Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 User Manual

Network and Security Manager
Configuring ScreenOS Devices Guide
Release
2010.4
Published: 2010-11-17
Revision 01
Copyright © 2010, Juniper Networks, Inc.
Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Network and Security Manager Configuring ScreenOS Devices Guide
Release 2010.4 Copyright © 2010, Juniper Networks, Inc. All rights reserved. Printed in USA.
Revision History 18 November 2010—01
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.
BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product.
Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Part 1 Configuring
Chapter 1 NSM User Interface and NSM Key Management Features . . . . . . . . . . . . . . . 3
NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Security Integration Management Using NSM Overview . . . . . . . . . . . . . . . . . . . . . 4
Complete Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Network Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Role-Based Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Centralized Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Migration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Managing Devices in a Virtual Environment Using NSM . . . . . . . . . . . . . . . . . . . . . . 6
Device Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Rapid Deployment (RD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Policy-Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Error Prevention, Recovery, and Audit Management Using NSM . . . . . . . . . . . . . . . 8
Device Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Policy Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Atomic Configuration and Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Device Image Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Administering ScreenOS Devices Using NSM Complete System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
VPN Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Integrated Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Monitoring Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Job Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
NSM User Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Configuring UI Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding NSM User Interface Menus and Toolbars . . . . . . . . . . . . . . . . . . . . 12
Working with Multiple NSM Administrators Overview . . . . . . . . . . . . . . . . . . . . . . . 13
NSM Modules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Navigation Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Main Display Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Investigate Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . 14
Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Report Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Log Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Realtime Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Security Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Audit Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configure Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . . 16
Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
VPN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Object Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Administer Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . 20
Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Job Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Action Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Understanding Validation Icons and Validation Data in the NSM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding the Search Function in the NSM User Interface . . . . . . . . . . . . . . . 22
Chapter 2 Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Device Configuration Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
About Configuring Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
About Configuring Extranet Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring Advanced Properties for ScreenOS Device Details . . . . . . . . . . . . . . . 26
Configuring a Blacklisted Entry (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 27
Enabling ALGs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
About Configuring Devices Running Future Releases of ScreenOS . . . . . . . . 29
Configuring Extranet Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Configuring Extranet Devices Details (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 30
Understanding Templates and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Using Global Device Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Using Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Configuring Network Settings Options and Descriptions . . . . . . . . . . . . . . . . . . . . 34
Chapter 3 Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring Zones and Zone Properties in ScreenOS Devices Overview . . . . . . . . 39
Predefined Screen Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Configuring Flood Defense Settings for Preventing Attacks . . . . . . . . . . . . . . . . . . 41
Configuring ICMP Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring SYN Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Configuring UDP Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Example: Configuring UDP Flooding Protection (NSM Procedure) . . . . . . . . . . . . 43
HTTP Components and MS-Windows Defense Method . . . . . . . . . . . . . . . . . . . . 43
Protection Against Scans, Spoofs, and Sweeps . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
IP and TCP/IP Anomaly Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Prevention of Security Zones Using Denial of Service Attacks . . . . . . . . . . . . . . . . 47
Malicious URL Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
Example: Enabling the Malicious URL Blocking Option (NSM Procedure) . . . . . . 50
Interface Types in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Setting Interface Properties Using the General Properties Screen . . . . . . . . . . . . 53
Setting WAN Properties Using the WAN Properties Screen . . . . . . . . . . . . . . . . . . 54
Setting Port Properties Using the Port Properties Screen . . . . . . . . . . . . . . . . . . . 54
Using MLFR and MLPPP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Setting Physical Link Attributes for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Enabling Management Service Options for Interfaces . . . . . . . . . . . . . . . . . . . . . . 56
Setting DHCPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) . . 58
Configuring Custom DHCP Options (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 59
Using Interface Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Using Interface Secondary IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Enabling ScreenOS Devices for Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . 61
Supporting Generic Routing Encapsulation Using Tunnel Interfaces . . . . . . . . . . 62
Interface Network Address Translation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Interface Network Address Translation Using MIPs . . . . . . . . . . . . . . . . . . . . . . . . 62
Example: Configuring MIPs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Interface Network Address Translation Using VIPs . . . . . . . . . . . . . . . . . . . . . . . . 65
Mapping Predefined and Custom Services in a VIP . . . . . . . . . . . . . . . . . . . . . . . . 65
Example: Configuring VIPs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Interface Network Address Translation Using DIPs . . . . . . . . . . . . . . . . . . . . . . . . . 67
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Enabling Managed Devices Using Incoming DIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Example: Configuring Interface-Based DIP (NSM Procedure) . . . . . . . . . . . . . . . . 74
Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure) . . . . 75
Example: Configuring an Aggregate Interface (NSM Procedure) . . . . . . . . . . . . . . 77
Example: Configuring a Multilink Interface (NSM Procedure) . . . . . . . . . . . . . . . . 78
Example: Configuring a Loopback Interface (NSM Procedure) . . . . . . . . . . . . . . . 79
Configuring Virtual Security Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Example: Configuring a Redundant Interface (NSM Procedure) . . . . . . . . . . . . . . 80
Example: Configuring a Subinterface (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 84
Example: Configuring a WAN Interface (NSM Procedure) . . . . . . . . . . . . . . . . . . . 86
Configuring a Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Using Numbered Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Using Unnumbered Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Configuring Maximum Transmission Unit Size . . . . . . . . . . . . . . . . . . . . . . . . 88
ADSL Interface in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices . . . . . . . . . . . . . 89
About ADSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
About the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
ADSL Settings from the Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Copyright © 2010, Juniper Networks, Inc.
Page 10
Configuring ScreenOS Devices Guide
Determining Physical Ports and Logical Interfaces and Zones Using ScreenOS Devices Port Mode . . . . . . . . . . . . 91
Backup Connection Using the Untrusted Ethernet Port in ScreenOS Devices . . . . . . . . . . . . 92
Example: Configuring NetScreen5GT Devices to Permit Internal Hosts (NSM Procedure) . . . . . . . . . . . . 93
Example: Configuring NetScreen5GT Devices to Connect to the Web Using the PPPoA and ADSL Interfaces (NSM Procedure) . . . . . . . . . . . . 94
Example: Configuring NetScreen5GT Devices as a Firewall Using the PPPoE and ADSL Interfaces (NSM Procedure) . . . . . . . . . . . . 96
Wireless Interface on ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . 99
Configuring DSCP Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
Example: Configuring DIP Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 100
DNS Server Configuration Using DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Configuring DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Configuring DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
Example: Configuring DNS Proxy Entries (NSM Procedure) . . . . . . . . . . . . . . . . . 105
Example: Configuring DDNS Settings (NSM Procedure) . . . . . . . . . . . . . . . . . . . 106
Advanced Network Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring ARP Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring VIP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
Configuring DIP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Chapter 4 Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Configuring Advanced Device Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Example: Defining Forced Timeout (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 112
Identifying Reasons for Session Close in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Policy Schedules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Configuring Timeouts for Predefined Services (NSM Procedure) . . . . . . . . . . . . . 115
Configuring Session Cache for Predefined Services (NSM Procedure) . . . . . . . . . 115
Configuring SIP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
Configuring MGCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Configuring H.323 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Allocating Network Bandwidth Using Traffic Shaping Options . . . . . . . . . . . . . . . 119
Enabling/Disabling Application Layer Gateway Protocols Overview . . . . . . . . . . 120
Using Packet Flow Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
ICMP Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Allow DNS Reply Without Matched Request . . . . . . . . . . . . . . . . . . . . . . . . . 123
Allow MAC Cache for Management Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Allow Unknown MAC Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Skip TCP Sequence Number Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
TCP RST Invalid Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Check TCP SYN Bit Before Create Session . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Check TCP SYN Bit Before Create Session for Tunneled Packets . . . . . . . . . 125
Use SYN-Cookie for SYN Flood Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Enforce TCP Sequence Number Check on TCP RST Packet . . . . . . . . . . . . . 126
Use Hub-and-Spoke Policies for Untrust MIP Traffic . . . . . . . . . . . . . . . . . . . 126
Max Fragmented Packet Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Flow Initial Session Timeout (Seconds) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Multicast Flow Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
All TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
GRE In TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
GRE Out TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
Early Ageout Time Before the Session’s Normal Ageout . . . . . . . . . . . . 129
Percentage of Used Sessions Before Early Aging Begins . . . . . . . . . . . . 129
Percentage of Used Sessions Before Early Aging Stops . . . . . . . . . . . . . 129
Configuring Features Unsupported in NSM Using Supplemental CLI Options Overview . . . . . . . . . . . . 129
Configuring ScreenOS with TFTP or FTP Servers Enabled Using TFTP/FTP Options . . . . . . . . . . . . 129
Configuring Hostnames and Domain Names Overview . . . . . . . . . . . . . . . . . . . . 130
Configuring NSGP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
NSGP Modules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure) . . . . . . . 132
Using the PPP Option to Configure Point-To-Point Protocol Connections . . . . . 134
About Configuring PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Example: Updating DNS Servers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 136
Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure) . . . . . . . . . . . . 138
Configuring a PPPoA Client Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
Configuring a NetScreen Address Change Notification . . . . . . . . . . . . . . . . . . . . . 141
Interface Failover in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Example: Configuring Modem Connections (NSM Procedure) . . . . . . . . . . . . . . . 142
Example: Creating Modem Settings (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 143
Example: Creating ISP Connection Settings (NSM Procedure) . . . . . . . . . . . . . . 144
Setting ISP Priority for Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Chapter 5 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
Device Administration Options for ScreenOS Devices Overview . . . . . . . . . . . . . 148
Importing Device Administrators from a Physical Device Overview . . . . . . . . . . . 148
Device Administrator Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Device Administrator Account Configuration Overview . . . . . . . . . . . . . . . . . . . . 150
Configuring Privilege Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151
Admin Access Lock Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
Roles for Device Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
Supporting Admin Accounts for Dialup Connections . . . . . . . . . . . . . . . . . . . . . . 153
Restricting Management Connections Using Permitted IPs . . . . . . . . . . . . . . . . . 154
Local Access Configuration Using CLI Management Overview . . . . . . . . . . . . . . . 155
File Formatting in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Port Numbers for SSH and Telnet Connections in NSM Overview . . . . . . . . . . . . 156
Limiting Login Attempts, Setting Dial-In Authentication, and Restricting Password Length in NSM Overview . . . . . . . . . . . . 156
Asset Recovery and Reset Hardware in NSM Overview . . . . . . . . . . . . . . . . . . . . . 157
Console-Only Connections in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Secure Shell Server in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158
Using SSH Version 1 (SSHv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Using SSH Version 2 (SSHv2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
Configuring CLI Banners in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configuring Remote Access Using Web Management Overview . . . . . . . . . . . . . 161
Configuring HTTP Administrative Connections in ScreenOS Devices Using NSM Overview . . . . . . . . . . . . 161
Configuring Secure Connections in ScreenOS Devices Using NSM Overview . . . 162
Configuring Network Time Protocol and NTP Backup Server in NSM Overview . . . . . . . . . . . . 163
Configuring Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Configuring an NTP Backup Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Setting ScreenOS Authentication Options Using General Auth Settings . . . . . . 165
Clearing RADIUS Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165
Assigning an Authentication Request Interface . . . . . . . . . . . . . . . . . . . . . . . 165
Setting ScreenOS Authentication Options Using Banners Overview . . . . . . . . . . 166
Setting ScreenOS Authentication Options Using Default Servers Overview . . . . 167
Setting ScreenOS Authentication Options Using Infranet Settings Overview . . . 167
General Report Settings for ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . 168
Configuring Syslog Host Using NSM (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 169
Configuring SNMPv3 in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . . . 170
Chapter 6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Classification of Security Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Classification of Antivirus Scanning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
External Antivirus Scanner Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Internal Antivirus Scan Manager Settings Overview . . . . . . . . . . . . . . . . . . . . . . . 178
Internal Antivirus HTTP Webmail Settings Overview . . . . . . . . . . . . . . . . . . . . . . 181
Antivirus Scanner Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Classification of Deep Inspection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183
Attack Object Database Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Using Attack Objects Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Antispam Settings in ScreenOS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Configuring Antispam Settings in ScreenOS (NSM Procedure) . . . . . . . . . . . . . . 187
Configuring IDP Security Module Settings in ScreenOS Overview . . . . . . . . . . . . 189
Load-Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Run-Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Protocol Thresholds and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
Configuring Integrated Web Filtering in ScreenOS (NSM Procedure) . . . . . . . . . 190
Example: Configuring Integrated Web Filtering (NSM Procedure) . . . . . . . . . . . . 190
Redirect Web Filtering in ScreenOS Using NSM Overview . . . . . . . . . . . . . . . . . . 192
Example: Configuring Redirect Web Filtering in ScreenOS (NSM Procedure) . . . 193
Adding Proxy Addresses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Chapter 7 Planning and Preparing VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
System-Level and Device-Level VPN Using NSM Overview . . . . . . . . . . . . . . . . . 196
System-Level VPN with VPN Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . 196
Device-Level VPN in Device Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 197
VPN Configuration Supported Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Planning Your VPN Using NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Defining VPN Members and Topology Using NSM . . . . . . . . . . . . . . . . . . . . . . . . 200
Traffic Protection Using Tunneling Protocol in NSM Overview . . . . . . . . . . . . . . 202
Traffic Protection Using IPsec Tunneling Protocol Overview . . . . . . . . . . . . . . . . 203
Using Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Using Encapsulating Security Payload (ESP) . . . . . . . . . . . . . . . . . . . . . . . . 203
Traffic Protection Using L2TP Tunneling Protocol Overview . . . . . . . . . . . . . . . . 205
VPN Tunnel Types Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
About Policy-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
About Route-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Defining VPN Checklist Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Defining Members and Topology in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Defining Traffic Types for Data Protection in NSM . . . . . . . . . . . . . . . . . . . . . . . . 207
Defining VPN Traffic Using Security Protocols in NSM . . . . . . . . . . . . . . . . . . . . . 208
Defining Tunnel Creation Methods in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Using VPN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Creating Device-Level VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Preparing Basic VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
Preparing Required Policy-Based VPN Components Overview . . . . . . . . . . . . . . . 211
Policy-Based VPN Creation Using Address Objects and Protected Resources Overview . . . . . . . . . . . . 211
Configuring Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Configuring Protected Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Policy-Based VPN Creation Using Shared NAT Objects Overview . . . . . . . . . . . . 212
Policy-Based VPN Creation Using Remote Access Server Users Overview . . . . . 213
Authenticating RAS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Configuring Group IKE IDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
Configuring Required Routing-Based VPN Components Overview . . . . . . . . . . . 215
Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview . . . . . . . . . . . . 215
Routing-Based VPN Support Using Static and Dynamic Routes Overview . . . . . 216
Preparing Optional VPN Components Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Optional VPN Support Using Authentication Servers Overview . . . . . . . . . . . . . . 217
Optional VPN Support Using Certificate Objects Overview . . . . . . . . . . . . . . . . . 217
Configuring Local Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Configuring CA Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Configuring CRL Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Chapter 8 Configuring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Device Level VPN Types and Supported Configurations Overview . . . . . . . . . . . . 221
Device Level AutoKey IKE VPN: Using Gateway Configuration Overview . . . . . . . 221
ScreenOS Devices Gateway Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
ScreenOS Devices IKE IDs or XAuth Identification Number . . . . . . . . . . . . . 224
Security Methods for ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Device Level AutoKey IKE VPN: Using Routes Configuration Overview . . . . . . . . 227
Device-Level AutoKey IKE VPN: Using VPN Configuration Overview . . . . . . . . . . 227
Device-Level AutoKey IKE VPN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
ScreenOS Security Measures Using VPN Configuration . . . . . . . . . . . . . . . . 228
Binding/ProxyID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Monitor Management on ScreenOS Devices Using AutoKey IKE VPN . . . . . 230
Device-Level AutoKey IKE VPN: Using VPN Rule Configuration Overview . . . . . 230
Device-Level Manual Key VPN: Using XAuth Users Overview . . . . . . . . . . . . . . . . 231
Device-Level Manual Key VPN: Using Routing-Based VPN Overview . . . . . . . . . 231
Device-Level Manual Key VPN: Using VPN Configuration Overview . . . . . . . . . . 232
Device-Level Manual Key VPN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Monitor Management on ScreenOS Devices Using Manual Key VPN . . . . . . 233
Device Level Manual Key VPN: Using VPN Rule Configuration Overview . . . . . . 234
Device Level L2TP VPN: Using L2TP Users Configuration Overview . . . . . . . . . . 235
Device Level L2TP VPN: Using L2TP Configuration Overview . . . . . . . . . . . . . . . 235
Device Level L2TP VPN: Using VPN Rule Configuration Overview . . . . . . . . . . . . 236
Creating Device Level L2TP-over-Autokey IKE VPNs Overview . . . . . . . . . . . . . . 237
Adding VPN Rules to a Security Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
Configuring the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Assigning and Installing the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . 238
Example: Creating Device Level VPN Type 1 (NSM Procedure) . . . . . . . . . . . . . . 238
Example: Creating Device Level VPN Type 2 (NSM Procedure) . . . . . . . . . . . . . . 243
Example: Creating Device Level VPN Type 3 (NSM Procedure) . . . . . . . . . . . . . . 245
L2TP and Xauth Local Users Configuration Overview . . . . . . . . . . . . . . . . . . . . . 247
Configuring L2TP Local Users (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 247
XAuth Users Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Vsys Configurations in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Virtual Router Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . 251
Zone Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . . . . . . . . 251
Interface Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . . . . . 252
Viewing Root and Vsys Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Managing Inter-Vsys Traffic with Shared DMZ Zones . . . . . . . . . . . . . . . . . . . . . . 253
Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure) . . . . . . . . . . 254
Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure) . . . . 256
Layer 2 Vsys Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
Assigning L2V VLAN IDs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
L2V VLAN Groups in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Predefined L2V Zones in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
L2V Interface Management in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Configuring L2V VLAN Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . 261
Configuring L2V Aggregate Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Converting L2V to VLAN Trunking (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 262
Configuring Crypto-Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Certificate Authentication Support in NSM Overview . . . . . . . . . . . . . . . . . . . . . 267
Self-Signed Certificates in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Local Certificate Validation of ScreenOS Devices Overview . . . . . . . . . . . . . . . . 268
Generating Certificate Requests to ScreenOS Devices (NSM Procedure) . . . . . 269
Loading Local Certificate into NSM Management System . . . . . . . . . . . . . . . . . . 270
Installing Local Certificates Using SCEP in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Manual Installation of Local Certificates in NSM . . . . . . . . . . . . . . . . . . . . . . . . . 272
Certificate Authority Configuration in NSM Overview . . . . . . . . . . . . . . . . . . . . . . 272
Installing CA Certificates Using SCEP in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Manual Installation of CA Certificates in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . 274
Configuring Certificate Revocation Lists (NSM Procedure) . . . . . . . . . . . . . . . . . 274
Imported Certificates in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275
PKI Default Settings Configuration in NSM Overview . . . . . . . . . . . . . . . . . . . . . . 276
Configuring X509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuring Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276
Configuring Simple Certificate Enrollment Protocol . . . . . . . . . . . . . . . . . . . 277
Chapter 9 Voice Over Internet Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
SCCP Support in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Configuring SCCP ALG in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . 280
SIP ALG Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
SIP Request Methods Supported in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . 282
Types of SIP Response Classes Supported in ScreenOS Devices . . . . . . . . . . . . 284
ALG Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Configuring SIP ALG in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . . . 287
SDP Session Description Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Pinhole Creation in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . 289
Session Inactivity Timeout in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . 290
Chapter 10 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Configuring Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Route Types Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Virtual Routers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Configuring Virtual Routers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Virtual Router General Properties Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Access List Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Example: Configuring Access Lists (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 299
Route Map Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Export and Import Rules in a Virtual Router Overview . . . . . . . . . . . . . . . . . . . . . 302
Example: Configuring Export Rules in a Virtual Router (NSM Procedure) . . . . . . 303
Routing Table Entries Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Destination-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Source-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Example: Configuring Source-Based Routes (NSM Procedure) . . . . . . . . . . . . . 308
Source Interface-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
Example: Source-Interface-Based Routing (NSM Procedure) . . . . . . . . . . . . . . . 310
Configuring Route Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Dynamic Routing Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
OSPF Protocol Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Enabling OSPF (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Global OSPF Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring OSPF Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring OSPF Summary Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring OSPF Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Configuring OSPF Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring OSPF Interface Parameters Overview . . . . . . . . . . . . . . . . . . . . . . . . 317
Configuring OSPF Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring OSPF Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Configuring OSPF (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Chapter 11 Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
RIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Configuring RIP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Global RIP Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring RIP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Configuring RIP Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Configuring RIP Summary Import (ScreenOS 5.1 and later only) . . . . . . . . . 325
RIP Interface Parameters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Configuring RIP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
BGP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Route-Refresh Capabilities Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328
Configuring BGP Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring Aggregate Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configuring Neighbors and Peer Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . 330
Configuring a BGP Routing Instance (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 331
Configuring NHRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Configuring OSPFv3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
OSPFv3 Support in Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
OSPFv3 Support in Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
OSPFv3 Area Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
OSPFv3 Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
OSPFv3 Route Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Configuring RIPng Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
RIPng Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336
Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Multicast Route Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Configuring IGMP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338
Configuring IGMP Proxy (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Configuring PIM Sparse Mode (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 341
Configuring a Rendezvous Point to Group Mappings (NSM Procedure) . . . . . . . 342
Configuring Acceptable Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 343
Example: Configuring Proxy RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Multicast Routing Table Entries Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Multicast Routing Table Preferences Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Configuring Multicast Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Example: Configuring Multicast Static Routes (NSM Procedure) . . . . . . . . . . . . 347
IRDP Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Example: Configuring ICMP Router Discovery Protocol (NSM Procedure) . . . . . 349
Disabling IRDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Policy-Based Routing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Example: Configuring Policy-Based Routing (NSM Procedure) . . . . . . . . . . . . . . 352
Vsys DHCP Enhancement Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Vsys Limitations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Example: Configuring Vsys Resource Limits (NSM Procedure) . . . . . . . . . . . . . . 357
Vsys Session Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Example: Configuring Vsys Session Limit (NSM Procedure) . . . . . . . . . . . . . . . . 358
Vsys CPU Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Example: Configuring CPU Limit (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 360
Chapter 12 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
IEEE 802.1x Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Supported EAP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Chapter 13 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
NSRP Clusters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Creating an NSRP Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Configuring Active/Passive Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Example: Configuring Active/Passive Cluster (NSM Procedure) . . . . . . . . . . . . . 367
Active/Active Configurations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Configuring an Active/Active Cluster (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 371
Synchronizing Virtual Router Configurations and RunTime Objects (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Synchronizing Virtual Router Configurations . . . . . . . . . . . . . . . . . . . . . . . . . 372
Configuring the Virtual Router Synchronization Settings . . . . . . . . . . . . . . . . 372
Synchronizing Runtime Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Changing VSD Group Member States (NSM Procedure) . . . . . . . . . . . . . . . . . . . 373
Example: Changing VSD Group Member States (NSM Procedure) . . . . . . . . . . . 374
Configuring NSRP to Detect Interface and Zone Failure . . . . . . . . . . . . . . . . . . . . 375
Configuring Track IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376
Configuring Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Configuring Zone Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Configuring Monitor Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Vsys Clusters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Exporting and Importing Device Configurations (NSM Procedure) . . . . . . . . . . . 379
Chapter 14 WAN, ADSL, Dial, and Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Wireless Settings in a Security Device Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 381
Configuring General Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382
Configuring Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring Operation Mode Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Configuring Transmission Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384
Configuring Advanced Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Configuring Beacons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Configuring Burst and Fragment Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Configuring Control Frame Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Configuring Short Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Configuring Preambles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Configuring Wireless MAC Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring MAC Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Configuring Wireless General SSID Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Configuring SSID Authentication and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 391
Configuring Wired Equivalent Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
Configuring WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393
Using Wi-Fi Protected Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Reactivating Wireless Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Conducting a Site Survey for Detecting Access Points . . . . . . . . . . . . . . . . . . . . . 397
Network, Interface, and Security Modules Supported in Security Devices . . . . . 397
Configuring the Network Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Slot Information in Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Physical Interface Modules Supported by SSG520 and SSG550 Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398
Interface Modules (Copper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
10/100 Mbps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
10/100/1000 Mbps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Interface Modules (Fiber) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Secure Port Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Chassis Information Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
WPA2, Extended Range, and Super G Support on NetScreen5GT Wireless Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Wi-Fi Protected Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Configuring Wi-Fi Protected Access (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 402
Super G Methods Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Configuring Atheros XR (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Chapter 15 General Packet Radio Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
3GPP R6 Information Elements Support Overview . . . . . . . . . . . . . . . . . . . . . . . 407
Radio Access Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Routing Area Identity and User Location Information . . . . . . . . . . . . . . . . . 408
APN Restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IMSI Prefix Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
IMEI-SV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Configuring Access Point Name Restriction (NSM Procedure) . . . . . . . . . . . . . . 409
Configuring IMSI Prefix Filter (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 409
DHCP Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Part 2 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
About This Guide
Objectives on page xix
Audience on page xix
Conventions on page xix
Documentation on page xxi
Requesting Technical Support on page xxii
Objectives
The Network and Security Manager (NSM) is a software application that centralizes control and management of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices.
NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support for previous and future versions of ScreenOS. By integrating management of all Juniper Networks security devices, NSM enhances the overall security of the Internet gateway.
This guide explains how to configure NSM ScreenOS devices. For detailed NSM IDP device configuration, see the Configuring Intrusion Detection and Prevention Devices Guide. Use this guide in conjunction with the Network and Security Manager Administration Guide, Network and Security Manager Installation Guide, and Network and Security Manager Online Help.
Audience
This guide is intended for system administrators responsible for the security infrastructure of their organization. Specifically, this book discusses concepts of interest to firewall and VPN administrators, network/security operations center administrators, and system administrators responsible for user permissions on the network.
Conventions
The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.
All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.
Table 1 on page xx defines notice icons used in this guide.
Table 1: Notice Icons
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xx defines text conventions used in this guide.
Table 2: Text Conventions
Bold typeface: Represents commands and keywords in text, keywords, and UI elements. Examples: Issue the clock source command. Specify the keyword exp-msg. Click User Objects.
fixed-width font: Represents information as displayed on the terminal screen. Example: host1# show ip ospf / Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)
Keynames linked with a plus (+) sign: Indicates that you must press two or more keys simultaneously. Example: Ctrl + d
Italics: Emphasizes words, identifies variables, and identifies chapter, appendix, and book names. Examples: The product supports two levels of access, user and privileged. clusterID, ipAddress. Appendix A, System Specifications.
Bold sans serif typeface: Represents text that the user must type. Example: user input
The angle bracket (>): Indicates navigation paths through the UI by clicking menu options and links. Example: Object Manager > User Objects > Local Objects
Table 3 on page xxi defines syntax conventions used in this guide.
Table 3: Syntax Conventions
Words in plain text: Represent keywords. Example: terminal length
Words in italics: Represent variables. Example: mask, accessListName
Words separated by the pipe ( | ) symbol: Represent a choice to select one keyword or variable to the left or right of this symbol. The keyword or variable can be optional or required. Example: diagnostic | line
Words enclosed in brackets ( [ ] ): Represent optional keywords or variables. Example: [ internal | external ]
Words enclosed in brackets followed by an asterisk ( [ ]* ): Represent optional keywords or variables that can be entered more than once. Example: [ level1 | level2 | 11 ]*
Words enclosed in braces ( { } ): Represent required keywords or variables. Example: { permit | deny } { in | out } { clusterId | ipAddress }
Documentation
Table 4 on page xxi describes documentation for the NSM.
Table 4: Network and Security Manager Publications
Network and Security Manager Installation Guide: Details the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation and/or upgrade to NSM.
Network and Security Manager Administration Guide: Describes how to use and configure key management features in the NSM. It provides conceptual information, suggested workflows, and examples where applicable. This guide is best used in conjunction with the Network and Security Manager Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI. This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.
Network and Security Manager ScreenOS and IDP Devices Guide: Describes NSM features that relate to device configuration and management. It also explains how to configure basic and advanced NSM functionality, including deploying new device configurations, managing Security Policies and VPNs, and general device administration.
Network and Security Manager Online Help: Provides task-oriented procedures describing how to perform basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.
Network and Security Manager API Guide: Provides complete syntax and description of the SOAP messaging interface to the Network and Security Manager.
Network and Security Manager Release Notes: Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notes differs from the information found in the documentation set, follow the Release Notes.
Release notes are included on the corresponding software CD and are available on the Juniper Networks Website. The documentation is also available on the Internet. You can order a set of printed documents from your Juniper Networks sales representative.
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/customers/support/downloads/710059.pdf.
Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/
Search technical bulletins for relevant hardware and software notifications: https://www.juniper.net/alerts/
Join and participate in the Juniper Networks Community Forum: http://www.juniper.net/company/communities/
Open a case online in the CSC Case Manager: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
Use the Case Manager tool in the CSC at http://www.juniper.net/cm/.
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at http://www.juniper.net/support/requesting-support.html.
PART 1
Configuring
NSM User Interface and NSM Key Management Features on page 3
Device Configuration on page 25
Network Settings on page 37
Advanced Network Settings on page 111
Administration on page 147
Security on page 175
Planning and Preparing VPNs on page 195
Configuring VPNs on page 219
Voice Over Internet Protocol on page 279
Routing on page 293
Virtual Systems on page 355
User Authentication on page 361
High Availability on page 363
WAN, ADSL, Dial, and Wireless on page 381
General Packet Radio Service on page 407
CHAPTER 1
NSM User Interface and NSM Key Management Features
Juniper Network and Security Manager (NSM) provides IT departments with an easy-to-use solution that controls all aspects of the Juniper Networks firewall, VPN, and IDP devices including device configuration, network settings, and security policy. NSM enables IT departments to control the entire device lifecycle with a single, centralized solution. Using NSM, you can configure all your Juniper Networks security devices from one location, at one time.
For details on ScreenOS functionality, see the Concepts & Examples ScreenOS Reference Guide.
This chapter contains the following topics:
NSM Overview on page 4
Security Integration Management Using NSM Overview on page 4
Managing Devices in a Virtual Environment Using NSM on page 6
Error Prevention, Recovery, and Audit Management Using NSM on page 8
Administering ScreenOS Devices Using NSM Complete System Management on page 10
NSM User Interface Overview on page 12
Understanding NSM User Interface Menus and Toolbars on page 12
Working with Multiple NSM Administrators Overview on page 13
NSM Modules Overview on page 13
Investigate Task Modules in the NSM User Interface Overview on page 14
Configure Task Modules in the NSM User Interface Overview on page 16
Administer Task Modules in the NSM User Interface Overview on page 20
Understanding Validation Icons and Validation Data in the NSM User Interface on page 21
Understanding the Search Function in the NSM User Interface on page 22
NSM Overview
At its foundation, a management system integrates your individual security devices into a single, effective security system that you control from a central location. With NSM, you can manage your network at the system level, using policy-based central management, as well as at the device level, managing all device parameters for devices.
NSM is designed to work with networks of all sizes and complexity. You can add a single device, or create device templates to help you deploy multiple devices; you can create new policies, or edit existing policies for security devices. The management system tracks and logs each administrative change in real-time, providing you with a complete administrative record and helping you perform fault management.
NSM also simplifies control of your network with an intuitive UI. Making all changes to your devices from a single, easy-to-use interface can reduce deployment costs, simplify network complexity, speed configuration, and minimize troubleshooting time.
Related Documentation
NSM User Interface Overview on page 12
NSM Modules Overview on page 13
Understanding NSM User Interface Menus and Toolbars on page 12
Security Integration Management Using NSM Overview
True security integration occurs when you can control every security device on your network and see every security event in real-time from one location. In NSM, this location is the NSM GUI, a graphical user interface that contains a virtual representation of every security device on your network. The idea behind this virtual-physical abstraction is that you can access your entire network from one location—use this console to view your network, the devices running on it, the policies controlling access to it, and the traffic that is flowing through it.
The following topics are the security integration management features of NSM:
Complete Support on page 4
Network Organization on page 5
Role-Based Administration on page 5
Centralized Device Configuration on page 5
Migration Tools on page 6
Complete Support
You can create and manage device configurations for security devices or systems. NSM provides support for ScreenOS configuration commands, so you can retain complete control over your devices when using system-level management features like VPNs.
Network Organization
With NSM, you can use domains to segment your network functionally or geographically to define specific network areas that multiple administrators can manage easily.
A domain logically groups devices, their policies, and their access privileges. Use a single domain for small networks with a few security administrators, or use multiple domains for enterprise networks to separate large, geographically distant or functionally distinct systems, control administrative access to individual systems, or obfuscate systems for service provider deployments.
With multiple domains, you can create objects, policies, and templates in the global domain, and then create subdomains that automatically inherit these definitions from the global domain.
Role-Based Administration
Control access to management with NSM—define strategic roles for your administrators, delegate management tasks, and enhance existing permission structures with new task-based functionality.
Use NSM to create a security environment that reflects your current offline administrator roles and responsibilities. Because management is centralized, it’s easy to configure multiple administrators for multiple domains. By specifying the exact tasks your NSM administrators can perform within a domain, you minimize the probability of errors and security violations, and enable a clear audit trail for every management event.
Initially, when you log in to NSM as the super administrator, you have full access to all functionality within the global domain. From the global domain, you can add the following NSM administrators, configure their roles, and specify the subdomains to which they have access:
Activities and Roles—An activity is a predefined task performed in the NSM system, and a role is a collection of activities that defines an administrative function. Use activities to create custom roles for your NSM administrators.
Administrators—An administrator is a user of NSM or IDP; each administrator has a specific level of permissions. Create multiple administrators with specific roles to control access to the devices in each domain.
Default Roles—Use the predefined roles System Administrator, Read-Only System Administrator, Domain Administrator, Read-Only Domain Administrator, IDP Administrator, or Read-Only IDP Administrator to quickly create permissions for your administrators.
Centralized Device Configuration
No network is too large—because you manage your security devices from one location, you can use the following system management mechanisms to help you quickly and efficiently create or modify multiple device configurations at one time:
Templates—A template is a predefined device configuration that helps you reuse specific information. Create a device template that defines specific configuration values, and then apply that template to devices to quickly configure multiple devices at one time. For more flexibility, you can combine and apply multiple device templates to a single device configuration (63 maximum). In addition, you can make global-domain templates available for reference in subdomains.
Shared Objects—An object is an NSM definition that is valid in the global domain and all subdomains. Any object created in the global domain is a shared object that is shared by all subdomains; the subdomain automatically inherits any shared objects defined in the global domain. Global objects do not appear in the Object Manager of a subdomain, although you can still select them when building a policy.
The global domain is a good location for security devices and systems that are used throughout your organization, address book entries for commonly used network components, or other frequently used objects.A subdomain, alternatively, enables you to separate firewalls, systems, and address objects from the global domain and other subdomains, creating a private area to which you can restrict access.
Grouping—A group is a collection of similar devices or objects. Use device groups and object groups to update multiple devices simultaneously, simplify rule creation and deployment, and enable group-specific reporting. You can even link groups using Group Expressions to create a custom group.
Migration Tools
If you have existing security devices deployed on your network or are using a previous Juniper Networks management system, you can use the NSM migration tools to quickly import your existing security devices and their configurations, address books, service objects, policies, VPNs, and administrator privileges. As NSM imports your existing device configurations, it automatically creates your virtual network based on the configuration information.
You can import device configurations directly from your security device, or from your Juniper Networks Global PRO or Global PRO Express system. Import all your security devices at one time, or, if your network is large, import one domain at a time. When importing from Global PRO or Global PRO Express, NSM automatically transfers your existing domain structure.
For details on migrating from a previous management system, see the NSM Migration Guide.
Related Documentation
Administering ScreenOS Devices Using NSM Complete System Management on page 10
Managing Devices in a Virtual Environment Using NSM on page 6
Error Prevention, Recovery, and Audit Management Using NSM on page 8
Managing Devices in a Virtual Environment Using NSM
A production network is a living entity, constantly evolving to adapt to the needs of your organization. As your network grows, you might need to add new devices, reconfigure existing devices, update software versions on older devices, or integrate a new network to work with your existing network. NSM helps you take control of your network by providing a virtual environment in which to first model, verify, and then update your managed devices with changes.
The following topics are the device management features in NSM:
Device Modeling on page 7
Rapid Deployment (RD) on page 7
Policy-Based Management on page 7
Device Modeling
Using your virtual network to change, review, and test your network configuration before deploying it to your physical network can help you discover problems like routing issues, IP conflicts, and version mismatches across your entire network before they actually occur. NSM includes configuration validation to help you identify device configuration errors and missing information, and then points you to the trouble spot so you can quickly fix the problem. When you have designed a virtual configuration that works, you can push this configuration to your devices with a single update.
With NSM, you can implement a new routing protocol across your network, design and deploy a new security policy with traffic shaping, or create a VPN tunnel that connects a branch office to your corporate network—then deploy all changes with a single click.
Rapid Deployment (RD)
Rapid Deployment enables deployment of multiple security devices in a large networked environment with minimal user involvement. Rapid Deployment is designed to simplify the staging and configuration of security devices in non-technical environments, enabling the secure and efficient deployment of a large number of devices.
To use Rapid Deployment, the NSM administrator creates a small file (called a configlet) in NSM, and then sends that configlet to an onsite administrator that has local access to the security device. With the help of the Rapid Deployment wizard, the onsite administrator installs the configlet on the device, which automatically contacts NSM and establishes a secure connection for device management.
Rapid Deployment is ideal for quickly bringing new security devices under NSM management for initial configuration. You can model and verify your device configurations for undeployed devices, and then install the completed device configuration when the device contacts NSM.
Policy-Based Management
You can create simplified and efficient security policies for your managed devices using the Policy-Based Management feature. Table 5 on page 8 describes the different policy-based management features:
Table 5: Policy-Based Management Options
Groups: Group your devices by platform, ScreenOS version, location, or function, and then add them to your security policies.
Zone Exceptions: Simplify your rules by defining a common To Zone and From Zone for all devices in the rule, and then specify zone exceptions to change the To and From zones for specific devices. Zone exceptions add flexibility to your firewall rules, enabling you to manage more devices in a single rule.
Filtering: Filter on From and To Zones to see rules between zones.
Scheduling: Schedule a period during which a security policy is in effect on the devices in a rule. Create schedule objects as one-time, recurring, or both; you can even select multiple schedule objects in a firewall rule.
Security and Protection: Configure a rule to look for attacks, viruses, or specific URLs (devices running ScreenOS 5.x only).
Traffic Shaping: Use your firewall rules to control the amount of traffic permitted through your security devices.
Related Documentation
Device Configuration Settings Overview on page 25
Working with Multiple NSM Administrators Overview on page 13
Administering ScreenOS Devices Using NSM Complete System Management on page 10
Error Prevention, Recovery, and Audit Management Using NSM
Persistent management control is essential when managing large networks. You need to be sure that configuration and policies you send to your managed devices are correct before you install them on your devices.
Using NSM’s error prevention and recovery features, you can ensure that you are consistently sending stable configurations to your devices, and that your device remains connected to NSM. Additionally, you can track each change made by an NSM administrator to help you identify when, how, and what changes were made to your managed devices.
The following topics are the error prevention, recovery, and audit management features in NSM:
Device Configuration Validation on page 9
Policy Validation on page 9
Atomic Configuration and Updating on page 9
Device Image Updates on page 9
Auditing on page 9
Device Configuration Validation
NSM automatically alerts you to configuration errors while you work in the UI. Each field that has incorrect or incomplete data displays an icon—move your mouse cursor over the icon to get details on the missing data. For more details on validation, see “Understanding Validation Icons and Validation Data in the NSM User Interface” on page 21.
Policy Validation
The policy validation tool checks your security policies and alerts you to possible problems before you install that policy on your managed devices.
Atomic Configuration and Updating
On devices running ScreenOS 5.x, if the configuration deployment fails for any reason, the device automatically uses the last installed stable configuration. Additionally, if the configuration deployment succeeds, but the device loses connectivity to the management system, the device restores the last installed configuration. This minimizes downtime and ensures that NSM always maintains a stable connection to the managed device.
Devices running ScreenOS 5.1 and later also support atomic updating, which enables the device to receive the entire modeled configuration (all commands) before executing those commands (instead of executing commands as they are received from the management system). Because the device no longer needs to maintain a constant connection to the management system during updating, you can configure changes to the management connection from the NSM UI.
Device Image Updates
You can update the software that runs on your devices by installing a new ScreenOS image on all your security devices. The image updates are as follows:
NSM updates—Use NSM to upload the new image file to multiple security devices with a single click.
RMA updates—Replace failed devices, by setting the device to the RMA state, which enables NSM to retain the device configuration without a serial number or connection statistics. When you install the replacement device, activate the device with the serial number of the replacement unit.
Auditing
Use the Audit Log Viewer to track administrative actions so you will always know exactly when and what changes were made using the management system. The Audit Log Viewer displays log entries in the order generated, and it includes:
Date and time the administrative action occurred
NSM administrator who performed the action
Action performed
Domain (global or a subdomain) in which the action occurred
Object type and name
The detail view of the Audit Log Viewer displays changes from the previous version.
Related Documentation
Administering ScreenOS Devices Using NSM Complete System Management on page 10
Security Integration Management Using NSM Overview on page 4
Managing Devices in a Virtual Environment Using NSM on page 6
Administering ScreenOS Devices Using NSM Complete System Management
NSM provides the tools and features you need to manage your devices as a complete system, as well as individual networks and devices. The following features are supported in administering ScreenOS devices:
To manage an individual device, create a single device configuration, define a security policy for that device, and monitor the device status.
To manage a network, create multiple device configurations,define and install policies for multiple devices, and view the status of all devices in the same UI.
To manage at the system level, create templates and use them to quickly configure multiple policies and VPNs that control the flow of traffic through your network, view system-wide log information for network security events, and monitor the status of NetScreen Redundancy Protocol (NSRP).
The following topics describe how to administer ScreenOS devices using the complete system management feature in NSM:
VPN Abstraction on page 10
Integrated Logging and Reporting on page 11
Monitoring Status on page 11
Job Management on page 11
VPN Abstraction
Use VPN Manager to design a system-level VPN and automatically set up all connections, tunnels, and rules for all devices in the VPN. Instead of configuring each device as a VPN member and then creating the VPN, start from a system perspective: Determine which users and networks need access to each other, and then add those components to the VPN.
Using AutoKey IKE, you can create the following VPNs with VPN Manager:
Dynamic, route-based VPNs—Provide resilient, always-on access across your network. Add firewall rules on top of route-based VPNs to control traffic flow.
Policy-based VPNs—Connect devices, remote access server (RAS) users, and control traffic flow (traffic flow can also be controlled using L2TP VPNs).
Mixed-mode VPNs—Connect route-based VPNs with policy-based VPNs, giving you flexibility.
Integrated Logging and Reporting
You use the security devices on your network for multiple reasons: to control access to and from your network, to detect and prevent intrusions, and to record security events so you can monitor the important activities occurring on your network. You can use NSM to monitor, log, and report on network activity in real-time to help you understand what is happening on your network. For example, you can:
View traffic log entries generated by network traffic events, configuration log entries generated by administrative changes, or create custom views to see specific information in the Log Viewer.
Create detailed reports from traffic log information in the Report Manager.
Inspect suspicious events by correlating log information in the Log Investigator.
Monitoring Status
NSM keeps you up-to-date on the health of your network. You can view the following monitoring statuses on your network:
View critical information about your devices and IDP sensors in the Device Monitor:
Configuration and connection status of your security devices
Individual device details, such as memory usage and active sessions
Device statistics
View the status of each individual VPN tunnel in the VPN Monitor.
View redundant devices status in the NSRP Monitor.
View the status of your IDP clusters in the IDP Cluster Monitor.
View the health of the NSM system itself, including CPU utilization, memory usage, and swap status in the Server Monitor.
Job Management
You can view the progress of communication to and from your devices in the Job Manager. NSM sends commands to managed devices at your request, typically to import, update, or reboot devices, and view configuration and delta configuration summaries. When you send a command to a device or group of devices, NSM creates a job for that command and displays information about that job in the Job Manager module.
Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains the following:
Name of the command
Date and time the command was sent
Completion status for each device that received the command
Detailed description of command progress
Command output, such as a configuration list or CLI changes on the device
NOTE: Job Manager configuration summaries and job information details do not display passwords in the list of CLI commands for administrators that do not have the assigned activity “View Device Passwords”. By default, only the super administrator has this assigned activity.
Related Documentation
NSM Modules Overview on page 13
Error Prevention, Recovery, and Audit Management Using NSM on page 8
Device Configuration Settings Overview on page 25
NSM User Interface Overview
The NSM user interface (UI) is used to control the NSM system. Using the UI, you can configure NSM administrators, add devices, edit policies, and view reports—access the full functionality of the NSM system.
NOTE: For step-by-step instructions on using the User Interface, click the Help icon in the menu bar of the UI to access the Network and Security Manager Online Help.
Configuring UI Preferences
You can configure preferences for UI behavior, such as appearance, external tool use, polling statistics, and UI timeout. For details on configuring these settings, see the topics under “NSM User Interface” in the Network and Security Manager Online Help.
Related Documentation
NSM Modules Overview on page 13
Understanding NSM User Interface Menus and Toolbars on page 12
Understanding the Search Function in the NSM User Interface on page 22
Understanding NSM User Interface Menus and Toolbars
The NSM user interface (UI) appears after you log in, and it displays a set of menus and toolbar icons at the top of the UI window. Depending on the component displayed, right-click menus are available to perform various tasks.
Related Documentation
NSM Modules Overview on page 13
Understanding the Search Function in the NSM User Interface on page 22
Understanding Validation Icons and Validation Data in the NSM User Interface on page 21
Working with Multiple NSM Administrators Overview
When multiple NSM administrators are accessing the NSM system at the same time, NSM ensures that all edits are synchronized by locking an active object. Only one administrator at a time can edit existing values for an object, but multiple administrators can still view the existing values for that object.
NSM administrators must know the following guidelines:
When an NSM administrator begins editing an object, the UI locks that object to prevent other administrators from editing the object’s value.
During lockout, NSM makes “lazy” saves of all edits made and stores them in an in-memory database. If NSM crashes during a lazy save, edits made since the last lazy save are lost, and NSM prompts the NSM administrator to roll back to the last lazy save.
When the NSM administrator completes and saves the edit, that object is unlocked, enabling other administrators to edit it. However, because the UI does not immediately refresh the object values, you must manually refresh the UI to view the most recent versions.
When you attempt to open a locked object, a warning message appears indicating that the object is locked and can be opened only as a read-only object. The warning message also contains the name of the NSM administrator who is currently editing the object. Depending on your administrator privileges, you can locate contact information for the administrator in the Manage Administrators and Domains area of the UI (from the File menu, select Tools > Manage Administrators and Domains). For details on working with administrators and domains, see the Network and Security Manager Administration Guide.
For example, let’s say Bob and Carol are both NSM administrators with the same roles. If both administrators view the same object, but Bob also edits and saves the object, NSM does not notify Carol that a newer version of the object exists. To see the newest version, Carol must first close, and then open the object again or refresh the console.
Related Documentation
NSM Modules Overview on page 13
Device Configuration Settings Overview on page 25
NSM Modules Overview
The navigation tree contains 11 top-level modules that contain specific NSM functionality, as detailed in the following topics. Three containers in the left UI pane hold the 11 modules: Investigate, Configure, and Administer.
Navigation Tree on page 14
Main Display Area on page 14
Navigation Tree
The navigation tree displays the 11 NSM modules in the left pane of the NSM window. Double-click a module to display its contents in a hierarchical tree format. For details about each module, see the “NSM Modules Overview” on page 13.
Main Display Area
The main display area displays content for the selected module or module contents. They are as follows:
Menu Bar—The menu bar contains clickable commands. You can access many menu bar commands, such as add, edit, and delete, using keyboard shortcuts. For a complete list of keyboard shortcuts, see the Network and Security Manager Online Help.
ToolBar—The toolbar contains buttons for common tasks. The buttons displayed in the toolbar are determined by the selected module.
Status Bar—The status bar displays additional information for a selected module.
Related Documentation
NSM User Interface Overview on page 12
Understanding NSM User Interface Menus and Toolbars on page 12
Working with Multiple NSM Administrators Overview on page 13
Investigate Task Modules in the NSM User Interface Overview
The Investigate task includes the following top-level modules:
Log Viewer on page 14
Report Manager on page 15
Log Investigator on page 15
Realtime Monitor on page 15
Security Monitor on page 16
Audit Log Viewer on page 16
Log Viewer
The Log Viewer displays log entries that your security devices generate based on criteria that you defined in your security policies, on the GUI server, and in the device configuration. Log entries appear in table format; each row contains a single log entry, and each column defines specific information for a log entry.
You can customize the view (which log entries and what log information is shown) using log filters or by changing the column settings.
Use the Log Viewer to:
View summarized information about security events and alarms
View information about a specific log entry
Show, hide, or move columns to customize the Log Viewer
Filter log entries by column headings
Create and save custom views that display your filters/column settings
Set flags on Log Viewer entries to indicate a specific priority or action
For more details on using the Log Viewer, see the Network and Security Manager Administration Guide.
Report Manager
The Report Manager contains summaries, graphs, and charts that detail specific security events that occur on your network. NSM generates reports to visually represent the information contained in your log entries. You can use reports to quickly summarize security threats to your network, analyze traffic behavior, and determine the efficiency of NSM. To share reports or to use report information in other applications, you can print or export report data.
Log Investigator
The Log Investigator contains tools for analyzing your log entries in depth. Use the Log Investigator to:
Manipulate and change constraints on log information
Correlate log entries visually and rapidly
Filter log entries while maintaining the broader picture
Realtime Monitor
Realtime Monitor provides a graphical view of the current status of all devices managed by NSM. Table 6 on page 15 describes the monitoring status of all NSM managed devices.
Table 6: Monitoring Status of NSM Managed Devices
Device Monitor: Tracks the connection state and configuration state of your security devices and IDP sensors. You can also view device details to see CPU utilization and memory usage for each device, or check device statistics.
VPN Monitor: Tracks the status of all VPN tunnels.
NSRP Monitor: Tracks the status of security devices in clusters.
IDP Cluster Monitor: Tracks the status of IDP clusters.
You can customize Realtime Monitor to display only the information you want to see, as well as update information at specified time periods. You can also set alarm criteria for a device or process. For more details on Realtime Monitor, see “Realtime Monitoring” in the Network and Security Manager Administration Guide.
Security Monitor
Security Monitor provides access to the Dashboard, Profiler, and Security Explorer. These tools enable you to track, correlate, and visualize aspects about your internal network, enabling you to create more effective security policies and minimize unnecessary log records. For more details, refer to “Analyzing Your Network” in the Network and Security Manager Administration Guide.
Audit Log Viewer
The Audit Log Viewer contains a log entry for every change made by an NSM administrator. For more details on Audit Log Viewer, see “Using the Audit Log Viewer” in the Network and Security Manager Administration Guide.
Related Documentation
Configure Task Modules in the NSM User Interface Overview on page 16
Administer Task Modules in the NSM User Interface Overview on page 20
NSM Modules Overview on page 13
Configure Task Modules in the NSM User Interface Overview
The Configure task includes the following top-level modules:
Device Manager on page 16
Security Policies on page 17
VPN Manager on page 17
Object Manager on page 18
Device Manager
The Device Manager contains the device objects that represent your security devices. Table 7 on page 16 describes the objects that you can create in Device Manager.
Table 7: Device Objects in Device Manager
Security devices and systems: The devices you use to enable access to your network and to protect your network against malicious traffic.
Vsys devices: A vsys is a virtual device that exists within a physical security device.
Clusters: A cluster is two security devices joined together in a high availability configuration to ensure continued network uptime.
Vsys cluster: A vsys cluster device is a vsys device that has a cluster as its root device.
Extranet devices: Firewalls or VPN devices that are not Juniper Networks security devices.
Templates: A template is a partial device configuration that you can define once and then use for multiple devices.
Device Groups: A device group is a user-defined collection of devices.
Security Policies
Security policies contain the firewall, multicast, and VPN rules that control traffic on your network. Using a graphical, easy-to-use rule building platform, you can quickly create and deploy new policies to your security devices.
Use security policies to:
Add or modify existing security policies
Add or modify existing VPN rules
Add or modify existing IDP rules
Create policies based on existing policies
Install policies on one or multiple security devices
Delete policies
NOTE: Devices running ScreenOS 6.3 support IPv6 in policy rulebases, IDP, address objects, and attack objects. You can also configure IPv6 host, network, and multicast addresses. For more information on IPv6 support, see the Network and Security Manager Administration Guide.
If the device configurations that you imported from your security devices contained policies, security policies display those imported policies. For details on editing those imported polices or creating policies, see Chapter 9, “Configuring Security Policies”, or Chapter 10, “Configuring VPNs”, of the Network and Security Manager Administration Guide.
VPN Manager
The VPN Manager contains the VPN abstractions that control the VPN tunnels between your managed devices and remote users. Using VPN objects, such as protected resources and IKE proposals, you can create multiple VPNs for use in your security policies.
Use the VPN Manager to:
Define the protected resources on your network. Protected resources represent the network resources you want to protect in a VPN.
Create custom IKE phase 1 and 2 proposals.
NOTE: In ScreenOS 6.1 or later, users can set “group 14” for phase 1 and 2 proposals.
Configure AutoKey IKE, L2TP, and L2TP-over-AutoKey IKE VPNs in policy-based or route-based modes. You can also create an AutoKey IKE mixed mode VPN to connect policy-based VPN members with route-based VPN members.
Configure AutoKey IKE and L2TP policy-based VPNs for remote access server (RAS) and include multiple users.
NOTE: In ScreenOS 6.1 or later, AutoKey IKE VPN and AutoKey IKE RAS VPN are supported in IKEv2 parameters.
Object Manager
The Object Manager contains objects, which are reusable, basic NSM building blocks that contain specific information. You use objects to create device configurations, policies, and VPNs. All objects are shared, meaning they can be shared by all devices and policies in the domain.
Table 8 on page 18 describes the objects that you can create in NSM.
Table 8: Objects in Object Manager
Address Objects: Represent components of your network (hosts, networks, servers). On devices running ScreenOS 6.3, the new policy appears in the security policy list and supports IPv6 in policy rule bases, IDP, address and attack objects. After you have created a security policy, you can add rules to the new policy. Rules include IPv4, IPv6, VPN, and also VPN link. For more information, see the IDP Concepts & Examples guide. A rule that mixes IPv4 and IPv6 address objects is not allowed.
QoS Profiles: Represent the resource reservation control mechanisms rather than the achieved service quality. You can give different priority to different applications, users, or data flows, or guarantee a certain level of performance to a data flow. You can configure QoS into a policy role, using role options. There are two types of QoS profiles: DSCP and IP precedence.
Schedule Objects: Represent specific dates and times. You can use schedule objects in firewall rules to specify a time or time period that the rule is in effect.
DI Objects: Define the attack signature patterns, protocol anomalies, and the action you want a security device to take against matching traffic. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack.
IDP Attack Objects: Represent attack patterns that detect known and unknown attacks. You use IDP attack objects within IDP rules. On devices running ScreenOS 6.3, you can also set IPv6 version signature information while editing IP settings and header matches of a custom attack. When you select the IPv6 option, the Protocol tab displays the ICMP6 Packet Header Fields value, and then you can also modify the respective configurable parameters.
AV Objects: Represent the AV servers, software, and profiles available to devices managed by NSM.
ICAP Objects: Represent the Internet Content Adaptation Protocol (ICAP) servers and server groups used in ICAP AV objects.
Web Filtering Objects (Web Profiles): Define the URLs, the Web categories, and the action you want a security device to take against matching traffic.
Service Objects: Represent services running on your network, such as FTP, HTTP, and Telnet. NSM contains a database of Service Objects for well-known services; you can also create Service Objects to represent the custom services you are running on your network.
SCTP Objects: Provide a reliable transport service that supports data transfer across the network, in sequence and without errors. As of ScreenOS 6.3, the existing SCTP stateful firewall supports protocol filtering.
NOTE: You can configure the security device to perform stateful inspection on all SCTP traffic without performing deep inspection (DI). If you enable stateful inspection of SCTP traffic, the SCTP ALG drops any anomalous SCTP packets.
User Objects: Represent the remote users that access the network protected by the security device. To provide remote users with access, create a user object for each user, and then create a VPN that includes those user objects.
IP Pools: Represent a range of IP addresses. You use IP pools when you configure a DHCP server for your managed devices.
Authentication Servers: Represent external authentication servers, such as RADIUS and SecureID servers. You can use an authentication server object to authenticate NSM administrators (RADIUS only), XAuth users, IKE RAS users, L2TP users, and IKEv2 EAP users. NSM provides configuration support for Authentication Manager version 5 or later. This provision has introduced the concept of a primary server with up to 10 replica servers. In the Primary/Replica version, each server can process authentication requests. The more current agents will send to the server, the faster the responder.
Group Expressions: Are OR, AND, and NOT statements that set conditions for authentication requirements.
Remote Settings: Represent DNS and WINS servers. You use remote settings objects when configuring XAuth or L2TP authentication in a VPN.
NAT Objects: Represent MIPs, VIPs, and DIPs.
GTP Objects: Represent GTP client connections.
CA Objects: Represent the certificate authority’s certificate.
CRL Objects: Represent the certificate authority’s certificate revocation list.
You can use the Object Manager to:
View and/or edit the object properties
Create, edit, or delete objects
Create custom groups of Objects
For more details on objects, see Chapter 8, “Configuring Objects,” of the Network and Security Manager Administration Guide.
Related Documentation
Investigate Task Modules in the NSM User Interface Overview on page 14
Administer Task Modules in the NSM User Interface Overview on page 20
NSM Modules Overview on page 13
Administer Task Modules in the NSM User Interface Overview
The Administer task includes the following top-level modules:
Server Manager on page 20
Job Manager on page 20
Action Manager on page 20
Server Manager
Server Manager contains server objects that represent your management system components. Use Server Manager tomanage and monitorthe individualserver processes that comprise your NSM system.
Job Manager
Job Manager contains the status of commands (also called directives) that NSM sends to your managed devices. You can view summaries or details for active jobs and completed jobs. For more details on Job Manager, refer to “Tracking Device Updates” in the Network and Security Manager Administration Guide.
Action Manager
The Action Manager enables you to forward logs on a per domain basis. For more details on using the Action Manager, refer to “Using the Action Manager to Forward Logs by Domain” in the Network and Security Manager Administration Guide.
Related Documentation
Investigate Task Modules in the NSM User Interface Overview on page 14
Configure Task Modules in the NSM User Interface Overview on page 16
NSM Modules Overview on page 13
Understanding Validation Icons and Validation Data in the NSM User Interface
NSM uses automatic validation to help you identify the integrity of a configuration or specific parameter at a glance. Validation and data origination icons show the user where field data originates. These are implemented as additional types of validation messages (beyond the current error and warning messages), including Template Value, Override, and From Object messages. Each has its own icon and text color in the tool tips. Table 9 on page 21 lists the validation signs and validation and data origination icons that may appear as you work in the UI.
From Object messages only appear when viewing template objects to help find fields set in the template.
When more than one type of icon appears within a panel, the highest priority icon appears next to the icon in the tree and the panel title bar.
Table 9: Validation Status, Validation, and Data Origination Icons for ScreenOS Devices
Validation Status and Icons
Error: Indicates that a configuration or parameter is not configured correctly in the NSM UI. Updating a device with this modeled configuration causes problems on the device. This is the highest priority validation icon.
Warning: Indicates that a configuration or parameter is not configured correctly in the NSM UI. Updating a device with this modeled configuration might cause problems on the device.
Needs Validation: Indicates that a configuration or parameter has not been validated. Although NSM automatically validates all parameters when entered, this icon might appear for a template-driven value after you have changed a template. We highly recommend that you validate all parameters before updating a device.
Valid: Indicates that a configuration or parameter is configured correctly in the NSM UI.
Validation and Data Origination Icons
Override: Indicates that the displayed value was set manually and that the value overrides whatever value might come from a template. The icon can also indicate an override of a VPN-provided value or a cluster-provided value.
Template Value: Indicates that the displayed value was set manually. Changes to the same field in the template will be applied to the device when it is updated.
From Object: Indicates that the displayed value came from the device when the device was imported. Changes to a template will not change this value unless you selected Remove conflicted device values in the template Operations dialog box. This is the lowest priority validation and data origination icon.
Related Documentation
Understanding NSM User Interface Menus and Toolbars on page 12
Understanding the Search Function in the NSM User Interface on page 22
NSM Modules Overview on page 13
Understanding the Search Function in the NSM User Interface
You can use the integrated search feature in NSM to quickly locate a specific setting within a UI screen or dialog box.
To locate a word, begin entering the word; the search window automatically appears in the top left of the selected screen or dialog box. The UI attempts to match your entry to an existing value, and as you enter more characters, the UI continues to search for a match. Use the arrow keys to move between matching values. If your entry appears in red, no matching value was found within the selected screen or dialog box.
To locate a different data type, such as an IP address, change the search mode. To display all available search modes, press the backslash key (\). The search mode window appears.
Press the key that represents the search mode you want to use, and then begin entering the search criteria. Switching to another view or pressing the ESC key ends the search operation and closes the tool window. Table 10 on page 22 describes the detail sections in each search mode.
Table 10: Search Functions in the NSM UI

Contains String [C] Search Mode
Function: Use to locate a pattern anywhere in a string.
Your Action: For example, to locate the pattern “RPC” in service objects:
1. In the NSM navigation tree, select Object Manager > Service Objects > Predefined Service Objects, and then select the Service Object icon at the top of the Service Tree tab.
2. Enter C, and then enter RPC. The UI automatically highlights the first match, MS-RPC-ANY.

Starts with [S] Search Mode
Function: Use to locate a pattern at the beginning of a string.
Your Action: For example, to locate the pattern “OR” in security devices:
1. In the NSM navigation tree, select Device Manager > Devices > Predefined Service Objects, then select the Service Object icon at the top of the Device Tree tab.
2. Enter S, then enter OR. The UI automatically highlights the first match, OR_EU_208.

Regular Expression [R] Search Mode
Function: Use to locate a value using a regular expression.
Your Action: For example, to locate all attack objects that detect denial-of-service attacks:
1. In the NSM navigation tree, select Object Manager > Attack Objects, and then select the Predefined Attacks tab.
2. Select the first entry in the Name column, and then press the backslash key (\) to display the search mode window.
3. Enter R, and then enter the following characters: DoS|.enial.
The UI automatically highlights the first match; press the Down Arrow key to highlight the next match.
NOTE: The regular expression search mode supports all common regular expressions. For more information about regular expressions, refer to a dedicated resource, such as Mastering Regular Expressions, 2nd Edition, by Jeffrey E. F. Friedl.

IP [I] Search Mode
Function: Use to locate an IP address.
Your Action: For example, to locate the IP addresses 5.5.5.50 and 5.5.5.51 in Address Objects:
1. In the NSM navigation tree, select Object Manager > Address Objects, and then select the Address Table tab.
2. Select the first entry in the IP/Domain column, and then press the backslash key (\) to display the search mode window.
3. Enter I, and then enter 5.5.5.*. The UI automatically highlights the first match, 5.5.5.50. Press the Down Arrow key to highlight the next match, 5.5.5.51.

When searching in a table, your search criteria are applied only to the selected column. If you select a different column, such as Name, and perform the same search, your results differ.

Related Documentation
Understanding Validation Icons and Validation Data in the NSM User Interface on page 21
NSM Modules Overview on page 13
NSM User Interface Overview on page 12
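The four search modes of Table 10, modeled in Python as an added example (this is not NSM code and does not come from this guide), so that the regular expression DoS|.enial and the column-scoped table search can be checked against sample data. The service, device, attack and address names below are constructed. The IP mode is assumed to use shell-style wildcard matching over the whole value, and all modes are assumed to be case-sensitive; the guide states neither.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample data standing in for NSM object tables (not from the guide).
SERVICE_NAMES = ["MS-RPC-ANY", "HTTP", "SUN-RPC-PORTMAPPER", "DNS"]
DEVICE_NAMES = ["NS-5GT-Paris", "OR_EU_208", "ORD-fw-01", "FORT-fw"]
ATTACK_NAMES = ["HTTP:DoS:Slow-Headers", "SMTP:Denial-Of-Service",
                "DNS:Overflow", "TCP:denial-flood"]
ADDRESS_TABLE = [
    {"Name": "web-frontend", "IP/Domain": "5.5.5.50"},
    {"Name": "db-primary", "IP/Domain": "5.5.5.51"},
    {"Name": "5.5.5.0-subnet", "IP/Domain": "198.51.100.5"},
]


def make_matcher(mode, pattern):
    """Return a predicate for one of the search modes keyed in Table 10."""
    if mode == "C":                       # Contains String: pattern anywhere in the value
        return lambda value: pattern in value
    if mode == "S":                       # Starts with: pattern at the beginning
        return lambda value: value.startswith(pattern)
    if mode == "R":                       # Regular Expression: unanchored search
        regex = re.compile(pattern)
        return lambda value: regex.search(value) is not None
    if mode == "I":                       # IP: assumed shell-style wildcard over the whole value
        return lambda value: fnmatchcase(value, pattern)
    raise ValueError(f"unknown search mode {mode!r}")


def search_values(mode, pattern, values):
    """All matching values in table order (the UI steps through them with the arrow keys)."""
    matches = make_matcher(mode, pattern)
    return [value for value in values if matches(value)]


def search_table(mode, pattern, rows, column):
    """Table search: the criteria apply only to the selected column."""
    matches = make_matcher(mode, pattern)
    return [row for row in rows if matches(row[column])]


if __name__ == "__main__":
    print(search_values("R", "DoS|.enial", ATTACK_NAMES))
    # The same wildcard gives different rows depending on the selected column.
    print(search_table("I", "5.5.5.*", ADDRESS_TABLE, "IP/Domain"))
    print(search_table("I", "5.5.5.*", ADDRESS_TABLE, "Name"))
```

The regular expression DoS|.enial matches both "Denial" and "denial" because the dot stands for any single character, which is why the guide's pattern catches attack names that differ only in capitalization of the first letter. The last two calls show the column rule from the text: searching 5.5.5.* in the IP/Domain column finds two addresses, while the same search in the Name column finds only the one name that happens to begin with that prefix.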
CHAPTER 2
Device Configuration
Security devices are the Juniper Networks security components that you use to enable access to your network components and to protect your network against malicious traffic. When you use NSM to manage your security devices, you are creating a virtual network that represents your physical network. Using this virtual network, you can create, control, and maintain the security of your physical network at a system level.
This chapter provides a brief overview on how best to create your virtual network and simplify management tasks. For detailed information, see the Network and Security Manager Administration Guide.
This chapter contains the following topics:
Device Configuration Settings Overview on page 25
Configuring Advanced Properties for ScreenOS Device Details on page 26
Configuring a Blacklisted Entry (NSM Procedure) on page 27
Enabling ALGs (NSM Procedure) on page 28
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview on page 29
Configuring Extranet Devices Overview on page 30
Configuring Extranet Devices Details (NSM Procedure) on page 30
Understanding Templates and Groups on page 32
Configuring Network Settings Options and Descriptions on page 34
Device Configuration Settings Overview
Device configuration contains the configuration settings for a managed device, such as interface, routing, and authentication settings. You can edit configurations after you add or import a managed device, or create configurations when you model a device. When you are satisfied with your changes, you can then update the managed device with the modeled device configuration to make your changes take effect.
NOTE: When you open a device for viewing or editing, the NSM UI loads the entire device configuration into memory to enhance UI performance while configuring the device. When you close a device to which you made changes, the UI unloads some of the device configuration from the client memory. Although this memory optimization occurs quickly, you might see the following message appear: “Optimizing client memory usage for device.”
NSM does not support all device configuration settings. You may need to make some changes to the device directly using a Web UI or CLI. Additionally, some changes can affect the management connection between the NSM device server and the managed device.
About Configuring Security Devices
A security device provides perimeter and boundary protection using data encryption, authentication, access control, and some attack detection and prevention. Firewalls and virtual private networks (VPNs) are designed for high speed operation at the Network Layer.
While firewalls provide protection, there are attacks contained within the allowed traffic that firewalls are not designed to detect.
About Configuring Extranet Devices
NSM also enables you to configure an existing extranet device (that is, a third-party router). You can do this by creating a script to perform the required actions on the extranet device.
Add the extranet device in the Device Manager, and then configure the required metadata in a shared object in the Object Manager under “Extranet Policies.” This data may include credential information (user/password), IP address, interface list, comments, action script, and other additional data. When you update the device, the specified script is invoked. The device update job displays the XML output.
Related Documentation
Configuring Advanced Properties for ScreenOS Device Details on page 26
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview on page 29
Understanding Templates and Groups on page 32
Configuring Extranet Devices Details (NSM Procedure) on page 30
Configuring Advanced Properties for ScreenOS Device Details
When a denial-of-service (DoS) attack occurs, the CPU recognizes the attack and drops the traffic. A DoS attack can cause high CPU utilization and cause the security device to drop all packets. To prevent high CPU utilization during a DoS attack, the packet dropping feature was moved to the application-specific integrated circuit (ASIC) in ScreenOS 6.0.
Network traffic is categorized as critical and noncritical. Critical traffic includes management traffic such as Telnet and SSH. When a DoS attack occurs, CPU usage increases, and when it reaches the throttling threshold, the device starts dropping noncritical traffic that is not blacklisted. To prevent this, you can configure the security device to drop malicious packets within the device that processed them. In this mechanism, you create a blacklist of source and destination network addresses from which malicious traffic reaches the security device.
When a packet reaches the security device, it is checked against the list of configured blacklist entries. If a match occurs, the device drops the packet. If the packet does not match any blacklist entry, the device passes it to the next stage, which prioritizes the packet. For each entry in the blacklist, the security device maintains a drop counter that records the number of packets dropped against that entry.
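The matching and counting behavior just described, written out as an added Python model; it is not ScreenOS or NSM code and does not come from this guide. It applies the field semantics given in Table 11 on page 27: a mask of 0 matches all addresses, protocol 0 matches any protocol, a port of 0 matches all ports, and ports are consulted only when the entry's protocol is TCP or UDP. The blacklist entries and packets are constructed sample data, and the choice that the first matching entry is the one whose drop counter is incremented is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

ANY_PROTOCOL = 0   # Table 11: protocol 0 matches any protocol
TCP, UDP = 6, 17   # IANA protocol numbers used for the sample packets


@dataclass
class BlacklistEntry:
    """One blacklist entry with the fields of Table 11; 0 means 'match all'."""
    source_ip: str
    source_mask: int            # 0-32; 0 matches all source addresses
    destination_ip: str
    destination_mask: int       # 0-32; 0 matches all destination addresses
    protocol: int = ANY_PROTOCOL
    source_port: int = 0        # consulted only when protocol is TCP or UDP
    destination_port: int = 0
    drops: int = 0              # per-entry drop counter kept by the device


def address_matches(packet_ip, entry_ip, mask):
    """Prefix match; a mask of 0 matches every address."""
    if mask == 0:
        return True
    network = ipaddress.ip_network(f"{entry_ip}/{mask}", strict=False)
    return ipaddress.ip_address(packet_ip) in network


def entry_matches(entry, packet):
    """Does this packet (a dict with src, dst, proto and optional sport/dport) hit the entry?"""
    if not address_matches(packet["src"], entry.source_ip, entry.source_mask):
        return False
    if not address_matches(packet["dst"], entry.destination_ip, entry.destination_mask):
        return False
    if entry.protocol != ANY_PROTOCOL and packet["proto"] != entry.protocol:
        return False
    if entry.protocol in (TCP, UDP):   # ports are meaningful only for TCP/UDP entries
        if entry.source_port and packet.get("sport") != entry.source_port:
            return False
        if entry.destination_port and packet.get("dport") != entry.destination_port:
            return False
    return True


def filter_packets(blacklist, packets):
    """Drop packets matching any entry (first match counts); return the packets passed on."""
    passed = []
    for packet in packets:
        for entry in blacklist:
            if entry_matches(entry, packet):
                entry.drops += 1        # the device keeps a drop counter per entry
                break
        else:
            passed.append(packet)       # no match: on to the prioritization stage
    return passed


def run_demo():
    """Constructed blacklist and traffic; returns (packets passed, drop counters)."""
    blacklist = [
        # one host flooding UDP/53, any destination
        BlacklistEntry("203.0.113.7", 32, "0.0.0.0", 0, protocol=UDP, destination_port=53),
        # a whole /24 aimed at one server, any protocol (ports ignored)
        BlacklistEntry("198.51.100.0", 24, "192.0.2.10", 32),
    ]
    packets = [
        {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": UDP, "sport": 40000, "dport": 53},
        {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": UDP, "sport": 40001, "dport": 123},
        {"src": "198.51.100.44", "dst": "192.0.2.10", "proto": TCP, "sport": 1234, "dport": 22},
        {"src": "198.51.100.44", "dst": "192.0.2.11", "proto": TCP, "sport": 1234, "dport": 22},
        {"src": "198.51.100.200", "dst": "192.0.2.10", "proto": 1},   # ICMP, no ports
        {"src": "203.0.113.7", "dst": "192.0.2.99", "proto": TCP, "sport": 5, "dport": 53},
    ]
    passed = filter_packets(blacklist, packets)
    return len(passed), [entry.drops for entry in blacklist]


if __name__ == "__main__":
    print(run_demo())
```

Two details of the model are worth checking against your own entries: a TCP packet to port 53 is not dropped by the UDP/53 entry, because the protocol is compared before the ports, and the ICMP packet is dropped by the second entry even though it carries no ports, because ports are never consulted when the protocol field is 0.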
Related Documentation
Device Configuration Settings Overview on page 25
Enabling ALGs (NSM Procedure) on page 28
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview on page 29
Configuring a Blacklisted Entry (NSM Procedure)
To configure a blacklisted entry:
1. In the NSM navigation tree, click Device Manager > Devices.
2. Select an ISG1000, ISG2000, NetScreen–5200, or NetScreen–5400 device.
3. Click the Edit icon to edit the device. The Device dialog box for the selected device appears.
4. In the device navigation tree, click Advanced > CPU > Blacklist/Throttling Threshold. Click the Add icon. The New Blacklist Entry dialog box appears.
5. Modify the settings as described in Table 11 on page 27. Click OK.
Table 11: Blacklist Configuration Fields

ID: The ID of the blacklist is generated automatically.
Source IP: The source IP address from which the DoS attack traffic originated.
Destination IP: The destination IP address.
Source Port: The source port in a TCP or UDP session. Set this to 0 to match all ports.
Destination Port: The destination port in a TCP or UDP session. Set this to 0 to match all ports.
Protocol: The source port and destination port are valid only when you have set the protocol as UDP or TCP. Set this value to 0 to match any protocol.
Source IP Net Mask: The range is 0-32. Set this field to 0 to match all source IP addresses.
Destination IP Mask: The range is 0-32. Set this field to 0 to match all destination IP addresses.

NOTE: A blacklist with 0 timeout will not expire.

Related Documentation
Enabling ALGs (NSM Procedure) on page 28
Configuring Extranet Devices Details (NSM Procedure) on page 30
Configuring Network Settings Options and Descriptions on page 34

Enabling ALGs (NSM Procedure)
In ScreenOS 6.0, the following modifications were made to prevent high CPU utilization.
Some existing Application Layer Gateways (ALGs) are disabled by default on high-end platforms (ISG1000, ISG2000, NetScreen-2000 line, and NetScreen-5000 line). The affected ALGs are H.323, SIP, MGCP, SCCP, MSRPC, SunRPC, and SQL. ALGs included in ScreenOS 6.1 are PAT for PPTP, SCTP, and Apple iChat. As of ScreenOS 6.3, the DNS Inhibit AAAA (IPv6) ALG is supported but disabled by default.
ALGs included in ScreenOS 6.0 or later are enabled by default. They are FTP, DNS, Real, Rlogin, RSH, TALK, TFTP, and XING.
For efficient CPU utilization, you can enable or disable the ALGs.
To enable or disable the ALGs:
1. In the NSM navigation tree, click Device Manager > Devices.
2. Select a device or a model device.
3. Click the Edit icon to edit the device. The relevant device dialog box appears.
4. In the device navigation tree, click Advanced > ALGs.
5. ALGs are listed depending on the type of device you selected and the OS version.
ALGs can be enabled or disabled by checking or clearing their check boxes. See Table 12 on page 29.
Table 12: ALGs Default Status

ALGs: H.323, SIP, MGCP, SCCP, MSRPC, SunRPC, SQL, PPTP, and DNS Inhibit AAAA (IPv6).
Status: Disabled by default on ISG1000, ISG2000, NetScreen–2000 line, and NetScreen–5000 line running ScreenOS 6.0 or later.

ALGs: FTP, DNS, Real, Rlogin, RSH, TALK, TFTP, XING, and SCTP.
Status: Enabled by default on a device running ScreenOS 6.0 or later.

Related Documentation
Configuring Advanced Properties for ScreenOS Device Details on page 26
Configuring a Blacklisted Entry (NSM Procedure) on page 27
Device Configuration Settings Overview on page 25
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview
The following features are disabled on security devices running the Federal Information Processing Standards (FIPS) certified release of ScreenOS (ScreenOS 5.4 FIPS):
SNMP management
MD5 algorithm
Group 5 Phase 2 IKE proposals
For more information about FIPS-enabled security devices, refer to the ScreenOS 5.0 FIPS Reference Note.
NOTE: To configure and manage security devices running ScreenOS 5.0 FIPS using NSM, you must first configure a VPN tunnel between the device and the NSM GUI server. After establishing this tunnel, you cannot reconfigure tunnel parameters in NSM.
About Configuring Devices Running Future Releases of ScreenOS
You can use NSM to configure security devices running future releases of ScreenOS at one of three levels of support:
Forward Support (Basic)—When a new version of ScreenOS is available, you can download a schema patch that includes changes to the DCF and schema files, as well as the firmware tables, enabling you to manage devices using a previously known version of ScreenOS.
Forward Support (Blended)—When a new version of ScreenOS is available, you can download a schema patch, enabling you to manage devices using the new ScreenOS version. You cannot, however, manage the new features in ScreenOS with this level of support.
Full Support—When a new version of ScreenOS is available, you can download a schema patch, enabling you to manage devices using the new ScreenOS version. In addition, you can manage all the new features in that version of ScreenOS.
The support level is indicated in the Information screen for the device in the Device Manager.
Related Documentation
Device Configuration Settings Overview on page 25
Configuring Network Settings Options and Descriptions on page 34
Configuring Zones and Zone Properties in ScreenOS Devices Overview on page 39
Configuring Extranet Devices Overview
NSM also enables you to configure an existing extranet device (a third-party router). You can do this by creating a script to perform the required actions on the extranet device. These scripts are saved by default on the GUI Server at:
GuiSvr/var/scripts
Add the extranet device in the Device Manager, and then configure the required metadata in a shared object in the Object Manager under Extranet Policies. This data might include credential information (user/password), IP address, interface list, comments, action script, and other additional data. When you update the device, the specified script is invoked. The device update job displays the XML output.
Related Documentation
Configuring Extranet Devices Details (NSM Procedure) on page 30
Configuring Network Settings Options and Descriptions on page 34
Configuring Extranet Devices Details (NSM Procedure)
This example shows how to update an existing rule on a third-party router to deny certain HTTP traffic with integer fields matching 1-10.
This process involves first creating a script that updates the policy on the router. For example, the script can contain certain validation instructions for the policy. It can also include instructions on sending alerts or messages in the event that the policy update succeeds or fails. When you are done creating the script, save it in the appropriate directory.
Next, use the Object Manager to create a custom policy field object that contains the specific integer fields that you are referencing in the extranet policy (for example, integer fields matching 1-10).
To create a custom policy field:
1. In the NSM navigation tree, click Object Manager > Custom Policy Fields.
2. Select the Field Definition tab, and then click New. The New Custom Policy Fields Meta Data window appears.
3. Configure the Custom Policy Field:
   - Enter a name for the field: enter ID.
   - Click the Required check box.
   - Select Integer from the Field Type list.
   - Enter a value in the Validation String box.
   - Enter any appropriate comments.
   - Click OK. A folder for the ID custom policy field object appears.
   - In the Objects tab, click the ID folder. Click New. The New Custom Policy Fields Data window appears.
   - Enter a value in the Data Value field: enter 1. Click OK. The new value appears in the ID folder.
   - Repeat this step for all ten integer values.
In the Object Manager, create the Extranet Policy object with the appropriate rules.
To create an Extranet Policy object:
1. In the NSM navigation tree, click Object Manager > Extranet Policies. Then click Add Policy; the New Extranet Policy Object window appears.
2. Enter the name of the Extranet Policy: enter Extranet Policy1. Add a comment in the Comments field.
3. Configure the Extranet Policy object:
   - Click Add Rule. The New - Rule window appears.
   - Specify an ID for the rule.
   - Add a comment for the rule.
   - Click Deny in the Action field.
   - Select a source address in the Source tab.
   - Select a destination address in the Destination tab.
   - Select services in the Service tab.
   - Select the integer IDs that you created in the Custom Policy Field object in the Options tab.
4. Click OK.
Create the router as an extranet device in the Device Manager. You will need to configure the IP address of the device, any interfaces, and then bind the extranet policy to the appropriate interface.
To create an Extranet Device:
1. In the NSM navigation tree, click Device Manager > Devices.
2. Click New, and select Extranet Device. The New Extranet Device window appears.
3. Configure the extranet device:
   - Enter a name for the device: enter Cisco Router1.
   - Select a color to represent the device.
   - Enter the IP address for the device.
   - Click Show in the Supplemental Data area. Additional fields appear, allowing you to configure supplemental information for the device, including the netmask, interfaces, and device root administrator.
   - Click the Add icon in the Interfaces field. The New Extranet Device Interface window appears.
   - Configure the interface. Enter a name for the interface, and add an IP address and an interface mask. Then assign an extranet policy to it: for example, assign the Extranet Policy1 object you configured previously. Click OK.
   - Configure the device root administrator. Enter the administrator user name and password, and specify the script you created previously in the Action field. Click OK.
When you update the device, NSM invokes the script you created. Any XML output appears in the Job Information window.
Related Documentation
Device Configuration Settings Overview on page 25
Configuring Advanced Properties for ScreenOS Device Details on page 26
Understanding Templates and Groups
Use templates to define a common device configuration and then reuse that configuration information across multiple devices. In a template, you can define only those configuration parameters that you want to set; you do not need to specify a complete device configuration. Templates provide two benefits:
You can configure parameter values for a device by referring to one or more templates when configuring the device.
When you change a parameter value in a template and save the template, the value also changes for all device configurations that refer to that template.
When you apply a template to a device, NSM applies the template settings to the device. For example, you can create a template that specifies the IP address of the NTP server to which all managed security devices synchronize their clocks. You can apply this template to the configuration of each device in your domain so that all devices use the same NTP server. You can apply the same template to different types of security devices, from NetScreen-5XT appliances to NetScreen-5200 systems.
A template contains all possible fields for all possible devices. Not all devices have all fields. You can apply a template to any device. NSM will ignore any fields that do not apply to the given device.
A template can refer to other templates, enabling you to combine multiple templates into a single template. When you make changes to any of the referenced templates, those changes are propagated through the combined template.
NOTE: For more information on using templates, template limitations, and exporting and importing device templates, see the Network and Security Manager Administration Guide. For instructions on creating and applying templates, see the Network and Security Manager Online Help topics “Adding Device Templates” and “Applying Templates.”
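A model of how template values, imported values, and manual overrides combine on a device, as an added Python example that is not NSM code and does not come from this guide. It follows the rules stated in this section and in Table 9 on page 21: a template sets only the parameters it cares about, may refer to other templates, and propagates a change to every device that refers to it; fields that do not apply to a device are ignored; a value imported from the device (From Object) survives template changes unless Remove conflicted device values is selected; and a manual Override beats both. The precedence between two referenced templates that set the same field (later references win, and a template's own values win over its references) is an assumption of the example, as are the device names, field names, and addresses.

```python
from dataclasses import dataclass, field


@dataclass
class Template:
    """Sets only the parameters it cares about; may refer to other templates."""
    name: str
    values: dict = field(default_factory=dict)
    references: list = field(default_factory=list)

    def resolve(self):
        # Assumption (the guide does not state this): later references win over
        # earlier ones, and the template's own values win over its references.
        resolved = {}
        for ref in self.references:
            resolved.update(ref.resolve())
        resolved.update(self.values)
        return resolved


@dataclass
class Device:
    name: str
    supported_fields: set                           # fields this platform actually has
    imported: dict = field(default_factory=dict)    # From Object: came from the device on import
    overrides: dict = field(default_factory=dict)   # Override: set manually in the UI
    templates: list = field(default_factory=list)

    def effective_config(self, remove_conflicted_device_values=False):
        """Map field -> (value, data origination icon) using the rules of Table 9."""
        from_templates = {}
        for template in self.templates:
            from_templates.update(template.resolve())

        config = {}
        for name, value in from_templates.items():
            if name in self.supported_fields:       # NSM ignores fields that do not apply
                config[name] = (value, "Template Value")
        for name, value in self.imported.items():
            # An imported value keeps winning over the template unless the operator chose
            # "Remove conflicted device values" in the template Operations dialog box.
            if name in from_templates and remove_conflicted_device_values:
                continue
            config[name] = (value, "From Object")
        for name, value in self.overrides.items():  # a manual value beats everything
            config[name] = (value, "Override")
        return config


def run_demo():
    """Constructed templates and devices; returns configs before/after a template change."""
    ntp = Template("ntp-corp", {"ntp_server": "192.0.2.123"})
    dns_wifi = Template("dns-and-wifi",
                        {"dns_primary": "192.0.2.53", "wireless_ssid": "corp-wlan"})
    combined = Template("branch-baseline", references=[ntp, dns_wifi])   # template of templates

    ns5xt = Device("branch-5xt", {"ntp_server", "dns_primary"},          # no wireless fields
                   imported={"dns_primary": "10.0.0.1"}, templates=[combined])
    ns5200 = Device("dc-5200", {"ntp_server", "dns_primary"},
                    overrides={"ntp_server": "203.0.113.5"}, templates=[combined])

    before = ns5xt.effective_config()
    ntp.values["ntp_server"] = "192.0.2.124"    # change the referenced template once ...
    after_5xt = ns5xt.effective_config()        # ... and every referring device follows
    after_5200 = ns5200.effective_config()      # ... except where an Override is in place
    cleaned = ns5xt.effective_config(remove_conflicted_device_values=True)
    return before, after_5xt, after_5200, cleaned


if __name__ == "__main__":
    for cfg in run_demo():
        print(cfg)
```

The combined template carries the wireless SSID, but the NetScreen-5XT device has no such field, so it is dropped rather than flagged; the NTP change made in the inner template reaches the 5XT through the combined template, while the 5200 keeps its overridden server. Only after the conflicted device value is removed does the 5XT pick up the template's DNS server in place of the one it was imported with.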
Using Global Device Templates on page 33
Using Device Groups on page 33
Using Global Device Templates
In NSM, you can make global-domain templates available for reference in subdomains. However, if an administrator disables the Allow use of global templates in subdomains flag in the preferences, the administrator must also identify and remove all uses of the global templates in the subdomains. You can do this by removing the template from subdomain devices with the template operations directive in each relevant subdomain.
Using Device Groups
Use device groups to organize your managed devices, making it easier for you to configure and manage devices within a domain. You can group devices by type (such as all the NetScreen-5GTs in a domain), by physical location (such as all the security devices in the San Jose office), or logically (such as all the security devices in sales offices throughout western Europe).
Groups enable you to execute certain NSM operations on multiple security devices at the same time. For example, if you have a group of the same type of devices running similar ScreenOS versions, you can upload the firmware on all devices in the group at the same time. You can also add devices to the NSM UI, place the devices in a group, and then import the device configurations for all devices in the group at one time.
The devices that you add to a group must exist; that is, you must have previously added or modeled the devices in the domain. You can group devices before configuring them. You can add a device to more than one group. You can also add a group to another group.
NOTE: You cannot apply a template to a group. You must apply templates to individual devices in a group. If you need to apply the same set of templates to multiple devices, you can create a single template that includes all the templates that are to be applied to a device, and then apply the combined template to each device. For examples on creating a device group or configuring device information, see the Network and Security Manager Administration Guide.
Related Documentation
Device Configuration Settings Overview on page 25
Configuring Advanced Properties for ScreenOS Device Details on page 26
NSM User Interface Overview on page 12
Understanding NSM User Interface Menus and Toolbars on page 12
Configuring Network Settings Options and Descriptions
The Network screens contain the options that enable the device to connect to and operate in the network. In the NSM navigation tree, click Device Manager > Devices, and then select a device. In the Device navigation tree, select Network to see the network settings options.
Table 13 on page 34 describes the detailed configuration methods available for network settings.
Table 13: Network Settings Options

“Vsys DHCP Enhancement Overview” on page 355
   This option is available only for NetScreen-5GT Wireless security devices running ScreenOS 5.0.0-WLAN; this device can act as a wireless access point (WAP). The wireless settings specify how the WAP connects multiple wireless networks or a wireless network to a wired network.

“Network, Interface, and Security Modules Supported in Security Devices” on page 397 (Slot and Chassis)
   This option is only available for security device systems, such as the NetScreen 5000 line, ISG1000, ISG2000, SSG520M, and SSG550M, that contain a motherboard or physical slots in which you can install optional modules. You can view or edit the type of network module installed in each available slot in the physical device.

“Configuring Virtual Routers Overview” on page 294
   A virtual router (VR) supports static routes, dynamic routing protocols, and multicast protocols. The virtual router configuration includes the configuration for dynamic routing protocols and multicast protocols. As of ScreenOS 6.2, on high-end platforms you can change the management zone virtual router to an existing virtual router that is no longer bound to the trust-vr. The management zone virtual router supports out-of-band management and segregates firewall management traffic from production traffic.

“Configuring Zones and Zone Properties in ScreenOS Devices Overview” on page 39
   A security zone is a specific network segment for which you can control inbound and outbound traffic. You can configure predefined zones or create user-defined security zones. You can also create a tunnel zone, which is a logical segment to which a VPN tunnel interface is bound.

“Interface Types in ScreenOS Devices Overview” on page 50
   You bind interfaces to predefined or user-defined security zones or to tunnel zones to permit traffic to pass into or out of the zone. For an interface in Route or NAT mode, you assign an IP address to the interface.

“Example: Configuring DIP Groups (NSM Procedure)” on page 100
   You can configure a range of IP addresses from which the security device can take addresses when performing NAT on the source IP address of outgoing or incoming IP packets.

“About Configuring PPPoE” on page 135
   This option is only available for some security devices. You can configure PPPoE to enable the security device to connect to remote sites.

“Using the PPP Option to Configure Point-To-Point Protocol Connections” on page 134
   This option is only available for some security devices. You can configure PPP to enable the security device to connect to remote sites.

“Configuring a PPPoA Client Instance” on page 141
   On the ADSL interface (available on the NetScreen-5GT ADSL security device), you can configure a PPPoA client instance with a username, password, and other parameters, and then bind the instance to the ADSL interface (or subinterface) to enable Internet access for an internal network.

“Configuring a NetScreen Address Change Notification” on page 141
   This option is only available for security devices running ScreenOS 5.x. You configure NetScreen Address Change Notification to enable the security device to alert NSM of any change in the IP address assigned by a DHCP or PPPoE server.

“Interface Failover in ScreenOS Devices” on page 142
   This option is only available for some security devices. When there are both primary and backup interfaces to the Untrust zone, you can configure failover of traffic from the primary to the backup interface, and from the backup to the primary interface.

“Example: Configuring Modem Connections (NSM Procedure)” on page 142
   This option is only available for some security devices. You can connect and configure an external modem to the RS-232 serial port as a backup dialup interface for traffic to the Untrust zone.

“DNS Server Configuration Using DNS Settings” on page 103
   Before the security device can use DNS for domain name and address resolution, you must configure the addresses for the primary and secondary DNS servers.

“Advanced Network Settings Overview” on page 108
   This option contains additional network settings you can configure.

Related Documentation
Configuring Zones and Zone Properties in ScreenOS Devices Overview on page 39
Interface Types in ScreenOS Devices Overview on page 50
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52
Interface Network Address Translation Using DIPs on page 67
CHAPTER 3
Network Settings
The Device Manager module in Network and Security Manager (NSM) enables you to configure the managed Juniper Networks security devices in your network. You can edit configurations after you add or import a managed device, or create configurations when you model a device. For details about adding, importing, or modeling a device, see the Network and Security Manager Administration Guide.
This chapter details the device configuration parameters, and provides configuration examples when possible. For instructions on configuring specific device settings, see the Network and Security Manager Online Help.
After you edit or create a configuration for a device, you must update the configuration on the managed device for your changes to take effect. For details on updating devices, see the Network and Security Manager Administration Guide.
Use security policies to configure firewall and VPN rules that control traffic on your network. Use the VPN Manager to configure VPNs.
Configuring Zones and Zone Properties in ScreenOS Devices Overview on page 39
Predefined Screen Options Overview on page 40
Configuring Flood Defense Settings for Preventing Attacks on page 41
Example: Configuring UDP Flooding Protection (NSM Procedure) on page 43
HTTP Components and MS-Windows Defense Method on page 43
Protection Against Scans, Spoofs, and Sweeps on page 44
IP and TCP/IP Anomaly Detection on page 45
Prevention of Security Zones Using Denial of Service Attacks on page 47
Malicious URL Protection on page 49
Example: Enabling the Malicious URL Blocking Option (NSM Procedure) on page 50
Interface Types in ScreenOS Devices Overview on page 50
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52
Setting Interface Properties Using the General Properties Screen on page 53
Setting WAN Properties Using the WAN Properties Screen on page 54
Setting Port Properties Using the Port Properties Screen on page 54
Using MLFR and MLPPP Options on page 55
Setting Physical Link Attributes for Interfaces on page 55
Enabling Management Service Options for Interfaces on page 56
Setting DHCPv6 Overview on page 57
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) on page 58
Configuring Custom DHCP Options (NSM Procedure) on page 59
Using Interface Protocol on page 61
Using Interface Secondary IP on page 61
Enabling ScreenOS Devices for Interface Monitoring on page 61
Supporting Generic Routing Encapsulation Using Tunnel Interfaces on page 62
Interface Network Address Translation Methods on page 62
Interface Network Address Translation Using MIPs on page 62
Example: Configuring MIPs (NSM Procedure) on page 63
Interface Network Address Translation Using VIPs on page 65
Mapping Predefined and Custom Services in a VIP on page 65
Example: Configuring VIPs (NSM Procedure) on page 66
Interface Network Address Translation Using DIPs on page 67
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) on page 68
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Enabling Managed Devices Using Incoming DIP on page 73
Example: Configuring Interface-Based DIP (NSM Procedure) on page 74
Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure) on page 75
Example: Configuring an Aggregate Interface (NSM Procedure) on page 77
Example: Configuring a Multilink Interface (NSM Procedure) on page 78
Example: Configuring a Loopback Interface (NSM Procedure) on page 79
Configuring Virtual Security Interfaces on page 80
Example: Configuring a Redundant Interface (NSM Procedure) on page 80
Example: Configuring a Subinterface (NSM Procedure) on page 84
Example: Configuring a WAN Interface (NSM Procedure) on page 86
Configuring a Tunnel Interface on page 87
ADSL Interface in ScreenOS Devices on page 88
ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices on page 89
Determining Physical Ports and Logical Interfaces and Zones Using ScreenOS Devices Port Mode on page 91
Backup Connection Using the Untrusted Ethernet Port in ScreenOS Devices on page 92
Example: Configuring NetScreen5GT Devices to Permit Internal Hosts (NSM Procedure) on page 93
Example: Configuring NetScreen5GT Devices to Connect to the Web Using the PPPoA and ADSL Interfaces (NSM Procedure) on page 94
Example: Configuring NetScreen5GT Devices as a Firewall Using the PPPoE and ADSL Interfaces (NSM Procedure) on page 96
Wireless Interface on ScreenOS Devices Overview on page 99
Configuring DSCP Options Overview on page 99
Example: Configuring DIP Groups (NSM Procedure) on page 100
DNS Server Configuration Using DNS Settings on page 103
Example: Configuring DNS Proxy Entries (NSM Procedure) on page 105
Example: Configuring DDNS Settings (NSM Procedure) on page 106
Advanced Network Settings Overview on page 108
Configuring Zones and Zone Properties in ScreenOS Devices Overview
The Zone screen is where you can configure predefined zones or create user-defined security zones. You can also create a tunnel zone, which is a logical segment to which a VPN tunnel interface is bound.
A security device supports two types of zones:
Security zone—A Layer 3 security zone binds to NAT or Route mode interfaces; a Layer 2 security zone binds to Transparent mode interfaces.
NOTE: When you add a device and configure it to operate in Transparent mode, the L2 zone names appear in the NSM UI without the “V1-” prefix. When you update the configuration on the device from the UI, the correct L2 zone names are configured.
Tunnel zone—A zone that binds to a carrier zone.
To add a zone to a security device, in the device navigation tree, select Network > Zone and add the desired zone. For security zones, you define the name of the zone and the virtual router in which you want to place the zone; for tunnel zones, you must also specify the carrier zone, which is the security zone with which the tunnel zone is logically associated. A carrier zone provides firewall protection to the encapsulated traffic.
For more information about zones on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Fundamentals.
You can configure general properties and SCREEN attack protection for predefined or custom Security Zones.
Zone General Properties
For predefined zones, some general properties are already configured for you, such as the Name and Virtual Router settings. For custom security zones, you can enter a name and select the virtual router that handles traffic to and from the new zone.
For both predefined and custom zones, you can configure the settings as described in Table 14 on page 40.
Table 14: Zone General Properties (Custom Zone Setting: Description)
TCP/IP Reassembly for ALG: Select this option when using Application Layer Gateway (ALG) filtering on the security device. By reassembling fragmented IP packets and TCP segments, the security device can accurately filter traffic.
Block Intrazone Traffic: Select this option to block traffic between hosts within the security zone.
TCP-RST: Select this option to return a TCP segment with the RESET flag set to 1 when a TCP segment with a flag other than SYN is received.
Asymmetric VPN: In asymmetrical encryption, one key in a pair is used to encrypt and the other to decrypt VPN traffic. When configuring multiple VPN tunnels to enable tunnel failover, enable this option for the Trust zones on each security device in the VPN so that if an existing session established on one VPN tunnel transfers to another, the security device at the other end of the tunnel does not reject it.
Related Documentation
Predefined Screen Options Overview on page 40
Interface Types in ScreenOS Devices Overview on page 50
Setting Interface Properties Using the General Properties Screen on page 53
Predefined Screen Options Overview
Typically, a network forwarding device such as a router or switch does not reassemble fragmented packets that it receives. It is the responsibility of the destination host to reconstruct the fragmented packets when they all arrive. Because the purpose of forwarding devices is the efficient delivery of traffic, queuing fragmented packets, reassembling them, refragmenting them, and then forwarding them is unnecessary and inefficient. However, passing fragmented packets through a firewall is insecure. An attacker can intentionally break up packets to conceal traffic strings that the firewall otherwise would detect and block.
You can enable predefined screen options that detect and block various kinds of traffic that the security device determines to be potentially harmful. To secure all connection attempts, security devices use a dynamic packet filtering method known as stateful inspection. Using this method, the device notes various components in a packet header, such as source and destination IP addresses, source and destination port numbers, and packet sequence numbers. The device uses this information to maintain the state of each session traversing the firewall.
A security device uses stateful inspection to secure a zone by inspecting, and then permitting or denying, all connection attempts that require crossing an interface from and to that zone. To protect against attacks from other zones, you can enable defense mechanisms known as screen attack protections, which detect and deflect TCP, UDP, IP, and ICMP packet attacks. Common screen attacks are SYN floods, packet fragments, and SYN and FIN bits set. When screen attack protections are enabled, the device generates a screen alarm log entry for each violation.
To configure Screen attack protections, open a device configuration and select Network > Zone to display the Zone configuration. Double-click a zone to display the Predefined Zone dialog box and select SCREEN.
NOTE: For instructions for configuring the SCREEN options, see the Network and Security Manager Online Help topic “Configuring SCREEN Options.” For information about the SCREEN alarm log entries that enabling these options can generate, see the Network and Security Manager Administration Guide.
Related Documentation
Configuring Flood Defense Settings for Preventing Attacks on page 41
Example: Configuring UDP Flooding Protection (NSM Procedure) on page 43
HTTP Components and MS-Windows Defense Method on page 43
Configuring Flood Defense Settings for Preventing Attacks
Configure flood defense settings to prevent denial-of-service (DoS) attacks from overwhelming the security device with large numbers or floods of certain packet types. You can protect targets in the security zone from ICMP, SYN, and UDP floods.
Configuring ICMP Flooding Protection on page 41
Configuring SYN Flooding Protection on page 41
Configuring UDP Flooding Protection on page 42
Configuring ICMP Flooding Protection
An ICMP flood occurs when incoming ICMP echo requests overload a target system with so many requests that the system expends all its resources responding until it can no longer process valid network traffic. You can protect targets in the security zone from ICMP floods by setting a packet-per-second threshold for ICMP requests (default setting: 1000 packets per second). When the ICMP packet flow exceeds the defined threshold, the security device ignores further ICMP echo requests for the remainder of that second and the next second.
Configuring SYN Flooding Protection
A SYN flood occurs when a target becomes so overwhelmed by SYN segments initiating invalid connection requests that it can no longer process legitimate connection requests. You can configure thresholds for the zone that, when exceeded, prompt the security device to begin acknowledging incoming SYN segments and queuing incomplete connection requests. Incomplete connection requests remain in the queue until the connection completes or the request times out.
To protect targets in the security zone from SYN floods, enable SYN Flood Protection and configure the thresholds for SYN segments passing through the zone as described in Table 15 on page 42.
Table 15: Thresholds for SYN segments (Threshold Type: Your Action)
Threshold: Configure the number of SYN packets (TCP segments with the SYN flag set) per second required for the security device to begin SYN proxy. This threshold is the total number of packets passing through the zone, from all sources to all destinations.
Alarm Threshold: Configure the number of proxied TCP connection requests required to generate an alarm in an alarm log entry for the event.
Source Threshold: Configure the number of SYN packets per second from a single IP address required for the security device to begin rejecting new connection requests from that source.
Destination Threshold: Configure the number of SYN packets per second to a single IP address required for the security device to begin rejecting new connection requests to that destination.
Timeout Value: Configure the number of seconds the security device holds an incomplete TCP connection attempt in the proxied connection queue.
Queue Size: Configure the number of proxied TCP connection requests held in the proxied connection queue before the security device begins rejecting new connection requests.
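The thresholds in Table 15 interact, so an added illustration follows (not Juniper's code and not ScreenOS internals): a simplified per-zone simulation that tracks the per-second counters, the proxied-request queue, the timeout and the alarm explicitly. All threshold values and SYN events are constructed for the demonstration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class SynFloodConfig:
    """Constructed sample thresholds (hypothetical values, not ScreenOS defaults)."""
    attack_threshold: int = 4        # Threshold: SYN/s through the zone before SYN proxy starts
    alarm_threshold: int = 2         # Alarm Threshold: proxied requests per second that raise an alarm
    source_threshold: int = 3        # Source Threshold: SYN/s from one source before rejection
    destination_threshold: int = 20  # Destination Threshold: SYN/s to one destination before rejection
    timeout_ms: int = 2000           # Timeout Value: how long a half-open request stays queued
    queue_size: int = 3              # Queue Size: half-open requests held before rejecting new ones


class SynFloodGuard:
    """Simplified per-zone SYN flood state; timestamps are integer milliseconds."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.queue = []        # proxied (half-open) requests: (expires_ms, src, dst)
        self.alarms = []       # (ts_ms, proxied_count) alarm log entries
        self._second = None
        self._total = self._proxied = 0
        self._per_src = Counter()
        self._per_dst = Counter()

    def _tick(self, ts_ms):
        # Per-second counters restart each second; half-open entries age out.
        second = ts_ms // 1000
        if second != self._second:
            self._second, self._total, self._proxied = second, 0, 0
            self._per_src.clear()
            self._per_dst.clear()
        self.queue = [e for e in self.queue if e[0] > ts_ms]

    def syn(self, ts_ms, src, dst):
        """Classify one SYN as 'forward', 'proxy' or 'reject'."""
        self._tick(ts_ms)
        self._total += 1
        self._per_src[src] += 1
        self._per_dst[dst] += 1
        if self._per_src[src] > self.cfg.source_threshold:
            return "reject"                      # Source Threshold exceeded
        if self._per_dst[dst] > self.cfg.destination_threshold:
            return "reject"                      # Destination Threshold exceeded
        if self._total <= self.cfg.attack_threshold:
            return "forward"                     # below the zone threshold: pass through
        if len(self.queue) >= self.cfg.queue_size:
            return "reject"                      # Queue Size exhausted
        self.queue.append((ts_ms + self.cfg.timeout_ms, src, dst))
        self._proxied += 1
        if self._proxied == self.cfg.alarm_threshold:
            self.alarms.append((ts_ms, self._proxied))   # Alarm Threshold reached
        return "proxy"

    def complete(self, src, dst):
        """The client finished the handshake: remove its half-open entry."""
        self.queue = [e for e in self.queue if (e[1], e[2]) != (src, dst)]


if __name__ == "__main__":
    guard = SynFloodGuard(SynFloodConfig())
    # Constructed burst: nine SYNs within one second, with source A repeating.
    burst = [(100, "A"), (200, "B"), (300, "C"), (400, "A"), (500, "E"),
             (600, "F"), (700, "A"), (800, "A"), (900, "G")]
    for ts, src in burst:
        print(ts, src, guard.syn(ts, src, "10.1.1.5"))
    print("alarms:", guard.alarms)
```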
Configuring UDP Flooding Protection
Security devices currently support UDP for incoming SIP calls. To protect targets in the security zone against UDP flooding by incoming SIP traffic, enable UDP Flooding Protection. The security device can limit the number of UDP packets that can be received by an IP address, preventing incoming SIP calls from overwhelming a target.
SIP signaling traffic consists of request and response messages between client and server and uses transport protocols such as UDP or TCP. The media stream carries the data (for example, audio data), and uses Application Layer protocols such as RTP (Real-Time Transport Protocol) over UDP.
NOTE: UDP Flood Protection appears only for devices running ScreenOS 5.1 and later.
Related Documentation
Predefined Screen Options Overview on page 40
HTTP Components and MS-Windows Defense Method on page 43
Protection Against Scans, Spoofs, and Sweeps on page 44
Example: Configuring UDP Flooding Protection (NSM Procedure)
In this example, enable UDP Flooding Protection and set a threshold of 80,000 per second for the number of UDP packets that can be received on IP address 1.1.1.5 in the Untrust zone. When this limit is reached, the device generates an alarm and drops subsequent packets for the remainder of that second.
1. Add a NetScreen-208 security device. Choose Model when adding the device and configure the device as running ScreenOS 5.1 or later.
2. In the device navigation tree, select Network > Zone. Double-click the Untrust zone. The General Properties screen appears.
3. In the zone navigation tree, select Screen > Flood Defense, and then click the UDP Flood Defense tab.
4. Select UDP Flood Protection and ensure that the threshold is set to 1000.
5. Click OK.
6. Click the Add icon to display the New Destination IP based UDP Flood Protection dialog box. Configure the following options, and then click OK:
For Destination IP, enter 1.1.1.5.
For Threshold, enter 80000.
7. Click OK to save your changes to the zone, and then click OK again to save your changes to the device.
Related Documentation
Configuring Flood Defense Settings for Preventing Attacks on page 41
Predefined Screen Options Overview on page 40
Interface Types in ScreenOS Devices Overview on page 50
HTTP Components and MS-Windows Defense Method
Attackers might use HTTP to send ActiveX controls, Java applets, .zip files, or .exe files to a target system, enabling them to load and control applications on hosts in a protected network. You can configure the security device to block the components (the device monitors incoming HTTP headers for blocked content types) as described in Table 16 on page 43.
Table 16: HTTP Components (HTTP Component: Description)
Java: Java applets enable Web pages to interact with other programs. The applet runs by downloading itself to the Java Virtual Machine (VM) on a target system. Because attackers can program Java applets to operate outside the VM, you might want to block them from passing through the security device.
ActiveX: Microsoft’s ActiveX enables different programs to interact with each other and might contain Java applets, .exe files, or .zip files. Web designers use ActiveX to create dynamic and interactive Web pages that function similarly across different operating systems and platforms. However, attackers might use ActiveX to gain control over a target computer system. When blocking ActiveX components, the security device also blocks Java applets, .exe files, and .zip files whether they are contained within an ActiveX control or not.
ZIP files: Files with .zip extensions contain one or more compressed files, some of which might be .exe files or other potentially malicious files. You can configure the security device to block all .zip files from passing through the zone.
EXE files: Files with .exe extensions might contain malicious code. You can configure the security device to block all .exe files from passing through the zone.
MS-Windows Defense
Microsoft Windows contains the WinNuke vulnerability, which can be exploited using a DoS attack targeting any computer on the Internet running Microsoft Windows. Attackers can send a TCP segment (usually to NetBIOS port 139) with the urgent (URG) flag set to a host with an established connection; this packet causes a NetBIOS fragment overlap that can crash Windows systems.
To protect targets in the security zone from WinNuke attacks, configure the security device to scan incoming Microsoft NetBIOS session service (port 139) packets for set URG flags. If such a packet is detected, the security device unsets the URG flag, clears the URG pointer, forwards the modified packet, and generates a log entry for the event.
Related Documentation
Protection Against Scans, Spoofs, and Sweeps on page 44
IP and TCP/IP Anomaly Detection on page 45
Prevention of Security Zones Using Denial of Service Attacks on page 47
Protection Against Scans, Spoofs, and Sweeps
Attackers often perform address sweeps and/or port scans to gain targeted information about a network. After they have identified trusted addresses or ports, they might launch an attack against the network by spoofing a trusted IP address. To protect targets in the zone from sweeps, scans, and spoofing attempts, configure the detection and blocking settings as described in Table 17 on page 45.
Table 17: Detection and Blocking Settings (Setting: Description)
IP Address Spoof Protection: Attackers can insert a bogus source address in a packet header to make the packet appear to come from a trusted source. When the interfaces in the zone operate in Route or NAT mode, the security device relies on route table entries to identify IP spoofing attempts. When the interfaces in the zone operate in Transparent mode, the security device relies on address book entries to identify IP spoofing attempts.
To enable interface-based IP spoofing protection, configure the security device to drop packets that have source IP addresses that do not appear in the route table.
To enable zone-based IP spoofing protection (supported on devices running ScreenOS 5.2), configure the security device to drop packets whose source IP addresses do not appear in the selected zone. If you are routing traffic between two interfaces in the same zone, you should leave this option disabled (unchecked).
IP Address Sweep Protection: An address sweep occurs when one source IP address sends 10 ICMP packets to different hosts within a defined interval. If a host responds with an echo request, attackers have successfully discovered a target IP address. You can configure the security device to monitor ICMP packets from one remote source to multiple addresses. For example, if a remote host sends ICMP traffic to 10 addresses in 0.005 seconds (5000 microseconds), the security device rejects the 11th and all further ICMP packets from that host for the remainder of that second.
Port Scan Protection: A port scan occurs when one source IP address sends IP packets containing TCP SYN segments to 10 different ports at the same destination IP address within a defined interval (5000 microseconds is the default). If a port responds with an available service, attackers have discovered a service to target. You can configure the security device to monitor TCP SYN segments from one remote source to multiple addresses. For example, if a remote host scans 10 ports in 0.005 seconds (5000 microseconds), the security device rejects all further packets from the remote source for the remainder of that second.
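An added example (not Juniper's code) of the sweep and scan rules in Table 17 expressed as detection logic: a per-source sliding window counts distinct targets within the 5000-microsecond interval and, once ten have been seen, rejects further packets from that source for the rest of the second. All addresses, ports and timestamps are constructed.

```python
from collections import defaultdict, deque

SWEEP_THRESHOLD = 10          # distinct hosts reached by ICMP from one source
SCAN_THRESHOLD = 10           # distinct TCP ports probed on one destination
DEFAULT_INTERVAL_US = 5000    # detection interval from Table 17 (0.005 seconds)


class ScanSweepDetector:
    """Per-source sliding windows; timestamps are integer microseconds."""

    def __init__(self, interval_us=DEFAULT_INTERVAL_US):
        self.interval_us = interval_us
        self._icmp_window = defaultdict(deque)   # src -> deque of (ts_us, dst)
        self._syn_window = defaultdict(deque)    # (src, dst) -> deque of (ts_us, dport)
        self._blocked_second = {}                # (kind, src) -> second being rejected
        self.events = []                         # (kind, ts_us, src, target) log entries

    def _is_blocked(self, key, ts_us):
        # A block lasts for the remainder of the second in which it was set.
        return self._blocked_second.get(key) == ts_us // 1_000_000

    def _window_full(self, window, ts_us, target, threshold):
        # Discard entries older than the interval, then count distinct targets.
        while window and ts_us - window[0][0] > self.interval_us:
            window.popleft()
        window.append((ts_us, target))
        return len({t for _, t in window}) >= threshold

    def icmp(self, ts_us, src, dst):
        """Return True if the ICMP packet is accepted, False if rejected."""
        key = ("icmp", src)
        if self._is_blocked(key, ts_us):
            return False
        if self._window_full(self._icmp_window[src], ts_us, dst, SWEEP_THRESHOLD):
            # 10 hosts within the interval: the 10th packet still passes, the 11th
            # and later ICMP packets from this source are rejected this second.
            self._blocked_second[key] = ts_us // 1_000_000
            self.events.append(("address_sweep", ts_us, src, dst))
        return True

    def tcp_syn(self, ts_us, src, dst, dport):
        """Return True if the TCP SYN is accepted, False if rejected."""
        key = ("tcp", src)
        if self._is_blocked(key, ts_us):
            return False
        if self._window_full(self._syn_window[(src, dst)], ts_us, dport, SCAN_THRESHOLD):
            # 10 ports on one destination within the interval: all further packets
            # from this source are rejected for the remainder of the second.
            self._blocked_second[key] = ts_us // 1_000_000
            self.events.append(("port_scan", ts_us, src, dst))
        return True
```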
Related Documentation
Configuring Flood Defense Settings for Preventing Attacks on page 41
IP and TCP/IP Anomaly Detection on page 45
Prevention of Security Zones Using Denial of Service Attacks on page 47
IP and TCP/IP Anomaly Detection
The Internet Protocol standard, RFC 791, Internet Protocol, specifies a set of eight options that provide special routing controls, diagnostic tools, and security. Attackers can misconfigure IP options to evade detection mechanisms and/or perform reconnaissance on a network.
To detect (and block) anomalous IP fragments as they pass through the zone, configure the settings as described in Table 18 on page 46.
Table 18: IP Setting Options (IP Setting Option: Your Action)
Block Bad IP Options: Select this option to block packets with an IP datagram header that contains an incomplete or malformed list of IP options.
Timestamp IP Option Detection: Select this option to block packets in which the IP option list includes option 4 (Internet Timestamp). The timestamp option records the time when each network device receives the packet during its trip from the point of origin to its destination, as well as the IP address of each network device and the transmission duration of each one. If the destination host has been compromised, attackers can discover the network topology and addressing scheme through which the packet passed.
Security IP Option Detection: Select this option to block packets in which the IP option list includes the Security option, which hosts use to send security, compartmentation, TCC (closed user group) parameters, and Handling Restriction Codes compatible with U.S. Department of Defense requirements.
Stream IP Option Detection: Select this option to block packets in which the IP option is 8 (Stream ID). Packets must use the 16-bit SATNET stream identifier to be carried through networks that do not support the stream concept.
Record Route IP Option Detection: Select this option to block packets in which the IP option is 7 (Record Route). Attackers might use this option to record the series of Internet addresses through which a packet passes, enabling them to discover network addressing schemes and topologies.
Loose Source IP Option Detection: Select this option to block packets in which the IP option is 3 (Loose Source Routing). The Loose Source Routing option enables the packet to supply routing information used by the gateways when forwarding the packet to the destination; the gateway or host IP can use any number of routes from other intermediate gateways to reach the next address in the route.
Strict Source IP Option Detection: Select this option to block packets in which the IP option is 9 (Strict Source Routing). The Strict Source Routing option enables the packet to supply routing information used by the gateways when forwarding the packet to the destination; the gateway or host IP must send the datagram directly to the next address in the source route, and only through the directly connected network indicated in the next address to reach the next gateway or host specified in the route.
Source Route IP Option Filter: Select this option to block all IP traffic that contains the Source Route option. The Source Route option enables the IP header to contain routing information that specifies a different source than the header source. Attackers can use the Source Route option to send a packet with a phony source IP address; all responses to the packet are sent to the attacker’s real IP address.
Attackers can craft malicious packets (and packet fragments) that contain anomalies designed to bypass detection mechanisms and gain targeted information about a network. Because different operating systems (OS) respond differently to anomalous packets, attackers can determine the OS running on a target by examining the target’s response to the packet. To protect targets in the security zone from these reconnaissance attempts, you can configure the settings as described in Table 19 on page 47.
Table 19: TCP/IP Setting Options (TCP Setting Option: Your Action)
SYN Fragment Detection: Select this option to detect TCP fragments that contain a SYN flag. A SYN flag in a TCP segment initiates a connection but does not usually contain a payload. Because the packet is small, it should not be fragmented.
Drop Packet without TCP Flags Set: Select this option to detect TCP segment headers that do not have at least one flag control set.
Block SYN with FIN TCP Segments: Select this option to detect packets in which both the SYN and FIN flags are set. The SYN flag synchronizes sequence numbers to initiate a TCP connection and the FIN flag indicates the end of data transmission to finish a TCP connection, so both flags should never be set in the same packet.
Block FIN without ACK TCP Segments: Select this option to detect packets in which the FIN flag is set, but the ACK flag is not. The FIN flag signals the conclusion of a session and terminates the connection; normally the ACK flag is also set to acknowledge the previous packet received.
Drop Packets with an Unknown Protocol: Select this option to drop packets in which the protocol field is set to 101 or greater. Protocol types 101 and higher are currently reserved and undefined.
Related Documentation
Prevention of Security Zones Using Denial of Service Attacks on page 47
Malicious URL Protection on page 49
Example: Enabling the Malicious URL Blocking Option (NSM Procedure) on page 50
Prevention of Security Zones Using Denial of Service Attacks
Attackers use denial-of-service (DoS) attacks to overwhelm a target with traffic from a single source IP, preventing the target from processing legitimate traffic. A more advanced version of a DoS attack is a distributed DoS (DDoS) attack, in which attackers use multiple source addresses. Typically, attackers use a spoofed IP address or a previously compromised IP address as the source address to avoid detection.
To protect targets in the security zone from DoS and DDoS attacks, configure the settings as described in Table 20 on page 47.
Table 20: Security Zones Prevention using DoS (Security Zones Setting Option: Your Action)
Ping of Death Attack Protection: Select this option to reject oversized and irregular ICMP packets. Attackers might send a maliciously crafted ping (ICMP packet) that is larger than the allowed size of 65,507 bytes to cause a DoS.
Teardrop Attack Protection: Select this option to block teardrop attack packets, designed to exploit vulnerabilities in the reassembly of fragmented IP packets. In the IP header, the fragment offset field indicates the starting position, or “offset,” of the data contained in a fragmented packet relative to the data of the original unfragmented packet. When the sum of the offset and size of one fragmented packet differ from that of the next fragmented packet, the packets overlap, and the server attempting to reassemble the packet can crash.
Block ICMP Fragments: Select this option to block ICMP packets with the More Fragments flag set or with an offset value in the offset field. ICMP packets are typically very short messages containing error reports or network probe information. Because ICMP packets do not carry large payloads, they should not be fragmented.
Block Large ICMP Packets: Select this option to block ICMP packets larger than 1024 bytes. ICMP packets are typically very short messages containing error reports or network probe information; a large ICMP packet is suspicious.
Block IP Packet Fragments: Select this option to block IP fragments destined for interfaces in the security zone. As packets traverse different networks, it is sometimes necessary to break a packet into smaller pieces (fragments) based upon the maximum transmission unit (MTU) of each network. Attackers can use IP fragments to exploit vulnerabilities in the packet reassembly code of specific IP stack implementations.
Land Attack Protection: Select this option to block SYN floods and IP spoofing combinations. Attackers can initiate a land attack by sending spoofed SYN packets that contain the IP address of the target as both the destination and source IP address. The target responds by sending the SYN-ACK packet to itself, creating an empty connection that lasts until the idle timeout value is reached; in time, these empty connections overwhelm the system.
SYN-ACK-ACK Proxy Protection: Select this option and configure a threshold to prevent SYN-ACK-ACK sessions from flooding the security device session table. After successfully receiving a login prompt from the security device, attackers can continue initiating SYN-ACK-ACK sessions, flooding the security device session table and causing the device to reject legitimate connection requests. When proxy protection is enabled and the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, the security device rejects further connection requests from that IP address. By default, the threshold is 512 connections from any single IP address; you can customize this threshold (1 to 250,000) to meet your networking requirements.
Source IP-Based Session Limit: Select this option and configure a threshold to limit the number of concurrent sessions from the same source IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.
Destination IP-Based Session Limit: Select this option and configure a threshold to limit the number of concurrent sessions to the same destination IP address. The default threshold is 128 sessions; you can customize this threshold to meet your networking requirements.
Related Documentation
Protection Against Scans, Spoofs, and Sweeps on page 44
Predefined Screen Options Overview on page 40
IP and TCP/IP Anomaly Detection on page 45
Malicious URL Protection
Enable malicious URL protection on a security device to drop incoming HTTP packets that reference URLs with specific user-defined patterns. You can define up to 48 malicious URL string patterns per zone, each of which can be up to 64 characters long, for malicious URL protection at the zone level. When the malicious URL blocking feature is selected, the security device examines the data payload of all HTTP packets. If it locates a URL and detects that the beginning of its string—up to a specified number of characters—matches the pattern you defined, the device blocks that packet from passing the firewall.
A resourceful attacker, realizing that the string is known and might be guarded against, can deliberately fragment the IP packets or TCP segments to make the pattern unrecognizable during a packet-by-packet inspection. However, security devices use Fragment Reassembly to buffer fragments in a queue, reassemble them into a complete packet, and then inspect that packet for a malicious URL. Depending on the results of this reassembly process and subsequent inspection, the device performs one of the following steps:
If the device discovers a malicious URL, it drops the packet and enters the event in the log.
If the device cannot complete the reassembly process, a time limit is imposed to age out and discard fragments.
If the device determines that the URL is not malicious but the reassembled packet is too big to forward, the device fragments that packet into multiple packets and forwards them.
If the device determines that the URL is not malicious and does not need to fragment it, it then forwards the packet.
To configure a malicious URL string, you must specify the following properties:
Malicious URL ID—Enter the ID that you want to use to identify the URL string.
HTTP Header Pattern—Enter the malicious URL string (also called a pattern) that you want the security device to match.
Minimum Length Before CRLF—Enter the number of characters in the URL string (pattern) that must be present in a URL—starting from the first character—for a positive match (not every character is required for a match). CRLF represents “carriage return/line feed”; HTTP uses a CR or LF character to mark the end of a code segment.
For more information about malicious URLs on security devices, refer to the Concepts & Examples ScreenOS Reference Guide: Attack Detection and Defense Mechanisms.
Related Documentation
Example: Enabling the Malicious URL Blocking Option (NSM Procedure) on page 50
Predefined Screen Options Overview on page 40
Interface Types in ScreenOS Devices Overview on page 50
Example: Enabling the Malicious URL Blocking Option (NSM Procedure)
In this example, you define three malicious URL strings and enable the malicious URL blocking option. Then you enable fragment reassembly for the detection of the URLs in fragmented HTTP traffic arriving at an Untrust zone interface.
1. Add a NetScreen-5GT security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x.
2. In the device navigation tree, select Network > Zone. Double-click the Untrust zone. The General Properties screen appears.
3. Select TCP/IP Reassembly for ALG.
4. In the Zone navigation tree, select Mal-URL. Configure three malicious URL strings:
a. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following and click OK:
For Malicious URL ID, enter Perl.
For HTTP Header Pattern, enter scripts/perl.exe.
For Minimum Length Before CRLF, enter 14.
b. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following options, and then click OK:
For Malicious URL ID, enter CMF.
For HTTP Header Pattern, enter cgi-bin/phf.
For Minimum Length Before CRLF, enter 11.
c. Click the Add icon to display the new Malicious URL ID dialog box. Configure the following options, and then click OK:
For Malicious URL ID, enter DLL.
For HTTP Header Pattern, enter 210.1.1.5/msadcs.dll.
For Minimum Length Before CRLF, enter 18.
Click OK to save your changes to the zone, and then click OK again to save the device configuration.
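The matching rule and the reassembly step described under Malicious URL Protection, applied to the three Mal-URL entries configured in this procedure, as an added example in Python (not Juniper or NSM code): the "Minimum Length Before CRLF" prefix test, and per-packet versus reassembled inspection of a request split across two TCP segments. The URL normalization (dropping the scheme and leading slashes) and all function and class names are assumptions, not taken from the guide.

```python
"""Zone-level Malicious URL matching as described in this guide (added example,
not Juniper code). Models the three Mal-URL entries of the NSM procedure and the
"Minimum Length Before CRLF" prefix rule, and shows why Fragment Reassembly
matters: a request line split across TCP segments matches only once joined.
Assumption: URLs are compared after dropping an http:// or https:// scheme and
leading slashes; the guide does not spell out that normalization.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_PATTERN_LEN = 64          # per-pattern limit stated in the guide
MAX_PATTERNS_PER_ZONE = 48    # per-zone limit stated in the guide


@dataclass(frozen=True)
class MalUrl:
    mal_url_id: str   # "Malicious URL ID"
    pattern: str      # "HTTP Header Pattern"
    min_len: int      # "Minimum Length Before CRLF"

    def __post_init__(self) -> None:
        if not 1 <= len(self.pattern) <= MAX_PATTERN_LEN:
            raise ValueError(f"{self.mal_url_id}: pattern must be 1-{MAX_PATTERN_LEN} chars")
        if not 1 <= self.min_len <= len(self.pattern):
            raise ValueError(f"{self.mal_url_id}: min_len must be 1-{len(self.pattern)}")


def zone_mal_urls(*entries: MalUrl) -> Tuple[MalUrl, ...]:
    """Enforce the per-zone limits: at most 48 entries, each with a unique ID."""
    if len(entries) > MAX_PATTERNS_PER_ZONE:
        raise ValueError(f"at most {MAX_PATTERNS_PER_ZONE} Mal-URL entries per zone")
    if len({e.mal_url_id for e in entries}) != len(entries):
        raise ValueError("Malicious URL IDs must be unique within a zone")
    return entries


# The three entries configured on the Untrust zone in the NSM example.
UNTRUST_MAL_URLS = zone_mal_urls(
    MalUrl("Perl", "scripts/perl.exe", 14),
    MalUrl("CMF", "cgi-bin/phf", 11),
    MalUrl("DLL", "210.1.1.5/msadcs.dll", 18),
)


def normalize_url(target: str) -> str:
    """Drop the scheme and leading slashes so the path can be prefix-compared (assumption)."""
    for scheme in ("http://", "https://"):
        if target.lower().startswith(scheme):
            target = target[len(scheme):]
            break
    return target.lstrip("/")


def match_mal_url(url: str, entries: Iterable[MalUrl]) -> Optional[MalUrl]:
    """Positive match: the URL begins with the first min_len characters of a pattern,
    so "scripts/perl.ex" already matches the Perl entry (14 of its 16 characters)."""
    norm = normalize_url(url)
    for entry in entries:
        if norm.startswith(entry.pattern[:entry.min_len]):
            return entry
    return None


def extract_request_url(payload: bytes) -> Optional[str]:
    """Return the request-target of a complete HTTP request line, else None.
    HTTP ends the line with CRLF; before that terminator the URL is incomplete."""
    end = payload.find(b"\r\n")
    if end == -1:
        return None
    parts = payload[:end].split(b" ")
    if len(parts) != 3 or not parts[0].isalpha():
        return None
    return parts[1].decode("ascii", "replace")


def inspect_payload(payload: bytes, entries: Iterable[MalUrl]) -> Optional[str]:
    """Inspect one payload; return the matching Malicious URL ID or None."""
    url = extract_request_url(payload)
    hit = match_mal_url(url, entries) if url is not None else None
    return hit.mal_url_id if hit else None


def inspect_segments(segments: Iterable[bytes], entries: Iterable[MalUrl],
                     reassemble: bool) -> Optional[str]:
    """Packet-by-packet inspection versus inspection after Fragment Reassembly."""
    segs = list(segments)
    if reassemble:
        return inspect_payload(b"".join(segs), entries)
    for seg in segs:
        hit = inspect_payload(seg, entries)
        if hit is not None:
            return hit
    return None


# Constructed sample: one request split across two TCP segments so that no
# single segment carries a complete request line containing the pattern.
SPLIT_REQUEST = [b"GET /cgi-", b"bin/phf HTTP/1.0\r\nHost: www.example.com\r\n\r\n"]
```

Without reassembly neither segment of SPLIT_REQUEST yields a complete request line, so no entry matches; after reassembly the CMF entry matches, which is the behaviour the TCP/IP Reassembly for ALG setting in step 3 provides.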
Related Documentation
Predefined Screen Options Overview on page 40
Malicious URL Protection on page 49
Interface Types in ScreenOS Devices Overview
The Interface screen displays the physical interfaces available on the security device. Some security devices support functional zone interfaces, which are either a separate physical MGMT interface for management traffic or a high availability (HA) interface used to link two devices together to form a redundant group or cluster.
Interfaces and subinterfaces enable traffic to enter and exit a security zone. To enable network traffic to flow in and out of a security zone, you must bind an interface to that zone and, if it is a Layer 3 zone, assign it an IP address. You can assign multiple interfaces to a zone, but you cannot assign a single interface to multiple zones.
NOTE: Not all devices support all features described in this guide. For device-specific datasheets that include an updated feature list for each device, go to: http://www.juniper.net/products/integrated/dsheet/. This link is provided for your convenience and may change without notice. You can also find this information by going to the Juniper website (http://www.juniper.net/).
Interface Types
You can add the interfaces on a security device as described in Table 21 on page 51.
Table 21: Interface Types
Aggregate interface: A logical interface that combines two or more physical interfaces on the device, for the purpose of sharing the traffic load to a single IP address. This type of interface is only supported on certain security device systems.
Multilink interface: On available devices, you configure and access multiple serial links, called a bundle, through a virtual interface called a multilink interface. The multilink interface emulates a physical interface for the transport of frames.
Loopback interface: A logical interface that emulates a physical interface and is always in the up state.
Virtual security interfaces (VSIs): The virtual interfaces that two security devices share when forming a virtual security device (VSD) in a high availability cluster.
Redundant interface: Two physical interfaces bound to the same security zone. One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface; the other physical interface acts as a backup.
Subinterface: A logical division of a physical interface. A subinterface borrows the bandwidth it needs from the physical interface.
Tunnel interface: Acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel through a tunnel interface. When you configure a tunnel interface, you can also encapsulate IP multicast packets in GREv1 unicast packets.
ADSL interface: A NetScreen-5GT ADSL security device uses ATM as its Transport Layer. The interface can support multiple permanent virtual circuits (PVCs) on a single physical line. Before you can configure the adsl1 interface, however, you must obtain the DSLAM configuration details for the ADSL connection from the service provider.
WAN subinterface: A logical division of a physical WAN interface. This type of interface is only supported on available devices.
ISDN BRI interface: Integrated Services Digital Network (ISDN) is an international communications standard for sending voice, video, and data over digital telephone lines. ISDN in NSM supports Basic Rate Interface (BRI).
Wireless interface: A NetScreen-5GT Wireless security device interface handles wireless traffic to and from that wireless access point (WAP).
For information about configuring specific interface types, see “Example: Configuring an Aggregate Interface (NSM Procedure)” on page 77.
Related Documentation
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52
Setting Interface Properties Using the General Properties Screen on page 53
Setting Physical Link Attributes for Interfaces on page 55
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview
In the Interface screens, you can configure the physical interfaces and, if available, the function zone interfaces. Double-click the interface in the Interface screen. For physical and function zone interfaces, you can configure the following settings:
Interface General Properties
WAN Properties
Port Properties
Interface Advanced Properties
Interface Service Options
Dynamic Host Configuration Protocol
Interface Protocol
For information about configuring dynamic routing protocols (BGP, RIP, OSPF, OSPFv3) in the virtual router and on the interfaces, see “OSPF Protocol Configuration Overview” on page 313.
For information about configuring multicast routing protocols (PIM-SM, IGMP, IGMP-Proxy) and multicast route entries, see “Multicast Route Overview” on page 337.
Interface Secondary IP
Interface Monitoring
Generic Routing Encapsulation
Interface Network Address Translation
For more information about interfaces on security devices, see the “Fundamentals” volume in the Concepts & Examples ScreenOS Reference Guide.
Related Documentation
Interface Types in ScreenOS Devices Overview on page 50
Setting Physical Link Attributes for Interfaces on page 55
Setting Interface Properties Using the General Properties Screen on page 53
Setting Interface Properties Using the General Properties Screen
Use the General Properties screen to configure the following properties on an interface:
Name of the interface.
Subinterface type.
Zone to which the interface is bound.
VLAN tag.
Bundle into—Configures virtual interfaces on a Multilink Frame Relay (MLFR) for a user-to-network interface (UNI) on available devices.
Encapsulation Type—Configures the following encapsulation protocols on WAN interfaces: Frame Relay, Multilink Frame Relay (MLFR), Point-to-Point Protocol (PPP), Multilink PPP (MLPPP), and Cisco High-Level Data Link Control (HDLC) on available devices.
Loopback interface group to which the interface belongs.
Redundant interface group to which the interface belongs.
IP address, netmask, and gateway of the interface.
NOTE: NSM does not permit you to unset the management IP address. You can, however, still do this on each separate device out of band, using the CLI, the Web UI, or the supplemental CLI. See “Configuring Features Unsupported in NSM Using Supplemental CLI Options Overview” on page 129.
Mode of the interface (NAT or route).
Full support of IPv6 features for VLAN and loopback interfaces on ISG Series devices. See the Concepts & Examples ScreenOS Reference Guide: IPv6 Configuration.
DNS proxy (for details, see “DNS Server Configuration Using DNS Settings” on page 103).
PPP settings.
On ADSL interfaces, you can configure ADSL options such as VPI, VCI, and multiplexing mode as part of the General Properties. See “ADSL Interface in ScreenOS Devices” on page 88.
On wireless interfaces, you can also shut down the interface by selecting the Shutdown Interface option.
Some interfaces, such as the VLAN1 or serial interface, accept service option settings as part of the General Properties for the interface. For information about service options, see “Enabling Management Service Options for Interfaces” on page 56.
Deny routing to this interface.
Routing to ACVPN-dynamic.
Related Documentation
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52
Setting Physical Link Attributes for Interfaces on page 55
Setting WAN Properties Using the WAN Properties Screen
Use the WAN Properties screen to configure the following WAN properties for port cards on available devices:
Clocking
Hold time (Up)
Hold time (Down)
For more information about configuring WAN properties for port cards, refer to the ScreenOS Wide Area Network Interfaces and Protocols Reference.
Related Documentation
Setting Interface Properties Using the General Properties Screen on page 53
Setting Port Properties Using the Port Properties Screen on page 54
Using MLFR and MLPPP Options on page 55
Setting Port Properties Using the Port Properties Screen
Use the Port Properties screen to configure the following properties for port cards on available devices:
Port Configuration (Serial, E1, T1, or DS3)
DCE options
DTE options
Line encoding
Loopback mode
Encapsulation support
For more information about configuring properties, refer to the ScreenOS Wide Area Network Interfaces and Protocols Reference.
Related Documentation
Using MLFR and MLPPP Options on page 55
Setting Interface Properties Using the General Properties Screen on page 53
Setting Physical Link Attributes for Interfaces on page 55
Using MLFR and MLPPP Options
Use the MLFR and MLPPP screens to change the default Frame Relay and PPP properties on a multilink interface. For more information about configuring Frame Relay properties, refer to the ScreenOS Wide Area Network Interfaces and Protocols Reference.
Related Documentation
Setting Port Properties Using the Port Properties Screen on page 54
Setting Physical Link Attributes for Interfaces on page 55
Setting Physical Link Attributes for Interfaces
Set attributes of the physical link for the interface:
Physical Settings.
Extended Bandwidth Settings—Use the Egress Bandwidth options to set the minimum (or guaranteed) and maximum bandwidth allowed to pass through the security device. Be careful not to allocate more bandwidth than the interface can support because you might lose data if the guaranteed bandwidth on contending policies surpasses the traffic bandwidth set on the interface.
For security devices running ScreenOS 5.3, you can also manage the flow of traffic through the security device by limiting bandwidth at the point of ingress. To configure the maximum amount of traffic allowed at the ingress interface, set the number of kilobits per second (kbps) using the Ingress Minimum Bandwidth field.
For more information about configuring traffic shaping parameters, see “Allocating Network Bandwidth Using Traffic Shaping Options” on page 119.
Holddown Time—Use this option to configure the amount of time (in milliseconds) that the security device uses to bring the interface up or down after detecting a change in the link status.
Bring Down Link—Select this option to bring down the physical link to the interface.
Link and MTU Size.
WebAuth
Enable Webauth—Select this option to enable device administrators to authenticate management connections to the device using WebAuth.
WebAuth IP—Enter the IP address of the WebAuth service on the interface.
Allow Webauth via SSL only (ScreenOS 5.1 and later only)—Select this option to require WebAuth users to use SSL when connecting to the WebAuth IP address on a device running ScreenOS 5.1 and later. When this option is disabled, device administrators can access the WebAuth IP address of the interface using clear text.
NOTE: When you enable WebAuth, you must also enable SSL as a service option for the interface. For details, see “Enabling Management Service Options for Interfaces” on page 56.
Gratuitous ARP—Enables or disables gratuitous ARP (G-ARP) on devices running ScreenOS 6.1 or later, as a defense against G-ARP attacks.
Deny Routing.
Port Settings.
Proxy ARP Entry—Imports ARP traffic to the correct VSI by allowing the administrator to set a proxy ARP entry with lower and upper IP addresses. By adding a proxy ARP entry on an interface, ScreenOS imports the traffic that is destined to that IP range through this interface.
Related Documentation
Interface Network Address Translation Using VIPs on page 65
Interface Network Address Translation Using DIPs on page 67
Enabling Management Service Options for Interfaces
Enable management service options for the interface as described in Table 22 on page 56.
Table 22: Management Service Options
Web: Select this option to enable the interface to receive HTTP traffic for management from the Web UI.
Telnet: Select this option to enable Telnet manageability. A terminal emulation program for TCP/IP networks such as the Internet, Telnet is a common way to remotely control network devices.
SSH: Administer the security device from an Ethernet connection or a dial-in modem using SSH. You must have an SSH client that is compatible with SSHv1.5. These clients are available for Windows 95 and later, Windows NT, Linux, and UNIX. The security device communicates with the SSH client through its built-in SSH server, which provides device configuration and management services. Selecting this option enables SSH manageability.
SNMP: Select this option to enable SNMP manageability. The security device supports both SNMPv1 and SNMPv2c, and all relevant Management Information Base II (MIB II) groups, as defined in RFC 1213.
SSL: Select this option to enable the interface to receive HTTPS traffic for secure management of the security device using the Web UI. Additionally, when this option is enabled, you can also require WebAuth users to use SSL when connecting to the WebAuth IP address on a device running ScreenOS 5.1 and later.
Global Pro (Security Manager): Select this option to enable the interface to receive NSM traffic.
Ping: Select this option to enable the interface to respond to an ICMP echo request, or ping, which determines whether a specific IP address is accessible over the network.
Ident-Reset: Select this option to restore access that has been blocked by an unacknowledged identification request. Services like Mail and FTP send identification requests. If they receive no acknowledgement, they send the request again. While the request is processing, there is no user access. The Ident-reset option sends a TCP reset announcement in response to an IDENT request to port 113.
NSGP: Select this option to enable the interface to handle NSGP traffic. When enabled, you can also select to enforce IPsec authentication for NSGP traffic.
Related Documentation
Setting Interface Properties Using the General Properties Screen on page 53
Setting Physical Link Attributes for Interfaces on page 55
Setting DHCPv6 Overview
An IPv6 router can only be a DHCPv6 server, and an IPv6 host can only be a DHCPv6 client. As a DHCPv6 client, the interface can make the following requests from a DHCPv6 server:
Delegation of long-lived prefixes across an administrative boundary—The server does not have to know the topology of the targeted local network. For example, an ISP can use DHCPv6 to assign prefixes to downstream networks through downstream DHCP clients. To speed up the client/server interaction, the client can request rapid commit (if enabled). Rapid commit reduces the number of messages from four to two.
IP addresses of available DNS servers—The interface can also request DNS search-list information. This list contains partial domain names, which assist DNS searches by concatenating entered usernames to the domain names.
As a DHCPv6 server, the interface can provide both of these services to a DHCPv6 client. To speed up prefix delegation, an IPv6 router configured to be a DHCPv6 server can support a rapid commit option. You can also set a server preference option.
In the DHCPv6 screen, you can configure options such as a device-unique identification (DUID), an identity association for prefix delegation identification (IAPD-ID), prefix features, a server preference, a DHCPv6 server, a DHCPv6 client, and a DHCPv6 relay agent.
Related Documentation
Configuring Custom DHCP Options (NSM Procedure) on page 59
Using Interface Protocol on page 61
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure)
The Dynamic Host Configuration Protocol (DHCP) automatically assigns TCP/IP settings for the hosts on the network. Different security devices support different DHCP roles:
DHCP clients receive a dynamically assigned IP address.
DHCP servers allocate dynamic IP addresses to clients.
DHCP relay agents receive information from a DHCP server and relay that information to clients.
Some devices can simultaneously act as a DHCP client, server, and relay agent.
To assign TCP/IP settings to hosts using DHCP:
1. In the NSM navigation tree, select Device Manager > Devices.
2. Select a security device and then double-click the device on which you want to define forced timeout. The device configuration appears.
3. In the device navigation tree, select Network > Interface.
4. Double-click a trust interface. The General Properties screen appears.
5. Select DHCP in the navigation tree, and for the DHCP Mode, select Server.
6. Configure the server settings as follows:
For DHCP Server Auto Processing, select Enable DHCP Server.
For DNS #1, #2, and #3, enter 1.1.1.1.
For Domain Name, enter acme.com.
For Client Gateway, enter 1.1.1.1.
For Lease Time (Minutes), the default is 4320 minutes.
For Netmask, the default is 0.
For NetInfo Server #1 and Server #2, enter 1.1.1.1.
For POP3, enter 1.1.1.1.
For SMTP, enter 1.1.1.1.
For WINS#1 and WINS#2, enter 1.1.1.1.
Select Enable Next Server IP.
Click OK to apply the settings.
Related Documentation
Setting Interface Properties Using the General Properties Screen on page 53
Interface Types in ScreenOS Devices Overview on page 50
Configuring Custom DHCP Options (NSM Procedure) on page 59
Configuring Custom DHCP Options (NSM Procedure)
When configuring a DHCP server, you can also configure custom DHCP options to handle address assignment for voice-over-IP (VoIP) phones.
NOTE: Custom DHCP options are not supported on the NetScreen-500, the NetScreen-5200, the NetScreen-5400, the ISG1000 and the ISG2000.
A custom DHCP option contains:
Option Name—A user-defined, unique name that identifies the custom option.
Code—An arbitrary integer that represents the option type. Use the option code to represent the custom option you want to configure. For each DHCP server, you can configure an unlimited number of custom DHCP options; however, the option code for each custom option must be unique, and cannot match the option code for a predefined option (DHCP contains several predefined option codes). Table 23 on page 59 lists the predefined option codes and associated RFC 2132 terms:
Table 23: DHCP Option Codes
1: Netmask
3: Gateway
6: DNS1, DNS2, DNS3
15: Domain Name
44: WINS1, WINS2
51: Lease
69: SMTP
70: POP3
71: News
112: NIS1, NIS2
113: NISTAG
In addition to predefined option codes, the codes 0, 255, and 53 cannot be used to create a custom DHCP option. All other integers between 2 and 254 are valid.
Data Type—The type of data required for the option code. Available data types are string, IP address, and integer.
Value—The value of the option code. When the data type is string, the acceptable length is 1-128 characters.
Your network recently added support for VoIP, and you now need to support DHCP for VoIP phones. You edit the existing DHCP server configuration to send the following custom options to IP phones acting as DHCP clients:
Option code 444, containing string “Server 4”
Option code 66, containing IP address 1.1.1.1
Option code 160, containing integer 2004
The example assumes that you have already configured a security device to act as a DHCP server.
To customize your DHCP options:
1. In the NSM navigation tree, select Device Manager > Devices. Double-click the device currently handling your DHCP assignments.
2. In the device navigation tree, select Network > Interface. Double-click an interface. The General Properties screen appears.
3. In the interface navigation tree, select DHCP, set the DHCP mode to Server, and then select the Custom Options tab.
4. Click the Add icon to add the first custom option. Configure the following options, and then click OK:
For Option Name, enter IP Address.
For Code, enter 66.
For Data Type, select IP ADDR.
For Value, enter 1.1.1.1.
Click the Add icon to add the second custom option. Configure the options as mentioned in Step 4, and then click OK.
5. Click OK to save your changes to the interface, and then click OK again to save your changes to the device.
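The custom-option rules stated above (codes 2 to 254 excluding 0, 53, 255 and the Table 23 codes; unique codes and names per server; string, IP address and integer values), applied to the option 66 and option 160 values of this procedure, as an added example in Python (not Juniper or NSM code). The class and function names are assumptions, as is the 32-bit width used for the integer type; the RFC 2132 code/length/value encoding is standard DHCP.

```python
"""Custom DHCP option validation and encoding under the rules in this guide
(added example, not Juniper or NSM code). Enforced: option codes 2-254, never
0, 53 or 255, never a predefined code from Table 23, unique per server along
with the option name; data types string (1-128 characters), IP address and
integer. Each option is then encoded as an RFC 2132 code/length/value triple so
the bytes a phone receives can be compared with a capture.
Assumption: "integer" is sent as a 32-bit big-endian value; the guide does not
state its width.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Union

# Table 23 of the guide: predefined codes that a custom option may not reuse.
PREDEFINED_CODES = {1, 3, 6, 15, 44, 51, 69, 70, 71, 112, 113}
# Also excluded by the guide (pad, DHCP message type, end).
RESERVED_CODES = {0, 53, 255}


@dataclass(frozen=True)
class CustomOption:
    name: str                 # "Option Name"
    code: int                 # "Code"
    data_type: str            # "Data Type": "string", "ip" or "integer"
    value: Union[str, int]    # "Value"


def encode_option(opt: CustomOption) -> bytes:
    """Encode one option as code, length, value; raise ValueError on a bad value."""
    if opt.data_type == "string":
        data = str(opt.value).encode("ascii")
        if not 1 <= len(data) <= 128:
            raise ValueError(f"{opt.name}: string value must be 1-128 characters")
    elif opt.data_type == "ip":
        data = ipaddress.IPv4Address(opt.value).packed
    elif opt.data_type == "integer":
        data = struct.pack("!I", int(opt.value))   # 32-bit width is an assumption
    else:
        raise ValueError(f"{opt.name}: unknown data type {opt.data_type!r}")
    return bytes([opt.code, len(data)]) + data


class DhcpServerCustomOptions:
    """The Custom Options tab of one interface's DHCP server configuration."""

    def __init__(self) -> None:
        self.by_code: Dict[int, CustomOption] = {}

    def add(self, opt: CustomOption) -> CustomOption:
        """Validate and store an option, or raise ValueError describing the problem."""
        if not 2 <= opt.code <= 254 or opt.code in RESERVED_CODES:
            raise ValueError(f"{opt.name}: code {opt.code} is outside 2-254 or reserved")
        if opt.code in PREDEFINED_CODES:
            raise ValueError(f"{opt.name}: code {opt.code} is a predefined option (Table 23)")
        if opt.code in self.by_code:
            raise ValueError(f"{opt.name}: code {opt.code} is already configured")
        if any(o.name == opt.name for o in self.by_code.values()):
            raise ValueError(f"{opt.name}: option name is already in use")
        encode_option(opt)             # reject an unencodable value before storing it
        self.by_code[opt.code] = opt
        return opt

    def is_rejected(self, opt: CustomOption) -> bool:
        """True if the option fails validation (nothing is stored in that case)."""
        try:
            self.add(opt)
        except (ValueError, struct.error):
            return True
        return False

    def encoded(self) -> bytes:
        """All custom options encoded in ascending code order."""
        return b"".join(encode_option(self.by_code[c]) for c in sorted(self.by_code))


# Constructed configuration using the option 66 and option 160 values of the example.
VOIP_OPTIONS = DhcpServerCustomOptions()
VOIP_OPTIONS.add(CustomOption("IP Address", 66, "ip", "1.1.1.1"))
VOIP_OPTIONS.add(CustomOption("Server Number", 160, "integer", 2004))
```

The code 444 from the example list above fails this check: the guide's own rule admits only 2 to 254, and a DHCP option code occupies a single byte on the wire.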
Related Documentation
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) on page 58
Enabling Management Service Options for Interfaces on page 56
Using Interface Protocol
You can enable and configure dynamic routing protocol and multicast protocol operations on the interface:
For information about dynamic routing protocols (BGP, RIP, OSPF) in the virtual router and on the interfaces, see “OSPF Protocol Configuration Overview” on page 313.
For information about multicast routing protocols (PIM-SM, IGMP, IGMP-Proxy) and multicast route entries, see “Multicast Route Overview” on page 337.
You can also add the RIPng protocol to the interface protocol list. For more information, see the Concepts & Examples ScreenOS Reference Guide.
Related Documentation
Using Interface Secondary IP on page 61
Enabling ScreenOS Devices for Interface Monitoring on page 61
Setting Interface Properties Using the General Properties Screen on page 53
Using Interface Secondary IP
This option is not available for interfaces in the Untrust zone. Each interface has a single, unique primary IP address. You can also set one or more secondary IP addresses for the interface.
Related Documentation
Setting Interface Properties Using the General Properties Screen on page 53
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) on page 58
Using Interface Protocol on page 61
Enabling ScreenOS Devices for Interface Monitoring
You can enable the security device to monitor the reachability of certain IP addresses through the interface to determine interface failure. For each IP address to be tracked, specify the following:
Interval at which pings are sent to the tracked address
Number of consecutive unsuccessful ping attempts before the connection to the address is considered failed
Weight of the failed IP connection
Timeout for the track IP
The Failover Threshold is compared to the sum of the weights of failed IP connections. Instead of tracking specific IP addresses, you can alternatively set the device to track the interface’s default gateway.
Related Documentation
Using Interface Protocol on page 61
Using Interface Secondary IP on page 61
Setting Interface Properties Using the General Properties Screen on page 53
Supporting Generic Routing Encapsulation Using Tunnel Interfaces
You can configure a tunnel interface to support Generic Routing Encapsulation version 1 (GREv1) encapsulation. When enabled, the interface encapsulates IP packets in the tunnel in IPv4 packets using GREv1. You must specify the key parameter; the device appends this value to outgoing packets, and incoming packets must carry the same value.
You can use GRE to forward multicast packets through non-multicast aware routers and devices.
Related Documentation
Setting Interface Properties Using the General Properties Screen on page 53
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview on page 52
Interface Network Address Translation Methods
You can configure the following address translation methods on the security device:
MIPs
VIPs
Mapping services and ports
DIPs
Port Address Translation
DIP with extended Interface
Incoming DIP for SIP traffic
Related Documentation
Interface Network Address Translation Using MIPs on page 62
Interface Network Address Translation Using VIPs on page 65
Interface Network Address Translation Using DIPs on page 67
Interface Network Address Translation Using MIPs
A mapped IP (MIP) is a direct one-to-one mapping of one IP address to another. The security device forwards incoming traffic destined for a MIP to the host with the address to which the MIP points. A MIP is a static destination address translation that maps the destination IP address in an IP packet header to another static IP address, enabling inbound traffic to reach private addresses in a zone whose interface is in NAT mode. When a MIP host initiates outbound traffic, the security device translates the source IP address of the host to that of the MIP address. You can map an address-to-address or subnet-to-subnet relationship (the netmask applies to both the mapped IP subnet and the original IP subnet).
You can also use a MIP to handle overlapping address spaces at two sites connected by a VPN tunnel (an overlapping address space occurs when the IP address ranges of two networks are partially or completely the same).
However, devices running ScreenOS 6.1 or later remove the overlap restriction between the MIP and the VIP.
The zone in which you configure the MIP determines the subnet of the IP address that you can assign to the MIP:
When defining a MIP in a tunnel zone or a security zone other than Untrust, you must use the same subnet as a tunnel interface that has an IP address and netmask, or the same subnet as the IP address and netmask of an interface bound to a Layer 3 (L3) security zone.
When defining a MIP in an interface in the Untrust zone, you can use a different subnet than the Untrust zone interface IP address. However, you must add a route on the external router pointing to an Untrust zone interface so that incoming traffic can reach the MIP. You must also define a static route that associates the MIP with the interface that hosts it.
With devices running ScreenOS 6.1 or later, you can assign a MIP the same address as an interface on any platform. However, you cannot use that MIP address in a DIP pool.
You can use a MIP as the destination address in rules between any two zones or in a Global rule. For the destination zone, use either the Global zone or the zone with the address to which the MIP points.
Related Documentation
Interface Network Address Translation Methods on page 62
Example: Configuring MIPs (NSM Procedure) on page 63
Interface Network Address Translation Using VIPs on page 65
Example: Configuring MIPs (NSM Procedure)
In this example, you create a MIP to handle inbound traffic to your Web server. After configuring the MIP, you create a Global MIP to represent the MIP you created for the device, and then use the Global MIP object in a Security Policy rule that permits HTTP traffic from any address in the Untrust zone to the MIP—and to the host with the address to which the MIP points—in the Trust zone. All security zones are in the trust-vr routing domain.
To configure a MIP:
1. Add a NetScreen-50 security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x.
2. Configure the Trust interface for ethernet1.
In the device navigation tree, select Network > Interface.
Double-click ethernet1 (trust interface). The General Properties screen appears.
Configure the IP address as 10.1.1.1 and the Netmask as 24. Leave all other settings as default.
Click OK to save your changes.
3. Configure the Untrust interface for ethernet2.
In the device navigation tree, select Network > Interface.
Double-click ethernet2 (untrust interface). The General Properties screen appears.
4. Configure the IP address as 1.1.1.1 and the netmask as 24. Leave all other settings as default.
Click OK to save your changes.
5. In the interface navigation tree, select NAT > MIP to display the MIP screen.
6. Click the Add icon and configure the following:
For Mapped IP, enter 1.1.1.5.
For Netmask, enter 32.
For Host IP, enter 10.1.1.5.
For virtual router, select trust-vr.
Click OK to save the MIP.
7. Click OK to save your changes to the interface, and then click OK to save your changes to the device.
8. Create a Global MIP to reference the MIP you created for the device. You use a Global MIP when configuring NAT in a Security Policy rule; the Global MIP references the MIP for an individual device, enabling you to use one object (the Global MIP object) to represent multiple MIPs in a single rule.
9. In the navigation tree, select Object Manager > NAT Objects > MIP.
10. Click the Add icon to display the new Global MIP dialog box.
11. Configure the Global MIP.
12. Configure a firewall rule to route inbound HTTP traffic to the MIP address.
Related Documentation
Interface Network Address Translation Using MIPs on page 62
Interface Network Address Translation Using DIPs on page 67
Interface Network Address Translation Methods on page 62
Interface Network Address Translation Using VIPs
A virtual IP (VIP) address maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header. The destination IP addresses are the same, and the destination port numbers determine the host that receives the traffic. The security device forwards incoming traffic destined for a VIP to the host with the address to which the VIP points. When a VIP host initiates outbound traffic, the security device translates the source IP address of the host to that of the VIP address.
You can set a VIP only on an interface in the Untrust zone, and you must assign the VIP an IP address that is in the same subnet as an interface in the Untrust zone. However, in devices running ScreenOS 6.1 or later, you can set an interface in a Layer 3 security zone, removing the restriction of setting an Untrust zone interface. Some security devices also support:
Assigning the VIP the exact same address as the interface. However, in devices running ScreenOS 6.1 or later, you can set a VIP as you would an interface IP in any platform, removing the restriction of some devices.
Assigning the VIP to a dynamic IP address. When using a VIP with an interface in the Untrust zone that receives its IP address dynamically through DHCP or PPPoE, select Same as the untrusted interface IP address when setting up the VIP.
Additionally, the host to which the security device maps VIP traffic must be reachable from the trust-vr. If the host is in a routing domain other than that of the trust-vr, you must define a route to reach it.
You can use a VIP as the destination address in rules between any two zones or in a Global rule. For the destination zone, use either the Global zone or the zone with the address to which the VIP points.
Related Documentation
Mapping Predefined and Custom Services in a VIP on page 65
Interface Network Address Translation Methods on page 62
Mapping Predefined and Custom Services in a VIP
You can use virtual port numbers for well-known services when running multiple server processes on a single machine. For example, you can run two FTP servers on the same machine, one server on port 21 and the other on port 2121. Only users who know the virtual port number can append it to the IP address in the packet header to gain access to the second FTP server.
You can map predefined and custom services in a VIP. A single VIP can support custom services with:
The same source and destination port numbers but different transports.
Single port entries (by default).
Multiple port entries, when creating multiple service entries under a VIP (one service entry in the VIP for each port entry in the service).
Any destination port number or number range from 1 to 65,535, not just from 1024 to 65,535.
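The dispatch a VIP performs, and the subnet rule for placing it, can be modeled in a few lines. The following Python is an added example, not code from this guide or from NSM: it assumes the VIP 1.1.1.10 on the Untrust interface 1.1.1.1/24 from the example that follows, and the mapped hosts 10.1.1.11, 10.1.1.12 and 10.1.1.13 and the port-for-port handling of a port range are constructed for the illustration.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Added example, not code from the Juniper guide or NSM: a model of how a VIP
# dispatches inbound traffic by destination port and transport, and how the
# source address of outbound traffic from a VIP host is rewritten. The
# port-for-port handling of port ranges is an assumption of this model.


class VirtualIP:
    """One VIP on an Untrust-zone interface and its service-to-host mappings."""

    def __init__(self, vip: str, untrust_interface: str) -> None:
        # The guide requires the VIP to sit in the subnet of an Untrust-zone
        # interface (ScreenOS 6.1 and later relax this to any Layer 3 zone).
        iface = ipaddress.ip_interface(untrust_interface)
        if ipaddress.ip_address(vip) not in iface.network:
            raise ValueError(f"VIP {vip} is not in the subnet of {untrust_interface}")
        self.vip = vip
        # (transport, virtual port) -> (mapped host, mapped port)
        self._services: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_service(self, transport: str, virtual_ports, mapped_host: str,
                    mapped_port: int) -> None:
        """Map one virtual port, or a (low, high) range, to a host and port.

        The same port number on a different transport (TCP vs UDP) is a
        distinct mapping, as the guide allows for custom services.
        """
        if isinstance(virtual_ports, int):
            virtual_ports = (virtual_ports, virtual_ports)
        low, high = virtual_ports
        if not 1 <= low <= high <= 65535:
            raise ValueError("virtual ports must lie within 1-65535")
        for port in range(low, high + 1):
            key = (transport.lower(), port)
            if key in self._services:
                raise ValueError(f"{transport}/{port} is already mapped on {self.vip}")
            # a range maps port-for-port: low -> mapped_port, low+1 -> mapped_port+1, ...
            self._services[key] = (mapped_host, mapped_port + (port - low))

    def inbound(self, dst_ip: str, transport: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return the (host, port) an inbound packet is forwarded to, or None
        when no VIP mapping exists, in which case nothing is forwarded."""
        if dst_ip != self.vip:
            return None
        return self._services.get((transport.lower(), dst_port))

    def outbound_source(self, src_ip: str) -> str:
        """Traffic initiated by a VIP host leaves with the VIP as its source."""
        vip_hosts = {host for host, _ in self._services.values()}
        return self.vip if src_ip in vip_hosts else src_ip


def build_example_vip() -> VirtualIP:
    """The guide's VIP 1.1.1.10 on ethernet3 (1.1.1.1/24) with its HTTP mapping,
    plus constructed FTP mappings that reuse port 2121 on TCP and UDP."""
    vip = VirtualIP("1.1.1.10", "1.1.1.1/24")
    vip.add_service("tcp", 80, "10.1.1.10", 80)        # HTTP -> Web server (from the guide)
    vip.add_service("tcp", 21, "10.1.1.11", 21)        # first FTP server (constructed)
    vip.add_service("tcp", 2121, "10.1.1.11", 2121)    # second FTP server on a virtual port
    vip.add_service("udp", 2121, "10.1.1.12", 2121)    # same port number, different transport
    return vip
```

A packet for 1.1.1.10 on a port with no mapping is not forwarded anywhere; the reverse direction only applies to hosts that appear in a mapping, which is why a host outside the VIP keeps its own source address.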
Related Documentation
Interface Network Address Translation Using VIPs on page 65
Example: Configuring VIPs (NSM Procedure) on page 66
Interface Network Address Translation Methods on page 62
Example: Configuring VIPs (NSM Procedure)
In this example, you create a VIP to handle inbound traffic to your Web server. After configuring the VIP, you create a Global VIP to represent the VIP you created for the device, and then use the Global VIP object in a Security Policy rule that permits HTTP traffic on port 80 from any address in the Untrust zone to the MIP—and to the host with the address and port to which the MIP points—in the Trust zone. All security zones are in the trust-vr routing domain.
Because the VIP is in the same subnet as the Untrust zone interface, you do not need to define a route for traffic from the Untrust zone to reach it. (To route HTTP traffic from a security zone other than the Untrust zone to the VIP, you must set a route for 1.1.1.10 on the router in the other zone to point to an interface bound to that zone.)
1. Add a NetScreen-204 security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x.
2. Configure the Trust interface for ethernet1.
3. In the device navigation tree, select Network > Interface.
4. Double-click ethernet1 (trust interface). The General Properties screen appears.
5. Configure the IP address as 10.1.1.1 and the netmask as 24. Leave all other settings as default.
6. Click OK to save your changes.
7. Configure the Untrust interface for ethernet3.
8. In the device navigation tree, select Network > Interface.
9. Double-click ethernet3 (untrust interface). The General Properties screen appears.
10. Configure the IP address as 1.1.1.1 and the netmask as 24. Leave all other settings as default.
11. Click OK to save your changes.
12. Configure the VIP for ethernet3:
Double-click ethernet3. The General Properties screen appears.
In the interface navigation tree, select NAT > VIP to display the VIP screen.
Click the Add icon to display the Virtual IP dialog box. Enter the Virtual IP as 1.1.1.10.
13. Click the Add icon to display the VIP mapping dialog box. Configure the following options:
For Virtual Port, enter 80.
For Mapped IP, enter 10.1.1.10.
For Mapped Service, enter HTTP.
Click OK to save the VIP mapping, and then click OK to save the VIP.
Click OK to save your changes to the interface, and then click OK to save your changes to the device.
14. In the navigation tree, select Object Manager > NAT Objects > VIP.
15. Click the Add icon to display the new Global VIP dialog box.
16. Configure the Global VIP.
17. Configure a firewall rule to route inbound HTTP traffic on port 80 to the VIP address.
Related Documentation
Interface Network Address Translation Using VIPs on page 65
Interface Network Address Translation Methods on page 62
Mapping Predefined and Custom Services in a VIP on page 65
Interface Network Address Translation Using DIPs
A dynamic IP (DIP) pool is a range of IP addresses. The security device can dynamically or deterministically use these IP addresses when performing network address translation on the source IP address (NAT-src) in IP packet headers.
If the range of addresses in a DIP pool is in the same subnet as the interface IP address, the pool must exclude the interface IP address, router IP addresses, and any mapped IP (MIP) or virtual IP (VIP) addresses that might also be in that subnet.
If the range of addresses is in the subnet of an extended interface, the pool must exclude the extended interface IP address.
You can assign DIP pools to physical interfaces and subinterfaces for network and VPN traffic, and to tunnel interfaces for VPN tunnels only.
DIP pools can also be defined on a VLAN interface when a device running ScreenOS 6.2 is in Transparent mode.
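The two exclusion rules above are easy to get wrong when a subnet already carries MIPs and VIPs. The following Python is an added example, not code from this guide or from NSM: a check that reports every address inside a proposed DIP range that the rules say the pool must not contain. Addresses in the usage are taken from this chapter's examples (1.1.1.1/24 with MIP 1.1.1.5 and VIP 1.1.1.10; the extended interface 211.10.1.10/24) or constructed (the router 1.1.1.254).

```python
import ipaddress
from typing import Iterable, List, Optional

# Added example, not code from the Juniper guide or NSM: a pre-push check that
# a DIP pool range excludes the addresses the guide says it must.


def dip_pool_conflicts(start: str, end: str, interface_ip: str,
                       router_ips: Iterable[str] = (), mips: Iterable[str] = (),
                       vips: Iterable[str] = (),
                       extended_ip: Optional[str] = None) -> List[str]:
    """Return the addresses inside start..end that the pool must not contain.

    interface_ip and extended_ip carry a prefix length ("1.1.1.1/24");
    router_ips, mips and vips are bare addresses. An empty list means the
    range is clean with respect to the two rules in the guide.
    """
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError("DIP range start must not exceed end")
    reserved = set()

    # Rule 1: a range in the interface subnet must exclude the interface IP,
    # the router IPs, and any MIP or VIP that lives in that subnet.
    iface = ipaddress.ip_interface(interface_ip)
    if lo in iface.network or hi in iface.network:
        reserved.add(iface.ip)
        for group in (router_ips, mips, vips):
            for raw in group:
                ip = ipaddress.ip_address(raw)
                if ip in iface.network:
                    reserved.add(ip)

    # Rule 2: a range in the subnet of an extended interface must exclude the
    # extended interface IP.
    if extended_ip is not None:
        ext = ipaddress.ip_interface(extended_ip)
        if lo in ext.network or hi in ext.network:
            reserved.add(ext.ip)

    # report only reserved addresses that actually fall inside the range
    return [str(ip) for ip in sorted(reserved) if lo <= ip <= hi]


def pool_is_valid(start: str, end: str, interface_ip: str, **kwargs) -> bool:
    """True when dip_pool_conflicts finds nothing to exclude."""
    return not dip_pool_conflicts(start, end, interface_ip, **kwargs)
```

The one-address pools used later in this chapter (for example 211.10.1.1 to 211.10.1.1 beside the extended interface 211.10.1.10/24) pass the check; a range that sweeps the whole /24 does not, and the returned list tells the operator exactly which addresses to carve out.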
Related Documentation
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) on page 68
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Enabling Managed Devices Using Incoming DIP on page 73
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure)
Use Port Address Translation (PAT) to enable multiple hosts (up to 64,500) to share the same IP address. The security device maintains a list of assigned port numbers to distinguish which session belongs to which host. Use PAT in conjunction with a MIP and a DIP pool to resolve the problem of overlapping address spaces.
Some applications, such as NetBIOS Extended User Interface (NetBEUI) and Windows Internet Naming Service (WINS), require specific port numbers and do not work with PAT. For these applications, you cannot use PAT; you must configure the DIP pool to use a fixed port (numbered IP). For fixed-port DIP, the security device hashes and saves the original host IP address in its host hash table, enabling the device to associate the right session with each host.
In this example, you want to create a VPN tunnel for users at one site to reach an FTP server at another site. However, the internal networks at both sites use the same private address space of 10.1.1.0/24.
On the first device, a NetScreen-HSC, you create a tunnel interface in the Untrust zone with IP address 10.10.1.1/24, and associate it with a DIP pool containing the IP address range 10.10.1.2–10.10.1.2 (addresses in the neutral address space of 10.10.1.0/24). You enable port address translation for the DIP pool. On the second device, a NetScreen-208, you create a tunnel interface with an IP address in a neutral address space and set up a mapped IP (MIP) address to its FTP server. This example provides details on configuring the NetScreen-HSC to use a DIP pool with PAT; details on configuring the second device in the VPN are not provided.
1. Add a NetScreen-HSC security device. Choose Model when adding the device and configure the device as running ScreenOS 5.x and ScreenOS 6.2 in Transparent mode.
2. Configure the tunnel/vlan interface:
In the device navigation tree, select Network > Interface.
Click the Add icon and select New > Tunnel or Vlan Interface. The General Properties screen appears.
3. Configure the DIP pool:
In the interface navigation tree, select NAT > DIP to display the DIP screen.
Click the Add icon to display the New Dynamic IP dialog box.
4. Enter the DIP ID.
5. Add multiple DIP ranges for a particular DIP ID as follows:
Select the Multiple DIP Range check box.
Click the Add icon. The New Dynamic IP dialog box appears.
For Rang ID, enter 1.
For Lower IP, enter 10.10.1.2.
For Upper IP, enter 10.10.1.2.
6. For Start, enter 10.10.1.1.
7. For End, enter 10.10.1.1.
8. For Netmask, enter 24.
9. Click OK to save your changes to the interface, and then click OK to save your changes to the device.
Related Documentation
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Enabling Managed Devices Using Incoming DIP on page 73
Interface Network Address Translation Using DIPs on page 67
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure)
If circumstances require that the source IP address in outbound firewall traffic be translated to an address in a different subnet from that of the egress interface, you can use the extended interface option. This option enables you to graft a second IP address and an accompanying DIP pool onto an interface that is in a different subnet. You can then enable NAT on a per-policy basis and specify the DIP pool built on the extended interface for the translation.
In this example, two branch offices have leased lines to a central office. The central office requires them to use only the authorized IP addresses it has assigned them. However, the offices receive different IP addresses from their ISPs for Internet traffic. For communication with the central office, you use the extended interface option to configure the security device in each branch office to translate the source IP address in packets it sends to the central office to the authorized address. Table 24 on page 69 lists the authorized and assigned IP addresses for branch offices A and B.
Table 24: Sample Branch Office Addresses
Office     Authorized IP Address (central office)   Assigned IP Address (ISP)
Office A   211.10.1.1/24                            195.1.1.1/24
Office B   211.20.1.1/24                            201.1.1.1/24
The security devices at both sites have a Trust zone and an Untrust zone. All security zones are in the trust-vr routing domain. You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24. You bind ethernet3 to the Untrust zone and give it the IP address assigned by the ISPs: 195.1.1.1/24 for Office A and 201.1.1.1/24 for Office B. You then create an extended interface with a DIP pool containing the authorized IP address on ethernet3:
Office A—extended interface IP 211.10.1.10/24; DIP pool 211.10.1.1 – 211.10.1.1; PAT enabled
Office B—extended interface IP 211.20.1.10/24; DIP pool 211.20.1.1 – 211.20.1.1; PAT enabled
You set the Trust zone interface in NAT mode. It uses the Untrust zone interface IP address as its source address in all outbound traffic except for traffic sent to the central office. You configure a policy to the central office that translates the source address to an address in the DIP pool in the extended interface. (The DIP pool ID number is 5. It contains one IP address, which, with port address translation, can handle sessions for ~64,500 hosts.) The MIP address that the central office uses for inbound traffic is 200.1.1.1, which you enter as “HQ” in the Untrust zone address book on each security device.
Each ISP must set up a route for traffic destined to a site at the end of a leased line to use that leased line. The ISPs route any other traffic they receive from a local security device to the Internet.
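The two DIP behaviors this chapter relies on, port address translation versus fixed port as explained in the PAT example, and the per-policy choice between the Untrust interface address and the DIP pool on the extended interface described for Office A above, can be modeled together. The following Python is an added example, not code from this guide or from NSM: the addresses (195.1.1.1, 200.1.1.1, DIP pool 5 = 211.10.1.1, the neutral pool 10.10.1.2) are the guide's; the translated port range, the use of SHA-1 for the host hash table, and refusing a second host on an already-used fixed port are assumptions of this model.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Added example, not code from the Juniper guide or NSM: source NAT through a
# one-address DIP pool in PAT mode and in fixed-port mode, plus the per-policy
# selection of the pool. Port range, hash function and collision handling are
# modeling assumptions; the addresses come from the guide's examples.

PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535   # ~64,500 translated ports per address


@dataclass
class DipPool:
    pool_id: int
    address: str                 # the guide's pools hold one address each
    fixed_port: bool = False
    # PAT mode: (translated ip, translated port) -> (original host, original port)
    sessions: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # fixed-port mode: (translated ip, kept port) -> hash of the original host
    port_owner: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # fixed-port mode: hash of the original host -> original host ("host hash table")
    host_hash_table: Dict[str, str] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Rewrite (src_ip, src_port) and record what the reply path needs."""
        if self.fixed_port:
            key = (self.address, src_port)
            digest = hashlib.sha1(src_ip.encode()).hexdigest()
            prior = self.port_owner.get(key)
            # The port is kept, so two hosts using the same source port cannot
            # share one pool address: refuse rather than mis-deliver replies.
            if prior is not None and prior != digest:
                raise RuntimeError(f"fixed-port collision on {self.address}:{src_port}")
            self.host_hash_table[digest] = src_ip    # hashed original host, saved
            self.port_owner[key] = digest
            return key
        # PAT: hand out the lowest free port on the pool address
        for port in range(PAT_PORT_LOW, PAT_PORT_HIGH + 1):
            key = (self.address, port)
            if key not in self.sessions:
                self.sessions[key] = (src_ip, src_port)
                return key
        raise RuntimeError(f"DIP pool {self.pool_id}: PAT port budget exhausted")

    def reverse(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Map a reply's destination back to the internal host, or None."""
        key = (dst_ip, dst_port)
        if self.fixed_port:
            digest = self.port_owner.get(key)
            return None if digest is None else (self.host_hash_table[digest], dst_port)
        return self.sessions.get(key)


class OfficeNat:
    """Office A from the guide: traffic to HQ is translated through the DIP
    pool on the extended interface; everything else leaves with the Untrust
    interface address (interface PAT)."""

    def __init__(self, egress_ip: str, hq_ip: str, hq_pool: DipPool) -> None:
        self.interface_pool = DipPool(pool_id=0, address=egress_ip)
        self.hq_ip, self.hq_pool = hq_ip, hq_pool

    def translate(self, src_ip: str, src_port: int, dst_ip: str) -> Tuple[str, int]:
        pool = self.hq_pool if dst_ip == self.hq_ip else self.interface_pool
        return pool.translate(src_ip, src_port)


def build_office_a() -> OfficeNat:
    """Office A: ethernet3 195.1.1.1, HQ MIP 200.1.1.1, DIP pool 5 = 211.10.1.1 with PAT."""
    return OfficeNat("195.1.1.1", "200.1.1.1", DipPool(pool_id=5, address="211.10.1.1"))
```

The contrast the guide draws is visible in the two tables a pool keeps: PAT needs a per-session port map, while fixed port keeps the original port and can only recover the host from the hash it stored, which is also why applications that insist on a fixed port (NetBEUI, WINS) need that mode and why a single fixed-port address cannot serve two hosts that pick the same source port.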
1. Add the devices:
For Office A, add a NetScreen-208 security device.
For Office B, add a NetScreen-204 security device.
2. Configure ethernet1 (Trust Zone) for Office A:
Double-click the Office A device to open the device configuration. In the device navigation tree, select Network > Interface.
Double-click ethernet1. The General Properties screen appears.
3. Configure IP address/netmask as 10.1.1.1/24 and Interface Mode as NAT.
4. Click OK to save your changes.
5. Configure ethernet3 (Untrust Zone) for Office A:
In the device navigation tree, select Network > Interface.
Double-click ethernet3. The General Properties screen appears.
Configure IP address/netmask as 195.1.1.1/24 and Interface Mode as Route.
6. In the interface navigation tree, select NAT > DIP. Click the Add icon to display the New Dynamic IP dialog box. Configure the DIP, and then click OK:
7. Enter the DIP ID.
8. Add multiple DIP ranges for a particular DIP ID as follows:
Select the Multiple DIP Range check box.
Click the Add icon. The New MultiRange of DIP dialog box appears.
For Rang ID, enter 1.
For Lower IP, enter 210.10.1.1.
For Upper IP, enter 210.10.1.1.
9. For Start, enter 210.10.1.1.
10. For End, enter 210.10.1.1.
11. For Shift From, enter 10.10.1.2.
12. For Scale-Size, enter 1.
13. Select the Fixed Port check box.
NOTE: Fixed Port is enabled by default when you add multiple DIP ranges for a DIP ID.
14. For Extended IP, enter 211.10.1.10.
15. For Netmask, enter 24.
16. Add the route to the Corporate Office on the trust-vr of Office A:
In the device navigation tree, select Network > Routing. Double-click the trust-vr router. The General Properties screen appears.
17. In the trust-vr navigation tree, select Routing Table. Click the Add icon and configure the new route:
Set the IP address/netmask to 0.0.0.0/0.
For Next Hop, select Gateway, and the gateway options appear.
For Interface, select ethernet3.
For Gateway IP Address, enter 195.1.1.254.
18. Leave all other defaults, and then click OK to save the route.
19. Click OK to save your changes to the trust-vr, and then click OK to save your changes and close the Office A device configuration.
20. Configure ethernet1 (Trust Zone) for Office B:
Double-click the Office B device to open the device configuration. In the device navigation tree, select Network > Interface.
Double-click ethernet1. The General Properties screen appears.
21. Configure IP address/netmask as 10.1.1.1/24 and Interface Mode as NAT.
Click OK to save your changes.
22. Configure ethernet3 (Untrust Zone) for Office B:
In the device navigation tree, select Network > Interface.
Double-click ethernet3. The General Properties screen appears.
Configure IP address/netmask as 201.1.1.1/24 and Interface Mode as Route.
23. In the interface navigation tree, select NAT > DIP. Click the Add icon to display the New Dynamic IP dialog box. Configure the DIP, and then click OK.
24. Enter the DIP ID.
25. To add multiple DIP ranges for a particular DIP ID:
Enable the Multiple DIP Range check box.
Click the Add icon to display the New MultiRange of DIP dialog box.
For Rang ID, enter 1.
For Lower IP, enter 10.10.1.2.
For Upper IP, enter 10.10.1.2.
26. For Start, enter 210.10.1.1.
27. For End, enter 210.10.1.1.
28. For Shift From, enter 10.10.1.2.
29. For Scale-Size, enter 1.
30. Enable the Fixed Port check box.
NOTE: Fixed Port is enabled by default when you add multiple DIP ranges for a DIP ID.
31. For Extended IP, enter 211.10.1.10.
32. For Netmask, enter 24.
33. Add the route to the Corporate Office on the trust-vr of Office B:
In the device navigation tree, select Network > Routing. Double-click the trust-vr router. The General Properties screen appears.
34. In the trust-vr navigation tree, select Routing Table. Click the Add icon and configure the new route:
Set the IP address/netmask to 0.0.0.0/0.
For Next Hop, select Gateway, and the gateway options appear.
For Interface, select ethernet3.
For Gateway IP Address, enter 201.1.1.254.
Leave all other defaults, and then click OK to save the route.
Click OK to save your changes to the trust-vr, and then click OK to save your changes and close the Office A device configuration.
35. Add the Address Object that represents HQ:
In the main navigation tree, select Object Manager > Address Objects. Click the Add icon and select Host. The New Host dialog box appears.
36. Configure the Host as detailed below, and then click OK:
For Name, enter Central Office HQ.
Select IP, and then enter the IP Address 200.1.1.1.
37. Create a Global DIP to reference the DIP pool on each device. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the DIP pool for an individual device, enabling you to use one object (the Global DIP object) to represent multiple DIP pools in a single rule.
In the navigation tree, select Object Manager > NAT Objects > DIP.
Click the Add icon to display the new Global DIP dialog box. Configure the Global DIP, and then click OK.
38. Configure two firewall rules, one of which uses the Global DIP object for NAT translation.
Related Documentation
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) on page 68
Interface Network Address Translation Using DIPs on page 67
Enabling Managed Devices Using Incoming DIP
Use an incoming DIP to enable the managed device to handle incoming Session Initiation Protocol (SIP) calls. SIP is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions (such as conferencing, telephony, or multimedia) over the Internet. SIP is used to distribute the session description, to negotiate and modify the parameters of an existing session, and to terminate a multimedia session.
NOTE: SIP is a predefined service that uses port 5060 as the destination port. To specify the SIP service in the Service column of a firewall rule, you must select the predefined service group VoIP, which includes the H.323 and SIP service objects.
To use SIP, a caller must register with the registrar before SIP proxies and location servers can identify where the caller wants to be contacted. A caller can register one or more contact locations by sending a REGISTER message to the registrar. The REGISTER message contains the address-of-record URI and one or more contact URIs. When the registrar receives the message, it creates bindings in a location service that associates the address-of-record with the contact addresses.
The security device monitors outgoing REGISTER messages from SIP users, performs NAT on these addresses, and stores the information in an incoming DIP table. When the device receives an INVITE message from the external network, it uses the incoming DIP table to identify which internal host to route the INVITE message to.
To enable the device to perform NAT on incoming SIP calls, you must configure an interface DIP or DIP pool on the egress interface of the device. A single interface DIP is adequate for handling incoming calls in a small office; a DIP pool is recommended for larger networks or an enterprise environment.
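The REGISTER-then-INVITE sequence the device tracks can be modeled with a small table keyed on the registered contact. The following Python is an added example, not code from this guide or from NSM: it assumes an interface DIP of 1.1.1.1 that keeps the original port, and the SIP messages, the user names and the host proxy.example.net are constructed for the illustration; the layout of the real incoming DIP table is not documented here.

```python
import re
from typing import Dict, Optional, Tuple

# Added example, not code from the Juniper guide or NSM: a model of the
# incoming DIP table. Outbound REGISTER messages are inspected, the Contact
# address is rewritten to the DIP address, and the binding is kept so that an
# INVITE arriving from outside can be forwarded to the right internal host.
# Messages and names below are constructed for the example.

_REQUEST_LINE = re.compile(
    r"^(?P<method>[A-Z]+)\s+sip:(?:(?P<user>[^@\s]+)@)?(?P<host>[\w.-]+)"
    r"(?::(?P<port>\d+))?\s+SIP/2\.0", re.M)
_CONTACT = re.compile(
    r"^Contact:\s*<sip:(?P<user>[^@\s]+)@(?P<host>[\d.]+):(?P<port>\d+)>", re.M)


class IncomingDipTable:
    """Bindings learned from outbound REGISTER, used to route inbound INVITE."""

    def __init__(self, dip_address: str) -> None:
        self.dip_address = dip_address
        # (user, public port on the DIP address) -> (internal host, port)
        self._bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def process_outbound(self, msg: str) -> str:
        """Return the message as it leaves the device. Only a REGISTER with a
        Contact header is rewritten; anything else passes unchanged."""
        req, contact = _REQUEST_LINE.search(msg), _CONTACT.search(msg)
        if req is None or req["method"] != "REGISTER" or contact is None:
            return msg
        user, host, port = contact["user"], contact["host"], int(contact["port"])
        # assumption: an interface DIP keeps the original port (one address,
        # fixed port), so the public port equals the internal one
        self._bindings[(user, port)] = (host, port)
        public = f"Contact: <sip:{user}@{self.dip_address}:{port}>"
        return _CONTACT.sub(public, msg, count=1)

    def route_inbound(self, msg: str) -> Optional[Tuple[str, int]]:
        """Return the internal (host, port) for an INVITE addressed to the DIP
        address, or None when no binding exists (the call is not forwarded)."""
        req = _REQUEST_LINE.search(msg)
        if req is None or req["method"] != "INVITE" or req["host"] != self.dip_address:
            return None
        port = int(req["port"]) if req["port"] else 5060   # SIP default port
        return self._bindings.get((req["user"], port))


# Constructed messages: alice at 10.1.1.20 behind the device registers with a
# proxy in the Untrust zone; the device's Untrust interface DIP is 1.1.1.1.
# Only the Contact header is modeled; a full ALG would rewrite Via as well.
REGISTER_MSG = "\r\n".join([
    "REGISTER sip:proxy.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK776asdhds",
    "From: <sip:alice@example.net>;tag=1928301774",
    "To: <sip:alice@example.net>",
    "Contact: <sip:alice@10.1.1.20:5060>",
    "Content-Length: 0", "", ""])
INVITE_MSG = "\r\n".join([
    "INVITE sip:alice@1.1.1.1:5060 SIP/2.0",
    "Via: SIP/2.0/UDP proxy.example.net:5060;branch=z9hG4bKnashds8",
    "From: <sip:bob@example.net>;tag=a6c85cf",
    "To: <sip:alice@example.net>",
    "Content-Length: 0", "", ""])


def demo() -> Tuple[str, Optional[Tuple[str, int]]]:
    """Run the exchange; returns the rewritten REGISTER and the routing decision."""
    table = IncomingDipTable("1.1.1.1")
    rewritten = table.process_outbound(REGISTER_MSG)
    return rewritten, table.route_inbound(INVITE_MSG)
```

An INVITE for a user who never registered through the device finds no binding and is not forwarded, which is the property that makes the incoming DIP safe to place on the egress interface: only hosts that announced themselves outbound become reachable inbound.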
NOTE: SIP uses UDP as its transport protocol. When using your managed device to handle SIP traffic, you might also want to enable UDP Flood Protection. For details on configuring UDP Flood Protection, see “Configuring Flood Defense Settings for Preventing Attacks” on page 41.
Related Documentation
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure) on page 68
Interface Network Address Translation Using DIPs on page 67
Example: Configuring Interface-Based DIP (NSM Procedure)
In this example, you configure an interface-based DIP on the Untrust interface of the security device, and then configure a firewall rule that permits SIP traffic from the Untrust zone to the Trust zone and references the interface DIP. You also configure a rule that permits SIP traffic from the Trust to the Untrust zone using NAT source, which enables hosts in the Trust zone to register with the proxy in the Untrust zone.
1. Add a NetScreen-208 device named Office A. Choose Model when adding the device and configure it as running ScreenOS 5.1.
2. Configure ethernet1 (Trust Zone) for Office A:
Double-click Office A device to open the device configuration. In the device navigation tree, select Network > Interface.
Double-click ethernet1. The General Properties screen appears.
Configure IP address/netmask as 10.1.1.1/24 and Interface mode as NAT.
Click OK to save your changes.
3. Configure ethernet3 (Untrust Zone) for Office A:
Double-click ethernet3. The General Properties screen appears.
Configure IP address/netmask as 1.1.1.1/24.
In the interface navigation tree, select NAT > DIP, and then click the Interface DIP tab.
Select Incoming NAT.
4. Click OK to save your changes to the interface, and then click OK again to save your changes to the device.
5. Create a Global DIP to reference the Interface DIP on Office A. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the Interface DIP for an individual device.
6. In the navigation tree, select Object Manager > NAT Objects > DIP.
7. Click the Add icon to display the new Global DIP dialog box.
8. Configure the Global DIP.
9. Configure firewall rules:
Rule 1 handles outgoing SIP traffic, and uses the outgoing interface to perform NAT.
Rule 2 handles incoming SIP traffic, and uses the Interface DIP as the destination to perform NAT.
NOTE: SIP is a predefined service that uses port 5060 as the destination port. To specify the SIP service in the Service column of a firewall rule, you must select the predefined service group VoIP, which includes the H.323 and SIP service objects.
Related Documentation
Enabling Managed Devices Using Incoming DIP on page 73
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure) on page 69
Interface Network Address Translation Using DIPs on page 67
Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure)
In this example, you configure a DIP pool on the Untrust interface to perform NAT on incoming SIP calls. After creating the DIP pool and Global DIP object, you configure a firewall rule to permit SIP traffic from the Untrust zone to the Trust zone and reference the DIP pool. You also configure a rule to permit SIP traffic from the Trust to the Untrust zone, which enables hosts in the Trust zone to register with the proxy in the Untrust zone.
1. Add a NetScreen-204 device named Office B. Choose Model when adding the device and configure it as running ScreenOS 5.1.
2. Configure ethernet1 (Trust Zone) for Office B:
Double-click Office B device to open the device configuration. In the device navigation tree, select Network > Interface.
Double-click ethernet1. The General Properties screen appears.
Configure IP address/netmask as 10.1.1.1/24 and Interface mode as NAT.
Click OK to save your changes.
3. Configure ethernet3 (Untrust Zone) for Office B:
Double-click ethernet3. The General Properties screen appears.
Configure IP address/netmask as 1.1.1.1/24.
4. In the interface navigation tree, select NAT > DIP, and then click the Add icon. The new DIP Pool dialog box appears. Configure as detailed below:
5. Enter the DIP ID.
6. Add multiple DIP ranges for a particular DIP ID:
Enable the Multiple DIP Range check box.
Click the Add icon to display the New MultiRange of DIP dialog box.
Enter the identification range for Rang ID.
For Lower IP, enter the same IP address as the subnet interface IP address.
For Upper IP, enter the same IP address as the subnet interface IP address.
7. For Start, enter 1.1.1.20.
8. For End, enter 1.1.1.40.
9. For Shift From, enter 1.1.1.20.
10. For Scale-Size, enter 1.
11. Select the Fixed Port check box.
NOTE: Fixed Port is enabled by default when you add multiple DIP ranges for a DIP ID.
12. For Extended IP, enter 211.10.1.10.
13. For Netmask, enter 24.
14. Select Incoming NAT.
15. Click OK.
16. Create a Global DIP to reference the Incoming NAT DIP on Office B. You use a Global DIP when configuring NAT in a firewall rule; the Global DIP references the Incoming NAT DIP for an individual device.
In the navigation tree, select Object Manager > NAT Objects > DIP.
Click the Add icon to display the new Global DIP dialog box.
17. Configure the Global DIP.
18. Configure firewall rules:
Rule 1 handles outgoing SIP traffic and uses the outgoing interface to perform NAT.
Rule 2 handles incoming SIP traffic and uses the interface DIP to perform NAT.
Related Documentation
Example: Configuring Interface-Based DIP (NSM Procedure) on page 74
Interface Network Address Translation Using DIPs on page 67