths through the UI by clicking menu options and links, for example Object Manager > User Objects > Local Objects. Table 3 on page xix defines syntax conventions used in this guide.
  • Page 19: Documentation

    Network and Security Manager Configuring ScreenOS Devices Guide: Provides details about configuring device features for all supported ScreenOS platforms. Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide: Provides details about configuring device features for all supported Intrusion Detection and Prevention (IDP) platforms.
  • Page 20: Requesting Technical Support

    Series Devices Guide. Requesting Technical Support: Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
  • Page 21: Self-Help Online Tools and Resources

    7 days a week, 365 days a year. Self-Help Online Tools and Resources: For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: Find CSC offerings: http://www.juniper.net/customers/support/...
  • Page 23: Network and Security Manager Installation Procedures

    Installing NSM in a Distributed Configuration on page 49; Installing NSM with High Availability on page 71; Upgrading to NSM 2010.4 from an Earlier Version on page 131; Upgrading NSM Appliances to NSM 2010.4 on page 155; Maintaining NSM on page 171.
  • Page 25: Introduction

    NSM management system. The management system installer is a shell archive script that you can run on any of the following dedicated platforms that meets minimum requirements: Solaris 10 (for SPARC)
  • Page 26: User Interface Installation Process

    All the software files required to install NSM are located on the NSM installation CD or on the Internet at the Juniper Networks corporate support web site. We recommend you download these files to the computers on which you plan to install NSM before you begin the installation process.
  • Page 27: Minimum System Requirements

    40 GB disk space (minimum); 80 GB disk space (recommended). By directory: /usr, 7 GB minimum; /var, 10 GB minimum; /tmp, 2 GB minimum. Network connection: 100 Mbps (minimum) Ethernet adapter; higher speeds are recommended.
  • Page 28: Table 7: Minimum System Requirements - Management System on Separate

    Other: Each server must be dedicated to running NSM. NSM should not be installed on a virtual system such as VMware and Microsoft VM Server due to high system I/O requirements.
  • Page 29: System Requirements - User Interface

    Failure tolerance: The effect on the organization upon failure of an NSM component and the downtime during repair. You can increase fault tolerance by installing a standby management system on a single server for smaller installations, or on distributed servers for larger installations.
  • Page 30: Standalone Configuration

    For large enterprise networks that generate and store many traffic logs, we recommend that you install the GUI Server and Device Server on separate servers. The distributed system enables greater processing power per service. In addition, a failure of the GUI
  • Page 31: Simple High Availability Configuration

    For more information about installing the management system for high availability, see “High Availability Overview” on page 71. Other Configuration Options: In addition to scale and fault tolerance, other configuration options include:
  • Page 32: Local/Remote Database Backup

    Statistical Report Server database and web server. If you choose to do so, the installer script prompts you to configure the following additional parameters enabling the management system to work with the NetScreen-Statistical Report Server database: database type; database server IP address; database port.
  • Page 33: Device Server Database

    NSM, there are four main options for configuring the management system depending upon the size and requirements of your specific network: Standalone, Distributed, Simple HA, or Extended HA configuration.
  • Page 34: Installing NSM in a Standalone Configuration

    “Maintaining NSM” on page 171: Includes specific information describing how to maintain, control, back up/restore, and uninstall the management system and User Interface. For installation instructions for the NSM appliances, see the NSMXpress and NSM3000 User Guide.
  • Page 35: Generating the NSM License Key File

    ID. Procedures provided in the following sections use the Installer to generate the installation ID. Alternatively, you can download a utility from the Juniper Networks Software Download site for generating the installation ID. Installing NSM for the First Time on page 13...
  • Page 36: NSM Trial Licenses

    Depending on the package you purchased, Juniper Networks provides an authorization code by e-mail. If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key file.
  • Page 37: Upgrading to an NSM Release That Requires a License

    The serial number of your software is printed on the paper license certificate given to you when you purchased NSM. If you do not have the software serial number or the LMS System fails to recognize the serial number, call Juniper Networks Customer Service.
  • Page 38: Generating the License Key for an NSM Appliance Upgrade Installation

    Depending on the package you purchased, Juniper Networks provides an authorization code via e-mail. If you received a paper license certificate, and are managing more than 25 devices, call Juniper Networks Customer Service. Customer Service will validate your purchase and generate a license key.
  • Page 39: Example of an NSM License File

    The serial number of your software is printed on the paper license certificate given to you when you purchased NSM. If you do not have the software serial number or the LMS System fails to recognize the serial number, call Juniper Networks Customer Service.
  • Page 40: Installing the License Key File in Various Configurations

    “Maximum number of supported devices is reached.” You are not allowed to add devices after reaching the license limit. You must purchase an upgrade before adding more devices.
  • Page 41: Licensing FAQ

    ... file? For new installations, see “Installing NSM for the First Time” on page 13. For upgrades, see “Upgrading to an NSM Release that Requires a License” on page 15. I don't have an NSM serial number available. What do I do? Call Juniper Networks Customer Service.
  • Page 43: Installing NSM in a Standalone Configuration

    Define system parameters that you need to provide during the installation process. Perform prerequisite steps. Download the management system and user interface installer software from the NSM installation CD, or from the Juniper Networks website. Alternatively, you can
  • Page 44: Defining System Parameters

    By default, the Device Server stores data in: /var/netscreen/DevSvr/ CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.
  • Page 45 Configuration file management user and password: Configures a user and password for NSM to perform configuration file management operations, and a corresponding UNIX user and password. The NSM and UNIX passwords must be identical.
  • Page 46: Prerequisite Steps

    Device Server. You must specify a port number, superuser name and password. By default, the Postgres Database uses port 5432; the superuser is “nsm”. Prerequisite Steps: Before you install the management system, you need to perform the following prerequisite steps:
  • Page 47: Running the System Update Utility

    Running the System Update Utility: Use the system update utility to upgrade your system with the latest patches and packages required to run the NSM management system installer properly. To run the system update utility:
  • Page 48: Configuring Shared Memory Size

    On Solaris systems, you can do this by adding/updating the following in /etc/system:
    set shmsys:shminfo_shmmax=402653184
    set shmsys:shminfo_shmmin=1
    set shmsys:shminfo_shmmni=256
    set shmsys:shminfo_shmseg=256
    set semsys:seminfo_semmap=256
    set semsys:seminfo_semmni=512
    set semsys:seminfo_semmns=512
    set semsys:seminfo_semmsl=32
    On Linux systems, you can do this by adding/updating the following line in /etc/sysctl.conf
  • Page 49: Establishing a Trust Relationship

    For example, to test SSH connectivity from NSM Server1 to the remote machine, enter the following command: ssh root@<IP ADDRESS of remote machine> Change the permissions of the .ssh directory on each machine to owner-only, using the following command:
  • Page 50: Preparing a Solaris Server for NSM

    DVD (in this example, /solaris) and issue the following commands:
    /usr/sbin/pkgadd -d /solaris/Solaris_10/Product SUNWladm
    /usr/sbin/localeadm -a en_US -d /solaris/Solaris_10/Product
    Edit the file /etc/default/init to include the following lines:
    LC_COLLATE=en_US.UTF-8
    LC_CTYPE=en_US.UTF-8
    LC_MESSAGES=C
    LC_MONETARY=en_US.UTF-8
  • Page 51: Installing NSM 2010.4

    Load the installer software onto the server where you have decided to use NSM 2010.4. You can run the installer directly from the NSM installation CD, copy the installer to a directory on the server, or download the installer from the Juniper Networks Customer Services online website.
  • Page 52 Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers ########## EXTRACTING PAYLOADS ########## Extracting and decompressing payload......ok Extracting license manager package......ok ########## GATHERING INFORMATION ##########
  • Page 53 “Generating the License Key for an NSM Software-Only Installation” on page 14. b. Enter the license key file path. The installer validates the license key file.
  • Page 54 NSM using the NSM user interface (UI). This account authenticates communication between the management system and the NSM UI. It possesses all administrative privileges by default. Type any text string longer than eight characters for the password. Type the password again for verification.
  • Page 55 If you specify that you want to perform automatic backups, the installer prompts you to configure options for the backup operation: NOTE: If you want to specify remote backup, you must allow local backup.
  • Page 56 Verify your settings. If they are correct, enter y to proceed. If you enter n, the installer returns you to the original selection prompt. The installer performs the following actions: Installs the Device Server. Installs the GUI Server.
  • Page 57: Typical Output for a Standalone Installation

    Checking if iptables is running......ok Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers ########## EXTRACTING PAYLOADS ########## Extracting and decompressing payload......ok Extracting license manager package......ok
  • Page 58 Enter the https port for NBI service [8443]> Setting GUI Server address and port to 10.157.48.108:7801 for Device Server Please enter a password for the 'super' user Enter password (password will not display as you type)>
  • Page 59 Enter password (password will not display as you type)> ########## POST-INSTALLATION OPTIONS ########## Start server(s) when finished? (y/n) []> y ########## CONFIRMATION ########## About to proceed with the following actions: - Install Device Server
  • Page 60: Servers

    Putting NSROOT into start scripts......ok Filling in GUI Server config file(s)......ok Setting permissions for GUI Server......ok Running generateMPK utility.........ok Running fingerprintMPK utility......ok Installation of GUI Server complete. ----- INSTALLING HA Server ----- Looking for existing RPM package......ok
  • Page 61: Starting Server Processes Manually

    To validate that the management system is started and running properly, we recommend that you view the status of all the running server processes (the HA, Device, and GUI Servers) to confirm that all services are running.
  • Page 62: Installing the User Interface

    NOTE: For instructions on adding users to the Administrator group, refer to your operating system manual. Download the UI installer from the NSM installation CD or from the Juniper Networks corporate web site to the computer where you are installing the UI.
  • Page 63: Figure 1: UI Installer Introduction Screen

    NOTE: If you choose to not accept the terms of the License Agreement, then you are unable to proceed with the installation. If you accepted the License Agreement, then the Choose Install Folder screen appears as shown in Figure 2 on page 42.
  • Page 64: Figure 2: UI Installation - Choose Install Folder

    To specify a new or different folder location, click Choose. If you decide to accept the default install folder, then click Restore Default Folder. On Windows-based computers, the Choose Shortcut Folder screen appears as shown in Figure 3 on page 43.
  • Page 65: Figure 3: UI Installation - Choose Shortcut Folder

    Linux-based computer, select where you would like to create links to the NSM UI program. Click Next to continue. The Pre-Installation Summary screen appears as shown in Figure 4 on page 44.
  • Page 66: Figure 4: UI Installation - Preinstallation Summary

    The installer generates a log file with information describing the context of the installation process. For troubleshooting purposes, you might need to access it. The installation log is saved by default in the following directory locations: For Windows-based computers: C:\Documents and Settings\<user name>\.nsm\ For Linux-based computers:
  • Page 67: Running the User Interface

    After you have installed the management system and UI, we recommend that you validate basic information configured on the Device Server. You can use the Server Manager to view and edit your configuration on the management system. To validate your configuration on the Device Server:
  • Page 68: Figure 5: Validating the NSM Installation

    DMI Device Server Manager Port: The default port is 7804. Device Server ID: The ID number identifies the Device Server; you cannot change the Device Server ID. Mapped IP address: The IP address that is manually defined in the UI.
  • Page 69: Running the User Interface in Demo Mode

    NSM. Refer to the Network and Security Manager Administration Guide for information describing how to plan and implement NSM for your network. You can also refer to the Network and Security Manager Online Help for task-specific information.
  • Page 71: Installing NSM in a Distributed Configuration

    Define system parameters that you need to provide during the installation process. Perform prerequisite steps. Download the management system and User Interface installer software from the installation CD or the Juniper Networks corporate website.
  • Page 72: Defining System Parameters

    By default, the Device Server stores data in: /var/netscreen/DevSvr/ CAUTION: Do not place your data directory in /usr/netscreen. That path normally contains binary files and should not be used for data.
  • Page 73 Configuration file management user and password: Configures a user and password for NSM to perform configuration file management operations, and a corresponding UNIX user and password. The NSM and UNIX passwords must be identical.
  • Page 74 Device Server ID: Unique ID assigned when you add the Device Server. Password for GUI Server Connection: Password assigned to the Device Server enabling it to authenticate with the GUI Server when attempting to connect.
  • Page 75: Prerequisites

    Checking for iptables service Iptables is found to be running on the system. Please make sure the ports 7801, 7802, 443, 7800, 7804 are open and available for NSM to run. Please press enter to continue:
  • Page 76 Extracting and decompressing payload......ok Extracting license manager package......ok ########## GATHERING INFORMATION ########## 1) Install Device Server only 2) Install GUI Server only 3) Install both Device Server and GUI Server Enter selection (1-3) []> 2
  • Page 77 NOTE: The installer validates the license key file. If the license key file is not there, press Ctrl+Z to exit the installer. If the NSM Server stops while doing this, you need to manually start the server.
  • Page 78 You need this when you first log in to the system. f. Enter a one-time password for the GUI Server. This password authenticates this server to its peers in a high-availability configuration and to the central manager.
  • Page 79 12; for midnight, type 00. Press Enter to accept the default setting of 02 (2:00 AM). b. Enter n so daily backups are not sent to a remote server. If you enter y, the installer prompts you for an IP address for the remote backup server.
  • Page 80 NOTE: If you are installing NSM for the first time on a Solaris server, you must reboot the server after installation. The installer generates a log file with the output of the installation commands for troubleshooting purposes.
  • Page 81: Typical Output for Installing a GUI Server in a Distributed Configuration

    Enter base directory location for management servers [/usr/netscreen]> Enable FIPS Support? (y/n) [n]> ########## GENERAL SERVER SETUP DETAILS ########## Will this machine participate in an HA cluster? (y/n) [n]> ########## GUI SERVER SETUP DETAILS ##########
  • Page 82 (y/n) [y]> ########## BACKUP SETUP DETAILS ########## Will this machine require local database backups? (y/n) [y]> Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]>
  • Page 83 Running fingerprintMPK utility......ok Installation of GUI Server complete. ----- INSTALLING HA Server ----- Looking for existing RPM package......ok Removing existing HA Server RPM......ok Installing HA Server RPM........ok Creating var directory........ok Putting NSROOT into start scripts......ok
  • Page 84: Installing the User Interface

    Name. IP Address: In the box, enter the IP address of the Device Server. Password for GUI Server Connection: In the box, enter the DevSvr one-time password you specified when installing the GUI Server.
  • Page 85: Installing the Device Server

    The installation begins automatically by performing a series of preinstallation checks. The installer extracts the software payloads and prompts you to specify the components of NSM that you want to install. Enter 1 to specify that you want to install the Device Server only.
  • Page 86 If you do not want to restart the server processes, enter n. The installer next prompts you to determine if you want to perform a daily backup of the database locally. If you installed and configured the local database backup on
  • Page 87 The installer will start the process with nsm user permissions. If you do not want the Device Server to start automatically, enter n. NOTE: When you reboot your server, the Device Server starts automatically.
  • Page 88: Configuration

    1) Install Device Server only 2) Install GUI Server only 3) Install both Device Server and GUI Server Enter selection (1-3) []> 1 Enter base directory location for management servers [/usr/netscreen]> Enable FIPS Support? (y/n) [n]>
  • Page 89 Please enter again for verification Enter password (password will not display as you type)> ########## POST-INSTALLATION OPTIONS ########## NOTE: Do not start up the Device Server unless you have already added it to the system from the UI.
  • Page 90 Setting permissions for HA Server......ok Installation of HA Server complete. ----- SETTING START SCRIPTS ----- Enabling Device Server start script......ok Enabling HA Server start script......ok ########## PERFORMING POST-INSTALLATION TASKS ########## Running nacnCertGeneration........ok Running idpCertGeneration........ok Removing staging directory........ok
  • Page 91: Starting Server Processes Manually

    Refer to the Network and Security Manager Administration Guide for information describing how to plan and implement for your network. You can also refer to the Network and Security Manager Online Help for more task-specific information.
  • Page 93: Installing NSM with High Availability

    A primary server that runs on a server machine in active mode; a secondary server that runs on a different server machine in standby mode. If for any reason the primary server becomes unavailable, then the secondary server takes over as the active management system.
  • Page 94: HA Configuration Options

    HA configuration. Figure 6: Simple HA Management System Configuration. Communication Between Physical Servers: This section discusses the following aspects of communication between the physical servers: Inter-server Communications on page 73; HA Server on page 73.
  • Page 95: Inter-Server Communications

    GUI Server, and from the GUI Server to NSM UI clients are all TCP-based and make use of Juniper Networks' proprietary SSP (Secure Server Protocol). This ensures that both AES encryption and certificate-based authentication are used throughout. There are some exceptions: Certificate loading onto security devices running ScreenOS 5.0...
  • Page 96: HA Failover

    Server1 and the secondary GUI Server and Device Server on Server 2; and the primary GUI Server fails: both the primary GUI Server and primary Device Server on Server1 are shut down; and both the secondary GUI Server and Device Server on Server 2 start up.
  • Page 97: Restoring Connections

    IP address to reconnect to the new GUI server IP address. NOTE: After failover, it will take some time for the standby management system to become fully active with the replicated database. For large networks, this can take up to 10 minutes.
  • Page 98: Using a Shared Disk

    The public keys are exchanged the first time the Device Server connects to the GUI Server. This initial connection makes use of an OTP (one-time password) which is configured on both the Device Server and the GUI Server during installation.
  • Page 99: Checking HA Status

    Provides statistics on the HA processes. replicateDB: Replicates data to the local or secondary server. restoreDbFromBackup: Restores the local backup to the current configuration. validateBinaries: Checks if all binaries are present to run the server in HA.
  • Page 100: Suggested Simple HA Installation Order

    Device Server services. Use the tail -f command on the secondary server's HaSvr error log to view the progress.
  • Page 101: Defining System Parameters

    Simple HA Configuration Parameters: Table 13 on page 80 describes the system parameters that you need to identify to install HA with the Device Server and GUI Server on the same server machine.
  • Page 102: Table 13: Simple HA Configuration - System Parameters

    NSM API. The range is from 1025 through 65535. The default value is 8443. Initial “super” user password: The password required to authenticate the initial user in the system. By default, the initial superuser account receives all administrative privileges in the system.
  • Page 103 Number of missing heartbeat messages before switchover occurs: Number of missing heartbeat messages before automatic switchover to the secondary machine occurs. The default is 4 messages. IP Address outside the HA cluster: Network IP address used to monitor this server’s network connection.
  • Page 104 Time value (in seconds) that the rsync utility waits before timing out backup operations. By default, the rsync utility waits 3600 seconds before timing out. Enable Logging: Enable logging related to local backup and HA.
  • Page 105: Extended HA Configuration Parameters

    Command to check the integrity of the shared data partition: The command to check the integrity of the shared data partition. The default command is: /sbin/fsck. Directory path for the shared disk: Directory path of the shared disk mount point.
  • Page 106: Prerequisites

    This check is necessary because the failover logic determines whether to perform a restore from a database replicated remotely based on the timestamp of the last performed remote database replication.
  • Page 107: Establishing an SSH Trust Relationship

    You should test connectivity via SSH from the primary server to the secondary server and vice versa. For example, to test SSH connectivity from NSM Server1 to NSM Server2, type the following command: ssh root@<IP ADDRESS of Secondary Server>
  • Page 108: Installing Nsm 2010.4 On The Primary Server

    Load the installer software onto the server where you want to use NSM. You can run the installer directly from the NSM installation CD, copy the installer to a directory on the server, or download the installer from the Juniper Networks Customer Services Online Web site.
  • Page 109 Checking for PostgreSQL........ok Checking if user is root........ok Checking if user nsm exists.........ok Checking if iptables is running......ok Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers
  • Page 110 Use the installation ID to obtain a license key file from the LMS system and save it on your local drive as described in “Generating the License Key for a High Availability NSM Installation” on page 14. b. Enter the license key file path.
  • Page 111 The installer prompts you to specify the management IP address for the server. d. Type the management IP address for the server. This address should be the same IP address as the server that you are installing on. The installer sets the IP address
  • Page 112 The installer next prompts if you want the server processes to be restarted automatically on failure. NOTE: The CFM passwords for NSM and for UNIX must be identical, although NSM does not check that they are the same. Configure the HA cluster as follows:
  • Page 113 Designate a directory location for locally storing the NSM database with HA backup. Press Enter to accept the default location /var/netscreen/dbbackup m. Type the full path where the rsync utility is located. n. Enter the full path to the ssh executable.
  • Page 114 The installer prompts you to configure the Device Server database. Configure the Device Server database as follows: a. Enter a port number for the Device Server database.
  • Page 115: Viewing The Management System Installation Log

    If you did not specify the installer to start the servers when finished, then you must manually start the management system processes. You can start all the management system processes by starting the HA Server process.
  • Page 116: Validating Management System Status

    1;do netstat -n | grep 192.168.0.;done Continually displays the command after the word “do.” This command is useful if you are waiting for a server connection attempt or data sync. clear Clears the screen
  • Page 117: Installing Nsm 2010.4 On The Secondary Server

    IP Address of the secondary HA server is 10.150.41.10 IP Address outside the HA Cluster is 10.150.47.254 Daily local database backup Daily remote database backup Heartbeat link sent over remote replications/backups Figure 7 on page 96 shows this configuration.
  • Page 118: Primary Gui Server And Device Server Installation

    2) Install GUI Server only 3) Install both Device Server and GUI Server Enter selection (1-3) []> 3 Do you want to do NSM installation with base license? (y/n) [y]> Enter base directory location for management servers [/usr/netscreen]>
  • Page 119 Setting GUI Server address and port to 10.150.41.9:7801 for Device Server Please enter a password for the 'super' user Enter password (password will not display as you type)> Please enter again for verification Enter password (password will not display as you type)>
  • Page 120 Enter a time interval (seconds) between heartbeat messages [15]> Enter number of missing heartbeat messages before automatic switchover occurs [4]> An IP address outside the HA cluster is needed to monitor this server's network connection.
  • Page 121 - Install GUI Server - Install High Availability Server - Store base directory for management servers as /usr/netscreen - This machine will have base license with maximum 25 devices - This machine participates in an HA cluster
  • Page 122 ----- Setting up PostgreSQL for DevSvr ----- Setting up PostgreSQL for DevSvr......ok Installation of Device Server complete. ----- INSTALLING GUI Server ----- Looking for existing RPM package......ok Removing existing GUI Server RPM......ok Installing GUI Server RPM........ok Installing JRE..........ok Installing GCC..........ok
  • Page 123: Secondary Gui Server And Device Server Installation Script

    Creating staging directory...ok Running preinstallcheck... Checking if platform is valid.......ok Checking for correct intended platform......ok Checking for CPU architecture.......ok Checking if all needed binaries are present....ok Checking for platform-specific binaries.....ok Checking for platform-specific packages.....ok
  • Page 124 The GUI Server stores all of the user data under a single directory. By default, this directory is /var/netscreen/GuiSvr. Because the user data (including database data and policies) can grow to be quite large, it is sometimes desirable to place this data in another
  • Page 125 Enter password (password will not display as you type)> Please enter again for verification Enter password (password will not display as you type)> Enter number of Heartbeat links between the primary and secondary machines [1]>
  • Page 126 Will this machine require local database backups? (y/n) [y]> Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]> Will daily backups need to be sent to a remote machine? (y/n) [n]>
  • Page 127 - Daily backups will not be sent to a remote machine - Number of database backups to keep: 7 - HA rsync command backup timeout: 3600 - Postgres DevSvr Db Server port: 5432 - Postgres DevSvr Db super user: nsm
  • Page 128 Disabling GUI Server start script......ok Enabling HA Server start script......ok ########## PERFORMING POST-INSTALLATION TASKS ########## Running nacnCertGeneration........ok Running idpCertGeneration........ok Running webproxy Cert Generation......ok Removing staging directory........ok NOTES: - Installation log is stored in /usr/netscreen/DevSvr/var/errorLog/netmgtInstallLog.20080902154907
  • Page 129: Installing The User Interface

    Edit icon or right-click on the GUI Server and select Edit to view all information available on the GUI Server. Use the Server Type list to select GUI Server Cluster. The HA and Email Notification tabs become available.
  • Page 130: Figure 8: Configuring The Ha Gui Server Cluster

    Click the plus + button to add recipients of the e-mail notification. The New Add/Edit E-mail Address window appears enabling you to enter an e-mail address. Click OK when you are done.
  • Page 131: Figure 9: Configuring The Ha Device Server Cluster

    Figure 10 on page 110: a. Enter the IP Address of the SMTP Server. b. Enter the e-mail address referenced in the e-mail notification in the From Email Address field.
  • Page 132: Installing Nsm In An Extended Ha Configuration

    Use the system parameters referred to in “Extended HA Configuration Parameters” on page 83 to configure HA on both servers. If you are using a shared disk, you will also need to configure the system parameters referred to in “Shared Disk Parameters” on page 83.
  • Page 133: Example: Installing Nsm In An Extended Ha Configuration

    IP Address of the secondary Device Server is 10.150.41.8 IP Address outside the HA Cluster is 10.150.47.254 Daily local database backup No daily remote database backup Heartbeat link sent over remote replications/backups Figure 11 on page 112 depicts the configuration example above:
  • Page 134: Primary Gui Server Installation Script

    Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers ########## EXTRACTING PAYLOADS ########## Extracting and decompressing payload......ok Extracting license manager package......ok ########## GATHERING INFORMATION ########## 1) Install Device Server only
  • Page 135 Please enter again for verification Enter password (password will not display as you type)> Will a Statistical Report Server be used with this GUI Server? (y/n) [n]> ==> CFM user is set to 'cfmuser'
  • Page 136 An IP address outside the HA cluster is needed to monitor this server's network connection. Enter an IP address outside of the cluster []> 10.150.47.254 Enter the rsync replication timeout [3600]> Enter HA directory [/var/netscreen/dbbackup]> The HA server(s) requires that you have previously installed the rsync program.
  • Page 137 - IP address for the peer's primary heartbeat link: 10.150.42.10 - IP address for remote HA replications: 10.150.41.10 - Port for HA heartbeat communication: 7802 - Seconds between heartbeat messages: 15 - Missing heartbeat messages: 4 - Outside pingable IP address: 10.150.47.254
  • Page 138 - Installation log is stored in /usr/netscreen/GuiSvr/var/errorLog/netmgtInstallLog.20080902163033 - This is the GUI Server fingerprint: 1C:67:DF:06:51:A4:C4:5B:CF:A9:19:B4:BA:98:79:01:0C:F2:63:4F You will need this for verification purposes when logging into the GUI Server. Please make a note of it.
  • Page 139: Secondary Gui Server Installation

    ########## GUI SERVER SETUP DETAILS ########## Will the GUI Server data directory be located on a shared disk partition? (y/n) [n]> The GUI Server stores all of the user data under a single directory.
  • Page 140 Please enter shared password that will be used for Heartbeat authentication Enter password (password will not display as you type)> Please enter again for verification Enter password (password will not display as you type)>
  • Page 141 Will this machine require local database backups? (y/n) [y]> Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]> Will daily backups need to be sent to a remote machine? (y/n) [n]>
  • Page 142 ########## PERFORMING INSTALLATION TASKS ########## ----- INSTALLING GUI Server ----- Looking for existing RPM package......ok Removing existing GUI Server RPM......ok Installing GUI Server RPM........ok Installing JRE..........ok Installing GCC..........ok Creating var directory........ok Creating /var/netscreen/dbbackup......ok Putting NSROOT into start scripts......ok
  • Page 143: Primary Device Server Installation

    Checking if user is root........ok Checking if user nsm exists.........ok Checking if iptables is running......ok Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers ########## EXTRACTING PAYLOADS ##########
  • Page 144 Please enter shared password that will be used for Heartbeat authentication Enter password (password will not display as you type)> Please enter again for verification Enter password (password will not display as you type)>
  • Page 145 Will this machine require local database backups? (y/n) [y]> Enter hour of day to start the database backup (00 = midnight, 02 = 2am, 14 = 2pm ...)[02]> Will daily backups need to be sent to a remote machine? (y/n) [n]>
  • Page 146 - Postgres DevSvr Db super user: nsm - Postgres DevSvr Db password set for 'nsm' - Start High Availability daemon processes when finished: No Are the above actions correct? (y/n)> y ########## PERFORMING INSTALLATION TASKS ##########
  • Page 147: Secondary Device Server Installation

    Checking for platform-specific binaries.....ok Checking for platform-specific packages.....ok Checking in System File for PostgreSQL and XDB parameters...ok Checking for PostgreSQL........ok Checking if user is root........ok Checking if user nsm exists.........ok Checking if iptables is running......ok
  • Page 148 Enter the IP address for the primary HA Server []> 10.150.41.7 Enter the IP address for the secondary HA Server [10.150.41.8]> NOTE: Please make sure the heartbeat PASSWORD is the same for primary and
  • Page 149 Please reset the trust relationship with 'nsm' user. Here are sample commands: cd /home/nsm su nsm ssh-keygen -t rsa chmod 0700 .ssh -- then copy .ssh/id_rsa.pub to the peer machines' .ssh/authorized_keys ########## BACKUP SETUP DETAILS ##########
  • Page 150 - Daily backups will not be sent to a remote machine - Number of database backups to keep: 7 - HA rsync command backup timeout: 3600 - Postgres DevSvr Db Server port: 5432 - Postgres DevSvr Db super user: nsm
  • Page 151: Next Steps

    Refer to the Network and Security Manager Administration Guide and Network and Security Manager Online Help for information describing how to plan and implement NSM for your network.
  • Page 152 Network and Security Manager Installation Guide
  • Page 153: Upgrading To Nsm 2010.4 From An Earlier Version

    Download the NSM management system and User Interface installer software from the NSM installation CD or the Juniper Networks corporate Web site. Run the NSM management system installer on the system where the management system is currently installed. Specify that you want to upgrade both the GUI Server and Device Server.
  • Page 154: Defining System Parameters

    By default, the GUI Server stores data in: /var/netscreen/GuiSvr/ CAUTION: Do not place your data directory in /usr/netscreen . That path normally contains binary files and should not be used for data.
  • Page 155 The GUI Server completes the daily backup process within the hour specified every day. By default, the GUI Server performs the daily backup within an hour after 2 AM.
  • Page 156: Distributed Configuration Parameters

    By default, the GUI Server replicates the database every 60 minutes. Heartbeat links between primary and secondary machine: Number of heartbeat communication paths between the primary and secondary machine. By default, only one communication link exists between the primary and secondary machines.
  • Page 157 The default path is: /usr/bin/ Remote Backup Machine IP Address: IP address of the machine where remote backups are sent. By default, the installer sets this to the IP address of the secondary HA Server.
  • Page 158: Shared Disk Parameters

    Command to check the integrity of the shared data partition: The command to check the integrity of the shared data partition. The default command is: /sbin/fsck. Directory path for the shared disk: Directory path of the shared disk mount point.
  • Page 159: Prerequisite Steps

    If you are upgrading NSM on a Solaris server, ensure that all required locales have been installed and that the necessary edits to the /etc/default/init file have been made. See “Preparing a Solaris Server for NSM” on page 140 for details.
  • Page 160: Running The System Update Utility

    Both the GUI and Device Server require that you modify the operating system shared memory in order to start and run. On Solaris systems, you can do this by adding/updating the following in /etc/system set shmsys:shminfo_shmmax= 402653184 set shmsys:shminfo_shmmin=1
  • Page 161: Setting The Rsync Timeout Values

    Edit the OS kernel parameters in /etc/system by adding the following lines. set shmsys:shminfo_shmmax=402653184 set shmsys:shminfo_shmmin=1 set shmsys:shminfo_shmmni=256 set shmsys:shminfo_shmseg=256 set semsys:seminfo_semmap=256 set semsys:seminfo_semmni=512 set semsys:seminfo_semmns=512 set semsys:seminfo_semmsl=32 Save the file. Restart your system.
  • Page 162: Preparing A Solaris Server For Nsm

    Edit the /etc/default/init file to include the following lines: LC_COLLATE=en_US.UTF-8 LC_CTYPE=en_US.UTF-8 LC_MESSAGES=C LC_MONETARY=en_US.UTF-8 LC_NUMERIC=en_US.UTF-8 LC_TIME=en_US.UTF-8 Reboot the Solaris server: /usr/sbin/reboot Upgrading NSM in a Standalone Configuration To upgrade to NSM 2010.4 on a standalone system:
  • Page 163 You can also copy the installer to a directory on the server, or you can download the installer from the Juniper Networks Customer Services Online Web site. Unless installing from CD, navigate to the directory where you saved the management...
  • Page 164 The installer extracts the software payloads and prompts you to install NSM with the base license. ########## EXTRACTING PAYLOADS ########## Extracting payload..........ok Decompressing payload........ok Extracting license manager package......ok ########## GATHERING INFORMATION ########## Checking device count........ok
  • Page 165 Use the installation ID to obtain a license key file from the LMS system and save it on your local drive as described in “Generating the License Key for an NSM Software-Only Upgrade” on page 15. b. Enter the license key file path.
  • Page 166 Verify your settings. If they are correct, enter y to proceed. If you enter n, the installer returns you to the original selection prompt. The upgrade proceeds automatically. The installer proceeds to perform the following actions:
  • Page 167: Typical Output For A Standalone Upgrade

    Checking if installed HA Server is newer....ok Checking if system meets RAM requirement....ok Checking for sufficient disk space......ok Noting OS name..........ok Stopping any running servers ########## EXTRACTING PAYLOADS ########## Extracting and decompressing payload......ok Extracting license manager package......ok
  • Page 168 Will daily backups need to be sent to a remote machine? (y/n) [n]> ==> Set to n Enter number of database backups to keep. The default value will keep the last seven backups. The oldest backup copy will be overwritten by the new backup copy [7]>
  • Page 169 ########## PERFORMING INSTALLATION TASKS ########## ----- UPGRADING Device Server ----- Upgrading DevSvr RPM........ok Creating /var/netscreen/dbbackup......ok Putting NSROOT into start scripts......ok Installing JRE..........ok Installing GCC..........ok ----- Setting up PostgreSQL for DevSvr ----- Setting up PostgreSQL for DevSvr......ok
  • Page 170: Starting Server Processes Manually

    If you did not specify the installer to start the servers when finished, then you must manually start the management system processes. You can start all the management system processes by starting the HA Server process. To start the HA Server process manually, enter the following command:
  • Page 171: Validating Management System Status

    Follow the directions in the wizard to complete the installation. Connect to the server again using the new client. The NSM login dialog box appears. Enter your username and password to establish a connection with the server.
  • Page 172: Downloading And Installing The Ui Client Manually

    NAT mode interfaces. Click OK when you are done. Upgrading NSM in a Distributed Configuration The process for upgrading the management system on separate servers (in the distributed configuration) is as follows:
  • Page 173: Upgrading Nsm With Ha Enabled

    Enter the number of HA replications. Enter the number of heartbeat links between the primary and secondary machines. Enter the IP address for this machine’s primary heartbeat link. Enter the IP address for the peer’s primary heartbeat link.
  • Page 174 Do you want to do NSM installation with base license? (y/n) [y]> n Will server(s) need to be reconfigured during the refresh? (y/n) [n]> The installation ID for this system is: 2000032C62E52 Number of Devices managed by NSM is: 25
  • Page 175: Upgrading The Database Backup Files

    Perform a clean installation of NSM. Refer to the appropriate version of NSM documentation for more information about installing your version of NSM. Restore your configuration and log data from backup. See “Archiving and Restoring Logs and Configuration Data” on page 178 for more information.
  • Page 176: Next Steps

    Refer to the Network and Security Manager Administration Guide and Network and Security Manager Online Help for information describing how to plan and implement NSM for your network.
  • Page 177: Upgrading Nsm Appliances To Nsm 2010.4

    Copy this file onto your NSM appliance using FTP or SCP. Log in as the admin user, and enter n when prompted to run the setup wizard. Enter sudo su - and the admin password to gain root access.
  • Page 178 /tmp The installer then stops any running servers. Type 2 to specify that you want to upgrade both the Device Server and the GUI Server.
  • Page 179 This file is saved by default in the /usr/netscreen/DevSvr/var/errorLog subdirectory. After the successful installation, copy the installer file nsm2010.4_servers_linux_x86.sh to the /var/install directory and enter the following commands: rm -f NSM-RS chmod 755 nsm2010.4_servers_linux_x86.sh ln -s nsm2010.4_servers_linux_x86.sh NSM-RS
  • Page 180: Upgrading To Nsm 2010.4 Release On An Nsm Central Manager Appliance (Online Mode)

    All the necessary software binaries are present. You correctly logged in as root. You have installed a version of NSM earlier than the current version you are installing. The system has sufficient disk space and RAM.
  • Page 181 Enter to return to the original selection prompt. The upgrade proceeds automatically. The installer performs the following actions: Extracts and decompresses the software payloads. Upgrades Central Manager. Installs the HA Server.
  • Page 182: Upgrading To Nsm 2010.4 Release On An Nsm Appliance (Offline Mode)

    NSM Software Download page. Use the following command to install this utility: rpm -i unzip-5.51-9.EL4.5.i386.rpm Navigate to the directory where you saved the downloaded files, which is typically the /tmp/ subdirectory.
  • Page 183 NSM. The installer next prompts you to configure additional options specific to your installation during the upgrade. These options can include: Configuring high availability Configuring interoperability with NetScreen Statistical Report Server
  • Page 184: Upgrading To Nsm Release 2010.4 On An Nsm Central Manager Appliance (Offline Mode)

    NSM Central Manager Appliance software. The downloaded file will have the name nsm2010.4_servers_upgrade_cm.zip From the NSM Software Download page, click the Offline Server upgrade link to download the NSM CM appliance offline upgrade software. The downloaded file will have the name nsm2010.4_offline_upgrade.zip
  • Page 185 All the necessary software binaries are present. You correctly logged in as root. You have installed a version of NSM earlier than the current version you are installing. The system has sufficient disk space and RAM.
  • Page 186 Enter to return to the original selection prompt. The upgrade proceeds automatically. The installer performs the following actions: Extracts and decompresses the software payloads. Upgrades the Central Manager. Installs the HA server.
  • Page 187: Migrating Data To An Nsm Regional Server Appliance

    These commands assume that /var/netscreen/GuiSvr is your GUI Server data directory. If not, replace /var/netscreen/GuiSvr with the path to your GUI Server data directory. Use these commands to run the exporter: rm -f /tmp/xdbExporter.pid
  • Page 188: On The Nsm Appliance

    Change the IP address in the server table to that of the NSM appliance: Option 70.server.00.server.1 [nsm@NSMXpress ~]$ /usr/netscreen/GuiSvr/utils/.xdbViewEdit.sh Start XDB View Editor in read-only mode? [y]/n: n. Please enter path to editor [/usr/bin/vi]: /bin/vi xdb editor set to /bin/vi Hit ENTER or return to continue...
  • Page 189: Data Migration From A Linux Server To An Nsm Regional Server Appliance

    The versions of NSM are the same on the current Linux installation and the NSM appliance. If the versions are different, you must upgrade the Linux server to the NSM version that is running on the NSM appliance before migrating your data.
  • Page 190: On The Linux Server

    - Stop the NSM server processes: /usr/netscreen/HaSvr/bin/haSvr.sh stop /usr/netscreen/GuiSvr/bin/guiSvr.sh stop /usr/netscreen/DevSvr/bin/devSvr.sh stop To avoid conflicts between the NSM appliance database and the database in Guidb.tar, delete the xdb subdirectory: cd /var/netscreen rm -rf GuiSvr/xdb/
  • Page 191: User Privileges On An Nsm Appliance

    NSM-specific command, such as starting or stopping a service manually or running a CLI command. Log in as admin and execute the sudo su - command any time you want to reboot or shut down.
  • Page 192 Password: [admin password] Change user privileges to admin by entering the following command at the prompt. [nsm@NSMXpress ~]$exit Change to root by entering the following command at the prompt. [admin@NSMXpress ~]$sudo su - Password:[admin password]
  • Page 193: Maintaining Nsm

    Viewing Management System Commands To view the manual commands that you can send to the GUI Server: Navigate to the GUI Server bin subdirectory. For example: cd /usr/netscreen/GuiSvr/bin Run the following command:
  • Page 194: Common Management System Commands

    /usr/netscreen/HaSvr/bin/haSvr.sh start The HA Server process automatically starts the GUI Server and Device Server processes. NSM server processes always run with nsm user permissions, even if you have root user permissions when you start them.
  • Page 195: Starting Gui Server And Device Server Processes Manually

    Configuring Disk Space Management on the Device Server on page 175 Configuring Disk Space Management on the GUI Server on page 176 Configuring Connection Timing on page 177 Setting Core File Naming on Solaris on page 177
  • Page 196: Changing The Management System Ip Address

    /usr/netscreen/GuiSvr/utils ./.xdbUpdate /usr/netscreen/GuiSvr/var/xdb server 0 1/__/ip <IP Address> Note that the 1 represents the Device Server. You can view this ID using the Server Manager in the NSM UI. Restart the GUI Server.
  • Page 197: Changing The Gui Server Ip Address

    Server starts to purge log records after crossing storageManager.threshold. Edit the value (in megabytes) for the storageManager.alert parameter. This parameter sets the minimum threshold for available disk space at which the Device Server sends
  • Page 198: Configuring Disk Space Management On The Gui Server

    GUI Server. By doing this, the GUI Server will not shut down as the Device Server attempts to free up some disk space by purging logs.
  • Page 199: Configuring Connection Timing

    This procedure also ensures that Solaris does not overwrite the names of multiple core files. To set core file naming on Solaris: Log into the GUI Server computer as root. Run the following command: coreadm -i core.%f.%p Restart the server.
  • Page 200: Archiving And Restoring Logs And Configuration Data

    1 root root 21 Apr 11 15:02 /usr/netscreen/DevSvr/var -> /var/netscreen/DevSvr Run the appropriate backup command on your Solaris or Linux platform to back up the GUI Server data. For example: tar -cvf /netscreen_backup/db-data.tar /var/netscreen/GuiSvr gzip db-data.tar
  • Page 201: Restoring Logs And Configuration Data

    Use the mv command to move data from the “var” directories (for example, /var/netscreen/GuiSvr and /var/netscreen/DevSvr) to a safe location. Untar or place your backups into the var directories. Start the HA Server, GUI Server, and then the Device Server.
  • Page 202: Configuring High Availability Options

    -HUP <process id> Use the haStatus command to identify the highAvail process ID. Sending a HUP signal to the highAvail process restarts the HA Server process. You do not need to restart the server manually.
  • Page 203: Configuring Other High Availability Options

    Stop the running server processes. Navigate to the HA Server utilities subdirectory (/usr/netscreen/HaSvr/utils by default). Run the replicate database shell archive script. You can do so by running the following command as nsm user:
  • Page 204: Restoring The Database

    Validating the Database Recovery Process If you are using the local database backup option on a network where the GUI Server and Device Server are installed on separate systems and you did not install the local database
  • Page 205: Changing The Ha Server Ip Address

    -cvf devsvrdb.tar /var/netscreen/DevSvr/logs gzip devsvrdb.tar Installing NSM On a New System See “Installing NSM in a Standalone Configuration” on page 21 for more information on installing NSM on the same server machine.
  • Page 206: Moving The Databases To The New System

    Run xdbViewEdit using the command: /usr/netscreen/GuiSvr/utils/.xdbViewEdit.sh Set the path of vi editor to /bin/vi if prompted. Open in read-write mode. Select <0.shadow_server.1> (option 7). View and make note of the client one-time password in the shadow_server table.
  • Page 207: Installing A Trivial File Transfer Protocol Server

    Trivial File Transfer Protocol (TFTP) server on the system that is running the Device Server. The TFTP server is required to enable certificate management for security devices running ScreenOS versions 5.0.x.
  • Page 208: Installing A Tftp Server On Linux

    By default, Solaris installs the TFTP service on your machine but leaves it disabled. To configure and enable the TFTP service on Solaris: Open the /etc/inetd.conf file in any text editor. Uncomment the line that begins with “tftp” or “#tftp”.
  • Page 209: Modifying Timeout Values On The Device Server

    Start the HA Server process: /usr/netscreen/HaSvr/bin/haSvr.sh start If the HA Server process is not configured to start the GUI Server and the Device Server when it starts, start the GUI Server, and then start the Device Server: /usr/netscreen/GuiSvr/bin/guiSvr.sh start
  • Page 210: Downgrade Procedures

    -e netscreen-DevSvr rpm -e netscreen-GuiSvr rpm -e netscreen-HaSvr rm -rf netscreen b. Navigate to the /var subdirectory, and remove all the files in the netscreen subdirectory.
  • Page 211 Remove the actual scripts. For example, run the following commands: cd ../init.d etc/init.d root# ls *Svr devSvr guiSvr haSvr etc/init.d root# rm -f *Svr etc/init.d root# Remove the nsm user and group: userdel nsm groupdel nsm
  • Page 212: Uninstalling The User Interface

    Click the Uninstall button to uninstall the UI. The uninstaller proceeds to uninstall all the UI software files, shortcuts, folders, and registry entries. When the uninstaller has finished, a window appears indicating that all files were successfully uninstalled. Click Done to exit the uninstaller.
  • Page 213: Appendixes

    PART 2 Appendixes Technical Overview of the NSM Architecture on page 193 Hardware Recommendations on page 201 Profiler Performance Tuning Recommendations on page 209
  • Page 215: Appendix A Technical Overview Of The Nsm Architecture

    About the Management System on page 194 About the NSM User Interface on page 195 About Managed Devices on page 195 Server Communications on page 195 Using the Secure Server Protocol on page 197
  • Page 216: About The Management System

    NSM manages 3000 low-end devices, and no more than 25 UI clients connected to it when NSM manages 300 high-end devices. This limit is the maximum number of UI clients supported in this release of NSM.
  • Page 217: Device Server

    VPN services required to secure your network environment. Server Communications As you plan your installation, it helps to understand how NSM establishes communication among the UI, Management System, and managed devices.
  • Page 218: Communication Ports And Protocols

    Device Server on this port. 7808 From release 2008.2 onwards, the GUI client connects with the GUI Server on this port. 8443 Optional; this port is used to download the GUI client from the NSM server.
  • Page 219: Using The Secure Server Protocol

    If configured through NSM, a firewall uses this port for integrated surf control for Web filtering. Using the Secure Server Protocol NSM uses the Secure Server Protocol (SSP) to provide secure communication between management system components (GUI Server and Device Server), as well as between
  • Page 220: Communications With Devices Running Screenos 5.X And Later

    ScreenOS 5.0 and later, enabling you to set the NSM agent. The agent enables the device to communicate back to the Device Server using SSP port 7800. Security devices running ScreenOS 5.0 and later also support SSH v2.
  • Page 221: Communications With Device Management Interface-Compatible Devices

    We recommend that you isolate the NSM management system from the rest of your network traffic. You should send management traffic on a separate management network, and deploy a firewall to enforce access policies on the management network.
  • Page 222 For management of devices, we recommend that you use SSP on the untrust interface, as this configuration reduces the possibility of losing access to the device due to an invalid configuration update.
  • Page 223: Appendix B Hardware Recommendations

    200 devices, small device configuration sizes (for example, a large number of NS-5GTs with a few larger systems), and fewer than 1000 logs per second from all devices. For larger networks, we recommend distributing the GUI Server and Device Server.
  • Page 224: Network Card Requirements

    Table 26 on page 202 to determine the estimated RAM required: Table 26: GUI Server RAM Requirements (Total Config Size / GUI Server RAM Required): Less than 2 MB: 4 GB; Between 2 and 10 MB: 4 GB
  • Page 225: Device Server

    Device Server RAM Required: 1 through 3: 4 GB; 4 through 8: 6 GB; 9 through 30: 8 GB. After the installation, Juniper recommends that you make the following change on the server machine(s):
  • Page 226: Ui Client

    To enable summary audit logging, set guiSvrManager.auditlog_flag=1 and guiSvrManager.auditlog_detail_flag=0. To enable detailed audit logging, set guiSvrManager.auditlog_flag=1 and guiSvrManager.auditlog_detail_flag=1. With audit logging enabled, more auditable events require more disk space, as shown in Table 29 on page 205.
  • Page 227: Error Log

    For every 1 MB of aggregate device configuration, NSM needs up to 200 MB of disk space. For example, 100 devices with 10 KB configuration may need: (10 KB * 100) * 200 = 200 MB of disk space.
  • Page 228: Nightly Backup

    / to avoid /var log files filling up your root partition and crashing your server. In situations calling for high volume logging, we recommend you mount /var on a locally attached high speed SCSI drive or similar
  • Page 229: Processor Speed Requirements

    Regular backups mitigate that risk. Disable the atime filesystem feature by mounting with the noatime option. Use a secondary 7200 RPM or better SATA hard drive for /var/netscreen on both the GUI Server and the Device Server.
  • Page 230 You should set the values of both the storageManager.minimumFreeSpace and storageManager.alert parameters to the same value (in MB). The recommended value is enough space for 2 or more days of logs.
  • Page 231: Appendix C Profiler Performance Tuning Recommendations

    GUI Server and Device Server (Profiler DB) running on the same machine: Physical Memory Required: 1 GB; 1 Fast; Disk space reserved for Profiler: 8 GB; UI System Preferences: Purge profiler database if size exceeds 1000 MB
  • Page 232: Medium-Size Configuration (3 To 8 Idp Profiling Devices)

    Disk space reserved for Profiler: 12 GB (*High-end SCSI drives preferred); UI System Preferences: Purge profiler database if size exceeds 3000 MB; Max profiler database size after purging: 2200 MB; PostgreSQL Settings: shared_buffers 32768 KB
  • Page 233: High-End Configuration (9 To 20 Idp Profiling Devices)

    *High-end SCSI drives preferred; UI System Preferences: Purge profiler database if size exceeds 8000 MB; Max profiler database size after purging: 6000 MB; PostgreSQL Settings: shared_buffers 262143 KB, work_mem 512000 KB, maintenance_work_mem 32768 KB
  • Page 234: Setting Preferences To Improve Profiler Performance

    The SQL query times out when this interval (default 120 seconds) has elapsed, irrespective of whether the entire database has been searched or not. In the event of a timeout, the results available so far are returned.
  • Page 235: Postgresql Server

    Six bytes of shared memory are consumed for each page slot. checkpoint_segments: Maximum distance between automatic checkpoints maintained by PostgreSQL, in log file segments. checkpoint_timeout: Maximum time between automatic checkpoints, in seconds (default 600 seconds).
  • Page 236: Shared Memory

    Table 38: Device Server Settings (Parameter / Description / Default Value): profilerMgr.printLevel: For debugging, info is most useful, but Notice will potentially generate lots of logs. profilerMgr.receiver.pktIntTimeoutInSec: A profiler session times out if the time exceeds this configured value, in seconds.
  • Page 237: Nsm Generated Logs' Impact On Performance

    , “New Protocol”, and “New Port” detected check boxes in the IDP device editor, and save the data. Excessive messages indicating “Could not write the whole buffer to FIFO” could indicate that Device Server performance is affected by these NSM generated logs.
  • Page 238: Gui Server

    If you need more memory, change the BDB config to increase the existing limit. Increase the parameters listed below in the /var/netscreen/GuiSvr/xdb/data/DB_CONFIG file: set_data_dir . set_lg_dir ../log set_lg_regionmax 600000 set_lk_max_lockers 200000 set_lk_max_locks 200000 set_lk_max_objects 200000 set_cachesize 0 1024000000 1
  • Page 239: Index

    PART 3 Index Index on page 219
  • Page 241: Index

    GUI Server, described......23, 51, 80, 132 described................74 data migration................165 heartbeat links database described................81 backup options..............10 high availability replicating.................181 configuring manually..........180 restoring................182 installing................72 defining system parameters......22, 50, 79, 132 overview................9 Demo Mode................47
  • Page 242 UI..............4 installing on separate servers........78 restarting................172 replicating starting................172 database................181 status.................172 restarting management system........172 stopping................172 restoring uninstalling..............188 database................182 upgrading................131 logs and configuration data........179
  • Page 243 50, 79, 132 system update utility described................5 running..............25, 138 technical support contacting JTAC...............xx TFTP server installing on Linux............186 installing on Solaris.............186 timeout bulk cli modification............187 typical configuration option..........8