Juniper networks NSMXPRESS REV 1, NSM3000 REV 1 User Manual

Juniper Networks Network and Security Manager

NSMXpress and NSM3000 User Guide

Release

2010.4

Published: 2010-11-17

Revision 1

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net

This productincludes the Envoy SNMPEngine, developed by Epilogue Technology,an Integrated Systems Company.Copyright ©1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

NSMXpress and NSM3000 User Guide

Revision History November 17, 2010—Revision 1

The information in this document is current as of the date listed in the revision history.

END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE.

BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER)CONSENT TO BE BOUNDBY THIS AGREEMENT.IF YOUDO NOTOR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks (Cayman) Limited (ifthe Customer’sprincipal officeis located outsidethe Americas) (such applicable entitybeing referred to herein as“Juniper”),and (ii) the person or organization thatoriginally purchasedfrom Juniperor an authorized Juniperreseller the applicable license(s) for use of the Software (“Customer”) (collectively, the “Parties”).

2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject topayment of the applicablefees andthe limitations and restrictions set forth herein, Juniper grants toCustomer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limitsto Customer’s useof the Software. Suchlimits may restrictuse to amaximum numberof seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software,in any form, toany thirdparty; (d)remove any proprietarynotices, labels,or marks on orin any copy of the Softwareor any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold inthe secondhand market; (f)use any ‘locked’ orkey-restricted feature,function, service, application, operation, orcapability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the

Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the priorwritten consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise allreasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.

7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statementthat accompaniesthe Software (the“Warranty Statement”).Nothing inthis Agreement shallgive riseto any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTSOR PROCUREMENTOF SUBSTITUTEGOODS ORSERVICES,OR FOR ANY SPECIAL,INDIRECT,OR CONSEQUENTIALDAMAGES ARISING OUTOF THIS AGREEMENT,THE SOFTWARE,OR ANY JUNIPEROR JUNIPER-SUPPLIEDSOFTWARE. INNO EVENT SHALLJUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer’s ability to export the Software without an export license.

12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS

227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose softwareis embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in itsown name asif it wereJuniper. In addition, certain thirdparty software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License (“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL

at http://www.gnu.org/licenses/lgpl.html .

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Part 1 Using the NSM Appliance

Chapter 1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

About the NSM Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Installation and Configuration Workflow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Hardware Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

NSM Appliance Ports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Installing the NSMXpress Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Installing the NSM3000 Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Initial Setup Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Boot the NSM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Set Up Your Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

CLI Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Web Interface Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Chapter 2 Installing and Configuring NSM from the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Navigating the Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

General Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Using nsm_setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Configuring the NSM Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Configuring a Regional Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring Typical Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Configuring Custom Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Configuring Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Configuring the Central Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Configuring Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Enabling and Configuring Remote Replication of the Database . . . . . . . 24

NSMXpress and NSM3000 User Guide

Chapter 3 Configuring NSM from the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring Standard Configuration Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Changing the Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Setting Interface Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Setting Routing Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Changing the NSM Appliance Hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Adding DNS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Setting the System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Forwarding Local Status E-mails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Updating System Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Saving Setup Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

The NSM Appliance Default Restoration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Configuring the NSM Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring Basic Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Configuring High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Advanced Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Enabling and Configuring Remote Replication of the Database . . . . . . . 37

Enabling and Configuring SRS (Regional Server Only) . . . . . . . . . . . . . . 38

Installing NSM Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Managing NSM Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Changing the Superuser Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Downloading NSM MIBS (Regional Server Only) . . . . . . . . . . . . . . . . . . . . . . 40

Exporting Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Exporting Device Logs (Regional Server Only) . . . . . . . . . . . . . . . . . . . . . . . . 40

Generating Reports (Regional Server Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Modifying NSM Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Backing Up the NSM Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Changing the NSM Management IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Scheduling Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Managing System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Rebooting or Shutting Down the NSM Appliance . . . . . . . . . . . . . . . . . . . . . . 44

Changing the User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Configuring the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Routing and Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Hostname and DNS Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Host Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Managing RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Adding a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Changing the Priority of RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . 49

Deleting a RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Editing RADIUS Server Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Monitoring with SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

SNMP Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

SNMP System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

SNMP Trap Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

Table of Contents

Forwarding Syslog Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Viewing Syslog Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53

Adding and Configuring Syslog Receivers . . . . . . . . . . . . . . . . . . . . . . . . . 54

Editing Syslog Receiver Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Deleting Syslog Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Changing the System Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Installing Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Managing Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Creating New NSM Appliance Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Deleting a User . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Editing User Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Understanding User Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Configuring the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Maintaining NSM Appliances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Viewing System Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Log Rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

CPU Load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Memory Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Network Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Process Count . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Disk Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Tile All Graphs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Upgrading the Recovery Partition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62

Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Auditing User Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Network Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

IP Subnet Calculator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Tech Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Viewing System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Part 2 Appendixes

Appendix A NSMXpress LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

NSMXpress LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Part 3 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

NSMXpress and NSM3000 User Guide

List of Figures

Part 1 Using the NSM Appliance

Chapter 1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Figure 1: Front Panel of NSMXpress . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Figure 2: Rear Panel of NSM3000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 3: Front Panel of NSM3000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Chapter 3 Configuring NSM from the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Figure 4: Regional Server Configuration Main Menu . . . . . . . . . . . . . . . . . . . . . . . . 32

Figure 5: Central Manager Configuration Main Menu . . . . . . . . . . . . . . . . . . . . . . . 33

Figure 6: High Availability Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Figure 7: Shared Disk Options for Regional Servers . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 8: Shared Disk Options for Central Managers . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 9: HA Links Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Figure 10: Redundant Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 11: HA Advanced Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 12: Advanced Options Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Figure 13: Remote Replication of Database Options . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 14: SRS Menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 15: Change Superuser Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Figure 16: Download NSM MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 17: Export Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 18: Export Device Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Figure 19: Generate Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 20: NSM Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Figure 21: Database Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 22: Change Management IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Figure 23: Schedule Security Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Figure 24: ReBoot or Shut Down . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Figure 25: Change User Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Figure 26: Network Interfaces Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Figure 27: Network Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Figure 28: Routes and Gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Figure 29: DNS Client Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Figure 30: Host Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Figure 31: RADIUS Servers Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Figure 32: Add RADIUS Server Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Figure 33: Edit RADIUS Server Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Figure 34: Configuring SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51

Figure 35: Configuring SNMP System Information . . . . . . . . . . . . . . . . . . . . . . . . . 51

Figure 36: Configuring SNMP Traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52

NSMXpress and NSM3000 User Guide

Figure 37: Configuring a Syslog Receiver . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Figure 38: NSMXpress Users Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Figure 39: Create NSMXpress User Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Figure 40: NSMXpress Users Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Figure 41: Web Interface Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Figure 42: System Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Figure 43: NSMXpress Actions Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Figure 44: Search Results Dialog Box . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Figure 45: Review Error Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Figure 46: Error Log Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Figure 47: Network Utilities Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Figure 48: Ping Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Figure 49: Traceroute Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 50: Lookup Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Figure 51: IP Subnet Calculator . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Figure 52: Juniper Tech Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Figure 53: System Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

List of Tables

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv

Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Table 2: Text Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvi

Table 3: Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii

Table 4: Network and Security Manager Publications . . . . . . . . . . . . . . . . . . . . . . xvii

Part 1 Using the NSM Appliance

Chapter 1 Getting Started . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Table 5: Required Ports on an NSM Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Table 6: Ethernet Port LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Chapter 3 Configuring NSM from the Web Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Table 7: Viewing Syslog Receivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

Table 8: NSM Appliance WebUI User Profiles and Permissions . . . . . . . . . . . . . . 59

Part 2 Appendixes

Appendix A NSMXpress LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Table 9: NSMXpress LEDs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

NSMXpress and NSM3000 User Guide

About This Guide

About This Guide contains the following sections:

•

Objectives on page xv

•

Audience on page xv

•

Conventions on page xv

•

Documentation on page xvii

•

Documentation Feedback on page xviii

•

Requesting Technical Support on page xviii

Objectives

Juniper Networks NSMXpress and NSM3000 are appliance versions of Network and SecurityManager (NSM),a software application that centralizes control andmanagement of your Juniper Networks devices. With NSM, Juniper Networks delivers integrated, policy-based security and network management for network and security devices. NSMXpress and NSM3000 run NSM 2010.4.

NSM appliances simplify the complexity of device administration by providing single, integrated management interfaces that control device parameters. Each appliance is preconfigured as either a regional server or central manager.

Audience

Conventions

This guidedescribes how you can install NSM onto your NSM appliances. In addition, this guide describes how to manage the appliance using the NSM command-line interface (CLI) or the Web interface.

This guide is intended for system administrators responsible for the securityinfrastructure of their organization. Specifically, this book provides procedures for firewall and VPN administrators, network/security operations center administrators, and system administrators responsible for user permissions on the network.

The sample screens used throughout this guide are representations of the screens that appear when you install and configure the NSM software. The actual screens you see may differ.

NSMXpress and NSM3000 User Guide

All examples show default file paths. If you do not accept the installation defaults, your paths will vary from the examples.

Table 1 on page xvi defines notice icons used in this guide.

Table 1: Notice Icons

DescriptionMeaningIcon

Indicates important features or instructions.Informational note

Indicates a situation that might result in loss of data or hardware damage.Caution

Alerts you to the risk of personal injury or death.Warning

Table 2 on page xvi defines text conventions used in this guide.

Table 2: Text Conventions

Bold typeface like this

fixed-width font

Keynames linkedwith a plus (+) sign

Alerts you to the risk of personal injury from a laser.Laser warning

•

Represents commands and keywords in text.

•

Represents keywords

•

Represents UI elements

Represents information as displayed on the terminal screen.

keys simultaneously.

ExamplesDescriptionConvention

•

Issue the clock source command.

•

Specify the keyword exp-msg.

•

Click User Objects

user inputRepresents text that the user must type.Bold typeface like this

host1#

show ip ospf

Routing Process OSPF 2 with Router ID 5.5.0.250 Router is an area Border Router (ABR)

Ctrl + dIndicates that you must press two or more

Italics

The angle bracket (>)

•

Emphasizes words

•

Identifies variables

Indicates navigation paths through the UI by clicking menu options and links.

•

The product supports two levels of access, user and privileged.

•

clusterID, ipAddress.

Object Manager > User Objects > Local Objects

Table 3 on page xvii defines syntax conventions used in this guide.

Table 3: Syntax Conventions

About This Guide

ExamplesDescriptionConvention

terminal lengthRepresent keywordsWords in plain text

mask, accessListNameRepresent variablesWords in italics

Words separated by the pipe ( | ) symbol

Words enclosed in brackets followed by and asterisk ( [ ]*)

Documentation

Table 4 on page xvii describes documentation for NSM.

Table 4: Network and Security Manager Publications

Network and Security Manager Installation Guide

variable to the left or right of this symbol. The keywordor variable canbe optional or required.

can be entered more than once.

Represent required keywords or variables.Words enclosed in braces ( { } )

DescriptionBook

Describes the steps to install the NSM management system on a single server or on separate servers. It also includes information on how to install and run the NSMuser interface.This guideis intended for IT administrators responsible for the installation or upgrade of NSM.

diagnostic | lineRepresent a choice to select one keyword or

[ internal | external ]Represent optional keywords or variables.Words enclosed in brackets ( [ ] )

[ level1 | level2 | 11 ]*Represent optional keywords or variables that

{ permit | deny } { in |out } { clusterId | ipAddress }

Network and Security Manager Administration Guide

Network and Security Manager Configuring ScreenOS Devices Guide

Describes how to use and configure key management features in the NSM. Itprovides conceptual information, suggested workflows, and examples. This guide is best used in conjunction with the NSM Online Help,which provides step-by-step instructions for performing management tasks in the NSM user interface (UI).

This guide is intended for application administrators or those individuals responsible for owning the server and security infrastructure and configuring the product for multiuser systems. It is also intended for device configuration administrators, firewall and VPN administrators, and network security operation center administrators.

Describes NSM features related to device configuration and management. It also explains how to configure basic andadvanced NSM functionality, including deploying new device configurations, managing security policies and VPNs, and general device administration.

NSMXpress and NSM3000 User Guide

Table 4: Network and Security Manager Publications (continued)

DescriptionBook

Network and Security Manager Online Help

Network and Security Manager API Guide

Network and Security Manager Release Notes

NSMXpress and NSM3000 User Guide

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to

techpubs-comments@juniper.net, or fill out the documentation feedback form at

https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include

the following information with your comments:

Provides procedures for basic tasks in the NSM user interface. It also includes a brief overview of the NSM system and a description of the GUI elements.

Provides complete syntax and a description of the Simple Object Access Protocol (SOAP) messaging interface to NSM.

Provides the latest information about features, changes, known problems, resolved problems, and system maximum values. If the information in the Release Notesdiffers from the information found in the documentation set, follow the Release Notes.

Release Notes are included on the corresponding software CD and are available on the Juniper Networks Website.

Describes how to set up andmanage an NSM appliance asa central manager or regional server.

•

Document name

•

Document part number

•

Page number

•

Software release version (not required for Network Operations Guides [NOGs])

Requesting Technical Support

Technical productsupport isavailablethrough theJuniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

•

JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at

http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf .

•

Product warranties—For product warranty information, visit

http://www.juniper.net/support/warranty/ .

•

JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features:

•

Find CSC offerings: http://www.juniper.net/customers/support/

•

Find product documentation: http://www.juniper.net/techpubs/

•

Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

•

Download the latest versions of software and review release notes:

http://www.juniper.net/customers/csc/software/

•

Search technical bulletins for relevant hardware and software notifications:

https://www.juniper.net/alerts/

•

Join and participate in the Juniper Networks Community Forum:

http://www.juniper.net/company/communities/

•

Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

About This Guide

To verifyservice entitlement byproduct serial number,use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC

You can open a case with JTAC on the Web or by telephone.

•

Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

•

Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/support/requesting-support.html

NSMXpress and NSM3000 User Guide

PART 1

Using the NSM Appliance

Part 1 contains the following chapters:

•

Getting Started on page 3

•

Installing and Configuring NSM from the CLI on page 13

•

Configuring NSM from the Web Interface on page 31

NSMXpress and NSM3000 User Guide

CHAPTER 1

Getting Started

This version of the NSM appliance comes preconfigured as a regional server or central manager.

This chapter contains the following sections:

•

About the NSM Appliances on page 3

•

Hardware Installation on page 4

•

Initial Setup Configuration on page 8

About the NSM Appliances

NSMXpress and NSM3000 are appliance versions of Network and Security Manager (NSM) and run NSM 2010.4. NSM appliances simplify the complexity of network administrationby providing single, integrated management interfaces thatcontrol device parameters.

These robust hardware management systems install in minutes with full high availability (HA) support, making it easy to scale and deploy. Enterprise customers with limited resources can benefit significantly from NSM appliances because it eliminates the need to have dedicated resources for maintaining anetwork and security management solution.

NSM appliances make it easy for administrators to control device configuration, network settings, and security policy settings for multiple families of Juniper Networks devices including:

•

IDP Series IntrusionDetection and PreventionAppliances andFirewall and VPN devices running ScreenOS.

•

Devices running Junos OS, such as J Series Services Routers, SRX Series Services Gateways, EX Series Ethernet Switches, M Series Multiservice Edge Routers, and MX Series Ethernet Services routers.

•

SA Series SSL VPN Appliances

•

IC Series Unified Access Control Appliances

For a complete list of supported device families and platforms, see the Network and Security Manager Administration Guide.

Up to 10 administrators can log into an NSM appliance concurrently.

NSMXpress and NSM3000 User Guide

Installation and Configuration Workflow

This guide explains the steps for installing and configuring an NSM appliance and for configuring NSM.

1. Install the NSM appliance hardware.

2. Set up the NSM appliance using the serial port.

3. Configure the NSM appliance software using either the CLI or the Web interface.

4. Configure the NSM software which is preinstalled in the NSM appliance, with

site-specific parameters.

Hardware Installation

We recommend that you install the NSM appliance on your LAN to ensure that it can communicate withyour applicable resources,such asauthentication servers, DNSservers, internal Web servers through HTTP/HTTPS, external Web sites through HTTP/HTTPS (optional), the Juniper update server via HTTP, Network File System (NFS) file servers (optional), and client/server applications (optional).

NSM Appliance Ports

NOTE: If you decide to install an NSM appliance in your DMZ, ensure that it can connect to your internal resources.

Table 5 on page 5 provides required port information on the NSM appliances.

Table 5: Required Ports on an NSM Appliance

Chapter 1: Getting Started

Depends on ConfigurationInternetLANDescriptionPortDirection

NoNoYesSSH command-line management22In

443

8443

7800

7808

7802

7803

7804

22Out

NoNoYesWeb interface for administrator

YesYesLANWebinterfacefor listening for NSM

API messages.

NoYesYesConnections from managed

devices to the NSM appliance

NoNoYesConnections from the NSM GUI

Client to NSM

YesNoYesHeartbeat between peers in anHA

cluster

YesYesYesConnections from managed IDP

devices to NSM

YesYesYesConnections from devices running Junos, Secure Access devices, or Infranet Controller devices

NoYesYesSSH connection to new managed device

YesNoYesTelnet connection to new managed device

123

For more information on ports, refer to the Network and Security Manager Installation Guide.

Installing the NSMXpress Hardware

Follow these steps to unpack the NSMXpress appliance and connect it to your network.

NoNoYesDNS lookups53

YesYesNoSystem Security Updates from Juniper Networks

YesNoYesShared Disk portmap lookup111

YesYesYesNetworkTime Protocol (NTP) time synchronization

YesNoYesShared Disk NFS connection2049

NSMXpress and NSM3000 User Guide

To install NSMXpress:

1. Place the shipping container on a flat surface and remove the hardware components

with care.

2. Remove the NSMXpress device from the shipping container and place it on a flat

surface.

3. Mount NSMXpress in your server rack using the attached mounting brackets.

4. Plug the power cord into the AC receptacle on the rear panel.

If your NSMXpress contains two power supplies, plug a power cord into each AC receptacle.

5. Plug the other end of the power cord into a wall socket.

If yourNSMXpress containstwo power supplies, plug each power cord intoa separate power circuit to ensure that the NSMXpress continues to receive power if one of the power circuits fails.

6. Plug the Ethernet cable into the port marked ETH0 on the front panel. See Figure 3

on page 8.

Figure 1: Front Panel of NSMXpress

7. Plug the null modem serial cable into the console port. See Figure 3 on page 8.

This cable was shipped with your NSMXpress. If you do not have this cable, use any other null modem serial cable.

8. Push the power button in the upper left corner of the front panel.

The green LED below the power button turns on. The NSMXpress hard disk LED turns on whenever the appliance reads data from or writes data toan NSMXpresshard disk.

The internal port uses two LEDs to indicate the LAN connection status, which is described in Table 6 on page 6.

Hardware installation is now complete. The next step is to set up the software, as described in “Initial Setup Configuration” on page 8.

Table 6 on page 6 provides LED information for the Ethernet ports.

Table 6: Ethernet Port LEDs

LED2LED 1LAN Status

OffOff10 Mbps connection

Table 6: Ethernet Port LEDs (continued)

g040042

Power supply

AC Power supply receptacle

AC Power Blank power

supply tray

switch

Fan 0 Fan 1

Installing the NSM3000 Hardware

Follow these steps to unpack the NSM3000 appliance and connect it to your network.

To install NSM3000:

1. Place the shipping container on a flat surface and remove the hardware components

with care.

Chapter 1: Getting Started

LED2LED 1LAN Status

OffGreen100 Mbps connection

OffOrange1000 Mbps connection

BlinkingOrange, Green, or OffData is being transferred

OffOffNo connection

2. Remove the NSM appliance from the shipping container and place it on a flatsurface.

3. Mount the NSM appliance in your server rack using the attached mounting brackets.

4. Plug the power cord into the AC receptacle on the rear panel.

Figure 2: Rear Panel of NSM3000

If your NSM appliance contains two power supplies, plug a power cord into each AC receptacle.

5. Plug the other end of the power cord into a wall socket.

If your NSM appliance contains two power supplies, plug each power cord into a separate power circuit to ensure that the NSM appliance continues to receive power if one of the power circuits fails.

6. Plug the Ethernet cable into the port marked ETH0 on the front panel.

CONSOLE ETH3 ETH2 ETH1 ETH0

g040041

Power LED

Hardware LED

Hard disk LED

Console port

Ethernet ports

USB port

Hard disk

Activity LED

Hard disk

Failure LED

NSMXpress and NSM3000 User Guide

Figure 3: Front Panel of NSM3000

7. Plug the null modem serial cable into the console port.

This cable was shipped with your NSM3000. If you do not have this cable, use any other null modem serial cable.

8. Push the power button in the upper left corner of the front panel.

The green LED below the power button turns on. The NSM3000 hard disk LED turns on whenever the appliance reads data from or writes data to an NSM3000 hard disk.

The internal port uses twoLEDs to indicate theLAN connectionstatus, which is described in Table 6 on page 6.

Table 6 on page 6 provides LED information for the Ethernet ports.

Initial Setup Configuration

When you first turn on an unconfigured NSM appliance, you need to enter basic network and machine information through the serial console to make your appliance accessible to the network. After entering these settings, you can continue configuring the appliance using the CLI or the Web interface. You are not prompted for the initial setup information again.

This section describes the requiredserial console setupand the tasks you need to perform when connecting to your NSM appliance for the first time:

•

Boot the NSM Appliance on page 8

•

Set Up Your Appliance on page 9

Boot the NSM Appliance

To configure the NSM appliance for the first time, you must attach your NSM appliance to a console terminal running an emulation utility such as HyperTerminal.

1. Configure a console terminal or terminal emulation utility to use the following serial

connection parameters:

•

9600 bits per second

•

8-bit no parity (8N1)

Chapter 1: Getting Started

•

1 stop bit

•

No flow control

2. Connect the terminal or laptop to the null modem serial cable plugged into the NSM

appliance console port.

3. Turn on the NSM appliance.

When the NSM appliance is powered on, the serial console displays diagnostic information before proceeding to the boot countdown. When complete, the serial console displays the login prompt terminal emulator.

NSMXpress.juniper.net login:

4. Enter admin as your default login name.

5. Enter abc123 as your default password.

6. Change your default password when prompted. Enter the default password first,

followed by your new password. All passwords are case-sensitive.

Set Up Your Appliance

This section provides the minimuminformation necessary tomake your appliance active on the network.

To set up your appliance either as a regional server or a central manager, follow these steps:

1. Enter the IP address for interface eth0 and press Enter.

2. Enter the subnet mask for interface eth0 and press Enter.

3. Enter the default route or default gateway address for interface eth0 and press Enter.

Your NSMXpress is now active on the network. To configure your system via a web browser, connect to: https://10.150.43.205/administration

To configure your system via command line, type: nsm_setup

For operation of NSM server, switch to user “nsm”. Please consult NSM product documentation for details.

[admin@NSMXpress ~]$

NSMXpress and NSM3000 User Guide

To complete the setup process using the CLI, go to “CLI Configuration” on page 10. To complete the setup process usingthe Webinterface, go to “Web Interface Configuration” on page 11.

CLI Configuration

To finish initial setup from the CLI, use the following steps. If you are logged in, enter nsm_setup at the command prompt.

If you are not logged on, follow these steps:

1. Enter your admin username, and then press Enter.

2. Enter your password and then press Enter.

Juniper NSMXpress OS build 2.105498 NSM 2010.4Kernel 2.6.9–55.0.2.ELsmp on an i686

NSMXpress.Juniper.net login: admin Password: Last login: Tue May 27 17:20:25 on ttyS0 Run NSMXpress system setup? [y/N]

3. Enter y to run the system setup program from the CLI.

NOTE: These values are not case-sensitive. However, the uppercase N

indicates it is the default value. Any keystroke, including Enter but not y or Y, accepts the default value.

4. Go to “Installing and Configuring NSM from the CLI” on page 13 for information about

how to install and configure NSM on your NSM appliance from the CLI.

NSM Appliance Users

An NSM appliance has three user levels. All users log in as the “admin” user. To use the command line to administer NSM, change tothe “nsm”user. For advancedadministration, change to the “root” user.

The following users are available to manage an appliance.

•

“admin” user—Logs into the NSM appliance setup program and changesto “nsm” user or “root” user from the command line.

•

“nsm” user—Administers NSM services. To change to the “nsm” user from the “admin” user, go to the $ prompt, enter sudo su - nsm for the $ nsm prompt, then enter the “admin” password you set when logging into the NSM appliance. To return to the “admin” user, enter exit at the $ prompt.

•

“root” user—Administers advanced system settings. To change to “root” user from the “admin” user, go to the $ prompt, enter sudosu - root for the # root prompt, then enter the “admin” password you set when logging into the NSM appliance. To return to the “admin” user, enter exit from the # prompt.

+ 70 hidden pages