Juniper Networks 200 User Manual

NETSCREEN-200 SERIES

User’s Guide

Version 5.0 P/N 093-1253-000 Rev. B

Copyright Notice

Copyright © 2005 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:
Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Contents

Preface
Guide Organization
Command Line Interface (CLI) Conventions
Juniper Networks NetScreen Publications
Chapter 1 Overview
NetScreen-200 Systems
NetScreen-204 Device
NetScreen-208 Device
The Front Panel
System Status LED Display
Asset Recovery Pinhole
Console and Modem Ports
Compact Flash Card Slot
Ethernet Interfaces
The Rear Panel
Power Supplies
Power Fuse
Chapter 2 Installing the Device
General Installation Guidelines
Performing Equipment-Rack Installation
Equipment Rack Installation Guidelines
Front Mount
Mid-Mount
Connecting the Power
Wiring a DC Power Supply
Connecting the NetScreen-200 Device to Other Devices
Chapter 3 Configuring the Device
Operational Modes
Transparent Mode
Route Mode
The NetScreen-200 Series Device Interfaces
Connecting the Device as a Single Security Gateway
Connectivity Examples
Performing Device Connection
Establishing an HA Connection Between Devices
Performing Initial Connection and Configuration
Establishing a Terminal Emulator Connection
Changing Your Admin Name and Password
Setting Port and Interface IP Addresses
Viewing Current Interface Settings
Setting the IP Address of the Management Interface
Setting the IP Address for the Untrust Zone Interface
Allowing Outbound Traffic
Configuring the Device for Telnet and WebUI Sessions
Starting a Console Session Using Telnet
Starting a Console Session Using Dialup
Establishing a GUI Management Session
Asset Recovery
Using CLI Commands to Reset the Device
Using the Asset Recovery Pinhole to Reset the Device
Appendix A Specifications
NetScreen-200 Attributes
Electrical Specification
Environmental
NEBS Certifications
Safety Certifications
EMI Certifications
Index

Preface

The Juniper Networks NetScreen-200 Series consists of versatile, purpose-built, high-performance security systems that provide IPSec VPN and firewall services for medium and large enterprise offices, e-business sites, data centers, and carrier infrastructures.
The NetScreen-200 Series includes the following device models:
• The NetScreen-204, which has four 10/100 Base-T interface ports and performs firewall functions at 400 Mbps
• The NetScreen-208, which has eight 10/100 Base-T interface ports and performs firewall functions at 550 Mbps
All NetScreen-200 Series 10/100 Base-T ports perform auto-speed sensing and auto-polarity correction.

GUIDE ORGANIZATION

This manual has three chapters and one appendix.
Chapter 1, "Overview" provides a detailed overview of the system and its components.
Chapter 2, "Installing the Device" describes how to rack-mount the NetScreen-200 systems and connect the systems to other devices.
Chapter 3, "Configuring the Device" details how to connect the NetScreen-200 device to the network and perform initial configuration.
Appendix A, "Specifications" provides a list of physical specifications about the NetScreen-200 Series, the modules, and power supplies.

COMMAND LINE INTERFACE (CLI) CONVENTIONS

The following conventions are used when presenting the syntax of a command line interface (CLI) command:
Anything inside square brackets [ ] is optional.
Anything inside braces { } is required.
If there is more than one choice, each choice is separated by a pipe ( | ). For example,
set interface { ethernet1 | ethernet2 | ethernet3 } manage
means “set the management options for the ethernet1, ethernet2, or ethernet3 interface”.
Variables appear in italic. For example:
set admin user name1 password xyz
When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: “Use the get system command to display the serial number of a NetScreen device.”
Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.

JUNIPER NETWORKS NETSCREEN PUBLICATIONS

To obtain technical documentation for any Juniper Networks NetScreen product, visit www.juniper.net/techpubs/
For technical support, open a support case using the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
techpubs-comments@juniper.net
Chapter 1

Overview

This chapter provides detailed descriptions of the NetScreen-200 Series system devices and their components.
Topics in this chapter include:
• NetScreen-200 Systems
  • NetScreen-204 Device
  • NetScreen-208 Device
• The Front Panel
  • System Status LED Display
  • Asset Recovery Pinhole
  • Console and Modem Ports
  • Compact Flash Card Slot
  • Ethernet Interfaces
• The Rear Panel
  • Power Supplies
  • Power Fuse
Note: For safety warnings and instructions, please refer to the NetScreen Safety Guide.
The instructions in this guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.

NETSCREEN-200 SYSTEMS

The NetScreen-200 Series currently includes the NetScreen-204 device and the NetScreen-208 device.

NetScreen-204 Device

The NetScreen-204 is a chassis-based, rack-mountable network security device with four ethernet 10/100 Base-T interface ports. The figure below shows a NetScreen-204 device.
[Figure: NetScreen-204 front panel, with callouts: System Status LEDs, Asset Recovery Pinhole, Console Port, Modem Port, Compact Flash Card Slot, Ethernet Interfaces]

NetScreen-208 Device

The NetScreen-208 is a chassis-based, rack-mountable network security device with eight ethernet 10/100 Base-T interface ports. The figure below shows a NetScreen-208 device.
[Figure: NetScreen-208 front panel, with callouts: System Status LEDs, Asset Recovery Pinhole, Console Port, Modem Port, Compact Flash Card Slot, Ethernet Interfaces]
THE FRONT PANEL
Features common to the NetScreen-204 and NetScreen-208 devices include:
• A System Status LED display
• An Asset Recovery Pinhole
• A Console port
• A Modem port
• A Compact Flash Card Slot
• Ethernet interfaces

System Status LED Display

The front panel of each NetScreen-200 Series device has a System Status display, which contains six LEDs.
[Figure: System Status LED display, with callouts: Status LED, Power LED, Alarm LED, Session LED, HA LED, Flash LED]
The information revealed by each LED is as follows:
| LED Name | Purpose | Color | Meaning |
|---|---|---|---|
| Power | Power Supply | green | Power supply is functioning correctly. |
| | | off | The device is not receiving power. |
| Status | System Status | amber | At initial power up. |
| | | green | At startup and while performing diagnostics. |
| | | blinking green | Normal operation. |
| | | blinking red | Error detected. |
| HA | High Availability Status | green | Unit is the primary (master) device. |
| | | blinking green | Connection not found. |
| | | amber | Unit is the secondary (backup) device. |
| | | off | HA not enabled. |
| Alarm | System Alarm | red | Critical alarm: failure of hardware component or software module (such as a cryptographic algorithm); firewall attacks detected. |
| | | amber | Major alarm: low memory (less than 10% remaining); high CPU utilization (more than 90% in use); session full; maximum number of VPN tunnels reached; HA status changed or redundant group member not found. |
| | | off | No alarms. |
| Session | Session Utilization | amber | Session utilization is between 70% and 90%. |
| | | red | Session utilization is greater than 90%. |
| | | off | Normal operation. |
| Flash | Memory Card Status | green | The card is installed. |
| | | blinking green | Read-write activity is detected. |
| | | off | Flash card slot is empty. |

Asset Recovery Pinhole

The Asset Recovery Pinhole is a button that resets the device to its original default settings. To use this button, insert a stiff wire (such as a straightened paper clip) into the pinhole.
Warning: Because resetting the device restores it to the original default configuration, any new configuration settings are lost, and the firewall and all VPN services become inoperative.

Console and Modem Ports

The Console port is an RJ-45 serial console port connector, for vt100 terminal emulator programs to perform local configuration and administration.
The Modem port is an RJ-45 serial console port connector, for establishing remote console sessions using dialup connections through a 9600 bps modem connected via an RS-232 cable. Dialing into the modem establishes the dialup console connection.
The table below lists the RJ-45 to DB-9 adapter connection definitions. To employ a standard UART port, both the console and the modem ports use this configuration.
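| DB9 | Signal | Abbreviation | DTE | DCE | RJ-45 |
|---|---|---|---|---|---|
| 1 | Data Carrier Detect | DCD | In | Out | NC |
| 2 | Received Data | RD | In | Out | 3 |
| 3 | Transmitted Data | TD | Out | In | 6 |
| 4 | Data Terminal Ready | DTR | Out | In | 7 |
| 5 | Signal Ground | SGND | N/A | N/A | 4 |
| 6 | Data Set Ready | DSR | In | Out | 2 |
| 7 | Request To Send | RTS | Out | In | 8 |
| 8 | Clear To Send | CTS | In | Out | 1 |
| 9 | Ring Indicator | RI | In | Out | NC |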

Compact Flash Card Slot

The NetScreen-200 Series supports CompactFlash™ cards with a variety of memory capacities. NetScreen has tested SanDisk 96MB and 512MB cards. The NetScreen device automatically detects the presence of a flash card and records the system log to it.

Ethernet Interfaces

Each Ethernet port is a 10/100 auto-sensing interface with two link LEDs. The left LED indicates network traffic, and the right LED indicates an active network link.
[Figure: Ethernet port link LEDs. Network Traffic: blinking = link activity. Network Link: on = link is up; off = link is down.]

THE REAR PANEL

The figure below shows the rear panel of a NetScreen-200 Series device (with an AC power supply).
[Figure: rear panel, with callouts: Power Outlet, Power Switch, Fuse Cover]
Note: Certain export restrictions may apply to international customers. Check with your sales representative.
Power Supplies

A NetScreen-200 Series device can have an AC power supply or a DC power supply. The DC power supply can operate on one or two DC feeds ranging from -36V to -60V.
When you use two feeds, they share the load. If one feed fails, the other automatically assumes the full load.
The internal fuse for the DC power supply is a 3.15A/250V, fast-acting fuse. This is not replaceable.