Juniper Networks ISG 2000 User Manual

NETSCREEN-ISG 2000
User’s Guide
Version 5.0 P/N 093-1488-000 Rev. A
Copyright Notice
Copyright © 2004 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:
Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.

Language Contents

English
French

Contents

Preface
Guide Organization
Command Line Interface (CLI) Conventions
Juniper Networks NetScreen Publications
Chapter 1 Overview
The Front Panel
LED Dashboard
Interface Modules
10/100 Mbps Interface Module
The Mini-GBIC Interface Connector Module
Compact Flash
Management Interfaces
High Availability Interfaces
The Fan Module
The Rear Panel
Power Supplies
The DC Power Supply
The AC Power Supply
Chapter 2 Installing the Device
General Installation Guidelines
Equipment Rack Mounting
Equipment Rack Installation Guidelines
Equipment Rack Accessories and Required Tools
Mid-Mount
Rear-and-Front Mount
Installing and Connecting the AC Power Supply
Installing and Wiring a DC Power Supply
Chapter 3 Configuring the Device
Operational Modes
Transparent Mode
Route Mode
The NetScreen-ISG 2000 Interfaces
Configurable Interfaces
The Ethernet Interfaces
Interfaces to Change During Initial Configuration
Connecting the Device to a Network
Connecting the NetScreen-ISG 2000 as a Single Security System
Connecting the NetScreen-ISG 2000 for High Availability
Performing Initial Connection and Configuration
Establishing a Terminal Emulator Connection
Changing Your Admin Name and Password
Setting Port and Interface IP Addresses
Viewing Current Interface Settings
Setting the IP Address of the Management Interface
Setting the IP Address for the Trust Zone Interface
Setting the IP Address for the Untrust Zone Interface
Allowing Outbound Traffic
Configuring the Device for Telnet and WebUI Sessions
Starting a Console Session Using Telnet
Starting a Console Session Using Dialup
Establishing a WebUI Management Session
Configuring the Chassis Alarm
Using CLI Commands to Reset the Device
Chapter 4 Servicing the Device
Removing and Inserting Interface Modules
Removing Interface Modules
Inserting Interface Modules
Installing Power Supplies
Wiring the DC Power Supplies
Replacing a DC Power Supply
Replacing an AC Power Supply
Replacing the Fan Module
Replacing the Fan Tray Filter
Connecting and Disconnecting Gigabit Ethernet Cables
Removing and Installing a Mini-GBIC Transceiver
Appendix A Specifications
NetScreen-ISG 2000 Attributes
Electrical Specification
Environmental
NEBS Certifications
Safety Certifications
EMI Certifications
Connectors
Index

Preface

The Juniper Networks NetScreen-ISG 2000 is a purpose-built, high-performance security system designed to provide a flexible solution to medium and large enterprise central sites and service providers. The NetScreen-ISG 2000 security system integrates firewall, deep inspection, VPN, and traffic management functionality in a low-profile, modular chassis.
The NetScreen-ISG 2000 is built around NetScreen's custom, third-generation purpose-built GigaScreen³ ASIC, which provides accelerated encryption algorithms. The NetScreen-ISG 2000 supports flexible interface configuration with 4-port and 8-port 10/100 and 2-port gigabit modules.
This manual introduces the NetScreen-ISG 2000, describes how to install and service the device, and shows how to perform initial configuration. It also lists device requirements and performance specifications.
GUIDE ORGANIZATION
This manual has four chapters and one appendix.
Chapter 1, "Overview" provides a detailed overview of the system and its modules, power supplies, and fan tray.
Chapter 2, "Installing the Device" provides instructions for you to rack mount the NetScreen-ISG 2000, connect the power supplies, and connect the modules to the network in addition to providing desktop site requirements and guidelines for rack mounting.
Chapter 3, "Configuring the Device" provides instructions for you to obtain an IP address for an interface and how to aggregate ports on one of the modules.
Chapter 4, "Servicing the Device" provides procedures on how to replace your modules and power supplies.
Appendix A, "Specifications" provides a list of physical specifications about the NetScreen-ISG 2000, the modules, and power supplies.
COMMAND LINE INTERFACE (CLI) CONVENTIONS
The following conventions are used when presenting the syntax of a command line interface (CLI) command:
Anything inside square brackets [ ] is optional.
Anything inside braces { } is required.
If there is more than one choice, each choice is separated by a pipe ( | ). For example,
set interface { ether1/1 | ether1/2 | ether2/2 } manage
means “set the management options for the ether1/1, ether1/2, or ether2/2 interface”.
Variables appear in italic. For example:
set admin user name1 password xyz
When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: “Use the get system command to display the serial number of a NetScreen device.”
Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.
JUNIPER NETWORKS NETSCREEN PUBLICATIONS
To obtain technical documentation for any Juniper Networks NetScreen product, visit www.juniper.net/techpubs/.
For technical support, open a support case using the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
techpubs-comments@juniper.net
Chapter 1

Overview

This chapter provides detailed descriptions of the NetScreen-ISG 2000 chassis. Topics in this chapter include:
The Front Panel
LED Dashboard
Interface Modules
Compact Flash
Management Interfaces
High Availability Interfaces
The Fan Module
The Rear Panel
Power Supplies
THE FRONT PANEL
The front panel of the NetScreen-ISG 2000 has the following:
An LED dashboard
Four removable, replaceable interface modules
A compact flash card slot
Management, console, and modem ports
A fan module
LED Dashboard
The LED dashboard displays up-to-date information about critical NetScreen-ISG 2000 functions.
The LEDs in the dashboard are as follows:
| LED | Purpose | Color | Meaning |
| --- | --- | --- | --- |
| POWER | Power Supply | green | Power supply is functioning correctly. |
| | | off | System is not receiving power. |
| | | red | There is a problem with the power. |
| ALARM | System Alarm | blinking red | • Continuous blinking indicates a self-test failure during the ScreenOS bootup. May also occur due to certain algorithm and ACL failures. • Blinks once for each software attack. |
| | | amber | One of the following failures has occurred: • Power supply is turned off. • Hardware failure. • Error with software module. |
| | | off | No alarm condition present. |
| TEMP | Temperature | green | Temperature is within safety range. |
| | | orange | Temperature is outside normal alarm range. >132°F or 56°C |
| | | red | Temperature is outside severe alarm range. >150°F or 66°C |
| STATUS | System Status | blinking green | The system is active. |
| | | amber | The system is booting. |
| | | off | The system is off. |
| HA | High Availability Status | green | Unit is master. |
| | | amber | Unit is a backup. |
| | | red | HA has been defined, but unit is not the backup system. |
| | | off | No HA activity defined. |
| FAN | Fan Status | green | All fans functioning properly. |
| | | red | One or more fans failed or fan subsystem is not receiving power. |
| MOD1 | | green | Security module is installed. |
| | | off | No card installed. |
| MOD2 | | green | Security module is installed. |
| | | off | No card installed. |
| MOD3 | | green | Security module is installed. |
| | | off | No card installed. |
| FLASH | Compact Flash Status | green | PC card is installed in compact flash slot. |
| | | blinking green | Read-write activity is detected. |
| | | off | Compact flash slot is empty. |
Note: To change the Alarm LED from red to green but keep the alarm message(s) in the menu system, use the CLI command clear led alarm.
When you turn on the NetScreen-ISG 2000, the Status LED changes from off to blinking green. Startup takes around 90 seconds to complete. If you want to turn the NetScreen-ISG 2000 off and on again, wait a few seconds between shutting it down and powering it back up.
Interface Modules
The front of the NetScreen-ISG 2000 has four interface module bays. Each interface module has two, four, or eight ports, and each port has a pair of LEDs.
Note: You can use both 10/100 and GBIC cards simultaneously for the same NetScreen-ISG 2000; there are no combination restrictions. However, the cards are not hot-swappable.
10/100 Mbps Interface Module
The 10/100 Mbps interface module is appropriate for a 10/100 Base-T LAN. Connect the ports using a twisted pair cable with RJ-45 connectors. (See “Connecting the Device to a Network” on page 24 for cabling guidelines.)
Note: The NetScreen-ISG 2000 supports a maximum port count of 28. If there are 8-port 10/100 modules in each I/O slot, then ports five through eight, in slot 4, are disabled. Under this circumstance, these ports are unavailable for firewall and HA functions.
TX/RX LED (link activity): Dark: Not Active; Orange: Active
Link LED (link status): Dark: Not Linked; Green: Linked
The Mini-GBIC Interface Connector Module
The mini-GBIC interface module provides connectivity to fiber-based, gigabit ethernet LANs. Connect the module using an optical single mode or multi mode cable.
Link LED: Dark: Not Linked; Green: Linked
TX/RX LED: Dark: Not Active; Green: Active
Compact Flash
The compact flash slot is for downloading or uploading system software or configuration files, and for saving log files to a compact flash card.
To download or upload, execute the CLI command save:
save { software | config } from { flash | slot1 filename } to { flash | slot1 filename }
where flash refers to internal flash memory, slot1 refers to the compact flash slot, and filename is the name of the software or configuration file on the card.
For example, the following command downloads the current device configuration to a file named ns2000_config on a card in the compact flash slot:
save config from flash to slot1 ns2000_config
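The following is an added example, not code from the manual or from Juniper: a pre-flight checker that validates a save command against the syntax above and expands abbreviated keywords the way the CLI conventions note describes. The top-level keyword list holds only the commands that appear in this manual, and the file name image.bin is constructed; the device's real keyword set is larger, so what counts as a unique abbreviation on the device may differ.

```python
"""Pre-flight check for `save` commands, following the syntax given in this manual."""

# Top-level commands that appear in this manual only (assumption: the
# device's real keyword set is larger, so on-device uniqueness may differ).
TOP_LEVEL = ("set", "get", "save", "clear")


class CliSyntaxError(ValueError):
    """Raised when a command line does not match the documented syntax."""


def expand(token, choices):
    """Resolve a keyword typed in full or as a unique prefix of one choice."""
    if token in choices:
        return token
    matches = [c for c in choices if c.startswith(token)]
    if len(matches) == 1:
        return matches[0]
    if matches:
        raise CliSyntaxError(f"ambiguous keyword {token!r}: {', '.join(matches)}")
    raise CliSyntaxError(f"unknown keyword {token!r}; expected {' | '.join(choices)}")


def _keyword(tokens, i, choices):
    """Expand the required keyword at position i, or fail if the line ends early."""
    if i >= len(tokens):
        raise CliSyntaxError(f"command ends early; expected {' | '.join(choices)}")
    return expand(tokens[i], choices)


def _location(tokens, i):
    """Parse `{ flash | slot1 filename }` at position i; return (location, next index)."""
    where = _keyword(tokens, i, ("flash", "slot1"))
    if where == "flash":
        return ("flash", None), i + 1
    # slot1 is the compact flash slot and must be followed by a file name.
    if i + 1 >= len(tokens):
        raise CliSyntaxError("slot1 must be followed by a filename")
    return ("slot1", tokens[i + 1]), i + 2


def parse_save(line):
    """Validate one save command and return its parts plus the fully spelled form."""
    tokens = line.split()
    if _keyword(tokens, 0, TOP_LEVEL) != "save":
        raise CliSyntaxError("not a save command")
    what = _keyword(tokens, 1, ("software", "config"))
    _keyword(tokens, 2, ("from",))
    source, i = _location(tokens, 3)
    _keyword(tokens, i, ("to",))
    dest, i = _location(tokens, i + 1)
    if i != len(tokens):
        raise CliSyntaxError(f"unexpected trailing text: {' '.join(tokens[i:])}")
    parts = ["save", what, "from", *filter(None, source), "to", *filter(None, dest)]
    return {"what": what, "from": source, "to": dest, "canonical": " ".join(parts)}


if __name__ == "__main__":
    # Constructed sample lines, as they might appear in a change script.
    samples = [
        "save config from flash to slot1 ns2000_config",
        "sa conf fr fl to sl ns2000_config",
        "s config from flash to flash",
        "save config from flash to slot1",
    ]
    for sample in samples:
        try:
            print("OK   ", parse_save(sample)["canonical"])
        except CliSyntaxError as err:
            print("ERROR", repr(sample), "->", err)
```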
Management Interfaces
The NetScreen-ISG 2000 offers three management interfaces:
| Port | Description |
| --- | --- |
| Console | This RJ-45 serial port is for local configuration and administration using the CLI. Connect the console port to your workstation using an RJ-45 female to DB-9 male straight-through serial cable. |
| Modem | This RJ-45 serial port is for connecting to a modem, allowing the user to control the device remotely. (For security reasons, it is advisable to use a modem only for troubleshooting or for a one-time configuration, not for regular remote administration.) |
| 10/100 MGT | This management port has a fixed 10/100 Base-T interface and provides a dedicated, out-of-band connection for management traffic. It has a separate IP address and netmask, configurable with the CLI or WebUI. (For security reasons, do not pass session traffic through this interface.) The MGT port is not capable of routing traffic to other interfaces. This port is only to be used for management purposes. The default IP address for the MGT port is 192.168.1.1. |
High Availability Interfaces
There are no dedicated High Availability (HA) interfaces on the NetScreen-ISG 2000; therefore, you must select and configure the HA ports once the system is running. The HA ports allow you to cable two devices together, and configure them to work as a redundant group. A redundant group consists of a master device and one backup device. If the master device fails, the backup device takes over as the new master, thus avoiding interruption of services. Any number and type of interfaces, from the four interface modules, can be used as an HA port.
Note: It is recommended that you use mini-GBIC interface modules when possible. Do not mix mini-GBIC and 10/100 Mbps ports as HA ports. If you do not have a mini-GBIC interface module, you should use at least two 10/100 Mbps interfaces. For more information on HA configuration, see the NetScreen Concepts & Examples ScreenOS Reference Guide.
For information on cabling for High Availability, see “Connecting the NetScreen-ISG 2000 for High Availability” on page 26.
The Fan Module
The NetScreen-ISG 2000 has a three-fan module, which you can access on the left front side of the chassis.
[Figure: fan module, with callouts for the fan front and the fan lever]
Warning: If a fan stops operating due to failure or removal, the system continues to run. Be sure that the fan tray is not empty for more than two minutes; otherwise, heat failure or permanent damage can occur.
THE REAR PANEL
The rear panel of the NetScreen-ISG 2000 contains the power supplies.
Power Supplies
The NetScreen-ISG 2000 supports two redundant, fault-tolerant and auto-switching power supplies. The power supplies are hot-swappable, so you can remove or replace one power supply without interrupting device operation.
You can order the NetScreen-ISG 2000 with one or two power supplies, either DC or AC. Although the NetScreen-ISG 2000 can run with one power supply, it is advisable to install two. This practice minimizes the chance of system failure due to an individual power supply failure.
Important: Do not mix the power supply types because it could seriously damage the device.
When the NetScreen-ISG 2000 contains two power supplies, they share the power load equally. If one power supply fails, the other assumes the full load automatically and the device sends a system alarm. The Power LED only displays two colors: green, indicating that the power supply is functioning correctly, and red, indicating that the power supply has failed.
The DC Power Supply
The DC power supply weighs about three pounds. The faceplate contains a power LED, a power switch, a cooling fan vent, and three DC power terminal blocks that connect to power cables.
The following figure shows the NetScreen-ISG 2000 DC power supply.
[Figure: DC power supply faceplate, with callouts for the thumbscrew, terminal blocks, power LED, hex nut, and power switch]
The AC Power Supply
The AC power supply weighs about three pounds. The faceplate contains a power LED, a power switch, a cooling fan vent, and a male power outlet.
The figure below shows the NetScreen-ISG 2000 AC power supply.
[Figure: AC power supply faceplate, with callouts for the power LED, thumbscrew, power outlet, and power switch]
Chapter 2

Installing the Device

This chapter describes how to install a NetScreen-ISG 2000 in an equipment rack. Topics in this chapter include:
General Installation Guidelines
Equipment Rack Mounting
Equipment Rack Installation Guidelines
Equipment Rack Accessories and Required Tools
Mid-Mount
Rear-and-Front Mount
Installing and Connecting the AC Power Supply
Installing and Wiring a DC Power Supply
Note: For safety warnings and instructions, please refer to the NetScreen Safety Guide. The instructions in this guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
GENERAL INSTALLATION GUIDELINES
Observing the following precautions can prevent injuries, equipment failures, and shutdowns.
Never assume that the power supply is disconnected from a power source. Always check first.
Room temperature might not be sufficient to keep equipment at acceptable temperatures without an additional circulation system. Ensure that the room in which you operate the device has adequate air circulation.
Do not work alone if potentially hazardous conditions exist.
Look carefully for possible hazards in your work area, such as moist floors, ungrounded power extension cables, frayed power cords, and missing safety grounds.
Important: Although you can place the device on a desktop for operation, it is not advisable to deploy a NetScreen-ISG 2000 in this manner. The best deployment technique is equipment rack mounting, described below.
Warning: To prevent abuse and intrusion by unauthorized personnel, install the NetScreen-ISG 2000 in a locked-room environment.
EQUIPMENT RACK MOUNTING
The NetScreen-ISG 2000 comes with accessories for mounting the device in a standard 19-inch equipment rack.
Equipment Rack Installation Guidelines
The location of the chassis, the layout of the equipment rack, and the security of your wiring room are crucial for proper system operation.
Use the following guidelines while configuring your equipment rack.
Enclosed racks must have adequate ventilation. Such ventilation requires louvered sides and a fan to provide cooling air.
When mounting a chassis in an open rack, be sure that the rack frame does not block the intake or exhaust ports. If you install the chassis on slides, check the position of the chassis when it is seated all the way into the rack.
In an enclosed rack with a ventilation fan in the top, equipment higher in the rack can draw heat from the lower devices. Always provide adequate ventilation for equipment at the bottom of the rack.
Baffles can isolate exhaust air from intake air. The best placement of the baffles depends on the airflow patterns in the rack.
Equipment Rack Accessories and Required Tools
Rack mounting requires the following accessories and tools:
1 Phillips-head screwdriver (not provided)
4 screws to match the rack (if the thread size of the screws provided in the NetScreen-ISG 2000 product package does not fit the thread size of the rack)
The included rear slide mount kit (for the rear-and-front-mount method)
Rear Slide Mount Kit
Slides (2)
Rear mount brackets (2)
10-32 x ½” Screws (8)
M4 Screws (6)
There are two ways to rack mount the NetScreen-ISG 2000:
Mid-mount
Rear-and-front mount
Note: NetScreen strongly recommends the rear-and-front rack mount configuration.
Mid-Mount
To mid-mount the NetScreen-ISG 2000:
1. Screw the left and right plates to the middle of each side of the NetScreen-ISG 2000 chassis.
2. Slide the NetScreen-ISG 2000 in the rack.
3. Screw the left and right plates to the rack.
Rear-and-Front Mount
To mount the NetScreen-ISG 2000 with support from the rear and front, use the rear slide mount kit.
1. Screw the left and right plates to the front of each side of the NetScreen-ISG 2000 chassis.
2. Screw the rear mount bracket to the rear rack posts.
3. With the indented groove that runs the length of each slide facing outward, screw the slides to the middle of each side of the NetScreen-ISG 2000 chassis.
Note: Depending on the depth of your equipment rack, you can attach the slides along the length of the sides or extend them over the rear of the chassis.
4. Slip the slides into the rear mount brackets.
5. Push the NetScreen-ISG 2000 forward until the left and right plates contact the front rack posts.
6. Screw the left and right plates to the rack.
INSTALLING AND CONNECTING THE AC POWER SUPPLY
To install and connect the AC power supply to the NetScreen-ISG 2000:
1. Slide the power supply into one of the power compartments in the back of the system.
2. Fasten the power supply to the system by tightening the corner screws into the eyelets on the sides of the power supply. (If you want to install two power supplies, repeat steps 1 and 2 for the other power supply.)
3. Connect the female end of a standard power cord to the male connector on the back of each power supply.
4. Connect each power cord to a standard 100-240-volt power outlet.
Note: Whenever you deploy two power supplies to a NetScreen-ISG 2000, connect each to a different power source. Each power supply is intended to receive power from separate feeds.
5. Turn on the power switch.
Note: If there are multiple power supplies in the NetScreen-ISG 2000 and any of them are off, the Alarm LED on the management module glows red. This warning indicates that maximum system reliability requires all installed power supplies to be operational.
INSTALLING AND WIRING A DC POWER SUPPLY
To install and connect the DC power supply to the NetScreen-ISG 2000:
1. Slide the power supply into one of the power compartments in the back of the system.
2. Fasten the power supply to the system by tightening the corner screws into the eyelets on the sides of the power supply.
3. If you want to install two power supplies, repeat steps 1 and 2 for the remaining power supply.
4. Turn on the power switch.
The DC power supply, ON/OFF switch, grounding screw, and terminal blocks are located on the faceplate of the power supply unit.
Warning: You must shut off current to the DC feed wires before connecting the wires to the power supplies. Also, make sure that the ON/OFF switch is in the off position.
To connect the DC power supply to a grounding point at your site:
1. Remove the hex nut on the grounding screw.
2. Place the ground lug on the screw and tighten the hex nut securely.
3. Connect the other end of the grounding lug wire to a grounding point at your site.
To connect DC power feeds to the terminal blocks:
1. Loosen the retaining screws on each terminal block.
2. Insert the 0V DC (positive voltage) return wire into the center COM connector and the -48V DC power feed wire into either the left or right connector.
3. Fasten the screws over the connectors.
4. Turn on the power switch.
Note: If there are multiple power supplies in the NetScreen-ISG 2000 and any of them are off, the Alarm LED on the management module glows red. This warning indicates that maximum system reliability requires all installed power supplies to be operational.
Chapter 3

Configuring the Device

This chapter describes how to connect a NetScreen-ISG 2000 to your network and perform initial configuration on the device. Topics in this chapter include:
“Operational Modes”
“Transparent Mode”
“Route Mode”
“The NetScreen-ISG 2000 Interfaces”
“Configurable Interfaces”
“The Ethernet Interfaces”
“Interfaces to Change During Initial Configuration”
“Connecting the Device to a Network”
“Connecting the NetScreen-ISG 2000 as a Single Security System”
“Connecting the NetScreen-ISG 2000 for High Availability”
“Performing Initial Connection and Configuration”
“Establishing a Terminal Emulator Connection”
“Changing Your Admin Name and Password”
“Setting Port and Interface IP Addresses”
“Configuring the Device for Telnet and WebUI Sessions”
“Starting a Console Session Using Telnet”
“Starting a Console Session Using Dialup”
“Establishing a WebUI Management Session”
“Configuring the Chassis Alarm”
“Using CLI Commands to Reset the Device”
Note: You must register your product at www.netscreen.com/cso so that certain ScreenOS services, such as Deep Inspection Signature Service, can be activated on the device. After registering your product, use the WebUI or CLI to obtain the subscription for the service. For more information about registering your product and obtaining subscriptions for specific services, see Volume 2 in the NetScreen Concepts & Examples ScreenOS Reference Guide.

OPERATIONAL MODES

The NetScreen-ISG 2000 supports two device modes: Transparent mode and Route mode. The default mode is Route.
Note: Because you enable NAT capability by configuring interfaces and creating security policies, NAT is not considered a device mode. To configure your device for NAT, the device must be in Route mode.
Transparent Mode
In Transparent mode, the NetScreen-ISG 2000 operates as a Layer-2 bridge. Because the device cannot translate packet IP addresses, it cannot perform Network Address Translation (NAT). Consequently, any IP address in your trusted (local) networks must be public, routable, and accessible from untrusted (external) networks.
In Transparent mode the NetScreen device is invisible to the network. However, the device can still perform firewall, VPN, and traffic management according to configured security policies.
Route Mode
In Route mode, the NetScreen-ISG 2000 operates at Layer 3. Because you can configure each interface using an IP address and subnet mask, you can configure individual interfaces to perform NAT.
When the interface performs NAT services, the device translates the source IP address of each outgoing packet into the IP address of the untrusted port. It also replaces the source port number with a randomly-generated value. You can also perform translations using either Mapped IP (MIP) or Virtual IP (VIP) addresses.
When the interface does not perform NAT services, the source IP address and port number in each packet header remain unchanged. Therefore, your local hosts must have public IP addresses.
For more information on NAT, see the NetScreen Concepts and Examples ScreenOS Reference Guide.

The NetScreen-ISG 2000 Interfaces

The NetScreen-ISG 2000 provides physical ports, each of which can serve as a physical interface. In addition, you can configure Ethernet ports to serve as virtual (logical) interfaces.
Configurable Interfaces
The interfaces available on the NetScreen-ISG 2000 are as follows:
Interface Type / Description
Ethernet interfaces
    ethernetn1/n2 specifies a physical Ethernet interface, denoted by an interface module in a slot (n1) and a physical port (n2) on the module.
    ethernetn1/n2.n3 specifies a logical interface, denoted by an interface module in a slot (n1), a physical port (n2) on the module, and a logical interface number (.n3). You create logical interfaces using the set interface command.
Layer-2 interfaces
    vlan1 specifies the interface used for VPNs while the NetScreen device is in Transparent mode.
Tunnel interfaces
    tunnel.n specifies a tunnel interface. Use this interface for VPN traffic.
Function interfaces
    mgt specifies an interface bound to the MGT zone. The default IP address of this interface is 192.168.1.1.
The Ethernet Interfaces
The Ethernet interfaces are located on the interface modules (see “Interface Modules” on page 6). The interface names are as follows:
ethernet1/1    ethernet1/2
ethernet2/1    ethernet2/2
ethernet3/1    . . .    ethernet3/8
ethernet4/1    ethernet4/2
Interfaces to Change During Initial Configuration
The default IP address and subnet mask settings for NetScreen-ISG 2000 interfaces are 0.0.0.0 and 0.0.0.0, respectively. The exception is MGT, a special interface used only for device management. The default IP address and subnet mask settings for the MGT interface are 192.168.1.1 and 255.255.255.0, respectively.
For all operational modes, it is advisable to change the IP address and subnet mask for the MGT interface, and to use it exclusively for out-of-band management.
To access the vlan1 interface in Transparent mode, you must change the IP address and subnet mask of vlan1 to match your current network.
In Transparent mode, only the MGT and vlan1 interfaces may have a new IP address and subnet mask. All others must keep their default IP address and subnet mask settings (0.0.0.0 and 0.0.0.0, respectively).
In Route mode (with or without NAT), at least two Ethernet interfaces must have new IP addresses and subnet masks.
Note: For more information on setting IP addresses, see “Setting Port and Interface IP Addresses” on page 31.
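The addressing rules in this section can be checked mechanically before a device goes into service. The following is an added example, not part of the original guide or of ScreenOS: the function names, the dictionary input format, and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Name forms from the Configurable Interfaces table: ethernetn1/n2[.n3],
# tunnel.n, vlan1, mgt. Four module bays, at most eight ports per module.
NAME_RE = re.compile(r"^(?:ethernet([1-4])/([1-8])(?:\.(\d+))?|tunnel\.(\d+)|vlan1|mgt)$")
UNSET = ipaddress.ip_interface("0.0.0.0/0.0.0.0")  # default on every other interface
MGT_DEFAULT = ipaddress.ip_interface("192.168.1.1/255.255.255.0")  # default on MGT


def classify(name):
    """Return 'ethernet', 'tunnel', 'vlan1' or 'mgt'; reject anything else."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"not a NetScreen-ISG 2000 interface name: {name!r}")
    if m.group(1):
        return "ethernet"
    return "tunnel" if m.group(4) else name


def audit(mode, interfaces):
    """Check {name: 'address/mask'} against the rules for 'transparent' or 'route' mode."""
    if mode not in ("transparent", "route"):
        raise ValueError(f"unknown device mode: {mode!r}")
    addrs = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    kinds = {n: classify(n) for n in addrs}
    findings = []
    # An interface absent from the input is assumed to still hold its default.
    if addrs.get("mgt", MGT_DEFAULT) == MGT_DEFAULT:
        findings.append("mgt: still at default 192.168.1.1/255.255.255.0")
    if mode == "transparent":
        for name in sorted(addrs):
            if kinds[name] not in ("mgt", "vlan1") and addrs[name] != UNSET:
                findings.append(f"{name}: must keep 0.0.0.0/0.0.0.0 in Transparent mode")
    else:
        addressed = [n for n in addrs if kinds[n] == "ethernet" and addrs[n] != UNSET]
        if len(addressed) < 2:
            findings.append(f"route: {len(addressed)} Ethernet interface(s) addressed, need at least 2")
    return findings


if __name__ == "__main__":
    # Constructed sample: Transparent mode, MGT untouched, one Ethernet port addressed.
    sample = {"mgt": "192.168.1.1/24", "vlan1": "10.1.1.9/24", "ethernet1/1": "10.1.1.1/24"}
    for finding in audit("transparent", sample):
        print(finding)
```

An empty list means the supplied addressing is consistent with the rules above; each string in the list names the interface or mode rule that is not met.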

CONNECTING THE DEVICE TO A NETWORK

The NetScreen-ISG 2000 has four interface module bays, which can contain the following types of modules:
10/100 Mbps interface module, for 10/100 Base-T connections (4 and 8 ports)
Mini-GBIC interface module, for fiber-optic connections (2 ports)
The type of network used by your organization determines the kind of interface needed to connect the NetScreen-ISG 2000. (For more information on interface modules, see “Interface Modules” on page 6.)
Note: Because of the wide variety of available routers, hubs, and switches, the cabling configuration presented here might not satisfy your network connection requirements. If the cabling suggested in this chapter does not work, try other cable configurations until a link light indicates an active link.