Juniper Networks NETSCREEN 200 User Manual

NETSCREEN-200 SERIES

User’s Guide

Version 5.0 P/N 093-1253-000 Rev. C

Copyright Notice

Copyright © 2007 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo
are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25,
NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400,
NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN
Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and
NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the
property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply
with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide
reasonable protection against harmful interference when the equipment is operated in a commercial environment. The
equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the
instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case users will be required to correct the interference at
their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates
and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it
may cause interference with radio and television reception. This equipment has been tested and found to comply with the
limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are
designed to provide reasonable protection against such interference in a residential installation. However, there is no
guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the
equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH
IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY
THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY,
CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Contents

Preface...............................................................................................................................................v

Guide Organization ..................................................................................................v

Command Line Interface (CLI) Conventions ............................................................ vi

Juniper Networks NetScreen Publications ................................................................ vi

Chapter 1 Overview ......................................................................................................................... 1

NetScreen-200 Systems .............................................................................................2

NetScreen-204 Device .................................................................................... 2

NetScreen-208 Device .................................................................................... 2

The Front Panel .........................................................................................................3

System Status LED Display ................................................................................ 3

Asset Recovery Pinhole.................................................................................... 4

Console and Modem Ports.............................................................................. 5

Compact Flash Card Slot ................................................................................ 5

Ethernet Interfaces........................................................................................... 6

The Rear Panel ..........................................................................................................6

Power Supplies ................................................................................................ 6

Power Fuse ...................................................................................................... 7

Chapter 2 Installing the Device........................................................................................................ 9

General Installation Guidelines ...............................................................................10

Performing Equipment-Rack Installation .................................................................10

Equipment Rack Installation Guidelines ........................................................ 10

Front Mount ................................................................................................... 11

Mid-Mount ..................................................................................................... 11

Connecting the Power ............................................................................................11

Wiring a DC Power Supply ......................................................................................12

Connecting the NetScreen-200 Device to Other Devices ......................................13

Chapter 3 Configuring the Device................................................................................................. 15

Operational Modes ................................................................................................16

Transparent Mode ......................................................................................... 16

Route Mode................................................................................................... 16

The NetScreen-200 Series Device Interfaces ..........................................................17

Connecting the Device as a Single Security Gateway ...........................................18

Connectivity Examples .................................................................................. 18

Performing Device Connection ..................................................................... 19

Establishing an HA Connection Between Devices ...................................................20

Performing Initial Connection and Configuration ...................................................22

NetScreen-200 Series iii

Contents

Establishing a Terminal Emulator Connection................................................ 22

Changing Your Admin Name and Password ................................................. 23

Setting Port and Interface IP Addresses ......................................................... 23

Viewing Current Interface Settings ............................................................23

Setting the IP Address of the Management Interface ...............................24

Setting the IP Address for the Untrust Zone Interface .................................24

Allowing Outbound Traffic .........................................................................25

Configuring the Device for Telnet and WebUI Sessions ...........................................25

Starting a Console Session Using Telnet......................................................... 25

Starting a Console Session Using Dialup........................................................ 26

Establishing a GUI Management Session....................................................... 26

Asset Recovery ........................................................................................................28

Using CLI Commands to Reset the Device .................................................... 28

Using the Asset Recovery Pinhole to Reset the Device .................................. 29

Appendix A Specifications..........................................................................................................A-I

NetScreen-200 Attributes ......................................................................... A-II

Electrical Specification ............................................................................ A-II

Environmental .......................................................................................... A-II

NEBS Certifications ................................................................................... A-II

Safety Certifications ................................................................................. A-II

EMI Certifications ..................................................................................... A-II

Index..................................................................................................................... IX-I

iv User’s Guide

Preface

The Juniper Networks NetScreen-200 Series consists of versatile, purpose-built, high­performance security systems that provide IPSec VPN and firewall services for medium
and large enterprise offices, e-business sites, data centers, and carrier infrastructures.

The NetScreen-200 Series includes the following device models:

• The NetScreen-204, which has four 10/100 Base-T interface ports and performs
firewall functions at 400 Mbps

• The NetScreen-208, which has eight 10/100 Base-T interface ports and performs
firewall functions at 550 Mbps

All NetScreen-200 Series 10/100 Base-T ports perform auto-speed sensing and auto­polarity correction.

GUIDE ORGANIZATION

This manual has three chapters and one appendix.

Chapter 1, "Overview"provides a detailed overview of the system and its components.

Chapter 2, "Installing the Device"describes how to rack-mount the NetScreen-200
systems and connect the systems to other devices.

Chapter 3, "Configuring the Device"details how to connect the NetScreen-200 device to
the network and perform initial configuration.

Appendix A, "Specifications" provides a list of physical specifications about the
NetScreen-200 Series, the modules, and power supplies.

NetScreen-200 Series v

Preface

COMMAND LINE INTERFACE (CLI) CONVENTIONS

The following conventions are used when presenting the syntax of a command line
interface (CLI) command:

• Anything inside square brackets [ ] is optional.

• Anything inside braces { } is required.

• If there is more than one choice, each choice is separated by a pipe ( | ). For

example,

set interface { ethernet1 | ethernet2 | ethernet3 }
manage

means “set the management options for the ethernet1, ethernet2, or ethernet3
interface”.

• Variables appear in italic. For example:

set admin user name1 password xyz

When a CLI command appears within the context of a sentence, it is in bold (except for
variables, which are always in italic). For example: “Use the get system command to
display the serial number of a NetScreen device.”

Note: When typing a keyword, you only have to type enough letters to identify the word

uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command

set admin user joe j12fmt54. Although you can use this shortcut when entering

commands, all the commands documented here are presented in their entirety.

JUNIPER NETWORKS NETSCREEN PUBLICATIONS

To obtain technical documentation for any Juniper Networks NetScreen product, visit

www.juniper.net/techpubs/

For technical support, open a support case using the Case Manager link at http://

www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-

9500 (outside the United States).

If you find any errors or omissions in the following content, please contact us at the e-mail
address below:

.

techpubs-comments@juniper.net

vi User’s Guide

Chapter 1

Overview

This chapter provides detailed descriptions of the NetScreen-200 Series system devices
and their components.

Topics in this chapter include:

• “NetScreen-200 Systems” on page 2

– “NetScreen-204 Device” on page 2

– “NetScreen-208 Device” on page 2

• “The Front Panel” on page 3

– “System Status LED Display” on page 3

– “Asset Recovery Pinhole” on page 4

– “Console and Modem Ports” on page 5

– “Compact Flash Card Slot” on page 5

– “Ethernet Interfaces” on page 6

• “The Rear Panel” on page 6

– “Power Supplies” on page 6

– “Power Fuse” on page 7

1

Note: For safety warnings and instructions, please refer to the NetScreen Safety Guide.

The instructions in this guide warn you about situations that could cause bodily injury.
Before working on any equipment, be aware of the hazards involved with electrical
circuitry and be familiar with standard practices for preventing accidents.

NetScreen-200 Series 1

Chapter 1 Overview

NETSCREEN-200 SYSTEMS

This NetScreen-200 Series currently includes the NetScreen-204 device and the
NetScreen-208 device.

NetScreen-204 Device

The NetScreen-204 is a chassis-based, rack-mountable network security device with four
ethernet 10/100 Base-T interface ports. The figure below shows a NetScreen-204 device.

System Status LEDs Asset Recovery

Pinhole

Console
Port

Modem
Port

Compact Flash
Card Slot

Ethernet Interfaces

NetScreen-208 Device

The NetScreen-208 is a chassis-based, rack-mountable network security device with eight
ethernet 10/100 Base-T interface ports. The figure below shows a NetScreen-208 device.

System Status LEDs Asset Recovery

Pinhole

Console
Port

Modem
Port

Compact Flash
Card Slot

Ethernet Interfaces

2 User’s Guide

THE FRONT PANEL

The features shared in common by NetScreen-204 and NetScreen-208 devices include:

• A System Status LED display

• An Asset Recovery Pinhole

• A Console port

• A Modem port

• A Compact Flash Card Slot

• Ethernet interfaces

System Status LED Display

The front panel of each NetScreen-200 Series device has a System Status display, which
contains six LEDs.

Status LED

The Front Panel

Power LED

Alarm LED

Session LED

HA LED

Flash LED

The information revealed by each LED is as follows:

LED
Name

Power Power Supply green Power supply is functioning correctly.

Status System Status amber At initial power up.

HA High Availability

Purpose Color Meaning

off The device is not receiving power.

green At startup and while performing diagnostics.

blinking green Normal operation.

blinking red Error detected

green Unit is the primary (master) device.

Status

blinking green Connection not found.

amber Unit is the secondary (backup) device.

off HA not enabled.

NetScreen-200 Series 3

Chapter 1 Overview

Alarm System Alarm red Critical alarm:

• Failure of hardware component or software
module (such as a cryptographic algorithm).

• Firewall attacks detected.

• HA status changed

amber Major alarm:

• Low memory (less than 10% remaining).

• High CPU utilization (more than 90% in use).

• Session full.

• Maximum number of VPN tunnels reached.

• HA redundant group member not found.

off No alarms.

Status Session

Utilization

Flash Memory Card

Status

amber Session utilization is between 70% and 90%.

red Session utilization is greater than 90%.

off Normal operation.

green The card is installed.

blinking green Read-write activity is detected.

off Flash card slot is empty.

Asset Recovery Pinhole

The Asset Recovery Pinhole is a button that resets the device to its original default
settings. To use this button, insert a stiff wire (such as a straightened paper clip) into the
pinhole.

Warning: Because resetting the device restores it to the original default configuration, any

new configuration settings are lost, and the firewall and all VPN service become
inoperative.

4 User’s Guide

The Front Panel

Console and Modem Ports

The Console port is an RJ-45 serial console port connector, for vt100 terminal emulator
programs to perform local configuration and administration.

The Modem port is an RJ-45 serial console port connector, for establishing remote console
sessions using dialup connections through a 9600 bps modem connected via an RS-232
cable. Dialing into the modem establishes the dialup console connection.

The table below lists the RJ-45 to DB-9 adapter connection definitions. To employ a
standard UART port, both the console and the modem ports use this configuration.

DB9 Signal Abbreviation DTE DCE RJ-45

1 Data Carrier Detect DCD In Out NC

2 Received Data RD In Out 3

3 Transmitted Data TD Out In 6

4 Data Terminal Ready DTR Out In 7

5 Signal Ground SGND N/A N/A 4

6 Data Set Ready DSR In Out 2

7 Request To Send RTS Out In 8

8 Clear To Send CTS In Out 1

9 Ring Indicator RI In Out NC

Compact Flash Card Slot

The NetScreen-200 Series supports CompactFlash™ cards with a variety of memory
capacities. NetScreen has tested SanDisk 96MB and 512MB cards. The NetScreen device
automatically detects the presence of a flash card and records the system log to it.

NetScreen-200 Series 5

Chapter 1 Overview

Ethernet Interfaces

Each Ethernet port is a 10/100 auto-sensing interface with two link LEDs. The left LED
indicates network traffic, and the right LED indicates an active network link.

Network Traffic:
Blinking = link activity

THE REAR PANEL

The figure below shows the rear panel of a NetScreen-200 Series device (with an AC
power supply).

Network Link:
On = link is up
Off = link is down

Power Outlet

Power Switch

Note: Certain export restrictions may apply to international customers. Check with your

sales representative.

Fuse Cover

Power Supplies

A NetScreen-200 Series device can have an AC power supply or a DC power supply.

The DC power supply can operate on one or two DC feeds ranging from -36V to -60V.
When you use two feeds, they share the load. If one feed fails, the other automatically
assumes the full load.

The internal fuse for the DC power supply is a 3.15A/250V, fast-acting fuse. This is not
replaceable.

6 User’s Guide