Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 User Manual

Network and Security Manager

Configuring ScreenOS Devices Guide

Release

2010.4

Published: 2010-11-17

Revision 01

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This productincludes the Envoy SNMP Engine, developed by Epilogue Technology,an Integrated Systems Company.Copyright ©1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager Configuring ScreenOS Devices Guide

Revision History 18 November 2010—01

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER)CONSENT TO BE BOUNDBY THIS AGREEMENT.IF YOUDO NOTOR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (ifthe Customer’sprincipal officeis located outsidethe Americas) (such applicable entitybeing referred to herein as“Juniper”),and (ii) the person or organization thatoriginally purchased from Juniperor an authorized Juniperreseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and thelimitations andrestrictions setforth herein,Juniper grantsto Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitsto Customer’s useof the Software. Suchlimits may restrictuse to amaximum numberof seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, toany thirdparty; (d)remove any proprietarynotices, labels,or marks on orin any copy of the Softwareor any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold inthe secondhand market; (f)use any ‘locked’ orkey-restricted feature,function, service, application, operation, orcapability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompaniesthe Software (the“Warranty Statement”).Nothing inthis Agreement shallgive riseto any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENTOF SUBSTITUTEGOODS ORSERVICES,OR FOR ANY SPECIAL,INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIEDSOFTWARE. INNO EVENT SHALLJUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and anysupplier of Juniper whoseproducts or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in itsown name asif it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

Part 1 Configuring

Chapter 1 NSM User Interface and NSM Key Management Features . . . . . . . . . . . . . . . 3

NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Security Integration Management Using NSM Overview . . . . . . . . . . . . . . . . . . . . . 4

Complete Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Network Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Role-Based Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Centralized Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Migration Tools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Managing Devices in a Virtual Environment Using NSM . . . . . . . . . . . . . . . . . . . . . . 6

Device Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Rapid Deployment (RD) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Policy-Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Error Prevention, Recovery, and Audit Management Using NSM . . . . . . . . . . . . . . . 8

Device Configuration Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Policy Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Atomic Configuration and Updating . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Device Image Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Auditing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Administering ScreenOS Devices Using NSM Complete System

Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

VPN Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Integrated Logging and Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Monitoring Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Job Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

NSM User Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Configuring UI Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Understanding NSM User Interface Menus and Toolbars . . . . . . . . . . . . . . . . . . . . 12

Working with Multiple NSM Administrators Overview . . . . . . . . . . . . . . . . . . . . . . . 13

NSM Modules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Navigation Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Main Display Area . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configuring ScreenOS Devices Guide

Chapter 2 Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 3 Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Investigate Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . 14

Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Report Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Log Investigator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Realtime Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Security Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Audit Log Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configure Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . . 16

Device Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

VPN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Object Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Administer Task Modules in the NSM User Interface Overview . . . . . . . . . . . . . . . 20

Server Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Job Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Action Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Understanding Validation Icons and Validation Data in the NSM User

Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Understanding the Search Function in the NSM User Interface . . . . . . . . . . . . . . . 22

Device Configuration Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

About Configuring Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

About Configuring Extranet Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Configuring Advanced Properties for ScreenOS Device Details . . . . . . . . . . . . . . . 26

Configuring a Blacklisted Entry (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 27

Enabling ALGs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

About Configuring Devices Running Future Releases of ScreenOS . . . . . . . . 29

Configuring Extranet Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Configuring Extranet Devices Details (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 30

Understanding Templates and Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Using Global Device Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Using Device Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Configuring Network Settings Options and Descriptions . . . . . . . . . . . . . . . . . . . . 34

Configuring Zones and Zone Properties in ScreenOS Devices Overview . . . . . . . . 39

Predefined Screen Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring Flood Defense Settings for Preventing Attacks . . . . . . . . . . . . . . . . . . 41

Configuring ICMP Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring SYN Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Configuring UDP Flooding Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Example: Configuring UDP Flooding Protection (NSM Procedure) . . . . . . . . . . . . 43

HTTP Components and MS-Windows Defense Method . . . . . . . . . . . . . . . . . . . . 43

Protection Against Scans, Spoofs, and Sweeps . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

IP and TCP/IP Anomaly Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Prevention of Security Zones Using Denial of Service Attacks . . . . . . . . . . . . . . . . 47

Table of Contents

Malicious URL Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Example: Enabling the Malicious URL Blocking Option (NSM Procedure) . . . . . . 50

Interface Types in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring Physical and Function Zone Interfaces in ScreenOS Devices

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Setting Interface Properties Using the General Properties Screen . . . . . . . . . . . . 53

Setting WAN Properties Using the WAN Properties Screen . . . . . . . . . . . . . . . . . . 54

Setting Port Properties Using the Port Properties Screen . . . . . . . . . . . . . . . . . . . 54

Using MLFR and MLPPP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Setting Physical Link Attributes for Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Enabling Management Service Options for Interfaces . . . . . . . . . . . . . . . . . . . . . . 56

Setting DHCPv6 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure) . . 58

Configuring Custom DHCP Options (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 59

Using Interface Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Using Interface Secondary IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Enabling ScreenOS Devices for Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . 61

Supporting Generic Routing Encapsulation Using Tunnel Interfaces . . . . . . . . . . 62

Interface Network Address Translation Methods . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Interface Network Address Translation Using MIPs . . . . . . . . . . . . . . . . . . . . . . . . 62

Example: Configuring MIPs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Interface Network Address Translation Using VIPs . . . . . . . . . . . . . . . . . . . . . . . . 65

Mapping Predefined and Custom Services in a VIP . . . . . . . . . . . . . . . . . . . . . . . . 65

Example: Configuring VIPs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Interface Network Address Translation Using DIPs . . . . . . . . . . . . . . . . . . . . . . . . . 67

Example: Enabling Multiple Hosts Using Port Address Translation (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Example: Translating Source IP Addresses into a Different Subnet (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Enabling Managed Devices Using Incoming DIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Example: Configuring Interface-Based DIP (NSM Procedure) . . . . . . . . . . . . . . . . 74

Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure) . . . . 75

Example: Configuring an Aggregate Interface (NSM Procedure) . . . . . . . . . . . . . . 77

Example: Configuring a Multilink Interface (NSM Procedure) . . . . . . . . . . . . . . . . 78

Example: Configuring a Loopback Interface (NSM Procedure) . . . . . . . . . . . . . . . 79

Configuring Virtual Security Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Example: Configuring a Redundant Interface (NSM Procedure) . . . . . . . . . . . . . . 80

Example: Configuring a Subinterface (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 84

Example: Configuring a WAN Interface (NSM Procedure) . . . . . . . . . . . . . . . . . . . 86

Configuring a Tunnel Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Using Numbered Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Using Unnumbered Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Configuring Maximum Transmission Unit Size . . . . . . . . . . . . . . . . . . . . . . . . 88

ADSL Interface in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices . . . . . . . . . . . . . 89

About ADSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

About the ADSL Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

ADSL Settings from the Service Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Configuring ScreenOS Devices Guide

Chapter 4 Advanced Network Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Determining Physical Ports and Logical Interfaces and Zones Using ScreenOS

Devices Port Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Backup Connection Using the Untrusted Ethernet Port in ScreenOS Devices . . . 92 Example: Configuring NetScreen5GT Devices to Permit Internal Hosts (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Example: Configuring NetScreen5GT Devices to Connect to the Web Using the

PPPoA and ADSL Interfaces (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 94

Example: Configuring NetScreen5GT Devices as a Firewall Using the PPPoE and

ADSL Interfaces (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Wireless Interface on ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . 99

Configuring DSCP Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Example: Configuring DIP Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 100

DNS Server Configuration Using DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Configuring DNS Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Configuring DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Example: Configuring DNS Proxy Entries (NSM Procedure) . . . . . . . . . . . . . . . . . 105

Example: Configuring DDNS Settings (NSM Procedure) . . . . . . . . . . . . . . . . . . . 106

Advanced Network Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring ARP Cache Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring VIP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Configuring DIP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configuring Advanced Device Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Example: Defining Forced Timeout (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 112

Identifying Reasons for Session Close in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

Configuring Policy Schedules (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Configuring Timeouts for Predefined Services (NSM Procedure) . . . . . . . . . . . . . 115

Configuring Session Cache for Predefined Services (NSM Procedure) . . . . . . . . . 115

Configuring SIP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Configuring MGCP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Configuring H.323 Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Allocating Network Bandwidth Using Traffic Shaping Options . . . . . . . . . . . . . . . 119

Enabling/Disabling Application Layer Gateway Protocols Overview . . . . . . . . . . 120

Using Packet Flow Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

ICMP Path MTU Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Allow DNS Reply Without Matched Request . . . . . . . . . . . . . . . . . . . . . . . . . 123

Allow MAC Cache for Management Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Allow Unknown MAC Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Skip TCP Sequence Number Check . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

TCP RST Invalid Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Check TCP SYN Bit Before Create Session . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Check TCP SYN Bit Before Create Session for Tunneled Packets . . . . . . . . . 125

Use SYN-Cookie for SYN Flood Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Enforce TCP Sequence Number Check on TCP RST Packet . . . . . . . . . . . . . 126

Use Hub-and-Spoke Policies for Untrust MIP Traffic . . . . . . . . . . . . . . . . . . . 126

Max Fragmented Packet Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Flow Initial Session Timeout (Seconds) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Multicast Flow Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Table of Contents

TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

All TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

GRE In TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

GRE Out TCP MSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Early Ageout Time Before the Session’s Normal Ageout . . . . . . . . . . . . 129

Percentage of Used Sessions Before Early Aging Begins . . . . . . . . . . . . 129

Percentage of Used Sessions Before Early Aging Stops . . . . . . . . . . . . . 129

Configuring Features Unsupported in NSM Using Supplemental CLI Options

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Configuring ScreenOS with TFTP or FTP Servers Enabled Using TFTP/FTP

Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Configuring Hostnames and Domain Names Overview . . . . . . . . . . . . . . . . . . . . 130

Configuring NSGP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

NSGP Modules Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure) . . . . . . . 132

Using the PPP Option to Configure Point-To-Point Protocol Connections . . . . . 134

About Configuring PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Example: Updating DNS Servers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 136

Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Configuring a PPPoA Client Instance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Configuring a NetScreen Address Change Notification . . . . . . . . . . . . . . . . . . . . . 141

Interface Failover in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Example: Configuring Modem Connections (NSM Procedure) . . . . . . . . . . . . . . . 142

Example: Creating Modem Settings (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 143

Example: Creating ISP Connection Settings (NSM Procedure) . . . . . . . . . . . . . . 144

Setting ISP Priority for Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Chapter 5 Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Device Administration Options for ScreenOS Devices Overview . . . . . . . . . . . . . 148

Importing Device Administrators from a Physical Device Overview . . . . . . . . . . . 148

Device Administrator Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Device Administrator Account Configuration Overview . . . . . . . . . . . . . . . . . . . . 150

Configuring Privilege Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Configuring Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Admin Access Lock Setting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152

Roles for Device Administrator Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Supporting Admin Accounts for Dialup Connections . . . . . . . . . . . . . . . . . . . . . . 153

Restricting Management Connections Using Permitted IPs . . . . . . . . . . . . . . . . . 154

Local Access Configuration Using CLI Management Overview . . . . . . . . . . . . . . . 155

File Formatting in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Port Numbers for SSH and Telnet Connections in NSM Overview . . . . . . . . . . . . 156

Limiting Login Attempts, Setting Dial-InAuthentication, and RestrictingPassword

Length in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Asset Recovery and Reset Hardware in NSM Overview . . . . . . . . . . . . . . . . . . . . . 157

Console-Only Connections in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Configuring ScreenOS Devices Guide

Chapter 6 Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Chapter 7 Planning and Preparing VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Secure Shell Server in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Using SSH Version 1 (SSHv1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Using SSH Version 2 (SSHv2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159

Configuring CLI Banners in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Configuring Remote Access Using Web Management Overview . . . . . . . . . . . . . 161

Configuring HTTP Administrative Connections in ScreenOS Devices Using NSM

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Configuring Secure Connections in ScreenOS Devices Using NSM Overview . . . 162 Configuring Network Time Protocol and NTP Backup Server in NSM

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163

Configuring Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Configuring an NTP Backup Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

Setting ScreenOS Authentication Options Using General Auth Settings . . . . . . 165

Clearing RADIUS Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Assigning an Authentication Request Interface . . . . . . . . . . . . . . . . . . . . . . . 165

Setting ScreenOS Authentication Options Using Banners Overview . . . . . . . . . . 166

Setting ScreenOS Authentication Options Using Default Servers Overview . . . . 167

Setting ScreenOS Authentication Options Using Infranet Settings Overview . . . 167

General Report Settings for ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . 168

Configuring Syslog Host Using NSM (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 169

Configuring SNMPv3 in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . . . 170

Classification of Security Options Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

Classification of Antivirus Scanning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

External Antivirus Scanner Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Internal Antivirus Scan Manager Settings Overview . . . . . . . . . . . . . . . . . . . . . . . 178

Internal Antivirus HTTP Webmail Settings Overview . . . . . . . . . . . . . . . . . . . . . . 181

Antivirus Scanner Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Classification of Deep Inspection Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Attack Object Database Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Using Attack Objects Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Antispam Settings in ScreenOS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Configuring Antispam Settings in ScreenOS (NSM Procedure) . . . . . . . . . . . . . . 187

Configuring IDP Security Module Settings in ScreenOS Overview . . . . . . . . . . . . 189

Load-Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Run-Time Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Protocol Thresholds and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Configuring Integrated Web Filtering in ScreenOS (NSM Procedure) . . . . . . . . . 190

Example: Configuring Integrated Web Filtering (NSM Procedure) . . . . . . . . . . . . 190

Redirect Web Filtering in ScreenOS Using NSM Overview . . . . . . . . . . . . . . . . . . 192

Example: Configuring Redirect Web Filtering in ScreenOS (NSM Procedure) . . . 193

Adding Proxy Addresses Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

System-Level and Device-Level VPN Using NSM Overview . . . . . . . . . . . . . . . . . 196

System-Level VPN with VPN Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . 196

Device-Level VPN in Device Manager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 197

VPN Configuration Supported Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Planning Your VPN Using NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Table of Contents

Defining VPN Members and Topology Using NSM . . . . . . . . . . . . . . . . . . . . . . . . 200

Traffic Protection Using Tunneling Protocol in NSM Overview . . . . . . . . . . . . . . 202

Traffic Protection Using IPsec Tunneling Protocol Overview . . . . . . . . . . . . . . . . 203

Using Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Using Encapsulating Security Payload (ESP) . . . . . . . . . . . . . . . . . . . . . . . . 203

Traffic Protection Using L2TP Tunneling Protocol Overview . . . . . . . . . . . . . . . . 205

VPN Tunnel Types Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

About Policy-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

About Route-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Defining VPN Checklist Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Defining Members and Topology in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Defining Traffic Types for Data Protection in NSM . . . . . . . . . . . . . . . . . . . . . . . . 207

Defining VPN Traffic Using Security Protocols in NSM . . . . . . . . . . . . . . . . . . . . . 208

Defining Tunnel Creation Methods in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Using VPN Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Creating Device-Level VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Preparing Basic VPN Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Preparing Required Policy-Based VPN Components Overview . . . . . . . . . . . . . . . 211

Policy-Based VPN Creation Using Address Objects and Protected Resources

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Configuring Address Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Configuring Protected Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Policy-Based VPN Creation Using Shared NAT Objects Overview . . . . . . . . . . . . 212

Policy-Based VPN Creation Using Remote Access Server Users Overview . . . . . 213

Authenticating RAS Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Configuring Group IKE IDS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Configuring Required Routing-Based VPN Components Overview . . . . . . . . . . . 215

Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Routing-Based VPN Support Using Static and Dynamic Routes Overview . . . . . 216

Preparing Optional VPN Components Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Optional VPN Support Using Authentication Servers Overview . . . . . . . . . . . . . . 217

Optional VPN Support Using Certificate Objects Overview . . . . . . . . . . . . . . . . . 217

Configuring Local Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Configuring CA Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Configuring CRL Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Chapter 8 Configuring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Device Level VPN Types and Supported Configurations Overview . . . . . . . . . . . . 221

Device Level AutoKey IKE VPN: Using Gateway Configuration Overview . . . . . . . 221

ScreenOS Devices Gateway Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

ScreenOS Devices IKE IDs or XAuth Identification Number . . . . . . . . . . . . . 224

Security Methods for ScreenOS Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Device Level AutoKey IKE VPN: Using Routes Configuration Overview . . . . . . . . 227

Device-Level AutoKey IKE VPN: Using VPN Configuration Overview . . . . . . . . . . 227

Device-Level AutoKey IKE VPN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 227

ScreenOS Security Measures Using VPN Configuration . . . . . . . . . . . . . . . . 228

Binding/ProxyID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Monitor Management on ScreenOS Devices Using AutoKey IKE VPN . . . . . 230

Configuring ScreenOS Devices Guide

Device-Level AutoKey IKE VPN: Using VPN Rule Configuration Overview . . . . . 230

Device-Level Manual Key VPN: Using XAuth Users Overview . . . . . . . . . . . . . . . . 231

Device-Level Manual Key VPN: Using Routing-Based VPN Overview . . . . . . . . . 231

Device-Level Manual Key VPN: Using VPN Configuration Overview . . . . . . . . . . 232

Device-Level Manual Key VPN Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Monitor Management on ScreenOS Devices Using Manual Key VPN . . . . . . 233

Device Level Manual Key VPN: Using VPN Rule Configuration Overview . . . . . . 234

Device Level L2TP VPN: Using L2TP Users Configuration Overview . . . . . . . . . . 235

Device Level L2TP VPN: Using L2TP Configuration Overview . . . . . . . . . . . . . . . 235

Device Level L2TP VPN: Using VPN Rule Configuration Overview . . . . . . . . . . . . 236

Creating Device Level L2TP-over-Autokey IKE VPNs Overview . . . . . . . . . . . . . . 237

Adding VPN Rules to a Security Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . 237

Configuring the VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Configuring the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

Assigning and Installing the Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . 238

Example: Creating Device Level VPN Type 1 (NSM Procedure) . . . . . . . . . . . . . . 238

Example: Creating Device Level VPN Type 2 (NSM Procedure) . . . . . . . . . . . . . . 243

Example: Creating Device Level VPN Type 3 (NSM Procedure) . . . . . . . . . . . . . . 245

L2TP and Xauth Local Users Configuration Overview . . . . . . . . . . . . . . . . . . . . . 247

Configuring L2TP Local Users (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 247

XAuth Users Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Vsys Configurations in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Virtual Router Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . 251

Zone Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . . . . . . . . 251

Interface Configurations for Root and Vsys Overview . . . . . . . . . . . . . . . . . . . . . . 252

Viewing Root and Vsys Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Managing Inter-Vsys Traffic with Shared DMZ Zones . . . . . . . . . . . . . . . . . . . . . . 253

Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure) . . . . . . . . . . 254

Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure) . . . . 256

Layer 2 Vsys Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Assigning L2V VLAN IDs (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

L2V VLAN Groups in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

Predefined L2V Zones in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

L2V Interface Management in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Configuring L2V VLAN Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . 261

Configuring L2V Aggregate Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Converting L2V to VLAN Trunking (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . 262

Configuring Crypto-Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Certificate Authentication Support in NSM Overview . . . . . . . . . . . . . . . . . . . . . 267

Self-Signed Certificates in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Local Certificate Validation of ScreenOS Devices Overview . . . . . . . . . . . . . . . . 268

Generating Certificate Requests to ScreenOS Devices (NSM Procedure) . . . . . 269

Loading Local Certificate into NSM Management System . . . . . . . . . . . . . . . . . . 270

Installing Local Certificates Using SCEP in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Manual Installation of Local Certificates in NSM . . . . . . . . . . . . . . . . . . . . . . . . . 272

Certificate Authority Configuration in NSM Overview . . . . . . . . . . . . . . . . . . . . . . 272

Installing CA Certificates Using SCEP in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Manual Installation of CA Certificates in NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . 274

Table of Contents

Configuring Certificate Revocation Lists (NSM Procedure) . . . . . . . . . . . . . . . . . 274

Imported Certificates in NSM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

PKI Default Settings Configuration in NSM Overview . . . . . . . . . . . . . . . . . . . . . . 276

Configuring X509 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Configuring Revocation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Configuring Simple Certificate Enrollment Protocol . . . . . . . . . . . . . . . . . . . 277

Chapter 9 Voice Over Internet Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

SCCP Support in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Configuring SCCP ALG in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . 280

SIP ALG Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

SIP Request Methods Supported in ScreenOS Devices . . . . . . . . . . . . . . . . . . . . 282

Types of SIP Response Classes Supported in ScreenOS Devices . . . . . . . . . . . . 284

ALG Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286

Configuring SIP ALG in ScreenOS Devices (NSM Procedure) . . . . . . . . . . . . . . . 287

SDP Session Description Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

Pinhole Creation in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . . . . . . . . . 289

Session Inactivity Timeout in ScreenOS Devices Overview . . . . . . . . . . . . . . . . . 290

Chapter 10 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293

Configuring Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294

Route Types Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295

Virtual Routers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Configuring Virtual Routers (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . 296

Virtual Router General Properties Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

Access List Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

Example: Configuring Access Lists (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . 299

Route Map Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Export and Import Rules in a Virtual Router Overview . . . . . . . . . . . . . . . . . . . . . 302

Example: Configuring Export Rules in a Virtual Router (NSM Procedure) . . . . . . 303

Routing Table Entries Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305

Destination-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307

Source-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308

Example: Configuring Source-Based Routes (NSM Procedure) . . . . . . . . . . . . . 308

Source Interface-Based Routes Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309

Example: Source-Interface-Based Routing (NSM Procedure) . . . . . . . . . . . . . . . 310

Configuring Route Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Dynamic Routing Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

OSPF Protocol Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Enabling OSPF (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Global OSPF Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

Configuring OSPF Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

Configuring OSPF Areas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring OSPF Summary Import . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring OSPF Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Configuring OSPF Virtual Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317

Configuring OSPF Interface Parameters Overview . . . . . . . . . . . . . . . . . . . . . . . . 317

Configuring OSPF Neighbors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring OSPF Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319

Configuring OSPF (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

Configuring ScreenOS Devices Guide

Chapter 11 Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

RIP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

Configuring RIP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

Global RIP Settings Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Configuring RIP Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Configuring RIP Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Configuring RIP Summary Import (ScreenOS 5.1 and later only) . . . . . . . . . 325

RIP Interface Parameters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Configuring RIP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

BGP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Route-Refresh Capabilities Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Configuring BGP Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Configuring Aggregate Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Configuring Neighbors and Peer Groups Overview . . . . . . . . . . . . . . . . . . . . . . . . 330

Configuring a BGP Routing Instance (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 331

Configuring NHRP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

Configuring OSPFv3 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

OSPFv3 Support in Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

OSPFv3 Support in Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

OSPFv3 Area Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

OSPFv3 Interface Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

OSPFv3 Route Preference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335

Configuring RIPng Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

RIPng Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 336

Redistribution Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Multicast Route Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337

Configuring IGMP (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 338

Configuring IGMP Proxy (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 339

Configuring PIM Sparse Mode (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . 341

Configuring a Rendezvous Point to Group Mappings (NSM Procedure) . . . . . . . 342

Configuring Acceptable Groups (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . 343

Example: Configuring Proxy RP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345

Multicast Routing Table Entries Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Multicast Routing Table Preferences Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 346

Configuring Multicast Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347

Example: Configuring Multicast Static Routes (NSM Procedure) . . . . . . . . . . . . 347

IRDP Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Example: Configuring ICMP Router Discovery Protocol (NSM Procedure) . . . . . 349

Disabling IRDP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350

Policy-Based Routing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

Example: Configuring Policy-Based Routing (NSM Procedure) . . . . . . . . . . . . . . 352

Vsys DHCP Enhancement Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355

Vsys Limitations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356

Example: Configuring Vsys Resource Limits (NSM Procedure) . . . . . . . . . . . . . . 357

Vsys Session Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

Example: Configuring Vsys Session Limit (NSM Procedure) . . . . . . . . . . . . . . . . 358

Vsys CPU Limit Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359

Table of Contents

Example: Configuring CPU Limit (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . 360

Chapter 12 User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

IEEE 802.1x Support Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361

Supported EAP Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362

Chapter 13 High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

NSRP Clusters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Creating an NSRP Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Configuring Active/Passive Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Example: Configuring Active/Passive Cluster (NSM Procedure) . . . . . . . . . . . . . 367

Active/Active Configurations Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370

Configuring an Active/Active Cluster (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 371

Synchronizing Virtual Router Configurations and RunTime Objects (NSM

Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Synchronizing Virtual Router Configurations . . . . . . . . . . . . . . . . . . . . . . . . . 372

Configuring the Virtual Router Synchronization Settings . . . . . . . . . . . . . . . . 372

Synchronizing Runtime Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373

Changing VSD Group Member States (NSM Procedure) . . . . . . . . . . . . . . . . . . . 373

Example: Changing VSD Group Member States (NSM Procedure) . . . . . . . . . . . 374

Configuring NSRP to Detect Interface and Zone Failure . . . . . . . . . . . . . . . . . . . . 375

Configuring Track IPs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 376

Configuring Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Configuring Zone Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377

Configuring Monitor Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Vsys Clusters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Exporting and Importing Device Configurations (NSM Procedure) . . . . . . . . . . . 379

Chapter 14 WAN, ADSL, Dial, and Wireless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Wireless Settings in a Security Device Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 381

Configuring General Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 382

Configuring Antennas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Configuring Channels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Configuring Operation Mode Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Configuring Transmission Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 384

Configuring Advanced Wireless Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring Aging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 385

Configuring Beacons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Configuring Burst and Fragment Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

Configuring Control Frame Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387

Configuring Short Slots . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Configuring Preambles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Configuring Wireless MAC Access Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Configuring MAC Access Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Configuring MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Configuring Wireless General SSID Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390

Configuring SSID Authentication and Encryption . . . . . . . . . . . . . . . . . . . . . . . . . 391

Configuring Wired Equivalent Privacy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configuring WEP Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 393

Configuring ScreenOS Devices Guide

Chapter 15 General Packet Radio Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407

Using Wi-Fi Protected Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395

Reactivating Wireless Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Conducting a Site Survey for Detecting Access Points . . . . . . . . . . . . . . . . . . . . . 397

Network, Interface, and Security Modules Supported in Security Devices . . . . . 397

Configuring the Network Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397

Slot Information in Security Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Physical Interface Modules Supported by SSG520 and SSG550 Security

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

Interface Modules (Copper) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

10/100 Mbps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

10/100/1000 Mbps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Interface Modules (Fiber) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Secure Port Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399

Chassis Information Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

WPA2, Extended Range, and Super G Support on NetScreen5GT Wireless

Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Wi-Fi Protected Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401

Configuring Wi-Fi Protected Access (NSM Procedure) . . . . . . . . . . . . . . . . . . . . 402

Super G Methods Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403

Configuring Atheros XR (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404

3GPP R6 Information Elements Support Overview . . . . . . . . . . . . . . . . . . . . . . . 407

Radio Access Technology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Routing Area Identity and User Location Information . . . . . . . . . . . . . . . . . 408

APN Restriction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

IMSI Prefix Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

IMEI-SV . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Configuring Access Point Name Restriction (NSM Procedure) . . . . . . . . . . . . . . 409

Configuring IMSI Prefix Filter (NSM Procedure) . . . . . . . . . . . . . . . . . . . . . . . . . . 409

DHCP Relay Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

About This Guide

•

Objectives on page xix

•

Audience on page xix

•

Conventions on page xix

•

Documentation on page xxi

•

Requesting Technical Support on page xxii

Objectives

The Network and Security Manager (NSM) is a software application that centralizes control andmanagement of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for all security devices.

NSM uses the technology developed for Juniper Networks ScreenOS to enable and simplify management support forprevious and future versions of ScreenOS. By integrating management of all JuniperNetworks security devices, NSMenhances theoverall security of the Internet gateway.

This guide explainshow toconfigure NSM ScreenOSdevices. For detailedNSM IDP device configuration, see the Configuring Intrusion Detection and Prevention Devices Guide. Use this guide in conjunction with the Network and Security Manager Administration Guide, Network and Security Manager Installation Guide, and Network and Security Manager Online Help.

Audience

This guide is intended for system administrators responsible for the securityinfrastructure of their organization. Specifically, this book discusses concepts of interest to firewall and VPN administrators, network/security operations center administrators; and system administrators responsible for user permissions on the network.

Conventions

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.

All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Configuring ScreenOS Devices Guide

Table 1 on page xx defines notice icons used in this guide.

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2 on page xx defines text conventions used in this guide.

Table 2: Text Conventions

Bold typeface

fixed-width font

Keynames linkedwith a plus (+) sign

Italics

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

•

Identifies chapter, appendix, and book names

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold sans serif typeface

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

•

Appendix A, System Specifications.

The angle bracket (>)

Table 3 on page xxi defines syntax conventions used in this guide.

Indicates navigation paths through the UI by clicking menu options and links.

Object Manager > User Objects > Local Objects

Table 3: Syntax Conventions

About This Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

Documentation

Table 4 on page xxi describes documentation for the NSM.

Table 4: Network and Security Manager Publications

Network and Security Manager Installation Guide

variable to the left or right of this symbol. The keywordor variable canbe optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

DescriptionBook

Details the stepsto installthe NSMmanagement system on asingle server or on separate servers. It also includes information on how to install and run the NSM user interface. This guide is intended for IT administrators responsible for the installation and/or upgrade to NSM.

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in |out } { clusterId | ipAddress }

Network and Security Manager Administration Guide

Network and Security Manager ScreenOS and IDP Devices Guide

describes how to use and configure key management features in the NSM. Itprovides conceptual information, suggested workflows, and examples where applicable. This guide is best used in conjunction with the Network and Security Manager Online Help, which provides step-by-step instructions for performing management tasks in the NSM UI.

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Describes NSM features that relate to device configuration and management. It also explains how to configure basic andadvanced NSM functionality, including deploying new device configurations, managing Security Policies and VPNs, and general device administration.

Configuring ScreenOS Devices Guide

Table 4: Network and Security Manager Publications (continued)

DescriptionBook

Network and Security Manager Online Help

Network and Security Manager API Guide

Network and Security Manager Release Notes

Requesting Technical Support

Technical productsupport is availablethrough theJuniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf.

Provides task-oriented procedures describing how to perform basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides complete syntax and description of the SOAP messaging interface to the Network and Security Manager.

Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notesdiffers from the information found in the documentation set, follow the Release Notes.

Release notes are included on the corresponding software CD and are available onthe Juniper Networks Website. The documentation is also available on the Internet. You can order a set of printed documents from your Juniper Networks sales representative.

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/.

•

JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Search for known bugs: http://www2.juniper.net/kb/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

About This Guide

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Manager: http://www.juniper.net/cm/

To verifyservice entitlement byproduct serial number,use our Serial Number Entitlement (SNE) Tool located at https://tools.juniper.net/SerialNumberEntitlementSearch/.

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Manager tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html.

Configuring ScreenOS Devices Guide

PART 1

Configuring

•

NSM User Interface and NSM Key Management Features on page 3

•

Device Configuration on page 25

•

Network Settings on page 37

•

Advanced Network Settings on page 111

•

Administration on page 147

•

Security on page 175

•

Planning and Preparing VPNs on page 195

•

Configuring VPNs on page 219

•

Voice Over Internet Protocol on page 279

•

Routing on page 293

•

Virtual Systems on page 355

•

User Authentication on page 361

•

High Availability on page 363

•

WAN, ADSL, Dial, and Wireless on page 381

•

General Packet Radio Service on page 407

Configuring ScreenOS Devices Guide

CHAPTER 1

NSM User Interface and NSM Key Management Features

Juniper Network and Security Manager (NSM) provides IT departments with an easy-to-use solution that controls all aspects of the Juniper Networks firewall, VPN, and IDP devices including device configuration, network settings, and security policy. NSM enables IT departments to control the entire device lifecycle with a single, centralized solution. Using NSM, you can configure all your Juniper Networks security devices from one location, at one time.

For details on ScreenOS functionality, see the Concepts & Examples ScreenOS Reference Guide.

This chapter contains the following topics:

•

NSM Overview on page 4

•

Security Integration Management Using NSM Overview on page 4

•

Managing Devices in a Virtual Environment Using NSM on page 6

•

Error Prevention, Recovery, and Audit Management Using NSM on page 8

•

AdministeringScreenOS Devices UsingNSM Complete System Managementon page 10

•

NSM User Interface Overview on page 12

•

Understanding NSM User Interface Menus and Toolbars on page 12

•

Working with Multiple NSM Administrators Overview on page 13

•

NSM Modules Overview on page 13

•

Investigate Task Modules in the NSM User Interface Overview on page 14

•

Configure Task Modules in the NSM User Interface Overview on page 16

•

Administer Task Modules in the NSM User Interface Overview on page 20

•

Understanding Validation Icons and Validation Data in the NSM User Interface on page 21

•

Understanding the Search Function in the NSM User Interface on page 22

Configuring ScreenOS Devices Guide

NSM Overview

At its foundation, a management system integrates your individual security devices into a single, effective security system that you control from a central location. With NSM, you can manage your network at the system level, using policy-based central management, as well as at the device level, managing all device parameters for devices.

NSM is designed to work with networks of all sizes and complexity. You can add a single device, or create device templates to help you deploy multiple devices; you can create new policies, or edit existing policies forsecurity devices. The managementsystem tracks and logs each administrative change in real-time, providing you with a complete administrative record and helping you perform fault management.

NSM also simplifies control of your network with an intuitive UI. Making all changes to your devices from a single, easy-to-use interface can reduce deployment costs, simplify network complexity, speed configuration, and minimize troubleshooting time.

Documentation

NSM User Interface Overview on page 12•

• NSM Modules Overview on page 13

• Understanding NSM User Interface Menus and Toolbars on page 12

Security Integration Management Using NSM Overview

True security integration occurs when you can control every security device on your network and see every security event in real-time from one location. In NSM, this location is the NSM GUI, a graphical user interface that contains a virtual representation of every security device on your network. The idea behind this virtual-physical abstraction is that you can access your entire network from one location—use this console to view your network, the devices runningon it, the policies controlling access to it, and the traffic that is flowing through it.

The following topics are the security integration management features of NSM:

•

Complete Support on page 4

•

Network Organization on page 5

•

Role-Based Administration on page 5

•

Centralized Device Configuration on page 5

•

Migration Tools on page 6

Complete Support

You can create and manage device configurations for security devices or systems. NSM provides support for ScreenOS configuration commands, so you can retain complete control over your devices when using system-level management features like VPNs.

Network Organization

With NSM, you can use domains to segment your network functionally or geographically to define specific network areas that multiple administrators can manage easily.

A domain logically groups devices, their policies, and their access privileges. Use a single domain for small networks with a few security administrators, or use multiple domains for enterprise networks to separate large, geographically distant or functionally distinct systems, control administrative access to individual systems, or obfuscate systems for service provider deployments.

With multiple domains, you can create objects, policies, and templates in the global domain, and then create subdomains that automatically inherit these definitions from the global domain.

Role-Based Administration

Control access to management with NSM—define strategicroles for your administrators, delegate management tasks, and enhance existing permission structures with new task-based functionality.

Chapter 1: NSM User Interface and NSM Key Management Features

Use NSM to create a security environment that reflects your current offline administrator roles and responsibilities. Because management is centralized, it’s easy to configure multiple administrators for multiple domains. By specifying the exact tasks your NSM administrators can perform within a domain, you minimize the probability of errors and security violations, and enable a clear audit trail for every management event.

Initially, when you log in to NSM as the super administrator, you have full access to all functionality within the global domain.From theglobal domain,you canadd thefollowing NSM administrators, configure their roles, and specify the subdomains to which they have access:

•

Activities and Roles—An activity is a predefined task performed in the NSM system, and a role is a collection of activities that defines an administrative function. Use activities to create custom roles for your NSM administrators.

•

Administrators—An administrator is a user of NSM or IDP; each administrator has a specific level of permissions. Create multiple administrators with specific roles to control access to the devices in each domain.

•

Default Roles—Use the predefined roles System Administrator, Read-Only System Administrator, Domain Administrator, Read-Only Domain Administrator, IDP Administrator, or Read-Only IDP Administrator to quickly create permissions for your administrators.

Centralized Device Configuration

No network is too large—because you manage your security devices from one location, you can use the following system management mechanisms to help you quickly and efficiently create or modify multiple device configurations at one time:

Configuring ScreenOS Devices Guide

•

Templates—A template is a predefined device configuration that helps you reuse specific information. Create a device template that defines specific configuration values, and then apply that template to devices to quickly configure multiple devices at one time. For more flexibility, you can combine and apply multiple device templates to a single device configuration(63 maximum).In addition,you canmake global-domain templates available for reference in subdomains.

Shared Objects—An object is an NSM definition that is valid in the global domain and all subdomains. Any object created in the global domain is a shared object that is shared by all subdomains; the subdomain automatically inherits any shared objects defined in the global domain. You will not see global objects in the Object Manager of a subdomain. Although, you can use the objects when selecting objects in a policy.

The global domain is a good location for security devices and systems that are used throughout your organization, address book entries for commonly used network components, or other frequently used objects.A subdomain, alternatively, enables you to separate firewalls, systems, and address objects from the global domain and other subdomains, creating a private area to which you can restrict access.

Grouping—A group is a collection of similar devices or objects. Use device groups and object groups to update multiple devices simultaneously, simplify rule creation and deployment, and enablegroup-specific reporting.You can even link groupsusing Group Expressions to create a custom group.

Migration Tools

If you have existing security devices deployed on your network or are using a previous Juniper Networks management system, you can use the NSM migration tools to quickly import your existing security devices and their configurations, address books, service objects, policies, VPNs, andadministrator privileges. As NSM importsyour existingdevice configurations, it automatically creates your virtual network based on the configuration information.

You can import device configurations directly from your security device, or from your Juniper Networks Global PRO or Global PRO Express system. Import all your security devices at one time, or, if your network is large, import one domain at a time. When importing from Global PRO or Global PRO Express, NSM automatically transfers your existing domain structure.

For details on migrating from a previous management system, see the NSM Migration Guide.

Documentation

AdministeringScreenOS Devices UsingNSM Complete System Managementon page 10•

• Managing Devices in a Virtual Environment Using NSM on page 6

• Error Prevention, Recovery, and Audit Management Using NSM on page 8

Managing Devices in a Virtual Environment Using NSM

A production network is a living entity, constantly evolving to adapt to the needs of your organization. As your network grows, you might need to add new devices, reconfigure

+ 414 hidden pages

Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 User Manual

Specifications and Main Features

Frequently Asked Questions

User Manual