Juniper NETWORK AND SECURITY MANAGER 2010.4 - INSTALLATION GUIDE REV1, NETWORK AND SECURITY MANAGER 2010.4 Installation Manual

Juniper Networks Network and Security Manager

Installation Guide

Release

2010.4

Published: 2010-11-17

Revision 1

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This productincludes the Envoy SNMP Engine, developed by Epilogue Technology,an Integrated Systems Company.Copyright ©1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Network and Security Manager Installation Guide

Revision History November 17, 2010—Revision 1

The information in this document is current as of the date listed in the revision history.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. The Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER)CONSENT TO BE BOUNDBY THIS AGREEMENT.IF YOUDO NOTOR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (ifthe Customer’sprincipal officeis located outsidethe Americas) (such applicable entitybeing referred to herein as“Juniper”),and (ii) the person or organization thatoriginally purchased from Juniperor an authorized Juniperreseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and thelimitations andrestrictions setforth herein,Juniper grantsto Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitsto Customer’s useof the Software. Suchlimits may restrictuse to amaximum numberof seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, toany thirdparty; (d)remove any proprietarynotices, labels,or marks on orin any copy of the Softwareor any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold inthe secondhand market; (f)use any ‘locked’ orkey-restricted feature,function, service, application, operation, orcapability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompaniesthe Software (the“Warranty Statement”).Nothing inthis Agreement shallgive riseto any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENTOF SUBSTITUTEGOODS ORSERVICES,OR FOR ANY SPECIAL,INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIEDSOFTWARE. INNO EVENT SHALLJUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embeddedin the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in itsown name asif it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Part 1 Network and Security Manager Installation Procedures

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Installation Process Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Management System Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

User Interface Installation Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Installation Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Minimum System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

System Requirements—Management System . . . . . . . . . . . . . . . . . . . . . . . . . 5

System Requirements—User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Choosing Standalone, Distributed, or High Availability Configurations . . . . . . . . . . 7

Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Simple High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Extended High Availability Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Other Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Local/Remote Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

NetScreen-Statistical Report Server Interoperability . . . . . . . . . . . . . . . . . . . 10

Device Server Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2 Generating the NSM License Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Installing NSM for the First Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

NSM Trial Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Generating the License Key for an NSM Software-Only Installation . . . . . . . . 14

Generating the License Key for an NSM Appliance Installation . . . . . . . . . . . . 14

Generating the License Key for a High Availability NSM Installation . . . . . . . . 14

Upgrading to an NSM Release that Requires a License . . . . . . . . . . . . . . . . . . . . . . 15

Generating the License Key for an NSM Software-Only Upgrade . . . . . . . . . . 15

Generating the License Key for an NSM Appliance Upgrade Installation . . . . 16

Generating the License Key File for an NSM 2007.3 or Later High Availability

Upgrade Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Network and Security Manager Installation Guide

Example of an NSM License File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Installing the License Key File in Various Configurations . . . . . . . . . . . . . . . . . . . . . 18

Upgrading the License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Viewing License Key Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Enforcing Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Licensing FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21

Suggested Standalone Configuration Installation Order . . . . . . . . . . . . . . . . . . . . . 21

Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Prerequisite Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Running the System Update Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Configuring Shared Memory Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Establishing a Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Preparing a Solaris Server for NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Installing NSM 2010.4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Typical Output for a Standalone Installation . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Running the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Validating the NSM Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Running the User Interface in Demo Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Chapter 4 Installing NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 49

Suggested Distributed Configuration Installation Order . . . . . . . . . . . . . . . . . . . . 49

Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Installing the GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Typical Output for Installing a GUI Server in a Distributed Configuration . . . . 59

Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Adding the Device Server in the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Installing the Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Typical Output for Installing a Device Server in a Distributed

Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

High Availability Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

HA Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

HA Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Communication Between Physical Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Inter-server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

HA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Database Synchronization and Remote Replication . . . . . . . . . . . . . . . . 73

HA Failover . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Restoring Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Table of Contents

Using a Shared Disk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Creating a Trust Relationship Between Servers . . . . . . . . . . . . . . . . . . . . 76

Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Checking HA Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Viewing HA Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

HA Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Suggested Simple HA Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Suggested Extended HA Installation Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Simple HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Extended HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Verifying That Shared Partitions Are Mounted Properly . . . . . . . . . . . . . . . . . 84

Verifying That All Required System Binaries Are Available . . . . . . . . . . . . . . . 84

Verifying That Clocks Are Synchronized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Establishing an SSH Trust Relationship . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Installing NSM 2010.4 on the Primary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Viewing the Management System Installation Log . . . . . . . . . . . . . . . . . . . . . 93

Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Other Useful Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Installing NSM 2010.4 on the Secondary Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Example: Installing NSM in a Simple HA Configuration . . . . . . . . . . . . . . . . . . . . . 95

Primary GUI Server and Device Server Installation . . . . . . . . . . . . . . . . . . . . . 96

Secondary GUI Server and Device Server Installation Script . . . . . . . . . . . . . 101

Installing the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configuring the HA Cluster in the UI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Installing NSM In an Extended HA Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Example: Installing NSM in an Extended HA Configuration . . . . . . . . . . . . . . . 111

Primary GUI Server Installation Script . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Secondary GUI Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Primary Device Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Secondary Device Server Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Chapter 6 Upgrading to NSM 2010.4 from an Earlier Version . . . . . . . . . . . . . . . . . . . . . 131

Upgrade Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131

Defining System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Standalone Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Distributed Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

HA Configuration Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Prerequisite Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137

Running the System Update Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Configuring Shared Memory Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Setting the rsysnc Timeout Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Increasing Shared Memory Segment Maximum Size . . . . . . . . . . . . . . . . . . 139

Preparing a Solaris Server for NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Network and Security Manager Installation Guide

Upgrading NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Typical Output for a Standalone Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Starting Server Processes Manually . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Validating Management System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Upgrading the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

Downloading and Installing the UI Client Automatically . . . . . . . . . . . . . . . . 149

Downloading and Installing the UI Client Manually . . . . . . . . . . . . . . . . . . . . 150

Validating the Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Upgrading NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Upgrading NSM with HA Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Upgrading the Database Backup Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Restoring Data if the Upgrade Fails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Next Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Chapter 7 Upgrading NSM Appliances to NSM 2010.4 . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Upgrading NSM Regional Server and NSMCM Appliances . . . . . . . . . . . . . . . . . . 155

Upgrading to NSM Release 2010.4 on an NSM Regional Server Appliance

Upgrading to NSM 2010.4 Release on an NSM Central Manager Appliance

Upgrading to NSM 2010.4 Release on an NSM Appliance (Offline Mode) . . 160 Upgrading to NSM Release 2010.4 on an NSM Central Manager Appliance

Migrating Data to an NSM Regional Server Appliance . . . . . . . . . . . . . . . . . . . . . 165

Data Migration from a Solaris Server to an NSM Regional Server

Data Migration from a Linux Server to an NSM Regional Server

User Privileges on an NSM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Chapter 8 Maintaining NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Controlling the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Viewing Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Common Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . 172

Starting All Server Processes Using the HA Server . . . . . . . . . . . . . . . . . . . . . 172

Starting GUI Server and Device Server Processes Manually . . . . . . . . . . . . . 173

Stopping Server Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Configuring Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

Changing the Management System IP Address . . . . . . . . . . . . . . . . . . . . . . . 174

Changing the Device Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Changing the GUI Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Configuring Disk Space Management on the Device Server . . . . . . . . . . . . . 175

Configuring Disk Space Management on the GUI Server . . . . . . . . . . . . . . . . 176

Configuring Connection Timing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

Setting Core File Naming on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177

(Online mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

(Online mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 158

(Offline Mode) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

On the Solaris server: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

On the NSM appliance: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

On the Linux Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

On the NSMAppliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Table of Contents

Archiving and Restoring Logs and Configuration Data . . . . . . . . . . . . . . . . . . . . . 178

Archiving Logs and Configuration data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Restoring Logs and Configuration Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Configuring High Availability Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Enabling and Disabling High Availability Processes . . . . . . . . . . . . . . . . . . . 180

Configuring Other High Availability Options . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Backing Up the Database Locally . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Restoring the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Validating the Database Recovery Process . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Changing the HA Server IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Relocating the Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Archiving the GUI Server Database and Device Server Log Database . . . . . . 183

Installing NSM On a New System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183

Moving the Databases to the New System . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Installing a Trivial File Transfer Protocol Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Installing a TFTP Server on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Installing a TFTP Server on Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Modifying Timeout Values on the Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Downgrade Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Removing the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Uninstalling the User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190

Part 2 Appendixes

Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193

About the Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

HA Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

About the NSM User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

About Managed Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Server Communications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Communication Ports and Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Using the Secure Server Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Communications with Devices Running ScreenOS 5.X and Later . . . . . . . . . . . . 198

Communications with Device Management Interface-Compatible Devices . . . . 199

Creating a Separate Management Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Appendix B Hardware Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Standalone or Distributed System for GUI Server and Device Server . . . . . . . . . . 201

Network Card Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Configuring Multiple Network Interface Cards . . . . . . . . . . . . . . . . . . . . . . . . 202

Memory Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

UI Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Storage Space Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Audit Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Error Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Network and Security Manager Installation Guide

Device Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Processor Speed Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Device Server Managing IDP Standalone Devices Running Profiler . . . . . . . 207

Recommendations for Large-Scale Installations . . . . . . . . . . . . . . . . . . . . . . . . . 207

Appendix C Profiler Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . 209

Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Recommendations for Low-End Configurations: . . . . . . . . . . . . . . . . . . . . . 209

Medium-Size Configuration (3 to 8 IDP Profiling Devices) . . . . . . . . . . . . . . 210

High-End Configuration (9 to 20 IDP Profiling Devices) . . . . . . . . . . . . . . . . . 211

Setting Preferences to Improve Profiler Performance . . . . . . . . . . . . . . . . . . . . . . 212

UI System Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

PostgreSQL Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Shared Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Device Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

GUI Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Device Configuration Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Nightly Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

NSM Generated Logs’ Impact on Performance . . . . . . . . . . . . . . . . . . . . 215

Part 3 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

List of Figures

Part 1 Network and Security Manager Installation Procedures

Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21

Figure 1: UI Installer Introduction Screen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 2: UI Installation—Choose Install Folder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Figure 3: UI Installation—Choose Shortcut Folder . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 4: UI Installation—Preinstallation Summary . . . . . . . . . . . . . . . . . . . . . . . . 44

Figure 5: Validating the NSM Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Figure 6: Simple HA Management System Configuration . . . . . . . . . . . . . . . . . . . . 72

Figure 7: HA Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Figure 8: Configuring the HA GUI Server Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Figure 9: Configuring the HA Device Server Cluster . . . . . . . . . . . . . . . . . . . . . . . 109

Figure 10: Configuring e-mail Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110

Figure 11: Extended HA Configuration Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Part 2 Appendixes

Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193

Figure 12: NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Figure 13: NSM Management System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

Network and Security Manager Installation Guide

List of Tables

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Table 2: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Table 3: Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Table 4: Network and Security Manager Publications . . . . . . . . . . . . . . . . . . . . . . xix

Part 1 Network and Security Manager Installation Procedures

Chapter 1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 5: NSM Installation Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Table 6: Minimum System Requirements—Management System on Same

Table 7: Minimum System Requirements—Management System on Separate

Table 8: Minimum System Requirements—User Interface . . . . . . . . . . . . . . . . . . . . 7

Chapter 2 Generating the NSM License Key File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Table 9: Licensing FAQ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 3 Installing NSM in a Standalone Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 21

Table 10: Common System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 4 Installing NSM in a Distributed Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 49

Table 11: Distributed Configuration—System Parameters . . . . . . . . . . . . . . . . . . . 50

Chapter 5 Installing NSM with High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Table 12: HA Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Table 13: Simple HA Configuration—System Parameters . . . . . . . . . . . . . . . . . . . 80

Table 14: Extended HA Configuration—System Parameters . . . . . . . . . . . . . . . . . 83

Table 15: Shared Disk System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Table 16: Useful Installation and Troubleshooting Commands . . . . . . . . . . . . . . . 94

Chapter 6 Upgrading to NSM 2010.4 from an Earlier Version . . . . . . . . . . . . . . . . . . . . . 131

Table 17: Standalone Configuration—System Parameters . . . . . . . . . . . . . . . . . . 132

Table 18: Distributed Configuration — System Parameters . . . . . . . . . . . . . . . . . . 134

Table 19: HA Configuration — System Parameters . . . . . . . . . . . . . . . . . . . . . . . . 134

Table 20: Shared Disk Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Chapter 8 Maintaining NSM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Table 21: Management System Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Part 2 Appendixes

Appendix A Technical Overview of the NSM Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 193

Network and Security Manager Installation Guide

Table 22: Inbound ports on the NSM Management System . . . . . . . . . . . . . . . . . 196

Table 23: Outbound ports on the NSM Management System . . . . . . . . . . . . . . . 197

Table 24: Management System Communications With Devices Running

ScreenOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198

Table 25: Management System Communications With DMI-Compatible

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Appendix B Hardware Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Table 26: GUI Server RAM Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202

Table 27: Device Server RAM Requirements for Firewall/VPN or Junos

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Table 28: Device Server RAM Requirements for IDP, Secure Access, or Infranet

Controller Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Table 29: Audit Log Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

Table 30: Storage Requirements for Device Server Managing Firewall/VPN

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Table 31: Storage Requirements for Device Server Managing IDP (w/Profiler)

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Table 32: CPU Requirements for Device Server Managing IDP (w/Profiler)

Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Appendix C Profiler Performance Tuning Recommendations . . . . . . . . . . . . . . . . . . . . . 209

Table 33: Performance Turning Recommendations for Low-End

Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Table 34: Performance Turning Recommendations for Medium-Sized

Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Table 35: Performance Turning Recommendations for High-End

Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Table 36: Profiler Settings in UI System Preferences . . . . . . . . . . . . . . . . . . . . . . . 212

Table 37: PostgreSQL Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Table 38: Device Server Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

About This Guide

•

Objectives on page xvii

•

Audience on page xvii

•

Conventions on page xvii

•

Documentation on page xix

•

Requesting Technical Support on page xx

Objectives

This Network and Security Manager Installation Guide describes how you can install an initial working Network and Security Manager (NSM) system.

Audience

This guide is intended primarily for IT administrators who are responsible for installing, upgrading, and maintaining NSM.

Conventions

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens may differ.

All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Table 1 on page xviii defines notice icons used in this guide.

Network and Security Manager Installation Guide

Table 1: Notice Icons

Table 2 on page xviii defines text conventions used in this guide.

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Alerts you to the risk of personal injury from a laser.Laser warning

Table 2: Text Conventions

Bold typeface like this

fixed-width font

Keynames linkedwith a plus (+) sign

Italics

The angle bracket (>)

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3 on page xix defines syntax conventions used in this guide.

Table 3: Syntax Conventions

About This Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by an asterisk ( [ ]*)

Documentation

Table 4 on page xix describes documentation for NSM.

Table 4: Network and Security Manager Publications

Network and Security Manager Installation Guide

variable to the left or right of this symbol. The keywordor variable canbe optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

DescriptionBook

Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSMuser interface.This guideis intended for IT administrators responsible for the installation or upgrade of NSM.

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in |out } { clusterId | ipAddress }

Network and Security Manager Administration Guide

Network and Security Manager Configuring ScreenOS Devices Guide

Network and Security Manager Configuring Intrusion Detection and Prevention Devices Guide

Describes how to use and configure key management features in the NSM. Itprovides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help,which provides step-by-step instructions for performing management tasks in the NSM UI.

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multi-user systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Provides details about configuring device features for all supported ScreenOS platforms.

Provides details about configuring device features for all supported Intrusion Detection and Prevention (IDP) platforms.

Network and Security Manager Installation Guide

Table 4: Network and Security Manager Publications (continued)

DescriptionBook

Network and Security Manager Online Help

Network and Security Manager API Guide

Network and Security Manager Release Notes

Network and Security Manager Configuring Infranet Controllers Guide

Network and Security Manager Configuring Secure Access Devices Guide

Network and Security Manager Configuring EX Series Switches Guide

Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides complete syntax and description of the SOAP messaging interface to NSM.

Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notesdiffers from the information found in the documentation set, follow the Release Notes.

Release notes are included on the corresponding software CD and are available on the Juniper Networks website.

Provides details about configuring the device features for all supported Infranet Controllers.

Provides details about configuring the device features for all supported Secure Access Devices.

Provides details about configuring the device features for all supported EX Series platforms.

Network and Security Manager Configuring J Series Services Routers and SRX Series Services Gateways Guide

Network and Security Manager M Series and MX Series Devices Guide

Requesting Technical Support

Technical productsupport is availablethrough theJuniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

Provides details about configuring the device features for all supported J Series Services Routers and SRX Series Services Gateways.

Provides details about configuring the device features for M Series and MX Series platforms.

•

JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

About This Guide

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verifyservice entitlement byproduct serial number,use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html

Network and Security Manager Installation Guide

PART 1

Network and Security Manager Installation Procedures

•

Introduction on page 3

•

Generating the NSM License Key File on page 13

•

Installing NSM in a Standalone Configuration on page 21

•

Installing NSM in a Distributed Configuration on page 49

•

Installing NSM with High Availability on page 71

•

Upgrading to NSM 2010.4 from an Earlier Version on page 131

•

Upgrading NSM Appliances to NSM 2010.4 on page 155

•

Maintaining NSM on page 171

Network and Security Manager Installation Guide

CHAPTER 1

Introduction

This chapter provides you with the information you need to install Network and Security Manager (NSM) and integrate it into your network. It provides an overview of the NSM installation process. It also reviews minimum hardware and software requirements and options for configuring the management system to provide enhanced functionality, performance, and scalability.

This chapter contains the following sections:

•

Installation Process Overview on page 3

•

Installation Package on page 4

•

Minimum System Requirements on page 5

•

Choosing Standalone, Distributed, or High Availability Configurations on page 7

•

Other Configuration Options on page 9

•

Next Steps on page 11

Installation Process Overview

NSM is softwarethat enables youto integrateand centralize managementof your Juniper Networks environment.

You need to install two main software components that you need to install to run NSM: the NSM management system and the NSM user interface (UI).

The overall process for installing NSM is as follows:

•

Management System Installation Process on page 3

•

User Interface Installation Process on page 4

Management System Installation Process

The management system installer enables you to install all the software required to run each component of the NSM management system.

The management system installer is a shell archive script that you can run on any of the following dedicated platforms that meets minimum requirements:

•

Solaris 10 (for SPARC)

Network and Security Manager Installation Guide

•

Red Hat Enterprise Linux (RHEL) ES/AS 4.0 or ES/AS 5.0 (Minimal and Full Install)

See “Minimum System Requirements” on page 5 for more information on the minimum required hardware and software that you need to install the NSM management system. To plan for larger deployments, refer to “Hardware Recommendations” on page 201.

NOTE: NSM 2008.1 and later no longer support installations on servers

running Solaris 8 or 9. If you plan to install the management system on a server running Solaris 8 or 9, you must upgrade the system to Solaris 10. Similarly, NSM 2008.1 and later no longer support installations on RHEL ES/AS 3.0. If you plan to install the management system on a server running RHEL ES/AS 3.0, you must upgrade the system to either RHEL ES/AS 4.0 or RHEL ES/AS 5.0.

RHEL and Solaris installations use different installer scripts. When you launch the management system installer, the script guides you through all the steps required to install and configure each management system component.

User Interface Installation Process

The NSM user interface (UI) installer launches an InstallAnywhere wizard that you can run onany Windows or Linux-basedcomputer that meetsminimum system requirements. See Table 8 on page 7 for more information on the minimum required hardware and software that you need to install the NSM UI.

The InstallAnywhere wizard guides you through all the steps required to configure and install the UI. After you install the UI, you can connect it to the management system.

Installation Package

All the software files required to install NSM are located on the NSM installation CD or on the Internet at the Juniper Networks corporate support web site. We recommend you download these files to the computers on which you plan toinstall NSM before youbegin the installation process.

Table 5 on page 4 describes the contents of the NSM installation CD.

Table 5: NSM Installation Files

DescriptionFilename

Installer for the NSM UI (for Windows-based computers).nsm2010.4_ui_win_x86.exe

Installer for the NSM UI (for Linux-based computers).nsm2010.4_ui_linux_x86.bin

Installer for the NSM management system for Linux.nsm2010.4_servers_linux_x86.sh

Installer for the NSM management system for Solaris.nsm2010.4_servers_sol_sparc.sh

Table 5: NSM Installation Files (continued)

DescriptionFilename

Chapter 1: Introduction

nsm2010.4-systemupdate-linuxES_4.tar

nsm2010.4-systemupdate-linuxES_5.tar

nsm2010.4-systemupdate-solaris10.tar

Minimum System Requirements

The following minimum hardware and software requirements must be met to properly install and run NSM.

System Requirements—Management System

Table 6 on page 5 describes the minimum requirements that must be met for the GUI Server and Device Server on the same server.

Table 6: Minimum System Requirements—ManagementSystemon Same Server

Minimum RequirementsComponent

Operating System

Solaris 10 operating system with End User Solaris Software Group package, or

Systemupdate utility forRHEL ES4.0. Use this file toupdate files onyour system required forthe installerto run properly.

Systemupdate utility forRHEL ES5.0. Usethis file toupdate files onyour system required forthe installerto run properly.

System update utility for Solaris 10. Use this file to update files onyour system required forthe installerto run properly.

CPU

Storage

RHEL 32-bitES/AS 4.0-Update7 or 32-bit ES/AS 5.0-Update 3(Minimal and Full Install)

Only Sun Microsystems UltraSPARC III (Cu) 1.2 GHz or UltraSPARC T2, or

Linux 2 GHz (x86) processor (or higher)

4 GBRAM

4 GB for both GUI Server and Device ServerSwap Space

Hard diskdrive with 7200RPM (minimum); 15,000RPM (recommended); 40 GB disk space (minimum); 80 GB disk space (recommended)

By directory:

•

/usr—7 GB minimum

•

/var—10 GB min

•

/tmp—2 GB minimum

100 Mbps(minimum) Ethernetadapter; higher speeds arerecommendedNetwork Connection

Network and Security Manager Installation Guide

Table 6: Minimum System Requirements—ManagementSystemon Same Server (continued)

Minimum RequirementsComponent

Other

Server must be dedicated to running NSM.

NSM should not be installed on virtual systems such as VMWare and Microsoft VM Server due to high system I/O requirements.

Table 7 on page 6 describes the minimum requirements that must be met for each server when the GUI Server and Device Server are installed on separate servers.

Table 7: Minimum System Requirements—Management System on Separate Servers

Minimum RequirementsComponent

Operating System

CPU

Solaris 10 operating system with End User Solaris Software Group package, or

RHEL 32-bit ES/AS 4.0-Update 7 or 32-bit ES/AS 5.0-Update 3 (Minimal and Full Install)

NOTE: Both servers must be runningthe same operatingsystem version. For example, you cannot run the GUI Server on a server running Linux, and the Device Server on a server running Solaris.

Only Sun Microsystems UltraSPARC IIi 1GHz (or higher), OR

Linux 2 GHz (x86) processor (or higher)

Storage

bandwidth to NSM

Other

4 GBRAM

2GB for the GUI Server, 2 GB for the Device ServerSwap Space

Hard diskdrive with 7200RPM (minimum); 15,000RPM (recommended); 40 GB disk space (minimum); 80 GB disk space (recommended)

By directory:

•

/usr—7 GB minimum

•

/var—10 GB min

•

/tmp—2 GB minimum

100 Mbps(minimum) Ethernetadapter; higher speeds arerecommendedNetwork Connection

56 Kbps (minimum)Device Connection

Each server must be dedicated to running NSM.

NSM should not be installed on a virtual system such as VMWare and Microsoft VM Server due to high system I/O requirements.

NOTE: You can extend systemperformance and data capacity by expanding

the minimum requirements specified for each component. See “Hardware Recommendations” on page 201 for more information about the hardware and software appropriate for your specific network.

System Requirements—User Interface

Table 8 on page 7 describes the minimum system requirements that must be met for the User Interface.

Table 8: Minimum System Requirements—User Interface

Chapter 1: Introduction

Minimum RequirementComponent

Software

Hardware

Microsoft Windows Vista, or

Microsoft Windows XP, or

RHEL 32-bit ES 4.0 or 32-bit ES 5.0, RHEL 32-bit AS 4.0 or RHEL 32-bit AS

5.0 (Minimal and Full Install) US English versions only

IBM compatible PC

Pentium 4 or equivalent

RAM: 2 GB. For managing large scale setups (for example, with more than 1000 devices on the NSM server), Juniper recommends a minimum of 4 GB RAM.

384 Kbps (DSL) or LAN connection — minimum bandwidth required to connect to the NSM management system.

Choosing Standalone, Distributed, or High Availability Configurations

The two most important installation considerations are:

•

Scale — The size of the network.

The NSM management system is designed to scale from the management of a few devices to huge networks of up to 3000 devices. For smaller networks, you can install the entire system on a single Linux or Solaris server. For larger networks, you can distribute the NSM management system by installing the Device Server and GUI Server on separate machines, and by using external shared disk systems.

•

Failure tolerance — The effect on the organization upon failure of an NSM component and the downtime during repair.

You can increase fault tolerance by installing a standby management system on a single server for smaller installations, or on distributed servers for larger installations.

Network and Security Manager Installation Guide

Some of the factors to consider include, but are not limited to:

•

Number of devices managed

•

Size of devices managed (for example, a NetScreen 5200 firewall/VPN system might have a larger impact than a NetScreen 5GT firewall appliance)

•

Impact on the organization to temporary loss of logs during server failure (if not using multiple Device Servers the logs from firewalls would be lost until the single server is repaired)

•

Amount of log data stored (this is a combination of the number of logs per day sent from the devices and the number of days the logs are required to remain on the management system)

•

Customer's Linux/Solaris knowledge/skills

•

Industry regulations governing the customer that might dictate the efforts they must go to in order to protect continuous log collection

•

Main reason for using NSM (for example, firewall configuration only with occasional logging; heavy logging)

•

Budget

•

Future expansion of firewall network (future proofing)

For more information about recommended hardware for various types of networks, see “Hardware Recommendations” on page 201.

You can design and implement NSM to scale to small, medium, and large enterprises, as well asservice provider deployments. There are fourmain optionsfor configuring NSM:

•

Standalone Configuration on page 8

•

Distributed Configuration on page 8

•

Simple High Availability Configuration on page 9

•

Extended High Availability Configuration on page 9

Standalone Configuration

The most straightforward implementation of the NSM management system is to install both components of the management system—GUI Server and Device Server—on the same server. This configuration is appropriate for most small firewall networks (recommended for no more than 100 devices, considerably less for networks containing large firewalls). It has the advantage of low cost and simplicity. Local backup for disaster recovery and external data storage are options for this configuration.

The NSM appliances can run as standalone configurations. See the NSMXpress and NSM3000 User Guide for details.

Distributed Configuration

For large enterprise networks that generate and store many traffic logs, we recommend that you install the GUI Server and Device Server on separate servers. The distributed system enables greater processing power per service. In addition, a failure of the GUI

+ 214 hidden pages

Juniper NETWORK AND SECURITY MANAGER 2010.4 - INSTALLATION GUIDE REV1, NETWORK AND SECURITY MANAGER 2010.4 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual