This document contains examples for configuring Juniper NetScreen devices.
NetScreen Concepts & Examples
ScreenOS Reference Guide
Volume 2: Fundamentals
ScreenOS 5.1.0
P/N 093-1367-000
Rev. B
Copyright Notice
Copyright © 2004 Juniper Networks, Inc. All rights reserved.
Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.
Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from: Juniper Networks, Inc., ATTN: General Counsel, 1194 N. Mathilda Ave., Sunnyvale, CA 94089-1206

FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Juniper Networks NetScreen Concepts & Examples – Volume 2: Fundamentals

Contents

Preface ..... vii
    Conventions ..... viii
        CLI Conventions ..... viii
        WebUI Conventions ..... ix
        Illustration Conventions ..... xi
        Naming Conventions and Character Types ..... xii
    Juniper Networks NetScreen Documentation ..... xiii

Chapter 1 ScreenOS Architecture ..... 1
    Security Zones ..... 2
    Security Zone Interfaces ..... 3
        Physical Interfaces ..... 3
        Subinterfaces ..... 4
    Virtual Routers ..... 5
    Policies ..... 6
    VPNs ..... 9
    Virtual Systems ..... 11
    Packet Flow Sequence ..... 12
        Example (Part 1): Enterprise with Six Zones ..... 15
        Example (Part 2): Interfaces for Six Zones ..... 17
        Example (Part 3): Two Routing Domains ..... 21
        Example (Part 4): Policies ..... 23

Chapter 2 Zones ..... 29
    Security Zones ..... 32
        Global Zone ..... 32
        SCREEN Options ..... 32
    Tunnel Zones ..... 33
        Example: Binding a Tunnel Interface to a Tunnel Zone ..... 34
    Configuring Security Zones and Tunnel Zones ..... 35
        Creating a Zone ..... 35
        Modifying a Zone ..... 36
        Deleting a Zone ..... 37
    Function Zones ..... 38
        Null Zone ..... 38
        MGT Zone ..... 38
        HA Zone ..... 38
        Self Zone ..... 38
        VLAN Zone ..... 38
    Port Modes ..... 39
        Setting Port Modes ..... 45
            Example: Home-Work Port Mode ..... 46
        Zones in Home-Work and Combined Port Modes ..... 47
            Example: Home-Work Zones ..... 49

Chapter 3 Interfaces ..... 51
    Interface Types ..... 53
        Security Zone Interfaces ..... 53
            Physical ..... 53
            Subinterface ..... 53
            Aggregate Interface ..... 54
            Redundant Interface ..... 54
            Virtual Security Interface ..... 54
        Function Zone Interfaces ..... 55
            Management Interface ..... 55
            HA Interface ..... 55
        Tunnel Interfaces ..... 56
            Deleting Tunnel Interfaces ..... 59
            Example: Deleting a Tunnel Interface ..... 59
    Viewing Interfaces ..... 61
        Interface Table ..... 61
    Configuring Security Zone Interfaces ..... 63
        Binding an Interface to a Security Zone ..... 63
            Example: Binding an Interface ..... 63
        Addressing a L3 Security Zone Interface ..... 64
            Public IP Addresses ..... 64
            Private IP Addresses ..... 65
            Example: Addressing an Interface ..... 66
        Unbinding an Interface from a Security Zone ..... 67
            Example: Unbinding an Interface ..... 67
        Modifying Interfaces ..... 68
            Example: Modifying Interface Settings ..... 69
        Creating Subinterfaces ..... 70
            Example: Subinterface in the Root System ..... 70
        Deleting Subinterfaces ..... 71
            Example: Deleting a Security Zone Interface ..... 71
    Secondary IP Addresses ..... 72
        Secondary IP Address Properties ..... 72
            Example: Creating a Secondary IP Address ..... 73
    Loopback Interfaces ..... 74
        Example: Creating a Loopback Interface ..... 74
        Using Loopback Interfaces ..... 75
            Example: Loopback Interface for Management ..... 75
            Example: BGP on a Loopback Interface ..... 76
            Example: VSIs on a Loopback Interface ..... 76
            Example: Loopback Interface as a Source Interface ..... 77
    Interface State Changes ..... 78
        Physical Connection Monitoring ..... 80
        Tracking IP Addresses ..... 80
            Configuring IP Tracking ..... 81
            Example: Configuring Interface IP Tracking ..... 83
        Interface Monitoring ..... 87
            Example: Two Monitored Interfaces ..... 89
            Example: Interface Monitoring Loop ..... 90
        Security Zone Monitoring ..... 94
        Down Interfaces and Traffic Flow ..... 95
            Failure on the Egress Interface ..... 96
            Failure on the Ingress Interface ..... 99

Chapter 4 Interface Modes ..... 103
    Transparent Mode ..... 104
        Zone Settings ..... 105
            VLAN Zone ..... 105
            Predefined Layer 2 Zones ..... 105
        Traffic Forwarding ..... 106
        Unknown Unicast Options ..... 107
            Flood Method ..... 108
            ARP/Trace-Route Method ..... 110
            Example: VLAN1 Interface for Management ..... 114
            Example: Transparent Mode ..... 117
    NAT Mode ..... 122
        Inbound and Outbound NAT Traffic ..... 124
        Interface Settings ..... 125
            Example: NAT Mode ..... 126
    Route Mode ..... 130
        Interface Settings ..... 131
            Example: Route Mode ..... 132

Chapter 5 Building Blocks for Policies ..... 137
    Addresses ..... 139
        Address Entries ..... 140
            Example: Adding Addresses ..... 140
            Example: Modifying Addresses ..... 141
            Example: Deleting Addresses ..... 142
        Address Groups ..... 142
            Example: Creating an Address Group ..... 144
            Example: Editing an Address Group Entry ..... 145
            Example: Removing a Member and a Group ..... 146
    Services ..... 147
        Predefined Services ..... 147
        Custom Services ..... 149
            Example: Adding a Custom Service ..... 149
            Example: Modifying a Custom Service ..... 151
            Example: Removing a Custom Service ..... 151
        Service Timeouts ..... 152
            Example: Setting a Service Timeout ..... 153
        ICMP Services ..... 154
            Example: Defining an ICMP Service ..... 155
        RSH ALG ..... 156
        Sun Remote Procedure Call Application Layer Gateway ..... 156
            Typical RPC Call Scenarios ..... 156
            Sun RPC Services ..... 157
            Example: Sun RPC Services ..... 158
        Microsoft Remote Procedure Call Application Layer Gateway ..... 159
            MS RPC Services ..... 160
            MS RPC Service Groups ..... 163
            Example: Services for MS RPC ..... 163
        Real Time Streaming Protocol Application Layer Gateway ..... 165
            RTSP Request Methods ..... 167
            RTSP Status Codes ..... 169
            Example: Media Server in Private Domain ..... 171
            Example: Media Server in Public Domain ..... 174
        H.323 Protocol for Voice-over-IP ..... 177
            Example: Gatekeeper in the Trust Zone (Transparent or Route Mode) ..... 177
            Example: Gatekeeper in the Untrust Zone (Transparent or Route Mode) ..... 179
            Example: Outgoing Calls with NAT ..... 182
            Example: Incoming Calls with NAT ..... 187
            Example: Gatekeeper in the Untrust Zone with NAT ..... 191
        Session Initiation Protocol (SIP) ..... 196
            SIP Request Methods ..... 197
            Classes of SIP Responses ..... 199
            ALG – Application-Layer Gateway ..... 200
            SDP ..... 201
            Pinhole Creation ..... 202
            Session Inactivity Timeout ..... 205
            SIP Attack Protection ..... 206
            Example: SIP Protect Deny ..... 206
            Example: Signaling and Media Inactivity Timeouts ..... 207
            Example: UDP Flooding Protection ..... 207
            Example: SIP Connection Maximum ..... 208
        SIP with Network Address Translation ..... 209
            Outgoing Calls ..... 210
            Incoming Calls ..... 210
            Forwarded Calls ..... 211
            Call Termination ..... 211
            Call Re-INVITE Messages ..... 211
            Call Session Timers ..... 211
            Call Cancellation ..... 212
            Forking ..... 212
            SIP Messages ..... 212
            SIP Headers ..... 213
            SIP Body ..... 216
            SIP NAT Scenario ..... 216
            Incoming SIP Call Support Using the SIP Registrar ..... 219
            Example: Incoming Call (Interface DIP) ..... 221
            Example: Incoming Call (DIP Pool) ..... 225
            Example: Incoming Call with MIP ..... 229
            Example: Proxy in the Private Zone ..... 232
            Example: Proxy in the Public Zone ..... 236
            Example: Three-Zone, Proxy in the DMZ ..... 240
            Example: Untrust Intrazone ..... 246
            Example: Trust Intrazone ..... 252
            Example: Full-Mesh VPN for SIP ..... 256
        Bandwidth Management for VoIP Services ..... 264
        Service Groups ..... 266
            Example: Creating a Service Group ..... 267
            Example: Modifying a Service Group ..... 268
            Example: Removing a Service Group ..... 269
    DIP Pools ..... 270
        Port Address Translation ..... 271
            Example: Creating a DIP Pool with PAT ..... 271
            Example: Modifying a DIP Pool ..... 273
        Sticky DIP Addresses ..... 273
        Extended Interface and DIP ..... 274
            Example: Using DIP in a Different Subnet ..... 274
        Loopback Interface and DIP ..... 282
            Example: DIP on a Loopback Interface ..... 283
        DIP Groups ..... 288
            Example: DIP Group ..... 290
    Schedules ..... 292
        Example: Recurring Schedule ..... 292

Chapter 6 Policies ..... 297
    Basic Elements ..... 299
    Three Types of Policies ..... 300
        Interzone Policies ..... 300
        Intrazone Policies ..... 301
        Global Policies ..... 301
    Policy Set Lists ..... 302
    Policies Defined ..... 303
        Policies and Rules ..... 303
        Anatomy of a Policy ..... 305
            ID ..... 306
            Zones ..... 306
            Addresses ..... 306
            Services ..... 306
            Action ..... 307
            Application ..... 308
            Name ..... 308
            VPN Tunneling ..... 308
            L2TP Tunneling ..... 309
            Deep Inspection ..... 309
            Placement at the Top of the Policy List ..... 310
            Source Address Translation ..... 310
            Destination Address Translation ..... 310
            User Authentication ..... 311
            HA Session Backup ..... 313
            URL Filtering ..... 313
            Logging ..... 314
            Counting ..... 314
            Traffic Alarm Threshold ..... 314
            Schedules ..... 314
            Antivirus Scanning ..... 315
            Traffic Shaping ..... 315
    Policies Applied ..... 317
        Viewing Policies ..... 317
            Policy Icons ..... 317
        Creating Policies ..... 319
            Policy Location ..... 319
            Example: Interzone Policies Mail Service ..... 320
            Example: Interzone Policy Set ..... 325
            Example: Intrazone Policies ..... 332
            Example: Global Policy ..... 335
        Entering a Policy Context ..... 336
        Multiple Items per Policy Component ..... 337
        Address Negation ..... 338
            Example: Destination Address Negation ..... 338
        Modifying and Disabling Policies ..... 342
        Policy Verification ..... 343
        Reordering Policies ..... 344
        Removing a Policy ..... 345

Chapter 7 Traffic Shaping ..... 347
    Applying Traffic Shaping ..... 348
        Managing Bandwidth at the Policy Level ..... 348
            Example: Traffic Shaping ..... 349
        Setting Service Priorities ..... 355
            Example: Priority Queuing ..... 356

Chapter 8 System Parameters ..... 363
    Domain Name System Support ..... 365
        DNS Lookup ..... 366
        DNS Status Table ..... 367
            Example: DNS Server and Refresh Schedule ..... 368
            Example: Setting a DNS Refresh Interval ..... 369
        Dynamic DNS ..... 370
            Example: DDNS Setup for dyndns Server ..... 371
            Example: DDNS Setup for ddo Server ..... 372
        Proxy DNS Address Splitting ..... 373
            Example: Splitting DNS Requests ..... 374
    DHCP ..... 376
        DHCP Server ..... 378
            Example: NetScreen Device as DHCP Server ..... 378
            DHCP Server Options ..... 384
            Example: Custom DHCP Server Options ..... 385
            DHCP Server in an NSRP Cluster ..... 385
            DHCP Server Detection ..... 386
            Example: Turning On DHCP Server Detection ..... 387
            Example: Turning Off DHCP Server Detection ..... 387
        DHCP Relay Agent ..... 388
            Example: NetScreen Device as DHCP Relay Agent ..... 389
        DHCP Client ..... 394
            Example: NetScreen Device as DHCP Client ..... 394
        TCP/IP Settings Propagation ..... 396
            Example: Forwarding TCP/IP Settings ..... 397
    PPPoE ..... 399
        Example: Setting Up PPPoE ..... 399
        Example: Configuring PPPoE on Primary and Backup Untrust Interfaces ..... 404
        Multiple PPPoE Sessions over a Single Interface ..... 405
            Untagged Interfaces ..... 406
            Example: Multiple PPPoE Instances ..... 407
        PPPoE and High Availability ..... 410
    Upgrading and Downgrading Firmware ..... 411
        Requirements to Upgrade and Downgrade Device Firmware ..... 412
        NetScreen-Security Manager Server Connection ..... 413
        Downloading New Firmware ..... 413
            Uploading New Firmware ..... 416
            Using the Boot/OS Loader ..... 418
        Upgrading NetScreen Devices in an NSRP Configuration ..... 420
            Upgrading Devices in an NSRP Active/Passive Configuration ..... 420
            Upgrading Devices in an NSRP Active/Active Configuration ..... 425
        Authenticating Firmware and DI Files ..... 431
            Obtaining the Authentication Certificate ..... 431
            Loading the Authentication Certificate ..... 432
            Authenticating ScreenOS Firmware ..... 433
            Authenticating a DI Attack Object Database File ..... 434
    Downloading and Uploading Configurations ..... 435
        Saving and Importing Configurations ..... 435
        Configuration Rollback ..... 437
            Last-Known-Good Configuration ..... 437
            Automatic and Manual Configuration Rollback ..... 438
            Loading a New Configuration File ..... 439
        Locking the Configuration File ..... 440
            Adding Comments to a Configuration File ..... 441
    Setting NetScreen-Security Manager Bulk-CLI ..... 443
    License Keys ..... 444
        Example: Expanding User Capacity ..... 445
        Registration and Activation of Subscription Services ..... 446
            Temporary Service ..... 446
            AV, URL Filtering, and DI Bundled with a New Device ..... 447
            AV, URL Filtering, and DI Upgrade to an Existing Device ..... 448
            DI Upgrade Only ..... 449
    System Clock ..... 450
        Date and Time ..... 450
        Time Zone ..... 450
        NTP ..... 451
            Multiple NTP Servers ..... 451
            Maximum Time Adjustment ..... 452
            NTP and NSRP ..... 452
            Example: Configuring NTP Servers and a Maximum Time Adjustment Value ..... 453
            Secure NTP Servers ..... 454

Index ..... IX-I
Preface

Volume 2, “Fundamentals” describes the ScreenOS architecture and its elements, including examples for configuring various elements. This volume describes the following:
• A general overview of the ScreenOS architecture
• Security, tunnel, and function zones
• Various interface types, such as physical interfaces, subinterfaces, virtual security interfaces (VSIs), redundant interfaces, aggregate interfaces, and VPN tunnel interfaces
• Interface modes in which NetScreen interfaces can operate: Network Address Translation (NAT), Route, and Transparent
• Policies, which are used to control the traffic flow across an interface, and the elements that are used to create policies and virtual private networks, such as addresses, users, and services
• Traffic management concepts
• System parameters for the following functions:
– Domain Name System (DNS) addressing
– Dynamic Host Configuration Protocol (DHCP) for assigning or relaying TCP/IP settings
– URL filtering
– Uploading and downloading of configuration settings and software to and from a NetScreen device
– License keys to expand the capabilities of a NetScreen device
– System clock configuration
CONVENTIONS

This document contains several types of conventions, which are introduced in the following sections:
• “CLI Conventions”
• “WebUI Conventions” on page ix
• “Illustration Conventions” on page xi
• “Naming Conventions and Character Types” on page xii

CLI Conventions

The following conventions are used when presenting the syntax of a command line interface (CLI) command:
• Anything inside square brackets [ ] is optional.
• Anything inside braces { } is required.
• If there is more than one choice, each choice is separated by a pipe ( | ). For example,
set interface { ethernet1 | ethernet2 | ethernet3 } manage
means “set the management options for the ethernet1, ethernet2, or ethernet3 interface”.
• Variables appear in italic. For example:
set admin user name password
When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: “Use the get system command to display the serial number of a NetScreen device.”

Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.
WebUI Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links. For example, the path to the address configuration dialog box is presented as Objects > Addresses > List > New. This navigational sequence is shown below.
1. Click Objects in the menu column. The Objects menu option expands to reveal a subset of options for Objects.
2. (Applet menu) Hover the mouse over Addresses. (DHTML menu) Click Addresses. The Addresses option expands to reveal a subset of options for Addresses.
3. Click List. The address book table appears.
4. Click the New link. The new address configuration dialog box appears.
[Illustration: WebUI menu navigation, steps 1 through 4]

To perform a task with the WebUI, you must first navigate to the appropriate dialog box where you can then define objects and set parameters. The set of instructions for each task is divided into two parts: a navigational path and configuration details. For example, the following set of instructions includes the path to the address configuration dialog box and the settings for you to configure:
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust
[Illustration: the address configuration dialog box with the settings above entered]

Note: Because there are no instructions for the Comment field, leave it as it is.
Illustration Conventions
The following graphics make up the basic set of images used in illustrations throughout this book:
• Local Area Network (LAN) with a Single Subnet (example: 10.1.1.0/24)
• Internet
• Desktop Computer
• Server
• Generic Network Device (examples: NAT server, Access Concentrator)
• Laptop Computer
• Dynamic IP (DIP) Pool
• Generic NetScreen Device
• Security Zone
• Security Zone Interfaces: White = Protected Zone Interface (example: Trust Zone); Black = Outside Zone Interface (example: Untrust Zone)
• Router Icon
• Switch Icon
• Virtual Routing Domain
• VPN Tunnel
• Tunnel Interface
Naming Conventions and Character Types
ScreenOS employs the following conventions regarding the names of objects—such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones—defined in ScreenOS configurations.
• If a name string includes one or more spaces, the entire string must be enclosed within double quotes ( “ ); for example, set address trust “local LAN” 10.1.1.0/24.
• NetScreen trims any spaces leading or trailing text within a set of double quotes; for example, “ local LAN ” becomes “local LAN”.
• NetScreen treats multiple consecutive spaces as a single space.
• Name strings are case sensitive, although many CLI key words are case insensitive. For example, “local LAN” is different from “local lan”.
ScreenOS supports the following character types:
• Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.
• ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes ( “ ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.
Note: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your Web browser supports.
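The name-string rules above, modelled in Python as an added example (not Juniper's code): tokenize treats a double-quoted run as one name, normalize_name trims and collapses spaces and rejects characters outside ASCII 32 to 255 as well as the double quote, and parse_set_address is a hypothetical helper that checks a set address line against those rules. The sample lines are constructed.

```python
"""Added example (not Juniper's code): a model of the ScreenOS name-string rules.
A name containing spaces must be double-quoted; leading/trailing spaces inside the
quotes are trimmed; runs of spaces collapse to one; names are case sensitive; the
allowed characters are ASCII 32 (0x20) to 255 (0xff) except the double quote.
The `set`/`address` keywords are compared case-insensitively, as the text notes
many CLI keywords are.  Sample lines below are constructed."""


def normalize_name(raw: str) -> str:
    """Trim leading/trailing spaces and collapse runs of spaces to one space."""
    name = " ".join(part for part in raw.split(" ") if part)
    if not name:
        raise ValueError("empty name string")
    bad = [c for c in name if not (32 <= ord(c) <= 255) or c == '"']
    if bad:
        raise ValueError(f"characters not allowed in a name: {bad!r}")
    return name


def tokenize(line: str) -> list:
    """Split a CLI line on spaces; text inside double quotes is one name token."""
    tokens, buf, quoted = [], [], False
    for ch in line:
        if ch == '"':
            if quoted:                       # closing quote: emit the normalized name
                tokens.append(normalize_name("".join(buf)))
                buf = []
            elif buf:                        # opening quote right after other text
                tokens.append("".join(buf))
                buf = []
            quoted = not quoted
        elif ch == " " and not quoted:
            if buf:
                tokens.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unterminated double quote")
    if buf:
        tokens.append("".join(buf))
    return tokens


def same_name(a: str, b: str) -> bool:
    """Name strings are case sensitive: 'local LAN' and 'local lan' differ."""
    return normalize_name(a) == normalize_name(b)


def parse_set_address(line: str):
    """Hypothetical helper: parse `set address <zone> <name> <ip/netmask>` into
    (zone, name, prefix).  An unquoted multi-word name splits into extra tokens
    and is therefore rejected, which is what the quoting rule is for."""
    tokens = tokenize(line)
    keywords = [t.lower() for t in tokens[:2]]
    if keywords != ["set", "address"] or len(tokens) != 5:
        raise ValueError(f"expected 'set address <zone> <name> <ip/netmask>', got {tokens!r}")
    zone, name, prefix = tokens[2:]
    return zone, normalize_name(name), prefix
```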
JUNIPER NETWORKS NETSCREEN DOCUMENTATION
To obtain technical documentation for any Juniper Networks NetScreen product, visit www.juniper.net/techpubs/.
For technical support, open a support case using the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
techpubs-comments@juniper.net
Chapter 1
ScreenOS Architecture
The Juniper Networks NetScreen ScreenOS architecture offers great flexibility in designing the layout of your network security. On NetScreen devices with more than two interfaces, you can create numerous security zones and configure policies to regulate traffic between and within zones. You can bind one or more interfaces to each zone and enable a unique set of management and firewall attack screening options on a per-zone basis. Essentially, ScreenOS allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications.
This chapter presents an overview of ScreenOS, covering the following key components:
• “Security Zones” on page 2
• “Security Zone Interfaces” on page 3
• “Virtual Routers” on page 5
• “Policies” on page 6
• “VPNs” on page 9
• “Virtual Systems” on page 11
Furthermore, to better understand the ScreenOS mechanism for processing traffic, you can see the flow sequence for an incoming packet in “Packet Flow Sequence” on page 12.
The chapter concludes with a four-part example that illustrates a basic configuration for a NetScreen device using ScreenOS:
• “Example (Part 1): Enterprise with Six Zones” on page 15
• “Example (Part 2): Interfaces for Six Zones” on page 17
• “Example (Part 3): Two Routing Domains” on page 21
• “Example (Part 4): Policies” on page 23
SECURITY ZONES
A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies (see “Policies” on page 6)1. Security zones are logical entities to which one or more interfaces are bound. With many types of NetScreen devices, you can define multiple security zones, the exact number of which you determine based on your network needs. In addition to user-defined zones, you can also use the predefined zones: Trust, Untrust, and DMZ (for Layer 3 operation), or V1-Trust, V1-Untrust, and V1-DMZ (for Layer 2 operation)2. If you want, you can continue using just the predefined zones. You can also ignore the predefined zones and use user-defined zones exclusively3. Optionally, you can use both kinds of zones—predefined and user-defined—side by side. This flexibility for zone configuration allows you to create a network design that best suits your specific needs.
1. The one security zone that requires no network segment is the global zone. (For more information, see “Global Zone” on page 32.) Additionally, any zone without an interface bound to it nor any address book entries can also be said not to contain any network segments.
2. If you upgrade from an earlier version of ScreenOS, all your configurations for these zones remain intact.
3. You cannot delete a predefined security zone. You can, however, delete a user-defined zone. When you delete a security zone, you also automatically delete all addresses configured for that zone.
[Illustration: A network configured with 5 security zones—3 default zones (Trust, Untrust, DMZ), and 2 user-defined zones (Finance, Eng)—connected through the policy engine. Traffic (indicated by black lines) passes from one security zone to another only if a policy permits it.]
SECURITY ZONE INTERFACES
An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.
Through the policies you define, you can permit traffic between zones to flow in one direction or in both4. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.
To permit traffic to flow from zone to zone, you bind an interface to the zone and—for an interface in Route or NAT mode (see Chapter 4, “Interface Modes”)—assign an IP address to the interface. Two common interface types are physical interfaces and—for those devices with virtual system support—subinterfaces (that is, a layer 2 substantiation of a physical interface). For more information, see Chapter 3, “Interfaces”.
Physical Interfaces
A physical interface relates to components that are physically present on the NetScreen device. The interface naming convention differs from device to device. On the NetScreen-500, for example, a physical interface is identified by the position of an interface module and an ethernet port on that module. For example, the interface ethernet1/2 designates the interface module in the first bay (ethernet1/2) and the second port (ethernet1/2).
4. For traffic to flow between interfaces bound to the same zone, no policy is required because both interfaces have security equivalency. ScreenOS requires policies for traffic between zones, not within a zone.
Note: To see the naming convention for a specific NetScreen device, refer to the User’s Guide for that device.
[Illustration: Physical Interface Assignments: 1/1, 1/2, 3/1, 3/2 in the upper row; 2/1, 2/2, 4/1, 4/2 in the lower row.]
Subinterfaces
On devices that support virtual LANs (VLANs), you can logically divide a physical interface into several virtual subinterfaces, each of which borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to a physical interface and is distinguished by 802.1Q VLAN tagging5. The NetScreen device directs traffic to and from a zone with a subinterface via its IP address and VLAN tag. For convenience, administrators usually use the same number for a VLAN tag as the subinterface number. For example, the interface ethernet1/2 using VLAN tag 3 is named ethernet1/2.3. This refers to the interface module in the first bay, the second port on that module, and subinterface number 3 (ethernet1/2.3).
Note that although a subinterface shares part of its identity with a physical interface, the zone to which you bind it is not dependent on the zone to which you bind the physical interface. You can bind the subinterface ethernet1/2.3 to a different zone than that to which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2. Similarly, there are no restrictions in terms of IP address assignments. The term subinterface does not imply that its address be in a subnet of the address space of the physical interface.
5. 802.1Q is an IEEE standard that defines the mechanisms for the implementation of virtual bridged LANs and the ethernet frame formats used to indicate VLAN membership via VLAN tagging.
[Illustration: Subinterface Assignments on physical interfaces 1/1, 1/2, 3/1, 3/2 and 2/1, 2/2, 4/1, 4/2: 1/1.1, 1/1.2; 1/2.1, 1/2.2; 2/1.1, 2/1.2; 2/2.1, 2/2.2; 3/1.1, 3/1.2, 3/1.3; 3/2.1, 3/2.2, 3/2.3; 4/1.1, 4/1.2; 4/2.1, 4/2.2.]
VIRTUAL ROUTERS
A virtual router (VR) functions as a router. It has its own interfaces and its own unicast and multicast routing tables. In ScreenOS, a NetScreen device supports two predefined virtual routers. This allows the NetScreen device to maintain two separate unicast and multicast routing tables and to conceal the routing information in one virtual router from the other. For example, the untrust-vr is typically used for communication with untrusted parties and does not contain any routing information for the protected zones. Routing information for the protected zones is maintained by the trust-vr. Thus, no internal network information can be gleaned by the surreptitious extraction of routes from the untrust-vr.
When there are two virtual routers on a NetScreen device, traffic is not automatically forwarded between zones that reside in different VRs, even if there are policies that permit the traffic. If you want traffic to pass between virtual routers, you need to either export routes between the VRs or configure a static route in one VR that defines the other VR as the next-hop. For more information about using two virtual routers, see Volume 6 “Routing”.
[Illustration: The Finance, Trust, and Eng zones in the trust-vr routing domain; the Untrust and DMZ zones in the untrust-vr routing domain; route forwarding between the two virtual routers. Note: The castle icon represents an interface for a security zone.]
POLICIES
NetScreen devices secure a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another.
By default, a NetScreen device denies all traffic in all directions6. Through the creation of policies, you can then control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create a policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled period of time.
6. Some NetScreen devices ship with a default policy that allows all outbound traffic from the Trust to the Untrust zone but denies all inbound traffic from the Untrust zone to the Trust zone.
[Illustration: Broadly defined Internet Access: Any service from any point in the Trust zone to any point in the Untrust zone at any time. Narrowly defined Internet Access: SMTP service from a mail server in the Trust zone to a mail server in the Untrust zone from 5:00 AM to 7:00 PM.]
Every time a packet attempts to pass from one zone to another or between two interfaces bound to the same zone, the NetScreen device checks its policy set lists for a policy that permits such traffic (see “Policy Set Lists” on page 302). To allow traffic to pass from one security zone to another—for example, from zone A to zone B—you must configure a policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A. For any traffic to pass from one zone to another, there must be a policy that permits it. Also, if intrazone blocking is enabled, there must be a policy to permit traffic to pass from one interface to another within that zone.
Note: For information about policies, see Chapter 6, “Policies”.
[Illustration: The policy engine between the Finance, Trust, and Eng zones (trust-vr routing domain) and the Untrust and DMZ zones (untrust-vr routing domain), with route forwarding between the virtual routers. Note: The black lines represent traffic between security zones.]
If you configure multicast routing on a NetScreen device, you might have to configure multicast policies. By default, a NetScreen device does not permit multicast control traffic between zones. Multicast control traffic consists of the messages transmitted by multicast protocols, such as Protocol Independent Multicast (PIM). Multicast policies control the flow of multicast control traffic only. To allow data traffic (both unicast and multicast) to pass between zones, you must configure firewall policies. (For information about multicast policies, see “Multicast Policies” on page 6-204.)
VPNS
ScreenOS supports several virtual private network (VPN) configuration options. The two main types are as follows:
• Route-based VPN – A route lookup determines which traffic the NetScreen device encapsulates. Policies either permit or deny traffic to the destination specified in the route. If the policy permits the traffic and the route references a tunnel interface bound to a VPN tunnel, then the NetScreen device also encapsulates it. This configuration separates the application of policies from the application of VPN tunnels. Once configured, such tunnels exist as available resources for securing traffic en route between one security zone and another.
• Policy-based VPN – A policy lookup determines which traffic the NetScreen device encapsulates when the policy references a particular VPN tunnel and specifies “tunnel” as the action.
A route-based VPN is a good choice for site-to-site VPN configurations because you can apply multiple policies to traffic passing through a single VPN tunnel. A policy-based VPN is a good choice for dialup VPN configurations because the dialup client might not have an internal IP address to which you can set a route.
The following steps provide a sense of the main elements involved in a route-based VPN configuration:
1. While configuring the VPN tunnel (for example, vpn-to-SF, where SF is the destination or end entity), specify a physical interface or subinterface on the local device as the outgoing interface. (The IP address for this interface is what the remote peer must use when configuring its remote gateway.)
2. Create a tunnel interface (for example, tunnel.1), and bind it to a security zone7.
3. Bind the tunnel interface tunnel.1 to the VPN tunnel vpn-to-SF.
4. To direct traffic through this tunnel, set up a route stating that traffic to SF must use tunnel.1.
7. You do not have to bind the tunnel interface to the same zone for which VPN traffic is destined. Traffic to any zone can access a tunnel interface if a route points to that interface.
[Illustration: A packet arrives in the source zone; the policy engine permits it; the routing table directs it to the tunnel interface tunnel.1, which is bound to the VPN tunnel vpn-to-SF; the packet is sent toward the destination zone.]
At this point, the tunnel is ready for traffic bound for SF. You can now create address book entries, such as “Trust LAN” (10.1.1.0/24) and “SF LAN” (10.2.2.0/24) and set up policies to permit or block different types of traffic from a specified source, such as “Trust LAN”, to a specified destination, such as “SF LAN”.
Note: For detailed information about VPNs, see Volume 5, “VPNs”.
[Illustration: Local Device. Trust Zone: eth3/2, 10.1.1.1/24 (trust-vr routing domain). Untrust Zone: outgoing interface eth1/2, 1.1.1.1/24, default gateway 1.1.1.250; interface tunnel.1 bound to VPN tunnel vpn-to-SF (untrust-vr routing domain). Remote site: SF LAN 10.2.2.0/24.
trust-vr routes: To Reach 10.1.1.0/24, Use eth3/2; To Reach 0.0.0.0/0, Use untrust-vr.
untrust-vr routes: To Reach 1.1.1.0/24, Use eth1/2; To Reach 10.2.2.0/24, Use tunnel.1; To Reach 0.0.0.0/0, Use 1.1.1.250.
The local NetScreen device routes traffic from the Trust zone to “SF LAN” in the Untrust zone through the tunnel.1 interface. Because tunnel.1 is bound to the VPN tunnel “vpn-to-SF”, the NetScreen device encrypts the traffic and sends it through that tunnel to the remote peer.]
VIRTUAL SYSTEMS
Some NetScreen devices support virtual systems (vsys). A virtual system is a subdivision of the main system that appears to the user to be a stand-alone entity. Virtual systems reside separately from each other and from the root system within the same NetScreen device. The application of ScreenOS to virtual systems involves the coordination of three main components: zones, interfaces, and virtual routers. The following illustration presents a conceptual overview of how ScreenOS integrates these components at both the root and vsys levels.
Note: For further information on virtual systems and the application of zones, interfaces, and virtual routers within the context of virtual systems, see Volume 9, “Virtual Systems”.
[Illustration: The root system (root sys) with the Finance, Trust, Eng, DMZ, Mail, and Untrust zones in the trust-vr and untrust-vr; virtual systems vsys1, vsys2, and vsys3, each with its own Trust zone (for example, Trust-vsys2) and virtual router (vsys1-vr, vsys2-vr, vsys3-vr); a shared interface for root and vsys1, a subinterface dedicated to vsys2, and a physical interface dedicated to vsys3. Note: The castle icon represents a security zone interface.]
PACKET FLOW SEQUENCE
In ScreenOS, the flow sequence of an incoming packet progresses as presented below.
[Illustration: Packet flow sequence for an incoming packet.
1. Incoming Interface to Source Zone (Security Zones or Tunnel Zone). If network traffic, source zone = security zone to which interface or subinterface is bound. If VPN traffic to tunnel interface bound to VPN tunnel, source zone = security zone in which tunnel interface is configured. If VPN traffic to tunnel interface in a tunnel zone, source zone = carrier zone.
2. SCREEN Filter.
3. Session Lookup. If packet does not match an existing session, perform steps 4-9. If it does match, go directly to step 9.
4. MIP/VIP to Host IP.
5. Route Lookup. Forwarding Table: 10.10.10.0/24 eth1/1; 0.0.0.0/0 untrust-vr. Destination Interface to Destination Zone. If destination zone = security zone, use that zone for policy lookup. If destination zone = tunnel zone, use its carrier zone for policy lookup.
6. Policy Lookup. Policy Set List (src, dst, service, action). Permit = Forward packet. Deny = Drop packet. Reject = Drop packet and send TCP RST to source. Tunnel = Use specified tunnel for VPN encryption.
7. NAT-Dst and/or NAT-Src.
8. Create Session. Session Table entry: id 977 vsys id 0, flag 000040/00, pid -1, did 0, time 18013 (01) 10.10.10.1/1168 -> 211.68.1.2/80, 6, 002be0c0066b, subif 0, tun 0
9. Perform Operation.]
1. The interface module identifies the incoming interface and, consequently, the source zone to which the interface is bound.
The source zone determination is based on the following criteria:
– If the packet is not encapsulated, the source zone is the security zone to which the incoming interface or subinterface is bound.
– If the packet is encapsulated and the tunnel interface is bound to a VPN tunnel, the source zone is the security zone in which the tunnel interface is configured.
– If the packet is encapsulated and the tunnel interface is in a tunnel zone, the source zone is the corresponding carrier zone (a security zone that carries a tunnel zone) for that tunnel zone.
2. If you have enabled SCREEN options for the source zone, the NetScreen device activates the SCREEN module at this point. SCREEN checking can produce one of the following three results:
– If a SCREEN mechanism detects anomalous behavior for which it is configured to block the packet, the NetScreen device drops the packet and makes an entry in the event log.
– If a SCREEN mechanism detects anomalous behavior for which it is configured to record the event but not block the packet, the NetScreen device records the event in the SCREEN counters list for the ingress interface and proceeds to the next step.
– If the SCREEN mechanisms detect no anomalous behavior, the NetScreen device proceeds to the next step.
3. The session module performs a session lookup, attempting to match the packet with an existing session.
If the packet does not match an existing session, the NetScreen device performs First Packet Processing, a procedure involving the following steps 4 through 9.
If the packet matches an existing session, the NetScreen device performs Fast Processing, using the information available from the existing session entry to process the packet. Fast Processing bypasses steps 4 through 8 because the information generated by those steps has already been obtained during the processing of the first packet in the session.
4. If a mapped IP (MIP) or virtual IP (VIP) address is used, the address-mapping module resolves the MIP or VIP so that the routing table can search for the actual host address.
5. The route table lookup finds the interface that leads to the destination address. In so doing, the interface module identifies the destination zone to which that interface is bound.
The destination zone determination is based on the following criteria:
– If the destination zone is a security zone, that zone is used for the policy lookup.
– If the destination zone is a tunnel zone, the corresponding carrier zone is used for the policy lookup.
– If the destination zone is the same as the source zone and intrazone blocking is disabled for that zone, the NetScreen device bypasses steps 6 and 7 and creates a session (step 8). If intrazone blocking is enabled, then the NetScreen device drops the packet.
6. The policy engine searches the policy set lists for a policy between the addresses in the identified source and destination zones.
The action configured in the policy determines what the NetScreen firewall does with the packet:
– If the action is permit, the NetScreen device determines to forward the packet to its destination.
– If the action is deny, the NetScreen device determines to drop the packet.
– If the action is reject, the NetScreen device determines to drop the packet and—if the protocol is TCP—to send a reset (RST) to the source IP address.
– If the action is tunnel, the NetScreen device determines to forward the packet to the VPN module, which encapsulates the packet and transmits it using the specified VPN tunnel settings.
7. If destination address translation (NAT-dst) is specified in the policy, the NAT module translates the original destination address in the IP packet header to a different address.
If source address translation is specified (either interface-based NAT or policy-based NAT-src), the NAT module translates the source address in the IP packet header before forwarding it either to its destination or to the VPN module.
(If both NAT-dst and NAT-src are specified in the same policy, the NetScreen device first performs NAT-dst and then NAT-src.)
8. The session module creates a new entry in the session table containing the results of steps 1 through 7. The NetScreen device then uses the information maintained in the session entry when processing subsequent packets of the same session.
9. The NetScreen device performs the operation specified in the session. Some typical operations are source address translation, VPN tunnel selection and encryption, decryption, and packet forwarding.
Example (Part 1): Enterprise with Six Zones
This is the first of a four-part example, the purpose of which is to illustrate some of the concepts covered in the previous sections. For the second part, in which the interfaces for each zone are set, see “Example (Part 2): Interfaces for Six Zones” on page 17. Here you configure the following six zones for an enterprise:
• Finance
• Trust
• Eng
• Mail
• Untrust
• DMZ
The Trust, Untrust, and DMZ zones are preconfigured. You must define the Finance, Eng, and Mail zones. By default, a user-defined zone is placed in the trust-vr routing domain. Thus, you do not have to specify a virtual router for the Finance and Eng zones. However, in addition to configuring the Mail zone, you must also specify that it be in the untrust-vr routing domain. You must also shift virtual router bindings for the Untrust and DMZ zones from the trust-vr to the untrust-vr8.
8. For more information on virtual routers and their routing domains, see Volume 6, “Dynamic Routing.”
[Illustration: The six zones distributed across the trust-vr and untrust-vr routing domains.]
WebUI
Network > Zones > New: Enter the following, and then click OK:
Zone Name: Finance
Virtual Router Name: trust-vr
Zone Type: Layer 3: (select)
Network > Zones > New: Enter the following, and then click OK:
Zone Name: Eng
Virtual Router Name: trust-vr
Zone Type: Layer 3: (select)
Network > Zones > New: Enter the following, and then click OK:
Zone Name: Mail
Virtual Router Name: untrust-vr
Zone Type: Layer 3: (select)
Network > Zones > Edit (for Untrust): Select untrust-vr in the Virtual Router Name drop-down list, and then click OK.
Network > Zones > Edit (for DMZ): Select untrust-vr in the Virtual Router Name drop-down list, and then click OK.
CLI
set zone name finance
set zone name eng
set zone name mail
set zone mail vrouter untrust-vr
set zone untrust vrouter untrust-vr
set zone dmz vrouter untrust-vr
save
Example (Part 2): Interfaces for Six Zones
This is the second part of an ongoing example. For the first part, in which zones are configured, see “Example (Part 1): Enterprise with Six Zones” on page 15. For the next part, in which virtual routers are configured, see “Example (Part 3): Two Routing Domains” on page 21. This part of the example demonstrates how to bind interfaces to zones and configure them with an IP address and various management options.
[Illustration: Finance 10.1.2.1/24, VLAN tag 1, eth3/2.1; Trust 10.1.1.1/24, eth3/2; Eng 10.1.3.1/24, eth3/1; DMZ 1.2.2.1/24, eth2/2; Untrust 1.1.1.1/24, eth1/2; Mail 1.3.3.1/24, eth1/1 and 1.4.4.1/24, VLAN tag 2, eth1/1.2.]
WebUI
1. Interface ethernet3/2
Network > Interfaces > Edit (for ethernet3/2): Enter the following, and then click OK:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Manageable: (select)
Management Services: WebUI, Telnet, SNMP, SSH (select)
Other Services: Ping (select)
2. Interface ethernet3/2.1
Network > Interfaces > Sub-IF New: Enter the following, and then click OK:
Interface Name: ethernet3/2.1
Zone Name: Finance
Static IP: (select this option when present)
IP Address/Netmask: 10.1.2.1/24
VLAN Tag: 1
Other Services: Ping (select)
3. Interface ethernet3/1
Network > Interfaces > Edit (for ethernet3/1): Enter the following, and then click OK:
Zone Name: Eng
Static IP: (select this option when present)
IP Address/Netmask: 10.1.3.1/24
Other Services: Ping (select)
4. Interface ethernet1/1
Network > Interfaces > Edit (for ethernet1/1): Enter the following, and then click OK:
Zone Name: Mail
Static IP: (select this option when present)
IP Address/Netmask: 1.3.3.1/24
5. Interface ethernet1/1.2
Network > Interfaces > Sub-IF New: Enter the following, and then click OK:
Interface Name: ethernet1/1.2
Zone Name: Mail
Static IP: (select this option when present)
IP Address/Netmask: 1.4.4.1/24
VLAN Tag: 2
6. Interface ethernet1/2
Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
Manageable: (select)
Management Services: SNMP (select)
7. Interface ethernet2/2
Network > Interfaces > Edit (for ethernet2/2): Enter the following, and then click OK:
Zone Name: DMZ
Static IP: (select)
IP Address/Netmask: 1.2.2.1/24
CLI
1. Interface ethernet3/2
set interface ethernet3/2 zone trust
set interface ethernet3/2 ip 10.1.1.1/24
set interface ethernet3/2 manage ping
set interface ethernet3/2 manage webui
set interface ethernet3/2 manage telnet
set interface ethernet3/2 manage snmp
set interface ethernet3/2 manage ssh
2. Interface ethernet3/2.1
set interface ethernet3/2.1 tag 1 zone finance
set interface ethernet3/2.1 ip 10.1.2.1/24
set interface ethernet3/2.1 manage ping
3. Interface ethernet3/1
set interface ethernet3/1 zone eng
set interface ethernet3/1 ip 10.1.3.1/24
set interface ethernet3/1 manage ping
4. Interface ethernet1/1
set interface ethernet1/1 zone mail
set interface ethernet1/1 ip 1.3.3.1/24
5. Interface ethernet1/1.2
set interface ethernet1/1.2 tag 2 zone mail
set interface ethernet1/1.2 ip 1.4.4.1/24
6. Interface ethernet1/2
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 1.1.1.1/24
set interface ethernet1/2 manage snmp
7. Interface ethernet2/2
set interface ethernet2/2 zone dmz
set interface ethernet2/2 ip 1.2.2.1/24
save
Example (Part 3): Two Routing Domains
This is the third part of an ongoing example. For the previous part, in which interfaces for the various security zones are defined, see “Example (Part 2): Interfaces for Six Zones” on page 17. For the next part, in which the policies are set, see “Example (Part 4): Policies” on page 23. In this example, you only have to configure a route for the default gateway to the Internet. The other routes are automatically created by the NetScreen device when you create the interface IP addresses.
WebUI
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Next Hop Virtual Router Name: (select); untrust-vr
[Illustration: trust-vr routing domain: Finance 10.1.2.1/24, VLAN tag 1, eth3/2.1, NAT; Trust 10.1.1.1/24, eth3/2, NAT; Eng 10.1.3.1/24, eth3/1, NAT. untrust-vr routing domain: Untrust 1.1.1.1/24, eth1/2, Route; DMZ 1.2.2.1/24, eth2/2, Route; Mail 1.3.3.1/24, eth1/1, Route, and 1.4.4.1/24, VLAN tag 2, eth1/1.2, Route. Route forwarding between trust-vr and untrust-vr; default gateway 1.1.1.254 to the Internet.]
Chapter 1 ScreenOS Architecture Packet Flow Sequence
22
nd then click OK :
gateway 1.1.1.254
Note: These are the only user-configured entries.
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
Network > Routing > Routing Entries > untrust-vr New: Enter the following, a
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet1/2
Gateway IP Address: 1.1.1.254
CLIset vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vrset vrouter untrust-vr route 0.0.0.0/0 interface eth1/2 save
The NetScreen device automatically creates the following routes. The only user-configured entries are the two 0.0.0.0/0 default routes:

trust-vr
To Reach:     Use Interface:  Use Gateway/Vrouter:
0.0.0.0/0     n/a             untrust-vr
10.1.3.0/24   eth3/1          0.0.0.0
10.1.1.0/24   eth3/2          0.0.0.0
10.1.2.0/24   eth3/2.1        0.0.0.0

untrust-vr
To Reach:     Use Interface:  Use Gateway/Vrouter:
1.2.2.0/24    eth2/2          0.0.0.0
1.1.1.0/24    eth1/2          0.0.0.0
1.4.4.0/24    eth1/1.2        0.0.0.0
1.3.3.0/24    eth1/1          0.0.0.0
0.0.0.0/0     eth1/2          1.1.1.254
Example (Part 4): Policies
This is the last part of an ongoing example. The previous part is "Example (Part 3): Two Routing Domains" on page 21. This part of the example demonstrates how to configure new policies.
For the purpose of this example, before you begin configuring new policies, you need to create new service groups.
Note: When you create a zone, the NetScreen device automatically creates the address Any for all hosts within that zone. This example makes use of the address Any for the hosts.

Figure: Policy engine. Traffic between the zones (Finance, Trust, Eng, DMZ, Untrust, and Mail) passes through route forwarding and then through the policy engine.
WebUI
1. Service Groups
Objects > Services > Groups > New: Enter the following, and then click OK:
Group Name: Mail-Pop3
Select Mail and use the << button to move that service from the Available Members column to the Group Members column.
Select Pop3 and use the << button to move that service from the Available Members column to the Group Members column.
Objects > Services > Groups > New: Enter the following, and then click OK:
Group Name: HTTP-FTPGet
Select HTTP and use the << button to move that service from the Available Members column to the Group Members column.
Select FTP-Get and use the << button to move that service from the Available Members column to the Group Members column.
2. Policies
Policies > (From: Finance, To: Mail) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: Mail-Pop3
Action: Permit
Policies > (From: Trust, To: Mail) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: Mail-Pop3
Action: Permit
Policies > (From: Eng, To: Mail) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: Mail-Pop3
Action: Permit
Policies > (From: Untrust, To: Mail) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: Mail
Action: Permit
Policies > (From: Finance, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
Policies > (From: Finance, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
Policies > (From: Eng, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
Policies > (From: Eng, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: FTP-Put
Action: Permit
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: HTTP-FTPGet
Action: Permit
CLI
1. Service Groups
set group service mail-pop3 add mail
set group service mail-pop3 add pop3
set group service http-ftpget add http
set group service http-ftpget add ftp-get
2. Policies
set policy from finance to mail any any mail-pop3 permit
set policy from trust to mail any any mail-pop3 permit
set policy from eng to mail any any mail-pop3 permit
set policy from untrust to mail any any mail permit
set policy from finance to untrust any any http-ftpget permit
set policy from finance to dmz any any http-ftpget permit
set policy from trust to untrust any any http-ftpget permit
set policy from trust to dmz any any http-ftpget permit
set policy from eng to untrust any any http-ftpget permit
set policy from eng to dmz any any http-ftpget permit
set policy from eng to dmz any any ftp-put permit
set policy from untrust to dmz any any http-ftpget permit
save
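The whole Part 2 to Part 4 example, walked as a packet-flow lookup in an added Python model (this is not ScreenOS code and is not part of the manual): the ingress interface gives the source zone, a longest-prefix route lookup that follows the trust-vr default route into untrust-vr gives the egress interface and therefore the destination zone, and the first matching policy for that zone pair decides the action, with service groups expanded and an inter-zone default of deny. The interface-to-zone bindings, routes, service groups and policies are the ones set in Parts 2 to 4; which virtual router owns each zone is read off the two route tables in Part 3. Three simplifications are assumptions of the model: services are matched by name only (on a real device the FTP-Get/FTP-Put distinction is made by the FTP ALG), NAT and session lookup are not modeled, and intra-zone traffic is treated as permitted because intra-zone blocking has not been enabled on any of these zones.

```python
"""Packet-flow model of the Part 2-4 example: ingress interface -> source zone,
route lookup across the two virtual routers -> egress interface/destination zone,
then first-match policy lookup for that zone pair."""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Interface -> zone bindings from Part 2. Which virtual router owns a zone is
# read from the Part 3 route tables (10.1.x.0/24 in trust-vr, 1.x.x.0/24 in untrust-vr).
INTERFACE_ZONE = {
    "ethernet3/2": "trust", "ethernet3/2.1": "finance", "ethernet3/1": "eng",
    "ethernet1/1": "mail", "ethernet1/1.2": "mail",
    "ethernet1/2": "untrust", "ethernet2/2": "dmz",
}
ZONE_VROUTER = {
    "trust": "trust-vr", "finance": "trust-vr", "eng": "trust-vr",
    "mail": "untrust-vr", "untrust": "untrust-vr", "dmz": "untrust-vr",
}

# A route either exits an interface (optionally via a gateway) or hands the
# lookup to another virtual router; gateway None means directly connected.
Route = namedtuple("Route", "prefix interface gateway vrouter", defaults=(None, None, None))
# Route tables after Part 3: connected routes plus the two manual default routes.
ROUTES = {
    "trust-vr": [
        Route("0.0.0.0/0", vrouter="untrust-vr"),
        Route("10.1.3.0/24", interface="ethernet3/1"),
        Route("10.1.1.0/24", interface="ethernet3/2"),
        Route("10.1.2.0/24", interface="ethernet3/2.1"),
    ],
    "untrust-vr": [
        Route("1.2.2.0/24", interface="ethernet2/2"),
        Route("1.1.1.0/24", interface="ethernet1/2"),
        Route("1.4.4.0/24", interface="ethernet1/1.2"),
        Route("1.3.3.0/24", interface="ethernet1/1"),
        Route("0.0.0.0/0", interface="ethernet1/2", gateway="1.1.1.254"),
    ],
}

# Service groups and policies exactly as set in Part 4, in configuration order.
SERVICE_GROUPS = {"mail-pop3": {"mail", "pop3"}, "http-ftpget": {"http", "ftp-get"}}
POLICIES = [  # (from_zone, to_zone, src, dst, service, action)
    ("finance", "mail", "any", "any", "mail-pop3", "permit"),
    ("trust", "mail", "any", "any", "mail-pop3", "permit"),
    ("eng", "mail", "any", "any", "mail-pop3", "permit"),
    ("untrust", "mail", "any", "any", "mail", "permit"),
    ("finance", "untrust", "any", "any", "http-ftpget", "permit"),
    ("finance", "dmz", "any", "any", "http-ftpget", "permit"),
    ("trust", "untrust", "any", "any", "http-ftpget", "permit"),
    ("trust", "dmz", "any", "any", "http-ftpget", "permit"),
    ("eng", "untrust", "any", "any", "http-ftpget", "permit"),
    ("eng", "dmz", "any", "any", "http-ftpget", "permit"),
    ("eng", "dmz", "any", "any", "ftp-put", "permit"),
    ("untrust", "dmz", "any", "any", "http-ftpget", "permit"),
]

def lookup_route(vrouter, dst):
    """Longest-prefix match in `vrouter`; a next-hop-vrouter entry restarts the
    lookup there. Returns (vrouter, interface, gateway) or None (no route/loop)."""
    addr = ip_address(dst)
    visited = set()
    while vrouter not in visited:
        visited.add(vrouter)
        best, best_len = None, -1
        for r in ROUTES[vrouter]:
            net = ip_network(r.prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        if best is None:
            return None
        if best.vrouter:
            vrouter = best.vrouter
            continue
        return vrouter, best.interface, best.gateway
    return None

def service_matches(policy_service, service):
    if policy_service == "any":
        return True
    return service in SERVICE_GROUPS.get(policy_service, {policy_service})

def lookup_policy(from_zone, to_zone, service):
    """First matching policy for the zone pair wins; no match means deny.
    Intra-zone traffic is permitted (assumption: 'set zone ... block' not set)."""
    if from_zone == to_zone:
        return "permit"
    for f, t, _src, _dst, svc, action in POLICIES:
        if f == from_zone and t == to_zone and service_matches(svc, service):
            return action
    return "deny"

def forward(ingress_if, dst, service):
    """Walk one packet through the flow: source zone, route, destination zone, policy."""
    src_zone = INTERFACE_ZONE[ingress_if]
    hop = lookup_route(ZONE_VROUTER[src_zone], dst)
    if hop is None:
        return {"src_zone": src_zone, "action": "drop", "reason": "no route"}
    vrouter, egress_if, gateway = hop
    dst_zone = INTERFACE_ZONE[egress_if]
    return {"src_zone": src_zone, "vrouter": vrouter, "egress_if": egress_if,
            "gateway": gateway, "dst_zone": dst_zone,
            "action": lookup_policy(src_zone, dst_zone, service)}
```

Calling forward("ethernet3/2.1", "1.3.3.10", "pop3") shows the two-domain hand-off: trust-vr has no entry for 1.3.3.0/24, so its default route sends the lookup to untrust-vr, which resolves to ethernet1/1 in the Mail zone, and the Finance-to-Mail policy permits POP3. The same destination from ethernet1/2 is denied, because the only Untrust-to-Mail policy carries the Mail service alone; and ftp-put into the DMZ is permitted from Eng but denied from Trust, which is exactly the difference between the two Eng-to-DMZ policies and the single Trust-to-DMZ one.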
Chapter 2
Zones
A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). This chapter examines each type of zone, with particular emphasis given to the security zone, and is organized into the following sections:
• “Security Zones” on page 32
– “Global Zone” on page 32
– “SCREEN Options” on page 32
• “Tunnel Zones” on page 33
• “Configuring Security Zones and Tunnel Zones” on page 35
– “Creating a Zone” on page 35
– “Modifying a Zone” on page 36
– “Deleting a Zone” on page 37
• “Function Zones” on page 38
– “Null Zone” on page 38
– “MGT Zone” on page 38
– “HA Zone” on page 38
– “Self Zone” on page 38
– “VLAN Zone” on page 38
• “Port Modes” on page 39
– “Setting Port Modes” on page 45
– “Zones in Home-Work and Combined Port Modes” on page 47
When you first boot up a NetScreen device, you can see a number of preconfigured zones. In the WebUI, click Network > Zones in the menu column on the left. In the CLI, use the get zone command.
The output of the get zone command:

ns500-> get zone
Total of 13 zones in vsys root
------------------------------------------------------------------------
ID  Name         Type     Attr    VR          Default-IF   VSYS
0   Null         Null     Shared  untrust-vr  null         Root
1   Untrust      Sec(L3)  Shared  trust-vr    ethernet1/2  Root
2   Trust        Sec(L3)          trust-vr    ethernet3/2  Root
3   DMZ          Sec(L3)          trust-vr    ethernet2/2  Root
4   Self         Func             trust-vr    self         Root
5   MGT          Func             trust-vr    mgt          Root
6   HA           Func             trust-vr    ha1          Root
10  Global       Sec(L3)          trust-vr    null         Root
11  V1-Untrust   Sec(L2)          trust-vr    v1-untrust   Root
12  V1-Trust     Sec(L2)          trust-vr    v1-trust     Root
13  V1-DMZ       Sec(L2)          trust-vr    v1-dmz       Root
14  VLAN         Func             trust-vr    vlan1        Root
16  Untrust-Tun  Tun              trust-vr    null         Root
------------------------------------------------------------------------

Notes on the output:
• The root and virtual systems share the zones marked Shared.
• The security zones Untrust, Trust, and DMZ (Layer 3) and V1-Untrust, V1-Trust, and V1-DMZ (Layer 2) provide backward compatibility when upgrading from a release prior to ScreenOS 3.1.0: the upper three for devices in NAT or Route mode, the lower three for devices in Transparent mode.
• The Global zone does not and cannot have an interface (its Default-IF is null).
• By default, VPN tunnel interfaces are bound to the Untrust-Tun zone, whose carrier zone is the Untrust zone. (When upgrading, existing tunnels are bound to the Untrust-Tun zone.)
• Zone ID numbers 7-9 and 15 are reserved for future use.

The preconfigured zones shown above can be grouped into three different types:
Security Zones: Untrust, Trust, DMZ, Global, V1-Untrust, V1-Trust, V1-DMZ
Tunnel Zone: Untrust-Tun
Function Zones: Null, Self, MGT, HA, VLAN
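A small parser for this table, added here as an example (it is not part of the manual and not a Juniper tool): it reads the get zone output into records, copes with the Attr column that is blank on most rows, and groups the zones into the three types listed above. The sample input is the output shown above, reproduced as a string; the grouping rule (Sec(L3) and Sec(L2) are security zones, Tun is a tunnel zone, Func and Null are function zones) follows the text. The extra helpers report which zones are shared with virtual systems, which have no default interface, and which zone IDs are unused.

```python
"""Parse the ScreenOS `get zone` table and group the zones by type."""

# The `get zone` output shown above, embedded as the sample input.
GET_ZONE_OUTPUT = """\
ns500-> get zone
Total of 13 zones in vsys root
------------------------------------------------------------------------
ID Name Type Attr VR Default-IF VSYS
0 Null Null Shared untrust-vr null Root
1 Untrust Sec(L3) Shared trust-vr ethernet1/2 Root
2 Trust Sec(L3) trust-vr ethernet3/2 Root
3 DMZ Sec(L3) trust-vr ethernet2/2 Root
4 Self Func trust-vr self Root
5 MGT Func trust-vr mgt Root
6 HA Func trust-vr ha1 Root
10 Global Sec(L3) trust-vr null Root
11 V1-Untrust Sec(L2) trust-vr v1-untrust Root
12 V1-Trust Sec(L2) trust-vr v1-trust Root
13 V1-DMZ Sec(L2) trust-vr v1-dmz Root
14 VLAN Func trust-vr vlan1 Root
16 Untrust-Tun Tun trust-vr null Root
------------------------------------------------------------------------
"""


def parse_get_zone(text):
    """Return one dict per zone row. Rows start with the numeric zone ID;
    the Attr column is blank on most rows, so a row splits into 6 or 7 fields."""
    zones = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or not fields[0].isdigit():
            continue  # prompt, "Total of" line, header and separator lines
        if len(fields) == 7:
            zid, name, ztype, attr, vr, default_if, vsys = fields
        elif len(fields) == 6:
            zid, name, ztype, vr, default_if, vsys = fields
            attr = ""
        else:
            raise ValueError("unexpected get zone row: %r" % line)
        zones.append({"id": int(zid), "name": name, "type": ztype, "attr": attr,
                      "vr": vr, "default_if": default_if, "vsys": vsys})
    return zones


def zone_kind(ztype):
    """Map the Type column onto the three kinds the text describes."""
    if ztype.startswith("Sec("):
        return "security"
    if ztype == "Tun":
        return "tunnel"
    return "function"  # Func and Null


def group_zones(zones):
    groups = {"security": [], "tunnel": [], "function": []}
    for z in zones:
        groups[zone_kind(z["type"])].append(z["name"])
    return groups


def shared_zones(zones):
    """Zones the root system shares with virtual systems (Attr = Shared)."""
    return [z["name"] for z in zones if z["attr"] == "Shared"]


def interfaceless_zones(zones):
    """Zones whose Default-IF is null, i.e. no interface is bound to them."""
    return [z["name"] for z in zones if z["default_if"] == "null"]


def unused_ids(zones):
    """Zone IDs below the highest assigned one that are not in use."""
    used = {z["id"] for z in zones}
    return [i for i in range(max(used) + 1) if i not in used]
```

group_zones(parse_get_zone(GET_ZONE_OUTPUT)) reproduces the three lists above, shared_zones returns Null and Untrust, and unused_ids returns 7, 8, 9 and 15, the reserved IDs.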
SECURITY ZONES
On a single NetScreen device, you can configure multiple security zones, sectioning the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some NetScreen platforms, you can define many security zones, bringing finer granularity to your network security design, and without deploying multiple security appliances to do so.

Global Zone
You can identify a security zone because it has an address book and can be referenced in policies. The Global zone satisfies these criteria. However, it does not have one element that all other security zones have: an interface. The Global zone serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. The predefined Global zone address "Any" applies to all MIPs, VIPs, and other user-defined addresses set in the Global zone. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface for traffic to flow through it.
The Global zone also contains addresses for use in global policies. For information about global policies, see "Global Policies" on page 301.
Note: Any policy that uses the Global zone as its destination cannot support NAT or traffic shaping.

SCREEN Options
A NetScreen firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, and the MGT zone, you can enable a set of predefined SCREEN options that detect and block various kinds of traffic that the NetScreen device determines as potentially harmful. For more information about the many SCREEN options available, see Volume 4, "Attack Detection and Defense Mechanisms".
TUNNEL ZONES
A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is conceptually affiliated with a security zone in a "child-parent" relationship. The security zone acting as the "parent", which you can also conceive of as a carrier zone, provides the firewall protection to the encapsulated traffic. The tunnel zone provides packet encapsulation/decapsulation, and, by supporting tunnel interfaces with IP addresses and netmasks that can host mapped IP (MIP) addresses and dynamic IP (DIP) pools, can also provide policy-based NAT services.
The NetScreen device uses the routing information for the carrier zone to direct traffic to the tunnel endpoint. The default tunnel zone is Untrust-Tun, and it is associated with the Untrust zone. You can create other tunnel zones and bind them to other security zones, with a maximum of one tunnel zone per carrier zone per virtual system1.
By default, a tunnel zone is in the trust-vr routing domain, but you can also move a tunnel zone into another routing domain.
When upgrading from a version of ScreenOS earlier than 3.1.0, existing tunnel interfaces are bound by default to the preconfigured Untrust-Tun tunnel zone, which is a "child" of the preconfigured Untrust security zone. You can bind multiple tunnel zones to the same security zone; however, you cannot bind a tunnel zone to another tunnel zone.

Figure: Traffic to or from a VPN tunnel. Outbound traffic enters the tunnel zone via the tunnel interface, is encapsulated, and exits via the security zone interface. Inbound traffic enters via the security zone interface, is decapsulated in the tunnel zone, and exits via the tunnel interface. The interface of the security zone hosting the tunnel zone provides firewall protection for the encapsulated traffic. The tunnel interface, which when bound to a tunnel zone must have an IP address/netmask, supports policy-based NAT for pre-encapsulated and post-decapsulated VPN traffic.

1. The root system and all virtual systems can share the Untrust zone. However, each system has its own separate Untrust-Tun zone.
Example: Binding a Tunnel Interface to a Tunnel Zone
In this example, you create a tunnel interface and name it tunnel.3. You bind it to the Untrust-Tun zone, and assign it IP address 3.3.3.3/24. You then define a mapped IP (MIP) address on tunnel.3, translating 3.3.3.5 to 10.1.1.5, which is the address of a server in the Trust zone. Both the Untrust zone, which is the carrier zone for the Untrust-Tun zone, and the Trust zone are in the trust-vr routing domain.
WebUI
1. Tunnel Interface
Network > Interfaces > New Tunnel IF: Enter the following, and then click OK:
Tunnel Interface Name: tunnel.3
Zone (VR): Untrust-Tun (trust-vr)
Fixed IP: (select)
IP Address / Netmask: 3.3.3.3/24
2. MIP
Network > Interfaces > Edit (for tunnel.3) > MIP > New: Enter the following, and then click OK:
Mapped IP: 3.3.3.5
Netmask: 255.255.255.255
Host IP Address: 10.1.1.5
Host Virtual Router Name: trust-vr
CLI
1. Tunnel Interface
set interface tunnel.3 zone Untrust-Tun
set interface tunnel.3 ip 3.3.3.3/24
2. MIP
set interface tunnel.3 mip 3.3.3.5 host 10.1.1.5
save
CONFIGURING SECURITY ZONES AND TUNNEL ZONES
The creation, modification and deletion of Layer 3 or Layer 2 security zones and tunnel zones are quite similar.

Creating a Zone
To create a Layer 3 or Layer 2 security zone, or a tunnel zone, use either the WebUI or CLI:
WebUI
Network > Zones > New: Enter the following, and then click OK:
Zone Name: Type a name for the zone2.
Virtual Router Name: Select the virtual router in whose routing domain you want to place the zone.
Zone Type: Select Layer 3 to create a zone to which you can bind interfaces in NAT or Route mode. Select Layer 2 to create a zone to which you can bind interfaces in Transparent mode. Select Tunnel Out Zone when creating a tunnel zone and binding it to a carrier zone, and then select a specific carrier zone from the drop-down list.
Block Intra-Zone Traffic: Select this option to block traffic between hosts within the same security zone. By default, intra-zone blocking is disabled.
CLI
set zone name zone [ l2 vlan_id_num3 | tunnel sec_zone ]
set zone zone block
set zone zone vrouter name_str
Note: You cannot delete predefined security zones or the predefined tunnel zone, although you can edit them.
2. The name of a Layer 2 security zone must begin with "L2-"; for example, "L2-Corp" or "L2-XNet".
3. When creating a Layer 2 security zone, the VLAN ID number must be 1 (for VLAN1).
Modifying a Zone
To modify the name of a security zone or tunnel zone, or to change the carrier zone for a tunnel zone, you must first delete the zone4, and then create it again with the changes. You can change the intra-zone blocking option and the virtual router5 on an existing zone.
WebUI
1. Modifying the Zone Name
Network > Zones: Click Remove (for the security zone or tunnel zone whose name you want to change, or for the tunnel zone whose carrier zone you want to change).
When the prompt appears, asking for confirmation of the removal, click Yes.
Network > Zones > New: Enter the zone settings with your changes, and then click OK.
2. Changing the Intra-Zone Blocking Option or Virtual Router
Network > Zones > Edit (for the zone that you want to modify): Enter the following, and then click OK:
Virtual Router Name: From the drop-down list, select the virtual router into whose routing domain you want to move the zone.
Block Intra-Zone Traffic: To enable, select the check box. To disable, clear it.
CLI
1. Modifying the Zone Name
unset zone zone
set zone name zone [ l2 vlan_id_num | tunnel sec_zone ]
2. Changing the Intra-Zone Blocking Option or Virtual Router
{ set | unset } zone zone block
set zone zone vrouter name_str
4. Before you can remove a zone, you must first unbind all interfaces bound to it.
5. You must first remove any interfaces bound to a zone before changing its virtual router.
Deleting a Zone
To delete a security zone or tunnel zone, do either of the following6:
WebUI
Network > Zones: Click Remove (for the zone you want to delete).
When the prompt appears, asking for confirmation of the removal, click Yes.
CLI
unset zone zone
6. Before you can remove a zone, you must first unbind all interfaces bound to it. To unbind an interface from a zone, see "Binding an Interface to a Security Zone" on page 63.
FUNCTION ZONES
The five function zones are Null, MGT, HA, Self, and VLAN. Each zone exists for a single purpose, as explained below.
Null Zone
This zone serves as temporary storage for any interfaces that are not bound to any other zone.
MGT Zone
This zone hosts the out-of-band management interface, MGT. You can set firewall options on this zone to protect the management interface from different types of attacks. For more information on firewall options, see Volume 4, "Attack Detection and Defense Mechanisms".
HA Zone
This zone hosts the high availability interfaces, HA1 and HA2. Although you can set interfaces for the HA zone, the zone itself is not configurable.
Self Zone
This zone hosts the interface for remote management connections. When you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.
VLAN Zone
This zone hosts the VLAN1 interface, which you use to manage the device and terminate VPN traffic when the device is in Transparent mode. You can also set firewall options on this zone to protect the VLAN1 interface from various attacks.
PORT MODES
You can select a port mode for some NetScreen appliances. The port mode automatically sets different port, interface, and zone bindings7 for the device. On the NetScreen-5XT and NetScreen-5GT, you can configure one of the following port modes:
• Trust-Untrust mode is the default port mode. This mode provides the following port, interface, and zone bindings:
– Binds the Untrusted Ethernet port to the Untrust interface, which is bound to the Untrust security zone
– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone
– Binds the Ethernet ports 1 through 4 to the Trust interface, which is bound to the Trust security zone
Figure: Trust-Untrust mode. The Trust interface is bound to the Trust zone. The Untrust interface is the primary interface to the Untrust zone. You can bind the serial interface (shown in gray) as a backup interface to the Untrust zone.
Warning: Changing the port mode removes any existing configurations on the NetScreen device, and requires a system reset.
Note: The Initial Configuration Wizard is slightly different for the NetScreen-5GT.
7. In the port mode context, port refers to a physical interface on the back of the NetScreen device. The ports are referenced by their labels: Untrusted, 1-4, Console, or Modem. The term interface refers to a logical interface that can be configured through the WebUI or CLI. Each port can be bound to only one interface, but multiple ports can be bound to an interface.
• Home-Work mode binds interfaces to the Untrust security zone and to new Home and Work security zones. The Work and Home zones allow you to segregate users and resources in each zone. In this mode, default policies allow traffic flow and connections from the Work zone to the Home zone, but do not allow traffic from the Home zone to the Work zone. By default, there are no restrictions for traffic from the Home zone to the Untrust zone. This mode provides the following port, interface, and zone bindings:
– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Work security zone
– Binds the Ethernet ports 3 and 4 to the ethernet2 interface, which is bound to the Home security zone
– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone
– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone
See "Zones in Home-Work and Combined Port Modes" on page 47 for more information about configuring and using Home-Work mode.
Figure: Home-Work mode. ethernet1 is bound to the Work zone and ethernet2 to the Home zone. The ethernet3 interface is the primary interface to the Untrust zone. You can bind the serial interface (shown in gray) as a backup interface to the Untrust zone.
• Dual Untrust mode binds two interfaces, a primary and a backup, to the Untrust security zone. The primary interface is used to pass traffic to and from the Untrust zone, while the backup interface is used only when there is a failure on the primary interface. This mode provides the following port, interface, and zone bindings:
– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone
– Binds Ethernet port 4 to the ethernet2 interface, which is bound as a backup interface to the Untrust security zone (the ethernet3 interface is the primary interface to the Untrust security zone)
– Binds the Ethernet ports 1, 2, and 3 to the ethernet1 interface, which is bound to the Trust security zone
See Volume 10, "High Availability" for more information about configuring and using Dual Untrust mode.
Note: The serial interface is not available in Dual Untrust port mode.
Figure: Dual Untrust mode. ethernet1 is bound to the Trust zone. The ethernet3 interface is the primary interface to the Untrust zone. The ethernet2 interface (shown in gray) is a backup interface to the Untrust zone.
• Combined mode allows both primary and backup interfaces to the Internet and the segregation of users and resources in Work and Home zones.
This mode provides the following port, interface, and zone bindings:
– Binds the Untrusted Ethernet port to the ethernet4 interface, which is bound to the Untrust zone
– Binds Ethernet port 4 to the ethernet3 interface, which is bound as a backup interface to the Untrust zone (the ethernet4 interface is the primary interface to the Untrust security zone)
– Binds the Ethernet ports 3 and 2 to the ethernet2 interface, which is bound to the Home zone
– Binds Ethernet port 1 to the ethernet1 interface, which is bound to the Work zone
See Volume 10, "High Availability" and "Zones in Home-Work and Combined Port Modes" on page 47 for more information about configuring and using the Combined mode.
Note: For the NetScreen-5XT, the Combined port mode is supported only on the NetScreen-5XT Elite (unrestricted users) platform. You cannot configure the Combined mode with the Initial Configuration Wizard. This mode can only be configured using the WebUI or CLI commands.
Note: The serial interface is not available in Combined port mode.
Figure: Combined mode. ethernet1 is bound to the Work zone and ethernet2 to the Home zone. The ethernet4 interface is the primary interface to the Untrust zone. The ethernet3 interface (shown in gray) is the backup interface to the Untrust zone.
• Trust/Untrust/DMZ (Extended) mode binds interfaces to the Untrust, Trust and DMZ security zones, allowing you to segregate web, e-mail or other application servers from the internal network.
This mode provides the following port, interface, and zone bindings:
– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Trust security zone
– Binds the Ethernet ports 3 and 4 to the ethernet2 interface, which is bound to the DMZ security zone
– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone
– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone
Note: The Trust/Untrust/DMZ port mode is supported only on the NetScreen-5GT Extended platform. You cannot configure this mode with the Initial Configuration Wizard. This mode can only be configured using the WebUI or CLI commands.
Figure: Trust/Untrust/DMZ mode. ethernet1 is bound to the Trust zone and ethernet2 to the DMZ zone. The ethernet3 interface is the primary interface to the Untrust zone. You can bind the serial interface as a backup interface to the Untrust zone.
• DMZ/Dual Untrust mode binds interfaces to the Untrust, Trust, and DMZ security zones, allowing you to pass traffic simultaneously from the internal network over two Untrust interfaces.
This mode provides the following port, interface, and zone bindings:
– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Trust security zone
– Binds the Ethernet port 3 to the ethernet2 interface, which is bound to the DMZ security zone
– Binds the Ethernet port 4 to the ethernet3 interface, which is bound to the Untrust security zone
– Binds the Untrusted Ethernet port to the ethernet4 interface, which is bound to the Untrust security zone
Note: The DMZ/Dual Untrust port mode is supported only on the NetScreen-5GT Extended platform.
Note: The serial interface is not available in DMZ/Dual Untrust port mode. To enable failover, instead of passing traffic simultaneously, use the set failover enable command.
Figure: DMZ/Dual Untrust mode. ethernet1 is bound to the Trust zone and ethernet2 to the DMZ zone. The ethernet3 and ethernet4 interfaces are active simultaneously; in this diagram, the two interfaces are bound to the Untrust zone to allow for load balancing.
Setting Port Modes
The following tables summarize the port, interface, and zone bindings provided by the NetScreen ScreenOS port modes:

Port*        Trust-Untrust Mode†      Home-Work Mode           Dual Untrust Mode
             Interface   Zone         Interface   Zone         Interface   Zone
Untrusted    Untrust     Untrust      ethernet3   Untrust      ethernet3   Untrust
1            Trust       Trust        ethernet1   Work         ethernet1   Trust
2            Trust       Trust        ethernet1   Work         ethernet1   Trust
3            Trust       Trust        ethernet2   Home         ethernet1   Trust
4            Trust       Trust        ethernet2   Home         ethernet2   Untrust
Modem        serial      Null         serial      Null         N/A         N/A

Port*        Combined Mode            Trust/Untrust/DMZ Mode   DMZ/Dual Untrust Mode
             Interface   Zone         Interface   Zone         Interface   Zone
Untrusted    ethernet4   Untrust      ethernet3   Untrust      ethernet4   Untrust
1            ethernet1   Work         ethernet1   Trust        ethernet1   Trust
2            ethernet2   Home         ethernet1   Trust        ethernet1   Trust
3            ethernet2   Home         ethernet2   DMZ          ethernet2   DMZ
4            ethernet3   Untrust      ethernet2   DMZ          ethernet3   Untrust
Modem        N/A         N/A          serial      Null         N/A         N/A

* As labeled on the NetScreen appliance chassis.
† Default port mode.
You change the port mode setting on the NetScreen device through the WebUI or the CLI. Before setting the port mode, note the following:
• Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.
• Issuing the unset all CLI command does not affect the port mode setting on the NetScreen device. For example, if you want to change the port mode setting from the Combined mode back to the default Trust-Untrust mode, issuing the unset all command removes the existing configuration but does not set the device to the Trust-Untrust mode.

Example: Home-Work Port Mode
In this example, you set the port mode on the NetScreen-5XT to the Home-Work mode.
WebUI
Configuration > Port Mode > Port Mode: Select Home-Work from the drop-down list, and then click Apply.
At the following prompt, click OK:
Operational mode change will erase current configuration and reset the device, continue?
CLI
exec port-mode home-work
At the following prompt, enter y (for yes):
Change port mode from <trust-untrust> to <home-work> will erase system configuration and reboot box
Are you sure y/[n] ?
Note: Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.
To see the current port mode setting on the NetScreen device:
WebUI
Configuration > Port Mode
CLI
get system

Zones in Home-Work and Combined Port Modes
Security conflicts can arise as both employee telecommuting and home networks become commonplace. The home network used by both telecommuters and family members can become a dangerous back door to a corporate network, carrying threats such as worms and allowing access to corporate resources, such as servers and networks, by non-employees.
The Home-Work and Combined port modes8 bind ScreenOS interfaces to special Work and Home zones. This allows segregation of business and home users and resources, while allowing users in both Home and Work zones access to the Untrust zone.
8. You can set port modes only on certain NetScreen appliances. See “Port Modes” on page 39.
Chapter 2 Zones Port Modes
48
The Home-Work port mode also binds the Modem port to a serial interface, which you can bind as a backup interface to the Untrust security zone. For more information about using the serial interface as a backup interface to the Untrust security zone, see Volume 10, “High Availability”.
The Combined port mode also binds the Ethernet port 4 to the Untrust zone to back up the Untrust security port. The backup interface is used only when there is a failure on the primary interface to the Untrust zone. For more information about using the ethernet3 interface as a backup interface to the Untrust security zone, see Volume 10, “High Availability”.
By default, the NetScreen-5XT acts as a Dynamic Host Configuration Protocol (DHCP) server, allocating dynamic IP addresses to DHCP clients in the Work zone. (For more information about the DHCP server, see “DHCP Server” on page 378.)
[Figure: interface-to-zone bindings in Home-Work port mode (Untrust Zone, Home Zone, Work Zone) and in Combined port mode (Untrust Zone, Home Zone)]
You can configure the NetScreen device using a Telnet connection or the WebUI from the Work zone only. You cannot configure the NetScreen device from the Home zone. You cannot use any management services, including ping, on the Home zone interface. The default IP address of the Work zone interface (ethernet1) is 192.168.1.1/24.
The default policies in the Home-Work and Combined port modes provide the following traffic control between zones:
• Allow all traffic from the Work zone to the Untrust zone
• Allow all traffic from the Home zone to the Untrust zone
• Allow all traffic from the Work zone to the Home zone
• Block all traffic from the Home zone to the Work zone (you cannot remove this policy)
You can create new policies for traffic from the Work zone to the Untrust zone, from the Home zone to the Untrust zone, and from the Work zone to the Home zone. You can also remove the default policies that allow all traffic from the Work zone to the Untrust zone, from the Home zone to the Untrust zone, and from the Work zone to the Home zone. Note, however, that you cannot create a policy to allow traffic from the Home zone to the Work zone.
Example: Home-Work Zones
In this example, you first set a NetScreen-5XT appliance in Home-Work port mode. You then configure a policy to allow only FTP traffic from the Home zone to the Untrust zone and remove the default policy that allows all traffic from the Home zone to the Untrust zone. In this example, the default policy, which allows traffic from any source address to any destination address for any service, has an ID of 2.
Warning: Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.
WebUI
Configuration > Port Mode > Port Mode: Select Home-Work from the drop-down list, and then click Apply.
At the following prompt, click OK:
Operational mode change will erase current configuration and reset the device, continue?
At this point, the system reboots, you log in, and then do the following:
Policies > (From: Home, To: Untrust) > New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: FTP
Action: Permit
Policies: In the “From Home to Untrust” policy list, click Remove in the Configure column for the policy with ID 2.
CLI
exec port-mode home-work
At the following prompt, enter y (for yes):
Change port mode from <trust-untrust> to <home-work> will erase system configuration and reboot box
Are you sure y/[n] ?
set policy from home to untrust any any ftp permit
unset policy 2
save
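The default policy set of the Home-Work and Combined port modes, and the effect of the Home-Work Zones example above, can be checked with a small model. The following Python is an added example, not ScreenOS code and not from Juniper's documentation. It simulates first-match policy lookup, the four default inter-zone policies (IDs 1, 3 and 4 are assumed; the text only states that the Home-to-Untrust default has ID 2), the Home-to-Work block that cannot be removed, and the sequence "set policy from home to untrust any any ftp permit" followed by "unset policy 2".

```python
"""Model of the Home-Work / Combined port-mode default policies.

Constructed example: it is not ScreenOS code and does not talk to a device.
Policy IDs 1, 3 and 4 are assumed for illustration; only ID 2 is given in
the manual. New policies are appended after the existing ones, so the
default any/any/any policy shadows a more specific one until it is removed.
"""
from dataclasses import dataclass

ANY = "any"


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    service: str  # "any" or a named service such as "ftp"
    action: str   # "permit" or "deny"
    locked: bool = False  # True for the built-in Home -> Work block


class PortModePolicySet:
    """Ordered policy list for a device in Home-Work or Combined port mode."""

    def __init__(self):
        self.policies = [
            Policy(1, "work", "untrust", ANY, "permit"),   # assumed ID
            Policy(2, "home", "untrust", ANY, "permit"),   # ID 2 per the text
            Policy(3, "work", "home", ANY, "permit"),      # assumed ID
            Policy(4, "home", "work", ANY, "deny", locked=True),  # assumed ID
        ]
        self._next_id = 5

    def set_policy(self, src_zone, dst_zone, service, action="permit"):
        """Equivalent of 'set policy from <src> to <dst> any any <svc> <action>'."""
        if (src_zone, dst_zone) == ("home", "work"):
            raise ValueError("cannot create a policy from the Home zone to the Work zone")
        pid = self._next_id
        self._next_id += 1
        self.policies.append(Policy(pid, src_zone, dst_zone, service, action))
        return pid

    def unset_policy(self, pid):
        """Equivalent of 'unset policy <id>'; the Home -> Work block is immovable."""
        for p in self.policies:
            if p.pid == pid:
                if p.locked:
                    raise ValueError("the Home -> Work block policy cannot be removed")
                self.policies.remove(p)
                return
        raise KeyError(pid)

    def lookup(self, src_zone, dst_zone, service):
        """First matching policy wins; no match means the traffic is dropped."""
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.service in (ANY, service):
                return p.action
        return "drop"


def rejected(fn, *args):
    """True when the call raises ValueError (used to show the fixed rules)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def home_work_example():
    """Replays the Home-Work Zones example and reports the resulting behaviour."""
    ps = PortModePolicySet()
    ps.set_policy("home", "untrust", "ftp", "permit")
    http_before = ps.lookup("home", "untrust", "http")  # still permitted by ID 2
    ps.unset_policy(2)
    return {
        "http_before": http_before,
        "http_after": ps.lookup("home", "untrust", "http"),
        "ftp_after": ps.lookup("home", "untrust", "ftp"),
        "work_to_home": ps.lookup("work", "home", "smb"),
        "home_to_work": ps.lookup("home", "work", "smb"),
    }


if __name__ == "__main__":
    print(home_work_example())
```

The lookup taken before "unset policy 2" is the point of the example: as long as the default any/any/any policy is in place, the new FTP-only policy sits below it and changes nothing. Only after the default is removed does non-FTP traffic from Home to Untrust fall through to the implicit drop.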
Chapter 3
Interfaces
Physical interfaces and subinterfaces, like doorways, allow traffic to enter and exit a security zone. To allow network traffic to flow in and out of a security zone, you must bind an interface to that zone and, if it is a Layer 3 zone, assign it an IP address. Then, you must configure policies to allow traffic to pass from interface to interface between zones. You can assign multiple interfaces to a zone, but you cannot assign a single interface to multiple zones.
This chapter contains the following sections:
• “Interface Types” on page 53
– “Security Zone Interfaces” on page 53
– “Function Zone Interfaces” on page 55
– “Tunnel Interfaces” on page 56
• “Viewing Interfaces” on page 61
• “Configuring Security Zone Interfaces” on page 63
– “Binding an Interface to a Security Zone” on page 63
– “Addressing a L3 Security Zone Interface” on page 64
– “Unbinding an Interface from a Security Zone” on page 67
– “Modifying Interfaces” on page 68
– “Creating Subinterfaces” on page 70
– “Deleting Subinterfaces” on page 71
• “Secondary IP Addresses” on page 72
– “Secondary IP Address Properties” on page 72
• “Loopback Interfaces” on page 74
• “Interface State Changes” on page 78
– “Physical Connection Monitoring” on page 80
– “Tracking IP Addresses” on page 80
– “Interface Monitoring” on page 87
– “Security Zone Monitoring” on page 94
– “Down Interfaces and Traffic Flow” on page 95
INTERFACE TYPES
This section describes security zone, function zone, and tunnel interfaces. For information on how to view a table of all these interfaces, see “Viewing Interfaces” on page 61.
Security Zone Interfaces
The purpose of physical interfaces and subinterfaces is to provide an opening through which network traffic can pass between zones.
Physical
Each port on your NetScreen device represents a physical interface, and the name of the interface is predefined. The name of a physical interface is composed of the media type, slot number (for some NetScreen devices), and port number, for example, ethernet3/2 or ethernet2 (see also “Security Zone Interfaces” on page 3). You can bind a physical interface to any security zone where it acts as a doorway through which traffic enters and exits the zone. Without an interface, no traffic can access the zone or leave it.
On NetScreen devices that support changes to interface-to-zone bindings, three of the physical ethernet interfaces are pre-bound to specific Layer 2 security zones—V1-Trust, V1-Untrust, and V1-DMZ. Which interface is bound to which zone is specific to each platform. (For more information on security zones, see “Security Zones” on page 2.)
Subinterface
A subinterface, like a physical interface, acts as a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual subinterfaces. Each virtual subinterface borrows the bandwidth it needs from the physical interface from which it stems, thus its name is an extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1. (See also “Security Zone Interfaces” on page 3.)
You can bind a subinterface to any zone. You can bind a subinterface to the same zone as its physical interface, or you can bind it to a different zone. (For more information, see “Binding an Interface to a Security Zone” on page 63 and “Defining Subinterfaces and VLAN Tags” on page 9-23.)
Aggregate Interfaces
The NetScreen-5000 series supports aggregate interfaces. An aggregate interface is the accumulation of two or more physical interfaces, each of which shares the traffic load directed to the IP address of the aggregate interface equally among themselves. By using an aggregate interface, you can increase the amount of bandwidth available to a single IP address. Also, if one member of an aggregate interface fails, the other member or members can continue processing traffic—although with less bandwidth than previously available.
Note: For more information about aggregate interfaces, see “Interface Redundancy” on page 10-59.
Redundant Interfaces
You can bind two physical interfaces together to create one redundant interface, which you can then bind to a security zone. One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface. The other physical interface acts as the secondary interface and stands by in case the active interface experiences a failure. If that occurs, traffic to the redundant interface fails over to the secondary interface, which becomes the new primary interface. The use of redundant interfaces provides a first line of redundancy before escalating a failover to the device level.
Note: For more information about redundant interfaces, see “Interface Redundancy” on page 10-59.
Virtual Security Interfaces
Virtual security interfaces (VSIs) are the virtual interfaces that two NetScreen devices forming a virtual security device (VSD) share when operating in high availability (HA) mode. Network and VPN traffic use the IP address and virtual MAC address of a VSI. The VSD then maps the traffic to the physical interface, subinterface, or redundant interface to which you have previously bound the VSI. When two NetScreen devices are operating in HA mode, you must bind security zone interfaces that you want to provide uninterrupted service in the event of a device failover to one or more virtual security devices (VSDs). When you bind an interface to a VSD, the result is a virtual security interface (VSI).
Note: For more information on VSIs and how they function with VSDs in an HA cluster, see Volume 10, “High Availability”.
Function Zone Interfaces
Function zone interfaces, such as Management and HA, serve a special purpose.
Management Interface
On some NetScreen devices, you can manage the device through a separate physical interface—the Management (MGT) interface—moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases security and assures constant management bandwidth.
Note: For information on configuring the device for administration, see “Administration” on page 3-1.
HA Interface
The HA interface is a physical port used exclusively for HA functions. With NetScreen devices that have dedicated High Availability (HA) interfaces, you can link two devices together to form a redundant group, or cluster. In a redundant group, one unit acts as the master, performing the network firewall, VPN, and traffic-shaping functions, while the other unit acts as a backup, basically waiting to take over the firewall functions should the master unit fail. This is an active/passive configuration. You can also set up both members of the cluster to be master and backup for each other. This is an active/active configuration. Both configurations are explained fully in Volume 10, “High Availability”.
Virtual HA Interface
On NetScreen devices without a dedicated HA interface, a Virtual High Availability (HA) interface provides the same functionality. Because there is no separate physical port exclusively used for HA traffic, the Virtual HA interface must be bound to one of the physical ethernet ports. You use the same procedure for binding a network interface to the HA zone as you do for binding a network interface to a security zone (see “Binding an Interface to a Security Zone” on page 63).
Note: For more information about HA interfaces, see “Dual HA Interfaces” on page 10-39.
Tunnel Interfaces
A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface.
When you bind a tunnel interface to a VPN tunnel, you can reference that tunnel interface in a route to a specific destination and then reference that destination in one or more policies. With this approach, you can finely control the flow of traffic through the tunnel. It also provides dynamic routing support for VPN traffic. When there is no tunnel interface bound to a VPN tunnel, you must specify the tunnel in the policy itself and choose tunnel as the action. Because the action tunnel implies permission, you cannot specifically deny traffic from a VPN tunnel.
You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in the same subnet as the tunnel interface. A typical reason for using policy-based NAT on a tunnel interface is to avoid IP address conflicts between the two sites on either end of the VPN tunnel.
You must bind a route-based VPN tunnel to a tunnel interface so that the NetScreen device can route traffic to and from it. You can bind a route-based VPN tunnel to a tunnel interface that is either numbered (with IP address/netmask) or unnumbered (without IP address/netmask). If the tunnel interface is unnumbered, you must specify an interface from which the tunnel interface borrows an IP address. The NetScreen device only uses the borrowed IP address as a source address when the NetScreen device itself initiates traffic—such as OSPF messages—through the tunnel. The tunnel interface can borrow the IP address from an interface in the same security zone or from an interface in a different one as long as both zones are in the same routing domain.
You can achieve very secure control of VPN traffic routing by binding all the unnumbered tunnel interfaces to one zone, which is in its own virtual routing domain, and borrowing the IP address from a loopback interface bound to the same zone. For example, you can bind all the unnumbered tunnel interfaces to a user-defined zone named “VPN” and configure them to borrow an IP address from the loopback.1 interface, also bound to the VPN zone. The VPN zone is in a user-defined routing domain named “vpn-vr”. You put all destination addresses to which the tunnels lead in the VPN zone. Your routes to these addresses point to the tunnel interfaces, and your policies control VPN traffic between other zones and the VPN zone.
Putting all the tunnel interfaces in such a zone is very secure because there is no chance for the failure of a VPN, which causes the route to the associated tunnel interface to become inactive, to redirect traffic intended for tunneling to use a non-tunneled route—such as the default route. (For several suggestions about how to avoid such a problem, see “Route-Based VPN Security Considerations” on page 5-91.)
You can also bind a tunnel interface to a tunnel zone. When you do, it must have an IP address. The purpose of binding a tunnel interface to a tunnel zone is to make NAT services available for policy-based VPN tunnels[1].
1. Network address translation (NAT) services include dynamic IP (DIP) pools and mapped IP (MIP) addresses defined in the same subnet as an interface.
[Figure: Trust Zone with host src-1 10.1.1.5 behind ethernet1 10.1.1.1/24 in trust-vr; Untrust Zone with ethernet3 on the 1.1.1.0/24 subnet and an external router at 1.1.1.250; VPN Zone in vpn-vr with loopback.1 172.16.1.1/24 and the unnumbered tunnel.1 leading to dst-1 10.2.2.5. Note: The VPN tunnel itself is not shown.]
set vrouter name vpn-vr
set zone name vpn vrouter vpn-vr
set interface loopback.1 zone vpn
set interface loopback.1 ip 172.16.1.1/24
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered loopback.1
Configure addresses for src-1 and dst-1.
Configure a VPN tunnel and bind it to tunnel.1.
set vrouter trust-vr route 10.2.2.5/32 vrouter vpn-vr
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
set vrouter vpn-vr route 10.2.2.5 interface tunnel.1
set policy from trust to vpn src-1 dst-1 any permit
The NetScreen device sends traffic destined for 10.2.2.5/32 from the trust-vr to the vpn-vr. If tunnel.1 becomes disabled, the NetScreen device drops the packet. Because the default route (to 0.0.0.0/0) is only in the trust-vr, the NetScreen device does not attempt to send the packet in plain text out ethernet3.
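The reason the two-virtual-router layout above is safe is easiest to see by running the route lookup for both designs. The following Python is an added example, not ScreenOS code and not from Juniper's documentation. It models longest-prefix-match lookup per virtual router, an inter-vrouter route from trust-vr to vpn-vr, and routes that become inactive while their egress interface is down. The "single vrouter" layout it compares against (tunnel route and default route in the same virtual router) is assumed for contrast and is not in the text.

```python
"""Two-virtual-router route lookup for the tunnel.1 / vpn-vr design.

Constructed example, not ScreenOS code. Routes are (prefix, kind, target)
where kind is "interface" (egress interface) or "vrouter" (hand the packet
to another virtual router). A route whose interface is down is ignored,
which is what ScreenOS does when the tunnel interface goes down.
"""
import ipaddress


class VRouter:
    def __init__(self, name):
        self.name = name
        self.routes = []  # (network, kind, target)

    def add_route(self, prefix, *, interface=None, vrouter=None):
        """set vrouter <name> route <prefix> interface <if> | vrouter <vr>"""
        net = ipaddress.ip_network(prefix, strict=False)
        kind, target = ("vrouter", vrouter) if vrouter else ("interface", interface)
        self.routes.append((net, kind, target))

    def match(self, dst, link_up):
        """Longest-prefix match over routes whose egress interface is up."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, kind, target in self.routes:
            if addr not in net:
                continue
            if kind == "interface" and not link_up.get(target, False):
                continue  # route is inactive while its interface is down
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, kind, target)
        return best


def forward(vrouters, start_vr, dst, link_up):
    """Follow routes across virtual routers; return the egress interface or 'drop'."""
    vr = vrouters[start_vr]
    for _ in range(len(vrouters)):  # bound the hops so a vrouter loop cannot spin
        hit = vr.match(dst, link_up)
        if hit is None:
            return "drop"
        _, kind, target = hit
        if kind == "interface":
            return target
        vr = vrouters[target]
    return "drop"


def build_split_design():
    """Routes from the example: tunnel route in vpn-vr, default route only in trust-vr."""
    trust = VRouter("trust-vr")
    trust.add_route("10.2.2.5/32", vrouter="vpn-vr")
    trust.add_route("0.0.0.0/0", interface="ethernet3")
    vpn = VRouter("vpn-vr")
    vpn.add_route("10.2.2.5/32", interface="tunnel.1")
    return {"trust-vr": trust, "vpn-vr": vpn}


def build_single_vr_design():
    """Assumed contrast case: tunnel route and default route in the same vrouter."""
    trust = VRouter("trust-vr")
    trust.add_route("10.2.2.5/32", interface="tunnel.1")
    trust.add_route("0.0.0.0/0", interface="ethernet3")
    return {"trust-vr": trust}


def compare(dst="10.2.2.5"):
    """Egress chosen for dst in both designs, with tunnel.1 up and down."""
    up = {"ethernet3": True, "tunnel.1": True}
    down = {"ethernet3": True, "tunnel.1": False}
    return {
        "split_tunnel_up": forward(build_split_design(), "trust-vr", dst, up),
        "split_tunnel_down": forward(build_split_design(), "trust-vr", dst, down),
        "single_tunnel_up": forward(build_single_vr_design(), "trust-vr", dst, up),
        "single_tunnel_down": forward(build_single_vr_design(), "trust-vr", dst, down),
    }


if __name__ == "__main__":
    print(compare())
```

With tunnel.1 down, the split design drops the packet inside vpn-vr because that router has no other route, whereas the single-vrouter design falls back to the default route and would send the traffic unencrypted out ethernet3. That fallback is the leak the text warns about.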
Conceptually, you can view VPN tunnels as pipes that you have laid. They extend from the local device to remote gateways, and the tunnel interfaces are the openings to these pipes. The pipes are always there, available for use whenever the routing engine directs traffic to one of their interfaces.
Generally, assign an IP address to a tunnel interface if you want the interface to support one or more dynamic IP (DIP) pools for source address translation (NAT-src) and mapped IP (MIP) addresses for destination address translation (NAT-dst). For more information about VPNs and address translation, see “VPN Sites with Overlapping Addresses” on page 5-201. You can create a tunnel interface with an IP address and netmask in either a security zone or a tunnel zone.
When a tunnel interface is bound to a tunnel zone, the tunnel interface must have an IP address and netmask. This allows you to define DIP pools and MIP addresses on that interface. If you bind a VPN tunnel to a tunnel zone, you cannot also bind it to a tunnel interface. In such cases, you must create a policy-based VPN configuration.
When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the default interface of the security zone in which you created it. Note: Only a tunnel interface with an IP address and netmask can support policy-based NAT.
When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.
[Figure: a security zone with security zone interfaces and tunnel interfaces (numbered or unnumbered), a tunnel zone with numbered tunnel interfaces, and the VPN tunnels each tunnel interface leads to]
If the tunnel interface does not need to support address translation, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface with an IP address that is in the same virtual routing domain as the security zone to which the unnumbered interface is bound. The unnumbered tunnel interface borrows the IP address from that interface.
If you are transmitting multicast packets through a VPN tunnel, you can enable Generic Routing Encapsulation (GRE) on the tunnel interfaces to encapsulate multicast packets in unicast packets. NetScreen devices support GREv1 for encapsulating IP packets in IPv4 unicast packets. For additional information on GRE, see “Generic Routing Encapsulation” on page 6-201.
Deleting Tunnel Interfaces
You cannot immediately delete a tunnel interface that hosts mapped IP addresses (MIPs) or Dynamic IP (DIP) address pools. Before you delete a tunnel interface hosting any of these features, you must first delete any policies that reference them. Then you must delete the MIPs and DIP pools on the tunnel interface. Also, if a route-based VPN configuration references a tunnel interface, you must first delete the VPN configuration before you can delete the tunnel interface.
Example: Deleting a Tunnel Interface
In this example, tunnel interface tunnel.2 is linked to DIP pool 8. DIP pool 8 is referenced in a policy (ID 10) for VPN traffic from the Trust zone to the Untrust zone through a VPN tunnel named vpn1. To remove the tunnel interface, you must first delete the policy (or remove the reference to DIP pool 8 from the policy), and then the DIP pool. Then, you must unbind tunnel.2 from vpn1. After removing all the configurations that depend on the tunnel interface, you can then delete it.
Note: For examples showing how to bind a tunnel interface to a tunnel, see the route-based VPN examples in “Site-to-Site VPNs” on page 5-101 and “Dialup VPNs” on page 5-231.
WebUI
1. Deleting Policy 10, Which References DIP Pool 8
Policies (From: Trust, To: Untrust): Click Remove for Policy ID 10.
2. Deleting DIP Pool 8, Which Is Linked to Tunnel.2
Network > Interfaces > Edit (for tunnel.2) > DIP: Click Remove for DIP ID 8.
3. Unbinding tunnel.2 from vpn1
VPNs > AutoKey IKE > Edit (for vpn1) > Advanced: Select None in the Bind to: Tunnel Interface drop-down list, click Return, and then click OK.
4. Deleting Tunnel.2
Network > Interfaces: Click Remove for tunnel.2.
CLI
1. Deleting Policy 10, Which References DIP Pool 8
unset policy 10
2. Deleting DIP Pool 8, Which Is Linked to Tunnel.2
unset interface tunnel.2 dip 8
3. Unbinding tunnel.2 from vpn1
unset vpn vpn1 bind interface
4. Deleting Tunnel.2
unset interface tunnel.2
save
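The ordering rule behind this example (policies before DIP pools, DIP pools and VPN bindings before the tunnel interface) is a dependency check. The following Python is an added example, not ScreenOS code and not from Juniper's documentation. It keeps configuration objects and the references between them in a small graph, refuses to delete an object that something else still references, and derives the safe deletion order for tunnel.2 from the references named in the example.

```python
"""Dependency check for deleting a tunnel interface (the tunnel.2 case).

Constructed example, not ScreenOS code. Each object records what it depends
on: policy 10 -> dip 8 -> tunnel.2, and vpn1 -> tunnel.2. delete() refuses
to remove an object while anything still references it; unbind() models
'unset vpn vpn1 bind interface', which drops a single reference.
"""


class ConfigGraph:
    def __init__(self):
        self.objects = set()
        self.refs = {}  # object -> set of objects it references (depends on)

    def add(self, name, depends_on=()):
        for dep in depends_on:
            if dep not in self.objects:
                raise KeyError(f"{name} references unknown object {dep}")
        self.objects.add(name)
        self.refs[name] = set(depends_on)

    def referrers(self, name):
        """Objects that still point at `name`, in a stable order."""
        return sorted(o for o, deps in self.refs.items() if name in deps)

    def delete(self, name):
        blockers = self.referrers(name)
        if blockers:
            raise ValueError(f"cannot delete {name}: still referenced by {blockers}")
        self.objects.discard(name)
        self.refs.pop(name, None)

    def unbind(self, name, dep):
        """Remove one reference, e.g. 'unset vpn vpn1 bind interface'."""
        self.refs[name].discard(dep)

    def deletion_order(self, name):
        """Referrers first (recursively), then the object itself."""
        order = []
        for r in self.referrers(name):
            order.extend(o for o in self.deletion_order(r) if o not in order)
        order.append(name)
        return order


def build_tunnel2_graph():
    """The objects and references described in the example above."""
    g = ConfigGraph()
    g.add("tunnel.2")
    g.add("dip 8", depends_on=["tunnel.2"])
    g.add("policy 10", depends_on=["dip 8"])
    g.add("vpn1", depends_on=["tunnel.2"])
    return g


def tunnel2_example():
    """Try the deletion too early, then perform the steps in the right order."""
    g = build_tunnel2_graph()
    try:
        g.delete("tunnel.2")
        premature = "no error"
    except ValueError as e:
        premature = str(e)
    g.delete("policy 10")            # unset policy 10
    g.delete("dip 8")                # unset interface tunnel.2 dip 8
    g.unbind("vpn1", "tunnel.2")     # unset vpn vpn1 bind interface
    g.delete("tunnel.2")             # unset interface tunnel.2
    return {"premature_delete_error": premature, "remaining": sorted(g.objects)}


if __name__ == "__main__":
    print(build_tunnel2_graph().deletion_order("tunnel.2"))
    print(tunnel2_example())
```

The example unbinds vpn1 rather than deleting it, so vpn1 survives; deletion_order() lists it only because a VPN that keeps its binding would have to go before the interface, which is the rule the text states for route-based VPN configurations.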
VIEWING INTERFACES
You can view a table that lists all interfaces on your NetScreen device. Because they are predefined, physical interfaces are listed regardless of whether or not you configure them. Subinterfaces and tunnel interfaces are only listed once you create and configure them.
To view the interface table in the WebUI, click Network > Interfaces. You can specify the types of interfaces to display from the List Interfaces drop-down list.
To view the interface table in the CLI, use the get interface command.
Interface Table
The interface table displays the following information on each interface:
• Name: This field identifies the name of the interface.
• IP/Netmask: This field identifies the IP address and netmask address of the interface.
• Zone: This field identifies the zone to which the interface is bound.
• Type: This field indicates the interface type: Layer 2, Layer 3, tunnel, redundant, aggregate, VSI.
• Link: This field identifies whether the interface is active (Up) or inactive (Down).
• Configure: This field allows you to modify or remove interfaces.
[Figure: WebUI Interface Table]
[Figure: CLI Interface Table]
CONFIGURING SECURITY ZONE INTERFACES
This section describes how to configure the following aspects of security zone interfaces:
• Binding and unbinding an interface to a security zone
• Assigning an address to a Layer 3 (L3) security zone interface
• Modifying physical interfaces and subinterfaces
• Creating subinterfaces
• Deleting subinterfaces
Binding an Interface to a Security Zone
You can bind any physical interface to either a L2 or L3 security zone. You can bind a subinterface only to a L3 security zone because a subinterface requires an IP address. You can only assign an IP address to an interface after you have bound it to a L3 security zone.
Example: Binding an Interface
In this example, you bind ethernet5 to the Trust zone.
WebUI
Network > Interfaces > Edit (for ethernet5): Select Trust from the Zone Name drop-down list, and then click OK.
CLI
set interface ethernet5 zone trust
save
Note: For information on setting traffic bandwidth for an interface, see Chapter 7, “Traffic Shaping”. For more information on the management and other services options available per interface, see “Controlling Administrative Traffic” on page 3-36.
Addressing a L3 Security Zone Interface
When defining a Layer 3 (L3) security zone interface or subinterface, you must assign it an IP address and netmask. If you bind the interface to a zone in the trust-vr, you can also specify the interface mode as NAT or Route. (If the zone to which you bind the interface is in the untrust-vr, the interface is always in Route mode.)
Note: For examples of NAT and Route mode configurations, see Chapter 4, “Interface Modes” on page 103.
Note: When you add an IP address to an interface, the NetScreen device checks via an ARP request to make sure that the IP address does not already exist on the local network. (The physical link must be up at the time.) If the IP address already exists, a warning is displayed.
The two basic types of IP addresses to be considered when making interface address assignments are as follows:
• Public addresses, which Internet service providers (ISPs) supply for use on a public network like the Internet and which must be unique
• Private addresses, which a local network administrator assigns for use on a private network and which other administrators can assign for use on other private networks too
Public IP Addresses
If an interface connects to a public network, it must have a public IP address. Also, if a L3 security zone in the untrust-vr connects to a public network and the interfaces of zones in the trust-vr are in Route mode, then all the addresses in the zones in the trust-vr—for interfaces and for hosts—must also be public addresses. Public IP addresses fall into three classes, A, B, and C[2], as shown below:
Address Class   Address Range                  Excluded Address Range
A               0.0.0.0 – 127.255.255.255      10.0.0.0 – 10.255.255.255
                                               127.0.0.0 – 127.255.255.255
B               128.0.0.0 – 191.255.255.255    172.16.0.0 – 172.31.255.255
C               192.0.0.0 – 223.255.255.255    192.168.0.0 – 192.168.255.255
2. There are also D and E class addresses, which are reserved for special purposes.
An IP address is composed of four octets, each octet being 8 bits long. In a class A address, the first 8 bits indicate the network ID, and the final 24 bits indicate the host ID (nnn.hhh.hhh.hhh). In a class B address, the first 16 bits indicate the network ID, and the final 16 bits indicate the host ID (nnn.nnn.hhh.hhh). In a class C address, the first 24 bits indicate the network ID, and the final 8 bits indicate the host ID (nnn.nnn.nnn.hhh).
Through the application of subnet masks (or netmasks), you can further divide networks. A netmask essentially masks part of the host ID so that the masked part becomes a subnet of the network ID. For example, the 24-bit mask[3] in the address 10.2.3.4/24 indicates that the first 8 bits (that is, the first octet—010) identify the network portion of this private class A address, the next 16 bits (that is, the second and third octets—002.003) identify the subnetwork portion of the address, and the last 8 bits (the last octet—004) identify the host portion of the address. Using subnets to narrow large network address spaces into smaller subdivisions greatly increases the efficient delivery of IP datagrams.
3. The dotted-decimal equivalent of a 24-bit mask is 255.255.255.0.
Private IP Addresses
If an interface connects to a private network, a local network administrator can assign it any address, although it is conventional to use an address from the range of addresses reserved for private use—10.0.0.0/8, 172.16.0.0 – 172.31.255.255, 192.168.0.0/16—as defined in RFC 1918, “Address Allocation for Private Internets”.
If a L3 security zone in the untrust-vr connects to a public network and the interfaces bound to zones in the trust-vr are in NAT mode, then all the addresses in the zones in the trust-vr—for interfaces and for hosts—can be private addresses.
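The class table, the RFC 1918 exclusions and the 10.2.3.4/24 breakdown above can be turned into checks that run before an address is typed into an interface. The following Python is an added example, not ScreenOS code and not from Juniper's documentation; it uses only the standard ipaddress module. classify() returns the class letter from the table (D and E for the reserved ranges the footnote mentions), is_private() tests the RFC 1918 blocks, usable_as_public() also excludes the 127/8 range the table lists, and split() decomposes an address with an octet-aligned mask into the classful network, subnet and host portions the text describes.

```python
"""Address class, RFC 1918 membership and network/subnet/host split.

Constructed example, not ScreenOS code. The classful boundaries (/8, /16,
/24 for classes A, B, C) and the excluded ranges follow the table in the
text; split() only handles masks that fall on octet boundaries, which is
all the worked example in the text needs.
"""
import ipaddress

PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


def classify(addr):
    """Class letter by first octet: A < 128, B < 192, C < 224, D < 240, else E."""
    first = ipaddress.ip_address(addr).packed[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_prefixlen(addr):
    """Length of the network ID for a class A/B/C address."""
    return {"A": 8, "B": 16, "C": 24}[classify(addr)]


def is_private(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in PRIVATE_RANGES)


def usable_as_public(addr):
    """Public means class A, B or C and outside the excluded ranges of the table."""
    a = ipaddress.ip_address(addr)
    return classify(addr) in ("A", "B", "C") and not is_private(addr) and a not in LOOPBACK


def split(cidr):
    """Network / subnet / host octet strings for a classful address with a mask."""
    iface = ipaddress.ip_interface(cidr)
    net_bits = classful_prefixlen(iface.ip)
    mask_bits = iface.network.prefixlen
    if mask_bits < net_bits:
        raise ValueError("mask is shorter than the classful network portion")
    if mask_bits % 8:
        raise ValueError("this example handles octet-aligned masks only")
    octets = str(iface.ip).split(".")
    return {
        "class": classify(iface.ip),
        "network": ".".join(octets[: net_bits // 8]),
        "subnet": ".".join(octets[net_bits // 8 : mask_bits // 8]),
        "host": ".".join(octets[mask_bits // 8 :]),
        "netmask": str(iface.netmask),
    }


if __name__ == "__main__":
    print(split("10.2.3.4/24"))
    print(classify("210.1.1.1"), usable_as_public("210.1.1.1"))
```

Running split("10.2.3.4/24") reproduces the text: network 10, subnet 2.3, host 4, netmask 255.255.255.0. usable_as_public() is the check to apply to an interface in a Route-mode zone behind the untrust-vr, where the text requires public addresses.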
Example: Addressing an Interface
In this example, you assign ethernet5 the IP address 210.1.1.1/24 and give it the Manage IP address 210.1.1.5. (Note that the Manage IP address must be in the same subnet as the security zone interface IP address.) Finally, you set the interface in NAT mode, which translates all internal IP addresses to the IP addresses of the default interfaces[4] bound to the other security zones.
WebUI
Network > Interfaces > Edit (for ethernet5): Enter the following, and then click OK:
IP Address/Netmask: 210.1.1.1/24
Manage IP: 210.1.1.5
CLI
set interface ethernet5 ip 210.1.1.1/24
set interface ethernet5 manage-ip 210.1.1.5
save
4. The default interface in a security zone is the first interface bound to the zone. To learn which interface is the default interface for a zone, see the Default IF column on the Network > Zones page in the WebUI, or the Default-If column in the output from the get zone command in the CLI.
Unbinding an Interface from a Security Zone
If an interface is unnumbered, you can unbind it from one security zone and bind it to another. If an interface is numbered, you must first set its IP address and netmask to 0.0.0.0. Then, you can unbind it from one security zone and bind it to another one, and (optionally) reassign it an IP address/netmask.
Example: Unbinding an Interface
In this example, ethernet3 has the IP address 210.1.1.1/24 and is bound to the Untrust zone. You set its IP address and netmask to 0.0.0.0/0 and bind it to the Null zone.
WebUI
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Null
IP Address/Netmask: 0.0.0.0/0
CLI
set interface ethernet3 ip 0.0.0.0/0
set interface ethernet3 zone null
save
Modifying Interfaces
After you have configured a physical interface, a subinterface, a redundant interface, an aggregate interface, or a Virtual Security Interface (VSI), you can later change any of the following settings should the need arise:
• IP address and netmask
• Manage IP address
• (L3 zone interfaces) Management and network services
• (Subinterface) Subinterface ID number and VLAN tag number
• (Interfaces bound to L3 security zones in the trust-vr) Interface mode—NAT or Route
• (Physical interface) Traffic bandwidth settings (see Chapter 7, “Traffic Shaping” on page 347)
• (Physical, redundant, and aggregate interfaces) Maximum Transmission Unit (MTU) size
• (L3 interfaces) Block traffic from coming in and going out the same interface, including traffic between a primary and secondary subnet or between secondary subnets (this is done with the CLI set interface command with the route-deny option)
For physical interfaces on some NetScreen devices, you can force the physical state of the link to be down or up. By forcing the physical state of the link to be down, you can simulate a disconnect of the cable from the interface port. (This is done with the CLI set interface command with the phy link-down option.)
69
e Trust zone. You change the strative traffic, you also change WebUI.
, and then click OK :
lear) Telnet, WebUI
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
Example: Modifying Interface SettingsIn this example, you make some modifications to ethernet1, an interface bound to thManage IP address from 10.1.1.2 to 10.1.1.12. To enforce tighter security of adminithe management services options, enabling SCS and SSL and disabling Telnet and
WebUI
Network > Interfaces > Edit (for ethernet1): Make the following modifications
Manage IP: 10.1.1.12
Management Services: (select) SSH, SSL; (c
CLI
set interface ethernet1 manage-ip 10.1.1.12set interface ethernet1 manage sshset interface ethernet1 manage sslunset interface ethernet1 manage telnetunset interface ethernet1 manage websave
Creating Subinterfaces
You can create a subinterface on any physical interface5 in the root system or virtual system. A subinterface makes use of VLAN tagging to distinguish traffic bound for it from traffic bound for other interfaces. Note that although a subinterface stems from a physical interface, from which it borrows the bandwidth it needs, you can bind a subinterface to any zone, not necessarily that to which its “parent” interface is bound. Additionally, the IP address of a subinterface must be in a different subnet from the IP addresses of all other physical interfaces and subinterfaces.
Example: Subinterface in the Root System
In this example, you create a subinterface in the root system. You configure the subinterface on ethernet1, which is bound to the Trust zone. You bind the subinterface to a user-defined zone named “accounting”, which is in the trust-vr. You assign it subinterface ID 3, IP address 10.2.1.1/24, and VLAN tag ID 3. The interface mode is NAT.
WebUI
Network > Interfaces > New Sub-IF: Enter the following, and then click OK:
Interface Name: ethernet1.3
Zone Name: accounting
IP Address/Netmask: 10.2.1.1/24
VLAN Tag: 3
CLI
set interface ethernet1.3 zone accounting
set interface ethernet1.3 ip 10.2.1.1/24 tag 3
save
5. You can also configure subinterfaces on redundant interfaces and VSIs. For an example that includes the configuration of a subinterface on a redundant interface, see “Virtual System Failover” on page 10-130.
Deleting Subinterfaces
You cannot immediately delete a subinterface that hosts mapped IP addresses (MIPs), virtual IP addresses (VIPs), or Dynamic IP (DIP) address pools. Before you delete a subinterface hosting any of these features, you must first delete any policies or IKE gateways that reference them. Then you must delete the MIPs, VIPs, and DIP pools on the subinterface.
Example: Deleting a Security Zone Interface
In this example, you delete the subinterface ethernet1.1.
WebUI
Network > Interfaces: Click Remove for ethernet1.1.
A system message prompts you to confirm the removal.
Click Yes to delete the subinterface.
CLI
unset interface ethernet1.1
save
SECONDARY IP ADDRESSES
Each NetScreen interface has a single, unique primary IP address. However, some situations demand that an interface have multiple IP addresses. For example, an organization might have additional IP address assignments and might not wish to add a router to accommodate them. In addition, an organization might have more network devices than its subnet can handle, as when there are more than 254 hosts connected to a LAN. To solve such problems, you can add secondary IP addresses to an interface in the Trust, DMZ, or user-defined zone.
Secondary IP Address Properties
Secondary addresses have certain properties that affect how you can implement such addresses. These properties are as follows:
• There can be no subnet address overlap between any two secondary IP addresses. In addition, there can be no subnet address overlap between a secondary IP and any existing subnet on the NetScreen device.
• When you manage a NetScreen device through a secondary IP address, the address always has the same management properties as the primary IP address. Consequently, you cannot specify a separate management configuration for the secondary IP address.
• You cannot configure a gateway for a secondary IP address.
• Whenever you create a new secondary IP address, the NetScreen device automatically creates a corresponding routing table entry. When you delete a secondary IP address, the device automatically deletes its routing table entry.
Enabling or disabling routing between two secondary IP addresses causes no change in the routing table. For example, if you disable routing between two such addresses, the NetScreen device drops any packets that arrive on the interface from one of the subnets and are directed to the other, but no change occurs in the routing table.
Note: You cannot set multiple secondary IP addresses for interfaces in the Untrust zone.
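As an added example (not code from this manual or from ScreenOS), the following Python reproduces the overlap rule and the Untrust-zone limit above, so that a configuration-generation script can reject a bad secondary address before pushing the set interface command. The interface inventory, its zone names and its address lists are constructed for the demonstration and are not from the manual.

```python
"""Offline pre-check for `set interface <if> ip <addr/mask> secondary`.

Added example, not ScreenOS code. It applies two of the rules stated above:
the new secondary subnet may not overlap any other secondary or any existing
subnet on the device, and an Untrust-zone interface may not carry more than
one secondary address. The inventory is constructed for the demonstration.
"""
import ipaddress

# Constructed inventory: interface -> (zone, [primary/mask, secondary/mask, ...]).
INVENTORY = {
    "ethernet1":   ("Trust",      ["10.1.1.1/24"]),
    "ethernet1.3": ("accounting", ["10.2.1.1/24"]),
    "ethernet3":   ("Untrust",    ["1.1.1.1/24", "1.1.2.1/24"]),
}


def check_secondary(inventory, iface, candidate):
    """Return (ok, message). ok is True when the address can be added;
    the message is then the CLI line to push, otherwise the reason for refusal."""
    if iface not in inventory:
        return False, f"{iface}: no such interface"
    zone, addrs = inventory[iface]
    try:
        new = ipaddress.ip_interface(candidate)
    except ValueError as exc:
        return False, f"{candidate}: {exc}"
    # "You cannot set multiple secondary IP addresses for interfaces in the Untrust zone."
    if zone == "Untrust" and len(addrs) > 1:
        return False, f"{iface} is in Untrust and already has a secondary address"
    # No subnet overlap with any existing subnet (primary or secondary, on any interface).
    for name, (_zone, existing) in inventory.items():
        for addr in existing:
            net = ipaddress.ip_interface(addr).network
            if net.overlaps(new.network):
                return False, f"{new.network} overlaps {net} on {name}"
    return True, f"set interface {iface} ip {new.with_prefixlen} secondary"


def add_secondary(inventory, iface, candidate):
    """Apply the check and, on success, record the address as the device would."""
    ok, msg = check_secondary(inventory, iface, candidate)
    if ok:
        inventory[iface][1].append(candidate)
    return ok, msg


if __name__ == "__main__":
    for iface, cand in [("ethernet1", "192.168.2.1/24"), ("ethernet1", "10.2.1.5/24"),
                        ("ethernet3", "3.3.3.1/24")]:
        print(iface, cand, check_secondary(INVENTORY, iface, cand))
```

The overlap test uses the network of each address, not the address itself, so a candidate such as 10.1.1.129/25 is refused even though no interface carries that exact address: its /25 lies inside the primary 10.1.1.0/24.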
Example: Creating a Secondary IP Address
In this example, you set up a secondary IP address—192.168.2.1/24—for ethernet1, an interface that has IP address 10.1.1.1/24 and is bound to the Trust zone.
WebUI
Network > Interfaces > Edit (for ethernet1) > Secondary IP: Enter the following, and then click Add:
IP Address/Netmask: 192.168.2.1/24
CLI
set interface ethernet1 ip 192.168.2.1/24 secondary
save
LOOPBACK INTERFACES
A loopback interface is a logical interface that emulates a physical interface on the NetScreen device. However, unlike a physical interface, a loopback interface is always in the up state as long as the device on which it resides is up. Loopback interfaces are named loopback.id_num, where id_num is a number greater than or equal to 16 and denotes a unique loopback interface on the device. Like a physical interface, you must assign an IP address to a loopback interface and bind it to a security zone.
After defining a loopback interface, you can then define other interfaces as members of its group. Traffic can reach a loopback interface if it arrives through one of the interfaces in its group. Any interface type can be a member of a loopback interface group—physical interface, subinterface, tunnel interface, redundant interface, or VSI.
Example: Creating a Loopback Interface
In the following example, you create the loopback interface loopback.1, bind it to the Untrust zone, and assign the IP address 1.1.1.27/24 to it.
WebUI
Network > Interfaces > New Loopback IF: Enter the following, and then click OK:
Interface Name: loopback.1
Zone: Untrust (select)
IP Address/Netmask: 1.1.1.27/24
CLI
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.1.27/24
save
6. The maximum id_num value you can specify is platform-specific.
Note: The loopback interface is not directly accessible from networks or hosts that reside in other zones. You must define a policy to permit traffic to and from the interface.
Using Loopback Interfaces
You can use a loopback interface in many of the same ways as a physical interface. This section shows examples of the ways you can configure loopback interfaces.
You can define a MIP on a loopback interface. This allows the MIP to be accessed by a group of interfaces; this capability is unique to loopback interfaces. For information about using the loopback interface with MIPs, see “MIP and the Loopback Interface” on page 7-105.
You can manage the NetScreen device using either the IP address of a loopback interface or the manage IP address that you assign to a loopback interface.
Example: Loopback Interface for Management
In the following example, you configure the previously-defined loopback.1 interface as a management interface for the device.
WebUI
Network > Interfaces > loopback.1 > Edit: Select all the management options, and then click OK.
CLI
set interface loopback.1 manage
save
Note: You cannot bind a loopback interface to a HA zone, nor can you configure a loopback interface for layer 2 operation or as a redundant/aggregate interface. You cannot configure the following features on loopback interfaces: NTP, DNS, VIP, secondary IP, track IP, or Webauth.
Example: BGP on a Loopback Interface
The loopback interface can support the BGP dynamic routing protocol on the NetScreen device. In the following example, you enable BGP on the loopback.1 interface.
WebUI
Network > Interfaces > loopback.1 > Edit: Select Protocol BGP, and then click OK.
CLI
set interface loopback.1 protocol bgp
save
Note: To enable BGP on the loopback interface, you must first create a BGP instance for the virtual router in which you plan to bind the interface. For information about configuring BGP on NetScreen devices, see Volume 6, “Routing”.
Example: VSIs on a Loopback Interface
You can configure Virtual Security Interfaces (VSIs) for NSRP on a loopback interface. The physical state of the VSI on the loopback interface is always up. The interface can be active or not, depending upon the state of the VSD group to which the interface belongs.
WebUI
Network > Interfaces > New VSI IF: Enter the following, and then click OK:
Interface Name: VSI Base: loopback.1
VSD Group: 1
IP Address/Netmask: 1.1.1.1/24
CLI
set interface loopback.1:1 ip 1.1.1.1/24
save
Example: Loopback Interface as a Source Interface
You can use a loopback interface as a source interface for certain traffic that originates from the NetScreen device. (When you define a source interface for an application, the specified source interface address is used instead of the outbound interface address to communicate with an external device.) In the following example, you specify that the NetScreen device uses the previously-defined loopback.1 interface for sending syslog packets.
WebUI
Configuration > Report Settings > Syslog: Enter the following, and then click Apply:
Enable Syslog Messages: (select)
Source interface: loopback.1 (select)
Syslog Servers:
No.: 1 (select)
IP/Hostname: 10.1.1.1
Traffic Log: (select)
Event Log: (select)
CLI
set syslog config 10.1.1.1 log all
set syslog src-interface loopback.1
set syslog enable
save
INTERFACE STATE CHANGES
An interface can be in one of the following states:
• Physically Up – For physical ethernet interfaces operating at either Layer 2 (Transparent mode) or Layer 3 (Route Mode) in the Open Systems Interconnection (OSI) model. An interface is physically up when it is cabled to another network device and can establish a link to that device.
• Logically Up – For both physical interfaces and logical interfaces (subinterfaces, redundant interfaces, and aggregate interfaces). An interface is logically up when traffic passing through that interface is able to reach specified devices (at tracked IP addresses) on a network.
• Physically Down – An interface is physically down when it is not cabled to another network device or when it is cabled but cannot establish a link. You can also force an interface to be physically down with the following CLI command: set interface interface phy link-down.
• Logically Down – An interface is logically down when traffic passing through that interface cannot reach specified devices (at tracked IP addresses) on a network.
The physical state of an interface takes precedence over its logical state. An interface can be physically up and—at the same time—be either logically up or logically down. If an interface is physically down, its logical state becomes irrelevant.
When the state of an interface is up, all routes that make use of that interface remain active and usable. When the state of an interface is down, the NetScreen device deactivates all routes using that interface—although, depending on whether the interface is physically or logically down, traffic might still flow through an interface whose state is down (see “Down Interfaces and Traffic Flow” on page 95). To compensate for the loss of routes caused by the loss of an interface, you can configure alternate routes using an alternate interface.
Depending on how you set up the action that an observed interface state change can cause, a state change from up to down in a monitored interface can cause the monitoring interface to change its state from down to up. To configure this behavior, you can use the following CLI command:
set interface interface monitor threshold number action up { logically | physically }
When you enter the above command, the NetScreen device automatically forces the monitoring interface into a down state. If the monitored object (tracked IP address, interface, zone) fails, then the state of the monitoring interface becomes up—either logically or physically, per your configuration.
An interface can monitor objects for one or more of the following events. Each of these events by itself or in combination can cause the state of the monitoring interface to change from up to down and from down to up:
• Physical disconnection/reconnection
• IP tracking failure/success
• Failure/Success of a monitored interface
• Failure/Success of a monitored security zone
If, after failing, a monitored object succeeds (the interface is reconnected or IP tracking again succeeds), then the monitoring interface comes back up. There is about a one-second delay from the time the monitored object succeeds and when the monitoring interface re-activates itself.
Each of the above events is presented in the following sections.
[Figure: Monitored object failure. If a monitored object fails (physical disconnection: the interface becomes disconnected; IP tracking failure: no replies to ICMP echo requests, and IP tracking failures exceed the threshold; monitored interface failure; monitored security zone failure: all interfaces in the same zone go down), and the weight for that object is greater than or equal to the monitor failure threshold, and the action is set to down, then the monitoring interface goes down.]
Physical Connection Monitoring
All physical interfaces on a NetScreen device monitor the state of their physical connection to other network devices. When an interface is connected to and has established a link with another network device, its state is physically up and all routes that use that interface are active.
You can see the state of an interface in the State column in the output of the get interface command and in the Link column on the Network > Interfaces page in the WebUI. It can be up or down.
You can see the state of a route in the status field of the get route id number command and on the Network > Routing > Routing Entries page in the WebUI. If there is an asterisk, the route is active. If there is no asterisk, it is inactive.
Tracking IP Addresses
The NetScreen device can track specified IP addresses through an interface so that when one or more of them become unreachable, the NetScreen device can deactivate all routes associated with that interface, even if the physical link is still active7. A deactivated route becomes active again after the NetScreen device regains contact with those IP addresses.
NetScreen uses layer 3 path monitoring, or IP tracking, similar to that used for NSRP, to monitor the reachability of specified IP addresses through an interface. For example, if an interface connects directly to a router, you can track the next-hop address on the interface to determine if the router is still reachable. When you configure IP tracking on an interface, the NetScreen device sends ping requests on the interface to up to four target IP addresses at user-defined intervals. The NetScreen device monitors these targets to see if it receives a response. If there is no response from a target for a specified number of times, that IP address is deemed to be unreachable. Failure to elicit a response from one or more targets can cause the NetScreen device to deactivate routes associated with that interface. If another route to the same destination is available, the NetScreen device then redirects traffic to use the new route.
7. For some ScreenOS appliances, this action also causes a failover to the backup interface that is bound to the same zone as the interface on which IP tracking is configured (see “Determining Interface Failover” on page 10-72).
Configuring IP Tracking
You can define IP tracking on the following interfaces for which you have configured a manage IP address:
• Physical interface bound to a security zone (not the HA or MGT function zones)
• Subinterface
• Redundant interface
• Aggregate interface
On devices that support virtual systems, the interface on which you set IP tracking can belong to the root system or to a virtual system (vsys). However, to set IP tracking on a shared interface, you can only set it at the root level8.
For each interface, you can configure up to four IP addresses for the NetScreen device to track. On a single device, you can configure up to 64 track IP addresses. That total includes all track IP addresses whether they are for interface-based IP tracking, for NSRP-based IP tracking, at the root level, or at the vsys level.
The tracked IP addresses do not have to be in the same subnetwork as the interface. For each IP address to be tracked, you can specify the following:
• Interval, in seconds, at which the pings are sent to the specified IP address.
• Number of consecutive unsuccessful ping attempts before the connection to the IP address is considered failed.
• Weight of the failed IP connection (once the sum of the weights of all failed IP connections crosses a specified threshold, routes that are associated with the interface are deactivated).
Note: The interface can operate at Layer 2 (Transparent mode) or Layer 3 (Route mode).
Note: Although the interface can be a redundant interface or an aggregate interface, it cannot be a member of a redundant or aggregate interface.
8. From a vsys, you can set interface monitoring to monitor a shared interface from an interface that belongs to the vsys. However, from within a vsys, you cannot set interface monitoring from a shared interface. For more information, see “Interface Monitoring” on page 87.
You can also configure the NetScreen device to track the default gateway for an interface that is a PPPoE or DHCP client. To do that, use the “Dynamic” option: (CLI) set interface interface monitor dynamic or (WebUI) Network > Interfaces > Edit (for the DHCP or PPPoE client interface) > Monitor > Track IP > Add: Select Dynamic.
There are two types of thresholds in configuring tracking IP addresses:
• Failure threshold for a specific tracked IP address — The number of consecutive failures to elicit a ping response from a specific IP address that constitutes a failure in reaching the IP address. Not exceeding the threshold indicates an acceptable level of connectivity with the address; exceeding the threshold indicates an unacceptable level. You set this threshold for each IP address at any value between 1 and 200. The default value is 3.
• Failure threshold for IP tracking on the interface — The total weight of the cumulative failed attempts to reach IP addresses on the interface that causes routes associated with the interface to be deactivated. You can set this threshold at any value between 1 and 255. The default value is 1, which means a failure to reach any configured tracked IP address causes routes associated with the interface to be deactivated.
By applying a weight, or a value, to a tracked IP address, you can adjust the importance of connectivity to that address in relation to reaching other tracked addresses. You can assign comparatively greater weights to relatively more important addresses, and less weight to relatively less important addresses. Note that the assigned weights only come into play when the failure threshold for a specific tracked IP address is reached. For example, if the failure threshold for IP tracking on an interface is 3, failure of a single tracked IP address with a weight of 3 meets the failure threshold for IP tracking on the interface, which causes routes associated with the interface to be deactivated. The failure of a single tracked IP address with a weight of 1 would not meet the failure threshold for IP tracking on the interface and routes associated with the interface would remain active.
Note: When you configure an IP address for the NetScreen device to track, the NetScreen device does not add a host route for that IP address to the routing table.
Example: Configuring Interface IP Tracking
In the following example, the interface ethernet1 is bound to the Trust zone and assigned the network address 10.1.1.1/24. The interfaces ethernet3 and ethernet4 are bound to the Untrust zone. The ethernet3 interface is assigned the network address 1.1.1.1/24 and is connected to the router at 1.1.1.250. The ethernet4 interface is assigned the network address 2.2.2.1/24 and is connected to the router at 2.2.2.250.
[Figure: Trust Zone 10.1.1.0/24 connected to ethernet1 (10.1.1.1/24). ethernet3 (1.1.1.1/24) connects to the router at 1.1.1.250 and ethernet4 (2.2.2.1/24) connects to the router at 2.2.2.250; both routers are in the Untrust Zone and lead to the Internet.]
There are two default routes configured: one uses ethernet3 as the outbound interface with the router address 1.1.1.250 as the gateway; the other uses ethernet4 as the outbound interface with the router address 2.2.2.250 as the gateway and is configured with a metric value of 10. The default route that uses ethernet3 is the preferred route since it has a lower metric (the default metric value for static routes is 1). The following output from the get route command shows four active routes for the trust-vr (active routes are denoted with an asterisk). The default route through ethernet3 is active, while the default route through ethernet4 is not active since it is less preferred.
ns-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2
trust-vr (4 entries)
--------------------------------------------------------------------------
   ID IP-Prefix          Interface  Gateway          P Pref Mtr Vsys
--------------------------------------------------------------------------
*   4 0.0.0.0/0          eth3       1.1.1.250        S   20   1 Root
*   2 1.1.1.0/24         eth3       0.0.0.0          C    0   0 Root
    3 0.0.0.0/0          eth4       2.2.2.250        S   20  10 Root
*   6 2.2.2.0/24         eth4       0.0.0.0          C    0   1 Root
*   5 10.1.1.0/24        eth1       0.0.0.0          C   20   1 Root
If the route through ethernet3 becomes unavailable, the default route through ethernet4 becomes active. You enable and configure IP tracking on the ethernet3 interface to monitor the router address 1.1.1.250. If IP tracking fails to reach 1.1.1.250, all routes associated with the ethernet3 interface become inactive on the NetScreen device. As a result, the default route through ethernet4 becomes active. When IP tracking is again able to reach 1.1.1.250, the default route through ethernet3 becomes active and, at the same time, the default route through ethernet4 becomes inactive, because it is less preferred than the default route through ethernet3.
The following enables IP tracking with an interface failure threshold of 5 and configures IP tracking on the ethernet3 interface to monitor the router IP address 1.1.1.250, which is assigned a weight of 10.
WebUI
Network > Interfaces > Edit (for ethernet3) > Monitor: Enter the following, and then click Apply:
Enable Track IP: (select)
Threshold: 5
> Monitor Track IP ADD: Enter the following, and then click Add:
Static: (select)
Track IP: 1.1.1.250
Weight: 10
CLI
set interface ethernet3 monitor track-ip ip 1.1.1.250 weight 10
set interface ethernet3 monitor track-ip threshold 5
set interface ethernet3 monitor track-ip
save
In the example, the failure threshold for the target address is set to the default value of 3. That is, if the target does not return a response to three consecutive pings, a weight of 10 is applied toward the failure threshold for IP tracking on the interface. Because the failure threshold for IP tracking on the interface is 5, a weight of 10 causes routes associated with the interface to be deactivated on the NetScreen device.
You can verify the status of the IP tracking on the interface by issuing the CLI command get interface ethernet3 track-ip, as shown in the following:
ns-> get interface ethernet3 track-ip
ip address    interval  threshold  weight  gateway   fail-count  success-rate
1.1.1.250     1         1          10      0.0.0.0   343         46%
threshold: 5, failed: 1 ip(s) failed, weighted sum = 10
The get route command shows that the default route through ethernet4 is now active, while all routes through ethernet3 are no longer active.
ns-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2
trust-vr (4 entries)
--------------------------------------------------------------------------
   ID IP-Prefix          Interface  Gateway          P Pref Mtr Vsys
--------------------------------------------------------------------------
    4 0.0.0.0/0          eth3       1.1.1.250        S   20   1 Root
    2 1.1.1.0/24         eth3       0.0.0.0          C    0   0 Root
*   3 0.0.0.0/0          eth4       2.2.2.250        S   20  10 Root
*   6 2.2.2.0/24         eth4       0.0.0.0          C    0   1 Root
*   5 10.1.1.0/24        eth1       0.0.0.0          C   20   1 Root
Note that even though the routes through ethernet3 are no longer active, IP tracking uses the routes associated with ethernet3 to continue sending ping requests to the target IP address. When IP tracking is again able to reach 1.1.1.250, the default route through ethernet3 again becomes active on the NetScreen device. At the same time, the default route through ethernet4 becomes inactive, since it is less preferred than the default route through ethernet3.
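The following Python parser is an added example, not ScreenOS code or anything from this manual: it reads the get route listing format shown above (the post-failover table, re-typed here as constructed sample input), marks each route active or inactive from the leading asterisk, and reports which default route currently carries traffic and which routes on an interface IP tracking has deactivated. The column order and the "(N entries)" virtual-router header are taken from the listings above; output captured from a real device over SSH can be fed to the same function.

```python
"""Parser for ScreenOS `get route` output (added example, not ScreenOS code).

Each route row becomes a dict; the leading asterisk marks the route active.
SAMPLE is the post-failover listing from this chapter, re-typed as constructed
input so the parser runs offline.
"""
import re

SAMPLE = """\
untrust-vr (0 entries)
--------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2
trust-vr (4 entries)
--------------------------------------------------------------------------
   ID IP-Prefix          Interface  Gateway          P Pref Mtr Vsys
--------------------------------------------------------------------------
    4 0.0.0.0/0          eth3       1.1.1.250        S   20   1 Root
    2 1.1.1.0/24         eth3       0.0.0.0          C    0   0 Root
*   3 0.0.0.0/0          eth4       2.2.2.250        S   20  10 Root
*   6 2.2.2.0/24         eth4       0.0.0.0          C    0   1 Root
*   5 10.1.1.0/24        eth1       0.0.0.0          C   20   1 Root
"""

# "trust-vr (4 entries)" opens the block of routes belonging to that virtual router.
VR_RE = re.compile(r"^(?P<vr>\S+) \(\d+ entries\)")
# One route row: optional '*' (active), ID, prefix, interface, gateway, protocol, pref, metric, vsys.
ROUTE_RE = re.compile(
    r"^(?P<active>\*?)\s*(?P<id>\d+)\s+(?P<prefix>\S+/\d+)\s+(?P<iface>\S+)\s+"
    r"(?P<gateway>\S+)\s+(?P<proto>\S+)\s+(?P<pref>\d+)\s+(?P<metric>\d+)\s+(?P<vsys>\S+)\s*$"
)


def parse_get_route(text):
    """Return a list of route dicts (vr, active, id, prefix, iface, gateway, proto, pref, metric, vsys)."""
    routes, vr = [], None
    for line in text.splitlines():
        m = VR_RE.match(line)
        if m:
            vr = m.group("vr")
            continue
        m = ROUTE_RE.match(line)
        if m:
            d = m.groupdict()
            routes.append({"vr": vr, "active": d["active"] == "*", "id": int(d["id"]),
                           "prefix": d["prefix"], "iface": d["iface"],
                           "gateway": d["gateway"], "proto": d["proto"],
                           "pref": int(d["pref"]), "metric": int(d["metric"]),
                           "vsys": d["vsys"]})
    return routes


def active_default_gateway(routes, vr="trust-vr"):
    """Gateway of the active default route with the lowest metric in vr, or None."""
    live = [r for r in routes if r["vr"] == vr and r["prefix"] == "0.0.0.0/0" and r["active"]]
    return min(live, key=lambda r: r["metric"])["gateway"] if live else None


def inactive_routes_on(routes, iface):
    """IDs of routes that reference iface but are not active (what IP tracking deactivated)."""
    return sorted(r["id"] for r in routes if r["iface"] == iface and not r["active"])


if __name__ == "__main__":
    rts = parse_get_route(SAMPLE)
    print("active default gateway:", active_default_gateway(rts))      # 2.2.2.250
    print("inactive routes on eth3:", inactive_routes_on(rts, "eth3"))  # [2, 4]
```

A monitoring job that polls get route this way can alert the moment the active default gateway moves from 1.1.1.250 to 2.2.2.250, which is the observable effect of the IP tracking failure described above.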
Interface Monitoring
A NetScreen device can monitor the physical and logical state of interfaces and then take action based on observed changes. For example, if the state of a monitored interface changes from up to down, the following can occur:
• If the physical state of an interface changes from up to down, the state change might trigger another interface monitoring the one that just went down to also go down. You can specify whether you want the second interface to be physically or logically down. The state change of either interface going physically down, or the combined weight of both going physically down together, might trigger an NSRP failover. An NSRP device or VSD group failover can only occur as a result of a change to the physical state of an interface.
• If the logical state of an interface changes from up to down as the result of an IP tracking failure, the state change might trigger another interface monitoring the one that just went down to also go down. Although the first interface is down logically, you can specify whether you want the down state of the second interface to be logical or physical.
[Figure: One Interface Monitoring Another Interface. Using IP tracking, ethernet3 (IP 1.1.1.1) monitors the router at 1.1.1.250; using interface monitoring, ethernet2 (IP 2.1.1.1) monitors ethernet3. State change for ethernet3: if the number of unsuccessful ping attempts to 1.1.1.250 exceeds the failure threshold for that tracked IP address, the track IP weight for 1.1.1.250 is greater than or equal to the track object failure threshold, the track object weight is greater than or equal to the monitor failure threshold, and the failure action is a change from up to down, then ethernet3 changes its state from up to down. State change for ethernet2: if the weight of the failure of ethernet3 is greater than or equal to the monitor failure threshold, and the failure action is a change from up to down, then ethernet2 changes its state from up to down.]
To set interface monitoring, do either of the following:
WebUI
Network > Interfaces > Edit (for the interface you want to do the monitoring) > Monitor > Edit Interface: Enter the following, and then click Apply:
Interface Name: Select the interface that you want to be monitored.
Weight: Enter a weight between 1 and 255.
CLI
set interface interface1 monitor interface interface2 [ weight number ]
If you do not set a weight, the NetScreen device applies the default value: 255.
If two interfaces monitor each other, they form a loop. In that case, if either interface changes state, the other interface in the loop also changes state.
Note: An interface can only be in one loop at a time. Juniper Networks does not support a configuration in which one interface belongs to multiple loops.
[Figure: Loop, Two Interfaces Monitoring Each Other. Using IP tracking, ethernet3 (IP 1.1.1.1) and ethernet2 (IP 2.1.1.1) both monitor routers; using interface monitoring, they also monitor each other. First state change: if the number of unsuccessful ping attempts to either router exceeds the failure threshold for that tracked IP address, the weight of the failed track IP is greater than or equal to the track object failure threshold, the track object weight is greater than or equal to the monitor failure threshold, and the failure action is a change from up to down, then that interface changes its state from up to down. Second state change: if the weight of the failure of the first interface is greater than or equal to the monitor failure threshold of the second interface, and the failure action is a change from up to down, then the second interface also changes its state from up to down.]
Example: Two Monitored Interfaces
In this example, you configure ethernet3 to monitor two interfaces—ethernet1 and ethernet2. Because the weight for each monitored interface (8 + 8) equals the monitor failure threshold (16), both ethernet1 and ethernet2 must fail (and change their state from up to down) concurrently to cause ethernet3 to fail (and change its state from up to down)9.
WebUI
Network > Interfaces > Edit (for ethernet3) > Monitor > Edit Interface: Enter the following, and then click Apply:
ethernet1: (select); Weight: 8
ethernet2: (select); Weight: 8
Network > Interfaces > Edit (for ethernet3) > Monitor: Enter 16 in the Monitor Threshold field, and then click Apply.
Note: This example omits the configuration of IP tracking on the ethernet1 and ethernet2 interfaces (see “Tracking IP Addresses” on page 80). Without IP tracking, the only way that ethernet1 and ethernet2 might fail is if they become physically disconnected from other network devices or if they cannot maintain links with those devices.
9. If you set the monitor failure threshold to 8—or leave it at 16 and set the weight of each monitored interface to 16—the failure of either ethernet1 or ethernet2 can cause ethernet3 to fail.
[Figure: NetScreen device interfaces ethernet1 through ethernet8. ethernet3 monitors ethernet1 (weight 8) and ethernet2 (weight 8) with a monitor failure threshold of 16. Because the failure threshold (F-T) equals the weights (W) of both monitored interfaces combined, both of the monitored interfaces must fail to cause ethernet3 to fail.]
Chapter 3 Interfaces Interface State Changes
90
CLI
set interface ethernet3 monitor interface ethernet1 weight 8
set interface ethernet3 monitor interface ethernet2 weight 8
set interface ethernet3 monitor threshold 16
save
Example: Interface Monitoring Loop
In this example, you first configure IP tracking for two interfaces—ethernet1 and ethernet3. Then you configure these interfaces to monitor each other so that if one changes its state, the other does likewise. Finally, you define two sets of routes. The first set forwards traffic through ethernet1 and ethernet3. The second set has the same destination addresses, but these routes have lower ranked metrics and use different egress interfaces (ethernet2 and ethernet4) and different gateways from the first set. With this configuration, if the first set of interfaces fails, the NetScreen device can reroute all traffic through the second set. All zones are in the trust-vr routing domain.
Figure: NetScreen device interfaces. ethernet1 (10.1.1.1/24, Trust Zone) and ethernet2 (10.1.2.1/24, Trust Zone) connect through the internal router (10.1.1.250, 10.1.2.250) to Trust zone hosts; ethernet3 (1.1.1.1/24, Untrust Zone) and ethernet4 (1.1.2.1/24, Untrust Zone) connect through the external router (1.1.1.250, 1.1.2.250) to the Internet.
ethernet1 and ethernet3 perform IP tracking. ethernet1 tracks the internal router at 10.1.1.250. ethernet3 tracks the external router at 1.1.1.250. Track IP Failure Threshold: 10; Track IP Weight: 8; Track Object Weight: 8; Monitor Failure Threshold: 8.
Monitoring Interface Loop: ethernet1 and ethernet3. Monitored Interface Weight: 8; Monitor Failure Threshold: 8. ethernet1 and ethernet3 monitor each other. Because the monitored interface weight = the monitor failure threshold, the failure of either interface causes the other to fail as well.
Routes:
set route 10.1.0.0/16 interface ethernet1 gateway 10.1.1.250 metric 10
set route 10.1.0.0/16 interface ethernet2 gateway 10.1.2.250 metric 12
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250 metric 10
set route 0.0.0.0/0 interface ethernet4 gateway 1.1.2.250 metric 12
If ethernet1 and ethernet3 become down, the routes referencing those interfaces become inactive. The NetScreen device then uses routes forwarding traffic through ethernet2 and ethernet4.
WebUI
1. IP Tracking
Network > Interfaces > Edit (for ethernet1) > Monitor: Enter the following, and then click Apply:
Enable Track IP: (select)
Monitor Threshold: 8
Track IP Option: Threshold: 8
Weight: 8
> Monitor Track IP ADD: Enter the following, and then click Add:
Static: (select)
Track IP: 10.1.1.250
Weight: 8
Interval: 3 Seconds
Threshold: 10
Network > Interfaces > Edit (for ethernet3) > Monitor: Enter the following, and then click Apply:
Enable Track IP: (select)
Monitor Threshold: 8
Track IP Option: Threshold: 8
Weight: 8
10. To control whether the state of an interface becomes logically or physically down (or up), you must use the CLI command set interface interface monitor threshold number action { down | up } { logically | physically }. Only physical interfaces bound to any security zone other than the Null zone can be physically up or down.
> Monitor Track IP ADD: Enter the following, and then click Add:
Static: (select)
Track IP: 1.1.1.250
Weight: 8
Interval: 3 Seconds
Threshold: 10
2. Interface Monitoring
Network > Interfaces > Edit (for ethernet1) > Monitor > Edit Interface: Enter the following, and then click Apply:
ethernet3: (select); Weight: 8
Network > Interfaces > Edit (for ethernet3) > Monitor > Edit Interface: Enter the following, and then click Apply:
ethernet1: (select); Weight: 8
3. Routes
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 10.1.0.0/16
Gateway: (select)
Interface: ethernet1
Gateway IP Address: 10.1.1.250
Metric: 10
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 10.1.0.0/16
Gateway: (select)
Interface: ethernet2
Gateway IP Address: 10.1.2.250
Metric: 12
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
Metric: 10
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet4
Gateway IP Address: 1.1.2.250
Metric: 12
CLI
1. IP Tracking
set interface ethernet1 track-ip ip 10.1.1.250 weight 8
set interface ethernet1 track-ip threshold 8
set interface ethernet1 track-ip weight 8
set interface ethernet1 track-ip
set interface ethernet3 track-ip ip 1.1.1.250 weight 8
set interface ethernet3 track-ip threshold 8
set interface ethernet3 track-ip weight 8
set interface ethernet3 track-ip
2. Interface Monitoring
set interface ethernet1 monitor interface ethernet3 weight 8
set interface ethernet1 monitor threshold 8 action down physically
set interface ethernet3 monitor interface ethernet1 weight 8
set interface ethernet3 monitor threshold 8 action down physically
3. Routes
set vrouter trust-vr route 10.1.0.0/16 interface ethernet1 gateway 10.1.1.250 metric 10
set vrouter trust-vr route 10.1.0.0/16 interface ethernet2 gateway 10.1.2.250 metric 12
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250 metric 10
set vrouter trust-vr route 0.0.0.0/0 interface ethernet4 gateway 1.1.2.250 metric 12
save
Security Zone Monitoring
In addition to monitoring individual interfaces, an interface can monitor all the interfaces in a security zone—any security zone other than its own. For an entire security zone to fail, every interface bound to that zone must fail. As long as one interface bound to a monitored zone is up, the NetScreen device considers the entire zone to be up.
To configure an interface to monitor a security zone, do either of the following:
WebUI
Network > Interfaces > Edit (for the interface you want to do the monitoring) > Monitor > Edit Zone: Enter the following, and then click Apply:
Zone Name: Select the zone that you want to be monitored.
Weight: Enter a weight between 1 and 255.
CLI
set interface interface monitor zone zone [ weight number ]
If you do not set a weight, the NetScreen device applies the default value: 255.
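The rules this section and the two preceding examples describe (tracked IPs rolling up into a track object, monitored-interface and monitored-zone weights compared with the monitor failure threshold, and loops of interfaces that monitor each other) can be checked against a small model. The following Python is an added example written for this page, not ScreenOS code; it treats a monitor threshold of 0 as "no monitor configured" and models only the default failure action (up to down), both of which are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class TrackIP:
    """One tracked address: set interface <if> track-ip ip <ip> weight <w>."""
    ip: str
    weight: int
    threshold: int           # failure threshold for this tracked IP (ping attempts)
    failed_pings: int = 0    # unsuccessful ping attempts observed so far

    def failed(self) -> bool:
        # The chapter words the rule as "exceeds the failure threshold".
        return self.failed_pings > self.threshold


@dataclass
class Interface:
    name: str
    zone: str
    track_ips: List[TrackIP] = field(default_factory=list)
    track_threshold: int = 0      # track-ip threshold: track object failure threshold
    track_weight: int = 0         # track-ip weight: what a failed track object contributes
    monitored_ifaces: Dict[str, int] = field(default_factory=dict)  # interface -> weight
    monitored_zones: Dict[str, int] = field(default_factory=dict)   # zone -> weight
    monitor_threshold: int = 0    # monitor threshold; 0 = no monitor configured (assumption)

    def track_object_failed(self) -> bool:
        if not self.track_ips:
            return False
        failed_weight = sum(t.weight for t in self.track_ips if t.failed())
        return failed_weight >= self.track_threshold


def zone_down(zone: str, network: Dict[str, Interface], down: Set[str]) -> bool:
    """A monitored zone fails only when every interface bound to it is down."""
    members = [i.name for i in network.values() if i.zone == zone]
    return bool(members) and all(m in down for m in members)


def evaluate(network: Dict[str, Interface], physically_down: Set[str]) -> Set[str]:
    """Return the set of down interfaces once every monitoring relationship has
    settled. A loop (two interfaces monitoring each other) converges because the
    network is re-evaluated until no further interface changes state."""
    down = set(physically_down)
    while True:
        new_down = set(down)
        for iface in network.values():
            if iface.name in down or iface.monitor_threshold == 0:
                continue
            weight = iface.track_weight if iface.track_object_failed() else 0
            weight += sum(w for n, w in iface.monitored_ifaces.items() if n in down)
            weight += sum(w for z, w in iface.monitored_zones.items()
                          if zone_down(z, network, down))
            if weight >= iface.monitor_threshold:
                new_down.add(iface.name)
        if new_down == down:
            return down
        down = new_down


def two_monitored_interfaces(failed: Set[str], threshold: int = 16,
                             weight: int = 8) -> Set[str]:
    """Example "Two Monitored Interfaces": ethernet3 monitors ethernet1 and ethernet2."""
    net = {
        "ethernet1": Interface("ethernet1", "Trust"),
        "ethernet2": Interface("ethernet2", "Trust"),
        "ethernet3": Interface("ethernet3", "Untrust",
                               monitored_ifaces={"ethernet1": weight, "ethernet2": weight},
                               monitor_threshold=threshold),
    }
    return evaluate(net, failed)


def monitoring_loop(failed_pings_to_internal_router: int) -> Set[str]:
    """Example "Interface Monitoring Loop": ethernet1 tracks 10.1.1.250, ethernet3
    tracks 1.1.1.250, and the two monitor each other (weight 8, threshold 8)."""
    def tracked(name, zone, router, other, failed_pings=0):
        return Interface(name, zone,
                         track_ips=[TrackIP(router, 8, 10, failed_pings)],
                         track_threshold=8, track_weight=8,
                         monitored_ifaces={other: 8}, monitor_threshold=8)
    net = {
        "ethernet1": tracked("ethernet1", "Trust", "10.1.1.250", "ethernet3",
                             failed_pings_to_internal_router),
        "ethernet3": tracked("ethernet3", "Untrust", "1.1.1.250", "ethernet1"),
    }
    return evaluate(net, set())


def zone_monitoring(failed: Set[str]) -> Set[str]:
    """Security zone monitoring: ethernet3 monitors the Trust zone with the default
    zone weight 255; the monitor threshold of 255 is an assumption for the example."""
    net = {
        "ethernet1": Interface("ethernet1", "Trust"),
        "ethernet2": Interface("ethernet2", "Trust"),
        "ethernet3": Interface("ethernet3", "Untrust",
                               monitored_zones={"Trust": 255}, monitor_threshold=255),
    }
    return evaluate(net, failed)
```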
Down Interfaces and Traffic Flow
Configuring IP tracking on an interface allows the NetScreen to reroute outgoing traffic through a different interface if certain IP addresses become unreachable through the first interface. However, while the NetScreen device might deactivate routes associated with an interface because of an IP tracking failure, the interface can remain physically active and still send and receive traffic. For example, the NetScreen device continues to process incoming traffic for an existing session that might arrive on the original interface on which IP tracking failed. Also, the NetScreen device continues to use the interface to send ping requests to target IP addresses to determine if the targets again become reachable. In these situations, traffic still passes through an interface on which IP tracking has failed and for which the NetScreen device has deactivated routes. How the NetScreen device handles session traffic on such an interface depends upon the following:
• If the interface on which you configure IP tracking functions as an egress interface for a session, session replies might continue to arrive at the interface and the NetScreen device still processes them.
• If the interface on which you configure IP tracking functions as an ingress interface for a session, applying the set arp always-on-dest command causes the NetScreen device to reroute session replies to another interface. If you do not set this command, the NetScreen device forwards session replies through the interface on which IP tracking failed even though the NetScreen device has deactivated routes using that interface. (By default, this command is unset.)
By default, a NetScreen device caches a session initiator’s MAC address when it receives the initial packet for a new session. If you enter the CLI command set arp always-on-dest, the NetScreen device does not cache a session initiator’s MAC address. Instead, the NetScreen device performs an ARP lookup when processing the reply to that initial packet. If the initiator’s MAC address is in the ARP table, the NetScreen device uses that. If the MAC address is not in the ARP table, the NetScreen device sends an ARP request for the destination MAC address and then adds the MAC address it receives to its ARP table. The NetScreen device performs another ARP lookup whenever a route change occurs.
The following section describes separate scenarios in which IP tracking fails on the egress interface and on the ingress interface; and, in the case of the latter, what occurs when you use the command set arp always-on-dest.
Note: The following section describes how IP tracking triggers routing changes and how those changes can affect the packet flow through all NetScreen devices other than the NetScreen-5XT and -5GT. For these devices, an IP tracking failure triggers an interface failover. For more information, see “Dual Untrust Interfaces” on page 10-69.
Failure on the Egress Interface
In the following scenario, you configure IP tracking on ethernet2, which is the egress interface for sessions from host A to host B. Host A initiates the session by sending a packet to host B, as shown below.
Note: You must first create two routes to host B and both the egress interfaces must be in the same zone so that the same policy applies to traffic before and after the rerouting occurs.
Figure: Traffic Flow from Host A to Host B – Request (Session Initiation). Host A (10.1.1.5, Initiator) in the Trust Zone (10.1.1.0/24); Ingress Interface ethernet1 (10.1.1.1/24); First Egress Interface ethernet2 (1.1.1.1/24); Second Egress Interface ethernet3 (1.1.2.1/24); Gateways 1.1.1.254 and 1.1.2.254; Host B (2.2.2.2, Responder) in the Untrust Zone. IP tracking is enabled from ethernet2.
1. Host A at 10.1.1.5 sends a packet destined for Host B at 2.2.2.2 to ethernet1 (10.1.1.1).
2. The NetScreen device performs the following tasks:
2.1 Session Lookup – If this is the first packet, the NetScreen device creates a session. If it belongs to an existing session, it refreshes the session table entry.
2.2 Route Lookup – The NetScreen device does a route lookup for the first packet in a session, and again if the route changes. The route lookup results in the following route: To reach 0.0.0.0/0, send the packet out interface ethernet2 to gateway 1.1.1.254.
2.3 Policy Lookup – The NetScreen device enforces security policies on interzone traffic from Host A in the Trust zone to Host B in the Untrust zone for the type of traffic Host A is sending.
3. The NetScreen device forwards the packet through ethernet2 to the gateway at 1.1.1.254.
4. The gateway at 1.1.1.254 forwards the packet to its next hop. Routing continues until Host B receives it.
When host B replies to host A, the return traffic follows a similar path back through the NetScreen device, as shown below.
Figure: Traffic Flow from Host A to Host B – Reply. Same topology as the previous figure. IP tracking from ethernet2 succeeds.
1. Host B at 2.2.2.2 replies with a packet destined for Host A at 10.1.1.5 (omitting NAT for purposes of clarity).
2. When the gateway at 1.1.1.254 receives the reply, it forwards it to its next hop, which is 1.1.1.1, the IP address of ethernet2.
3. The NetScreen device performs a session lookup. Because this is a reply, the NetScreen device matches it with an existing session and refreshes the session table entry.
4. By using the cached MAC address for host A or by doing an ARP lookup to discover its MAC address, the NetScreen device forwards the packet through ethernet1 to host A.
If IP tracking on ethernet2 fails, the NetScreen device deactivates routes that use ethernet2 and uses ethernet3 for outbound traffic to host B. However, replies from host B to host A can arrive through either ethernet2 or ethernet3 and the NetScreen device forwards them through ethernet1 to host A.
Figure: Traffic Flow from Host A to Host B – IP Tracking Failure Triggers Rerouting. Same topology as the previous figure. IP tracking from ethernet2 fails.
1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:
1.1 Route Change – The NetScreen device deactivates all routes using ethernet2. It does a route lookup and replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.
1.2 Session Update – The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254.
2. The NetScreen device now redirects traffic from host A out ethernet3 to 1.1.2.254.
3. The replies from host B might arrive at ethernet2 or ethernet3. The NetScreen device performs a session lookup and matches the packets with an existing session. Whichever interface they arrive at, the NetScreen device forwards the packets through ethernet1 to host A.
4. The NetScreen device forwards the packet through ethernet1 to host A.
Note: Outgoing traffic uses ethernet3 only, but incoming traffic can use either ethernet2 or ethernet3.
Failure on the Ingress Interface
In the following scenario, you again configure IP tracking on ethernet2, but this time ethernet2 is the ingress interface on the NetScreen device for sessions from host B to host A. Host B initiates the session by sending a packet to host A, as shown below.
Figure: Traffic Flow from Host B to Host A – Request (Session Initiation). Host B (2.2.2.2, Initiator) in the Untrust Zone; Gateways 1.1.1.254 and 1.1.2.254; First Egress Interface ethernet2 (1.1.1.1/24); Second Egress Interface ethernet3 (1.1.2.1/24); Ingress Interface ethernet1 (10.1.1.1/24); Host A (10.1.1.5, Responder) in the Trust Zone (10.1.1.0/24). IP tracking is enabled from ethernet2.
1. Host B at 2.2.2.2 sends a packet destined for Host A at 10.1.1.5 (omitting NAT for purposes of clarity).
2. When the packet reaches ethernet2, the NetScreen device performs the following tasks:
2.1 Session lookup (and because this is the first packet in a session, creates a new session table entry)
2.2 Route lookup
2.3 Policy lookup
3. The NetScreen device forwards the packet through ethernet1 to host A at 10.1.1.5.
When host A replies to host B, the return traffic follows a similar path back through the NetScreen device, as shown below.
Figure: Traffic Flow from Host B to Host A – Reply. Same topology as the previous figure. IP tracking from ethernet2 succeeds.
1. Host A at 10.1.1.5 sends a reply packet destined for Host B (2.2.2.2) to ethernet1 at 10.1.1.1.
2. The NetScreen device performs a session lookup. Because this is a reply, the NetScreen device matches it with an existing session and refreshes the session table entry.
3. By using the cached MAC address for the gateway at 1.1.1.254 or by doing an ARP lookup to discover its MAC address, the NetScreen device forwards the packet through ethernet2 to the gateway.
4. When the gateway at 1.1.1.254 receives the reply, it forwards it to its next hop. Routing continues until Host B receives it.
If IP tracking on ethernet2 fails, the NetScreen device deactivates routes that use ethernet2 and uses ethernet3 for outbound traffic to host B. However, requests from host B to host A can still arrive through ethernet2 and the NetScreen device still forwards them to host A through ethernet1. The data flow for requests from host B to host A looks the same after an IP tracking failure as it did before. However, the replies from host A can take one of two different paths, depending on the application of the set arp always-on-dest command.
If you set the command set arp always-on-dest, the NetScreen device sends an ARP request for the destination MAC address when processing the reply to the first packet in a session or when a route change occurs. (When this command is unset, the NetScreen device caches the session initiator’s MAC address and uses that when processing replies. By default, this command is unset.)
When IP tracking on ethernet2 fails, the NetScreen device first deactivates all routes using ethernet2 and then does a route lookup. It finds another route to reach host B through ethernet3 and the gateway at 1.1.2.254. It then scans its session table and redirects all sessions to the new route. If you have the set arp always-on-dest command enabled, the NetScreen device does an ARP lookup when it receives the next packet from host A because it is in a session affected by the route change. Despite the ingress interface on which packets from host B arrive, the NetScreen device sends all further replies from host A through ethernet3 to the gateway at 1.1.2.254.
Figure: Traffic Flow from Host B to Host A – IP Tracking Failure Triggers Rerouting. Same topology as the previous figure. IP tracking from ethernet2 fails.
1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:
1.1 Route Change – The NetScreen device deactivates all routes using ethernet2. It replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.
1.2 Session Update – The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254.
2. The requests from host B might still arrive at ethernet2, or the routing fabric might redirect them to ethernet3. The NetScreen device performs a session lookup and matches the packet with an existing session.
3. Because you entered the set arp always-on-dest command, the NetScreen device does an ARP lookup for host A’s reply and sends it through ethernet3 to the gateway at 1.1.2.254.
If you have set the command unset arp always-on-dest (which is the default configuration), the NetScreen device uses the MAC address for the gateway at 1.1.1.1 that it cached when host B sent the initial session packet. The NetScreen device continues to send session replies through ethernet2. In this case, the IP tracking failure caused no change in the flow of data through the NetScreen device.
Figure: Traffic Flow from Host B to Host A – IP Tracking Failure Triggers No Rerouting. Same topology as the previous figure. IP tracking from ethernet2 fails.
1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:
1.1 Route Change – The NetScreen device deactivates all routes using ethernet2. It replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.
1.2 Session Update – The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254. However, because the NetScreen device cached the MAC address for the gateway at 1.1.1.254, it continues to use that MAC address for the replies from host A.
2. The requests from host B might still arrive at ethernet2. The NetScreen device performs a session lookup, matches the packet with an existing session, and forwards it through ethernet1 to host A at 10.1.1.5.
3. When host A replies, the NetScreen device forwards the reply out ethernet2 to the gateway at 1.1.1.254. Because the set arp always-on-dest command is not set, the MAC address remains unchanged in the session table from the initial creation of its entry.
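The three scenarios above (IP tracking failure on the egress interface, and on the ingress interface with and without set arp always-on-dest) are reproduced below in a small Python model of the route table, the session table and the next-hop MAC cached from a session's initial packet. It is an added example written for this page, not ScreenOS code; the MAC addresses, the connected route for 10.1.1.0/24 and the per-packet evaluation of the ARP setting are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: str
    iface: str
    gateway: Optional[str]    # None: directly connected, ARP for the destination itself
    metric: int
    active: bool = True


@dataclass
class Session:
    initiator: str
    responder: str
    ingress: str                      # interface the initial packet arrived on
    egress: str                       # interface currently used toward the responder
    cached_next_hop: Tuple[str, str]  # (interface, MAC) toward the initiator, from the initial packet


class Device:
    def __init__(self, routes: List[Route], arp_table: Dict[str, str],
                 arp_always_on_dest: bool = False):
        self.routes = routes
        self.arp_table = arp_table            # IP -> MAC; constructed sample entries
        self.arp_always_on_dest = arp_always_on_dest
        self.sessions: List[Session] = []

    def route_lookup(self, dst: str) -> Route:
        addr = ipaddress.ip_address(dst)
        active = [r for r in self.routes
                  if r.active and addr in ipaddress.ip_network(r.prefix)]
        # Longest prefix wins; among equal prefixes the lower metric wins (10 over 12).
        return max(active, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))

    def next_hop(self, dst: str) -> Tuple[str, str]:
        """Route lookup followed by an ARP lookup: (egress interface, next-hop MAC)."""
        route = self.route_lookup(dst)
        return route.iface, self.arp_table[route.gateway or dst]

    def new_session(self, src: str, dst: str, ingress: str) -> Session:
        # First packet: the session lookup finds nothing, so create the entry. The MAC
        # used to reach the initiator is cached now (the default, always-on-dest unset).
        egress, _ = self.next_hop(dst)
        session = Session(src, dst, ingress, egress, self.next_hop(src))
        self.sessions.append(session)
        return session

    def ip_tracking_failure(self, iface: str) -> None:
        # 1.1 Route Change: deactivate every route that uses the failed interface.
        for route in self.routes:
            if route.iface == iface:
                route.active = False
        # 1.2 Session Update: sessions that egress through it get the new route.
        for session in self.sessions:
            if session.egress == iface:
                session.egress, _ = self.next_hop(session.responder)

    def forward_request(self, session: Session) -> Tuple[str, str]:
        """Initiator-to-responder packets always follow the active routing table."""
        return self.next_hop(session.responder)

    def forward_reply(self, session: Session) -> Tuple[str, str]:
        """Responder-to-initiator packets: with set arp always-on-dest the device does a
        fresh route and ARP lookup; otherwise it keeps the cached interface and MAC."""
        if self.arp_always_on_dest:
            return self.next_hop(session.initiator)
        return session.cached_next_hop


def build_device(arp_always_on_dest: bool = False) -> Device:
    routes = [
        Route("10.1.1.0/24", "ethernet1", None, 0),
        Route("0.0.0.0/0", "ethernet2", "1.1.1.254", 10),
        Route("0.0.0.0/0", "ethernet3", "1.1.2.254", 12),
    ]
    arp_table = {                      # constructed MAC addresses
        "10.1.1.5": "00:10:00:00:00:05",
        "1.1.1.254": "00:11:00:00:01:fe",
        "1.1.2.254": "00:11:00:00:02:fe",
    }
    return Device(routes, arp_table, arp_always_on_dest)


def egress_failure() -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Failure on the egress interface: (request egress, reply egress) before and after."""
    dev = build_device()
    s = dev.new_session("10.1.1.5", "2.2.2.2", ingress="ethernet1")
    before = (dev.forward_request(s)[0], dev.forward_reply(s)[0])
    dev.ip_tracking_failure("ethernet2")
    after = (dev.forward_request(s)[0], dev.forward_reply(s)[0])
    return before, after


def ingress_failure(arp_always_on_dest: bool) -> Tuple[str, Tuple[str, str]]:
    """Failure on the ingress interface: request egress and the (interface, MAC) used for
    host A's replies after the failure."""
    dev = build_device(arp_always_on_dest)
    s = dev.new_session("2.2.2.2", "10.1.1.5", ingress="ethernet2")
    dev.ip_tracking_failure("ethernet2")
    return dev.forward_request(s)[0], dev.forward_reply(s)
```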
Chapter 4
Interface Modes
Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent. If an interface bound to a Layer 3 zone has an IP address, you can define the operational mode for that interface as either NAT1 or Route. An interface bound to a Layer 2 zone (such as the predefined v1-trust, v1-untrust, and v1-dmz zones, or a user-defined Layer 2 zone) must be in Transparent mode. You select an operational mode when you configure an interface.
This chapter contains the following sections:
• “Transparent Mode” on page 104
– “Zone Settings” on page 105
– “Traffic Forwarding” on page 106
– “Unknown Unicast Options” on page 107
• “NAT Mode” on page 122
– “Inbound and Outbound NAT Traffic” on page 124
– “Interface Settings” on page 125
• “Route Mode” on page 130
– “Interface Settings” on page 131
1. Although you can define the operational mode for an interface bound to any Layer 3 zone as NAT, the NetScreen device only performs NAT on traffic passing through that interface en route to the Untrust zone. NetScreen does not perform NAT on traffic destined for any zone other than the Untrust zone. Also, note that NetScreen allows you to set an Untrust zone interface in NAT mode, but doing so activates no NAT operations.
Chapter 4 Interface Modes Transparent Mode
104
TRANSPARENT MODE
When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a Layer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or “transparent,” to users.
Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:
• No need to reconfigure the IP settings of routers or protected servers
• No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers
Figure: Transparent mode topology, labelled External Router, To Internet, Public Address Space, Switch, Untrust Zone, Trust Zone, with addresses 209.122.30.1 through 209.122.30.5.
Zone Settings
By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ.
VLAN Zone
The VLAN zone hosts the VLAN1 interface, which has the same configuration and management abilities as a physical interface. When the NetScreen device is in Transparent mode, you use the VLAN1 interface for managing the device and terminating VPN traffic. You can configure the VLAN1 interface to permit hosts in the L2 security zones to manage the device. To do that, you must set the VLAN1 interface IP address in the same subnet as the hosts in the L2 security zones.
For management traffic, the VLAN1 Manage IP takes precedence over the VLAN1 interface IP. You can set the VLAN1 Manage IP for management traffic and dedicate the VLAN1 interface IP solely for VPN tunnel termination.
Predefined Layer 2 Zones
ScreenOS provides three L2 security zones by default: V1-Trust, V1-Untrust, and V1-DMZ. These three zones share the same L2 domain. When you configure an interface in one of the zones, it gets added to the L2 domain shared by all interfaces in all the L2 zones. All hosts in the L2 zones must be on the same subnet to communicate.
As stated in the previous section, when the device is in transparent mode, you use the VLAN1 interface to manage the device. For management traffic to reach the VLAN1 interface, you must enable the management options on the VLAN1 interface and on the zone(s) through which the management traffic passes. By default, all management options are enabled in the V1-Trust zone. To enable hosts in other zones to manage the device, you must set those options on the zones to which they belong.
Note: To see which physical interfaces are prebound to the L2 zones for each NetScreen platform, refer to the installer’s guide for that platform.
Traffic Forwarding
A NetScreen device operating at Layer 2 (L2) does not permit any inter-zone or intra-zone traffic unless there is a policy configured on the device. For more information on how to set policies, see “Policies” on page 297. After you configure a policy on the NetScreen device, it does the following:
• Allows or denies the traffic specified in the policy
• Allows ARP and L2 non-IP multicast and broadcast traffic. The NetScreen device can then receive and pass L2 broadcast traffic for the spanning tree protocol.
• Continues to block all non-IP and non-ARP unicast traffic, and IPSec traffic
You can change the forwarding behavior of the device as follows:
• To block all L2 non-IP and non-ARP traffic, including multicast and broadcast traffic, enter the unset interface vlan1 bypass-non-ip-all command.
• To allow all L2 non-IP traffic to pass through the device, enter the set interface vlan1 bypass-non-ip command.
• To revert to the default behavior of the device, which is to block all non-IP and non-ARP unicast traffic, enter the unset interface vlan1 bypass-non-ip command.
– Note that the unset interface vlan1 bypass-non-ip-all command always overwrites the unset interface vlan1 bypass-non-ip command when both commands are in the configuration file. Therefore, if you had previously entered the unset interface vlan1 bypass-non-ip-all command, and you now want the device to revert to its default behavior of blocking only the non-IP and non-ARP unicast traffic, you should first enter the set interface vlan1 bypass-non-ip command to allow all non-IP traffic to pass through the device. Then you must enter the unset interface vlan1 bypass-non-ip command to block only the non-IP, non-ARP unicast traffic.
• To allow a NetScreen device to pass IPSec traffic without attempting to terminate it, use the set interface vlan1 bypass-others-ipsec command. The NetScreen device then allows the IPSec traffic to pass through to other VPN termination points.
Note: A NetScreen device with interfaces in Transparent mode requires routes for two purposes: to direct self-initiated traffic, such as SNMP traps, and to forward VPN traffic after encapsulating or decapsulating it.
Unknown Unicast Options
When a host or any kind of network device does not know the MAC address associated with the IP address of another device, it uses the Address Resolution Protocol (ARP) to obtain it. The requestor broadcasts an ARP query (arp-q) to all the other devices on the same subnet. The arp-q requests the device at the specified destination IP address to send back an ARP reply (arp-r), which provides the requestor with the MAC address of the replier. When all the other devices on the subnet receive the arp-q, they check the destination IP address and, because it is not their IP address, drop the packet. Only the device with the specified IP address returns an arp-r. After a device matches an IP address with a MAC address, it stores the information in its ARP cache.
As ARP traffic passes through a NetScreen device in Transparent mode, the device notes the source MAC address in each packet and learns which interface leads to that MAC address. In fact, the NetScreen device learns which interface leads to which MAC address by noting the source MAC addresses in all packets it receives. It then stores this information in its forwarding table.
Note: A NetScreen device in Transparent mode does not permit any traffic between zones unless there is a policy configured on the device. For more information on how the device forwards traffic when it is in Transparent mode, see “Traffic Forwarding” on page 106.
The situation can arise when a device sends a unicast packet with a destination MAC address, which it has in its ARP cache, but which the NetScreen device does not have in its forwarding table. For example, the NetScreen device clears its forwarding table every time it reboots. (You can also clear the forwarding table with the CLI command clear arp.) When a NetScreen device in Transparent mode receives a unicast packet for which it has no entry in its forwarding table, it can follow one of two courses:
• After doing a policy lookup to determine the zones to which traffic from the source address is permitted, flood the initial packet out the interfaces bound to those zones, and then continue using whichever interface receives a reply. This is the Flood option, which is enabled by default.
• Drop the initial packet, flood ARP queries (and, optionally, trace-route packets, which are ICMP echo requests with the time-to-live value set to 1) out all interfaces (except the interface at which the packet arrived), and then send subsequent packets through whichever interface receives an ARP (or trace-route) reply from the router or host whose MAC address matches the destination MAC address in the initial packet. The trace-route option allows the NetScreen device to discover the destination MAC address when the destination IP address is in a nonadjacent subnet.
Flood Method
The flood method forwards packets in the same manner as most Layer 2 switches. A switch maintains a forwarding table that contains MAC addresses and associated ports for each Layer 2 domain. The table also contains the corresponding interface through which the switch can forward traffic to each device. Every time a packet arrives with a new source MAC address in its frame header, the switch adds the MAC address to its forwarding table. It also tracks the interface at which the packet arrived. If the destination MAC address is unknown to the switch, the switch duplicates the packet and floods it out all interfaces (other than the interface at which the packet arrived). It learns the previously unknown MAC address and its corresponding interface when a reply with that MAC address arrives at one of its interfaces.
When you enable the flood method and the NetScreen device receives an ethernet frame with a destination MAC address that is not listed in the NetScreen device MAC table, it floods the packet out all interfaces.
Note: Of the two methods—flood and ARP/trace-route—ARP/trace-route is more secure because the NetScreen device floods ARP queries and trace-route packets—not the initial packet—out all interfaces.
To enable the flood method for handling unknown unicast packets, do either of the following:

WebUI
Network > Interface > Edit (for VLAN1): For the broadcast options, select Flood, and then click OK.

CLI
set interface vlan1 broadcast flood
save

[Figure: Flood Method. A NetScreen device in Transparent mode with interfaces ethernet1 (V1-Trust zone), ethernet2, ethernet3, and ethernet4, each with IP 0.0.0.0/0 and bound to the V1-Trust, L2-Finance, V1-DMZ, and V1-Untrust zones, with a router in each of the other zones and a common address space. The figure annotations read:]
Packet arrives at ethernet1.
NetScreen floods the packet out ethernet2, but receives no reply.
NetScreen floods the packet out ethernet4, but receives no reply.
NetScreen floods the packet out ethernet3. When it receives a reply, it does the following:
• Learns which interface leads to the specified MAC address
• Stores the MAC/interface tuple in its forwarding table
• Continues to use ethernet3 for the remainder of the session
ARP/Trace-Route Method
When you enable the ARP method with the trace-route option[2] and the NetScreen device receives an ethernet frame with a destination MAC address that is not listed in its MAC table, the NetScreen device performs the following series of actions:

1. The NetScreen device notes the destination MAC address in the initial packet (and, if it is not already there, adds the source MAC address and its corresponding interface to its forwarding table).

2. The NetScreen device drops the initial packet.

3. The NetScreen device generates two packets—ARP query (arp-q) and a trace-route (an ICMP echo request, or PING) with a time-to-live (TTL) field of 1—and floods those packets out all interfaces except the interface at which the initial packet arrived. For the arp-q packets and ICMP echo requests, the NetScreen device uses the source and destination IP addresses from the initial packet. For arp-q packets, the NetScreen device replaces the source MAC address from the initial packet with the MAC address for VLAN1, and it replaces the destination MAC address from the initial packet with ffff.ffff.ffff. For the trace-route option, the NetScreen device uses the source and destination MAC addresses from the initial packet in the ICMP echo requests that it broadcasts.

   If the destination IP address belongs to a device in the same subnet as the ingress IP address[3], the host returns an ARP reply (arp-r) with its MAC address, thus indicating the interface through which the NetScreen device must forward traffic destined for that address. (See “ARP Method” on page 112.)

   If the destination IP address belongs to a device in a subnet beyond that of the ingress IP address, the trace-route returns the IP and MAC addresses of the router leading to the destination[4], and more significantly, indicates the interface through which the NetScreen device must forward traffic destined for that MAC address. (See “Trace-Route” on page 113.)

4. Combining the destination MAC address gleaned from the initial packet with the interface leading to that MAC address, the NetScreen device adds a new entry to its forwarding table.

5. The NetScreen device forwards all subsequent packets it receives out the correct interface to the destination.

To enable the ARP/trace-route method for handling unknown unicast packets, do either of the following:

WebUI
Network > Interface > Edit (for VLAN1): For the broadcast options, select ARP, and then click OK.

CLI
set interface vlan1 broadcast arp
save

Note: The trace-route option is enabled by default. If you want to use ARP without the trace-route option, enter the following command: unset interface vlan1 broadcast arp trace-route. This command unsets the trace-route option but does not unset ARP as the method for handling unknown unicast packets.

2. When you enable the ARP method, the trace-route option is enabled by default. You can also enable the ARP method without the trace-route option. However, this method only allows the NetScreen device to discover the destination MAC address for a unicast packet if the destination IP address is in the same subnet as the ingress IP address. (For more information about the ingress IP address, see the next footnote.)

3. The ingress IP address refers to the IP address of the last device to send the packet to the NetScreen device. This device might be the source that sent the packet or a router forwarding the packet.

4. Actually, the trace-route returns the IP and MAC addresses of all the routers in the subnet. The NetScreen device then matches the destination MAC address from the initial packet with the source MAC address on the arp-r packets to determine which router to target, and consequently, which interface to use to reach that target.
The following illustration shows how the ARP method can locate the destination MAC when the destination IP address is in an adjacent subnet.

[Figure: ARP Method. The NetScreen device has VLAN1 at 210.1.1.1/24 (MAC 0010.db15.39ce) and interfaces ethernet1 (V1-Trust zone), ethernet2, ethernet3, and ethernet4, each 0.0.0.0/0 with MAC 0010.db15.39ce and bound to the other zones (L2-Finance, V1-DMZ, V1-Untrust). Devices in the common address space: PC A 210.1.1.5 (00aa.11aa.11aa), PC B 210.1.1.75 (00bb.11bb.11bb), Router A 210.1.1.100 (00cc.11cc.11cc), Router B 210.1.1.200 (00dd.11dd.11dd).]

Note: Only the relevant elements of the packet header and the last four digits in the MAC addresses are shown below.

If the following packet arrives at ethernet1 and the forwarding table does not have an entry for MAC address 00bb.11bb.11bb:

    Ethernet Frame              IP Datagram
    dst    src    type          src          dst
    11bb   11aa   0800          210.1.1.5    210.1.1.75

the NetScreen device floods the following arp-q packet out eth2, eth3, and eth4:

    Ethernet Frame              ARP Message
    dst    src    type          src          dst
    ffff   39ce   0806          210.1.1.5    210.1.1.75

When the NetScreen device receives the following arp-r at eth2:

    Ethernet Frame              ARP Message
    dst    src    type          src          dst
    39ce   11bb   0806          210.1.1.75   210.1.1.5

it can now associate the MAC address with the interface leading to it.
The following illustration shows how the trace-route option can locate the destination MAC when the destination IP address is in a nonadjacent subnet.

[Figure: Trace-Route. The NetScreen device has VLAN1 at 210.1.1.1/24 (MAC 0010.db15.39ce) and interfaces ethernet1 (V1-Trust zone), ethernet2, ethernet3, and ethernet4, each 0.0.0.0/0 with MAC 0010.db15.39ce and bound to the other zones (L2-Finance, V1-DMZ, V1-Untrust). Devices: PC A 210.1.1.5 (00aa.11aa.11aa), PC B 210.1.1.75 (00bb.11bb.11bb), Router A 210.1.1.100 (00cc.11cc.11cc), Router B 210.1.1.200 (00dd.11dd.11dd), and, in the nonadjacent subnet beyond Router B, Server C 195.1.1.5 (00dd.22dd.22dd).]

Note: Only the relevant elements of the packet header and the last four digits in the MAC addresses are shown below.

If the following packet arrives at ethernet1 and the forwarding table does not have an entry for MAC address 00dd.11dd.11dd:

    Ethernet Frame              IP Datagram
    dst    src    type          src          dst
    11dd   11aa   0800          210.1.1.5    195.1.1.5

the NetScreen device floods the following trace-route packet out eth2, eth3, and eth4:

    Ethernet Frame              ICMP Message
    dst    src    type          src          dst          TTL
    11dd   11aa   0800          210.1.1.5    195.1.1.5    1

When the NetScreen device receives the following response at eth3:

    Ethernet Frame              ICMP Message
    dst    src    type          src           dst          msg
    11aa   11dd   0800          210.1.1.200   210.1.1.5    Time Exceeded

it can now associate the MAC address with the interface leading to it.
Example: VLAN1 Interface for Management
In this example, you configure the NetScreen device for management to its VLAN1 interface as follows:

• Assign the VLAN1 interface an IP address of 1.1.1.1/24.
• Enable Web, Telnet, SSH and Ping on both the VLAN1 interface and V1-Trust[5] security zone.
• Add a route in the trust virtual router (all Layer 2 security zones are in the trust-vr routing domain) to enable management traffic to flow between the NetScreen device and an administrative workstation beyond the immediate subnet of the NetScreen device. All security zones are in the trust-vr routing domain.

Note: To manage the device from a Layer 2 security zone, you must set the same management options for both the VLAN1 interface and the Layer 2 security zone.

[Figure: VLAN1 1.1.1.1/24 in the V1-Trust zone; V1-Trust interface ethernet1 0.0.0.0/0 on the 1.1.1.0/24 subnet; internal router 1.1.1.251 / 1.1.2.250; admin workstation 1.1.2.5 on the 1.1.2.0/24 subnet; V1-Untrust interface ethernet3 0.0.0.0/0 toward the V1-Untrust zone and the Internet.]

5. By default, NetScreen enables the management options for the VLAN1 interface and V1-Trust security zone. Enabling these options is included in this example for illustrative purposes only. Unless you have previously disabled them, you really do not need to enable them manually.
WebUI
1. VLAN1 Interface
Network > Interfaces > Edit (for VLAN1): Enter the following, and then click OK:
    IP Address/Netmask: 1.1.1.1/24
    Management Services: WebUI, Telnet, SSH (select)
    Other Services: Ping (select)
2. V1-Trust Zone
Network > Zones > Edit (for V1-Trust): Select the following, and then click OK:
    Management Services: WebUI, Telnet, SSH
    Other Services: Ping
3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 1.1.2.0/24
    Gateway: (select)
    Interface: vlan1(trust-vr)
    Gateway IP Address: 1.1.1.251
    Metric: 1
CLI
1. VLAN1 Interface
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ssh
set interface vlan1 manage ping
2. V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ssh
set zone v1-trust manage ping
3. Route
set vrouter trust-vr route 1.1.2.0/24 interface vlan1 gateway 1.1.1.251 metric 1
save
Example: Transparent Mode
The following example illustrates a basic configuration for a single LAN protected by a NetScreen device in Transparent mode. Policies permit outgoing traffic for all hosts in the V1-Trust zone, incoming SMTP services for the mail server, and incoming FTP-GET services for the FTP server.

To increase the security of management traffic, you change the HTTP port number for WebUI management from 80 to 5555, and the Telnet port number for CLI management from 23 to 4646. You use the VLAN1 IP address—1.1.1.1/24—to manage the NetScreen device from the V1-Trust security zone. You define addresses for the FTP and Mail servers. You also configure a default route to the external router at 1.1.1.250, so that the NetScreen device can send outbound VPN traffic to it[6]. (The default gateway on all hosts in the V1-Trust zone is also 1.1.1.250.)

[Figure: V1-Trust zone (1.1.1.0/24 address space) with FTP_Server 1.1.1.5 and Mail_Server 1.1.1.10; V1-Trust interface ethernet1 0.0.0.0/0; VLAN1 IP 1.1.1.1/24; V1-Untrust interface ethernet3 0.0.0.0/0; external router 1.1.1.250 in the V1-Untrust zone toward the Internet.]

6. For an example of configuring a VPN tunnel for a NetScreen device with interfaces in Transparent mode, see “Transparent Mode VPN” on page 5-219.
WebUI
1. VLAN1 Interface
Network > Interfaces > Edit (for the VLAN1 interface): Enter the following, and then click OK:
    IP Address/Netmask: 1.1.1.1/24
    Management Services: WebUI, Telnet (select)
    Other Services: Ping (select)
2. HTTP Port
Configuration > Admin > Management: In the HTTP Port field, type 5555[7] and then click Apply.
3. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
    Zone Name: V1-Trust
    IP Address/Netmask: 0.0.0.0/0
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
    Zone Name: V1-Untrust
    IP Address/Netmask: 0.0.0.0/0
4. V1-Trust Zone
Network > Zones > Edit (for v1-trust): Select the following, and then click OK:
    Management Services: WebUI, Telnet
    Other Services: Ping

7. The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging on to manage the device later, enter the following in the URL field of your Web browser: http://1.1.1.1:5555.
5. Addresses
Objects > Addresses > List > New: Enter the following and then click OK:
    Address Name: FTP_Server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.5/32
    Zone: V1-Trust
Objects > Addresses > List > New: Enter the following and then click OK:
    Address Name: Mail_Server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.10/32
    Zone: V1-Trust
6. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: vlan1(trust-vr)
    Gateway IP Address: 1.1.1.250
    Metric: 1
7. Policies
Policies > (From: V1-Trust, To: V1-Untrust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Any
    Service: Any
    Action: Permit
Policies > (From: V1-Untrust, To: V1-Trust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Mail_Server
    Service: Mail
    Action: Permit
Policies > (From: V1-Untrust, To: V1-Trust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), FTP_Server
    Service: FTP-GET
    Action: Permit
CLI
1. VLAN1
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ping
2. Telnet (see footnote 8)
set admin telnet port 4646
3. Interfaces
set interface ethernet1 ip 0.0.0.0/0
set interface ethernet1 zone v1-trust
set interface ethernet3 ip 0.0.0.0/0
set interface ethernet3 zone v1-untrust
4. V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping
5. Addresses
set address v1-trust FTP_Server 1.1.1.5/32
set address v1-trust Mail_Server 1.1.1.10/32
6. Route
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250 metric 1
7. Policies
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any Mail_Server mail permit
set policy from v1-untrust to v1-trust any FTP_Server ftp-get permit
save

8. The default port number for Telnet is 23. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging on to manage the device later via Telnet, enter the following address: 1.1.1.1 4646.
Chapter 4 Interface Modes NAT Mode
122
NAT MODE
When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device.

When the reply packet arrives at the NetScreen device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The NetScreen device then forwards the packet to its destination.

[Figure: Trust zone with private address space (hosts 10.1.1.5, 10.1.1.10, 10.1.1.15, 10.1.1.20, 10.1.1.25) behind the Trust zone interface 10.1.1.1/24; Untrust zone interface 1.1.1.1/24 in the public address space, with the external router 1.1.1.250 toward the Internet.]
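The translation just described, as an added example that is not part of this guide or of ScreenOS: a Python model of interface-based NAT using the addresses from the figure (Trust interface ethernet1 at 10.1.1.1/24, Untrust interface ethernet3 at 1.1.1.1/24). The Internet peer 203.0.113.10, the port-selection rule and the Packet and Interface types are assumptions of this model; it also shows that a packet aimed at the Untrust address with no binding is not delivered, and that a Route-mode ingress interface leaves the header unchanged.

```python
# Added example (not ScreenOS or Juniper code): a model of the interface-based
# NAT described above. Addresses follow the figure (Trust interface ethernet1
# 10.1.1.1/24, Untrust interface ethernet3 1.1.1.1/24); the Internet peer
# 203.0.113.10 and the port-selection rule are assumptions of this model.
import ipaddress
import random
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Interface:
    name: str
    ip: str          # address with prefix length, e.g. "10.1.1.1/24"
    zone: str
    mode: str        # "nat" or "route"

    @property
    def address(self) -> str:
        return str(ipaddress.ip_interface(self.ip).ip)

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.ip).network


class NatDevice:
    """Translates traffic leaving a NAT-mode interface toward the Untrust zone
    and reverses the translation on the reply (one trust-vr, static routes)."""

    def __init__(self, interfaces, untrust_name, rng=None):
        self.ifaces = {i.name: i for i in interfaces}
        self.untrust = self.ifaces[untrust_name]
        self.rng = rng or random.Random()
        self.bindings = {}   # (public_port, proto) -> (orig_ip, orig_port)
        self.reverse = {}    # (orig_ip, orig_port, proto) -> public_port

    def ingress_for(self, pkt: Packet) -> Optional[Interface]:
        """The internal interface whose subnet holds the packet's source."""
        src = ipaddress.ip_address(pkt.src_ip)
        for iface in self.ifaces.values():
            if iface is not self.untrust and src in iface.network:
                return iface
        return None

    def _fresh_port(self, proto: str) -> int:
        # The device picks a random port that is not already bound.
        while True:
            port = self.rng.randint(1024, 65535)
            if (port, proto) not in self.bindings:
                return port

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet heading out of the Untrust interface."""
        ingress = self.ingress_for(pkt)
        if ingress is None:
            raise ValueError(f"no ingress interface for {pkt.src_ip}")
        if ingress.mode == "route":
            return pkt                      # Route mode: header unchanged
        key = (pkt.src_ip, pkt.src_port, pkt.proto)
        port = self.reverse.get(key)        # reuse the binding if one exists
        if port is None:
            port = self._fresh_port(pkt.proto)
            self.reverse[key] = port
            self.bindings[(port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.untrust.address, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply arriving at the Untrust interface back to the host.
        Returns None when no binding matches: a packet aimed at the Untrust
        address without a binding never reaches an internal host this way."""
        if pkt.dst_ip != self.untrust.address:
            return None
        orig = self.bindings.get((pkt.dst_port, pkt.proto))
        if orig is None:
            return None
        return replace(pkt, dst_ip=orig[0], dst_port=orig[1])


def build_device(trust_mode: str = "nat", seed: int = 7) -> NatDevice:
    """The example network: ethernet1 (Trust) and ethernet3 (Untrust, Route)."""
    return NatDevice([Interface("ethernet1", "10.1.1.1/24", "Trust", trust_mode),
                      Interface("ethernet3", "1.1.1.1/24", "Untrust", "route")],
                     "ethernet3", random.Random(seed))


def round_trip(dev: NatDevice, host_ip: str = "10.1.1.5") -> dict:
    """A host contacts the constructed Internet peer and the peer replies;
    a separate unsolicited packet to the Untrust address (port 25) follows."""
    request = Packet(host_ip, 40000, "203.0.113.10", 80)
    translated = dev.outbound(request)
    reply = Packet("203.0.113.10", 80, translated.src_ip, translated.src_port)
    unsolicited = Packet("203.0.113.10", 5555, dev.untrust.address, 25)
    return {"request": request, "translated": translated,
            "delivered": dev.inbound(reply), "unsolicited": dev.inbound(unsolicited)}
```

With a Route-mode Trust interface the reply is addressed to the host itself rather than to 1.1.1.1, so inbound() has no binding to reverse and returns None; the model covers only the NAT reversal, not routing.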
NAT adds a level of security not provided in Transparent mode: The addresses of hosts sending traffic through an ingress interface in NAT mode (such as a Trust zone interface) are never exposed to hosts in the egress zone (such as the Untrust zone) unless the two zones are in the same virtual routing domain and the NetScreen device is advertising routes to peers through a dynamic routing protocol (DRP). Even then, the Trust zone addresses are only reachable if you have a policy permitting inbound traffic to them. (If you want to keep the Trust zone addresses hidden while using a DRP, then put the Untrust zone in the untrust-vr and the Trust zone in the trust-vr, and do not export routes for internal addresses in the trust-vr to the untrust-vr.)

If the NetScreen device uses static routing and just one virtual router, the internal addresses remain hidden when traffic is outbound, due to interface-based NAT. The policies you configure control inbound traffic. If you use only mapped IP (MIP) and virtual IP (VIP) addresses as the destinations in your inbound policies, the internal addresses still remain hidden.

Also, NAT preserves the use of public IP addresses. In many environments, resources are not available to provide public IP addresses for all devices on the network. NAT services allow many private IP addresses to have access to Internet resources through one or a few public IP addresses. The following IP address ranges are reserved for private IP networks and must not get routed on the Internet:

    10.0.0.0 – 10.255.255.255
    172.16.0.0 – 172.31.255.255
    192.168.0.0 – 192.168.255.255
Inbound and Outbound NAT Traffic
A host in a zone sending traffic through an interface in NAT mode can initiate traffic to the Untrust zone—assuming that a policy permits it. In releases prior to ScreenOS 5.0.0, a host behind an interface in NAT mode was unable to receive traffic from the Untrust zone unless a Mapped IP (MIP), Virtual IP (VIP), or VPN tunnel was set up for it[9]. However, in ScreenOS 5.0.0, traffic to a zone with a NAT-enabled interface from any zone—including the Untrust zone—does not need to use a MIP, VIP, or VPN. If you want to preserve the privacy of addresses or if you are using private addresses that do not occur on a public network such as the Internet, you can still define a MIP, VIP, or VPN for traffic to reach them. However, if issues of privacy and private IP addresses are not a concern, traffic from the Untrust zone can reach hosts behind an interface in NAT mode directly, without the use of a MIP, VIP, or VPN.

Note: For more information about MIPs, see “Mapped IP Addresses” on page 7-90. For more about VIPs, see “Virtual IP Addresses” on page 7-115.

[Figure: Untrust zone reached through ethernet3 1.1.1.1/24 (Route mode); Trust zone behind ethernet1 10.1.1.1/24 (NAT mode); User-Defined zone behind ethernet2 10.1.2.1/24 (NAT mode); MIP 1.1.1.10 → 10.1.1.10 and MIP 1.1.1.20 → 10.1.2.20. The numbered traffic flows in the figure are:]
1. Interface-based NAT on traffic from the Trust zone to the Untrust zone.
2. Interface-based NAT on traffic from the User-Defined zone to the Untrust zone. (Note: This is possible only if the User-Defined and Untrust zones are in different virtual routing domains.)
3. No interface-based NAT on traffic between the Trust and User-Defined zones.
4 and 5. You can use MIPs, VIPs, or VPNs for traffic from the Untrust zone to reach the Trust zone or the User-Defined zone, but they are not required.
6. MIPs and VPNs are also not required for traffic between the Trust and User-Defined zones.

9. You can define a virtual IP (VIP) address only on an interface bound to the Untrust zone.
Interface Settings
For NAT mode, define the following interface settings, where ip_addr1 and ip_addr2 represent numbers in an IP address, mask represents the numbers in a netmask, vlan_id_num represents the number of a VLAN tag, zone represents the name of a zone, and number represents the bandwidth size in kbps:

Zone: Trust, DMZ, and user-defined zones using NAT
    Interface settings: IP: ip_addr1; Netmask: mask; Manage IP*: ip_addr2; Traffic Bandwidth†: number; NAT‡: (select)
    Subinterface settings: IP: ip_addr1; Netmask: mask; VLAN Tag: vlan_id_num; Zone Name: zone; NAT‡: (select)

Zone: Untrust**
    Interface settings: IP: ip_addr1; Netmask: mask; Manage IP*: ip_addr2; Traffic Bandwidth†: number
    Subinterface settings: IP: ip_addr1; Netmask: mask; VLAN Tag: vlan_id_num; Zone Name: zone

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an IP address for administrative traffic separate from network traffic. You can also use the manage IP address for accessing a specific device when it is in a high availability configuration.
† Optional setting for traffic shaping.
‡ Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.
** Although you are able to select NAT as the interface mode on an interface bound to the Untrust zone, the NetScreen device does not perform any NAT operations on that interface.
Example: NAT Mode
The following example illustrates a simple configuration for a LAN with a single subnet in the Trust zone. The LAN is protected by a NetScreen device in NAT mode. Policies permit outgoing traffic for all hosts in the Trust zone and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IP address. Both the Trust and Untrust zones are in the trust-vr routing domain.

[Figure: Trust zone behind ethernet1 10.1.1.1/24 (NAT mode), with the mail server at 10.1.1.5 reachable through VIP 1.1.1.5 -> 10.1.1.5; ethernet3 1.1.1.1/24 (Route mode) toward the external router 1.1.1.250 in the Untrust zone and the Internet.]

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
    Interface Mode: NAT[10]

Note: Compare this example with that for Route mode on page 132.

10. By default, any interface that you bind to the Trust zone is in NAT mode. Consequently, this option is already enabled for interfaces bound to the Trust zone.
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask[11]: 1.1.1.1/24
    Interface Mode: Route
2. VIP[12]
Network > Interfaces > Edit (for ethernet3) > VIP: Enter the following, and then click Add:
    Virtual IP Address: 1.1.1.5
Network > Interfaces > Edit (for ethernet3) > VIP > New VIP Service: Enter the following, and then click OK:
    Virtual Port: 25
    Map to Service: Mail
    Map to IP: 10.1.1.5
3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: ethernet3
    Gateway IP Address: 1.1.1.250

11. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select Obtain IP using DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select Obtain IP using PPPoE, click the Create new PPPoE settings link, and enter the name and password.
12. For information about virtual IP (VIP) addresses, see “Virtual IP Addresses” on page 7-115.
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Any
    Service: ANY
    Action: Permit
Policies > (From: Untrust, To: Global) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), VIP(1.1.1.5)
    Service: MAIL
    Action: Permit
CLI
1. Interfaces (see footnotes 13 and 14)
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. VIP
set interface ethernet3 vip 1.1.1.5 25 mail 10.1.1.5
3. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
4. Policies
set policy from trust to untrust any any any permit
set policy from untrust to global any vip(1.1.1.5) mail permit
save

13. The set interface ethernetn nat command (where n is the interface number) determines that the NetScreen device operates in NAT mode.
14. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, use the following command: set interface untrust dhcp. If the ISP uses Point-to-Point Protocol over Ethernet, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLI Reference Guide.
Chapter 4 Interface Modes Route Mode
130
ROUTE MODE
When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing source NAT (NAT-src); that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device. Unlike NAT-src, you do not need to establish mapped IP (MIP) and virtual IP (VIP) addresses to allow inbound traffic to reach hosts when the destination zone interface is in Route mode. Unlike Transparent mode, the interfaces in each zone are on different subnets.

You do not have to apply source network address translation (“NAT-src”) at the interface level so that all source addresses initiating outgoing traffic get translated to the IP address of the destination zone interface. Instead, you can perform NAT-src selectively at the policy level. You can determine which traffic to route and on which traffic to perform NAT-src by creating policies that enable NAT-src for specified source addresses on either incoming or outgoing traffic. For network traffic, NAT can use the IP address or addresses of the destination zone interface or from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPN traffic, NAT can use a tunnel interface IP address or an address from its associated DIP pool.

Note: For more information about configuring policy-based NAT-src, see “Source Network Address Translation” on page 7-15.

[Figure: Trust zone with public address space (hosts 1.2.2.5, 1.2.2.10, 1.2.2.15, 1.2.2.20, 1.2.2.25) behind the Trust zone interface 1.2.2.1/24; Untrust zone interface 1.1.1.1/24, also in public address space, with the external router 1.1.1.250 toward the Internet.]

Interface Settings
For Route mode, define the following interface settings, where ip_addr1 and ip_addr2 represent numbers in an IP address, mask represents the numbers in a netmask, vlan_id_num represents the number of a VLAN tag, zone represents the name of a zone, and number represents the bandwidth size in kbps:

Zone: Trust, Untrust, DMZ, and user-defined zones
    Interface settings: IP: ip_addr1; Netmask: mask; Manage IP*: ip_addr2; Traffic Bandwidth†: number; Route‡: (select)
    Subinterface settings: IP: ip_addr1; Netmask: mask; VLAN Tag: vlan_id_num; Zone Name: zone; Route‡: (select)

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an IP address for administrative traffic separate from network traffic. You can also use the manage IP address for accessing a specific device when it is in a high availability configuration.
† Optional setting for traffic shaping.
‡ Selecting Route defines the interface mode as Route. Selecting NAT defines the interface mode as NAT.
Example: Route Mode
In the previous example, “Example: NAT Mode” on page 126, the hosts in the Trust zone LAN have private IP addresses and a Mapped IP for the mail server. In the following example of the same network protected by a NetScreen device operating in Route mode, note that the hosts have public IP addresses and that a MIP is unnecessary for the mail server. Both security zones are in the trust-vr routing domain.

[Figure: Trust zone behind ethernet1 1.2.2.1/24 (Route mode) with the mail server at 1.2.2.5; ethernet3 1.1.1.1/24 (Route mode) toward the external router 1.1.1.250 in the Untrust zone and the Internet.]

WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.2.2.1/24
Enter the following, and then click OK:
    Interface Mode: Route[15]

15. Selecting Route determines that the NetScreen device operates in Route mode, without performing NAT on traffic entering or exiting the Trust zone.
Chapter 4 Interface Modes Route Mode
133
k OK:
then click OK:
and netmask fields empty and select he Create new PPPoE settings link,
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
Network > Interfaces > Edit (for ethernet3): Enter the following, and then clic
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask16: 1.1.1.1/24
2. AddressObjects > Addresses > List > New: Enter the following and then click OK:
Address Name: Mail Server
IP Address/Domain Name:
IP/Netmask: (select), 1.2.2.5/32
Zone: Trust
3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
16. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select Obtain IP using DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select Obtain IP using PPPoE, click the Create new PPPoE settings link, and enter the name and password.
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: ANY
Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Mail Server
Service: MAIL
Action: Permit
CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 1.2.2.1/24
set interface ethernet1 route [17]
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Address
set address trust mail_server 1.2.2.5/32

3. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

4. Policies
set policy from trust to untrust any any any permit
set policy from untrust to trust any mail_server mail permit
save

17. The set interface ethernet<number> route command determines that the NetScreen device operates in Route mode.
Chapter 5
Building Blocks for Policies

This chapter discusses the components, or building blocks, that you can reference in policies. The specific topics discussed are:
• “Addresses” on page 139
– “Address Entries” on page 140
– “Address Groups” on page 142
• “Services” on page 147
– “Predefined Services” on page 147
– “Custom Services” on page 149
– “Service Timeouts” on page 152
– “ICMP Services” on page 154
– “RSH ALG” on page 156
– “Sun Remote Procedure Call Application Layer Gateway” on page 156
– “Microsoft Remote Procedure Call Application Layer Gateway” on page 159
– “Real Time Streaming Protocol Application Layer Gateway” on page 165
– “H.323 Protocol for Voice-over-IP” on page 177
– “Session Initiation Protocol (SIP)” on page 196
– “SIP with Network Address Translation” on page 209
– “Bandwidth Management for VoIP Services” on page 264
– “Service Groups” on page 266
• “DIP Pools” on page 270
– “Sticky DIP Addresses” on page 273
– “Extended Interface and DIP” on page 274
– “Loopback Interface and DIP” on page 282
– “DIP Groups” on page 288
• “Schedules” on page 292
Note: For information about user authentication, see Volume 8, “User Authentication”.

ADDRESSES

The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Each zone possesses its own list of addresses and address groups.

Individual hosts have only a single IP address defined and therefore must have a netmask setting of 255.255.255.255 (which masks out all but this host).

Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0).

Before you can configure policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in NetScreen address lists, which are organized by zones.

Note: You do not have to make address entries for “Any”. This term automatically applies to all devices physically located within their respective zones.
Address Entries

Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in one or more address lists. The address list for a security zone contains the IP addresses or domain names [1] of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.

Example: Adding Addresses

In this example, you add the subnet “Sunnyvale_Eng” with the IP address 10.1.10.0/24 as an address in the Trust zone, and the address www.juniper.net as an address in the Untrust zone.
WebUI
Objects > Addresses > List > New: Enter the following information, and then click OK:
Address Name: Sunnyvale_Eng
IP Address/Domain Name:
IP/Netmask: (select), 10.1.10.0/24
Zone: Trust
Objects > Addresses > List > New: Enter the following information, and then click OK:
Address Name: Juniper
IP Address/Domain Name:
Domain Name: (select), www.juniper.net
Zone: Untrust
Note: For information regarding ScreenOS naming conventions—which apply to the names you create for addresses—see “Naming Conventions and Character Types” on page xii.

1. Before you can use domain names for address entries, you must configure the NetScreen device for Domain Name System (DNS) services. For information on DNS configuration, see “Domain Name System Support” on page 365.

CLI

set address trust Sunnyvale_Eng 10.1.10.0/24
set address untrust Juniper www.juniper.net
save
Example: Modifying Addresses

In this example, you change the address entry for the address “Sunnyvale_Eng” to reflect that this department is specifically for software engineering and has a different IP address—10.1.40.0/24.
WebUI
Objects > Addresses > List > Edit (for Sunnyvale_Eng): Change the name and IP address to the following, and then click OK:
Address Name: Sunnyvale_SW_Eng
IP Address/Domain Name:
IP/Netmask: (select), 10.1.40.0/24
Zone: Trust
CLI
unset address trust Sunnyvale_Eng
set address trust Sunnyvale_SW_Eng 10.1.40.0/24
save

Note: After you define an address—or an address group—and associate it with a policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the underlying policy.

Example: Deleting Addresses

In this example, you remove the address entry for the address “Sunnyvale_SW_Eng”.
WebUI
Objects > Addresses > List: Click Remove in the Configure column for Sunnyvale_SW_Eng.
CLI
unset address trust “Sunnyvale_SW_Eng”
save

Address Groups

The previous section explained how you create, modify, and delete address book entries for individual hosts and subnets. As you add addresses to an address list, it becomes difficult to manage how policies affect each address entry. NetScreen allows you to create groups of addresses. Rather than manage a large number of address entries, you can manage a small number of groups. Changes you make to the group are applied to each address entry in the group.

[Figure: 1 Policy per Address vs. 1 Policy per Address Group]

The address group option has the following features:
• You can create address groups in any zone.
• You can create address groups with existing users, or you can create empty address groups and later fill them with users.
• An address group can be a member of another address group [2].
• You can reference an address group entry in a policy like an individual address book entry.
• NetScreen applies policies to each member of the group by internally creating individual policies for each group member. While you only have to create one policy for a group, NetScreen actually creates an internal policy for each member in the group (as well as for each service configured for each user) [3].
• When you delete an individual address book entry from the address book, the NetScreen device automatically removes it from all groups to which it belonged.

The following constraints apply to address groups:

• Address groups can only contain addresses that belong to the same zone.
• Address names cannot be the same as group names. If the name “Paris” is used for an individual address entry, it cannot be used for a group name.
• If an address group is referenced in a policy, the group cannot be removed. It can, however, be edited.
• When a single policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available policy resources, especially if both the source and destination addresses are address groups and the specified service is a service group.
• You cannot add the predefined addresses “Any”, “All Virtual IPs,” and “Dial-Up VPN” to groups.

2. To ensure that a group does not accidentally contain itself as a member, the NetScreen device performs a sanity check when you add one group to another. For example, if you add group A as a member to group B, the NetScreen device automatically checks that A does not already contain B as its member.

3. The automatic nature by which the NetScreen device applies policies to each address group member saves you from having to create them one by one for each address. Furthermore, NetScreen writes these policies to ASIC, which makes lookups run very fast.
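The group features and constraints listed above, modelled in Python as an added example (this is not ScreenOS code and not from the manual): one address book per zone, nested groups with the self-containment sanity check of footnote 2, a shared namespace for address and group names, no grouping of the predefined addresses, automatic removal of a deleted address from its groups, and the per-member ACL expansion that makes a group-to-group policy with a service group expensive. The zone, member and IP values are constructed, and the ACL count is the product the constraint describes, not a measured device limit.

```python
"""Model of the ScreenOS address-group rules described above (added example,
not ScreenOS code). Zone names, member names and IP values are constructed."""

PREDEFINED = {"Any", "All Virtual IPs", "Dial-Up VPN"}


class ZoneAddressBook:
    """Address book of one zone; a group can only hold addresses of that zone."""

    def __init__(self, zone):
        self.zone = zone
        self.addresses = {}   # name -> "ip/netmask" or domain name
        self.groups = {}      # group name -> ordered list of member names

    def set_address(self, name, value):
        if name in self.groups:            # address names cannot equal group names
            raise ValueError(f"{name!r} is already an address group")
        self.addresses[name] = value

    def contains(self, group, name):
        """True if `name` is a direct or nested member of `group`."""
        for member in self.groups.get(group, []):
            if member == name or (member in self.groups and self.contains(member, name)):
                return True
        return False

    def add_member(self, group, member):
        if member in PREDEFINED:
            raise ValueError(f"predefined address {member!r} cannot be grouped")
        if group in self.addresses:
            raise ValueError(f"{group!r} is already an address name")
        if member not in self.addresses and member not in self.groups:
            raise KeyError(f"{member!r} is not in the {self.zone} address book")
        # Sanity check (footnote 2): adding group A to group B requires that A
        # does not already contain B, otherwise a group would contain itself.
        if member in self.groups and (member == group or self.contains(member, group)):
            raise ValueError(f"adding {member!r} to {group!r} would make it contain itself")
        members = self.groups.setdefault(group, [])
        if member not in members:
            members.append(member)

    def remove_member(self, group, member):
        self.groups[group].remove(member)   # an emptied group is not deleted automatically

    def unset_address(self, name):
        """Deleting an address also removes it from every group it belonged to."""
        del self.addresses[name]
        for members in self.groups.values():
            if name in members:
                members.remove(name)

    def unset_group(self, name, policies):
        """A group referenced by any policy cannot be removed (it can still be edited)."""
        if any(name in (p["src"], p["dst"]) for p in policies):
            raise ValueError(f"group {name!r} is referenced in a policy")
        del self.groups[name]

    def expand(self, name):
        """The individual addresses a policy on `name` is internally applied to."""
        if name in self.addresses:
            return {name}
        leaves = set()
        for member in self.groups[name]:
            leaves |= self.expand(member)
        return leaves


def acl_entries(src_book, src, dst_book, dst, services):
    """Internal policy entries one group-based policy costs: src x dst x services."""
    return len(src_book.expand(src)) * len(dst_book.expand(dst)) * len(services)


def rejected(action, *args):
    """True if the address-book operation is refused by one of the constraints."""
    try:
        action(*args)
    except (ValueError, KeyError):
        return True
    return False
```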
Example: Creating an Address Group

In the following example, you create a group named “HQ 2nd Floor” that includes “Santa Clara Eng” and “Tech Pubs,” two addresses that you have already entered in the address book for the Trust zone.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) New: Enter the following group name, move the following addresses, and then click OK:

Group Name: HQ 2nd Floor
Select Santa Clara Eng and use the << button to move the address from the Available Members column to the Group Members column.
Select Tech Pubs and use the << button to move the address from the Available Members column to the Group Members column.

CLI

set group address trust “HQ 2nd Floor” add “Santa Clara Eng”
set group address trust “HQ 2nd Floor” add “Tech Pubs”
save
Example: Editing an Address Group Entry

In this example, you add “Support” (an address that you have already entered in the address book) to the “HQ 2nd Floor” address group.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) Edit (for HQ 2nd Floor): Move the following address, and then click OK:

Select Support and use the << button to move the address from the Available Members column to the Group Members column.

CLI

set group address trust “HQ 2nd Floor” add Support
save
Example: Removing a Member and a Group

In this example, you remove the member “Support” from the HQ 2nd Floor address group, and delete “Sales”, an address group that you had previously created.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) Edit (HQ 2nd Floor): Move the following address, and then click OK:

Select Support and use the >> button to move the address from the Group Members column to the Available Members column.

Objects > Addresses > Groups > (Zone: Trust): Click Remove in the Configure column for Sales.

CLI

unset group address trust “HQ 2nd Floor” remove Support
unset group address trust Sales
save

Note: The NetScreen device does not automatically delete a group from which you have removed all names.
SERVICES

Services are types of traffic for which protocol standards exist. Each service has a transport protocol and destination port number(s) associated with it, such as TCP/port 21 for FTP and TCP/port 23 for Telnet. When you create a policy, you must specify a service for it. You can select one of the predefined services from the service book, or a custom service or service group that you created. You can see which service you can use in a policy by viewing the Service drop-down list on the Policy Configuration page (WebUI), or by using the get service command (CLI).

Predefined Services

ScreenOS supports a great number of predefined services. Later in this section, you can find more detailed information on some of these, namely:
• “ICMP Services” on page 154
• “RSH ALG” on page 156
• “Sun Remote Procedure Call Application Layer Gateway” on page 156
• “Microsoft Remote Procedure Call Application Layer Gateway” on page 159
• “Real Time Streaming Protocol Application Layer Gateway” on page 165
• “H.323 Protocol for Voice-over-IP” on page 177
• “Session Initiation Protocol (SIP)” on page 196
You can view the list of predefined or custom services or service groups on the NetScreen device using the WebUI or the CLI.
Using the WebUI:
Objects > Services > Predefined
Objects > Services > Custom
Objects > Services > Group
Using the CLI:
get service [ group | predefined | user ]
The output from the get service pre-defined CLI command is similar to that shown below:

Name        Proto  Port        Group         Timeout (Minute)  Flag
ANY         0      0/65535     other         1                 Pre-defined
AOL         6      5190/5194   remote        30                Pre-defined
BGP         6      179         other         30                Pre-defined
DHCP-Relay  17     67          info seeking  1                 Pre-defined
DNS         17     53          info seeking  1                 Pre-defined
FINGER      6      79          info seeking  30                Pre-defined
FTP         6      21          remote        30                Pre-defined
FTP-Get     6      21          remote        30                Pre-defined
FTP-Put     6      21          remote        30                Pre-defined
GOPHER      6      70          info seeking  30                Pre-defined
H.323       6      1720        remote        2160              Pre-defined
--- more ---
Note: Each predefined service has a source port range of 1-65535, which includes the entire set of valid port numbers. This prevents potential attackers from gaining access by using a source port outside of the range. If you need to use a different source port range for any predefined service, create a custom service. For information, see “Custom Services” on page 149.

Custom Services

Instead of using predefined services, you can easily create custom services. You can assign each custom service the following attributes:
• Name
• Transport protocol
• Source and destination port numbers for services using TCP or UDP
• Type and code values for services using ICMP
• Timeout value
If you create a custom service in a virtual system (vsys) that has the same name as a previously defined custom service in the root system, the service in the vsys takes the default timeout for the specified transport protocol (TCP, UDP, or ICMP). To define a custom timeout for a service in a vsys that is different from the default when a custom service with the same name in the root system has its own timeout, create the custom service in the vsys and root system in the following order:

1. First, create the custom service with a custom timeout in the vsys.
2. Then create another custom service with the same name but a different timeout in the root system.
The following examples describe how to add, modify and remove a custom service.
Example: Adding a Custom ServiceTo add a custom service to the service book, you need the following information:
• A name for the service, in this example “cust-telnet”
• A range of source port numbers: 1 – 65535
• A range of destination port numbers to receive the service request, for example: 23000 – 23000.
• Whether the service uses TCP or UDP protocol, or some other protocol as defined by the Internet specifications. In this example, the protocol is TCP.

Note: For information regarding ScreenOS naming conventions—which apply to the names you create for custom services—see “Naming Conventions and Character Types” on page xii.

WebUI

Objects > Services > Custom > New: Enter the following, and then click OK:
Service Name: cust-telnet
Service Timeout: Custom (select), 30 (type)
Transport Protocol: TCP (select)
Source Port Low: 1
Source Port High: 65535
Destination Port Low: 23000
Destination Port High: 23000
CLI
set service cust-telnet protocol tcp src-port 1-65535 dst-port 23000-23000
set service cust-telnet timeout 30 [4]
save

4. The timeout value is in minutes. If you do not set it, the timeout value of a custom service is 180 minutes. If you do not want a service to time out, enter never.

Example: Modifying a Custom Service

In this example, you modify the custom service “cust-telnet” by changing the destination port range to 23230-23230.

Use the set service service_name clear command to remove the definition of a custom service without removing the service from the service book:

WebUI

Objects > Services > Custom > Edit (for cust-telnet): Enter the following, and then click OK:
Destination Port Low: 23230
Destination Port High: 23230
CLI
set service cust-telnet clear
set service cust-telnet + tcp src-port 1-65535 dst-port 23230-23230
save
Example: Removing a Custom Service

In this example, you remove the custom service “cust-telnet”.
WebUI
Objects > Services > Custom: Click Remove in the Configure column for “cust-telnet”.
CLI
unset service cust-telnet
save

Service Timeouts

You can set the timeout threshold (in minutes) for a predefined or custom service. You can use the service default timeout, specify a custom timeout, or use no timeout at all.

A few details about the behavior of service timeouts:

• When a policy references a single custom or predefined service with a custom timeout, the NetScreen device applies that timeout.

• When a policy references a service group, multiple services, or the predefined service ANY, the NetScreen device applies the timeout for the last service configured that matches the protocol (for TCP or UDP) + destination port number. For example, if you define the following two services in the following order,

set service ftp-1 protocol tcp src 0-65535 dst 2121-2121 timeout 20
set service telnet-1 protocol tcp src 0-65535 dst 2100-2148 timeout 15

and you then reference ftp-1 together with other services in the same policy, the NetScreen device applies the 15-minute timeout defined for telnet-1 instead of the 20-minute timeout for ftp-1. This happens because the NetScreen device stores timeouts for services using TCP and UDP protocols in tables—one for TCP and another for UDP. When the NetScreen device looks up the timeout for a service referenced in a service group, a policy with multiple services, or the wildcard service ANY, it applies the timeout for the first service it finds in the table, which—if there are multiple services with overlapping destination port numbers—is the latest service configured and entered into the table. In the above example, the NetScreen device applies the 15-minute timeout because the destination port numbers for telnet-1 (2100-2148) overlap those for ftp-1 (2121), and you defined telnet-1 after you defined ftp-1. Therefore, the lookup for a service with destination port 2121 discovers the timeout for telnet-1 first and applies that.

To avoid the unintended application of a different timeout to a service, avoid services with overlapping destination port numbers or apply the service defined earlier in a policy by itself.

• For services using ICMP or any protocol other than TCP or UDP, the NetScreen device applies the custom timeout when a policy references just that service. When a policy references multiple services, the NetScreen device applies the default timeout (one minute) for services using non-TCP or -UDP protocols.
• When a policy in a virtual system (vsys) references a custom service and there is a previously defined service with the same protocol + destination port number in the root system, the NetScreen device applies the timeout for the service defined at the root level to the service at the vsys level.

• You cannot explicitly define a custom timeout for a custom service created at the vsys level. However, you can indirectly apply a custom timeout at the vsys level if you create the custom service in the vsys and then apply the custom timeout you want to a service with the same protocol + port number at the root level. To accomplish this, do the following in the following order:

1. Create a custom service in the vsys.
2. Then in the root system create another custom service with the same protocol and destination port numbers, and with the timeout that you want to apply at the vsys level.
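The timeout-table behavior in the bullets above, as an added Python model (not ScreenOS code and not from the manual): the TCP and UDP tables are lists filled in configuration order and searched from the latest entry, so the ftp-1/telnet-1 overlap yields 15 minutes in a multi-service policy but 20 minutes when ftp-1 is referenced alone. The 180-minute default for a custom TCP/UDP service and the one-minute default for other protocols in a multi-service lookup are the values the text gives; the model also adds a check for the overlapping destination port ranges the text tells you to avoid.

```python
"""Model of the ScreenOS service-timeout lookup described above (added example,
not ScreenOS code). The table structure is a model of the text's description."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

CUSTOM_SERVICE_DEFAULT = 180   # minutes for a TCP/UDP custom service with no timeout set
NON_TCP_UDP_DEFAULT = 1        # minutes applied to other protocols in multi-service lookups


@dataclass
class Service:
    name: str
    protocol: str                 # "tcp", "udp", "icmp", ...
    dst_low: int = 0
    dst_high: int = 0
    timeout: Optional[int] = None  # custom timeout in minutes; None = use the default

    def matches(self, protocol, dst_port):
        return self.protocol == protocol and self.dst_low <= dst_port <= self.dst_high


class TimeoutTables:
    """One timeout table for TCP and one for UDP, filled in configuration order."""

    def __init__(self):
        self.tables = {"tcp": [], "udp": []}
        self.services = {}

    def set_service(self, svc):
        self.services[svc.name] = svc
        if svc.protocol in self.tables:
            self.tables[svc.protocol].append(svc)

    def table_lookup(self, protocol, dst_port):
        """The latest-configured table entry matching protocol + destination port."""
        for svc in reversed(self.tables.get(protocol, [])):
            if svc.matches(protocol, dst_port):
                return svc
        return None

    def policy_timeout(self, service_names, protocol, dst_port):
        """Timeout (minutes) the device applies to a session matched by a policy."""
        if len(service_names) == 1:
            # A policy that references just one service gets that service's timeout.
            svc = self.services[service_names[0]]
            return svc.timeout if svc.timeout is not None else CUSTOM_SERVICE_DEFAULT
        # Service group, several services or ANY: lookup by protocol + destination port.
        if protocol not in self.tables:
            return NON_TCP_UDP_DEFAULT
        hit = self.table_lookup(protocol, dst_port)
        if hit is None:
            return None
        return hit.timeout if hit.timeout is not None else CUSTOM_SERVICE_DEFAULT


def overlapping_dst_ports(services):
    """Pairs of same-protocol TCP/UDP services whose destination port ranges overlap."""
    pairs = []
    for a, b in combinations(services, 2):
        if (a.protocol == b.protocol and a.protocol in ("tcp", "udp")
                and a.dst_low <= b.dst_high and b.dst_low <= a.dst_high):
            pairs.append((a.name, b.name))
    return pairs


def demo():
    """The ftp-1 / telnet-1 case from the text, defined in the order given there."""
    tables = TimeoutTables()
    ftp_1 = Service("ftp-1", "tcp", 2121, 2121, timeout=20)
    telnet_1 = Service("telnet-1", "tcp", 2100, 2148, timeout=15)
    tables.set_service(ftp_1)
    tables.set_service(telnet_1)
    alone = tables.policy_timeout(["ftp-1"], "tcp", 2121)            # 20
    grouped = tables.policy_timeout(["ftp-1", "telnet-1"], "tcp", 2121)  # 15
    return alone, grouped, overlapping_dst_ports([ftp_1, telnet_1])
```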
Example: Setting a Service Timeout

In this example, you change the timeout threshold for the BGP predefined service to 75 minutes:

WebUI

Objects > Services > Predefined > Edit (BGP): Enter the following and then click OK:
Service Timeout: Custom (select), 75 (type)
CLI
set service BGP timeout 75
save

ICMP Services

ScreenOS supports ICMP (Internet Control Message Protocol) as well as several ICMP messages, as predefined or custom services. When configuring a custom ICMP service, you must define a type and code [5]. There are different message types within ICMP. For example:

type 0 = Echo Request message
type 3 = Destination Unreachable message

An ICMP message type can also have a message code. The code provides more specific information on the message. For example:

Message Type        Message Code
5 = Redirect        0 = Redirect Datagram for the Network (or subnet)
                    1 = Redirect Datagram for the Host
                    2 = Redirect Datagram for the Type of Service and Network
                    3 = Redirect Datagram for the Type of Service and Host
11 = Time Exceeded  0 = Time to Live exceeded in Transit
                    1 = Fragment Reassembly Time Exceeded

ScreenOS supports any type or code within the 0-255 range.

5. For more information on ICMP types and codes, refer to RFC 792, “Internet Control Message Protocol”.
Example: Defining an ICMP Service

In this example, you define a custom service named “host-unreachable” using ICMP as the transport protocol. The type is 3 (for Destination Unreachable) and the code is 1 (for Host Unreachable). You set the timeout value at 2 minutes.

WebUI

Objects > Services > Custom: Enter the following, and then click OK:
Service Name: host-unreachable
Service Timeout: Custom (select), 2 (type)
Transport Protocol: ICMP (select)
ICMP Type: 3
ICMP Code: 1
CLI
set service host-unreachable protocol icmp type 3 code 1
set service host-unreachable timeout 2
save

RSH ALG

RSH ALG (Remote Shell application-layer gateway) allows authenticated users to run shell commands on remote hosts. NetScreen devices support the RSH service in Transparent (L2), Route (L3) and NAT modes; but the devices do not support port translation of RSH traffic.

Sun Remote Procedure Call Application Layer Gateway

Sun RPC—also known as Open Network Computing (ONC) RPC—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service's program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

NetScreen devices support Sun RPC as a predefined service, and allow and deny traffic based on a policy you configure. The application layer gateway (ALG) provides the functionality for NetScreen devices to handle the dynamic transport address negotiation mechanism of Sun RPC, and to ensure program number-based firewall policy enforcement. You can define a firewall policy to permit or deny all RPC requests, or to permit or deny by specific program number. The ALG also supports Route and NAT mode for incoming and outgoing requests.

Typical RPC Call Scenarios

When a client calls a remote service, it needs to find the transport address of the service—in the case of TCP/UDP, this is a port number. A typical procedure for this case is as follows:

1. The client sends the GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, and version and procedure number of the remote service it wants to call.
2. The RPCBIND service replies with a port number.
3. The client calls the remote service using the port number returned.
4. The remote service replies to the client.
A client also can use the CALLIT message to call the remote service directly, without knowing the port number of the service. In this case, the procedure is as follows:

1. The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, and the version and procedure number of the remote service it wants to call.
2. RPCBIND calls the service for the client.
3. RPCBIND replies to the client if the call has been successful. The reply contains the call result and the service's port number.
Sun RPC Services

The following table lists predefined Sun RPC services.

Name                Program Number  Description
SUN-RPC-PORTMAPPER  100000          Sun RPC Portmapper Protocol, this is TCP/UDP port based service, including TCP/UDP port 111. All the other services in this table are program number based.
SUN-RPC-ANY         N/A             Any Sun RPC service
SUN-RPC-MOUNTD      100005          Sun RPC Mount Daemon
SUN-RPC-NFS         100003, 100227  Sun RPC Network File System
SUN-RPC-NLOCKMGR    100021          Sun RPC Network Lock Manager
SUN-RPC-RQUOTAD     100011          Sun RPC Remote Quota Daemon
SUN-RPC-RSTATD      100001          Sun RPC Remote Status Daemon
SUN-RPC-RUSERD      100002          Sun RPC Remote User Daemon
SUN-RPC-SADMIND     100232          Sun RPC System Administration Daemon
SUN-RPC-SPRAYD      100012          Sun RPC SPRAY Daemon
SUN-RPC-STATUS      100024          Sun RPC STATUS
SUN-RPC-WALLD       100008          Sun RPC WALL Daemon
SUN-RPC-YPBIND      100007          Sun RPC Yellow Page Bind Service

Example: Sun RPC Services

Because Sun RPC services use dynamically negotiated ports, you can not use regular service objects based on fixed TCP/UDP ports to permit them in security policy. Instead, you must create sun-rpc service objects using program numbers. For example, NFS uses two program numbers: 100003 and 100227. The corresponding TCP/UDP ports are dynamic. In order to permit the program numbers, you create a sun-rpc-nfs service object that contains these two numbers. The ALG maps the program numbers into dynamically negotiated TCP/UDP ports, and permits or denies the service based on a policy you configure.

In this example, you create a service object called my-sunrpc-nfs to use the Sun RPC Network File System, which is identified by two Program IDs: 100003 and 100227.

WebUI

Objects > Services > Sun RPC Services > New: Enter the following, and then click Apply:

Service Name: my-sunrpc-nfs
Service Timeout: (select)
Program ID Low: 100003
Program ID High: 100003
Program ID Low: 100227
Program ID High: 100227
CLI

set service my-sunrpc-nfs protocol sun-rpc program 100003-100003
set service my-sunrpc-nfs + sun-rpc program 100227-100227
save

Microsoft Remote Procedure Call Application Layer Gateway

MS RPC is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC (see “Sun Remote Procedure Call Application Layer Gateway” on page 156), MS RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program's Universal Unique IDentifier (UUID). The Endpoint Mapper binding protocol is defined in ScreenOS to map the specific UUID to a transport address.

NetScreen devices support MS RPC as a predefined service, and allow and deny traffic based on a policy you configure. The ALG provides the functionality for NetScreen devices to handle the dynamic transport address negotiation mechanism of MS RPC, and to ensure UUID-based firewall policy enforcement. You can define a firewall policy to permit or deny all RPC requests, or to permit or deny by specific UUID number. The ALG also supports Route and NAT mode for incoming and outgoing requests.
MS RPC Services

The following table lists predefined MS RPC services:

Name                    UUID                                   Description
MS-RPC-EPM              e1af8308-5d1f-11c9-91a4-08002b14a0fa   Microsoft Remote Procedure Call (RPC) Endpoint Mapper (EPM) Protocol, a TCP/UDP port based service, including TCP/UDP port 135. All the other services in this table are UUID based.
MS-RPC-ANY              N/A                                    Any Microsoft Remote Procedure Call (RPC) Services
MS-AD-BR                ecec0d70-a603-11d0-96b1-00a0c91ece30   Microsoft Active Directory Backup and Restore Services
                        16e0cf3a-a604-11d0-96b1-00a0c91ece30
MS-AD-DRSUAPI           e3514235-4b06-11d1-ab04-00c04fc2dcd2   Microsoft Active Directory Replication Service
MS-AD-DSROLE            1cbcad78-df0b-4934-b558-87839ea501c9   Microsoft Active Directory DSROLE Service
MS-AD-DSSETUP           3919286a-b10c-11d0-9ba8-00c04fd92ef5   Microsoft Active Directory Setup Service
MS-DTC                  906b0ce0-c70b-1067-b317-00dd010662da   Microsoft Distributed Transaction Coordinator Service
MS-EXCHANGE-DATABASE    1a190310-bb9c-11cd-90f8-00aa00466520   Microsoft Exchange Database Service
MS-EXCHANGE-DIRECTORY   f5cc5a18-4264-101a-8c59-08002b2f8426   Microsoft Exchange Directory Service
                        f5cc5a7c-4264-101a-8c59-08002b2f8426
                        f5cc59b4-4264-101a-8c59-08002b2f8426
MS-EXCHANGE-INFO-STORE  0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde   Microsoft Exchange Information Store Service
                        1453c42c-0fa6-11d2-a910-00c04f990f3b
                        10f24e8e-0fa6-11d2-a910-00c04f990f3b
                        1544f5e0-613c-11d1-93df-00c04fd7bd09
MS-EXCHANGE-MTA         9e8ee830-4459-11ce-979b-00aa005ffebe   Microsoft Exchange MTA Service
                        38a94e72-a9bc-11d2-8faf-00c04fa378ff
MS-EXCHANGE-STORE       99e66040-b032-11d0-97a4-00c04fd6551d   Microsoft Exchange Store Service
                        89742ace-a9ed-11cf-9c0c-08002be7ae86
                        a4f1db00-ca47-1067-b31e-00dd010662da
                        a4f1db00-ca47-1067-b31f-00dd010662da
MS-EXCHANGE-SYSATD      67df7c70-0f04-11ce-b13f-00aa003bac6c   Microsoft Exchange System Attendant Service
                        f930c514-1215-11d3-99a5-00a0c9b61b04
                        83d72bf0-0d89-11ce-b13f-00aa003bac6c
                        469d6ec0-0d87-11ce-b13f-00aa003bac6c
                        06ed1d30-d3d3-11cd-b80e-00aa004b9c30
MS-FRS                  f5cc59b4-4264-101a-8c59-08002b2f8426   Microsoft File Replication Service
                        d049b186-814f-11d1-9a3c-00c04fc9b232
                        a00c021c-2be2-11d2-b678-0000f87a8f8e
MS-IIS-COM              70b51430-b6ca-11d0-b9b9-00a0c922e750   Microsoft Internet Information Server COM GUID/UUID Service
                        a9e69612-b80d-11d0-b9b9-00a0c922e70
MS-IIS-IMAP4            2465e9e0-a873-11d0-930b-00a0c90ab17c   Microsoft Internet Information Server IMAP4 Service
MS-IIS-INETINFO         82ad4280-036b-11cf-972c-00aa006887b0   Microsoft Internet Information Server INETINFO Service
MS-IIS-NNTP             4f82f460-0e21-11cf-909e-00805f48a135   Microsoft Internet Information Server NNTP Service
MS-IIS-POP3             1be617c0-31a5-11cf-a7d8-00805f48a135   Microsoft Internet Information Server POP3 Service
MS-IIS-SMTP             8cfb5d70-31a4-11cf-a7d8-00805f48a135   Microsoft Internet Information Server SMTP Service
MS-ISMSERV              68dcd486-669e-11d1-ab0c-00c04fc2dcd2   Microsoft Inter-site Messaging Service
                        130ceefb-e466-11d1-b78b-00c04fa32883
MS-MESSENGER            17fdd703-1827-4e34-79d4-24a55c53bb37   Microsoft Messenger Service
                        5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
MS-MQQM                 fdb3a030-065f-11d1-bb9b-00a024ea5525   Microsoft Windows Message Queue Management Service
                        76d12b80-3467-11d3-91ff-0090272f9ea3
                        1088a980-eae5-11d0-8d9b-00a02453c335
                        b5b3580-b0e0-11d1-b92d-0060081e87f0
                        41208ee0-e970-11d1-9b9e-00e02c064c39
MS-NETLOGON             12345678-1234-abcd-ef00-01234567cffb   Microsoft Netlogon Service
MS-SCHEDULER            1ff70682-0a51-30e8-076d-740be8cee98b   Microsoft Scheduler Service
                        378e52b0-c0a9-11cf-822d-00aa0051e40f
                        0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
MS-WIN-DNS              50abc2a4-574d-40b3-9d66-ee4fd5fba076   Microsoft Windows DNS Server
MS-WINS                 45f52c28-7f9f-101a-b52b-08002b2efabe   Microsoft WINS Service
                        811109bf-a4e1-11d1-ab54-00a0c91e9b45
Micro
Name UUID Desc
MS RPC Service Groups

The following table lists predefined MS RPC service groups.

Name | Description
MS-AD | Microsoft Active Directory, including MS-AD-BR, MS-AD-DRSUAPI, MS-AD-DSROLE and MS-AD-DSSETUP
MS-EXCHANGE | Microsoft Exchange, including MS-EXCHANGE-DATABASE, MS-EXCHANGE-DIRECTORY, MS-EXCHANGE-INFO-STORE, MS-EXCHANGE-MTA, MS-EXCHANGE-STORE and MS-EXCHANGE-SYSATD
MS-IIS | Microsoft Internet Information Server, including MS-IIS-COM, MS-IIS-IMAP4, MS-IIS-INETINFO, MS-IIS-NNTP, MS-IIS-POP3 and MS-IIS-SMTP

Example: Services for MS RPC

Because MS RPC services use dynamically negotiated ports, you cannot use regular service objects based on fixed TCP/UDP ports to permit them in a security policy. Instead, you must create MS RPC service objects using UUIDs. The MS Exchange Info Store service, for example, uses the following four UUIDs:

• 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
• 1453c42c-0fa6-11d2-a910-00c04f990f3b
• 10f24e8e-0fa6-11d2-a910-00c04f990f3b
• 1544f5e0-613c-11d1-93df-00c04fd7bd09

The corresponding TCP/UDP ports are dynamic. To permit them, you create an ms-rpc service object that contains these four UUIDs. The ALG learns from the Endpoint Mapper exchange which dynamically negotiated TCP/UDP ports correspond to these four UUIDs, and permits or denies the service based on a policy you configure. In this example, you create a service object called my-ex-info-store that includes the UUIDs for the MS Exchange Info Store service. A service object only takes effect once a policy references it; a policy that permits a broader object such as MS-RPC-ANY would admit every RPC interface, so reference the narrow object you created.

WebUI

Objects > Services > MS RPC: Enter the following, and then click Apply:
    Service Name: my-ex-info-store
    UUID: 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
    UUID: 1453c42c-0fa6-11d2-a910-00c04f990f3b
    UUID: 10f24e8e-0fa6-11d2-a910-00c04f990f3b
    UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09

CLI

    set service my-ex-info-store protocol ms-rpc uuid 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
    set service my-ex-info-store + ms-rpc uuid 1453c42c-0fa6-11d2-a910-00c04f990f3b
    set service my-ex-info-store + ms-rpc uuid 10f24e8e-0fa6-11d2-a910-00c04f990f3b
    set service my-ex-info-store + ms-rpc uuid 1544f5e0-613c-11d1-93df-00c04fd7bd09
    save
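What a UUID-based service object actually matches on is the interface UUID carried in the client's DCE/RPC bind PDU, not a port. The following is an added example, not code from the ScreenOS manual or the NetScreen ALG: it constructs sample bind PDUs (the connection-oriented bind layout from DCE/RPC C706, little-endian only), parses the requested interface UUIDs back out, and makes a permit/deny decision against the my-ex-info-store object defined above. The service object and its UUIDs come from the manual; the function names, the constructed PDUs and the rule that every presentation context in the bind must be covered by the service object are this example's own choices.

```python
"""Added example (not from the ScreenOS manual): match the interface UUID in a
DCE/RPC bind PDU against a UUID-based MS RPC service object."""
import struct
import uuid

PTYPE_BIND = 11            # bind PDU type
PTYPE_ALTER_CONTEXT = 14   # alter_context PDU type (also carries presentation contexts)
NDR_TRANSFER_SYNTAX = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")

# UUID-based service objects, as created with "set service <name> protocol ms-rpc uuid <uuid>".
SERVICE_OBJECTS = {
    "my-ex-info-store": {
        "0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde",
        "1453c42c-0fa6-11d2-a910-00c04f990f3b",
        "10f24e8e-0fa6-11d2-a910-00c04f990f3b",
        "1544f5e0-613c-11d1-93df-00c04fd7bd09",
    },
    "MS-RPC-EPM": {"e1af8308-5d1f-11c9-91a4-08002b14a0fa"},
}


def build_bind(interfaces, call_id=1):
    """Construct a minimal little-endian DCE/RPC bind PDU (sample input only).

    interfaces: list of (interface UUID string, major version, minor version).
    """
    body = struct.pack("<HHI", 5840, 5840, 0)          # max_xmit_frag, max_recv_frag, assoc_group_id
    body += struct.pack("<B3x", len(interfaces))       # n_context_elem + 3 reserved bytes
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        body += struct.pack("<HBx", ctx_id, 1)         # p_cont_id, n_transfer_syn, reserved
        body += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)
        body += NDR_TRANSFER_SYNTAX.bytes_le + struct.pack("<I", 2)
    # rpc_vers=5, minor=0, ptype, pfc_flags=FIRST|LAST, drep=0x10 (little-endian, ASCII),
    # frag_length, auth_length=0, call_id
    header = struct.pack("<BBBBIHHI", 5, 0, PTYPE_BIND, 0x03, 0x10, 16 + len(body), 0, call_id)
    return header + body


def parse_bind_interfaces(pdu):
    """Return [(uuid, major, minor), ...] for every presentation context in a bind.

    Raises ValueError for anything that is not a well-formed little-endian bind.
    """
    if len(pdu) < 28:
        raise ValueError("PDU too short for a bind header")
    ver, _minor, ptype, _flags, drep, frag_len, _auth, _cid = struct.unpack("<BBBBIHHI", pdu[:16])
    if ver != 5 or ptype not in (PTYPE_BIND, PTYPE_ALTER_CONTEXT):
        raise ValueError("not a bind or alter_context PDU")
    if (drep & 0xF0) != 0x10:
        raise ValueError("big-endian data representation not handled here")
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match the bytes received")
    n_ctx = pdu[24]                                      # n_context_elem
    offset = 28                                          # first p_cont_elem_t
    interfaces = []
    for _ in range(n_ctx):
        if offset + 24 > len(pdu):
            raise ValueError("truncated presentation context")
        _ctx_id, n_transfer = struct.unpack_from("<HBx", pdu, offset)
        iface = uuid.UUID(bytes_le=pdu[offset + 4:offset + 20])
        major, minor = struct.unpack_from("<HH", pdu, offset + 20)
        offset += 24 + 20 * n_transfer                   # skip transfer syntaxes (16 + 4 bytes each)
        if offset > len(pdu):
            raise ValueError("truncated transfer syntax list")
        interfaces.append((str(iface), major, minor))
    return interfaces


def policy_decision(pdu, service_name):
    """Permit only if the bind parses and every requested interface is in the service object.

    Requiring every context to match (not just one) is this example's choice: one bind can
    carry several contexts, and a permissive match would let an unrelated interface ride
    along on a connection admitted for my-ex-info-store.
    """
    try:
        interfaces = parse_bind_interfaces(pdu)
    except ValueError:
        return "deny"
    allowed = SERVICE_OBJECTS[service_name]
    if interfaces and all(u in allowed for u, _major, _minor in interfaces):
        return "permit"
    return "deny"


# Constructed sample traffic: a bind to the Exchange information store interface, a bind to
# the Endpoint Mapper interface, and a bind that asks for both in one PDU.
EXCHANGE_BIND = build_bind([("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde", 1, 0)])
EPM_BIND = build_bind([("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3, 0)])
MIXED_BIND = build_bind([("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde", 1, 0),
                         ("e1af8308-5d1f-11c9-91a4-08002b14a0fa", 3, 0)])

if __name__ == "__main__":
    for name, pdu in (("exchange", EXCHANGE_BIND), ("epm", EPM_BIND), ("mixed", MIXED_BIND)):
        print(name, parse_bind_interfaces(pdu), policy_decision(pdu, "my-ex-info-store"))
```

The frag_length check matters: a bind whose declared length disagrees with the bytes on the wire is rejected rather than parsed on a best-effort basis, and a truncated or malformed PDU falls through to deny, which is the behaviour you want from anything that gates a dynamic-port service.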
Real Time Streaming Protocol Application Layer Gateway

RTSP is an application-layer protocol used to control delivery of one or more synchronized streams of multimedia, such as audio and video. Although RTSP is capable of delivering the data streams itself—interleaving the continuous media streams with the control stream—it is more typically used as a kind of "network remote control" for multimedia servers. The protocol was designed as a means for selecting delivery channels, such as UDP, multicast UDP, and TCP, and for selecting delivery mechanism based on the Real Time Protocol (RTP). RTSP may also use the Session Description Protocol (SDP) (see "SDP" on page 201) as a means of providing information to the client for aggregate control of a presentation composed of streams from one or more servers, and non-aggregate control of a presentation composed of multiple streams from a single server. The sources of data can be live feeds or stored clips.

NetScreen devices support RTSP as a service, and allow or deny RTSP traffic based on a policy you configure. The ALG is needed because RTSP uses dynamically assigned port numbers that are conveyed in the packet payload during control connection establishment. The ALG keeps track of the dynamically assigned port numbers and opens pinholes accordingly (see "Pinhole Creation" on page 202). In NAT mode, the ALG translates IP addresses and ports if necessary. NetScreen devices support RTSP in Route mode, Transparent mode, and in both interface-based and policy-based NAT mode.

The following illustration diagrams a typical RTSP session. The client initiates the session (when the user clicks the Play button on a RealPlayer, for example) and establishes a TCP connection to the RTSP server on port 554, then sends the OPTIONS message (messages are also called methods) to find out what audio and video features the server supports. The server responds to the OPTIONS message by specifying the name and version of the server, and a session identifier, for example, 24256-1. (For more information about methods, see "RTSP Request Methods" on page 167, and RFC 2326, section 11.)

The client then sends the DESCRIBE message with the URL of the actual media file it wants. The server responds to the DESCRIBE message with a description of the media using the SDP format. The client then sends the SETUP message, which specifies the transport mechanisms acceptable to the client for streamed media, for example RTP/RTCP or RDT, and the ports on which it will receive the media. When using NAT, the RTSP ALG keeps track of these ports and translates them as necessary. The server responds to the SETUP method and selects one of the transport protocols, and in this way both client and server agree on a mechanism for media transport. The client then sends the PLAY method, and the server begins streaming the media to the client.

[Figure: RTSP session between a RealPlayer client (port 3408), the NetScreen device, and a Real Media server (RTSP port 554, media from port 9086). Message sequence:]
1. SYN (port 3408 to RTSP port 554)
2. SYN ACK
3. ACK
4. OPTIONS (what is supported)
5. RTSP OK (session 24256-1 created)
6. DESCRIBE (media presentation)
7. RTSP OK (with SDP of media presentation)
8. SDP (continued)
9. SETUP (client listens on 6970 for media)
10. RTSP OK (session 24256-1 from port 9086)
11. SET_PARAM
12. RTSP OK
13. PLAY
14. RTSP OK (RTP information specified)
15. RTP data sent from server port 9086 to client port 6970
16. Occasional RTCP data
17. TEARDOWN
18. RTSP OK
19. TCP RST
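The SETUP exchange (steps 9 and 10 above) is the moment the ALG has to act: the ports the media will use exist only inside the RTSP payload. The following is an added example, not code from the ScreenOS manual or the NetScreen RTSP ALG. It parses a SETUP request and its reply, reads client_port and server_port from the Transport header, derives the UDP pinholes to open, and, for a client behind NAT, translates the client side and rewrites the outbound SETUP so the server streams to the translated ports. The messages, addresses and NAT mapping are constructed for illustration; the port numbers follow the session diagram above, while the function names and the (public_ip, port_base) model of a port-translating DIP are this example's own assumptions.

```python
"""Added example (not from the ScreenOS manual): RTSP ALG pinhole bookkeeping
for one SETUP exchange, with and without NAT on the client side."""
import re


def parse_rtsp_message(raw):
    """Split an RTSP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def parse_transport(value):
    """Parse the first transport-spec of a Transport header into (spec, {param: value}).

    Flag parameters such as "unicast" map to True; valued ones keep their string.
    """
    first = value.split(",")[0]
    parts = [p.strip() for p in first.split(";")]
    params = {}
    for p in parts[1:]:
        name, _, val = p.partition("=")
        params[name.lower()] = val or True
    return parts[0].upper(), params


def port_range(text):
    """'6970-6971' -> (6970, 6971); a single port yields (p, p). Rejects junk."""
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 0 < lo <= hi < 65536:
        raise ValueError("bad port range: %r" % text)
    return lo, hi


def rtsp_pinholes(setup_req, setup_resp, client_ip, server_ip, nat=None):
    """Return {"session": id, "pinholes": [...]} for one SETUP exchange.

    Each pinhole is a UDP flow from the server's media port to the client's port.
    nat=(public_ip, port_base) models a DIP with port translation: the server then sends
    to public_ip:port_base+i, which the device maps back to client_ip:client_port+i.
    """
    req_line, req_hdrs, _ = parse_rtsp_message(setup_req)
    status_line, resp_hdrs, _ = parse_rtsp_message(setup_resp)
    if not req_line.startswith("SETUP "):
        raise ValueError("not a SETUP request")
    if status_line.split(" ", 2)[1] != "200":
        return {"session": None, "pinholes": []}        # server refused: open nothing
    spec, params = parse_transport(resp_hdrs.get("transport") or req_hdrs["transport"])
    if not spec.startswith("RTP/AVP") or "unicast" not in params:
        raise ValueError("this example handles unicast RTP/AVP over UDP only")
    client_ports = params.get("client_port") or parse_transport(req_hdrs["transport"])[1]["client_port"]
    c_lo, c_hi = port_range(client_ports)
    s_lo, s_hi = port_range(params["server_port"])
    if c_hi - c_lo != s_hi - s_lo:
        raise ValueError("client_port and server_port ranges differ in size")
    pinholes = []
    for i in range(s_hi - s_lo + 1):                     # i=0 is RTP, i=1 is RTCP
        hole = {"proto": "udp", "src": server_ip, "sport": s_lo + i,
                "dst": client_ip, "dport": c_lo + i}
        if nat:
            public_ip, base = nat
            hole.update(dst=public_ip, dport=base + i, xlate_to=(client_ip, c_lo + i))
        pinholes.append(hole)
    session = resp_hdrs.get("session", "").split(";")[0] or None
    return {"session": session, "pinholes": pinholes}


def rewrite_client_port(setup_req, new_lo):
    """Rewrite client_port in the outbound SETUP so the server targets the translated ports."""
    def repl(match):
        lo, hi = port_range(match.group(1))
        return "client_port=%d-%d" % (new_lo, new_lo + (hi - lo))
    return re.sub(r"client_port=(\d+(?:-\d+)?)", repl, setup_req, count=1)


# Constructed sample exchange (port numbers as in the session diagram above).
SETUP_REQ = ("SETUP rtsp://media.example.net/clip.rm/streamid=0 RTSP/1.0\r\n"
             "CSeq: 3\r\n"
             "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
SETUP_OK = ("RTSP/1.0 200 OK\r\n"
            "CSeq: 3\r\n"
            "Session: 24256-1\r\n"
            "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=9086-9087\r\n\r\n")
SETUP_REFUSED = "RTSP/1.0 461 Unsupported transport\r\nCSeq: 3\r\n\r\n"

if __name__ == "__main__":
    # Client 10.1.1.3 behind a port-translating DIP (1.1.1.5); media server 1.1.1.3 outside.
    print(rtsp_pinholes(SETUP_REQ, SETUP_OK, "10.1.1.3", "1.1.1.3", nat=("1.1.1.5", 20000)))
    print(rewrite_client_port(SETUP_REQ, 20000))
```

Two points the code makes explicit: a pinhole is opened only after the server's 200 OK, so a refused SETUP (461 Unsupported transport, from the status table below) leaves nothing open; and each pinhole is narrow, one UDP source port on the server to one UDP port on the client, which is why a stateful firewall can carry RTSP without a standing "allow all high UDP ports" rule.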
RTSP Request Methods

The following table lists methods that can be performed on a resource (media object), the direction or directions in which information flows, and whether the method is required, recommended, or optional. Presentation refers to information such as network addresses, encoding, and content about a set of one or more streams presented to the client as a complete media feed. A Stream is a single media instance, for example audio or video, as well as all packets created by a source within the session.

Method | Direction | Object | Requirement
OPTIONS | Client to Server | Presentation, Stream | Required
OPTIONS | Server to Client | Presentation, Stream | Optional
DESCRIBE | Client to Server | Presentation, Stream | Recommended
ANNOUNCE | Client to Server, Server to Client | Presentation, Stream | Optional
SETUP | Client to Server | Stream | Required
GET_PARAMETER | Client to Server, Server to Client | Presentation, Stream | Optional
SET_PARAMETER | Client to Server, Server to Client | Presentation, Stream | Optional
PLAY | Client to Server | Presentation, Stream | Required
PAUSE | Client to Server | Presentation, Stream | Recommended
RECORD | Client to Server | Presentation, Stream | Optional
REDIRECT | Server to Client | Presentation, Stream | Optional
TEARDOWN | Client to Server | Presentation, Stream | Required

Note: Additional methods might be defined in future.
Methods are defined as follows:

• OPTIONS—Client queries the server about what audio or video features it supports, as well as such things as the name and version of the server, and session ID.
• DESCRIBE—For exchange of media initialization information, such as clock rates, color tables, and any transport-independent information the client needs for playback of the media stream. Typically the client sends the URL of the file it is requesting, and the server responds with a description of the media in SDP format. (See "SDP" on page 201.)
• ANNOUNCE—Client uses this method to post a description of the presentation or media object identified by the request URL. The server uses this method to update the session description in real-time.
• SETUP—Client specifies acceptable transport mechanisms to be used, such as the ports on which it will receive the media stream, and the transport protocol.
• GET_PARAMETER—Retrieves the value of a presentation or stream parameter specified in the URI. This method can be used with no entity body to test client or server aliveness. Ping can also be used to test for aliveness.
• SET_PARAMETER—Client uses this method to set the value of a parameter for a presentation or stream specified by the URI. Due to firewall considerations, this method cannot be used to set transport parameters.
• PLAY—Instructs the server to begin sending data using the mechanism specified in SETUP. The client does not issue PLAY requests until all SETUP requests are successful. The server queues PLAY requests in order, and delays executing any new PLAY request until an active PLAY request is completed. PLAY requests may or may not contain a specified range. The range may contain a time parameter—specified in Coordinated Universal Time (UTC)—for start of playback, which can also be used to synchronize streams from different sources.
• PAUSE—Temporarily halts delivery of an active presentation. If the request URL specifies a particular stream, for example audio, this is equivalent to muting. Synchronization of tracks is maintained when playback or recording is resumed, although servers may close the session if PAUSE is for the duration specified in the timeout parameter in SETUP. A PAUSE request discards all queued PLAY requests.
• RECORD—Initiates recording a range of media defined in the presentation description. A UTC timestamp indicates start and end times; otherwise the server uses the start and end times in the presentation description.
• REDIRECT—Informs the client it must connect to a different server, and contains location information and possibly a range parameter for that new URL. To continue to receive media for this URI, the client must issue a TEARDOWN request for the current session and a SETUP for the new session.
• TEARDOWN—Stops stream delivery for the given URI and frees the resources associated with it. Unless all transport parameters are defined by the session description, a SETUP request must be issued before the session can be played again.

RTSP Status Codes

RTSP uses status codes to provide information about client and server requests. Status codes include a machine-readable three digit result code, and a human-readable reason phrase. It is at the client's discretion whether to display the reason phrase. Status codes are classed as follows:

• Informational (100 to 199)—request has been received and is being processed
• Success (200 to 299)—action has been received successfully, understood, and accepted
• Redirection (300 to 399)—further action is necessary to complete the request
• Client Error (400 to 499)—request contains bad syntax and cannot be fulfilled
• Server Error (500 to 599)—server failed to fulfill an apparently valid request

The following table lists all status codes defined for RTSP 1.0, and recommended reason phrases. Reason phrases can be revised or redefined without impacting the operation of the protocol.

Status Code | Reason Phrase
100 | Continue
200 | OK
201 | Created
250 | Low on Storage Space
300 | Multiple Choices
301 | Moved Permanently
303 | See Other
304 | Not Modified
305 | Use Proxy
400 | Bad Request
401 | Unauthorized
402 | Payment Required
403 | Forbidden
404 | Not Found
405 | Method Not Allowed
406 | Not Acceptable
407 | Proxy Authentication Required
408 | Request Time-out
410 | Gone
411 | Length Required
412 | Precondition Failed
413 | Request Entity Too Large
414 | Request-URI Too Large
415 | Unsupported Media Type
451 | Parameter Not Understood
452 | Conference Not Found
453 | Not Enough Bandwidth
454 | Session Not Found
455 | Method Not Valid in This State
456 | Header Field Not Valid for Resource
457 | Invalid Range
458 | Parameter Is Read-Only
459 | Aggregate operation not allowed
460 | Only aggregate operation allowed
461 | Unsupported transport
462 | Destination unreachable
500 | Internal Server Error
501 | Not Implemented
502 | Bad Gateway
503 | Service Unavailable
504 | Gateway Time-out
505 | RTSP Version not supported
551 | Option not supported

Note: For complete definitions of status codes, see RFC 2326, "Real Time Streaming Protocol (RTSP)".
Example: Media Server in Private Domain

In this example, the media server is in the Trust zone and the client is in the Untrust zone. You put a MIP on the ethernet3 interface to the media server in the Trust zone, then create a policy to allow RTSP traffic to flow from the client in the Untrust zone to the media server in the Trust zone.

[Figure: Client 1.1.1.5 in the Untrust zone; ethernet3 1.1.1.1 on the NetScreen device; ethernet1 10.1.1.1 toward the Trust LAN; media server 10.1.1.3 in the Trust zone. Virtual device: MIP on ethernet3, 1.1.1.3 -> 10.1.1.3.]

Use a /32 mask for both address objects below; with a /24 mask the entry would match the entire subnet rather than the single host, and the policy would admit RTSP to or from every address on it.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following and then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
    Manage IP: 10.1.1.2
Network > Interfaces > Edit (for ethernet3): Enter the following and then click Apply:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24
    Manage IP: 1.1.1.2

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: media_server
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/32
    Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: client
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.5/32
    Zone: Untrust

3. MIP
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:
    Mapped IP: 1.1.1.3
    Host IP Address: 10.1.1.3

4. Policy
Policies > (From: Untrust, To: Trust) > New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), client
    Destination Address:
        Address Book Entry: (select), MIP(1.1.1.3)
    Service: RTSP
    Action: Permit

CLI

1. Interfaces
    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24
2. Addresses
    set address trust media_server 10.1.1.3/32
    set address untrust client 1.1.1.5/32
3. MIP
    set interface ethernet3 mip 1.1.1.3 host 10.1.1.3
4. Policy
    set policy from untrust to trust client mip(1.1.1.3) rtsp permit
    save
Example: Media Server in Public Domain

In this example, the media server is in the Untrust zone and the client is in the Trust zone. You put a DIP pool on the ethernet3 interface to do NAT when the media server responds to the client from the Untrust zone, then create a policy to allow RTSP traffic to flow from the Trust zone to the Untrust zone. Because the DIP pool uses port translation, the RTSP ALG must rewrite the client_port values in the SETUP request and open pinholes for the translated ports; the policy's NAT settings are what engage it.

[Figure: Client 10.1.1.3 on the Trust LAN; ethernet1 10.1.1.1 and ethernet3 1.1.1.1 on the NetScreen device; DIP pool on ethernet3, 1.1.1.5 to 1.1.1.50; media server 1.1.1.3 in the Untrust zone.]

Use a /32 mask for both address objects below; a /24 mask would match the whole subnet rather than the single host.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
    Manage IP: 10.1.1.2
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click Apply:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24
    Manage IP: 1.1.1.2

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: client
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.3/32
    Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: media_server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.3/32
    Zone: Untrust

3. DIP Pool
Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
    ID: 5
    IP Address Range: (select) 1.1.1.5 ~ 1.1.1.50
    Port Translation: (select)

4. Policy
Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry (select): client
    Destination Address:
        Address Book Entry (select): media_server
    Service: RTSP
    Action: Permit
    > Advanced: Enter the following, and then click OK:
        NAT:
            Source Translation: (select)
            (DIP on): 5 (1.1.1.5-1.1.1.50)/port-xlate

CLI

1. Interfaces
    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24
2. Addresses
    set address trust client 10.1.1.3/32
    set address untrust media_server 1.1.1.3/32
3. DIP Pool
    set interface ethernet3 dip 5 1.1.1.5 1.1.1.50
4. Policy
    set policy from trust to untrust client media_server rtsp nat src dip 5 permit
    save
H.323 Protocol for Voice-over-IP

H.323 protocol lets you secure Voice-over-IP (VoIP) communication between terminal hosts, such as IP phones and multimedia devices. In such a telephony system, gatekeeper devices manage call registration, admission, and call status for VoIP calls. Gatekeepers can reside in two different zones, or in the same zone.

Example: Gatekeeper in the Trust Zone (Transparent or Route Mode)

In the following example, you set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the Trust zone, and an IP phone host (2.2.2.5) in the Untrust zone. In this example, the NetScreen device can be in either Transparent mode or Route mode. Both the Trust and Untrust security zones are in the trust-vr routing domain.

Note: The examples that follow use IP phones for illustrative purposes, although it is possible to make configurations for other hosts that use VoIP protocol, such as NetMeeting© multimedia devices.

[Figure: Trust zone with the gatekeeper and IP phone endpoints; Untrust zone reached across the Internet with the endpoint IP phone 2.2.2.5; H.323 permitted in both directions through the NetScreen device.]

WebUI

1. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: IP_Phone
    IP Address/Domain Name:
        IP/Netmask: (select), 2.2.2.5/32
    Zone: Untrust

2. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), IP_Phone
    Service: H.323
    Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), IP_Phone
    Destination Address:
        Address Book Entry: (select), Any
    Service: H.323
    Action: Permit

CLI

1. Address
    set address untrust IP_Phone 2.2.2.5/32
2. Policies
    set policy from trust to untrust any IP_Phone h.323 permit
    set policy from untrust to trust IP_Phone any h.323 permit
    save

Example: Gatekeeper in the Untrust Zone (Transparent or Route Mode)

Because Transparent mode and Route mode do not require address mapping of any kind, NetScreen device configuration for a gatekeeper in the Untrust zone is usually identical to the configuration for a gatekeeper in the Trust zone.

In the following example, you set up policies to allow H.323 traffic to pass between IP phone hosts in the Trust zone, and the IP phone at IP address 2.2.2.5 (and the gatekeeper at 2.2.2.10) in the Untrust zone. The device can be in Transparent or Route mode. Both the Trust and Untrust security zones are in the trust-vr routing domain.

[Figure: IP phones in the Trust zone LAN; IP phone 2.2.2.5 and the gatekeeper in the Untrust zone.]

WebUI

1. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: IP_Phone
    IP Address/Domain Name:
        IP/Netmask: (select), 2.2.2.5/32
    Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: Gatekeeper
    IP Address/Domain Name:
        IP/Netmask: (select), 2.2.2.10/32
    Zone: Untrust

2. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), IP_Phone
    Service: H.323
    Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), IP_Phone
    Destination Address:
        Address Book Entry: (select), Any
    Service: H.323
    Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Gatekeeper
    Service: H.323
    Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Gatekeeper
    Destination Address:
        Address Book Entry: (select), Any
    Service: H.323
    Action: Permit

CLI

1. Addresses
    set address untrust IP_Phone 2.2.2.5/32
    set address untrust gatekeeper 2.2.2.10/32
2. Policies
    set policy from trust to untrust any IP_Phone h.323 permit
    set policy from trust to untrust any gatekeeper h.323 permit
    set policy from untrust to trust IP_Phone any h.323 permit
    set policy from untrust to trust gatekeeper any h.323 permit
    save
Example: Outgoing Calls with NAT

When the NetScreen device uses NAT (Network Address Translation), a gatekeeper or endpoint device in the Trust zone has a private address, and when it is in the Untrust zone it has a public address. When you set a NetScreen device in NAT mode, you must map a public IP address to each device that needs to receive incoming traffic with a private address.

In this example, the devices in the Trust zone include the endpoint host (10.1.1.5) and the gatekeeper device (10.1.1.25). IP_Phone2 (2.2.2.5) is in the Untrust zone. You configure the NetScreen device to allow traffic between the endpoint host IP_Phone1 and the gatekeeper in the Trust zone and the endpoint host IP_Phone2 in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.

[Figure: Trust zone with Gatekeeper 10.1.1.25 and IP_Phone1 10.1.1.5 behind ethernet1 10.1.1.1/24; ethernet3 1.1.1.1/24 toward the Untrust zone with MIP 1.1.1.25 -> 10.1.1.25 and MIP 1.1.1.5 -> 10.1.1.5; default gateway 1.1.1.250; IP_Phone2 2.2.2.5 in the Untrust zone across the Internet.]

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24
Select the following, and then click OK:
    Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.1.1.1/24

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: IP_Phone1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.5/32
    Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: Gatekeeper
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.1.25/32
    Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
    Address Name: IP_Phone2
    IP Address/Domain Name:
        IP/Netmask: (select), 2.2.2.5/32
    Zone: Untrust

3. Mapped IP Addresses
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:
    Mapped IP: 1.1.1.5
    Netmask: 255.255.255.255
    Host IP Address: 10.1.1.5
    Host Virtual Router Name: trust-vr
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:
    Mapped IP: 1.1.1.25
    Netmask: 255.255.255.255
    Host IP Address: 10.1.1.25
    Host Virtual Router Name: trust-vr

4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: ethernet3
    Gateway IP Address: 1.1.1.250

5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), IP_Phone1
    Destination Address:
        Address Book Entry: (select), IP_Phone2
    Service: H.323
    Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), Gatekeeper
    Destination Address:
        Address Book Entry: (select), IP_Phone2
    Service: H.323
    Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), IP_Phone2
    Destination Address:
        Address Book Entry: (select), MIP(1.1.1.5)
    Service: H.323
    Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
    Source Address:
        Address Book Entry: (select), IP_Phone2
    Destination Address:
        Address Book Entry: (select), MIP(1.1.1.25)
    Service: H.323
    Action: Permit

CLI

1. Interfaces
    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet1 nat
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24
2. Addresses
    set address trust IP_Phone1 10.1.1.5/32
    set address trust gatekeeper 10.1.1.25/32
    set address untrust IP_Phone2 2.2.2.5/32
3. Mapped IP Addresses
    set interface ethernet3 mip 1.1.1.5 host 10.1.1.5
    set interface ethernet3 mip 1.1.1.25 host 10.1.1.25
4. Route
    set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
5. Policies
    set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
    set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
    set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
    set policy from untrust to trust IP_Phone2 mip(1.1.1.25) h.323 permit
    save
Example: Incoming Calls with NATIn this example, you configure the NetScreen device to accept incoming calls over acan create a DIP address pool for dynamically allocating destination addresses. Thisconfigurations, where a DIP pool provides source addresses only.
The name of the DIP pool can be DIP(id_num) for a user-defined DIP, or DIP(interfasame address as an interface IP address. You can use such address entries as destogether with the services H.323, SIP, or other VoIP (Voice-over-IP) protocols, to su
The following example uses DIP in an H.323 VoIP configuration. The keyword “incomthe DIP and interface addresses to the global zone.
Trust Zone Untr
DIP Pool ID 51.1.1.12 ~ 1.1.1.150
ethernet31.1.1.1/24
InternLAN
ethernet110.1.1.1/24
Chapter 5 Building Blocks for Policies Services
188
k Apply :
k OK:
and then click OK :
50
econdary IPs: (select)
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
WebUI
1. InterfacesNetwork > Interfaces > Edit (for ethernet1): Enter the following, and then clic
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK :
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then clic
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
2. DIP with Incoming NATNetwork > Interface > Edit (for ethernet3) > DIP > New: Enter the following,
ID: 5
IP Address Range: (select), 1.1.1.12 ~ 1.1.1.1
Port Translation: (select)
In the same subnet as the interface IP or its s
Incoming NAT: (select)
3. Addresses
Objects > Addresses > List > New (for Trust): Enter the following, and then click OK:
Address Name: IP_Phones1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.5/24
Zone: Trust
Objects > Addresses > List > New (for Untrust): Enter the following, and then click OK:
Address Name: IP_Phone2
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.5/32
Zone: Untrust
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), IP_Phones1
Destination Address:
Address Book Entry: (select), Any
Service: H.323
Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), IP_Phone2
Destination Address:
Address Book Entry: (select), DIP(5)
Service: H.323
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. DIP with Incoming NAT
set interface ethernet3 dip 5 1.1.1.12 1.1.1.150 incoming
3. Addresses
set address trust IP_Phones1 10.1.1.5/24
set address untrust IP_Phone2 2.2.2.5/32
4. Policies
set policy from trust to untrust IP_Phones1 any h.323 nat src dip 5 permit
set policy from untrust to trust IP_Phone2 dip(5) h.323 permit
save
Example: Gatekeeper in the Untrust Zone with NAT
In this example, the gatekeeper device (2.2.2.25) and host IP_Phone2 (2.2.2.5) are in the Untrust zone and host IP_Phone1 (10.1.1.5) is in the Trust zone. You configure the NetScreen device to allow traffic between host IP_Phone1 in the Trust zone, and host IP_Phone2 (and the gatekeeper) in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.
[Figure: Trust zone LAN with IP_Phone1 (10.1.1.5) behind ethernet1 (10.1.1.1/24, NAT mode); MIP 1.1.1.5 -> 10.1.1.5 on ethernet3 (1.1.1.1/24); gateway 1.1.1.250 toward the Internet; Untrust zone with Gatekeeper (2.2.2.25) and IP_Phone2 (2.2.2.5)]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: IP_Phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.5/32
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Gatekeeper
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.25/32
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: IP_Phone2
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.5/32
Zone: Untrust
3. Mapped IP Address
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:
Mapped IP: 1.1.1.5
Netmask: 255.255.255.255
Host IP Address: 10.1.1.5
4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
5. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), IP_Phone1
Destination Address:
Address Book Entry: (select), IP_Phone2
Service: H.323
Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), IP_Phone1
Destination Address:
Address Book Entry: (select), Gatekeeper
Service: H.323
Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), IP_Phone2
Destination Address:
Address Book Entry: (select), MIP(1.1.1.5)
Service: H.323
Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Gatekeeper
Destination Address:
Address Book Entry: (select), MIP(1.1.1.5)
Service: H.323
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. Addresses
set address trust IP_Phone1 10.1.1.5/32
set address untrust gatekeeper 2.2.2.25/32
set address untrust IP_Phone2 2.2.2.5/32
3. Mapped IP Addresses
set interface ethernet3 mip 1.1.1.5 host 10.1.1.5
4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
5. Policies
set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
set policy from trust to untrust IP_Phone1 gatekeeper h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
set policy from untrust to trust gatekeeper mip(1.1.1.5) h.323 permit
save
Session Initiation Protocol (SIP)
The Session Initiation Protocol (SIP) is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.
NetScreen devices support SIP as a service and can screen SIP traffic, allowing and denying it based on a policy that you configure. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port.
Essentially, SIP is used to distribute the session description and, during the session, to negotiate and modify the parameters of the session. SIP is also used to terminate a multimedia session.
A user includes the session description either in an INVITE or an ACK request. A session description indicates the multimedia type of the session, for example, voice or video. SIP can use different description protocols to describe the session; NetScreen supports SDP (Session Description Protocol) only.
SDP provides information that a system can use to join a multimedia session. SDP might include information such as IP addresses, port numbers, times and dates. Note that the IP address and port number in the SDP header (the “c=” and “m=” fields respectively) are the address and port where the client wants to receive the media streams, and not the IP address and port number from which the SIP request originates (although they can be the same). See “SDP” on page 201 for more information.
SIP messages consist of requests from a client to a server and responses to the requests from a server to a client with the purpose of establishing a session (or a call). A User Agent (UA) is an application that runs at the endpoints of the call and consists of two parts: the User Agent Client (UAC) that sends SIP requests on behalf of the user, and a User Agent Server (UAS) that listens to the responses and notifies the user when they arrive. Examples of User Agents are SIP proxy servers and SIP phones.
SIP Request Methods
The SIP transaction model includes a number of request and response messages, each of which contains a method field denoting the purpose of the message. ScreenOS supports the following method types and response codes:
• INVITE—A user sends an INVITE request to invite another user to participate in a session. The body of an INVITE request may contain the description of the session. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• ACK—The user from whom the INVITE originated sends an ACK request to confirm reception of the final response to the INVITE. If the original INVITE request did not contain the session description, the ACK request must include it. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• OPTIONS—Used by the User Agent (UA) to obtain information about the capabilities of the SIP proxy. A server responds with information about what methods, session description protocols, and message encoding it supports. In NAT mode, when the OPTIONS request is sent from a UA outside NAT to a proxy inside NAT, the SIP ALG translates the address in the Request-URI and the IP address in the To: field to the appropriate IP address of the internal client. When the UA is inside NAT and the proxy is outside NAT, the SIP ALG translates the From:, Via:, and Call-ID: fields as shown in the table in “SIP Headers” on page 213.
• BYE—A user sends a BYE request to abandon a session. A BYE request from either user automatically terminates the session. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• CANCEL—A user can send a CANCEL request to cancel a pending INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE had sent a final response for the INVITE before it received the CANCEL. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• REGISTER—A user sends a REGISTER request to a SIP registrar server to inform it of the current location of the user. A SIP registrar server records all the information it receives in REGISTER requests and makes this information available to any SIP server attempting to locate a user. In NAT mode, REGISTER requests are handled as follows:
– REGISTER requests from an external client to an internal Registrar—When the SIP ALG receives the incoming REGISTER request it translates the IP address, if any, in the Request-URI. Incoming
REGISTER messages are allowed only to a MIP or VIP address. No translation is needed for the outgoing response.
– REGISTER requests from an internal client to an external Registrar—When the SIP ALG receives the outgoing REGISTER request it translates the IP addresses in the To:, From:, Via:, Call-ID:, and Contact: header fields. A backward translation is performed for the incoming response.
• Info—Used to communicate mid-session signaling information along the signaling path for the call. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• Subscribe—Used to request current state and state updates from a remote node. In NAT mode, the address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• Notify—Sent to inform subscribers of changes in state to which the subscriber has a subscription. In NAT mode, the IP address in the Request-URI: header field is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• Refer—Used to refer the recipient (identified by the Request-URI) to a third party by the contact information provided in the request. In NAT mode, the IP address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
For example, if user A in a private network refers user B, in a public network, to user C, who is also in the private network, the SIP ALG allocates a new IP address and port number for user C so that user C can be contacted by user B. If user C is registered with a Registrar, however, its port mapping is stored in the ALG NAT table and is reused to perform the translation.
• Update—Used to open a pinhole for new or updated SDP information. The Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in “SIP Headers” on page 213.
• 1xx, 202, 2xx, 3xx, 4xx, 5xx, 6xx Response Codes—Used to indicate the status of a transaction. Header fields are modified as shown in the table in “SIP Headers” on page 213.
Classes of SIP Responses
Response codes indicate the status of a SIP transaction, and consist of codes grouped into the following classes:
• Informational (100 to 199)—request received, continuing to process the request
• Success (200 to 299)—action successfully received, understood, and accepted
• Redirection (300 to 399)—further action required to complete the request
• Client Error (400 to 499)—request contains bad syntax or cannot be fulfilled at this server
• Server Error (500 to 599)—server failed to fulfill an apparently valid request
• Global Failure (600 to 699)—request cannot be fulfilled at any server
The following is the complete list of current SIP response codes. NetScreen supports all of them.
1xx: 100 Trying; 180 Ringing; 181 Call is being forwarded; 182 Queued; 183 Session progress
2xx: 200 OK; 202 Accepted
3xx: 300 Multiple choices; 301 Moved permanently; 302 Moved temporarily; 305 Use proxy; 380 Alternative service
4xx: 400 Bad request; 401 Unauthorized; 402 Payment required; 403 Forbidden; 404 Not found; 405 Method not allowed; 406 Not acceptable; 407 Proxy authentication required; 408 Request time-out; 409 Conflict; 410 Gone; 411 Length required; 413 Request entity too large; 414 Request-URI too large; 415 Unsupported media type; 420 Bad extension; 480 Temporarily not available; 481 Call leg/transaction does not exist; 482 Loop detected; 483 Too many hops; 484 Address incomplete; 485 Ambiguous; 486 Busy here; 487 Request cancelled; 488 Not acceptable here
5xx: 500 Server internal error; 501 Not implemented; 502 Bad gateway; 502 Service unavailable; 504 Gateway time-out; 505 SIP version not supported
6xx: 600 Busy everywhere; 603 Decline; 604 Does not exist anywhere; 606 Not acceptable
ALG – Application-Layer Gateway
There are two types of SIP traffic, the signaling and the media stream. SIP signaling traffic consists of request and response messages between client and server and uses transport protocols such as UDP or TCP. The media stream carries the data (for example, audio data), and uses application layer protocols such as RTP (Real-time Transport Protocol) over UDP.
NetScreen devices support SIP signaling messages on port 5060. You can simply create a policy that permits SIP service and the NetScreen device filters SIP signaling traffic like any other type of traffic, permitting or denying it. The media stream, however, uses dynamically assigned port numbers that can change several times during the course of a call. Without fixed ports, it is impossible to create a static policy to control the media traffic. In this case, the NetScreen device invokes the SIP ALG. The SIP ALG reads SIP messages and their SDP content and extracts the port number information it needs to dynamically open pinholes6 and let the media stream traverse the NetScreen device.
The SIP ALG monitors SIP transactions and dynamically creates and manages pinholes based on the information it extracts from these transactions. The NetScreen SIP ALG supports all SIP methods and responses (see “SIP Request Methods” on page 197 and “Classes of SIP Responses” on page 199). You can allow SIP transactions to traverse the NetScreen firewall by creating a static policy that permits SIP service. This policy enables the NetScreen device to intercept SIP traffic and do one of the following actions: permit or deny the traffic, or enable the SIP ALG to open pinholes to pass the media stream. The SIP ALG needs to open pinholes only for the SIP requests and responses that contain media information (SDP). For SIP messages that do not contain SDP, the NetScreen device simply lets them through.
6. We refer to a pinhole as the limited opening of a port to allow exclusive traffic.
The SIP ALG intercepts SIP messages that contain SDP, and using a parser, extracts the information it requires to create pinholes. The SIP ALG examines the SDP portion of the packet and a parser extracts information such as IP addresses and port numbers, which the SIP ALG records in a pinhole table. The SIP ALG uses the IP addresses and port numbers recorded in the pinhole table to open pinholes and allow media streams to traverse the NetScreen device.
SDP
An SDP session description is text-based and consists of a set of lines. It can contain session-level and media-level information. The session-level information applies to the whole session, while the media-level information applies to a particular media stream. An SDP session description always contains session-level information, which appears at the beginning of the description, and might contain media-level information7, which comes after.
Of the many fields in the SDP description, two are particularly useful to the SIP ALG because they contain transport layer information. The two fields are the following:
• c= for connection information
This field can appear at the session or media level. It displays in this format:
c=<network type> <address type> <connection address>
Currently, the NetScreen device supports only “IN” (for Internet) as the network type, “IP4” as the address type, and a unicast IP address8 or domain name as the destination (connection) IP address.
If the destination IP address is a unicast IP address, the SIP ALG creates pinholes using the IP address and port numbers specified in the media description field m=.
Note: NetScreen devices do not support encrypted SDP. If a NetScreen device receives a SIP message in which SDP is encrypted, the SIP ALG permits it through the firewall anyway, but generates a log message informing the user that it cannot process the packet. If SDP is encrypted, the SIP ALG cannot extract the information it needs from SDP to open pinholes. As a result, the media content that SDP describes cannot traverse the NetScreen device.
7. In the SDP session description, the media-level information begins with the m= field.
8. Generally, the destination IP address can also be a multicast IP address, but NetScreen does not currently support multicast with SIP.
• m= for media announcement
This field appears at the media level and contains the description of the media. It displays in this format:
m=<media> <port> <transport> <fmt list>
Currently, the NetScreen device supports only “audio” as the media and “RTP” as the application layer transport protocol. The port number indicates the destination of the media stream (and not the origin of the media stream). The format list (fmt list) provides information on the application layer protocol that the media uses.
In this release of ScreenOS, the NetScreen device opens ports only for RTP and RTCP. Every RTP session has a corresponding RTCP9 (Real-time Transport Control Protocol) session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number.
Pinhole Creation
Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):
– First, the SIP ALG parser verifies if there is a c= field containing an IP address in the media level. If there is one, the parser extracts that IP address and the SIP ALG uses it to create a pinhole for the media.
– If there is no c= field in the media level, the SIP ALG parser extracts the IP address from the c= field in the session level and the SIP ALG uses it to create a pinhole for the media. If the session description does not contain a c= field in either level, this indicates an error in the protocol stack and the NetScreen device drops the packet and logs the event.
9. RTCP provides media synchronization and information about the members of the session and the quality of the communication.
The following lists the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the NetScreen device:
– Protocol: UDP
– Source IP: unknown
– Source port: unknown
– Destination IP: The parser extracts the destination IP address from the c= field in the media or session level.
– Destination port: The parser extracts the destination port number for RTP from the m= field in the media level and calculates the destination port number for RTCP using this formula: RTP port number + one.
– Lifetime: This value indicates the length of time (in seconds), during which a pinhole is open to allow a packet through. A packet must go through the pinhole before the lifetime expires. When the lifetime expires, the SIP ALG removes the pinhole.
When a packet goes through the pinhole within the lifetime period, immediately after, the SIP ALG removes the pinhole for the direction from which the packet came.
The following illustration describes a call setup between two SIP clients and how the SIP ALG creates pinholes to allow RTP and RTCP traffic. The illustration assumes that the NetScreen device has a policy that permits SIP, thus opening port 5060 for SIP signaling messages.
[Figure: SIP Client A (1.1.1.1) in the Trust zone, the NetScreen device, the SIP proxy, and SIP Client B (2.2.2.2) in the Untrust zone. The numbered steps of the call setup are:]
1. Client A sends an “INVITE” request destined for Client B to the SIP proxy through port 5060 on the NetScreen device. SDP: 1.1.1.1:2000 (IP address:port number)
2. Per the SDP, the SIP ALG creates a pinhole for 1.1.1.1:2000 (Pinhole 1)
3. The SIP proxy forwards the “INVITE” request to Client B
4. Client B replies to the SIP proxy with a “Ringing” response
5. The SIP proxy forwards the “Ringing” response from Client B to Client A through port 5060 on the NetScreen device
6. Client B sends a “200 OK” response to the SIP proxy in reply to the INVITE request. SDP: 2.2.2.2:3000 (IP address:port number)
7. Per the SDP, the SIP ALG creates a pinhole for 2.2.2.2:3000 (Pinhole 2)
8. The SIP proxy forwards the “200 OK” response from Client B to Client A through the NetScreen device
9. Client A sends an “ACK” response destined for Client B to the SIP proxy through port 5060 on the NetScreen device
10. The SIP proxy forwards the “ACK” response to Client B
11. Client B sends media (RTP/RTCP traffic) to Client A through Pinhole 1
12. Client A sends media (RTP/RTCP traffic) to Client B through Pinhole 2
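The pinhole rules above (media-level c= before session-level c=, RTP and RTCP = RTP + 1, drop and log when no c= exists) applied to SDP bodies like those in the call setup just shown, as an added example that is not ScreenOS or Juniper code. It also handles the on-hold case (connection address 0.0.0.0) described in the Session Inactivity Timeout note; the lifetime value and the SDP bodies are constructed for the example.

```python
# Added example, not ScreenOS code: derive SIP ALG pinhole entries from an SDP body.
from dataclasses import dataclass
from ipaddress import IPv4Address, AddressValueError

DEFAULT_LIFETIME = 120  # seconds; constructed value for this example, not a ScreenOS default


@dataclass(frozen=True)
class Pinhole:
    proto: str      # always UDP for RTP/RTCP
    dst_ip: str     # media-level c= address, else the session-level one
    dst_port: int   # RTP port from m=, RTCP port = RTP port + 1
    lifetime: int   # seconds the pinhole stays open waiting for a packet


class SdpError(ValueError):
    """Condition under which the ALG drops the packet and logs the event."""


def parse_connection(value):
    """Parse 'c=<network type> <address type> <connection address>'."""
    parts = value.split()
    if len(parts) != 3:
        raise SdpError("malformed c= field: %r" % value)
    nettype, addrtype, addr = parts
    if nettype != "IN" or addrtype != "IP4":
        raise SdpError("unsupported network/address type: %s %s" % (nettype, addrtype))
    return addr


def is_unicast(addr):
    """Multicast connection addresses are unsupported; domain names are treated as unicast."""
    try:
        return not IPv4Address(addr).is_multicast
    except AddressValueError:
        return True


def pinholes_from_sdp(sdp, lifetime=DEFAULT_LIFETIME):
    """Return the pinholes the ALG needs for every audio/RTP stream in the SDP body."""
    session_ip = None
    media_blocks = []
    current = None
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue  # blank or non-SDP line
        key, value = line[0], line[2:]
        if key == "m":
            current = {"m": value, "c": None}
            media_blocks.append(current)
        elif key == "c":
            if current is None:
                session_ip = parse_connection(value)    # session level
            else:
                current["c"] = parse_connection(value)  # media level
    holes = []
    for block in media_blocks:
        fields = block["m"].split()
        if len(fields) < 3:
            raise SdpError("malformed m= field: %r" % block["m"])
        media, port, transport = fields[0], fields[1], fields[2]
        if media != "audio" or not transport.startswith("RTP/"):
            continue  # only audio over RTP is handled
        dst_ip = block["c"] or session_ip  # media-level c= takes precedence
        if dst_ip is None:
            raise SdpError("no c= field at media or session level")
        if dst_ip == "0.0.0.0" or not is_unicast(dst_ip):
            continue  # session on hold, or multicast: no pinhole
        rtp_port = int(port.split("/")[0])  # SDP allows a 'port/count' form
        holes.append(Pinhole("UDP", dst_ip, rtp_port, lifetime))
        holes.append(Pinhole("UDP", dst_ip, rtp_port + 1, lifetime))
    return holes


def drops_packet(sdp):
    """True when the ALG would drop and log the packet instead of opening pinholes."""
    try:
        pinholes_from_sdp(sdp)
        return False
    except SdpError:
        return True


# Constructed SDP bodies mirroring the call setup illustration.
INVITE_SDP = "v=0\r\no=A 1 1 IN IP4 1.1.1.1\r\ns=-\r\nc=IN IP4 1.1.1.1\r\nt=0 0\r\nm=audio 2000 RTP/AVP 0\r\n"
# Media-level c= overrides the session-level c= here.
OK_SDP = "v=0\r\no=B 1 1 IN IP4 2.2.2.2\r\ns=-\r\nc=IN IP4 2.2.2.254\r\nt=0 0\r\nm=audio 3000 RTP/AVP 0\r\nc=IN IP4 2.2.2.2\r\n"
HOLD_SDP = "v=0\r\nc=IN IP4 0.0.0.0\r\nm=audio 2000 RTP/AVP 0\r\n"
NO_C_SDP = "v=0\r\nm=audio 2000 RTP/AVP 0\r\n"

if __name__ == "__main__":
    for hole in pinholes_from_sdp(INVITE_SDP) + pinholes_from_sdp(OK_SDP):
        print(hole)
```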
Session Inactivity Timeout
Typically a call ends when one of the clients sends a BYE or a CANCEL request. The SIP ALG intercepts the BYE or CANCEL request and removes all media sessions for that call. There could be reasons or problems preventing clients in a call from sending BYE or CANCEL requests, for example, a power failure. In this case, the call might go on indefinitely, consuming resources on the NetScreen device. The inactivity timeout feature helps the NetScreen device to monitor the liveliness of the call and terminate it if there is no activity for a specific period of time.
A call can have one or more voice channels. Each voice channel has two sessions (or two media streams), one for RTP and one for RTCP. When managing the sessions, the NetScreen device considers the sessions in each voice channel as one group. Settings such as the inactivity timeout apply to a group as opposed to each session.
There are two types of inactivity timeouts that determine the lifetime of a group:
• Signaling Inactivity Timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any SIP signaling traffic. Each time a SIP signaling message occurs within a call, this timeout resets. The default setting is 43200 seconds (12 hours).
• Media Inactivity Timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. The default setting is 120 seconds.
If either of these timeouts expires, the NetScreen device removes all sessions for this call from its table, thus terminating the call.
Note: The SIP ALG does not create pinholes for RTP and RTCP traffic when the destination IP address is 0.0.0.0, which indicates that the session is on hold. To put a session on hold, for example, during a SIP telephone communication, a user (User A) sends the other user (User B) a message in which the destination IP address is 0.0.0.0. Doing so indicates to User B not to send any media until further notice. If User B sends media anyway, the NetScreen device drops the packets.
SIP Attack Protection
The ability of the SIP proxy server to process calls can be impacted by repeat SIP INVITE requests, whether malicious or through client or server error, that it initially denied. To prevent the SIP proxy server from being overwhelmed by such requests, you can use the sip protect deny command to configure the NetScreen device to monitor INVITE requests and proxy server replies to them. If a reply contains a 3xx, 4xx, or 5xx response code (see “Classes of SIP Responses” on page 199), the ALG stores the source IP address of the request and the IP address of the proxy server in a table. Subsequently the NetScreen device checks all INVITE requests against this table and, for a configurable number of seconds (the default is three), discards any packets that match entries in the table. You can also configure the NetScreen device to monitor INVITE requests to a specific proxy server by specifying the destination IP address. SIP attack protection is configured globally.
Example: SIP Protect Deny
In this example, you configure the NetScreen device to protect a single SIP proxy server (1.1.1.3/24) from repeat INVITE requests to which it has already denied service. Packets are dropped for a period of five seconds, after which the NetScreen device resumes forwarding INVITE requests from those sources.
WebUI
Note: You must use the CLI to protect SIP proxy servers from being inundated by INVITE requests.
CLI
set sip protect deny dst-ip 1.1.1.3/24
set sip protect deny timeout 5
save
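The deny table described above, replayed over a constructed timeline against the proxy from the example (1.1.1.3/24, five-second timeout), as an added example that is not ScreenOS code; the event format, class and function names are assumptions made for this illustration.

```python
# Added example, not ScreenOS code: a model of the "sip protect deny" table.
from ipaddress import ip_address, ip_network


class SipProtectDeny:
    """Tracks (source IP, proxy IP) pairs whose INVITE the proxy answered with 3xx/4xx/5xx."""

    def __init__(self, timeout=3, dst_ip=None):
        self.timeout = timeout  # seconds an entry keeps blocking repeat INVITEs (default three)
        # Optional proxy address or subnet to monitor; None means every proxy is monitored.
        self.monitored = ip_network(dst_ip, strict=False) if dst_ip else None
        self.table = {}         # (src_ip, proxy_ip) -> time at which the entry expires

    def _is_monitored(self, proxy_ip):
        return self.monitored is None or ip_address(proxy_ip) in self.monitored

    def on_response(self, src_ip, proxy_ip, status, now):
        """Record a denial when a monitored proxy answers an INVITE with 3xx, 4xx or 5xx.

        src_ip is the source of the original INVITE (the destination of this reply).
        Returns True when an entry was recorded.
        """
        if self._is_monitored(proxy_ip) and 300 <= status <= 599:
            self.table[(src_ip, proxy_ip)] = now + self.timeout
            return True
        return False

    def on_invite(self, src_ip, proxy_ip, now):
        """Return 'drop' for an INVITE matching a live table entry, otherwise 'forward'."""
        self._expire(now)
        return "drop" if (src_ip, proxy_ip) in self.table else "forward"

    def _expire(self, now):
        for key in [k for k, expiry in self.table.items() if expiry <= now]:
            del self.table[key]


def simulate(events, timeout=3, dst_ip=None):
    """Replay (time, kind, src, proxy, status) events; return the verdict for each INVITE."""
    guard = SipProtectDeny(timeout=timeout, dst_ip=dst_ip)
    verdicts = []
    for t, kind, src, proxy, status in events:
        if kind == "invite":
            verdicts.append((t, src, guard.on_invite(src, proxy, t)))
        else:
            guard.on_response(src, proxy, status, t)
    return verdicts


# Constructed timeline: one client retries after a "486 Busy here" from the proxy.
EVENTS = [
    (0.0, "invite", "2.2.2.5", "1.1.1.3", None),
    (0.1, "response", "2.2.2.5", "1.1.1.3", 486),  # 4xx reply: entry recorded until 5.1
    (1.0, "invite", "2.2.2.5", "1.1.1.3", None),   # repeat within the window: dropped
    (2.0, "invite", "2.2.2.6", "1.1.1.3", None),   # other source: forwarded
    (5.0, "invite", "2.2.2.5", "1.1.1.3", None),   # still inside the window: dropped
    (6.0, "invite", "2.2.2.5", "1.1.1.3", None),   # entry expired: forwarded again
]

if __name__ == "__main__":
    for verdict in simulate(EVENTS, timeout=5, dst_ip="1.1.1.3/24"):
        print(verdict)
```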
Example: Signaling and Media Inactivity Timeouts
In this example, you configure the signaling inactivity timeout to 30,000 seconds and the media inactivity timeout to 90 seconds.
WebUI
Note: You must use the CLI to set SIP signaling and media inactivity timeouts.
CLI
set sip signaling-inactivity-timeout 30000
set sip media-inactivity-timeout 90
save
Example: UDP Flooding Protection
You can protect the NetScreen device against UDP flooding by zone and destination address. In this example, you set a threshold of 80000 per second for the number of UDP packets that can be received on IP address 1.1.1.5, in the Untrust zone, before the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second.
Note: This example uses a general ScreenOS command, and is not necessarily SIP-specific. For more information about UDP flood protection and how to determine effective settings, see “UDP Flood” on page 4 -65.
WebUI
Screening > Screen: Enter the following, and then click Apply:
Zone: Untrust
UDP Flood Protection (select)
> Destination IP: Enter the following, and then click the Back arrow in your web browser to return to the Screen configuration page:
Destination IP: 1.1.1.5
Threshold: 80000
Add: (select)
CLI
set zone untrust screen udp-flood dst-ip 1.1.1.5 threshold 80000
save
Example: SIP Connection Maximum
In this example, you prevent flood attacks on the SIP network from attackers in the Untrust zone by setting a maximum of 20 concurrent sessions from a single IP address. If the NetScreen device detects more than 20 connection attempts from the same IP address, it begins dropping subsequent attempts until the number of sessions drops below the specified maximum.
WebUI
Screening > Screen (Zone: Untrust): Enter the following, and then click OK:
Source IP Based Session Limit: (select)
Threshold: 20 Sessions
CLI
set zone untrust screen limit-session source-ip-based 20
save
Note: This example uses a general ScreenOS command, and is not necessarily SIP-specific. For more information about source-based session limits and how to determine effective settings, see “Source- and Destination-Based Session Limits” on page 4 -40.
SIP with Network Address Translation
The Network Address Translation (NAT) protocol enables multiple hosts in a private subnet to share a single public IP address to access the Internet. For outgoing traffic, NAT replaces the private IP address of the host in the private subnet, with the public IP address. For incoming traffic, the public IP address is converted back into the private address and the message routed to the appropriate host in the private subnet.
Using NAT with the SIP service is more complicated because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. The SIP headers contain information about the caller and the receiver, and the NetScreen device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. The NetScreen device translates SDP information to allocate resources to send and receive the media.
How IP addresses and port numbers in SIP messages are replaced depends on the direction of the message. For an outgoing message, the private IP address and port number of the client is replaced with the public IP address and port number of the NetScreen firewall. For an incoming message, the public address of the firewall is replaced with the private address of the client.
When an INVITE message is sent out across the firewall, the SIP ALG collects information from the message header into a call table, which it uses to forward subsequent messages to the correct end point. When a new message arrives, for example an ACK or 200 OK, the ALG compares the “From:”, “To:”, and “Call-ID:” fields against the call table to identify the call context of the message. If a new INVITE message arrives that matches the existing call, the ALG processes it as a REINVITE.
When a message containing SDP information arrives, the ALG allocates ports and creates a NAT mapping between them and the ports in the SDP. Because the SDP requires sequential ports for the Real Time Protocol (RTP) and Real Time Control Protocol (RTCP) channels, the ALG provides consecutive even-odd ports. If it is unable to find a pair of ports it discards the SIP message.
Outgoing Calls
When a SIP call is initiated with a SIP request message from the internal to the external network, NAT replaces the IP addresses and port numbers in the SDP and creates a binding to map the IP addresses and port numbers to the NetScreen firewall. Via:, Contact:, Route:, and Record-Route: SIP header fields, if present, are also bound to the firewall IP address. The ALG stores these mappings for use in retransmissions and for SIP response messages.
The SIP ALG then opens pinholes in the firewall to allow media through the NetScreen device on the dynamically assigned ports negotiated based on information in the SDP and the Via:, Contact:, and Record-Route: header fields. The pinholes also allow incoming packets to reach the Contact:, Via:, and Record-Route: IP addresses and ports. When processing return traffic, the ALG inserts the original Contact:, Via:, Route:, and Record-Route: SIP fields back into the packets.
Incoming Calls
Incoming calls are initiated from the public network to public mapped IP (MIP) addresses, or to interface IP addresses on the NetScreen device. MIPs are statically configured IP addresses that point to internal hosts; interface IP addresses are dynamically recorded by the ALG as it monitors REGISTER messages sent by internal hosts to the SIP Registrar. (For more information, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.) When the NetScreen device receives an incoming SIP packet, it sets up a session and forwards the payload of the packet to the SIP ALG.
The ALG examines the SIP request message (initially an INVITE) and, based on information in the SDP, opens gates for outgoing media. When a 200 OK response message arrives, the SIP ALG performs NAT on the IP addresses and ports and opens pinholes in the outbound direction. (The opened gates have a short time-to-live, and time out if a 200 OK response message is not received quickly.)
When a 200 OK response arrives, the SIP proxy examines the SDP information and reads the IP addresses and port numbers for each media session. The SIP ALG on the NetScreen device performs NAT on the addresses and port numbers, opens pinholes for outbound traffic, and refreshes the timeout for gates in the inbound direction.
When the ACK arrives for the 200 OK, it also passes through the SIP ALG. If the message contains SDP information, the SIP ALG ensures that the IP addresses and port numbers are not changed from the previous INVITE—if they are, the ALG deletes old pinholes and creates new pinholes to allow media to pass through. The ALG also monitors the Via:, Contact:, and Record-Route: SIP fields and opens new pinholes if it determines that these fields have changed.
Forwarded Calls
A forwarded call is when, for example, user A outside the network calls user B inside the network, and user B forwards the call to user C outside the network. The SIP ALG processes the INVITE from user A as a normal incoming call. But when the ALG examines the forwarded call from B to C outside the network and notices that B and C are reached using the same interface, it does not open pinholes in the firewall, because media will flow directly between user A and user C.
Call Termination
The BYE message is used to terminate a call. When the NetScreen device receives a BYE message, it translates the header fields just as it does for any other message. But because a BYE message must be acknowledged by the receiver with a 200 OK, the ALG delays call teardown for five seconds to allow time for transmission of the 200 OK.
Call Re-INVITE Messages
Re-INVITE messages are used to add new media sessions to a call, and to remove existing media sessions. When new media sessions are added to a call, new pinholes are opened in the firewall and new address bindings are created. The process is identical to the original call setup. When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.
Call Session Timers
The SIP ALG uses the Session-Expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG gets the Session-Expires value, if present, from the 200 OK response to the INVITE and uses this value for the signaling timeout. If the ALG receives another INVITE before the session times out, it resets all timeout values to this new INVITE or to default values, and the process is repeated.
As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist. This ensures that the NetScreen device is protected in the event of the following:
• End systems crash during a call and a BYE message is not received.
• Malicious users never send a BYE in an attempt to attack a SIP ALG.
• Poor implementations of a SIP proxy fail to process Record-Route and never send a BYE message.
• Network failures prevent a BYE message from being received.
Call Cancellation
Either party can cancel a call by sending a CANCEL message. Upon receiving a CANCEL message, the SIP ALG closes pinholes through the firewall—if any have been opened—and releases address bindings. Before releasing the resources, the ALG delays the control channel age-out for approximately five seconds to allow time for the final 200 OK to pass through. The call is terminated when the five second timeout expires, regardless of whether a 487 or non-200 response arrives.
Forking
Forking enables a SIP proxy to send a single INVITE message to multiple destinations simultaneously. When multiple 200 OK response messages arrive for the single call, the SIP ALG parses them all but updates call information only with the first 200 OK message it receives.
SIP Messages
The SIP message format consists of a SIP header section and the SIP body. In request messages, the first line of the header section is the request line, which includes the method type, Request-URI, and protocol version. In response messages, the first line is the status line, which contains a status code. SIP headers contain IP addresses and port numbers used for signaling. The SIP body, separated from the header section by a blank line, is reserved for session description information, which is optional. NetScreen devices currently support the Session Description Protocol (SDP) only. The SIP body contains IP addresses and port numbers used to transport the media.
In NAT mode, the NetScreen device translates information in the SIP headers to hide the information from the outside network. NAT is performed on SIP body information to allocate resources, that is, port numbers where the media is to be received.
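The teardown rules described under Call Termination, Call Cancellation, Call Session Timers and the hard-timeout list above can be modelled as a small call table. The following is an added example written for this page, not ScreenOS code: the five-second grace period comes from the text, while the default Session-Expires and the hard-timeout value are assumptions chosen for illustration, since the page does not state the device's actual defaults.

```python
# Added example (not ScreenOS code): a model of the SIP ALG call-table timers
# described on this page. The constants are assumptions for illustration; the
# actual ScreenOS defaults are not stated on the page.
from dataclasses import dataclass
from typing import Optional

GRACE_AFTER_BYE_OR_CANCEL = 5.0   # seconds kept alive so the final 200 OK can pass (per the text)
DEFAULT_SESSION_EXPIRES = 1800.0  # assumed default signaling timeout when no Session-Expires is seen
HARD_TIMEOUT = 3600.0             # assumed maximum lifetime of a call, never refreshed


@dataclass
class CallEntry:
    call_id: str
    signaling_deadline: float            # refreshed by INVITE / re-INVITE / Session-Expires
    hard_deadline: float                 # fixed at call creation
    teardown_at: Optional[float] = None  # armed by BYE or CANCEL


class CallTable:
    """Tracks calls the ALG has seen and decides when their state must be released."""

    def __init__(self):
        self.calls = {}

    def on_invite(self, now, call_id):
        """A new INVITE creates a call; an INVITE for a known call (re-INVITE) resets the
        signaling timer to the default. The hard deadline is never moved."""
        entry = self.calls.get(call_id)
        if entry is None:
            entry = CallEntry(call_id, now + DEFAULT_SESSION_EXPIRES, now + HARD_TIMEOUT)
            self.calls[call_id] = entry
        else:
            entry.signaling_deadline = now + DEFAULT_SESSION_EXPIRES
        return entry

    def on_200_ok(self, now, call_id, session_expires=None):
        """The 200 OK to the INVITE may carry Session-Expires; if so it replaces the
        default signaling timeout."""
        entry = self.calls.get(call_id)
        if entry is not None and session_expires is not None:
            entry.signaling_deadline = now + session_expires
        return entry

    def on_bye_or_cancel(self, now, call_id):
        """BYE and CANCEL do not tear the call down immediately: the ALG waits about
        five seconds for the final 200 OK (or a 487 / other non-200 response) and then
        releases the call whether or not that response arrived."""
        entry = self.calls.get(call_id)
        if entry is not None:
            entry.teardown_at = now + GRACE_AFTER_BYE_OR_CANCEL
        return entry

    def expire(self, now):
        """Release every call whose grace period, signaling timer or hard timeout has
        passed, and return the released Call-IDs. The hard timeout is what protects the
        device when a BYE never arrives (crash, network failure, broken proxy, or a peer
        that deliberately withholds it)."""
        gone = sorted(
            cid for cid, e in self.calls.items()
            if (e.teardown_at is not None and now >= e.teardown_at)
            or now >= e.signaling_deadline
            or now >= e.hard_deadline
        )
        for cid in gone:
            del self.calls[cid]
        return gone
```

The point to take from the model is the third branch of `expire()`: a call whose peer keeps sending re-INVITEs can refresh the signaling timer indefinitely, but it still cannot outlive the hard deadline, which is why the page lists the hard timeout as the protection against a BYE that never comes.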
SIP Headers
In the following sample SIP request message, NAT replaces the IP addresses in the header fields—shown in bold font—to hide them from the outside network.
INVITE bob@10.150.20.5 SIP/2.0
Via: SIP/2.0/UDP 10.150.20.3:5434
From: alice@10.150.20.3
To: bob@10.150.20.5
Call-ID: a12abcde@10.150.20.3
Contact: alice@10.150.20.3:5434
Route: <sip:netscreen@10.150.20.3:5060>
Record-Route: <sip:netscreen@10.150.20.3:5060>
How IP address translation is performed depends on the type and direction of the message, which can be any of the following:
• Inbound request
• Outbound response
• Outbound request
• Inbound response
The following table shows how NAT is performed in each of these cases. Note that for several of the header fields the ALG must know more than just whether the message comes from inside or outside the network. It must also know what client initiated the call, and whether the message is a request or response.
Message Type / Field / Action
Inbound Request (from public to private)
  To:            Replace ALG address with local address
  From:          None
  Call-ID:       None
  Via:           None
  Request-URI:   Replace ALG address with local address
  Contact:       None
  Record-Route:  None
  Route:         None
Outbound Response (from private to public)
  To:            Replace ALG address with local address
  From:          None
  Call-ID:       None
  Via:           None
  Request-URI:   N/A
  Contact:       Replace local address with ALG address
  Record-Route:  Replace local address with ALG address
  Route:         None
Outbound Request (from private to public)
  To:            None
  From:          Replace local address with ALG address
  Call-ID:       Replace local address with ALG address
  Via:           Replace local address with ALG address
  Request-URI:   None
  Contact:       Replace local address with ALG address
  Record-Route:  Replace local address with ALG address
  Route:         Replace ALG address with local address
Inbound Response (from public to private)
  To:            None
  From:          Replace ALG address with local address
  Call-ID:       Replace ALG address with local address
  Via:           Replace ALG address with local address
  Request-URI:   N/A
  Contact:       None
  Record-Route:  Replace ALG address with local address
  Route:         Replace ALG address with local address
SIP Body
The SDP information in the SIP body includes IP addresses the ALG uses to create channels for the media stream. Translation of the SDP section also allocates resources, that is, port numbers to send and receive the media.
The following excerpt from a sample SDP section shows the fields that are translated for resource allocation.
o=user 2344234 55234434 IN IP4 10.150.20.3
c=IN IP4 10.150.20.3
m=audio 43249 RTP/AVP 0
SIP messages can contain more than one media stream. The concept is similar to attaching multiple files to an e-mail message. For example, an INVITE message sent from a SIP client to a SIP server might have the following fields:
c=IN IP4 10.123.33.4
m=audio 33445 RTP/AVP 0
c=IN IP4 10.123.33.4
m=audio 33447 RTP/AVP 0
c=IN IP4 10.123.33.4
m=audio 33449 RTP/AVP 0
NetScreen devices support up to six SDP channels negotiated for each direction, for a total of 12 channels per call. For more information, see “SDP” on page 201.
SIP NAT Scenario
In the following illustration, ph1 sends a SIP INVITE message to ph2. Note how the IP addresses in the header fields—shown in bold font—are translated by the NetScreen device.
The SDP section of the INVITE message indicates where the caller is willing to receive media. Note that the Media Pinhole contains two port numbers, 52002 and 52003, for RTCP and RTP. The Via/Contact Pinhole provides port number 5060 for SIP signaling.
[Illustration: INVITE from SIP ph1 (5.5.5.1, Internal Network) through the NetScreen device (5.5.5.2 inside, 6.6.6.1 outside) to SIP ph2 (6.6.6.2, External Network). Media Pinhole: 5.5.5.1 45002/45003 mapped to 6.6.6.1 52002/52003, open to Any IP / Any Port. Via/Contact Pinhole: 5.5.5.1 5060 mapped to 6.6.6.1 1234, open to Any IP / Any Port.]
INVITE as sent by ph1:
INVITE Sip: ph2@6.6.6.2 SIP/2.0
Via: SIP/2.0/UDP 5.5.5.1:5060
Call-ID: a1234@5.5.5.1
From: ph1@5.5.5.1
To: ph2@6.6.6.2
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph1 3123 1234 IP IP4 5.5.5.1
c=IN IP4 5.5.5.1
m=audio 45002 RTP/AVP 0
INVITE as forwarded by the NetScreen device:
INVITE Sip: ph2@6.6.6.2 SIP/2.0
Via: SIP/2.0/UDP 6.6.6.1:1234
Call-ID: a1234@6.6.6.1
From: ph1@6.6.6.1
To: ph2@6.6.6.2
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph1 3123 1234 IP IP4 6.6.6.1
c=IN IP4 6.6.6.1
m=audio 52002 RTP/AVP 0
Observe how, in the 200 OK response message, the translations performed in the INVITE message are reversed. The IP addresses in this message, being public, are not translated, but gates are opened to allow the media stream access to the private network.
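The outbound-request column of the header table, the SDP translation and the even/odd port allocation rule can be exercised together on the INVITE from the scenario above. The following is an added example written for this page, not ScreenOS or Juniper code: the sample INVITE, the media-port pool and the ALG signaling port 1234 are constructed to match the illustration, and the message is rewritten the way the page says the ALG rewrites it (From:, Call-ID:, Via:, Contact: and Record-Route: get the ALG address; To: and the Request-URI are left alone; o=/c= lines get the ALG address; each m= line gets a fresh consecutive even/odd pair or the message is discarded).

```python
# Added example (not ScreenOS code): a model of the SIP ALG translating an outbound
# INVITE (private -> public) according to the header table on the preceding pages, and
# allocating consecutive even/odd RTP/RTCP ports for the SDP media line. The port pool,
# the signaling port 1234 and the sample INVITE are constructed to match the scenario
# illustration (ph1 5.5.5.1 behind 6.6.6.1 calling ph2 6.6.6.2).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Outbound request: these fields have the local address replaced with the ALG address.
# To: and Request-URI are left alone on an outbound request.
OUTBOUND_REQUEST_LOCAL_TO_ALG = {"From", "Call-ID", "Via", "Contact", "Record-Route"}
MAX_SDP_CHANNELS_PER_DIRECTION = 6   # limit stated on the page

SAMPLE_INVITE = (  # constructed from the illustration; CSeq/Content-Type use standard syntax
    "INVITE sip:ph2@6.6.6.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 5.5.5.1:5060\r\n"
    "Call-ID: a1234@5.5.5.1\r\n"
    "From: ph1@5.5.5.1\r\n"
    "To: ph2@6.6.6.2\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=ph1 3123 1234 IN IP4 5.5.5.1\r\n"
    "c=IN IP4 5.5.5.1\r\n"
    "m=audio 45002 RTP/AVP 0"
)


@dataclass
class SipAlg:
    private_ip: str        # inside host whose address is hidden
    alg_ip: str            # firewall's public (egress) address
    sig_port: int          # ALG port substituted for the client's signaling port (1234 in the figure)
    free_ports: List[int]  # media ports the ALG may hand out
    pinholes: List[Tuple[str, int, str, int]] = field(default_factory=list)

    def allocate_pair(self) -> Optional[Tuple[int, int]]:
        """Return a consecutive even (RTP) / odd (RTCP) pair, or None when no pair is free."""
        free = set(self.free_ports)
        for p in sorted(free):
            if p % 2 == 0 and p + 1 in free:
                self.free_ports.remove(p)
                self.free_ports.remove(p + 1)
                return p, p + 1
        return None

    def translate_outbound_request(self, msg: str) -> Optional[str]:
        """Rewrite headers and SDP of an outbound request; None means the ALG discards it."""
        head, _, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        out = [lines[0]]  # request line (Request-URI) is not translated on an outbound request
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if sep and name.strip() in OUTBOUND_REQUEST_LOCAL_TO_ALG:
                value = value.replace(f"{self.private_ip}:5060", f"{self.alg_ip}:{self.sig_port}")
                value = value.replace(self.private_ip, self.alg_ip)
            out.append(name + sep + value)
        new_body, channels = [], 0
        for line in body.split("\r\n"):
            if line.startswith(("o=", "c=")):   # origin / connection address
                line = line.replace(self.private_ip, self.alg_ip)
            elif line.startswith("m="):         # media line: needs an RTP/RTCP pair and a pinhole
                channels += 1
                if channels > MAX_SDP_CHANNELS_PER_DIRECTION:
                    return None                 # more channels than supported: discard
                pair = self.allocate_pair()
                if pair is None:
                    return None                 # no even/odd pair left: discard the SIP message
                parts = line.split()
                self.pinholes.append((self.private_ip, int(parts[1]), self.alg_ip, pair[0]))
                parts[1] = str(pair[0])
                line = " ".join(parts)
            new_body.append(line)
        return "\r\n".join(out) + "\r\n\r\n" + "\r\n".join(new_body)


def translate_sample():
    """Run the scenario INVITE through the ALG; returns (translated message, pinholes)."""
    alg = SipAlg("5.5.5.1", "6.6.6.1", 1234, [52002, 52003, 52004, 52005])
    return alg.translate_outbound_request(SAMPLE_INVITE), alg.pinholes
```

Running `translate_sample()` reproduces the forwarded INVITE in the illustration (Via 6.6.6.1:1234, Call-ID and From rewritten to 6.6.6.1, c= rewritten, m=audio 52002) and records the media pinhole 5.5.5.1:45002 to 6.6.6.1:52002. Handing the ALG a pool with no consecutive even/odd pair makes it return None, which is the discard behaviour the page describes.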
[Illustration: 200 OK from SIP ph2 (6.6.6.2, External Network) through the NetScreen device (6.6.6.1 outside, 5.5.5.2 inside) to SIP ph1 (5.5.5.1, Internal Network), followed by ACK SIP:ph2@6.6.6.2 SIP/2.0 from ph1 to ph2. Media Pinhole: Any IP / Any Port to 6.6.6.2 62002/62003. Via/Contact Pinhole: Any IP / Any Port to 6.6.6.2 5060.]
200 OK as sent by ph2:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 6.6.6.1:1234
Call-ID: a1234@6.6.6.1
From: ph1@6.6.6.1
To: ph2@6.6.6.2
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98
Contact: sip 6.6.6.2:5060

v=0
o=ph2 5454 565642 IP IP4 6.6.6.2
c=IN IP4 6.6.6.2
m=audio 62002 RTP/AVP 0
200 OK as forwarded to ph1:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 5.5.5.1:5060
Call-ID: a1234@5.5.5.1
From: ph1@5.5.5.1
To: ph2@6.6.6.2
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph2 5454 565642 IP IP4 6.6.6.2
c=IN IP4 6.6.6.2
m=audio 62002 RTP/AVP 0
Incoming SIP Call Support Using the SIP Registrar
SIP registration provides a discovery capability by which SIP proxies and location servers are able to identify the location or locations where users want to be contacted. A user registers one or more contact locations by sending a REGISTER message to the registrar. The To: and Contact: fields in the REGISTER message contain the address-of-record URI and one or more contact URIs, as shown in the following illustration. Registration creates bindings in a location service that associates the address-of-record with the contact address or addresses.
The NetScreen device monitors outgoing REGISTER messages, performs NAT on these addresses, and stores the information in an Incoming DIP table. Then, when an INVITE message is received from outside the network, the NetScreen device uses the Incoming DIP table to identify which internal host to route the INVITE message to. You can take advantage of the SIP proxy registration service to allow incoming calls by configuring interface DIP or DIP pools on the egress interface of the NetScreen device. Interface DIP is adequate for handling incoming calls in a small office, while setting up DIP pools is recommended for larger networks or an enterprise environment.
Note: Incoming call support using interface DIP or a DIP pool is supported for SIP and H.323 services only.
For incoming calls, NetScreen devices currently support UDP and TCP only. Domain name resolution is also currently not supported, therefore URIs must contain IP addresses, as shown in the following illustration.
[Illustration: SIP ph1 (5.5.5.1, Internal Network) registers through the NetScreen device (5.5.5.2 inside, 6.6.6.1 outside) with the Registrar (6.6.6.2, External Network). On the outbound REGISTER the device adds an entry to the Incoming DIP table; on the returning 200 OK it updates the entry's timeout value.]
REGISTER as sent by ph1:
REGISTER sip: 6.6.6.2 SIP/2.0
From: ph1@5.5.5.1
To: ph1@5.5.5.1
CSeq 1 INVITE
Contact <sip: 5.5.5.1:1234>
Expires: 7200
REGISTER as forwarded by the NetScreen device:
REGISTER sip: 6.6.6.2 SIP/2.0
From: ph1@6.6.6.1
To: ph1@6.6.6.1
CSeq 1 INVITE
Contact <sip: 6.6.6.1:5555>
Expires: 7200
200 OK from the Registrar, as received by the NetScreen device:
200 OK
From: ph1@6.6.6.1
To: ph1@6.6.6.1
CSeq 1 INVITE
Contact <sip: 6.6.6.1:5555>
Expires: 3600
200 OK as forwarded to ph1:
200 OK
From: ph1@5.5.5.1
To: ph1@5.5.5.1
CSeq 1 INVITE
Contact <sip: 5.5.5.1:1234>
Expires: 3600
Incoming DIP Table entry: 5.5.5.1 : 1234 mapped to 6.6.6.1 : 5555, timeout 3600
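The Incoming DIP table behaviour from the registration illustration above (NAT the outbound REGISTER, record the binding, take the timeout from the registrar's 200 OK, and use the binding to route a later inbound INVITE) can be modelled as follows. This is an added example written for this page, not ScreenOS code: the REGISTER and 200 OK messages are constructed to match the illustration, and the way ports are handed out (sequentially from 5555) is an assumption made for the example.

```python
# Added example (not ScreenOS code): a model of the Incoming DIP table described above.
# The DIP address 6.6.6.1, the allocated port 5555 and the REGISTER / 200 OK messages are
# constructed to match the registration illustration; the port allocation scheme
# (sequential from 5555) is an assumption made for the example.
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CONTACT_RE = re.compile(r"Contact:\s*<sip:([\d.]+):(\d+)>")
EXPIRES_RE = re.compile(r"Expires:\s*(\d+)")

REGISTER_FROM_PH1 = (  # constructed
    "REGISTER sip:6.6.6.2 SIP/2.0\r\n"
    "From: ph1@5.5.5.1\r\n"
    "To: ph1@5.5.5.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:5.5.5.1:1234>\r\n"
    "Expires: 7200\r\n"
)
OK_FROM_REGISTRAR = (  # constructed: the registrar shortened Expires to 3600
    "SIP/2.0 200 OK\r\n"
    "From: ph1@6.6.6.1\r\n"
    "To: ph1@6.6.6.1\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:6.6.6.1:5555>\r\n"
    "Expires: 3600\r\n"
)


@dataclass
class DipEntry:
    private_ip: str
    private_port: int
    expires_at: float


class IncomingDipTable:
    """Maps (DIP address, port) back to the internal host that registered through it."""

    def __init__(self, dip_ip: str, first_port: int = 5555):
        self.dip_ip = dip_ip
        self.next_port = first_port   # assumed allocation: sequential ports from first_port
        self.entries: Dict[Tuple[str, int], DipEntry] = {}

    @staticmethod
    def _contact(msg: str) -> Tuple[str, int]:
        m = CONTACT_RE.search(msg)
        if m is None:
            raise ValueError("REGISTER/200 OK without a Contact: header")
        return m.group(1), int(m.group(2))

    @staticmethod
    def _expires(msg: str) -> Optional[int]:
        m = EXPIRES_RE.search(msg)
        return int(m.group(1)) if m else None

    def on_outbound_register(self, now: float, msg: str) -> str:
        """NAT the REGISTER, record the binding, and return the translated message."""
        priv_ip, priv_port = self._contact(msg)
        dip_port = self.next_port
        self.next_port += 1
        expires = self._expires(msg)
        self.entries[(self.dip_ip, dip_port)] = DipEntry(
            priv_ip, priv_port, now + (expires if expires is not None else 3600))
        translated = msg.replace(f"<sip:{priv_ip}:{priv_port}>", f"<sip:{self.dip_ip}:{dip_port}>")
        return translated.replace(f"@{priv_ip}", f"@{self.dip_ip}")

    def on_inbound_200_ok(self, now: float, msg: str) -> Optional[DipEntry]:
        """The registrar's 200 OK may change Expires; refresh the entry's timeout."""
        entry = self.entries.get(self._contact(msg))
        expires = self._expires(msg)
        if entry is not None and expires is not None:
            entry.expires_at = now + expires
        return entry

    def route_inbound_invite(self, now: float, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Which internal host an INVITE addressed to dst_ip:dst_port belongs to, if any."""
        entry = self.entries.get((dst_ip, dst_port))
        if entry is None or now >= entry.expires_at:
            return None
        return entry.private_ip, entry.private_port

    def expire(self, now: float) -> int:
        """Drop expired bindings; return how many were removed."""
        dead = [k for k, e in self.entries.items() if now >= e.expires_at]
        for k in dead:
            del self.entries[k]
        return len(dead)
```

Note that an INVITE to a DIP port with no live binding is not routed anywhere: without a registration from an internal host there is no entry, and once the registrar's Expires has run out the entry is dropped, so the only inbound SIP that reaches the private network is SIP for a host that asked to be reachable.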
Example: Incoming Call (Interface DIP)
In this example, phone1 is on the ethernet1 interface in the Trust zone and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You set Interface DIP on the ethernet3 interface to do NAT on incoming calls, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how incoming DIP works with the SIP registration service, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.
[Illustration: Trust zone LAN with phone1 (10.1.1.3) on ethernet1 (10.1.1.1/24) of the NetScreen device; ethernet3 (1.1.1.1/24, Interface DIP on ethernet3) faces the Untrust zone and the Internet, where the Proxy Server (1.1.1.3) and phone2 (1.1.1.4) are located.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.3/24
Zone: Untrust
3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Select the Incoming NAT option, and then click OK.
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address
Address Book Entry: (select) phone1
Destination Address
Address Book Entry: (select) any
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: (select)
(DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address
Address Book Entry: (select), Any
Destination Address
Address Book Entry: (select), DIP(ethernet3)
Service: SIP
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. DIP with Incoming NAT
set interface ethernet3 dip interface-ip incoming
set dip sticky
4. Policies
set policy from trust to untrust phone1 any sip nat src permit
set policy from untrust to trust any dip(ethernet3) sip permit
save
Example: Incoming Call (DIP Pool)
In this example, phone1 is in the Trust zone and phone2 and the proxy server are in the Untrust zone. You set a DIP pool on the ethernet3 interface to do NAT on incoming calls, then set a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP pool in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how DIP works with the SIP registration service, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.
[Illustration: Trust zone LAN with phone1 (10.1.1.3) on ethernet1 (10.1.1.1/24) of the NetScreen device; ethernet3 (1.1.1.1/24) carries the DIP pool 1.1.1.20 -> 1.1.1.40 and faces the Untrust zone and the Internet, where the Proxy Server (1.1.1.3) and phone2 (1.1.1.4) are located.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.3/24
Zone: Untrust
3. DIP Pool with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
ID: 5
IP Address Range: (select), 1.1.1.20 ~ 1.1.1.40
Port Translation: (select)
In the same subnet as the interface IP or its secondary IPs: (select)
Incoming NAT: (select)
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address
Address Book Entry: (select), phone1
Destination Address
Address Book Entry: (select), Any
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: (select)
(DIP on): 5 (1.1.1.20-1.1.1.40)/port-xlate))
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address
Address Book Entry: (select) Any
Destination Address
Address Book Entry: (select) DIP(5)
Service: SIP
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. DIP Pool with Incoming NAT
set interface ethernet3 dip 5 1.1.1.20 1.1.1.40 incoming
set dip sticky
4. Policies
set policy from trust to untrust phone1 any sip nat src dip 5 permit
set policy from untrust to trust any dip(5) sip permit
save
Example: Incoming Call with MIP
In this example, phone1 is on the ethernet1 interface in the Trust zone and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to phone1, then create a policy that allows SIP traffic from the Untrust zone to the Trust zone, and reference that MIP in the policy. You also create a policy allowing phone1 to register with the proxy server in the Untrust zone. This example is similar to the previous two examples (“Example: Incoming Call (Interface DIP)” on page 221 and “Example: Incoming Call (DIP Pool)” on page 225), except that with a MIP you need one public address for each private address in the Trust zone, while with Interface DIP or a DIP pool a single interface address can serve multiple private addresses.
[Illustration: Trust zone LAN with phone1 (10.1.1.3) on ethernet1 (10.1.1.1/24) of the NetScreen device; ethernet3 (1.1.1.1/24) faces the Untrust zone and the Internet, where the Proxy Server and phone2 (1.1.1.4) are located. A Virtual Device represents the MIP on ethernet3.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.3/24
Zone: Untrust
3. MIP
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:
Mapped IP: 1.1.1.3
Netmask: 255.255.255.255
Host IP Address: 10.1.1.3
4. Policy
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), any
Destination Address:
Address Book Entry: (select), MIP(1.1.1.3)
Service: SIP
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24
3. MIP
set interface ethernet3 mip 1.1.1.3 host 10.1.1.3
4. Policy
set policy from untrust to trust any mip(1.1.1.3) sip permit
save
Example: Proxy in the Private Zone
In this example, phone1 and the SIP proxy server are on the ethernet1 interface in the Trust (private) zone, and phone2 is on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to the proxy server to allow phone2 to register with the proxy, then create a policy allowing SIP traffic from the Untrust to the Trust zone and reference that MIP in the policy. You also create a policy from the Trust to the Untrust zone to allow phone1 to call out.
[Illustration: Trust zone LAN with phone1 (10.1.1.3) and the Proxy Server (10.1.1.4) on ethernet1 (10.1.1.1/24) of the NetScreen device; ethernet3 (1.1.1.1/24) faces the Untrust zone and the Internet, where phone2 (1.1.1.4) is located. A Virtual Device represents the MIP on ethernet3: 1.1.1.2 -> 10.1.1.4.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.4/24
Zone: Trust
3. MIP
Network > Interfaces > Edit (for loopback.3) > MIP > New: Enter the following, and then click OK:
Mapped IP: 1.1.1.2
Netmask: 255.255.255.255
Host IP Address: 10.1.1.4
Host Virtual Router Name: trust-vr
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select) any
Destination Address:
Address Book Entry: (select) phone2
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: (select)
(DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), phone2
Destination Address:
Address Book Entry: (select), MIP(1.1.1.2)
Service: SIP
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address trust proxy 10.1.1.4/24
3. MIP
set interface ethernet3 mip 1.1.1.2 host 10.1.1.4
4. Policies
set policy from trust to untrust any phone2 sip nat src permit
set policy from untrust to trust phone2 mip(1.1.1.2) sip permit
save
Example: Proxy in the Public Zone
In this example, phone1 is on the ethernet1 interface in the Trust zone and the proxy server and phone2 are on the ethernet3 interface in the Untrust (public) zone. You configure Interface DIP on the Untrust interface, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP in the policy. You also create a policy from Trust to Untrust to allow phone1 to register with the proxy server in the Untrust zone. This example is similar to the previous incoming call examples (see “Example: Incoming Call (DIP Pool)” on page 225, “Example: Incoming Call (DIP Pool)” on page 225 and “Example: Incoming Call with MIP” on page 229) and, as with those examples, you can use DIP or MIP on the Untrust interface.
[Illustration: Trust zone LAN with phone1 (10.1.1.3) on ethernet1 (10.1.1.1/24) of the NetScreen device; ethernet3 (1.1.1.1/24, Interface DIP on ethernet3) faces the Untrust zone and the Internet, where the Proxy Server (1.1.1.3) and phone2 (1.1.1.4) are located.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
k OK:
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
Network > Interfaces > Edit (for ethernet3): Enter the following, and then clic
Zone: Untrust
IP Address/Netmask: 1.1.1.1/24
Interface Mode: Route
2. AddressesObjects > Addresses > List > New: Enter the following, and then click OK :
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK :
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK :
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.3/24
Zone: Untrust
Chapter 5 Building Blocks for Policies Services
238
check box.
OK :
k Return to set the advanced n page:
ss Interface IP)
OK :
)
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
3. Interface DIPNetwork > Interface > Edit (for ethernet3) > DIP: Select the Incoming NAT
4. PoliciesPolicies > (From: Trust, To: Untrust) New: Enter the following, and then click
Source Address:
Address Book Entry: (select) phone1
Destination Address:
Address Book Entry: (select) Any
Service: SIP
Action: Permit
> Advanced: Enter the following, and then clicoptions and return to the basic configuratio
NAT:
Source Translation: (select)
(DIP on): None (Use Egre
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click
Source Address:
Address Book Entry: (select) Any
Destination Address:
Address Book Entry: (select) DIP(ethernet3
Service: SIP
Action: Permit
Chapter 5 Building Blocks for Policies Services
239
permitpermit
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
CLI
1. Interfacesset interface ethernet1 zone trustset interface ethernet1 ip 10.1.1.1/24set interface ethernet1 nat
set interface ethernet3 zone untrustset interface ethernet3 ip 1.1.1.1/24
2. Addressesset address trust phone1 10.1.1.3/24set address untrust phone2 1.1.1.4/24set address untrust proxy 1.1.1.3/24
3. Interface DIPset interface ethernet3 dip interface-ip incoming
4. Policiesset policy from trust to untrust phone1 any sip nat src set policy from untrust to trust any dip(ethernet3) sip save
Example: Three-Zone, Proxy in the DMZ
In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet2 interface in the DMZ. You put a MIP on the ethernet2 interface to phone1 in the Trust zone, create a policy from the DMZ to the Trust zone, and reference that MIP in the policy. In fact, with three zones you need to create bidirectional policies between each of the zones. The arrows in the following illustration show the flow of SIP traffic when phone2 in the Untrust zone places a call to phone1 in the Trust zone.
[Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); proxy server (2.2.2.4) in the DMZ behind ethernet2 (2.2.2.2/24), with a MIP on ethernet2 mapping 2.2.2.3 -> 10.1.1.3 shown as a virtual device; ethernet3 (1.1.1.1/24) in the Untrust zone; phone2 (1.1.1.4) reached through the Internet.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:
Zone Name: DMZ
Static IP: (select when this option is present)
IP Address/Netmask: 2.2.2.2/24
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.1/24
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/24
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.4/24
Zone: DMZ
3. MIP
Network > Interfaces > Edit (for ethernet2) > MIP > New: Enter the following, and then click OK:
Mapped IP: 2.2.2.3
Netmask: 255.255.255.255
Host IP Address: 10.1.1.3
4. Policies
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), phone1
Destination Address:
Address Book Entry: (select), proxy
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: Enable
(DIP on): None (Use Egress Interface IP)
Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), proxy
Destination Address:
Address Book Entry: (select), phone2
Service: SIP
Action: Permit
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), phone2
Destination Address:
Address Book Entry: (select), phone1
Service: SIP
Action: Permit
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), phone2
Destination Address:
Address Book Entry: (select), proxy
Service: SIP
Action: Permit
Policies > (From: DMZ, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), proxy
Destination Address:
Address Book Entry: (select), MIP(2.2.2.3)
Service: SIP
Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), phone1
Destination Address:
Address Book Entry: (select), phone2
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: Enable
(DIP on): None (Use Egress Interface IP)
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
set interface ethernet2 zone dmz
set interface ethernet2 ip 2.2.2.2/24
set interface ethernet2 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address dmz proxy 2.2.2.4/24
3. MIP
set interface ethernet2 mip 2.2.2.3 host 10.1.1.3
4. Policies
set policy from trust to dmz phone1 proxy sip nat src permit
set policy from dmz to untrust proxy phone2 sip permit
set policy from untrust to trust phone2 phone1 sip permit
set policy from untrust to dmz phone2 proxy sip permit
set policy from dmz to trust proxy mip(2.2.2.3) sip permit
set policy from trust to untrust phone1 phone2 sip nat src permit
save
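The three-zone example works only because a SIP policy exists for every ordered pair of zones; one missing direction silently breaks calls in one direction while registration still succeeds. The following Python script is an added example and not part of the Juniper guide: it parses `set policy from ... to ...` lines in the CLI form used throughout this chapter, reports which ordered zone pairs have no permit policy for a service, and flags inbound policies whose source is `any`, the pattern the DIP examples use and the one to tighten once the phone and proxy addresses are known. The embedded policy text is the six lines of the CLI above; the zone list and the `overly_broad` heuristic are this example's own.

```python
"""Coverage lint for the ScreenOS `set policy` lines used in this chapter.

Added example, not from the Juniper guide. It parses policy lines, lists
the ordered zone pairs that lack a permit policy for a service, and flags
inbound policies that accept any source from the public zone."""
import re
from itertools import permutations

# set policy from <zone> to <zone> <src> <dst> <service> [nat src [dip-id N]] <action>
POLICY_RE = re.compile(
    r"^set policy from (\S+) to (\S+) (\S+) (\S+) (\S+)"
    r"(?: (nat src(?: dip-id \d+)?))? (permit|deny|reject)$"
)

def parse_policies(cli_text):
    """One dict per `set policy` line; lines in any other form are ignored."""
    policies = []
    for line in cli_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if not m:
            continue
        src_zone, dst_zone, src, dst, svc, nat, action = m.groups()
        policies.append({
            "from": src_zone.lower(), "to": dst_zone.lower(),
            "src": src.lower(), "dst": dst.lower(), "service": svc.lower(),
            "nat_src": nat is not None, "action": action,
        })
    return policies

def missing_directions(policies, zones, service="sip"):
    """Ordered (from, to) zone pairs with no permit policy for `service`."""
    covered = {(p["from"], p["to"]) for p in policies
               if p["service"] == service and p["action"] == "permit"}
    return sorted(pair for pair in permutations(sorted(zones), 2) if pair not in covered)

def overly_broad(policies, public_zone="untrust"):
    """Permit policies that let any host in the public zone in; tighten these to
    the proxy or phone addresses once they are known."""
    return [p for p in policies
            if p["from"] == public_zone and p["src"] == "any" and p["action"] == "permit"]

# The six policies of the three-zone example above, as constructed input.
THREE_ZONE_CLI = """
set policy from trust to dmz phone1 proxy sip nat src permit
set policy from dmz to untrust proxy phone2 sip permit
set policy from untrust to trust phone2 phone1 sip permit
set policy from untrust to dmz phone2 proxy sip permit
set policy from dmz to trust proxy mip(2.2.2.3) sip permit
set policy from trust to untrust phone1 phone2 sip nat src permit
"""

if __name__ == "__main__":
    pols = parse_policies(THREE_ZONE_CLI)
    print("missing:", missing_directions(pols, ["trust", "dmz", "untrust"]))
    print("broad:", [(p["from"], p["to"], p["dst"]) for p in overly_broad(pols)])
```

Run it against a `get policy`-style dump before and after a change: an empty `missing` list for the zones in play is the property the three-zone text asks for, and any entry from `overly_broad` is a policy that should name the proxy or phones rather than `any` once their addresses are fixed.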
Example: Untrust Intrazone
In this example, phone1 is on the ethernet4 interface in the Untrust zone, phone2 is in a subnet on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet1 interface in the Trust zone. To allow intrazone SIP traffic between the two phones in the Untrust zone, you create a loopback interface, add ethernet3 and ethernet4 to a loopback group, then put a MIP on the loopback interface to the IP address of the proxy server. Creating a loopback interface enables you to use a single MIP for the proxy server in the Trust zone. Because blocking is on by default in the Untrust zone, you must also turn off blocking to allow intrazone communication. For more information about using loopback interfaces, see “MIP and the Loopback Interface” on page 7-105.
[Figure: proxy (10.1.1.5) on the Trust LAN behind ethernet1 (10.1.1.1/24); NetScreen device with ethernet4 (1.1.1.1/24) and ethernet3 (1.1.2.1/24) in the Untrust zone; phone1 (1.1.1.4) and phone2 (1.1.2.4) reached through the Internet; loopback.1 (1.1.4.1/24) carrying the MIP 1.1.4.5 -> 10.1.1.5.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet4): Enter the following, and then click OK:
Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.1.1/24
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 1.1.2.1/24
Network > Interfaces > New Loopback IF: Enter the following, and then click OK:
Interface Name: loopback.1
Zone: Untrust (trust-vr)
IP Address/Netmask: 1.1.4.1/24
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.5/32
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 1.1.1.4/32
Zone: Untrust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 1.1.2.4/32
Zone: Untrust
3. Loopback Group
Network > Interfaces > Edit (for ethernet4): Enter the following, and then click OK:
As member of loopback group: (select) loopback.1
Zone Name: Untrust
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
As member of loopback group: (select) loopback.1
Zone Name: Untrust
4. MIP
Network > Interfaces > Edit (for loopback.1) > MIP > New: Enter the following, and then click OK:
Mapped IP: 1.1.4.5
Netmask: 255.255.255.255
Host IP Address: 10.1.1.5
Host Virtual Router Name: trust-vr
5. Blocking
Network > Zones > Edit (for Untrust): Enter the following, and then click OK:
Block Intra-Zone Traffic: (clear)
6. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), proxy
Destination Address:
Address Book Entry: (select), Any
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: Enable
(DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), MIP(1.1.4.5)
Service: SIP
Action: Permit
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.2.1/24
set interface ethernet3 route
set interface ethernet4 zone untrust
set interface ethernet4 ip 1.1.1.1/24
set interface ethernet4 route
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.4.1/24
set interface loopback.1 route
2. Addresses
set address trust proxy 10.1.1.5/32
set address untrust phone1 1.1.1.4/32
set address untrust phone2 1.1.2.4/32
3. Loopback Group
set interface ethernet4 loopback-group loopback.1
set interface ethernet3 loopback-group loopback.1
4. MIP
set interface loopback.1 mip 1.1.4.5 host 10.1.1.5
5. Blocking
unset zone untrust block
6. Policies
set policy from trust to untrust proxy any sip nat src permit
set policy from untrust to trust any mip(1.1.4.5) sip permit
save
Example: Trust Intrazone
In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet2 interface in a subnet in the Trust zone, and the proxy server is on the ethernet3 interface in the Untrust zone. To allow both phones in the Trust zone to communicate with each other, you configure interface DIP on the ethernet3 interface to allow them to contact the proxy server, then set policies to allow bidirectional SIP traffic between the Trust and the Untrust zones. Blocking is off by default in the Trust zone (as it is in custom zones you define).
[Figure: phone1 (10.1.1.3) behind ethernet1 (10.1.1.1/24) and phone2 (10.1.2.2) behind ethernet2 (10.1.2.1/24), both on the Trust LAN; NetScreen device; ethernet3 (3.3.3.3/24) in the Untrust zone with Interface DIP on ethernet3; proxy server (3.3.3.4) reached through the Internet.]
WebUI
1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet2): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select when this option is present)
IP Address/Netmask: 10.1.2.1/24
Enter the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
Static IP: (select when this option is present)
IP Address/Netmask: 3.3.3.3/24
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone1
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.3/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: phone2
IP Address/Domain Name:
IP/Netmask: (select), 10.1.2.2/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: proxy
IP Address/Domain Name:
IP/Netmask: (select), 3.3.3.4/24
Zone: Untrust
3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
Incoming NAT: (select)
4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), proxy
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
NAT:
Source Translation: Enable
(DIP on): None (Use Egress Interface IP)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select) proxy
Destination Address:
Address Book Entry: (select) Any
Service: SIP
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options:
NAT:
Source Translation: (select)
(DIP on): None (Use Egress Interface IP)
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.2.1/24
set interface ethernet2 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet3 route
2. Addresses
set address trust phone1 10.1.1.3/24
set address trust phone2 10.1.2.2/24
set address untrust proxy 3.3.3.4/24
3. Interface DIP
set interface ethernet3 dip interface-ip incoming
4. Policies
set policy from trust to untrust any proxy sip nat src permit
set policy from untrust to trust proxy dip(ethernet3) sip permit
save
Example: Full-Mesh VPN for SIP
In this example, the central office and two branch offices are linked by a full-mesh VPN. Each site has a single NetScreen device. The proxy server is in the Trust zone at the Central Office, phone1 is in the Trust zone at Branch Office One, and phone2 is in the Trust zone at Branch Office Two. All interfaces connecting the devices are in their respective Untrust zones. On each device, you configure two tunnels, one to each other device, to create a fully meshed network.
Note: NetScreen devices used in this example must have four independently configurable interfaces available.
[Figure: Central Office: Trust eth2/8 10.1.3.1 with Proxy 10.1.3.3; Untrust eth2/1 1.1.1.1 and eth2/2 1.1.2.1; tunnel.1 6.6.6.6 (VPN 1 to Branch-1) and tunnel.2 7.7.7.7 (VPN 2 to Branch-2). Branch Office One: Trust eth1 10.1.1.1 with phone1 10.1.1.3; Untrust eth3 3.3.3.3 and eth4 4.4.4.4; tunnel.1 and tunnel.3 unnumbered. Branch Office Two: Trust eth1 10.1.2.1 with phone2 10.1.2.3; Untrust eth3 2.2.2.2 and eth4 5.5.5.5; tunnel.2 and tunnel.3 unnumbered (VPN 3 between the branches). Gateway routers sit between Central 1.1.1.1 and Branch-1 3.3.3.3, between Central 1.1.2.1 and Branch-2 2.2.2.2, and between Branch-1 4.4.4.4 and Branch-2 5.5.5.5. The Untrust zone for each device is not shown.]
WebUI (for Central)
1. Interfaces
Network > Interfaces > Edit (for ethernet2/1)
Network > Interfaces > Edit (for ethernet2/2)
Network > Interfaces > Edit (for ethernet2/8)
Network > Interfaces > New Tunnel IF
2. Address
Objects > Addresses > List > New
3. VPN
VPNs > AutoKey IKE > New: > Advanced
4. Routing
Network > Routing > Routing Entries > New
5. Policies
Policies > (From Untrust to Trust) New
Policies > (From Trust to Untrust) New
Note: In this example, each WebUI section lists only navigational paths, which lead to the pages necessary to configure the device. To see the specific parameters and values you need to set for any WebUI section, refer to the CLI section that follows it.
CLI (for Central)
1. Interfaces
set interface ethernet2/1 zone untrust
set interface ethernet2/1 ip 1.1.1.1/24
set interface ethernet2/2 zone untrust
set interface ethernet2/2 ip 1.1.2.1/24
set interface ethernet2/8 zone trust
set interface ethernet2/8 ip 10.1.3.1/24
set interface ethernet2/8 nat
set interface tunnel.1 zone untrust
set interface tunnel.1 ip 6.6.6.6/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 7.7.7.7/24
2. Address
set address trust proxy 10.1.3.3/32
3. VPN
set ike gateway to-branch-1 address 3.3.3.3 main outgoing-interface ethernet2/1 preshare "netscreen" sec-level standard
set ike gateway to-branch-2 address 2.2.2.2 main outgoing-interface ethernet2/2 preshare "netscreen" sec-level standard
set vpn vpn-branch-1 gateway to-branch-1 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-1 id 1 bind interface tunnel.1
set vpn vpn-branch-2 gateway to-branch-2 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-2 id 2 bind interface tunnel.2
4. Routing
set route 10.1.2.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.1
5. Policies
set policy from untrust to trust any proxy sip permit
set policy from trust to untrust proxy any sip permit
save
WebUI (for Branch Office 1)
1. Interfaces
Network > Interfaces > Edit (for ethernet1)
Network > Interfaces > Edit (for ethernet3)
Network > Interfaces > Edit (for ethernet4)
Network > Interfaces > New Tunnel IF
2. Address
Objects > Addresses > List > New
3. VPN
VPNs > AutoKey IKE > New: > Advanced
4. Routing
Network > Routing > Routing Entries > New
5. Policies
Policies > (From Untrust to Trust) New
Policies > (From Trust to Untrust) New
CLI (for Branch Office 1)
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 4.4.4.4/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4
2. Address
set address trust phone1 10.1.1.3/32
3. VPN
set ike gateway to-central address 1.1.1.1 main outgoing-interface ethernet3 preshare "netscreen" sec-level standard
set ike gateway to-ns50 address 5.5.5.5 main outgoing-interface ethernet4 preshare "netscreen" sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral id 4 bind interface tunnel.1
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 id 5 bind interface tunnel.3
4. Routes
set route 10.1.3.0/24 interface tunnel.1
set route 10.1.2.0/24 interface tunnel.3
5. Policies
set policy from trust to untrust phone1 any sip permit
set policy from untrust to trust any phone1 sip permit
save
WebUI (for Branch Office 2)
1. Interfaces
Network > Interfaces > Edit (for ethernet1)
Network > Interfaces > Edit (for ethernet3)
Network > Interfaces > Edit (for ethernet4)
Network > Interfaces > New Tunnel IF
2. Address
Objects > Addresses > List > New
3. VPN
VPNs > AutoKey IKE > New: > Advanced
4. Routing
Network > Routing > Routing Entries > New
5. Policies
Policies > (From Untrust to Trust) New
Policies > (From Trust to Untrust) New
CLI (for Branch Office 2)
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.2.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24
set interface ethernet4 zone untrust
set interface ethernet4 ip 5.5.5.5/24
set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3
set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4
2. Address
set address trust phone2 10.1.2.3/32
3. VPN
set ike gateway to-central address 1.1.2.1 main outgoing-interface ethernet3 preshare "netscreen" sec-level standard
set ike gateway to-ns50 address 4.4.4.4 main outgoing-interface ethernet4 preshare "netscreen" sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 bind interface tunnel.3
4. Routes
set route 10.1.1.0/24 interface tunnel.3
set route 10.1.3.0/24 interface tunnel.2
5. Policies
set policy from trust to untrust phone2 any sip permit
set policy from untrust to trust any phone2 sip permit
save
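The three device configurations above have to agree with each other: every site needs a route for each peer's Trust LAN that points into a tunnel whose IKE gateway is an address on that peer, and no gateway may point at an address of the device itself. The following Python script is an added example and not part of the Juniper guide. It parses the subset of the CLI used in this example (interface zone and IP lines, `set ike gateway`, `set vpn ... gateway`, `set vpn ... bind interface`, `set route`) and checks those conditions across the mesh. The site texts are constructed from the example; `branch_cli` is this example's own helper for producing the two symmetrical branch configs, and `BAD_MESH` deliberately points one branch's gateway at its own address and routes its own LAN into the tunnel to show what the check reports.

```python
"""Consistency check for the full-mesh route-based VPN above, written in Python.
Added example, not from the Juniper guide: it reads the CLI forms the example uses
(interface zone/IP, ike gateway, vpn gateway, vpn bind, route) and verifies that every
site routes each peer's Trust LAN into a tunnel whose IKE gateway sits on that peer."""
import ipaddress
import re

INTF_ZONE = re.compile(r"^set interface (\S+) zone (\S+)$")
INTF_IP = re.compile(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$")
IKE_GW = re.compile(r"^set ike gateway (\S+) address (\d+\.\d+\.\d+\.\d+)\b")
VPN_GW = re.compile(r"^set vpn (\S+) gateway (\S+)\b")
VPN_BIND = re.compile(r"^set vpn (\S+)(?: id \d+)? bind interface (\S+)$")
ROUTE = re.compile(r"^set route (\S+) interface (\S+)$")

def parse_site(cli_text):
    """Collect one device's addresses, Trust LANs, IKE gateways, VPN bindings and routes."""
    zones, ifaces = {}, {}
    site = {"gw_addr": {}, "vpn_gw": {}, "vpn_if": {}, "routes": {}}
    for raw in cli_text.splitlines():
        line = raw.strip()
        if m := INTF_ZONE.match(line):
            zones[m[1]] = m[2].lower()
        elif m := INTF_IP.match(line):
            ifaces[m[1]] = ipaddress.ip_interface(m[2])
        elif m := IKE_GW.match(line):
            site["gw_addr"][m[1]] = m[2]
        elif m := VPN_GW.match(line):
            site["vpn_gw"][m[1]] = m[2]
        elif m := VPN_BIND.match(line):
            site["vpn_if"][m[1]] = m[2]
        elif m := ROUTE.match(line):
            site["routes"][ipaddress.ip_network(m[1])] = m[2]
    site["addrs"] = {str(i.ip) for i in ifaces.values()}
    site["lans"] = [i.network for n, i in ifaces.items() if zones.get(n) == "trust"]
    return site

def tunnel_peer_addr(site, tunnel):
    # IKE gateway address behind the VPN bound to `tunnel`, or None if nothing is bound
    for vpn, iface in site["vpn_if"].items():
        if iface == tunnel:
            return site["gw_addr"].get(site["vpn_gw"].get(vpn))
    return None

def check_mesh(sites):
    """Human-readable problems; an empty list means every site reaches every other."""
    problems = []
    for name, site in sites.items():
        for gw, addr in site["gw_addr"].items():
            if addr in site["addrs"]:
                problems.append(f"{name}: gateway {gw} points at its own address {addr}")
        for peer_name, peer in sites.items():
            for lan in peer["lans"] if peer_name != name else []:
                tunnel = site["routes"].get(lan)
                if tunnel is None:
                    problems.append(f"{name}: no route to {peer_name} LAN {lan}")
                elif tunnel_peer_addr(site, tunnel) not in peer["addrs"]:
                    problems.append(f"{name}: route to {lan} via {tunnel} does not end on {peer_name}")
    return problems

# Constructed site texts in the shape of the example; Untrust zone lines and the
# preshare/idletime tails are left out because the checker does not read them.
CENTRAL = """
set interface ethernet2/1 ip 1.1.1.1/24
set interface ethernet2/2 ip 1.1.2.1/24
set interface ethernet2/8 zone trust
set interface ethernet2/8 ip 10.1.3.1/24
set ike gateway to-branch-1 address 3.3.3.3 main outgoing-interface ethernet2/1
set ike gateway to-branch-2 address 2.2.2.2 main outgoing-interface ethernet2/2
set vpn vpn-branch-1 gateway to-branch-1 no-replay tunnel
set vpn vpn-branch-1 id 1 bind interface tunnel.1
set vpn vpn-branch-2 gateway to-branch-2 no-replay tunnel
set vpn vpn-branch-2 id 2 bind interface tunnel.2
set route 10.1.2.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.1
"""

def branch_cli(lan, eth3, eth4, central_addr, peer_addr, tun_central, peer_lan):
    """Branch-office text with the same shape as the example's two branches."""
    return f"""
set interface ethernet1 zone trust
set interface ethernet1 ip {lan}
set interface ethernet3 ip {eth3}
set interface ethernet4 ip {eth4}
set ike gateway to-central address {central_addr} main outgoing-interface ethernet3
set ike gateway to-ns50 address {peer_addr} main outgoing-interface ethernet4
set vpn vpncentral gateway to-central no-replay tunnel
set vpn vpncentral bind interface {tun_central}
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel
set vpn vpn-ns50 bind interface tunnel.3
set route 10.1.3.0/24 interface {tun_central}
set route {peer_lan} interface tunnel.3
"""

GOOD_MESH = {
    "central": CENTRAL,
    "branch-1": branch_cli("10.1.1.1/24", "3.3.3.3/24", "4.4.4.4/24", "1.1.1.1", "5.5.5.5", "tunnel.1", "10.1.2.0/24"),
    "branch-2": branch_cli("10.1.2.1/24", "2.2.2.2/24", "5.5.5.5/24", "1.1.2.1", "4.4.4.4", "tunnel.2", "10.1.1.0/24"),
}
# Branch-2 with its branch gateway pointed at its own ethernet4 and its own LAN routed into the tunnel.
BAD_MESH = {**GOOD_MESH, "branch-2": branch_cli("10.1.2.1/24", "2.2.2.2/24", "5.5.5.5/24", "1.1.2.1", "5.5.5.5", "tunnel.2", "10.1.2.0/24")}

def mesh_problems(configs):
    return check_mesh({name: parse_site(text) for name, text in configs.items()})
```

`mesh_problems(GOOD_MESH)` returns an empty list; `mesh_problems(BAD_MESH)` reports the self-pointing gateway and the missing route to the other branch. Feed it `get config` output from the real devices (the regexes ignore lines they do not recognise) to catch the same two mistakes before bringing the tunnels up.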
Bandwidth Management for VoIP Services
Juniper Networks recommends the following ways to manage bandwidth for VoIP services, using the standard ScreenOS traffic shaping mechanisms.
• Guarantee bandwidth for VoIP traffic—The most effective way to ensure quality VoIP service, and still allow other types of traffic on the interface, is to create a policy guaranteeing the minimum bandwidth necessary for the amount of VoIP traffic you expect on the interface, and set priority queuing to the highest level. The advantage of this strategy is that VoIP can use additional bandwidth when it is available, and other types of traffic can use bandwidth not guaranteed for VoIP when it is not being used by VoIP.
• Limit bandwidth for non-VoIP traffic—By setting a maximum bandwidth for non-VoIP traffic, you make the remaining bandwidth available to VoIP traffic. You would also set priority queuing to the highest level for VoIP traffic. The disadvantage of this method is that non-VoIP traffic cannot use additional bandwidth, even when it is not being used by VoIP traffic.
• Use priority queuing and Differentiated Services Codepoint (DSCP) marking—Guaranteeing bandwidth for VoIP traffic, and limiting bandwidth for non-VoIP traffic both govern throughput on the NetScreen device. DSCP marking enables you to preserve your priority queuing settings downstream, and to keep or change the received DSCP value set by the originating networking device or upstream router so that the next hop router, typically the LAN or WAN edge router, can enforce Quality of Service (QoS) in its DiffServ domain. By default in VPN configurations, the NetScreen device copies the DSCP marking from the inner header of the IP packet to the outer header, so that the next hop router can enforce the correct QoS on the encrypted traffic. For information about how DSCP works with priority levels in policies, see “Traffic Shaping” on page 315.
The following illustration shows how priority level settings can affect guaranteed bandwidth (gbw) and maximum bandwidth (mbw) usage on an ethernet1 (2 Mbps) interface. The illustration assumes you have determined you need to support at least eight VoIP calls (8 x 64 Kbps bandwidth per call, for a total of 512 Kbps), and occasionally as many as 16 calls. You have guaranteed the remaining bandwidth to general office traffic, and set maximum bandwidth for your office traffic to include bandwidth not guaranteed to VoIP. This creates a 512 Kbps overlap of maximum bandwidth for VoIP and office traffic services, shown by the dashed lines.
The left side of the illustration shows what bandwidth usage with these settings looks like with high office traffic usage on the interface, and low VoIP usage. If VoIP suddenly needs more bandwidth, unless it has a higher priority than the office traffic services, it cannot get it. The right side of the illustration shows what bandwidth usage looks like in the same circumstance when you give VoIP high priority, and set office traffic to a lower priority. For more information about configuring bandwidth and priority levels, see “Traffic Shaping” on page 347.
[Figure: Using Priority Levels with Bandwidth Settings. Left panel: Guaranteed and maximum bandwidth settings; right panel: Adding priority level settings. Each panel shows the 2 Mbps total bandwidth of the interface shared between VoIP and Office Traffic, labelled gbw 512 Kbps, mbw 1536 Kbps, gbw 1024 Kbps and mbw 1024 Kbps.]
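The two panels of the illustration can be reproduced with a small allocation model. The Python below is an added example and not part of the Juniper guide: it honours each class's guaranteed bandwidth first, gives the remainder to the highest priority class up to its maximum, and on equal priority leaves contested bandwidth with the class that already holds it. The VoIP figures (512 Kbps guaranteed for 8 calls, 1024 Kbps maximum for 16) come from the text; the office values (gbw 1024 Kbps, mbw 1536 Kbps) are assumed from the figure labels, and the allocation rule is a simplification of the device's scheduler, not its documented algorithm.

```python
"""Model of how ScreenOS guaranteed bandwidth (gbw), maximum bandwidth (mbw)
and priority levels share one interface.

Added example, not from the Juniper guide. The allocation rule is a
simplification chosen to reproduce the two panels of the illustration:
guarantees are honoured first, the remainder goes to the highest priority
class, and on equal priority the class already holding the bandwidth keeps it."""
from dataclasses import dataclass

@dataclass
class TrafficClass:
    name: str
    gbw: int        # guaranteed bandwidth, Kbps
    mbw: int        # maximum bandwidth, Kbps
    priority: int   # ScreenOS priority level: 0 is highest, 7 is lowest and the default
    demand: int     # offered load, Kbps

VOIP_CALL_KBPS = 64     # per-call figure used in the illustration
LINK_KBPS = 2048        # ethernet1 at 2 Mbps

def settings_problems(classes, capacity):
    """Sanity checks worth running before committing policies: a class must not
    guarantee more than its maximum, and the guarantees must fit the interface."""
    problems = [f"{c.name}: gbw {c.gbw} exceeds mbw {c.mbw}" for c in classes if c.gbw > c.mbw]
    total = sum(c.gbw for c in classes)
    if total > capacity:
        problems.append(f"guaranteed total {total} Kbps exceeds interface {capacity} Kbps")
    return problems

def allocate(classes, capacity):
    """Bandwidth each class obtains. `classes` is ordered by arrival: on equal
    priority the earlier class keeps the contested bandwidth."""
    problems = settings_problems(classes, capacity)
    if problems:
        raise ValueError("; ".join(problems))
    got = {c.name: min(c.demand, c.gbw) for c in classes}      # guarantees first
    free = capacity - sum(got.values())
    for c in sorted(classes, key=lambda c: c.priority):        # stable sort keeps arrival order on ties
        take = max(0, min(min(c.demand, c.mbw) - got[c.name], free))
        got[c.name] += take
        free -= take
    return got

def office_then_voip(voip_priority, office_priority=7):
    """Office traffic already uses 1536 Kbps when VoIP ramps from a few calls to 16.
    Office gbw/mbw (1024/1536) are assumed from the figure labels; VoIP gbw/mbw
    (512/1024) follow the text's 8 and 16 calls at 64 Kbps each."""
    office = TrafficClass("office", gbw=1024, mbw=1536, priority=office_priority, demand=1536)
    voip = TrafficClass("voip", gbw=8 * VOIP_CALL_KBPS, mbw=16 * VOIP_CALL_KBPS,
                        priority=voip_priority, demand=16 * VOIP_CALL_KBPS)
    return allocate([office, voip], LINK_KBPS)

def calls_supported(allocation):
    return allocation["voip"] // VOIP_CALL_KBPS

if __name__ == "__main__":
    print("left panel (default priorities):", office_then_voip(voip_priority=7))
    print("right panel (VoIP priority 0):", office_then_voip(voip_priority=0))
```

With both classes at the default priority 7 VoIP stays at its 512 Kbps guarantee (8 calls) because the office class already holds the contested 512 Kbps; with VoIP at priority 0 it takes 1024 Kbps (16 calls) and office traffic falls back to its 1024 Kbps guarantee. `settings_problems` is the check to run on a planned policy set before the guarantees are committed.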
Service Groups
A service group is a set of services that you have gathered together under one name. After you create a group containing several services, you can then apply services at the group level to policies, thus simplifying administration.
The NetScreen service group option has the following features:
• Each service book entry can be referenced by one or more service groups.
• Each service group can contain predefined and user-defined service book entries.
Service groups are subject to the following limitations:
• Service groups cannot have the same names as services; therefore, if you have a service named “FTP,” you cannot have a service group named “FTP.”
• If a service group is referenced in a policy, you can edit the group but you cannot remove it until you have first removed the reference to it in the policy.
• If a custom service book entry is deleted from the service book, the entry is also removed from all the groups in which it was referenced.
• One service group cannot contain another service group as a member.
• The all-inclusive service term “ANY” cannot be added to groups.
• A service can be part of only one group at a time.
Chapter 5 Building Blocks for Policies Services
267
d LDAP services.
the following services, and then
the service from the Available column.
the service from the Available column.
e the service from the Available column.
NetScreen device creates the emselves in the reference list.
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
Example: Creating a Service GroupIn this example, you create a service group named grp1 that includes IKE, FTP, an
WebUI
Objects > Services > Groups > New: Enter the following group name, moveclick OK :
Group Name: grp1
Select IKE and use the << button to move Members column to the Group Members
Select FTP and use the << button to move Members column to the Group Members
Select LDAP and use the << button to movMembers column to the Group Members
CLI
set group service grp1set group service grp1 add ikeset group service grp1 add ftpset group service grp1 add ldapsave
Note: If you try to add a service to a service group that does not exist, thegroup. Also, ensure that groups referencing other groups do not include th
Chapter 5 Building Blocks for Policies Services
268
Example: Modifying a Service Group

In this example, you change the members in the service group named grp1 that you created in “Example: Creating a Service Group” on page 267. You remove the IKE, FTP, and LDAP services, and add HTTP, FINGER, and IMAP.

WebUI

Objects > Services > Groups > Edit (for grp1): Move the following services, and then click OK:
  Select IKE and use the >> button to move the service from the Group Members column to the Available Members column.
  Select FTP and use the >> button to move the service from the Group Members column to the Available Members column.
  Select LDAP and use the >> button to move the service from the Group Members column to the Available Members column.
  Select HTTP and use the << button to move the service from the Available Members column to the Group Members column.
  Select Finger and use the << button to move the service from the Available Members column to the Group Members column.
  Select IMAP and use the << button to move the service from the Available Members column to the Group Members column.

CLI

unset group service grp1 clear
set group service grp1 add http
set group service grp1 add finger
set group service grp1 add imap
save
Example: Removing a Service Group

In this example, you delete the service group named “grp1”.

WebUI

Objects > Services > Groups: Click Remove (for grp1).

CLI

unset group service grp1
save

Note: The NetScreen device does not automatically delete a group from which you have removed all members.
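The two notes above (a missing group is created on first add, a group must never end up referencing itself, and an emptied group is not deleted) are easy to get wrong when service groups are generated by scripts. The following Python is an added example, not ScreenOS code or anything from this manual: it models those rules for a set of service and group names, flattens nested groups to the services a policy would actually match, and walks through the grp1 changes from the three examples above. Service and group names are assumed case-insensitive, as the CLI spells them.

```python
# Added example (not ScreenOS code): a small model of the service-group rules stated in the
# notes above. Service and group names are assumed case-insensitive, as the CLI shows them.


class ServiceGroupTable:
    def __init__(self, known_services):
        self.services = {s.lower() for s in known_services}
        self.groups = {}  # group name -> ordered member list (services or other groups)

    def add(self, group, member):
        """Model of `set group service <group> add <member>`: creates the group if it
        does not exist yet, and refuses a member that would make the group reference itself."""
        group, member = group.lower(), member.lower()
        if member not in self.services and member not in self.groups:
            raise ValueError(f"unknown service or group: {member}")
        members = self.groups.setdefault(group, [])
        if member in self.groups and self._contains(member, group):
            raise ValueError(f"{group} -> {member} would make {group} reference itself")
        if member not in members:
            members.append(member)

    def _contains(self, start, target):
        """True if group `start` reaches group `target` through nested group members."""
        stack, seen = [start], set()
        while stack:
            g = stack.pop()
            if g == target:
                return True
            if g in seen:
                continue
            seen.add(g)
            stack.extend(m for m in self.groups.get(g, []) if m in self.groups)
        return False

    def clear(self, group):
        """Model of `unset group service <group> clear`: removes all members but keeps the
        (now empty) group defined, as the note on removing a service group says."""
        self.groups[group.lower()] = []

    def remove(self, group):
        """Model of `unset group service <group>`: deletes the group itself."""
        del self.groups[group.lower()]

    def resolve(self, group):
        """Flatten nested groups into the set of concrete services a policy would match."""
        out, stack, seen = set(), [group.lower()], set()
        while stack:
            g = stack.pop()
            if g in seen:
                continue
            seen.add(g)
            for m in self.groups.get(g, []):
                if m in self.groups:
                    stack.append(m)
                else:
                    out.add(m)
        return out


def demo():
    """Walk through the three examples above and return what each step produced."""
    t = ServiceGroupTable({"ike", "ftp", "ldap", "http", "finger", "imap"})
    for svc in ("ike", "ftp", "ldap"):
        t.add("grp1", svc)                # the first add creates grp1
    created = t.resolve("grp1")
    t.clear("grp1")                       # unset group service grp1 clear
    for svc in ("http", "finger", "imap"):
        t.add("grp1", svc)
    modified = t.resolve("grp1")
    t.add("grp2", "grp1")                 # grp2 -> grp1 is allowed
    try:
        t.add("grp1", "grp2")             # grp1 -> grp2 -> grp1 would be a loop
        loop_rejected = False
    except ValueError:
        loop_rejected = True
    t.clear("grp2")                       # grp2 is now empty but still defined
    t.remove("grp1")                      # unset group service grp1
    return {"created": created, "modified": modified, "loop_rejected": loop_rejected,
            "grp2_still_defined": "grp2" in t.groups, "grp1_defined": "grp1" in t.groups}


if __name__ == "__main__":
    print(demo())
```

The loop check walks nested groups rather than only comparing the direct member to the group name, so an indirect reference (grp1 contains grp2, grp2 contains grp1) is caught as well.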
DIP POOLS

A dynamic IP (DIP) pool is a range of IP addresses from which the NetScreen device can dynamically or deterministically take addresses to use when performing network address translation on the source IP address (NAT-src) in IP packet headers. (For information about deterministic source address translation, see “NAT-Src from a DIP Pool with Address Shifting” on page 7-24.) If the range of addresses in a DIP pool is in the same subnet as the interface IP address, the pool must exclude the interface IP address, router IP addresses, and any mapped IP (MIP) or virtual IP (VIP) addresses that might also be in that subnet. If the range of addresses is in the subnet of an extended interface, the pool must exclude the extended interface IP address.

There are three kinds of interfaces that you can link to Dynamic IP (DIP) pools: physical interfaces and subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.

Figure: DIP pools and the interfaces they are bound to on a NetScreen firewall. ethernet1 (10.10.1.1/24) with DIP pool 10.10.1.2–10.10.1.20, ethernet2 (210.10.1.1/24) with DIP pool 210.10.1.2–210.10.1.20, and ethernet3 (220.10.1.1/24) with DIP pool 220.10.1.2–220.10.1.20 lead to the Trust, Untrust and DMZ zones; tunnel interfaces (10.20.1.1/24 with DIP pool 10.20.1.2–10.20.1.20, and a second tunnel interface in 10.30.…) lead to VPN tunnels. The physical interfaces lead to networks or VPN tunnels. The tunnel interfaces lead only to VPN tunnels.
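The exclusion rules above (the pool lies inside the interface or extended-interface subnet, and no interface, router, MIP or VIP address falls inside the pool) are the checks worth running before a pool is committed. The Python below is an added example, not ScreenOS code: validate_dip_pool applies those rules to a proposed range, and demo() runs it over the figure's ethernet1 pool and over cases built from the extended-interface example later in this section. Applying the router and MIP/VIP checks to an extended-interface pool as well is this model's assumption; the text only requires excluding the extended interface address there.

```python
import ipaddress

# Added example (not ScreenOS code): checks a proposed DIP pool against the rules stated in the
# DIP Pools text above. Addresses are strings; interface_ip and extended_ip are "address/prefix".
# The router, MIP and VIP checks are applied whether the pool sits in the interface subnet or the
# extended-interface subnet (an assumption of this model, not a rule from the text).


def validate_dip_pool(pool_start, pool_end, interface_ip, extended_ip=None,
                      router_ips=(), mip_vip_ips=()):
    """Return a list of rule violations; an empty list means the pool is acceptable."""
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    if start > end:
        return [f"range start {start} is above range end {end}"]

    # The pool must lie entirely inside the subnet of the interface or of its extended interface.
    subnets = {"interface": ipaddress.IPv4Interface(interface_ip)}
    if extended_ip:
        subnets["extended interface"] = ipaddress.IPv4Interface(extended_ip)
    home = next(((label, iface) for label, iface in subnets.items()
                 if start in iface.network and end in iface.network), None)
    if home is None:
        return ["pool is not in the subnet of the interface"
                + (" or of the extended interface" if extended_ip else "")]

    def in_pool(addr):
        return start <= ipaddress.IPv4Address(str(addr)) <= end

    label, iface = home
    problems = []
    if in_pool(iface.ip):
        problems.append(f"pool includes the {label} IP address {iface.ip}")
    problems += [f"pool includes router address {r}" for r in router_ips if in_pool(r)]
    problems += [f"pool includes MIP/VIP address {m}" for m in mip_vip_ips if in_pool(m)]
    return problems


def demo():
    """Constructed cases modelled on the figure and the examples in this section."""
    return {
        # ethernet1 10.10.1.1/24 with pool 10.10.1.2-10.10.1.20, as in the figure
        "figure_pool": validate_dip_pool("10.10.1.2", "10.10.1.20", "10.10.1.1/24"),
        # a pool that swallows the interface address, a router and a MIP in the same subnet
        "overlapping": validate_dip_pool("10.10.1.1", "10.10.1.20", "10.10.1.1/24",
                                         router_ips=["10.10.1.10"], mip_vip_ips=["10.10.1.5"]),
        # extended interface 211.10.1.10/24 on ethernet3 195.1.1.1/24, pool 211.10.1.1 only
        "extended_ok": validate_dip_pool("211.10.1.1", "211.10.1.1", "195.1.1.1/24",
                                         extended_ip="211.10.1.10/24"),
        # same, but the pool range now reaches the extended interface address itself
        "extended_bad": validate_dip_pool("211.10.1.1", "211.10.1.10", "195.1.1.1/24",
                                          extended_ip="211.10.1.10/24"),
        # pool in a foreign subnet with no extended interface to carry it
        "foreign": validate_dip_pool("211.10.1.1", "211.10.1.1", "195.1.1.1/24"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"{name}: {problems or 'OK'}")
```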
Port Address Translation

Using Port Address Translation (PAT), multiple hosts can share the same IP address, the NetScreen device maintaining a list of assigned port numbers to distinguish which session belongs to which host. With PAT enabled, up to ~64,500 hosts can share a single IP address.

Some applications, such as NetBIOS Extended User Interface (NetBEUI) and Windows Internet Naming Service (WINS), require specific port numbers and cannot function properly if PAT is applied to them. For such applications, you can specify not to perform PAT (that is, to use a fixed port) when applying DIP. For fixed-port DIP, the NetScreen device hashes the original host IP address and saves it in its host hash table, thus allowing the NetScreen device to associate the right session with each host.

Example: Creating a DIP Pool with PAT

In this example, you want to create a VPN tunnel for users at the local site to reach an FTP server at a remote site. However, the internal networks at both sites use the same private address space of 10.1.1.0/24. To solve the problem of overlapping addresses, you create a tunnel interface in the Untrust zone on the local NetScreen device, assign it IP address 10.10.1.1/24, and associate it with a DIP pool with a range of one address (10.10.1.2–10.10.1.2) and port address translation enabled.

The admin at the remote site must also create a tunnel interface with an IP address in a neutral address space, such as 10.20.2.1/24, and set up a Mapped IP (MIP) address to its FTP server, such as 10.20.2.5 to host 10.1.1.5.

WebUI

Network > Interfaces > New Tunnel IF: Enter the following, and then click OK:
  Tunnel Interface Name: tunnel.1
  Zone (VR): Untrust (trust-vr)
  Fixed IP: (select)
  IP Address / Netmask: 10.10.1.1/24

Note: This example includes only the configuration of the tunnel interface and its accompanying DIP pool. For a complete example showing all the configuration steps necessary for this scenario, see “VPN Sites with Overlapping Addresses” on page 5-201.
Network > Interfaces > Edit (for tunnel.1) > DIP > New: Enter the following, and then click OK:
  ID: 5 [10]
  IP Address Range: 10.10.1.2 ~ 10.10.1.2
  Port Translation: (select)
  In the same subnet as the interface IP or its secondary IPs: (select)

CLI

set interface tunnel.1 zone untrust-tun
set interface tunnel.1 ip 10.10.1.1/24
set interface tunnel.1 dip 5 10.10.1.2 10.10.1.2
save

Note: Because PAT is enabled by default, there is no argument for enabling it. To create the same DIP pool as defined above but without PAT (that is, with fixed port numbers), do the following:
• (WebUI) Network > Interfaces > Edit (for tunnel.1) > DIP > New: Clear the Port Translation check box, and then click OK.
• (CLI) set interface tunnel.1 dip 5 10.10.1.2 10.10.1.2 fix-port

10. You can use the ID number displayed, which is the next available number sequentially, or type a different number.
Example: Modifying a DIP Pool

In this example, you change the range of addresses in an existing DIP pool (ID 5) from 10.20.1.2 – 10.20.1.2 to 10.20.1.2 – 10.20.1.10. This DIP pool is associated with tunnel.1. Note that to change the DIP pool range through the CLI, you must first remove (or unset) the existing dip pool and then create a new pool.

WebUI

Network > Interfaces > Edit (for tunnel.1) > DIP > Edit (for ID 5): Enter the following, and then click OK:
  IP Address Range: 10.20.1.2 ~ 10.20.1.10

CLI

unset interface tunnel.1 dip 5
set interface tunnel.1 dip 5 10.20.1.2 10.20.1.10
save

Note: There are no policies using this particular DIP pool. If a policy uses a DIP pool, you must first delete the policy or modify it to not use the DIP pool before you can modify the DIP pool.

Sticky DIP Addresses

When a host initiates several sessions that match a policy requiring network address translation (NAT) and is assigned an address from a DIP pool with port translation enabled [11], the NetScreen device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.

For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messaging (AIM) client. You create one session when you log in, and another for each chat. For the AIM server to verify that a new chat belongs to an authenticated user, it must match the source IP address of the login session with that of the chat session. If they are different—possibly because they were randomly assigned from a DIP pool during the NAT process—the AIM server rejects the chat session.

11. For DIP pools that do not perform port translation, the NetScreen device assigns one IP address for all concurrent sessions from the same host.
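To see why the fixed-port and sticky options exist, it helps to watch a pool hand out addresses. The Python below is an added example, not ScreenOS code: DipPool models the three behaviours this section describes (PAT with a fresh random pool address per session, fix-port with a hashed address and the original source port kept, and sticky reuse of a host's address), and demo() pushes the sessions of one internal host through each. The PAT port range, the CRC32 host hash, and refusing a duplicate fixed port are assumptions of the model, not device internals.

```python
import random
import zlib
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Added example (not ScreenOS code): a model of how a DIP pool hands out source addresses and
# ports under the three behaviours this section describes: PAT (default), fix-port, and sticky.
# The port range and the CRC32 host hash are assumptions of the model, not device internals.

PAT_PORT_LOW, PAT_PORT_HIGH = 1024, 65535   # roughly the ~64,500 ports per address quoted above


@dataclass
class DipPool:
    start: IPv4Address
    end: IPv4Address
    port_translation: bool = True            # False models `fix-port`
    sticky: bool = False                     # True models `set dip sticky`
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    host_addr: dict = field(default_factory=dict)    # host -> pool address it was given
    next_port: dict = field(default_factory=dict)    # pool address -> next free PAT port
    fixed_ports: dict = field(default_factory=dict)  # pool address -> ports in use (fix-port)

    def addresses(self):
        return [IPv4Address(a) for a in range(int(self.start), int(self.end) + 1)]

    def translate(self, host, src_port):
        """Return (translated address, translated port) for a new session from host:src_port."""
        if not self.port_translation:
            # Fixed port: the host address is hashed to one pool address (the page's host hash
            # table) and the original source port is kept, so a second session from the same
            # host on the same port cannot be told apart and is refused in this model.
            addrs = self.addresses()
            addr = self.host_addr.setdefault(
                host, addrs[zlib.crc32(host.encode()) % len(addrs)])
            used = self.fixed_ports.setdefault(addr, set())
            if src_port in used:
                raise RuntimeError(f"{addr}:{src_port} already in use")
            used.add(src_port)
            return str(addr), src_port

        if self.sticky and host in self.host_addr:
            addr = self.host_addr[host]               # same address for every session of the host
        else:
            addr = self.rng.choice(self.addresses())  # random pick, as the text describes
            self.host_addr[host] = addr
        port = self.next_port.get(addr, PAT_PORT_LOW)
        if port > PAT_PORT_HIGH:
            raise RuntimeError(f"no free PAT ports on {addr}")
        self.next_port[addr] = port + 1
        return str(addr), port


def demo():
    """Constructed scenario: one internal host (10.1.1.5) opens 50 sessions through a
    three-address pool with and without sticky, then a NetBIOS-style pair of sessions on
    ports 137 and 138 goes through the same pool with fix-port."""
    lo, hi = IPv4Address("10.10.1.2"), IPv4Address("10.10.1.4")
    plain = DipPool(lo, hi)
    plain_addrs = {plain.translate("10.1.1.5", 40000 + i)[0] for i in range(50)}

    sticky = DipPool(lo, hi, sticky=True)
    sticky_addrs = {sticky.translate("10.1.1.5", 40000 + i)[0] for i in range(50)}

    fixed = DipPool(lo, hi, port_translation=False)
    name_svc = fixed.translate("10.1.1.5", 137)
    dgram_svc = fixed.translate("10.1.1.5", 138)
    try:
        fixed.translate("10.1.1.5", 137)
        port_reuse_refused = False
    except RuntimeError:
        port_reuse_refused = True

    return {"plain_distinct_addrs": len(plain_addrs),
            "sticky_distinct_addrs": len(sticky_addrs),
            "fixed_137": name_svc, "fixed_138": dgram_svc,
            "port_reuse_refused": port_reuse_refused}


if __name__ == "__main__":
    print(demo())
```

With plain PAT the 50 sessions are spread over more than one pool address, which is exactly the login-versus-chat mismatch the AIM paragraph describes; with sticky enabled every session of the host reuses the first address it was given, and with fix-port the address is fixed by the host hash and the ports survive untouched.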
To ensure that the NetScreen device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions, you can enable the “sticky” DIP address feature by entering the CLI command set dip sticky.

Extended Interface and DIP

If circumstances require that the source IP address in outbound firewall traffic be translated to an address in a different subnet from that of the egress interface, you can use the extended interface option. This option allows you to graft a second IP address and an accompanying DIP pool onto an interface that is in a different subnet. You can then enable NAT on a per-policy basis and specify the DIP pool built on the extended interface for the translation.

Example: Using DIP in a Different Subnet

In this example, two branch offices have leased lines to a central office. The central office requires them to use only the authorized IP addresses it has assigned them. However, the offices receive different IP addresses from their ISPs for Internet traffic. For communication with the central office, you use the extended interface option to configure the NetScreen device in each branch office to translate the source IP address in packets it sends to the central office to the authorized address. The authorized and assigned IP addresses for branch offices A and B are as follows:

Office      Assigned IP Address (from ISP), used for the Untrust zone physical interface    Authorized IP Address (from Central Office), used for the Untrust zone extended interface DIP
Office A    195.1.1.1/24                                                                     211.10.1.1/24
Office B    201.1.1.1/24                                                                     211.20.1.1/24

The NetScreen devices at both sites have a Trust zone and an Untrust zone. All security zones are in the trust-vr routing domain. You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24. You bind ethernet3 to the Untrust zone and give it the IP address assigned by the ISPs: 195.1.1.1/24 for Office A and 201.1.1.1/24 for Office B. You then create an extended interface with a DIP pool containing the authorized IP address on ethernet3:
• Office A: extended interface IP 211.10.1.10/24; DIP pool 211.10.1.1 – 211.10.1.1; PAT enabled
• Office B: extended interface IP 211.20.1.10/24; DIP pool 211.20.1.1 – 211.20.1.1; PAT enabled
You set the Trust zone interface in NAT mode. It uses the Untrust zone interface IP address as its source address in all outbound traffic except for traffic sent to the central office. You configure a policy to the central office that translates the source address to an address in the DIP pool in the extended interface. (The DIP pool ID number is 5. It contains one IP address, which, with port address translation, can handle sessions for ~64,500 hosts.) The MIP address that the central office uses for inbound traffic is 200.1.1.1, which you enter as “HQ” in the Untrust zone address book on each NetScreen device.

Note: Each ISP must set up a route for traffic destined to a site at the end of a leased line to use that leased line. The ISPs route any other traffic they receive from a local NetScreen device to the Internet.

Figure: Office A and Office B each have a Trust Zone on ethernet1 (10.1.1.1/24) and an Untrust Zone on ethernet3. Office A: ISP assigns 195.1.1.1/24 (physical interface), HQ authorizes 211.10.1.1/24 (extended interface), Default Gateway 195.1.1.254. Office B: ISP assigns 201.1.1.1/24 (physical interface), HQ authorizes 211.20.1.1/24 (extended interface), Default Gateway 201.1.1.254. Each office reaches the Internet through its ISP and reaches the Central Office (HQ, 200.1.1.1) over a leased line. Note: Leased lines connect branch offices A and B directly to the central office.
WebUI (Branch Office A)

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
  Zone Name: Trust
  Static IP: (select this option when present)
  IP Address/Netmask: 10.1.1.1/24
  Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
  Zone Name: Untrust
  Static IP: (select this option when present)
  IP Address/Netmask: 195.1.1.1/24
  Interface Mode: Route
Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
  ID: 5
  IP Address Range: 211.10.1.1 ~ 211.10.1.1
  Port Translation: (select)
  Extended IP/Netmask: 211.10.1.10/255.255.255.0

2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: HQ
  IP Address/Domain Name:
    IP/Netmask: (select), 200.1.1.1/32
  Zone: Untrust
3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
  Network Address/Netmask: 0.0.0.0/0
  Gateway: (select)
    Interface: ethernet3
    Gateway IP address: 195.1.1.254

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), Any
  Service: ANY
  Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), HQ
  Service: ANY
  Action: Permit
  Position at Top: (select)
  > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
    NAT:
      Source Translation: (select)
      DIP On: (select), 5 (211.10.1.1-211.10.1.1)/X-late

WebUI (Branch Office B)

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
  Zone Name: Trust
  Static IP: (select this option when present)
  IP Address/Netmask: 10.1.1.1/24
  Interface Mode: NAT
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
  Zone Name: Untrust
  Static IP: (select this option when present)
  IP Address/Netmask: 201.1.1.1/24
  Interface Mode: Route
Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
  ID: 5
  IP Address Range: 211.20.1.1 ~ 211.20.1.1
  Port Translation: (select)
  Extended IP/Netmask: 211.20.1.10/255.255.255.0
2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: HQ
  IP Address/Domain Name:
    IP/Netmask: (select), 200.1.1.1/32
  Zone: Untrust

3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
  Network Address/Netmask: 0.0.0.0/0
  Gateway: (select)
    Interface: ethernet3
    Gateway IP address: 201.1.1.254

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), Any
  Service: ANY
  Action: Permit
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), HQ
  Service: ANY
  Action: Permit
  Position at Top: (select)
  > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
    NAT:
      Source Translation: (select)
      DIP On: (select), 5 (211.20.1.1-211.20.1.1)/X-late

CLI (Branch Office A)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 195.1.1.1/24
set interface ethernet3 route
set interface ethernet3 ext ip 211.10.1.10 255.255.255.0 dip 5 211.10.1.1 211.10.1.1

2. Address
set address untrust hq 200.1.1.1/32
3. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 195.1.1.254

4. Policies
set policy from trust to untrust any any any permit
set policy top from trust to untrust any hq any nat src dip-id 5 permit
save

CLI (Branch Office B)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 201.1.1.1/24
set interface ethernet3 route
set interface ethernet3 ext ip 211.20.1.10 255.255.255.0 dip 5 211.20.1.1 211.20.1.1

2. Address
set address untrust hq 200.1.1.1/32

3. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.1.1.254

4. Policies
set policy from trust to untrust any any any permit
set policy top from trust to untrust any hq any nat src dip-id 5 permit
save
Loopback Interface and DIP

A loopback interface is a logical interface that is always in the up state as long as the device on which it resides is up [12]. You can create a pool of dynamic IP (DIP) addresses on a loopback interface so that it can be accessed by the group of interfaces belonging to its associated loopback interface group when performing source address translation. The addresses that the NetScreen device draws from such a DIP pool are in the same subnet as the loopback interface IP address, not in the subnet of any of the member interfaces. (Note that the addresses in the DIP pool must not overlap with the interface IP address or any MIP addresses also defined on the loopback interface.)

The primary application for putting a DIP pool on a loopback interface is to translate source addresses to the same address or range of addresses although different packets might use different egress interfaces.

12. For information about loopback interfaces, see “Loopback Interfaces” on page 74.

Figure: Source Address Translation Using a DIP Pool on a Loopback Interface. Loopback interface loopback.1 (1.3.3.1/30) carries DIP pool 1.3.3.2 – 1.3.3.2; Host A (10.1.1.5) and Host B (10.1.1.6) sit behind ethernet1 (10.1.1.1/24); the egress interfaces are ethernet2 (1.1.1.1/24) and ethernet3 (1.2.2.1/24). Packets with source IP 10.1.1.5 or 10.1.1.6 and destination IP 2.2.2.2 leave with source IP 1.3.3.2. Regardless of the egress interface, the NetScreen device translates the source IP addresses to the address in the DIP pool defined on the loopback.1 interface.
Example: DIP on a Loopback Interface

In this example, the NetScreen device receives the following IP addresses for two Untrust zone interfaces from different Internet service providers (ISPs): ISP-1 and ISP-2:
• ethernet2, 1.1.1.1/24, ISP-1
• ethernet3, 1.2.2.1/24, ISP-2

You bind these interfaces to the Untrust zone and then assign them the above IP addresses. You also bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.

You want the NetScreen device to translate the source address in outbound traffic from the Trust zone to a remote office in the Untrust zone. The translated address must be the same IP address (1.3.3.2) because the remote office has a policy permitting inbound traffic only from that IP address. You have previously obtained the public IP addresses 1.3.3.1 and 1.3.3.2 and have notified both ISPs that you are using these addresses in addition to the addresses that they assign the device.

You configure a loopback interface loopback.1 with the IP address 1.3.3.1/30 and a DIP pool of 1.3.3.2 – 1.3.3.2 on that interface. The DIP pool has ID number 10. You then make ethernet1 and ethernet2 members of the loopback group for loopback.1.

You define an address for the remote office named “r-office” with IP address 2.2.2.2/32. You also define default routes for both ethernet1 and ethernet2 interfaces pointing to the routers for ISP-1 and ISP-2 respectively.

You define routes to two gateways for outbound traffic to use. Because you do not prefer one route over the other, you do not include any metrics in the routes. Outbound traffic might follow either route [13].

Finally, you create a policy applying source network address translation (NAT-src) to outbound traffic to the remote office. The policy references DIP pool ID 10.

13. To indicate a route preference, include metrics in both routes, giving your preferred route a higher metric—that is, a value closer to 1.
Figure: The NetScreen device has Loopback.1 (Untrust Zone, 1.3.3.1/30) carrying DIP Pool ID 10 (1.3.3.2 – 1.3.3.2); ethernet2 (1.1.1.1/24, gateway 1.1.1.250) to ISP-1 and ethernet3 (1.2.2.1/24, gateway 1.2.2.250) to ISP-2 in the Untrust Zone; ethernet1 (10.1.1.1/24, NAT mode) to the Trust Zone network 10.1.1.0/24; and the remote office r-office (2.2.2.2) in the Untrust Zone. The NetScreen device translates all source IP addresses in packets destined for 2.2.2.2 from 10.1.1.X to 1.3.3.2, regardless of the egress interface.

WebUI

1. Interfaces
Network > Interfaces > New Loopback IF: Enter the following, and then click OK:
  Interface Name: loopback.1
  Zone: Untrust (trust-vr)
  IP Address/Netmask: 1.3.3.1/30
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
  As member of loopback group: loopback.1
  Zone Name: Trust
  Static IP: (select this option when present)
  IP Address/Netmask: 10.1.1.1/24
  Interface Mode: NAT
Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:
  As member of loopback group: loopback.1
  Zone Name: Untrust
  Static IP: (select this option when present)
  IP Address/Netmask: 1.1.1.1/24
  Interface Mode: Route
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
  Zone Name: Untrust
  Static IP: (select this option when present)
  IP Address/Netmask: 1.2.2.1/24
  Interface Mode: Route

2. DIP Pool
Network > Interfaces > Edit (for loopback.1) > DIP > New: Enter the following, and then click OK:
  ID: 10
  IP Address Range: 1.3.3.2 ~ 1.3.3.2
  Port Translation: (select)

3. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: r-office
  IP Address/Domain Name:
    IP/Netmask: (select), 2.2.2.2/32
  Zone: Untrust
4. Routes
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
  Network Address/Netmask: 0.0.0.0/0
  Gateway: (select)
    Interface: ethernet2
    Gateway IP address: 1.1.1.250
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
  Network Address/Netmask: 0.0.0.0/0
  Gateway: (select)
    Interface: ethernet3
    Gateway IP address: 1.2.2.250

5. Policy
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), r-office
  Service: ANY
  Action: Permit
  > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
    NAT:
      Source Translation: (select)
      DIP On: (select), 10 (1.3.3.2-1.3.3.2)/port-xlate
CLI

1. Interfaces
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.3.3.1/30
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone untrust
set interface ethernet2 ip 1.1.1.1/24
set interface ethernet2 loopback-group loopback.1
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.2.2.1/24
set interface ethernet3 loopback-group loopback.1

2. DIP Pool
set interface loopback.1 dip 10 1.3.3.2 1.3.3.2

3. Address
set address untrust r-office 2.2.2.2/32

4. Routes
set vrouter trust-vr route 0.0.0.0/0 interface ethernet2 gateway 1.1.1.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.2.2.250

5. Policy
set policy from trust to untrust any r-office any nat src dip-id 10 permit
save
DIP Groups

When you group two NetScreen devices into a redundant cluster to provide high availability (HA) in an active/active configuration, both devices share the same configuration and both process traffic simultaneously. A problem can arise when you define a policy to perform network address translation (NAT) using a DIP pool located on one VSI. Because that VSI is active only on the NetScreen device acting as the master of the VSD group to which the VSI is bound, any traffic sent to the other NetScreen device—the one acting as the backup of that VSD group—cannot use that DIP pool and is dropped.

Figure: NSRP cluster of Device A (Master VSD 0, Backup VSD 1) and Device B (Master VSD 1, Backup VSD 0). Trust Zone VSIs: ethernet1 10.1.1.1/24 (VSD group 0) and ethernet1:1 10.1.1.2/24 (VSD group 1). Untrust Zone VSIs: ethernet2 1.1.1.1/24 (VSD group 0) and ethernet3:1 1.1.1.2/24 (VSD group 1), with DIP Pool ID 7 (1.1.1.101 – 1.1.1.150) defined on the VSD group 1 Untrust zone VSI.

Problematic use of a DIP pool in a policy when in an NSRP cluster: set policy name out-nat from trust to untrust any any any nat src dip-id 7 permit

Because the DIP pool is located on the Untrust zone VSI for VSD group 1 (of which Device B is the master), Device A (the backup of VSD group 1) drops traffic that it receives at ethernet1 (10.1.1.1/24) matching policy “out-nat”.
To solve this problem, you can create two DIP pools—one on the Untrust zone VSI for each VSD group—and combine the two DIP pools into one DIP group, which you reference in the policy. Each VSI uses its own DIP pool even though the policy specifies the DIP group.

Note: For more information about setting up NetScreen devices for HA, see Volume 10, “High Availability”.

Figure: The same NSRP cluster (Device A: Master VSD 0, Backup VSD 1; Device B: Master VSD 1, Backup VSD 0; Trust Zone VSIs ethernet1 10.1.1.1/24 and ethernet1:1 10.1.1.2/24; Untrust Zone VSIs ethernet3 1.1.1.1/24 and ethernet3:1 1.1.1.2/24), now with DIP Pool ID 7 (1.1.1.101 – 1.1.1.150) on the VSD group 1 Untrust zone VSI and DIP Pool ID 8 (1.1.1.151 – 1.1.1.200) on the VSD group 0 Untrust zone VSI, combined into DIP Group 9.

By combining the DIP pools located on both Untrust zone VSIs (for VSD groups 0 and 1) into one DIP group, Devices A and B can both process traffic matching policy “out-nat”, which references not an interface-specific DIP pool but the shared DIP group.

Recommended use of a DIP group in a policy when in an NSRP cluster: set policy name out-nat from trust to untrust any any any nat src dip-id 9 permit
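The drop described above is a resolution problem: the policy names a pool, but only pools on VSIs whose VSD group is master on the receiving device are usable there. The Python below is an added example, not ScreenOS code: select_dip_pool resolves a policy's dip-id (a pool or a DIP group) on one cluster member given that device's VSD roles, and demo() reproduces the two figures, with pool 7 on the VSD group 1 VSI, pool 8 on the VSD group 0 VSI, and group 9 holding both. The interface names and ranges are taken from the figures; the data layout is the model's own.

```python
from dataclasses import dataclass

# Added example (not ScreenOS code): a model of how a NAT-src policy's dip-id resolves on each
# member of an active/active NSRP cluster, showing why a single pool on one VSI drops traffic on
# the backup device and why a DIP group spanning both VSIs does not. Interface names, pool ranges
# and VSD roles are taken from the figures above; the data layout is the model's own.


@dataclass(frozen=True)
class VsiDipPool:
    pool_id: int
    vsi: str          # interface the pool is defined on, e.g. "ethernet3:1"
    vsd_group: int    # VSD group that VSI belongs to
    first: str
    last: str


def live_vsd_groups(roles):
    """VSD groups for which this device is master: only their VSIs are active on this device."""
    return {g for g, role in roles.items() if role == "master"}


def select_dip_pool(dip_id, pools, dip_groups, roles):
    """Resolve the dip-id a policy names (a pool id or a group id) on one cluster member.
    Returns the pool the device can draw from, or None when every candidate pool lives on a VSI
    whose VSD group is backup on this device, the case the text describes as dropped."""
    live = live_vsd_groups(roles)
    for pid in dip_groups.get(dip_id, [dip_id]):
        pool = pools.get(pid)
        if pool is not None and pool.vsd_group in live:
            return pool
    return None


def demo():
    pools = {7: VsiDipPool(7, "ethernet3:1", 1, "1.1.1.101", "1.1.1.150"),
             8: VsiDipPool(8, "ethernet3", 0, "1.1.1.151", "1.1.1.200")}
    dip_groups = {9: [7, 8]}
    device_a = {0: "master", 1: "backup"}
    device_b = {0: "backup", 1: "master"}

    def pick(dip_id, roles):
        return select_dip_pool(dip_id, pools, dip_groups, roles)

    return {
        "a_pool7": pick(7, device_a),              # None: Device A drops out-nat traffic
        "b_pool7": pick(7, device_b).pool_id,      # 7
        "a_group9": pick(9, device_a).pool_id,     # 8, the pool on Device A's live VSI
        "b_group9": pick(9, device_b).pool_id,     # 7
    }


if __name__ == "__main__":
    print(demo())
```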
Example: DIP Group

In this example, you provide NAT services on two NetScreen devices (Devices A and B) in an active/active HA pair.

You create two DIP pools—DIP 5 (1.1.1.20 – 1.1.1.29) on ethernet3 and DIP 6 (1.1.1.30 – 1.1.1.39) on ethernet3:1. You then combine them into a DIP group identified as DIP 7, which you reference in a policy.

The VSIs for VSD groups 0 and 1 are as follows:
• Untrust zone VSI ethernet3 1.1.1.1/24 (VSD group 0)
• Untrust zone VSI ethernet3:1 1.1.1.2/24 (VSD group 1)
• Trust zone VSI ethernet1 10.1.1.1/24 (VSD group 0)
• Trust zone VSI ethernet1:1 10.1.1.1/24 (VSD group 1)

This example assumes that you have already set up Devices A and B in an NSRP cluster, created VSD group 1 (NetScreen automatically creates VSD group 0 when you put a device in an NSRP cluster), and configured the above interfaces. (For information about configuring NetScreen devices for NSRP, refer to Volume 10, “High Availability”.)

WebUI

1. DIP Pools
Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:
  ID: 5
  IP Address Range: 1.1.1.20 – 1.1.1.29
  Port Translation: (select)
Network > Interfaces > Edit (for ethernet3:1) > DIP > New: Enter the following, and then click OK:
  ID: 6
  IP Address Range: 1.1.1.30 – 1.1.1.39
  Port Translation: (select)

Note: At the time of this release, you can only define a DIP group through the CLI.
2. Policy
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Source Address:
    Address Book Entry: (select), Any
  Destination Address:
    Address Book Entry: (select), Any
  Service: ANY
  Action: Permit
  > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
    NAT:
      Source Translation: (select)
      DIP On: (select), 7

CLI

1. DIP Pools
set interface ethernet3 dip 5 1.1.1.20 1.1.1.29
set interface ethernet3:1 dip 6 1.1.1.30 1.1.1.39

2. DIP Groups
set dip group 7 member 5
set dip group 7 member 6

3. Policy
set policy from trust to untrust any any any nat src dip-id 7 permit
save
SCHEDULES

A schedule is a configurable object that you can associate with one or more policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security.

When you define a schedule, enter values for the following parameters:

Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.
Comment: Any additional information that you want to add.
Recurring: Enable this when you want the schedule to repeat on a weekly basis.
  Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.
Once: Enable this when you want the schedule to start and end only once.
  mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.

Example: Recurring Schedule

In this example, there is a short-term employee named Tom who is using the company’s Internet access for personal pursuits after work. You create a schedule for non-business hours that you can then associate with a policy to deny outbound TCP/IP traffic from that worker’s computer (10.1.1.5/32) outside of regular business hours.

WebUI

1. Schedule
Objects > Schedules > New: Enter the following, and then click OK:
  Schedule Name: After Hours
  Comment: For non-business hours
  Recurring: (select)
  Period 1:
    Week Day     Start Time   End Time
    Sunday       00:00        23:59
    Monday       00:00        06:00
    Tuesday      00:00        06:00
    Wednesday    00:00        06:00
    Thursday     00:00        06:00
    Friday       00:00        06:00
    Saturday     00:00        23:59
  Period 2:
    Week Day     Start Time   End Time
    Sunday       17:00        23:59
    Monday       17:00        23:59
    Tuesday      17:00        23:59
    Wednesday    17:00        23:59
    Thursday     17:00        23:59
    Friday       17:00        23:59
    Saturday     17:00        23:59
2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
  Address Name: Tom
  Comment: Temp
  IP Address/Domain Name:
    IP/Netmask: (select), 10.1.1.5/32
  Zone: Trust

3. Policy
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
  Name: No Net
  Source Address:
    Address Book Entry: (select), Tom
  Destination Address:
    Address Book Entry: (select), Any
  Service: HTTP
  Action: Deny
  Schedule: After Hours
stop 23:59stop 06:00 start 17:00
stop 06:00 start 17:00
00 stop 06:00 start
0 stop 06:00 start
stop 06:00 start 17:00
0 stop 23:59 comment
ule “after hours”
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
CLI
1. Scheduleset schedule “after hours” recurrent sunday start 00:00 set schedule “after hours” recurrent monday start 00:00
stop 23:59set schedule “after hours” recurrent tuesday start 00:00
stop 23:59set schedule “after hours” recurrent wednesday start 00:
17:00 stop 23:59set schedule “after hours” recurrent thursday start 00:0
17:00 stop 23:59set schedule “after hours” recurrent friday start 00:00
stop 23:59set schedule “after hours” recurrent saturday start 00:0
“for non-business hours”
2. Addressset address trust tom 10.1.1.5/32 “temp”
3. Policyset policy from trust to untrust tom any http deny schedsave
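The following is an added example, not code from the ScreenOS manual: it parses the seven `set schedule ... recurrent` commands above into per-weekday periods and evaluates whether the "after hours" schedule, and therefore the "No Net" policy bound to it, is in effect at a given time. It assumes that period boundaries are minute-resolution and inclusive (so `stop 23:59` covers the end of the day) and that a weekday carries at most two periods, matching the WebUI's Period 1 and Period 2. Note that the policy as configured denies only HTTP; to block all outbound traffic from Tom's computer the service would have to be `any`.

```python
"""Parse ScreenOS recurrent schedule commands and test whether they are active.

Added example, not ScreenOS code.  Assumptions: start/stop are inclusive at
minute resolution, and a weekday may carry at most two periods.
"""
import re
from datetime import datetime

# Index order matches datetime.weekday(): Monday == 0 ... Sunday == 6.
DAY_NAMES = ["monday", "tuesday", "wednesday", "thursday",
             "friday", "saturday", "sunday"]

LINE_RE = re.compile(
    r'^set schedule "(?P<name>[^"]+)" recurrent (?P<day>[a-z]+) (?P<rest>.+)$')
PERIOD_RE = re.compile(r"start (\d{2}):(\d{2}) stop (\d{2}):(\d{2})")


def parse_recurrent(cli_lines):
    """Return {schedule name: {weekday index: [(start_min, stop_min), ...]}}.

    Raises ValueError for a line that is not a recurrent schedule command,
    for a stop earlier than its start, and for more than two periods per day.
    A trailing `comment "..."` is accepted and ignored."""
    schedules = {}
    for raw in cli_lines:
        m = LINE_RE.match(raw.strip())
        if m is None or m["day"] not in DAY_NAMES:
            raise ValueError(f"not a recurrent schedule line: {raw!r}")
        periods = []
        for h1, m1, h2, m2 in PERIOD_RE.findall(m["rest"]):
            start, stop = int(h1) * 60 + int(m1), int(h2) * 60 + int(m2)
            if not 0 <= start <= stop <= 23 * 60 + 59:
                raise ValueError(f"bad period in {raw!r}")
            periods.append((start, stop))
        days = schedules.setdefault(m["name"], {})
        existing = days.setdefault(DAY_NAMES.index(m["day"]), [])
        if not 1 <= len(existing) + len(periods) <= 2:
            raise ValueError(
                f"{m['day']} would have {len(existing) + len(periods)} periods")
        existing.extend(periods)
    return schedules


def schedule_active(schedule, when):
    """True when `when` (a datetime) falls inside one of that weekday's periods."""
    minute = when.hour * 60 + when.minute
    return any(start <= minute <= stop
               for start, stop in schedule.get(when.weekday(), []))


def active_at(schedule, stamp):
    """Convenience wrapper taking a "YYYY-MM-DD HH:MM" string."""
    return schedule_active(schedule, datetime.strptime(stamp, "%Y-%m-%d %H:%M"))


def scheduled_policy_action(schedule, stamp, action="deny"):
    """A policy bound to a schedule is consulted only while the schedule is
    active; outside it the packet falls through to the next policy in the
    list, which this model reports as None."""
    return action if active_at(schedule, stamp) else None


# The seven commands from the CLI section above.
AFTER_HOURS_CLI = [
    'set schedule "after hours" recurrent sunday start 00:00 stop 23:59',
    'set schedule "after hours" recurrent monday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent tuesday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent wednesday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent thursday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent friday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent saturday start 00:00 stop 23:59 comment "for non-business hours"',
]
AFTER_HOURS = parse_recurrent(AFTER_HOURS_CLI)["after hours"]

if __name__ == "__main__":
    # 2004-11-15 is a Monday; 03:00 and 17:00 are after hours, 12:00 is not.
    for stamp in ("2004-11-15 03:00", "2004-11-15 12:00", "2004-11-15 17:00"):
        print(stamp, scheduled_policy_action(AFTER_HOURS, stamp))
```

The two-period limit is enforced at parse time because it is the point where a mistyped schedule would otherwise silently widen or narrow the deny window; checking the resulting windows against a few known timestamps, as the `__main__` block does, is a cheap way to confirm a schedule before binding it to a policy.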
Chapter 6
Policies

The default behavior of a NetScreen device is to deny all traffic between security zones (interzone traffic)1 and—except for traffic within the Untrust zone—allow all traffic between interfaces bound to the same zone (intrazone traffic). To permit selected interzone traffic to cross a NetScreen device, you must create interzone policies that override the default behavior. Similarly, to prevent selected intrazone traffic from crossing a NetScreen device, you must create intrazone policies.

This chapter describes what policies do and how the various elements that comprise a policy are related. It is divided into the following sections:
• “Basic Elements” on page 299
• “Three Types of Policies” on page 300
– “Interzone Policies” on page 300
– “Intrazone Policies” on page 301
– “Global Policies” on page 301
• “Policy Set Lists” on page 302
• “Policies Defined” on page 303
– “Policies and Rules” on page 303
– “Anatomy of a Policy” on page 305
• “Policies Applied” on page 317
– “Viewing Policies” on page 317
– “Creating Policies” on page 319
– “Entering a Policy Context” on page 336
1. By default, the NetScreen-5XP and NetScreen-5XT permit traffic from the Trust zone to the Untrust zone.
– “Multiple Items per Policy Component” on page 337
– “Address Negation” on page 338
– “Modifying and Disabling Policies” on page 342
– “Policy Verification” on page 343
– “Reordering Policies” on page 344
– “Removing a Policy” on page 345

Note: If you configure multicast routing on a NetScreen device, you might have to configure multicast policies. For information about multicast policies, see “Multicast Policies” on page 6 -204.
BASIC ELEMENTS

A policy permits, denies, or tunnels2 specified types of traffic unidirectionally between two points. The type of traffic (or “service”), the location of the two endpoints, and the invoked action compose the basic elements of a policy. Although there can be other components, the required elements, which together constitute the core section of a policy, are as follows:

• Direction – The direction of traffic between two security zones (from a source zone to a destination zone)
• Source address – The address from which traffic initiates
• Destination address – The address to which traffic is sent
• Service – The type of traffic transmitted
• Action – The action that the NetScreen device performs when it receives traffic meeting the first four criteria: deny, permit, reject, or tunnel

For example, the policy stated in the following CLI command permits FTP traffic from any address in the Trust zone to an FTP server named “server1” in the Untrust zone:

set policy from trust to untrust any server1 ftp permit

• Direction: from trust to untrust (that is, from the Trust zone to the Untrust zone)
• Source Address: any (that is, any address in the Trust zone. The term “any” stands for a predefined address that applies to any address in a zone)
• Destination Address: server1 (a user-defined address in the Untrust zone address book)
• Service: ftp (File Transfer Protocol)
• Action: permit (the NetScreen device permits this traffic to traverse its firewall)

2. The “tunnel” action—(VPN or L2TP tunnel)—contains the concept of “permit” implicitly.
THREE TYPES OF POLICIES

You can control the flow of traffic through the following three kinds of policies:

• Through the creation of interzone policies, you can regulate the kind of traffic that you want to permit from one security zone to another.
• Through the creation of intrazone policies, you can also control the kind of traffic that you want to permit to cross interfaces bound to the same zone.
• Through the creation of global policies, you can regulate traffic between addresses, regardless of their security zones.

Interzone Policies

Interzone policies provide traffic control between security zones. You can set interzone policies to deny, permit, reject, or tunnel traffic from one zone to another. Using stateful inspection techniques, a NetScreen device maintains a table of active TCP sessions and active UDP “pseudo” sessions so that it can allow replies to service requests. For example, if you have a policy allowing HTTP requests from host A in the Trust zone to server B in the Untrust zone, when the NetScreen device receives HTTP replies from server B to host A, the NetScreen device checks the received packet against its table. Finding the packet to be a reply to an approved HTTP request, the NetScreen device allows the packet from server B in the Untrust zone to cross the firewall to host A in the Trust zone. To permit traffic initiated by server B to host A (not just replies to traffic initiated by host A), you must create a second policy from server B in the Untrust zone to host A in the Trust zone.

[Figure: Host A in the Trust zone sends an HTTP request through the NetScreen device to Server B in the Untrust zone, and the HTTP reply is allowed back to Host A. Policy shown: set policy from trust to untrust “host A” “server B” http permit. Note: The NetScreen device rejects an HTTP request initiated by server B because there is no policy permitting it.]
Intrazone Policies

Intrazone policies provide traffic control between interfaces bound to the same security zone. The source and destination addresses are in the same security zone, but reached via different interfaces on the NetScreen device. Like interzone policies, intrazone policies control traffic flowing unidirectionally. To allow traffic initiated at either end of a data path, you must create two policies—one policy for each direction.

Intrazone policies do not support VPN tunnels or source network address translation (NAT-src) when it is set at the interface level (set interface interface nat). However, intrazone policies do support policy-based NAT-src and NAT-dst. They also support destination address translation when the policy references a mapped IP (MIP) as the destination address. (For information about NAT-src, NAT-dst, and MIPs, see Volume 7, “Address Translation”.)

[Figure: Trust Zone with two LANs behind Layer 2 switches. Host A (10.1.1.5) on LAN 1 (10.1.1.0/24) is reached via ethernet1 (10.1.1.1/24); Server B (10.1.2.30) on LAN 2 (10.1.2.0/24) is reached via ethernet4 (10.1.2.1/24). Policies shown:
set policy from trust to trust “host A” “server B” any permit
set policy from trust to trust “server B” “host A” any permit]

Global Policies

Unlike interzone and intrazone policies, global policies do not reference specific source and destination zones. Global policies reference user-defined Global zone addresses or the predefined Global zone address “any”. These addresses can span multiple security zones. For example, if you want to provide access to or from multiple zones, you can create a global policy with the Global zone address “any”, which encompasses all addresses in all zones.

Note: At the time of this release, global policies do not support source network address translation (NAT-src), VPN tunnels, or Transparent mode. You can, however, specify a MIP or VIP as the destination address in a global policy.
POLICY SET LISTS

A NetScreen device maintains three different policy set lists, one for each of the following kinds of policies:

• Interzone policies
• Intrazone policies
• Global policies

When the NetScreen device receives a packet initiating a new session, the device notes the ingress interface, and thereby learns the source zone to which that interface is bound. The NetScreen device then performs a route lookup to determine the egress interface, and thus determines the destination zone to which that interface is bound. Using the source and destination zones, the NetScreen device can perform a policy lookup, consulting the policy set lists in the following order:

1. If the source and destination zones are different, the NetScreen device performs a policy lookup in the interzone policy set list.

(or)

If the source and destination zones are the same, the NetScreen device performs a policy lookup in the intrazone policy set list.

2. If the NetScreen device performs the interzone or intrazone policy lookup and does not find a match, the NetScreen device then checks the global policy set list for a match.

3. If the NetScreen device performs the interzone and global policy lookups and does not find a match, the NetScreen device then applies the default permit/deny policy to the packet: unset/set policy default-permit-all.

(or)

If the NetScreen device performs the intrazone and global policy lookups and does not find a match, the NetScreen device then applies the intrazone blocking setting for that zone to the packet: unset/set zone zone block.

The NetScreen device searches each policy set list from top to bottom. Therefore, you must position more specific policies above less specific policies in the list. (For information on policy order, see “Reordering Policies” on page 344.)
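The lookup order above, together with the `set policy from <zone> to <zone> <src> <dst> <service> <action>` form introduced under Basic Elements and the bidirectional intrazone pair from the Intrazone Policies figure, is modelled in the following added example. It is not ScreenOS code. The page does not show the CLI form of a global policy, so global policies are built directly with an assumed zone marker `"global"`; the address book, zones, packets and the `mailhost` address are constructed sample data.

```python
"""Model of how a NetScreen device walks its three policy set lists.

Added example, not ScreenOS code.  Global policies use the assumed marker
"global" as their zone; all addresses and packets are constructed samples.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed address book: name -> network.  Per-zone address books are
# collapsed into one dict for brevity.
ADDRESS_BOOK = {
    "tom": ipaddress.ip_network("10.1.1.5/32"),
    "host A": ipaddress.ip_network("10.1.1.5/32"),
    "server B": ipaddress.ip_network("10.1.2.30/32"),
    "mailhost": ipaddress.ip_network("192.0.2.25/32"),   # assumed Global zone entry
}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    service: str


@dataclass(frozen=True)
class Policy:
    src_zone: str   # "global" marks a global policy (assumed, not CLI syntax)
    dst_zone: str
    src: str        # address-book name or "any"
    dst: str
    service: str    # service name or "any"
    action: str     # permit | deny | reject | tunnel


POLICY_RE = re.compile(
    r'^set policy from (\S+) to (\S+) ("[^"]*"|\S+) ("[^"]*"|\S+) (\S+) '
    r'(permit|deny|reject|tunnel)\b')


def parse_policy(line):
    """Parse the basic `set policy from ... to ...` command.  Trailing options
    such as `schedule "after hours"` are accepted and ignored here."""
    m = POLICY_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unrecognised policy line: {line!r}")
    return Policy(*(g.strip('"') for g in m.groups()))


def address_matches(name, ip):
    return name == "any" or ipaddress.ip_address(ip) in ADDRESS_BOOK[name]


def policy_matches(policy, pkt):
    if policy.src_zone != "global" and \
            (policy.src_zone, policy.dst_zone) != (pkt.src_zone, pkt.dst_zone):
        return False
    return (address_matches(policy.src, pkt.src_ip)
            and address_matches(policy.dst, pkt.dst_ip)
            and policy.service in ("any", pkt.service))


def first_match(policies, pkt):
    """Each list is searched top to bottom; the first matching policy wins."""
    return next((p for p in policies if policy_matches(p, pkt)), None)


def lookup(pkt, interzone, intrazone, global_policies,
           default_permit_all=False, zone_block=frozenset()):
    """Return (action, name of the list or default that decided it)."""
    same_zone = pkt.src_zone == pkt.dst_zone
    hit = first_match(intrazone if same_zone else interzone, pkt)   # step 1
    if hit:
        return hit.action, "intrazone" if same_zone else "interzone"
    hit = first_match(global_policies, pkt)                          # step 2
    if hit:
        return hit.action, "global"
    if not same_zone:   # step 3: unset/set policy default-permit-all
        return ("permit" if default_permit_all else "deny"), "default-permit-all"
    # step 3 for intrazone traffic: unset/set zone <zone> block
    return ("deny" if pkt.src_zone in zone_block else "permit"), "zone block"


# Policies taken from the examples on this page (schedule ignored by the model).
INTERZONE = [parse_policy(line) for line in (
    'set policy from trust to untrust tom any http deny schedule "after hours"',
    'set policy from trust to untrust any any any permit',
)]
INTRAZONE = [parse_policy(line) for line in (
    'set policy from trust to trust "host A" "server B" any permit',
    'set policy from trust to trust "server B" "host A" any permit',
)]
GLOBAL = [Policy("global", "global", "mailhost", "any", "smtp", "permit")]

if __name__ == "__main__":
    tom_web = Packet("trust", "untrust", "10.1.1.5", "203.0.113.10", "http")
    print(lookup(tom_web, INTERZONE, INTRAZONE, GLOBAL))        # ('deny', 'interzone')
    print(lookup(tom_web, INTERZONE[::-1], INTRAZONE, GLOBAL))  # ('permit', 'interzone')
```

The second `print` reverses the interzone list and shows why the text insists on putting specific policies above general ones: with the catch-all permit first, the deny for Tom is never reached.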
POLICIES DEFINED

A firewall provides a network boundary with a single point of entry and exit. Because all traffic must pass through this point, you can screen and direct that traffic through the implementation of policy set lists—for interzone policies, intrazone policies, and global policies.

Policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what data can enter and exit, and when and where they can go.

Policies and Rules

A single user-defined policy produces one or more logical rules internally, and each logical rule consists of a set of components—source address, destination address, and service. The components consume memory resources. The logical rules that reference the components do not.

Depending on the use of multiple entries or groups for the source address, destination address, and service components in a policy, the number of logical rules can be much larger than is readily apparent from the creation of the single policy. For example, the following policy produces 125 logical rules:

1 policy: 5 source addresses x 5 destination addresses x 5 services = 125 logical rules

However, the NetScreen device does not duplicate components for each logical rule. The rules make use of the same set of components in various combinations. For example, the above policy that produces 125 logical rules results in only 15 components:

5 source addresses + 5 destination addresses + 5 services = 15 components

These 15 components combine in various ways to produce the 125 logical rules generated by the single policy. By allowing multiple logical rules to use the same set of components in different combinations, the NetScreen device consumes far fewer resources than if each logical rule had a one-to-one relationship with its components.

Note: For NetScreen devices that support virtual systems, policies set in the root system do not affect policies set in virtual systems.

Because the installation time of a new policy is proportional to the number of components that the NetScreen device adds, removes, or modifies, policy installation becomes faster with fewer components. Also, by allowing a large number of logical rules to share a small set of components, NetScreen allows you to create more policies—and the NetScreen device to create more rules—than would be possible if each rule required dedicated components.
Anatomy of a Policy

A policy must contain the following elements:

• ID (automatically generated, but can be user-defined in the CLI)
• Zones (source and destination)
• Addresses (source and destination)
• Services
• Action (deny, permit, reject, tunnel)

A policy can also contain the following elements:

• Application
• Name
• VPN Tunneling
• L2TP Tunneling
• Deep Inspection
• Placement at the Top of the Policy List
• Source Address Translation
• Destination Address Translation
• User Authentication
• HA Session Backup
• URL Filtering
• Logging
• Counting
• Traffic Alarm Threshold
• Schedules
• Antivirus Scanning
• Traffic Shaping

The remainder of this section examines each of the above elements in turn.

ID

Every policy has an ID number, whether you define one or the NetScreen device automatically assigns it. You can only define an ID number for a policy through the set policy command in the CLI: set policy id number … After you know the ID number, you can enter the policy context to issue further commands to modify the policy. (For more information about policy contexts, see “Entering a Policy Context” on page 336.)

Zones

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). A policy allows traffic to flow between two security zones (interzone policy) or between two interfaces bound to the same zone (intrazone policy). (For more information, see “Zones” on page 29, “Interzone Policies” on page 300, and “Intrazone Policies” on page 301.)

Addresses

Addresses are objects that identify network devices such as hosts and networks by their location in relation to the firewall—in one of the security zones. Individual hosts are specified using the mask 255.255.255.255, indicating that all 32 bits of the address are significant. Networks are specified using their subnet mask to indicate which bits are significant. To create a policy for specific addresses, you must first create entries for the relevant hosts and networks in the address book.

You can also create address groups and apply policies to them as you would to other address book entries. When using address groups as elements of policies, be aware that because the NetScreen device applies the policy to each address in the group, the number of available internal logical rules and the components that comprise those rules can become depleted more quickly than expected. This is a danger especially when you use address groups for both the source and destination. (For more information, see “Policies and Rules” on page 303.)

Services

Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. The ScreenOS includes predefined core Internet services. Additionally, you can define custom services.
You can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted.

Action

An action is an object that describes what the firewall does to the traffic it receives.

• Deny blocks the packet from traversing the firewall.
• Permit allows the packet to pass the firewall.
• Reject blocks the packet from traversing the firewall. The NetScreen device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic3 and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is “deny”.
• Tunnel encapsulates outgoing IP packets and decapsulates incoming IP packets. For an IPSec VPN tunnel, specify which VPN tunnel to use. For an L2TP tunnel, specify which L2TP tunnel to use. For L2TP-over-IPSec, specify both an IPSec VPN tunnel and an L2TP tunnel4.

Note: When the ingress interface is operating at Layer 2 or 3 and the protocol is TCP, the source IP address in the TCP RST is the destination IP address in the original (dropped) packet. When the ingress interface is operating at Layer 2 and the protocol is UDP, the source IP address in the ICMP message is also the destination IP address in the original packet. However, if the ingress interface is operating at Layer 3 and the protocol is UDP, then the source IP address in the ICMP message is that of the ingress interface.

The NetScreen device applies the specified action on traffic that matches the previously presented criteria: zones (source and destination), addresses (source and destination), and service.

3. The NetScreen device sends a TCP RST after receiving (and dropping) a TCP segment with any code bit set other than another RST.
4. For L2TP-over-IPSec, the source and destination addresses for the IPSec VPN tunnel must be the same as those for the L2TP tunnel.
Application

The application option specifies the Layer 7 application that maps to the Layer 4 service that you reference in a policy. A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an application layer gateway (ALG5) or Deep Inspection to the custom service.

Applying an ALG to a custom service involves the following two steps:

• Define a custom service with a name, timeout value, transport protocol, and source and destination ports
• When configuring a policy, reference that service and the application type for the ALG that you want to apply

For information about applying Deep Inspection to a custom service, see “Mapping Custom Services to Applications” on page 4 -173.

5. NetScreen supports ALGs for numerous services, including DNS, FTP, H.323, HTTP, RSH, SIP, telnet, and TFTP.

Name

You can give a policy a descriptive name to provide a convenient means for identifying its purpose.

Note: For information regarding ScreenOS naming conventions—which apply to the names you create for policies—see “Naming Conventions and Character Types” on page xii.

VPN Tunneling

You can apply a single policy or multiple policies to any VPN tunnel that you have configured. In the WebUI, the VPN Tunnel option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the get vpn command. (For more information, see “Site-to-Site VPNs” on page 5 -101 and “Dialup VPNs” on page 5 -231.)

When the VPN configurations at both ends of a VPN tunnel are using policy-based NAT, then the administrators of both gateway devices each need to create an inbound and an outbound policy (four policies in total). When the VPN policies constitute a matching pair (that is, everything in the inbound and outbound policy configurations is the same except that the source and destination addresses are reversed), you can configure one policy and then select the Modify matching bidirectional VPN policy check box to create a second policy automatically for the opposite direction. For the configuration of a new policy, the matching VPN policy check box is cleared by default. For the modification of an existing policy that is a member of a matching pair, the check box is selected by default, and any changes made to one policy are propagated to the other.

Note: This option is only available through the WebUI. It is not supported when there are multiple entries for any of the following policy components: source address, destination address, or service.

L2TP Tunneling

You can apply a single policy or multiple policies to any Layer 2 Tunneling Protocol (L2TP) tunnel that you have configured. In the WebUI, the L2TP option provides a drop-down list of all such tunnels. In the CLI, you can display the status of active L2TP tunnels with the get l2tp tunn_str active command, and see all available tunnels with the get l2tp all command. You can also combine a VPN tunnel and an L2TP tunnel—if both have the same endpoints—to create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec.

Note: A NetScreen device in Transparent mode does not support L2TP.

Deep Inspection

Deep Inspection is a mechanism for filtering the traffic permitted at the Network and Transport Layers by examining not only these layers but the content and protocol characteristics at the Application Layer6. The goal of Deep Inspection is the detection and prevention of any attacks or anomalous behavior that might be present in traffic that the NetScreen firewall permits.

To configure a policy for attack protection, you must make two choices: which attack group (or groups) to use and which attack action to take if an attack is detected. (For more information, see “Deep Inspection” on page 4 -131.)

6. In the Open Systems Interconnection (OSI) model, the Network Layer is Layer 3, the Transport Layer is Layer 4, and the Application Layer is Layer 7. The OSI model is a networking industry standard model of network protocol architecture. The OSI model consists of seven layers.
Placement at the Top of the Policy List

By default, NetScreen positions a newly created policy at the bottom of a policy set list. If you need to reposition the policy, you can use either of the policy reordering methods explained in “Reordering Policies” on page 344. To avoid the extra step of repositioning a newly created policy to the top of a policy set list, you can select the Position at Top option in the WebUI, or use the keyword top in the set policy command (set policy top …) in the CLI.

Source Address Translation

You can apply source address translation (NAT-src) at the policy level. With NAT-src, you can translate the source address on either incoming or outgoing network and VPN traffic. The new source address can come from either a dynamic IP (DIP) pool or the egress interface. NAT-src also supports source port address translation (PAT). To learn about all the NAT-src options that are available, see “Source Network Address Translation” on page 7 -15.

Note: You can also perform source address translation at the interface level, known as network address translation (NAT). For information about interface level NAT-src, or simply NAT, see “NAT Mode” on page 122.

Destination Address Translation

You can apply destination address translation (NAT-dst) at the policy level. With NAT-dst, you can translate the destination address on either incoming or outgoing network and VPN traffic. NAT-dst can also support destination port mapping. To learn about all the NAT-dst options that are available, see “Destination Network Address Translation” on page 7 -33.
311
/her identity by supplying a user tunnel. The NetScreen device perform the authentication
er to log on when it receives d
g traffic through the NetScreen
e destination address, the
.
uth user and the destination
ntication is required for each IP
hen after the NetScreen device e NetScreen device without
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
User Authentication Selecting this option requires the auth user at the source address to authenticate hisname and password before traffic is allowed to traverse the firewall or enter the VPNcan use the local database or an external RADIUS, SecurID, or LDAP auth server tocheck.
NetScreen provides two authentication schemes:
• Run-time authentication, in which the NetScreen device prompts an auth usHTTP, FTP or Telnet traffic matching a policy that has authentication enable
• WebAuth, in which a user must authenticate himself or herself before sendindevice
Run-Time Authentication
The run-time authentication process proceeds as follows:
1. When the auth user sends an HTTP, FTP or Telnet connection request to thNetScreen device intercepts the packet and buffers it.
2. The NetScreen device sends the auth user a login prompt.
3. The auth user responds to this prompt with his/her user name and password
4. The NetScreen device authenticates the auth user’s login information.
If the authentication is successful, a connection is established between the aaddress.
Note: If a policy requiring authentication applies to a subnet of IP addresses, autheaddress in that subnet.
If a host supports multiple auth user accounts (as with a Unix host running Telnet), tauthenticates the first user, all other users from that host can pass traffic through thbeing authenticated, having inherited the privileges of the first user.
Chapter 6 Policies Policies Defined
312
ing services: Telnet, HTTP, or tication process. You can use
ore of the three services xample, you can create a .323 services. Then, when you
e policy are valid.
server.
.
r’s login information.
auth user to initiate traffic to uth method.
ervice.
rencing Auth Users in Policies”
Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals
For the initial connection request, a policy must include one or all of the three followFTP. Only a policy with one or all of these services is capable of initiating the authenany of the following services in a policy involving user authentication:
• Any (because “any” includes all three required services)
• Telnet, or FTP, or HTTP
• A service group that includes the service or services you want, plus one or mrequired to initiate the authentication process (Telnet, FTP, or HTTP). For ecustom service group named “Login” that supports FTP, Netmeeting, and Hcreate the policy, specify “Login” as the service.
For any connection following a successful authentication, all services specified in th
Pre-Policy Check Authentication (WebAuth)
The WebAuth authentication process proceeds as follows:
1. The auth user makes an HTTP connection to the IP address of the WebAuth
2. The NetScreen device sends the auth user a login prompt.
3. The auth user responds to this prompt with his/her user name and password
4. The NetScreen device or an external auth server authenticates the auth use
If the authentication attempt is successful, the NetScreen device permits thedestinations as specified in policies that enforce authentication via the WebA
Note: A policy with authentication enabled does not support DNS (port 53) as the s
Note: For more information about these two user authentication methods, see “Refeon page 8 -42.
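The service requirement for run-time authentication, and the consequence of keying authenticated state on the source IP address (the Unix-host case above and the NAT case noted later in this section), are modelled in the following added example. It is not ScreenOS code: the outcome for an unauthenticated connection on a service that cannot trigger the prompt is an assumption of the model, and the credentials, the "Login" service group membership and the NAT address are constructed sample data.

```python
"""Which policy services can start run-time authentication, and what an
authentication table keyed on source IP implies.

Added example, not ScreenOS code.  "deny" for a non-prompting service before
login is a modelling assumption; all data below is constructed.
"""

AUTH_TRIGGERS = {"telnet", "ftp", "http"}   # the only services that can prompt

# Service group as described above: "Login" bundles FTP, NetMeeting and H.323.
SERVICE_GROUPS = {"Login": {"ftp", "netmeeting", "h.323"}}


def members(service):
    """Expand a service or service-group name into its member services."""
    return SERVICE_GROUPS.get(service, {service})


def can_initiate_auth(policy_service):
    """A policy can start the login prompt only if its service is "any", one of
    Telnet/FTP/HTTP, or a group containing at least one of them."""
    return policy_service == "any" or bool(members(policy_service) & AUTH_TRIGGERS)


def service_allowed(policy_service, service):
    return policy_service == "any" or service in members(policy_service)


class AuthTable:
    """Authenticated state is keyed on the source IP address, not on the user.

    Consequence: every later flow from that address, from any user on the host
    or from any host sharing the address behind NAT, inherits the first
    user's privileges without logging in."""

    def __init__(self, credentials):
        self._credentials = credentials      # constructed sample, not a real store
        self._authenticated = {}             # src_ip -> user name

    def login(self, src_ip, user, password):
        if self._credentials.get(user) == password:
            self._authenticated[src_ip] = user
            return True
        return False

    def check(self, src_ip, service, policy_service):
        """Outcome for a new connection under a policy with auth enabled:
        "pass" (address already authenticated; any policy service is valid),
        "prompt" (login challenge sent), or "deny" (assumed: not authenticated
        and this service cannot trigger a prompt, or not in the policy)."""
        if not service_allowed(policy_service, service):
            return "deny"
        if src_ip in self._authenticated:
            return "pass"
        if service in AUTH_TRIGGERS:
            return "prompt"
        return "deny"

    def who(self, src_ip):
        return self._authenticated.get(src_ip)


if __name__ == "__main__":
    table = AuthTable({"alice": "correct horse"})
    nat_ip = "198.51.100.7"                    # one public IP for several inside hosts
    print(table.check(nat_ip, "smtp", "any"))  # deny: smtp cannot prompt
    print(table.check(nat_ip, "http", "any"))  # prompt
    table.login(nat_ip, "alice", "correct horse")
    print(table.check(nat_ip, "smtp", "any"))  # pass, for every host behind nat_ip
```

The last `check` is the point of the exercise: once one user behind the NAT address has logged in, a different host behind the same address gets "pass" for SMTP without ever seeing a prompt, which is why per-user authorization behind shared addresses needs something other than the policy-level auth option.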
You can restrict or expand the range of auth users to which the policy applies by selecting a specific user group, local or external user, or group expression. (For information about group expressions, see “Group Expressions” on page 8 -6.) If you do not reference an auth user or user group in a policy (in the WebUI, select the Allow Any option), the policy applies to all auth users in the specified auth server.

Note: NetScreen links authentication privileges with the IP address of the host from which the auth user logs on. If the NetScreen device authenticates one user from a host behind a NAT device that uses a single IP address for all NAT assignments, then users at other hosts behind that NAT device automatically receive the same privileges.

HA Session Backup

When two NetScreen devices are in an NSRP cluster for high availability (HA), you can specify which sessions to back up and which not to back up. For traffic whose sessions you do not want backed up, apply a policy with the HA session backup option disabled. In the WebUI, clear the HA Session Backup check box. In the CLI, use the no-session-backup argument in the set policy command. By default, NetScreen devices in an NSRP cluster back up sessions.

URL Filtering

URL filtering, which is also called web filtering, enables you to manage Internet access and prevent access to inappropriate web content. When you enable URL filtering in a policy, you must configure one of the following URL filtering solutions:

• Integrated URL filtering, where the NetScreen device intercepts each HTTP request and then determines whether to permit or block access to a requested site based on the URL filtering profile bound to the firewall policy.
• Redirect URL filtering, where the NetScreen device sends the first HTTP request in a TCP connection to either a Websense server or a SurfControl server, enabling you to block or permit access to different sites based on their URLs, domain names, and IP addresses.

Note: For more information on URL filtering, see “URL Filtering” on page 4 -106.
314
Juniper Networks NetScreen Concepts & Examples - Volume 2: Fundamentals

Logging
When you enable logging in a policy, the NetScreen device logs all connections to which that particular policy applies. You can view the logs through either the WebUI or CLI. In the WebUI, click Reports > Policies > (for the policy whose log you want to see). In the CLI, use the get log traffic policy id_num command.

Note: For more information about viewing logs and graphs, see “Monitoring NetScreen Devices” on page 3 -73.

Counting
When you enable counting in a policy, the NetScreen device counts the total number of bytes of traffic to which this policy applies and records the information in historical graphs. To view the historical graphs for a policy in the WebUI, click Reports > Policies > (for the policy whose traffic count you want to see).

Traffic Alarm Threshold
You can set a threshold that triggers an alarm when the traffic permitted by the policy exceeds a specified number of bytes per second, bytes per minute, or both. Because the traffic alarm requires the NetScreen device to monitor the total number of bytes, you must also enable the counting feature.

Note: For more information about traffic alarms, see “Traffic Alarms” on page 3 -92.

Schedules
By associating a schedule with a policy, you determine when the policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security. For an example of the latter, if you were concerned about employees transmitting important data outside the company, you might set a policy that blocked outbound FTP-Put and MAIL traffic after normal business hours.

In the WebUI, define schedules in the Objects > Schedules section. In the CLI, use the set schedule command.

Note: In the WebUI, scheduled policies appear with a gray background to indicate that the current time is not within the defined schedule. When a scheduled policy becomes active, it appears with a white background.
Antivirus Scanning
Some NetScreen devices support an internal AV scanner that you can configure to filter FTP, HTTP, IMAP, POP3, and SMTP traffic. If the embedded AV scanner detects a virus, it drops the packet and sends a message reporting the virus to the client initiating the traffic.

Note: For more information about antivirus scanning, see “Antivirus Scanning” on page 4 -81.

Traffic Shaping
You can set parameters for the control and shaping of traffic for each policy. The traffic shaping parameters include:

• Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold passes with the highest priority without being subject to any traffic management or shaping mechanism.

• Maximum Bandwidth: Secured bandwidth available to the type of connection in kilobits per second (kbps). Traffic beyond this threshold is throttled and dropped.

• Traffic Priority: When traffic bandwidth falls between the guaranteed and maximum settings, the NetScreen device passes higher priority traffic first, and lower priority traffic only if there is no other higher priority traffic. There are eight priority levels.

• DiffServ Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or “marking”) traffic at a position within a hierarchy of priority. You can map the eight NetScreen priority levels to the DiffServ system. By default, the highest priority (priority 0) in the NetScreen system maps to the first three bits (111) in the DiffServ field (see RFC 2474), or the IP precedence field in the ToS byte (see RFC 1349), in the IP packet header. The lowest priority (priority 7) in the NetScreen system maps to (000) in the ToS DiffServ system.

Note: It is advised that you do not use rates less than 10 kbps. Rates below this threshold lead to dropped packets and excessive retries that defeat the purpose of traffic management.

Note: For a more detailed discussion of traffic management and shaping, see “Traffic Shaping” on page 347.
To change the mapping between the NetScreen priority levels and the DiffServ system, use the following CLI command:

set traffic-shaping ip_precedence number0 number1 number2 number3 number4 number5 number6 number7

where number0 is the mapping for priority 0 (the highest priority in the ToS DiffServ system), number1 is the mapping for priority 1, and so forth.

To subsume IP precedence into class selector codepoints—that is, to zero out the second three bits in the DiffServ field and thus ensure that priority levels you set with ip_precedence are preserved and handled correctly by downstream routers—use the following CLI command:

set traffic-shaping dscp-class-selector

Note: The set traffic-shaping dscp-class-selector command is configurable only from the CLI.
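The mapping described above, as an added example that is not part of the ScreenOS guide: a Python model of what `set traffic-shaping ip_precedence` and `dscp-class-selector` do to the IP ToS byte, so you can see what a downstream router reads for each NetScreen priority. It assumes (the guide states the bit positions, not this code) that the device overwrites only the top three bits of the ToS byte with the mapped precedence value and that `dscp-class-selector` zeroes the following three bits; the function names and the constructed incoming ToS value are illustrative, not a ScreenOS interface.

```python
# Added example, not from the ScreenOS guide: model the DiffServ marking the
# text describes. Assumptions: the device writes the mapped 3-bit value into
# the IP precedence bits (top three bits of the ToS byte, RFC 1349) and leaves
# the rest of the byte alone; `dscp-class-selector` additionally zeroes the
# next three bits, so the 6-bit DSCP (RFC 2474) becomes a class-selector
# codepoint CSn. Default map as the text gives it: priority 0 -> 111, 7 -> 000.

DEFAULT_PRECEDENCE_MAP = (7, 6, 5, 4, 3, 2, 1, 0)


def parse_ip_precedence(args: str) -> tuple:
    """Validate the eight numbers given to `set traffic-shaping ip_precedence`.
    Returns a tuple indexed by NetScreen priority (0 = highest)."""
    values = tuple(int(a) for a in args.split())
    if len(values) != 8:
        raise ValueError("ip_precedence needs one mapping per priority 0..7")
    if any(not 0 <= v <= 7 for v in values):
        raise ValueError("each mapping is a 3-bit IP precedence value 0..7")
    return values


def mark_tos(tos: int, priority: int, precedence_map=DEFAULT_PRECEDENCE_MAP,
             class_selector: bool = False) -> int:
    """Return the ToS byte after the device marks a packet of `priority`."""
    if not 0 <= priority <= 7:
        raise ValueError("NetScreen traffic priority is 0..7")
    if not 0 <= tos <= 0xFF:
        raise ValueError("ToS is one byte")
    marked = (precedence_map[priority] << 5) | (tos & 0x1F)  # top 3 bits only
    if class_selector:
        marked &= 0b11100011  # zero bits 4..2: DSCP becomes xxx000 (CSn)
    return marked


def dscp(tos: int) -> int:
    """The six-bit DiffServ codepoint carried in the top of the ToS byte."""
    return tos >> 2


def class_selector_name(tos: int):
    """'CSn' if the DSCP is a class-selector codepoint, else None."""
    code = dscp(tos)
    return f"CS{code >> 3}" if code & 0b111 == 0 else None


def marking_table(precedence_map=DEFAULT_PRECEDENCE_MAP, class_selector=False,
                  tos_in: int = 0b00011100) -> dict:
    """For each priority, the (ToS byte, DSCP) a downstream router sees when
    the packet arrived carrying `tos_in` (a constructed sample value)."""
    table = {}
    for p in range(8):
        tos = mark_tos(tos_in, p, precedence_map, class_selector)
        table[p] = (tos, dscp(tos))
    return table


if __name__ == "__main__":
    for selector in (False, True):
        for p, (tos, code) in marking_table(class_selector=selector).items():
            print(f"class_selector={selector} priority {p}: "
                  f"tos=0x{tos:02x} dscp={code} {class_selector_name(tos)}")
```

The point the table makes: without `dscp-class-selector`, whatever the host already had in the low bits of the DS field survives (a packet arriving with ToS 0x1c is marked to DSCP 63 for priority 0, which no standard PHB recognises), whereas with it the same packet leaves as CS7, a codepoint downstream routers understand.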
Chapter 6 Policies Policies Applied
POLICIES APPLIED
This section describes the management of policies: viewing, creating, modifying, ordering and reordering, and removing policies.

Viewing Policies
To view policies through the WebUI, click Policies. You can sort the displayed policies by source and destination zones by choosing zone names from the From and To drop-down lists and then clicking Go. In the CLI, use the get policy [ all | from zone to zone | global | id number ] command.

Policy Icons
When viewing a list of policies, the WebUI uses icons to provide you a graphical summary of policy components. The table below defines the different icons used in the policies page.

Icon Function | Description
Permit | The NetScreen device passes all traffic to which the policy applies.
Deny | The NetScreen device blocks all traffic to which the policy applies.
Reject | The NetScreen device blocks all traffic to which the policy applies. It drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is “deny”.
Policy-level NAT | The NetScreen device performs policy-based source or destination network address translation (NAT-src or NAT-dst) on all traffic to which the policy applies.
Encapsulation and Decapsulation | The NetScreen device encapsulates all outbound VPN traffic and decapsulates all inbound VPN traffic to which the policy applies.
Bidirectional VPN policies | A matching VPN policy exists for the opposite direction.
Authentication | The user must authenticate himself/herself when initiating a connection.
Antivirus | The NetScreen device sends all traffic to which the policy applies to its internal antivirus (AV) scanner.
Deep Inspection | The NetScreen device performs Deep Inspection (DI) on all traffic to which the policy applies.
Deep Inspection and Antivirus | The NetScreen device performs Deep Inspection and antivirus protection on all traffic to which the policy applies.
URL Filtering | The NetScreen device sends all traffic to which the policy applies to an external URL filtering server.
L2TP | The NetScreen device encapsulates all outbound L2TP traffic and decapsulates all inbound L2TP traffic to which the policy applies.
Logging | All traffic is logged and made available for syslog and e-mail, if enabled.
Counting | The NetScreen device counts (in bytes) the amount of traffic to which the policy applies.
Alarm | When the amount of traffic surpasses a threshold that you have set, the NetScreen device makes an entry in the traffic log for this policy. Clicking the icon takes you to the traffic log located in the Reports section.

Creating Policies
To allow traffic to flow between two zones, you create policies to deny, permit, reject, or tunnel traffic between those zones. You can also create policies to control traffic within the same zone if the NetScreen device is the only network device that can route the intrazone traffic between the source and destination addresses referenced in the policy. You can also create global policies, which make use of source and destination addresses in the Global zone address book.

To allow bidirectional traffic between two zones—for example, between the Trust and Untrust zones—you need to create a policy that goes from Trust to Untrust, and then create a second policy from Untrust to Trust. Depending on your needs, the policies can use the same or different IP addresses; only the source and destination addresses are reversed.

Policy Location
You can define policies between any zones that are located within the same system—root or virtual. To define a policy between the root system and a vsys, one of the zones must be a shared zone. (For information about shared zones in relation to virtual systems, see Volume 9, “Virtual Systems”.)
Example: Interzone Policies Mail Service
In this example, you create three policies to control the flow of e-mail traffic.

The first policy allows internal users in the Trust zone to send and retrieve e-mail from a local mail server in the DMZ zone. This policy permits the services MAIL (that is, SMTP) and POP3 originating from the internal users to traverse the NetScreen firewall to reach the local mail server.

The second and third policies permit the service MAIL to traverse the firewall between the local mail server in the DMZ zone and a remote mail server in the Untrust zone.

However, before creating policies to control traffic between different security zones, you must first design the environment in which to apply those policies. First, you bind interfaces to zones and assign the interfaces IP addresses:

• Bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.
• Bind ethernet2 to the DMZ zone and assign it IP address 1.2.2.1/24.
• Bind ethernet3 to the Untrust zone and assign it IP address 1.1.1.1/24.

All security zones are in the trust-vr routing domain.

Second, you create addresses for use in the policies:

• Define an address in the Trust zone named “corp_net” and assign it IP address 10.1.1.0/24.
• Define an address in the DMZ zone named “mail_svr” and assign it IP address 1.2.2.5/32.
• Define an address in the Untrust zone named “r-mail_svr” and assign it IP address 2.2.2.5/32.

Third, you create a service group named “MAIL-POP3” containing the two predefined services MAIL and POP3.

Fourth, you configure a default route in the trust-vr routing domain pointing to the external router at 1.1.1.250 through ethernet3.

After completing steps 1 – 4, you can then create the policies necessary to permit the transmission, retrieval, and delivery of e-mail in and out of your protected network.
WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Enter the following, and then click OK:
Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:
Zone Name: DMZ
Static IP: (select this option when present)
IP Address/Netmask: 1.2.2.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: corp_net
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.0/24
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: mail_svr
IP Address/Domain Name:
IP/Netmask: (select), 1.2.2.5/32
Zone: DMZ

Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: r-mail_svr
IP Address/Domain Name:
IP/Netmask: (select), 2.2.2.5/32
Zone: Untrust

3. Service Group
Objects > Services > Group: Enter the following group name, move the following services, and then click OK:
Group Name: MAIL-POP3
Select MAIL and use the << button to move the service from the Available Members column to the Group Members column.
Select POP3 and use the << button to move the service from the Available Members column to the Group Members column.

4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250
5. Policies
Policies > (From: Trust, To: DMZ) > New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), corp_net
Destination Address:
Address Book Entry: (select), mail_svr
Service: MAIL-POP3
Action: Permit

Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), mail_svr
Destination Address:
Address Book Entry: (select), r-mail_svr
Service: MAIL
Action: Permit

Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), r-mail_svr
Destination Address:
Address Book Entry: (select), mail_svr
Service: MAIL
Action: Permit
CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone dmz
set interface ethernet2 ip 1.2.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses
set address trust corp_net 10.1.1.0/24
set address dmz mail_svr 1.2.2.5/32
set address untrust r-mail_svr 2.2.2.5/32

3. Service Group
set group service MAIL-POP3
set group service MAIL-POP3 add mail
set group service MAIL-POP3 add pop3

4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies
set policy from trust to dmz corp_net mail_svr MAIL-POP3 permit
set policy from dmz to untrust mail_svr r-mail_svr MAIL permit
set policy from untrust to dmz r-mail_svr mail_svr MAIL permit
save
Example: Interzone Policy Set
A small software firm, ABC Design, has divided its internal network into two subnets, and both are in the Trust zone. These two subnets are:

• Engineering (with the defined address “Eng”)
• The rest of the company (with the defined address “Office”)

It also has a DMZ zone for its Web and mail servers.

The following example presents a typical set of policies for the following users:

• “Eng” can use all the services for outbound traffic except FTP-Put, IMAP, MAIL, and POP3.
• “Office” can use e-mail and access the Internet, provided they authenticate themselves via WebAuth. (For information about WebAuth user authentication, see “Authentication Users” on page 8 -41.)
• Everyone in the Trust zone can access the Web and mail servers in the DMZ zone.
• A remote mail server in the Untrust zone can access the local mail server in the DMZ zone.
• There is also a group of system administrators (with the user-defined address “sys-admins”) who have complete user and administrative access to the servers in the DMZ zone.

[Figure: ABC Design topology. The Trust zone (Eng. LAN and Office LAN behind an internal router) and the DMZ zone (www.abc.com and mail.abc.com) connect to the NetScreen device; the Untrust zone reaches the Internet through an external router.]
This example focuses only on policies and assumes that you have already configured the interfaces, addresses, service groups, and routes that must be in place. For more information on configuring these, see “Interfaces” on page 51, “Addresses” on page 139, “Service Groups” on page 266, and Volume 6, “Dynamic Routing”.

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Trust - Any | Untrust - Any | Com (service group: FTP-Put, IMAP, MAIL, POP3) | Reject
Trust - Eng | Untrust - Any | Any | Permit
Trust - Office | Untrust - Any | Internet (service group: FTP-Get, HTTP, HTTPS) | Permit (+ WebAuth)

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Untrust - Any | DMZ - mail.abc.com | MAIL | Permit
Untrust - Any | DMZ - www.abc.com | Web (service group: HTTP, HTTPS) | Permit

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Trust - Any | DMZ - mail.abc.com | e-mail (service group: IMAP, MAIL, POP3) | Permit
Trust - Any | DMZ - www.abc.com | Internet (service group: FTP-Get, HTTP, HTTPS) | Permit
Trust - sys-admins | DMZ - Any | Any | Permit

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
DMZ - mail.abc.com | Untrust - Any | MAIL | Permit

Note: The default policy is to deny all.
WebUI

1. From Trust, To Untrust
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Eng
Destination Address:
Address Book Entry: (select), Any
Service: ANY
Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Office
Destination Address:
Address Book Entry: (select), Any
Service: Internet
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Authentication: (select)
WebAuth: (select)

Note: “Internet” is a service group with the following members: FTP-Get, HTTP, and HTTPS.
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Any
Service: Com
Action: Reject
Position at Top: (select)

Note: “Com” is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3.

2. From Untrust, To DMZ
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), mail.abc.com
Service: MAIL
Action: Permit

Note: For traffic from the Untrust zone to the Trust zone, the default deny policy denies everything.
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), www.abc.com
Service: Web
Action: Permit

Note: “Web” is a service group with the following members: HTTP and HTTPS.

3. From Trust, To DMZ
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), mail.abc.com
Service: e-mail
Action: Permit

Note: “e-mail” is a service group with the following members: MAIL, IMAP, and POP3.
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), www.abc.com
Service: Internet
Action: Permit

Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), sys-admins
Destination Address:
Address Book Entry: (select), Any
Service: ANY
Action: Permit

4. From DMZ, To Untrust
Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), mail.abc.com
Destination Address:
Address Book Entry: (select), Any
Service: MAIL
Action: Permit
CLI

1. From Trust, To Untrust
set policy from trust to untrust eng any any permit
set policy from trust to untrust office any Internet permit webauth
set policy top from trust to untrust any any Com reject

2. From Untrust, To DMZ
set policy from untrust to dmz any mail.abc.com mail permit
set policy from untrust to dmz any www.abc.com Web permit

3. From Trust, To DMZ
set policy from trust to dmz any mail.abc.com e-mail permit
set policy from trust to dmz any www.abc.com Internet permit
set policy from trust to dmz sys-admins any any permit

4. From DMZ, To Untrust
set policy from dmz to untrust mail.abc.com any mail permit
save

Note: “Internet” is a service group with the following members: FTP-Get, HTTP, and HTTPS. “Com” is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3. “Web” is a service group with the following members: HTTP and HTTPS. “e-mail” is a service group with the following members: MAIL, IMAP, and POP3.
Example: Intrazone Policies
In this example, you create an intrazone policy to permit a group of accountants access to a confidential server on the corporate LAN in the Trust zone. You first bind ethernet1 to the Trust zone and give it IP address 10.1.1.1/24. You then bind ethernet2 to the Trust zone and assign it IP address 10.1.5.1/24. You enable intrazone blocking in the Trust zone. Next, you define two addresses—one for a server on which the company stores its financial records (10.1.1.100/32) and another for the subnet on which hosts for the accounting department are located (10.1.5.0/24). You then create an intrazone policy to permit access to the server from those hosts.

WebUI

1. Trust Zone - Interfaces and Blocking
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Select the following, and then click OK:
Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.5.1/24
Select the following, and then click OK:
Interface Mode: NAT

Network > Zones > Edit (for Trust): Enter the following, and then click OK:
Block Intra-Zone Traffic: (select)
2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Hamilton
IP Address/Domain Name:
IP/Netmask: (select), 10.1.1.100/32
Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: accounting
IP Address/Domain Name:
IP/Netmask: (select), 10.1.5.0/24
Zone: Trust

3. Policy
Policies > (From: Trust, To: Trust) > New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), accounting
Destination Address:
Address Book Entry: (select), Hamilton
Service: ANY
Action: Permit
CLI

1. Trust Zone - Interfaces and Blocking
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.5.1/24
set interface ethernet2 nat
set zone trust block

2. Addresses
set address trust Hamilton 10.1.1.100/32
set address trust accounting 10.1.5.0/24

3. Policy
set policy from trust to trust accounting Hamilton any permit
save
Example: Global Policy
In this example, you create a global policy so that every host in every zone can access the company Web site, which is www.juniper.net. Using a global policy is a convenient shortcut when there are many security zones. In this example, one global policy accomplishes what n interzone policies would have accomplished (where n = number of zones).

Note: To use a domain name instead of an IP address, be sure to have DNS service configured on the NetScreen device.

WebUI

1. Global Address
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: server1
IP Address/Domain Name:
Domain Name: (select), www.juniper.net
Zone: Global

2. Policy
Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), server1
Service: HTTP
Action: Permit
CLI

1. Global Address
set address global server1 www.juniper.net

2. Policy
set policy global any server1 http permit
save

Entering a Policy Context
When configuring a policy through the CLI, after you first create a policy, you can then enter the context of the policy to make additions and modifications. For example, perhaps you first create the following policy:

set policy id 1 from trust to untrust host1 server1 HTTP permit attack HIGH:HTTP:SIGS action close

If you want to make some changes to the policy, such as adding another source or destination address, another service, or another attack group, you can enter the context for policy 1 and then enter the pertinent commands:

set policy id 1
ns(policy:1)-> set src-address host2
ns(policy:1)-> set dst-address server2
ns(policy:1)-> set service FTP
ns(policy:1)-> set attack CRITICAL:HTTP:SIGS

You can also remove multiple items for a single policy component as long as you do not remove them all. For example, you can remove server2 from the above configuration, but not server2 and server1, because then no destination address would remain:

You can remove either server2:
ns(policy:1)-> unset dst-address server2

or you can remove server1:
ns(policy:1)-> unset dst-address server1

but you cannot remove them both:
ns(policy:1)-> unset dst-address server2
ns(policy:1)-> unset dst-address server1
Multiple Items per Policy Component
ScreenOS allows you to add multiple items to the following components of a policy:

• Source address
• Destination address
• Service
• Attack group

In pre-ScreenOS 5.0.0 releases, the only way to have multiple source and destination addresses or services is to first create an address or service group with multiple members and then reference that group in a policy. You can still use address and service groups in policies in ScreenOS 5.0.0. In addition, you can simply add extra items directly to a policy component.

To add multiple items to a policy component, do either of the following:

WebUI
To add more addresses and services, click the Multiple button next to the component to which you want to add more items. To add more attack groups, click the Attack Protection button. Select an item in the “Available Members” column, and then use the << key to move it to the “Active Members” column. You can repeat this action with other items. When finished, click OK to return to the policy configuration page.

CLI
Enter the policy context with the following command:

set policy id number

Then use one of the following commands as appropriate:

ns(policy:number)-> set src-address string
ns(policy:number)-> set dst-address string
ns(policy:number)-> set service string
ns(policy:number)-> set attack string

Note: If the first address or service referenced in a policy is “Any”, you cannot logically add anything else to it. NetScreen prevents this kind of misconfiguration and displays an error message should it occur.
Address Negation
You can configure a policy so that it applies to all addresses except the one specified as either the source or destination. For example, you might want to create a policy that permits Internet access to everyone except the “P-T_contractors” address group. To accomplish this, you can use the address negation option.

In the WebUI, this option is available on the pop-up that appears when you click the Multiple button next to either Source Address or Destination Address on the policy configuration page.

In the CLI, you insert an exclamation point ( ! ) immediately before the source or destination address.

Note: Address negation occurs at the policy component level, applying to all items in the negated component.

Example: Destination Address Negation
In this example, you create an intrazone policy that allows all addresses in the Trust zone access to all FTP servers except to an FTP server named “vulcan”, which engineering uses to post functional specifications for one another.

However, before creating the policy, you must first design the environment in which to apply it. First, you enable intrazone blocking for the Trust zone. Intrazone blocking requires a policy lookup before the NetScreen device passes traffic between two interfaces bound to the same zone.

Second, you bind two interfaces to the Trust zone and assign them IP addresses:

• You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.
• You bind ethernet4 to the Trust zone and assign it IP address 10.1.2.1/24.

Third, you create an address (10.1.2.5/32) for the FTP server named “vulcan” in the Trust zone.

After completing these three steps, you can then create the intrazone policy.

Note: You do not have to create a policy for the engineering department to reach their FTP server because the engineers are also in the 10.1.2.0/24 subnet and do not have to cross the NetScreen firewall to reach their own server.
[Figure: Trust zone with intrazone blocking enabled. ethernet1 (10.1.1.1/24) serves 10.1.1.0/24 (rest of corporate); ethernet4 (10.1.2.1/24) serves 10.1.2.0/24 (engineering), where the FTP server “vulcan” (10.1.2.5) sits; both subnets connect through internal switches.]

WebUI

1. Intrazone Blocking
Network > Zones > Edit (for Trust): Enter the following, and then click OK:
Virtual Router Name: trust-vr
Block Intra-Zone Traffic: (select)

2. Trust Zone Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.1.1/24
Select the following, and then click OK:
Interface Mode: NAT
Network > Interfaces > Edit (for ethernet4): Enter the following, and then click Apply:
Zone Name: Trust
Static IP: (select this option when present)
IP Address/Netmask: 10.1.2.1/24
Select the following, and then click OK:
Interface Mode: NAT

3. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: vulcan
IP Address/Domain Name:
IP/Netmask: (select), 10.1.2.5/32
Zone: Trust

4. Policy
Policies > (From: Trust, To: Trust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), vulcan
> Click Multiple, select the Negate Following check box, and then click OK to return to the basic policy configuration page.
Service: FTP
Action: Permit
CLI

1. Intrazone Blocking
set zone trust block

2. Trust Zone Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet4 zone trust
set interface ethernet4 ip 10.1.2.1/24
set interface ethernet4 nat

3. Address
set address trust vulcan 10.1.2.5/32

4. Policy
set policy from trust to trust any !vulcan ftp permit
save
Modifying and Disabling Policies
After you create a policy, you can always return to it to make modifications. In the WebUI, click the Edit link in the Configure column for the policy that you want to change. In the Policy configuration page that appears for that policy, make your changes, and then click OK. In the CLI, use the set policy command.

ScreenOS also provides a means for enabling and disabling policies. By default, a policy is enabled. To disable it, do the following:

WebUI
Policies: Clear the Enable check box in the Configure column for the policy that you want to disable.
The row of text for a disabled policy appears as grey.

CLI
set policy id id_num disable
save

Note: To enable the policy again, select Enable in the Configure column for the policy that you want to enable (WebUI), or type unset policy id id_num disable (CLI).
Policy Verification
ScreenOS offers a tool for verifying that the order of policies in the policy list is valid. It is possible for one policy to eclipse, or “shadow”, another policy. Consider the following example:

set policy id 1 from trust to untrust any any HTTP permit
set policy id 2 from trust to untrust any dst-A HTTP deny

Because the NetScreen device performs a policy lookup starting from the top of the list, when it finds a match for traffic received, it does not look any lower in the policy list. In the above example, the NetScreen device never reaches policy 2 because the destination address “any” in policy 1 includes the more specific “dst-A” address in policy 2. When an HTTP packet arrives at the NetScreen device from an address in the Trust zone bound for dst-A in the Untrust zone, the NetScreen device always first finds a match with policy 1.

To correct the above example, you can simply reverse the order of the policies, putting the more specific one first:

set policy id 2 from trust to untrust any dst-A HTTP deny
set policy id 1 from trust to untrust any any HTTP permit

Of course, this example is purposefully simple to illustrate the basic concept. In cases where there are dozens or hundreds of policies, the eclipsing of one policy by another might not be so easy to spot. To check if there is any policy shadowing in your policy list, you can use the following CLI command:

exec policy verify

This command reports the shadowing and shadowed policies. It is then the admin’s responsibility to correct the situation.

Note: Policy shadowing is when an earlier policy in the list eclipses a subsequent policy. Because the earlier policy already matches the same source and destination address, and service, the device finds that policy first in the list and never reaches the second one.

The policy verification tool cannot detect the case where a combination of policies shadows another policy. In the following example, no single policy shadows policy 3; however, policies 1 and 2 together do shadow it:

set group address trust grp1 add host1
set group address trust grp1 add host2
set policy id 1 from trust to untrust host1 server1 HTTP permit
set policy id 2 from trust to untrust host2 server1 HTTP permit
set policy id 3 from trust to untrust grp1 server1 HTTP deny
16. The concept of policy “shadowing” refers to the situation where a policy higher in the policy list always takes effect befpolicy lookup always uses the first policy it finds that matches the five-part tuple of source and destination zone, sourcetype, if another policy applies to the same tuple (or a subset of the tuple), the policy lookup uses the first policy in the l
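The following Python script is an added example; it is not part of the ScreenOS documentation and not a tool Juniper ships. It models the five-part policy lookup described above and reports shadowed policies for both cases in the text: the single-policy case that exec policy verify reports, and the combined case (policies 1 and 2 together covering grp1) that the tool cannot detect. It understands only the set policy id and set group address forms shown here and treats address names as opaque labels with no subnet arithmetic, so it is an offline check on configuration text, not a replacement for running exec policy verify on the device.

```python
"""Added example: offline detector for ScreenOS policy shadowing.

A policy is shadowed when every (source, destination, service) tuple it could
match is already matched by an earlier policy for the same zone pair, so the
lookup never reaches it.  Unlike `exec policy verify`, this also catches the
case where several earlier policies together cover a later one.
"""
import itertools
import re

POLICY_RE = re.compile(
    r"set policy id (\d+) from (\S+) to (\S+) (\S+) (\S+) (\S+) (permit|deny)", re.I)
GROUP_RE = re.compile(r"set group address (\S+) (\S+) add (\S+)", re.I)
ANY = "ANY"  # marker for the universal set named by the keyword `any`


def parse_config(lines):
    """Return (groups, policies): group members keyed by (zone, name); policies in list order."""
    groups, policies = {}, []
    for raw in lines:
        line = raw.strip()
        if (m := GROUP_RE.match(line)):
            groups.setdefault((m.group(1).lower(), m.group(2)), set()).add(m.group(3))
        elif (m := POLICY_RE.match(line)):
            pid, fz, tz, src, dst, svc, act = m.groups()
            policies.append((int(pid), fz.lower(), tz.lower(), src, dst, svc.upper(), act.lower()))
    return groups, policies


def expand(zone, name, groups):
    """Concrete members an address or service name stands for (ANY for `any`)."""
    if name.lower() == "any":
        return ANY
    return frozenset(groups.get((zone, name), {name}))


def covers(outer, inner):
    """True if everything matched by `inner` is also matched by `outer`."""
    if outer is ANY:
        return True
    return inner is not ANY and inner <= outer


def tuple_sets(policy, groups):
    """(source set, destination set, service set) for one parsed policy."""
    _pid, fz, tz, src, dst, svc, _act = policy
    return expand(fz, src, groups), expand(tz, dst, groups), expand(None, svc, {})


def find_shadowed(lines):
    """Map policy id -> sorted ids of the earlier policies that together shadow it."""
    groups, policies = parse_config(lines)
    shadowed = {}
    for i, pol in enumerate(policies):
        pid, fz, tz = pol[0], pol[1], pol[2]
        earlier = [p for p in policies[:i] if p[1] == fz and p[2] == tz]
        mine = tuple_sets(pol, groups)
        if ANY in mine:
            # An `any` element cannot be enumerated: only a single earlier policy
            # that is at least as broad in every element can shadow this one.
            for ep in earlier:
                if all(covers(t, m) for t, m in zip(tuple_sets(ep, groups), mine)):
                    shadowed[pid] = [ep[0]]
                    break
            continue
        shadowers = set()
        for tup in itertools.product(*mine):  # every concrete (src, dst, service)
            hit = next((ep for ep in earlier
                        if all(covers(t, {x}) for t, x in zip(tuple_sets(ep, groups), tup))),
                       None)
            if hit is None:  # this tuple still reaches the policy: not shadowed
                shadowers = None
                break
            shadowers.add(hit[0])
        if shadowers:
            shadowed[pid] = sorted(shadowers)
    return shadowed


# The two configurations from the text above.
SIMPLE = """
set policy id 1 from trust to untrust any any HTTP permit
set policy id 2 from trust to untrust any dst-A HTTP deny
""".strip().splitlines()

COMBINED = """
set group address trust grp1 add host1
set group address trust grp1 add host2
set policy id 1 from trust to untrust host1 server1 HTTP permit
set policy id 2 from trust to untrust host2 server1 HTTP permit
set policy id 3 from trust to untrust grp1 server1 HTTP deny
""".strip().splitlines()

if __name__ == "__main__":
    print(find_shadowed(SIMPLE))        # {2: [1]}
    print(find_shadowed(SIMPLE[::-1]))  # {} once the specific policy comes first
    print(find_shadowed(COMBINED))      # {3: [1, 2]}
```

Feed it the output of get config filtered to the two command forms it understands; a non-empty result names the unreachable policies and the earlier policies responsible, which is exactly what you need before reordering with set policy move.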
Reordering Policies
The NetScreen device checks all attempts to traverse the firewall against policies, beginning with the first one listed in the policy set for the appropriate list (see "Policy Set Lists" on page 302) and moving through the list. Because the NetScreen device applies the action specified in the policy to the first matching policy in the list, you must arrange them from the most specific to the most general. (Whereas a specific policy does not preclude the application of a more general policy located down the list, a general policy appearing before a specific one does.)
By default, a newly created policy appears at the bottom of a policy set list. There is an option that allows you to position a policy at the top of the list instead. In the Policy configuration page in the WebUI, select the Position at Top check box. In the CLI, add the key word top to the set policy command: set policy top …
To move a policy to a different position in the list, do either of the following:
WebUI
There are two ways to reorder policies in the WebUI: by clicking the circular arrows or by clicking the single arrow in the Configure column for the policy you want to move.
If you click the circular arrows:
A User Prompt dialog box appears.
To move the policy to the very end of the list, enter <-1>. To move it up in the list, enter the ID number of the policy above which you want to move the policy in question.
Click OK to execute the move.
If you click the single arrow:
A Policy Move page appears displaying the policy you want to move and a table displaying the other policies.
In the table displaying the other policies, the first column, Move Location, contains arrows pointing to various locations where you can move the policy. Click the arrow that points to the location in the list where you want to move the policy.
The Policy List page reappears with the policy you moved in its new position.
CLI
set policy move id_num { before | after } number
save
Removing a Policy
In addition to modifying and repositioning a policy, you can also delete it. In the WebUI, click Remove in the Configure column for the policy that you want to remove. When the system message prompts for confirmation to proceed with the removal, click Yes. In the CLI, use the unset policy id_num command.
Chapter 7
Traffic Shaping
This chapter discusses the various ways you can use your NetScreen device to manage limited bandwidth without compromising quality and availability of the network to all of your users.
The topics discussed include:
• "Applying Traffic Shaping" on page 348
– "Managing Bandwidth at the Policy Level" on page 348
• "Setting Service Priorities" on page 355
APPLYING TRAFFIC SHAPING
Traffic shaping is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed Quality of Service (QoS). You can use a NetScreen device to shape traffic by creating policies and by applying appropriate rate controls to each class of traffic going through the NetScreen device.
Managing Bandwidth at the Policy Level
To classify traffic, you create a policy which specifies the amount of guaranteed bandwidth, the maximum bandwidth, and the priority for each class of traffic. The physical bandwidth of every interface is allocated to the guaranteed bandwidth parameter for all policies. If there is any bandwidth left over, it is sharable by any other traffic. In other words, each policy gets its guaranteed bandwidth and shares whatever is left over on a priority basis (up to the limit of its maximum bandwidth specification).
The traffic shaping function applies to traffic from all policies. If you turn off traffic shaping for a specific policy, while traffic shaping is still turned on for other policies, the system applies a default traffic shaping policy to that particular policy, with the following parameters:
• Guaranteed bandwidth 0
• Unlimited maximum bandwidth
• Priority of 7 (the lowest priority setting) [1]
If you do not want the system to assign this default traffic shaping policy to policies for which you have turned off traffic shaping, then turn off traffic shaping system wide via the CLI command set traffic-shaping mode off. You can set traffic shaping to automatic: set traffic-shaping mode auto. This allows the system to turn on traffic shaping when a policy requires it, and turn off traffic shaping when policies do not require it.
Note: You can only apply traffic shaping to policies whose destination zone has a single physical interface bound to it. NetScreen does not support traffic shaping if the destination zone contains one or more subinterfaces or more than one physical interface.
1. You can enable a mapping of the NetScreen priority levels to the DiffServ Codepoint Marking system. For more information about DS Codepoint Marking, see "Traffic Shaping" on page 6-315.
Example: Traffic Shaping
In this example, you partition 45 Mbps of bandwidth on a T3 interface among three departments on the same subnet. The interface ethernet1 is bound to the Trust zone and ethernet3 is bound to the Untrust zone.
[Figure: Trust Zone (Marketing: 10 Mbps In, 10 Mbps Out; Sales: 5 Mbps In, 10 Mbps Out; Support: 5 Mbps In, 5 Mbps Out) - Router - T3 (45 Mbps) - Router - Internet (Untrust Zone); DMZ Zone: DMZ for Servers]
WebUI
1. Bandwidth on Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
Traffic Bandwidth: 45000 [2]
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Traffic Bandwidth: 45000
2. If you do not specify bandwidth settings on an interface, NetScreen uses whatever the available physical bandwidth is.
2. Bandwidth in Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Marketing Traffic Shaping
Source Address:
Address Book Entry: (select), Marketing
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
VPN Tunnel: None [3]
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 15000
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Sales Traffic Shaping Policy
Source Address:
Address Book Entry: (select), Sales
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 10000
3. You can also enable traffic shaping in policies referencing VPN tunnels.
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Support Traffic Shaping Policy
Source Address:
Address Book Entry: (select), Support
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 10000
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Allow Incoming Access to Marketing
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Marketing
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 10000
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Allow Incoming Access to Sales
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Sales
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 10000
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Allow Incoming Access to Support
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Support
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 5000
CLI
To enable traffic shaping by policy, do the following:
1. Bandwidth on Interfaces
set interface ethernet1 bandwidth 45000 [4]
set interface ethernet3 bandwidth 45000
2. Bandwidth in Policies
set policy name "Marketing Traffic Shaping" from trust to untrust marketing any any permit traffic gbw 10000 priority 0 mbw 15000
set policy name "Sales Traffic Shaping Policy" from trust to untrust sales any any permit traffic gbw 10000 priority 0 mbw 10000
set policy name "Support Traffic Shaping Policy" from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 10000
set policy name "Allow Incoming Access to Marketing" from untrust to trust any marketing any permit traffic gbw 10000 priority 0 mbw 10000
set policy name "Allow Incoming Access to Sales" from untrust to trust any sales any permit traffic gbw 5000 priority 0 mbw 10000
set policy name "Allow Incoming Access to Support" from untrust to trust any support any permit traffic gbw 5000 priority 0 mbw 5000
save
4. If you do not specify bandwidth settings on an interface, NetScreen uses whatever the available physical bandwidth is.
SETTING SERVICE PRIORITIES
The traffic shaping feature on NetScreen devices allows you to perform priority queuing on the bandwidth that is not allocated to guaranteed bandwidth, or unused guaranteed bandwidth. Priority queuing is a feature that allows all your users and applications to have access to available bandwidth as they need it, while ensuring that important traffic can get through, if necessary at the expense of less important traffic. Queuing allows NetScreen to buffer traffic in up to eight different priority queues. These eight queues are:
• High priority
• 2nd priority
• 3rd priority
• 4th priority
• 5th priority
• 6th priority
• 7th priority
• Low priority (default)
The priority setting for a policy means that the bandwidth not already guaranteed to other policies is queued on the basis of high priority first and low priority last. Policies with the same priority setting compete for bandwidth in a round robin fashion. The NetScreen device processes all of the traffic from all of the policies with high priority before processing any traffic from policies with the next lower priority setting, and so on, until all traffic requests have been processed. If traffic requests exceed available bandwidth, the lowest priority traffic is dropped.
If you do not allocate any guaranteed bandwidth, then you can use priority queuing to manage all of the traffic on your network. That is, all high priority traffic is sent before any 2nd priority traffic is sent, and so on. The NetScreen device processes low priority traffic only after all other traffic has been processed.
Caution: Be careful not to allocate more bandwidth than the interface can support. The policy configuration process does not prevent you from creating unsupported policy configurations. You can lose data if the guaranteed bandwidth on contending policies surpasses the traffic bandwidth set on the interface.
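The following Python script is an added example, not Juniper's code, for the two rules in this chapter: the guaranteed-bandwidth budget that the Caution says the device will not enforce for you, and the priority-queuing order. It parses the set interface ... bandwidth and set policy ... traffic gbw/priority/mbw lines from this chapter's own examples, flags interfaces whose guarantees add up to more than the configured bandwidth, and simulates how a fixed offered load is shared: guarantees first, then the remainder by priority (0 is high, 7 is low) with equal priorities served round-robin and every policy capped at its mbw. Assumptions made here and not stated by the manual: a policy's guarantee is charged to the interface bound to its destination zone, the zone-to-interface binding is the one in the examples (trust = ethernet1, untrust = ethernet3), and the demand figures and the oversubscribed configuration are constructed.

```python
"""Added example: guaranteed-bandwidth budget check and priority allocation.

Flags interfaces whose policy guarantees exceed the configured link (the case
the Caution warns about) and works out how egress bandwidth is shared:
guarantees first, then the leftover by priority (0 = high, 7 = low), equal
priorities round-robin, each policy capped at its maximum bandwidth.
Assumption: a guarantee is charged to the interface bound to the destination
zone, using the trust = ethernet1 / untrust = ethernet3 binding of the text.
"""
import re
from collections import defaultdict

IFACE_RE = re.compile(r"set interface (\S+) bandwidth (\d+)")
POLICY_RE = re.compile(r'set policy name "?([^"]+?)"? from (\S+) to (\S+) .*?'
                       r"traffic gbw (\d+) priority (\d+) mbw (\d+)")
ZONE_IFACE = {"trust": "ethernet1", "untrust": "ethernet3"}  # assumed binding


def parse(lines):
    """Return ({interface: kbps}, [policy dicts]) from the relevant config lines."""
    ifaces, policies = {}, []
    for raw in lines:
        line = raw.strip()
        if (m := IFACE_RE.match(line)):
            ifaces[m.group(1)] = int(m.group(2))
        elif (m := POLICY_RE.match(line)):
            name, _from_zone, to_zone, gbw, prio, mbw = m.groups()
            policies.append({"name": name, "egress": ZONE_IFACE[to_zone.lower()],
                             "gbw": int(gbw), "prio": int(prio), "mbw": int(mbw)})
    return ifaces, policies


def oversubscribed(ifaces, policies):
    """{interface: (sum of gbw, link kbps)} for links whose guarantees exceed them."""
    total = defaultdict(int)
    for p in policies:
        total[p["egress"]] += p["gbw"]
    return {i: (total[i], ifaces[i]) for i in total if i in ifaces and total[i] > ifaces[i]}


def allocate(ifaces, policies, demand):
    """kbps each policy receives when policy `name` offers `demand[name]` kbps."""
    want = {p["name"]: min(demand.get(p["name"], 0), p["mbw"]) for p in policies}
    got, by_iface = {}, defaultdict(list)
    for p in policies:
        by_iface[p["egress"]].append(p)
    for iface, plist in by_iface.items():
        pool = ifaces[iface]
        for p in plist:                       # step 1: guarantees come off the top
            got[p["name"]] = min(demand.get(p["name"], 0), p["gbw"])
            pool -= got[p["name"]]
        if pool < 0:                          # the situation the Caution describes
            raise ValueError(f"{iface}: guaranteed traffic exceeds the link by {-pool} kbps")
        for prio in sorted({p["prio"] for p in plist}):   # step 2: leftover by priority
            cls = [p for p in plist if p["prio"] == prio]
            while pool > 0:
                wanting = [p["name"] for p in cls if got[p["name"]] < want[p["name"]]]
                share = pool // len(wanting) if wanting else 0
                if share == 0:
                    break
                for name in wanting:          # one round-robin pass: equal shares, capped
                    give = min(share, want[name] - got[name])
                    got[name] += give
                    pool -= give
    return got


# Lines from this chapter's examples; the demand figures below are constructed.
PRIORITY_EXAMPLE = """
set interface ethernet1 bandwidth 40000
set interface ethernet3 bandwidth 40000
set policy name sup-out from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
set policy name sal-out from trust to untrust sales any any permit traffic gbw 2500 priority 2 mbw 40000 dscp enable
set policy name mar-out from trust to untrust marketing any any permit traffic gbw 2500 priority 3 mbw 40000 dscp enable
set policy name sup-in from untrust to trust any support any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
""".strip().splitlines()

SHAPING_EXAMPLE = """
set interface ethernet3 bandwidth 45000
set policy name "Marketing Traffic Shaping" from trust to untrust marketing any any permit traffic gbw 10000 priority 0 mbw 15000
set policy name "Sales Traffic Shaping Policy" from trust to untrust sales any any permit traffic gbw 10000 priority 0 mbw 10000
set policy name "Support Traffic Shaping Policy" from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 10000
""".strip().splitlines()

# Constructed misconfiguration: 12 Mbps guaranteed on a 10 Mbps link.
OVERSUBSCRIBED = """
set interface ethernet3 bandwidth 10000
set policy name "Eng Out" from trust to untrust eng any any permit traffic gbw 8000 priority 0 mbw 10000
set policy name "Ops Out" from trust to untrust ops any any permit traffic gbw 4000 priority 1 mbw 10000
""".strip().splitlines()

if __name__ == "__main__":
    print(allocate(*parse(PRIORITY_EXAMPLE), {"sup-out": 30000, "sal-out": 30000, "mar-out": 30000}))
    print(allocate(*parse(SHAPING_EXAMPLE), {p["name"]: 20000 for p in parse(SHAPING_EXAMPLE)[1]}))
    print(oversubscribed(*parse(OVERSUBSCRIBED)))
```

With every outbound policy of the priority-queuing example offering 30 Mbps, sup-out takes its 5 Mbps guarantee plus all it wants of the remainder, sal-out gets the 5 Mbps that is left on top of its guarantee, and mar-out is held to its 2.5 Mbps guarantee; with the all-priority-0 policies of the traffic-shaping example the leftover is split round-robin and the mbw caps bite. Run oversubscribed() against a configuration before committing it, since the device itself will not refuse a set of guarantees that exceeds the interface bandwidth.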
Example: Priority Queuing
In this example, you configure the guaranteed and maximum bandwidth for three departments (Support, Sales, and Marketing) as follows:

             Outbound Guaranteed   Inbound Guaranteed   Combined Guaranteed   Priority
Support      5*                    5                    10                    High
Sales        2.5                   3.5                  6                     2
Marketing    2.5                   1.5                  4                     3
Total        10                    10                   20
* Megabits per second (Mbps)

If all three departments send and receive traffic concurrently through the NetScreen firewall, the NetScreen device must allocate 20 Mbps of bandwidth to fulfill the guaranteed policy requirements. The interface ethernet1 is bound to the Trust zone and ethernet3 is bound to the Untrust zone.
[Figure: Trust Zone (Marketing: 2.5 Mbps Out, 1.5 Mbps In, 3rd Priority; Sales: 2.5 Mbps Out, 3.5 Mbps In, 2nd Priority; Support: 5 Mbps Out, 5 Mbps In, High Priority) - Router - T3 (45 Mbps) - Router - Internet (Untrust Zone); DMZ Zone: DMZ for Servers]
WebUI
1. Bandwidth on Interfaces
Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
Traffic Bandwidth: 40000
Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Traffic Bandwidth: 40000
2. Bandwidth in Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Sup-out
Source Address:
Address Book Entry: (select), Support
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 40000
Traffic Priority: High priority
DiffServ Codepoint Marking: (select) [5]
5. Differentiated Services (DS) is a system for tagging (or "marking") traffic at a position within a hierarchy of priority. DS Codepoint Marking maps the NetScreen priority level of the policy to the first three bits of codepoint in the DS field in the IP packet header. For more information about DS Codepoint Marking, see "Traffic Shaping" on page 315.
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Sal-out
Source Address:
Address Book Entry: (select), Sales
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 2500
Maximum Bandwidth: 40000
Traffic Priority: 2nd priority
DiffServ Codepoint Marking: Enable
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Name: Mar-out
Source Address:
Address Book Entry: (select), Marketing
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 2500
Maximum Bandwidth: 40000
Traffic Priority: 3rd priority
DiffServ Codepoint Marking: (select)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Sup-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Support
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 40000
Traffic Priority: High priority
DiffServ Codepoint Marking: (select)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Sal-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Sales
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 3500
Maximum Bandwidth: 40000
Traffic Priority: 2nd priority
DiffServ Codepoint Marking: (select)
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:
Name: Mar-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Marketing
Service: Any
Action: Permit
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Traffic Shaping: (select)
Guaranteed Bandwidth: 1500
Maximum Bandwidth: 40000
Traffic Priority: 3rd priority
DiffServ Codepoint Marking: (select)
CLI
1. Bandwidth on Interfaces
set interface ethernet1 bandwidth 40000
set interface ethernet3 bandwidth 40000
2. Bandwidth in Policies
set policy name sup-out from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
set policy name sal-out from trust to untrust sales any any permit traffic gbw 2500 priority 2 mbw 40000 dscp enable
set policy name mar-out from trust to untrust marketing any any permit traffic gbw 2500 priority 3 mbw 40000 dscp enable
set policy name sup-in from untrust to trust any support any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
set policy name sal-in from untrust to trust any sales any permit traffic gbw 3500 priority 2 mbw 40000 dscp enable
set policy name mar-in from untrust to trust any marketing any permit traffic gbw 1500 priority 3 mbw 40000 dscp enable
save
Chapter 8
System Parameters
This chapter focuses on the concepts involved in establishing system parameters affecting the following areas of a NetScreen security appliance:
• "Domain Name System Support" on page 365
– "DNS Lookup" on page 366
– "DNS Status Table" on page 367
– "Dynamic DNS" on page 370
– "Proxy DNS Address Splitting" on page 373
• "DHCP" on page 376
– "DHCP Server" on page 378
– "DHCP Relay Agent" on page 388
– "DHCP Client" on page 394
– "TCP/IP Settings Propagation" on page 396
• "PPPoE" on page 399
– "Multiple PPPoE Sessions over a Single Interface" on page 405
– "PPPoE and High Availability" on page 410
• "Upgrading and Downgrading Firmware" on page 411
– "Requirements to Upgrade and Downgrade Device Firmware" on page 412
– "Downloading New Firmware" on page 413
– "Upgrading NetScreen Devices in an NSRP Configuration" on page 420
– "Authenticating Firmware and DI Files" on page 431
• "Downloading and Uploading Configurations" on page 435
– "Saving and Importing Configurations" on page 435
– "Configuration Rollback" on page 437
– "Locking the Configuration File" on page 440
• "Setting NetScreen-Security Manager Bulk-CLI" on page 443
• "License Keys" on page 444
• "Registration and Activation of Subscription Services" on page 446
– "Temporary Service" on page 446
– "AV, URL Filtering, and DI Bundled with a New Device" on page 447
– "AV, URL Filtering, and DI Upgrade to an Existing Device" on page 448
– "DI Upgrade Only" on page 449
• "System Clock" on page 450
– "Date and Time" on page 450
– "Time Zone" on page 450
– "NTP" on page 451
DOMAIN NAME SYSTEM SUPPORT
The NetScreen device incorporates Domain Name System (DNS) support allowing you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name (such as www.juniper.net) in addition to using the routable IP address, which for www.juniper.net is 207.17.137.68. DNS translation is supported in all the following programs:
• Address Book
• Syslog
• WebTrends
• Websense
• LDAP
• SecurID
• RADIUS
• NetScreen Security Manager
Before you can use DNS for domain name/address resolution, you must enter the addresses for DNS servers (the primary and secondary DNS servers) in the NetScreen device.
Note: When enabling the NetScreen device as a Dynamic Host Configuration Protocol (DHCP) server (see "DHCP" on page 376), you must also enter the IP addresses for DNS servers in the DHCP page on the WebUI or through the set interface interface dhcp command in the CLI.
DNS Lookup
The NetScreen device refreshes all the entries in its DNS table by checking them with a specified DNS server at the following times:
• After an HA failover occurs
• At a regularly scheduled time of day and at regularly scheduled intervals throughout the day
• When you manually command the device to perform a DNS lookup
– WebUI: Network > DNS: Click Refresh DNS cache.
– CLI: exec dns refresh
In addition to the existing method of setting a time for a daily automatic refresh of the DNS table, you can also define an interval of time from 4 hours to 24 hours.
When the NetScreen device connects to the DNS server to resolve a domain name/IP address mapping, it stores that entry in its DNS status table. The following list contains some of the details involved in a DNS lookup:
• When a DNS lookup returns multiple entries, the address book accepts all entries. The other programs listed on page 365 accept only the first one.
• The NetScreen device reinstalls all policies if it finds that anything in the domain name table has changed when you refresh a lookup using the Refresh button in the WebUI or enter the exec dns refresh CLI command.
• If a DNS server fails, the NetScreen device looks up everything again.
• If a lookup fails, the NetScreen device removes it from the cache table.
• If the domain name lookup fails when adding addresses to the address book, the NetScreen device displays an error message stating that you have successfully added the address but the DNS name lookup failed.
Note: When you add a fully-qualified domain name (FQDN) such as an address or IKE gateway through the WebUI, the NetScreen device resolves it when you click Apply or OK. When you type a CLI command that references an FQDN, the NetScreen device attempts to resolve it when you enter it.
The NetScreen device must do a new lookup once a day, which you can schedule the NetScreen device to do at a specified time:
WebUI
Network > DNS: Enter the following, and then click Apply:
DNS refresh every day at: Select check box and enter time <hh:mm>
CLI
set dns host schedule time_str
save
DNS Status Table
The DNS status table reports all the domain names looked up, their corresponding IP addresses, whether the lookup was successful, and when each domain name/IP address was last resolved. The report format looks like the example below:

Name             IP Address                                                  Status    Last Lookup
www.yahoo.com    204.71.200.74 204.71.200.75 204.71.200.67 204.71.200.68     Success   8/13/2000 16:45:33
www.hotbot.com   209.185.151.28 209.185.151.210 216.32.228.18                Success   8/13/2000 16:45:38
To view the DNS status table, do either of the following:
WebUI
Network > DNS > Show DNS Table
CLI
get dns host report
Example: DNS Server and Refresh Schedule
To implement DNS functionality, the IP addresses for the DNS servers at 24.1.64.38 and 24.0.0.3 are entered in the NetScreen device, protecting a single host in a home office. The NetScreen device is scheduled to refresh the DNS settings stored in its DNS status table every day at 11:00 P.M.
[Figure: Trust Zone - NetScreen device - Untrust Zone - Internet - Primary DNS Server 24.0.0.3, Secondary DNS Server 24.1.64.38]
WebUI
Network > DNS: Enter the following, and then click Apply:
Primary DNS Server: 24.0.0.3
Secondary DNS Server: 24.1.64.38
DNS Refresh: (select)
Every Day at: 23:00
CLI
set dns host dns1 24.0.0.3
set dns host dns2 24.1.64.38
set dns host schedule 23:00
save
Example: Setting a DNS Refresh Interval
In this example, you configure the NetScreen device to refresh its DNS table every 4 hours beginning at 12:01 AM every day.
WebUI
Network > DNS: Enter the following, and then click Apply :
DNS Refresh: (select)
Every Day at: 12:01
Interval: 4
CLI
set dns host schedule 12:01 interval 4save
Dynamic DNS
Dynamic DNS (DDNS) is a mechanism that allows clients to dynamically update IP addresses for registered domain names. This update is useful when an ISP uses PPP, DHCP, or XAuth to dynamically change the IP address for a CPE router (such as a NetScreen device) that protects a web server. Thus, clients from the internet can access the web server using a domain name, even if the IP address of the CPE router previously changed. This change is made possible by a DDNS server such as dyndns.org or ddo.jp, which contains the dynamically-changed addresses and their associated domain names. The CPE updates the DDNS servers with this information, periodically or in response to IP address changes.
[Figure: Trust Zone: Web Server www.my_host.com - NetScreen Device (CPE Router), interface ethernet7 - Internet - DDNS Server (dyndns.org or ddo.jp); Client. Note: The Untrust zone is not shown.]
To use DDNS, create an account (username and password) on the DDNS server. The server uses this account information to configure the client device.
In the diagram shown above, it is possible that the IP address for interface ethernet7 might change. When a change happens, the client can still access the protected Web server using the host name (www.my_host.com), either through the dyndns.org server or the ddo.jp server. Each of these servers requires somewhat different configurations on the NetScreen device.
Example: DDNS Setup for dyndns Server
In the following example, you configure a NetScreen device for DDNS operation. The device uses the dyndns.org server to resolve changed addresses. For this server, you specify the protected host using the Host Name setting, which explicitly binds to the DNS interface (ethernet7); therefore, when the device sends an update to the dyndns.org server, it associates the Host Name with the IP address of the interface.
WebUI
Network > DNS > DDNS > New: Enter the following, and then click OK:
ID: 12
Server Settings
Server Type: dyndns
Server Name: dyndns.org
Refresh Interval: 24
Minimum Update Interval: 15 [1]
Account Settings
Username: swordfish
Password: ad93lvb
Bind to Interface: ethernet7
Host Name: www.my_host.com
1. This setting specifies the minimum time interval (expressed in minutes) between DDNS updates. The default is 10 minutes, and the allowable range is 1-1440. In some cases, the device might not update the interval because the DNS server first needs to time out the DNS entry from its cache. In addition, if you set the Minimum Update Interval to a very low value, then the DDNS server might lock you out; therefore, the recommended value is 10 minutes or more.
372
CLI
set dns ddns
set dns ddns enable
set dns ddns id 12 server dyndns.org server-type dyndns refresh-interval 24 minimum-update-interval 15
set dns ddns id 12 src-interface ethernet7 host-name www.my_host.com
set dns ddns id 12 username swordfish password ad93lvb
save
Example: DDNS Setup for ddo Server
In the following example, you configure a NetScreen device for DDNS. The device uses the ddo.jp server to resolve addresses. For the ddo.jp server, you specify the protected host FQDN as the Username for the DDNS entry, instead of specifying the protected host using the Host Name setting. The service automatically derives the host name from the Username value. For example, the ddo.jp server translates a user name of my_host to my_host.ddo.jp. Make sure that the registered domain name on ddo.jp matches the derived DNS name.
WebUI
Network > DNS > DDNS > New: Enter the following, and then click OK:
ID: 25
Server Settings
Server Type: ddo
Server Name: ddo.jp
Refresh Interval: 24
Minimum Update Interval: 15
Account Settings
Username: my_host
Password: ad93lvb
Bind to Interface: ethernet7
CLI
set dns ddns
set dns ddns enable
set dns ddns id 25 server ddo.jp server-type ddo refresh-interval 24 minimum-update-interval 15
set dns ddns id 25 src-interface ethernet7
set dns ddns id 25 username my_host password ad93lvb
save
Proxy DNS Address Splitting
The proxy DNS feature provides a transparent mechanism that allows clients to make split DNS queries. Using this technique, the proxy selectively redirects the DNS queries to specific DNS servers, according to partial or complete domain names. This is useful when VPN tunnels or PPPoE virtual links provide multiple network connectivity, and it is necessary to direct some DNS queries to one network, and other queries to another network.
The most important advantages of a DNS proxy are as follows.
• Domain lookups are usually more efficient. For example, DNS queries meant for the corporate domain (such as acme.com) could go to the corporate DNS server exclusively, while all others go to the ISP DNS server, thus reducing the load on the corporate server. In addition, this can prevent corporate domain information from leaking into the Internet.
• DNS proxy allows you to transmit selected DNS queries through a tunnel interface, thus preventing malicious users from learning about internal network configuration. For example, DNS queries bound for the corporate server can pass through a tunnel interface, and use security features such as authentication, encryption, and anti-replay.
[Figure: split DNS. Queries for acme.com and acme_eng.com go out through tunnel.1 to the corporate DNS servers (2.1.1.21 and 2.1.1.34); all other queries go out through ethernet3 to the ISP DNS server (1.1.1.23).]
Example: Splitting DNS Requests
The following commands create three proxy-DNS entries that selectively forward DNS queries to different servers.
• Any DNS query with a FQDN containing the domain name acme.com goes out through tunnel interface tunnel.1 to the corporate DNS server at IP address 2.1.1.21.
For example, if a host sends a DNS query for www.acme.com, the device automatically directs the query to this server. (For this example, assume that the server resolves the query to IP address 3.1.1.2.)
• Any DNS query with a FQDN containing the domain name acme_eng.com goes out through tunnel interface tunnel.1 to the DNS server at IP address 2.1.1.34.
For example, if a host sends a DNS query for intranet.acme_eng.com, the device directs the query to this server. (For this example, assume that the server resolves the query to IP address 3.1.1.5.)
• All other DNS queries (denoted by an asterisk) bypass the corporate servers and go out through interface ethernet3 to the DNS server at IP address 1.1.1.23.
For example, if the host and domain name is www.juniper.net, the device automatically bypasses the corporate servers and directs the query to this server, which resolves the query to IP address 207.17.137.68.
WebUI
1. Network > DNS > Proxy: Enter the following, and then click Apply:
Initialize DNS Proxy: Enable
Enable DNS Proxy: Enable
2. Network > DNS > Proxy > New: Enter the following, and then click OK:
Domain Name: acme.com
Outgoing Interface: tunnel.1
Primary DNS Server: 2.1.1.21
3. Network > DNS > Proxy > New: Enter the following, and then click OK:
Domain Name: acme_eng.com
Outgoing Interface: tunnel.1
Primary DNS Server: 2.1.1.34
4. Network > DNS > Proxy > New: Enter the following, and then click OK:
Domain Name: *
Outgoing Interface: ethernet3
Primary DNS Server: 1.1.1.23
CLI
set dns proxy
set dns proxy enable
set interface ethernet3 proxy dns
set dns server-select domain acme.com outgoing-interface tunnel.1 primary-server 2.1.1.21
set dns server-select domain acme_eng.com outgoing-interface tunnel.1 primary-server 2.1.1.34
set dns server-select domain * outgoing-interface ethernet3 primary-server 1.1.1.23
save
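The selection rule that the three entries above express, as an added example written for this page in Python. It is not ScreenOS code and makes no claim about the device's internal matching algorithm; the rule it implements is an assumption about how split DNS should behave: a query goes to the entry whose domain is a whole-label suffix of the queried name, the most specific entry wins, and the * entry is used only when nothing else matches. The substring matcher at the end is there to show why a literal reading of "FQDN containing the domain name" would misroute queries.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ProxyEntry:
    domain: str              # "acme.com", "acme_eng.com" or "*" for the catch-all
    outgoing_interface: str  # "tunnel.1" or "ethernet3"
    primary_server: str      # DNS server that receives the forwarded query


# The three server-select entries from the example, in configuration order.
PROXY_TABLE: List[ProxyEntry] = [
    ProxyEntry("acme.com", "tunnel.1", "2.1.1.21"),
    ProxyEntry("acme_eng.com", "tunnel.1", "2.1.1.34"),
    ProxyEntry("*", "ethernet3", "1.1.1.23"),
]


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def matches(domain: str, fqdn: str) -> bool:
    """True when fqdn is the domain itself or a name underneath it.

    Matching is done on whole labels (an assumption for this example, not a
    statement about ScreenOS): 'acme.com' matches 'www.acme.com' but not
    'notacme.com' and not 'www.acme.com.evil.example'."""
    if domain == "*":
        return True
    d, f = _labels(domain), _labels(fqdn)
    return len(f) >= len(d) and f[-len(d):] == d


def select_server(fqdn: str, table: List[ProxyEntry] = PROXY_TABLE) -> Optional[ProxyEntry]:
    """Return the most specific matching entry (most labels); '*' counts as
    zero labels, so it is chosen only when no real domain matches."""
    best: Optional[ProxyEntry] = None
    best_size = -1
    for entry in table:
        if matches(entry.domain, fqdn):
            size = 0 if entry.domain == "*" else len(_labels(entry.domain))
            if size > best_size:
                best, best_size = entry, size
    return best


def naive_substring_select(fqdn: str, table: List[ProxyEntry] = PROXY_TABLE) -> Optional[ProxyEntry]:
    """A literal 'FQDN contains the domain string' rule, first match wins.
    Kept only to show the misrouting it causes; do not use it."""
    for entry in table:
        if entry.domain == "*" or entry.domain in fqdn.lower():
            return entry
    return None


if __name__ == "__main__":
    for name in ("www.acme.com", "intranet.acme_eng.com", "www.juniper.net",
                 "notacme.com", "www.acme.com.evil.example"):
        good, bad = select_server(name), naive_substring_select(name)
        print("%-28s -> %s via %s   (substring rule: %s)" % (
            name, good.primary_server, good.outgoing_interface, bad.primary_server))
```

With the substring rule, notacme.com and www.acme.com.evil.example (a name an outsider can register) are both sent into the corporate tunnel, which is the opposite of the isolation the proxy is meant to provide; the label-suffix rule sends them to the ISP resolver.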
DHCP
Dynamic Host Configuration Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected.
Different NetScreen devices support different DHCP roles:
• DHCP Client: Some NetScreen devices can act as DHCP clients, receiving a dynamically assigned IP address for any physical interface in any zone.
• DHCP Server: Some NetScreen devices can also act as DHCP servers, allocating dynamic IP addresses to hosts (acting as DHCP clients) on any physical or VLAN interface in any zone.
• DHCP Relay Agent: Some NetScreen devices can also act as DHCP relay agents, receiving DHCP information from a DHCP server and relaying that information to hosts on any physical or VLAN interface in any zone.
• DHCP Client/Server/Relay Agent: Some NetScreen devices can simultaneously act as a DHCP client, server, and relay agent. Note that you can only configure one DHCP role on a single interface. For example, you cannot configure the DHCP client and server on the same interface. Optionally, you can configure the DHCP client module to forward TCP/IP settings that it receives to the DHCP server module, for use when providing TCP/IP settings to hosts in the Trust zone acting as DHCP clients.
Note: While using the DHCP server module to assign addresses to hosts such as workstations in a zone, you can still use fixed IP addresses for other machines such as mail servers and WINS servers.
DHCP consists of two components: a protocol for delivering host-specific TCP/IP configuration settings and a mechanism for allocating IP addresses. When the NetScreen device acts as a DHCP server, it provides the following TCP/IP settings to each host when that host boots up:
• Default gateway IP address and netmask. If you leave these settings as 0.0.0.0/0, the DHCP server module automatically uses the IP address and netmask of the default Trust zone interface (see note 2).
• The IP addresses of the following servers (see note 3):
– WINS servers (2): A Windows Internet Naming Service (WINS) server maps a NetBIOS name used in a Windows NT network environment to an IP address used on an IP-based network.
– NetInfo servers (2): NetInfo is an Apple network service used for the distribution of administrative data within a LAN.
– NetInfo tag (1): The identifying tag used by the Apple NetInfo database.
– DNS servers (3): A Domain Name System (DNS) server maps a domain name to an IP address.
– SMTP server (1): A Simple Mail Transfer Protocol (SMTP) server delivers SMTP messages to a mail server, such as a POP3 server, which stores the incoming mail.
– POP3 server (1): A Post Office Protocol version 3 (POP3) server stores incoming mail. A POP3 server must work conjointly with an SMTP server.
– News server (1): A news server receives and stores postings for newsgroups.
2. On devices that can have multiple interfaces bound to the Trust zone, the default interface is the first interface bound to that zone and assigned an IP address.
3. The number in parentheses indicates the number of servers supported.
Note: If a DHCP client to which the NetScreen device is passing the above parameters has a specified IP address, that address overrides all the dynamic information received from the DHCP server.
DHCP Server
A NetScreen appliance can support up to eight DHCP servers on any physical or VLAN interface in any zone. When acting as a DHCP server, a NetScreen device allocates IP addresses and subnet masks in two modes:
• In Dynamic mode, the NetScreen device, acting as a DHCP server, assigns (or “leases”) an IP address from an address pool (see note 4) to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. (To define an unlimited lease period, enter 0.)
• In Reserved mode, the NetScreen device assigns a designated IP address from an address pool exclusively to a specific client every time that client goes online.
Example: NetScreen Device as DHCP Server
Using DHCP, the 172.16.10.0/24 network in the Trust zone is sectioned into three IP address pools:
• 172.16.10.10 through 172.16.10.19
• 172.16.10.120 through 172.16.10.129
• 172.16.10.210 through 172.16.10.219
The DHCP server assigns all IP addresses dynamically, except for two workstations with reserved IP addresses and four servers that have static IP addresses. The interface ethernet1 is bound to the Trust zone, has IP address 172.16.10.1/24, and is in NAT mode. The domain name is dynamic.com.
4. An address pool is a defined range of IP addresses within the same subnet from which the NetScreen device can draw DHCP address assignments. You can group up to 255 IP addresses.
Note: The NetScreen device saves every IP address assigned through DHCP in flash memory. Consequently, rebooting the NetScreen device does not affect address assignments.
[Figure: Trust zone LAN 172.16.10.0/24 behind ethernet1 (172.16.10.1/24, NAT mode). Address pools 172.16.10.10 through 172.16.10.19, 172.16.10.120 through 172.16.10.129 and 172.16.10.210 through 172.16.10.219; reserved IPs 172.16.10.11 (MAC 12:34:ab:cd:56:78) and 172.16.10.112 (MAC ab:cd:12:34:ef:gh); fixed IPs for the SMTP and POP3 servers (172.16.10.25 and 172.16.10.110) and for the DNS servers (172.16.10.240 and 172.16.10.241).]
WebUI
1. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: DNS#1
Comment: Primary DNS Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.240/32
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: DNS#2
Comment: Secondary DNS Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.241/32
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: SMTP
Comment: SMTP Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.25/32
Zone: Trust
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: POP3
Comment: POP3 Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.110/32
Zone: Trust
2. DHCP Server
Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click Apply (see note 5):
Lease: Unlimited (select)
WINS#1: 0.0.0.0
DNS#1: 172.16.10.240
> Advanced Options: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
WINS#2: 0.0.0.0
DNS#2: 172.16.10.241
DNS#3: 0.0.0.0
SMTP: 172.16.10.25
POP3: 172.16.10.110
NEWS: 0.0.0.0
NetInfo Server #1: 0.0.0.0
NetInfo Server #2: 0.0.0.0
NetInfo Tag: (leave field empty)
Domain Name: dynamic.com
> Addresses > New: Enter the following, and then click OK:
Dynamic: (select)
IP Address Start: 172.16.10.10
IP Address End: 172.16.10.19
5. If you leave the Gateway and Netmask fields as 0.0.0.0, the DHCP server module sends the IP address and netmask set for ethernet1 to its clients (172.16.10.1 and 255.255.255.0 in this example). However, if you enable the DHCP client module to forward TCP/IP settings to the DHCP server module (see “TCP/IP Settings Propagation” on page 396), then you must manually enter 172.16.10.1 and 255.255.255.0 in the Gateway and Netmask fields.
> Addresses > New: Enter the following, and then click OK:
Dynamic: (select)
IP Address Start: 172.16.10.120
IP Address End: 172.16.10.129
> Addresses > New: Enter the following, and then click OK:
Dynamic: (select)
IP Address Start: 172.16.10.210
IP Address End: 172.16.10.219
> Addresses > New: Enter the following, and then click OK:
Reserved: (select)
IP Address: 172.16.10.11
Ethernet Address: 1234 abcd 5678
> Addresses > New: Enter the following, and then click OK:
Reserved: (select)
IP Address: 172.16.10.112
Ethernet Address: abcd 1234 efgh
Note: The second Ethernet address is a placeholder from the original example; “g” and “h” are not hexadecimal digits, so substitute the real MAC address of the workstation when you enter the reservation.
CLI
1. Addresses
set address trust dns1 172.16.10.240/32 “primary dns server”
set address trust dns2 172.16.10.241/32 “secondary dns server”
set address trust smtp 172.16.10.25/32 “smtp server”
set address trust pop3 172.16.10.110/32 “pop3 server”
2. DHCP Server (see note 6)
set interface ethernet1 dhcp server option domainname dynamic.com
set interface ethernet1 dhcp server option lease 0
set interface ethernet1 dhcp server option dns1 172.16.10.240
set interface ethernet1 dhcp server option dns2 172.16.10.241
set interface ethernet1 dhcp server option smtp 172.16.10.25
set interface ethernet1 dhcp server option pop3 172.16.10.110
set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19
set interface ethernet1 dhcp server ip 172.16.10.120 to 172.16.10.129
set interface ethernet1 dhcp server ip 172.16.10.210 to 172.16.10.219
set interface ethernet1 dhcp server ip 172.16.10.11 mac 1234abcd5678
set interface ethernet1 dhcp server ip 172.16.10.112 mac abcd1234efgh
set interface ethernet1 dhcp server service
save
6. If you do not set an IP address for the gateway or a netmask, the DHCP server module sends its clients the IP address and netmask for ethernet1 (172.16.10.1 and 255.255.255.0 in this example). However, if you enable the DHCP client module to forward TCP/IP settings to the DHCP server module (see “TCP/IP Settings Propagation” on page 396), then you must manually set these options: set interface ethernet1 dhcp server option gateway 172.16.10.1 and set interface ethernet1 dhcp server option netmask 255.255.255.0.
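How the three pools and the reservations above interact, as an added example written for this page in Python. It is not ScreenOS code, and because the guide does not describe the device's allocator, the rules are stated as assumptions: a client whose MAC has a reservation always gets that address; any other client gets the lowest free pool address and keeps it; a reserved address that lies inside a pool (172.16.10.11 sits in 172.16.10.10 through 172.16.10.19) is never handed out dynamically; and assignments survive a restart through a snapshot, as the note about flash memory implies. The sample MACs other than the reservation are constructed.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# The pools and the one usable reservation from the example above. The
# second reservation in the guide, ab:cd:12:34:ef:gh, is not a MAC address
# ("g" and "h" are not hex digits) and is rejected by the validator below.
POOLS = [("172.16.10.10", "172.16.10.19"),
         ("172.16.10.120", "172.16.10.129"),
         ("172.16.10.210", "172.16.10.219")]
RESERVATIONS = {"12:34:ab:cd:56:78": "172.16.10.11"}


def normalize_mac(mac: str) -> str:
    """Accept 12:34:ab:cd:56:78, 1234 abcd 5678 or 1234abcd5678 (the three
    spellings used on this page) and return twelve lower-case hex digits."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(" ", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return digits


def is_mac(mac: str) -> bool:
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


class DhcpAllocator:
    """Dynamic pools plus MAC-keyed reservations on one interface (assumed
    rules, see the lead-in): reservations win over pools, the lowest free
    pool address goes out first, a reserved address is never given to
    another client even when it lies inside a pool."""

    def __init__(self, pools: List[Tuple[str, str]], reservations: Dict[str, str]):
        self.pools = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)) for lo, hi in pools]
        for lo, hi in self.pools:
            if lo > hi or int(hi) - int(lo) + 1 > 255:   # pool size limit from note 4
                raise ValueError("pool %s-%s is empty or larger than 255 addresses" % (lo, hi))
        self.reservations = {normalize_mac(m): ipaddress.IPv4Address(ip)
                             for m, ip in reservations.items()}
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def _free(self, addr: ipaddress.IPv4Address) -> bool:
        return addr not in self.leases.values() and addr not in self.reservations.values()

    def allocate(self, mac: str) -> Optional[str]:
        """Reserved mode for a known MAC, Dynamic mode otherwise; None when
        every pool address is taken. A client keeps the lease it already has."""
        key = normalize_mac(mac)
        if key in self.reservations:
            self.leases[key] = self.reservations[key]
        elif key not in self.leases:
            for lo, hi in self.pools:
                candidate = next((ipaddress.IPv4Address(n) for n in range(int(lo), int(hi) + 1)
                                  if self._free(ipaddress.IPv4Address(n))), None)
                if candidate is not None:
                    self.leases[key] = candidate
                    break
        addr = self.leases.get(key)
        return str(addr) if addr is not None else None

    def release(self, mac: str) -> None:
        self.leases.pop(normalize_mac(mac), None)

    def snapshot(self) -> Dict[str, str]:
        """The assignments the device keeps in flash across a reboot."""
        return {m: str(a) for m, a in self.leases.items()}

    def restore(self, saved: Dict[str, str]) -> None:
        self.leases = {m: ipaddress.IPv4Address(a) for m, a in saved.items()}


if __name__ == "__main__":
    server = DhcpAllocator(POOLS, RESERVATIONS)
    for mac in ("00:00:00:00:00:01", "00:00:00:00:00:02", "12:34:ab:cd:56:78"):
        print(mac, "->", server.allocate(mac))
```

The point worth checking on a real device is the second allocation: with 172.16.10.11 reserved, a dynamic client must receive 172.16.10.12, not 172.16.10.11, even though 172.16.10.11 is inside the first pool.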
DHCP Server Options
When you specify DHCP servers for an interface, you may need to specify certain options that identify the servers or provide information used by the servers. For example, you can specify the IP addresses of the primary and secondary DNS servers, or set the IP address lease time.
The following are the predefined DHCP options, as described in RFC 2132, “DHCP Options and BOOTP Vendor Extensions”. The two NetInfo options (112 and 113) are marked N/A because RFC 2132 does not define them.
In situations where the predefined server options do not suffice, you can define custom DHCP server options. For example, for certain VoIP (Voice-over IP) configurations, it is necessary to send extra configuration information which is not supported by predefined server options. In such cases, you must define suitable custom options.
RFC 2132 Terminology | NetScreen CLI Terminology | Option Code
Subnet Mask | netmask | 1
Router Option | gateway | 3
Domain Name Server | dns1, dns2, dns3 | 6
Domain Name | domainname | 15
NetBIOS over TCP/IP Name Server Option | wins1, wins2 | 44
IP Address Lease Time | lease | 51
SMTP Server Option | smtp | 69
POP3 Server Option | pop3 | 70
NNTP Server Option | news | 71
(N/A) | nis1, nis2 | 112
(N/A) | nistag | 113
Example: Custom DHCP Server Options
In the following example, you create DHCP server definitions for IP phones which act as DHCP clients. The phones use the following custom options:
• Option code 444, containing string “Server 4”
• Option code 66, containing IP address 1.1.1.1
• Option code 160, containing integer 2004
Two caveats before copying these values: the DHCP option code field is a single octet (1 through 254, with 0 and 255 reserved for PAD and END), so code 444 cannot be carried in a DHCP packet and a client will never see it; and RFC 2132 defines option 66 as the TFTP server name, a string, so sending it as a 4-byte address only works with phones that accept that encoding. Confirm with a packet capture what the device actually emits.
CLI
1. Addresses
set address trust dns1 172.16.10.240/32 “primary dns server”
set address trust dns2 172.16.10.241/32 “secondary dns server”
2. DHCP Server
set interface ethernet1 dhcp server option domainname dynamic.com
set interface ethernet1 dhcp server option lease 0
set interface ethernet1 dhcp server option dns1 172.16.10.240
set interface ethernet1 dhcp server option dns2 172.16.10.241
set interface ethernet1 dhcp server option custom 444 string “Server 4”
set interface ethernet1 dhcp server option custom 66 ip 1.1.1.1
set interface ethernet1 dhcp server option custom 160 integer 2004
set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19
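What the option keywords in the table and the custom options above turn into on the wire, as an added example written for this page in Python (not ScreenOS code; the device's own encoder is not visible here). It builds the RFC 2132 option block for the settings of the DHCP server example together with the two encodable custom options from the IP-phone example, parses it back, and performs the one check worth doing before typing a custom option: the code must fit in one octet, so 444 is refused. An unlimited lease (lease 0 in the CLI) is sent as the all-ones lease time, which RFC 2131 treats as infinite; that mapping is an assumption about the device.

```python
import ipaddress
import struct
from typing import Dict, Iterable, List, Optional, Tuple

# Option code -> ScreenOS CLI keyword, from the table above.
CLI_KEYWORD = {1: "netmask", 3: "gateway", 6: "dns1/dns2/dns3", 15: "domainname",
               44: "wins1/wins2", 51: "lease", 69: "smtp", 70: "pop3", 71: "news",
               112: "nis1/nis2", 113: "nistag"}
PAD, END = 0, 255               # the two one-byte options without a length field
INFINITE_LEASE = 0xFFFFFFFF     # RFC 2131: an all-ones lease time means infinite


def encode_option(code: int, kind: str, value) -> bytes:
    """Encode one option as code | length | data (RFC 2132 section 2).
    kind is 'ip' (one address or a list), 'string' or 'integer' (32-bit),
    the three value types the 'custom' CLI keyword accepts."""
    if not 1 <= code <= 254:
        # The code field is one octet; 0 and 255 are PAD and END. A code
        # such as 444 cannot be represented at all.
        raise ValueError("DHCP option code must be 1..254, got %d" % code)
    if kind == "ip":
        addrs = value if isinstance(value, (list, tuple)) else [value]
        data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    elif kind == "string":
        data = value.encode("ascii")
    elif kind == "integer":
        data = struct.pack("!I", value)
    else:
        raise ValueError("unknown option kind %r" % kind)
    if not 1 <= len(data) <= 255:
        raise ValueError("option %d data must be 1..255 bytes" % code)
    return bytes([code, len(data)]) + data


def encode_options(options: Iterable[Tuple[int, str, object]]) -> bytes:
    """Concatenate (code, kind, value) triples and terminate with END."""
    return b"".join(encode_option(c, k, v) for c, k, v in options) + bytes([END])


def decode_options(blob: bytes) -> Dict[int, bytes]:
    """Parse code|len|data triples back into {code: raw data}. PAD is skipped,
    END terminates, and a truncated option raises instead of being half-read."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == PAD:
            i += 1
            continue
        if code == END:
            return out
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % code)
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d truncated" % code)
        out[code] = data
        i += 2 + length
    raise ValueError("option block not terminated by END")


def as_ips(data: bytes) -> List[str]:
    """Decode a run of 4-byte addresses (options 3, 6, 44, 69, 70, 71, 112)."""
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]


def option_error(code: int, kind: str, value) -> Optional[str]:
    """None when the option can be encoded, otherwise the reason. A pre-flight
    check for 'set interface ... dhcp server option custom'."""
    try:
        encode_option(code, kind, value)
        return None
    except ValueError as exc:
        return str(exc)


def well_formed(blob: bytes) -> bool:
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


# Constructed sample: the DHCP server example above plus the two custom
# options from the IP-phone example that fit in one octet.
EXAMPLE_OPTIONS = [
    (1, "ip", "255.255.255.0"),
    (3, "ip", "172.16.10.1"),
    (6, "ip", ["172.16.10.240", "172.16.10.241"]),
    (15, "string", "dynamic.com"),
    (51, "integer", INFINITE_LEASE),   # 'option lease 0' in the CLI
    (69, "ip", "172.16.10.25"),
    (70, "ip", "172.16.10.110"),
    (66, "ip", "1.1.1.1"),             # custom 66 ip 1.1.1.1
    (160, "integer", 2004),            # custom 160 integer 2004
]

if __name__ == "__main__":
    wire = encode_options(EXAMPLE_OPTIONS)
    for code, data in decode_options(wire).items():
        print(code, CLI_KEYWORD.get(code, "custom"), data.hex())
    print("custom 444:", option_error(444, "string", "Server 4"))
```

The decoder is deliberately strict: a length byte that runs past the end of the block is treated as malformed rather than read as far as it goes, which is the behaviour you want in anything that parses DHCP from an untrusted segment.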
DHCP Server in an NSRP Cluster
When the master unit in a redundant NSRP cluster functions as a DHCP server, all members in the cluster maintain all DHCP configurations and IP address assignments. In the event of a failover, the new master unit maintains all the DHCP assignments. However, termination of HA communication disrupts synchronization of existing DHCP assignments among the cluster members. After restoring HA communication, you can resynchronize the DHCP assignments by using the following CLI command on both units in the cluster: set nsrp rto-mirror sync.
DHCP Server Detection
When a DHCP server on a NetScreen device starts up, the system can first check to see if there is already a DHCP server on the interface. ScreenOS automatically stops the local DHCP server process from starting if another DHCP server is detected on the network. To detect another DHCP server, the device sends out DHCP boot requests at two-second intervals. If the device does not receive any response to its boot requests, it then starts its local DHCP server process.
If the NetScreen device receives a response from another DHCP server, the system generates a message indicating that the DHCP service is enabled on the NetScreen device but not started because another DHCP server is present on the network. The log message includes the IP address of the existing DHCP server. Any host that answers DHCP on the segment at boot time, legitimate or rogue, has this effect in Auto mode, so treat that log message as something to alert on rather than as a curiosity.
You can set one of three operational modes for DHCP server detection on an interface: Auto, Enable, or Disable (see note 7). Auto mode causes the NetScreen device to always check for an existing DHCP server at bootup. You can configure the device to not attempt to detect another DHCP server on an interface by setting the NetScreen DHCP server to Enable or Disable mode. In Enable mode, the DHCP server is always on and the device does not check if there is an existing DHCP server on the network. In Disable mode, the DHCP server is always off.
7. Auto mode is the default DHCP server detection mode for NetScreen-5XP and NetScreen-5XT devices. For other NetScreen devices that support the DHCP server, Enable mode is the default DHCP server detection mode.
Example: Turning On DHCP Server Detection
In this example, you set the DHCP server on the ethernet1 interface to check for an existing DHCP server on the interface first before starting up.
WebUI
Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click OK:
Server Mode: Auto (select)
CLI
set interface ethernet1 dhcp server auto
save
Example: Turning Off DHCP Server Detection
In this example, you set the DHCP server on the ethernet1 interface to start up without checking to see if there is an existing DHCP server on the network.
WebUI
Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click OK:
Server Mode: Enable (select)
CLI
set interface ethernet1 dhcp server enable
save
Note: Issuing the CLI command set interface interface dhcp server service activates the DHCP server. If the DHCP server detection mode for the interface is set to Auto, the DHCP server on the NetScreen device starts only if it does not find an existing server on the network. Issuing the unset interface interface dhcp server service command disables the DHCP server on the NetScreen device and also deletes any existing DHCP configuration.
DHCP Relay Agent
When acting as a DHCP relay agent, the NetScreen device forwards DHCP requests and assignments between hosts in one zone and a DHCP server in another zone. The DHCP messages between the NetScreen device and the DHCP server can be transmitted in the open or through a VPN tunnel.
You can configure a DHCP relay agent on one or more physical or VLAN interfaces on a NetScreen device, although you cannot configure DHCP relay agent and DHCP server or client functions on the same interface. When the NetScreen device functions as a DHCP relay agent, its interfaces must be in either Route mode or Transparent mode. For interfaces in Route mode, you must configure a policy from one zone to another zone for the predefined service DHCP-Relay. For interfaces in Transparent mode, the DHCP client must reside in the V1-Trust zone, while the DHCP server can reside in either the V1-Untrust or V1-DMZ zone. No policy is needed for interfaces in Transparent mode.
You can configure up to three DHCP servers for each DHCP relay agent. The relay agent unicasts an address request from a DHCP client to all configured DHCP servers. The relay agent forwards to the client the first response received from a server.
The following simplified illustration presents the process involved in using a NetScreen device as a DHCP relay agent. Note that to ensure security, the DHCP messages pass through a VPN tunnel when traveling over the untrusted network.
Note: When a NetScreen device acts as a DHCP relay agent, the NetScreen device does not generate DHCP allocation status reports because the remote DHCP server controls all the IP address allocations.
[Figure: relay process. (1) A host in the Trust zone sends a request to the relay agent, which forwards it to the DHCP server through the VPN tunnel in the Untrust zone; (2) the assignment is returned the same way; (3) so is the release.]
Example: NetScreen Device as DHCP Relay Agent
In this example, a NetScreen device receives its DHCP information from a DHCP server at 194.2.9.10 and relays it to hosts in the Trust zone. The hosts receive IP addresses from an IP pool defined on the DHCP server. The address range is 180.10.10.2 through 180.10.10.254. The DHCP messages pass through a VPN tunnel between the local NetScreen device and the DHCP server, located behind a remote NetScreen device whose Untrust zone interface IP address is 2.2.2.2/24. The interface ethernet1 is bound to the Trust zone, has the IP address 180.10.10.1/24, and is in Route mode. The interface ethernet3 is bound to the Untrust zone and has the IP address 1.1.1.1/24. All security zones are in the trust-vr routing domain.
[Figure: the local NetScreen device (DHCP relay agent) has ethernet1 180.10.10.1/24 in the Trust zone and ethernet3 1.1.1.1/24 in the Untrust zone, with the router 1.1.1.250 as its next hop. A VPN tunnel across the Internet reaches the remote NetScreen device, behind which sit the DHCP server 194.2.9.10 and the IP pool 180.10.10.2 through 180.10.10.254.]
WebUI
1. Interfaces
Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 180.10.10.1/24
Enter the following, and then click OK:
Interface Mode: Route
Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
Static IP: (select this option when present)
IP Address/Netmask: 1.1.1.1/24
2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: DHCP Server
IP Address/Domain Name:
IP/Netmask: (select), 194.2.9.10/32
Zone: Untrust
3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, and then click OK:
Gateway Name: dhcp server
Security Level: Custom
Remote Gateway Type:
Static IP: (select), Address/Hostname: 2.2.2.2
Outgoing Interface: ethernet3
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Security Level: User Defined: Custom (select)
Phase1 Proposal: rsa-g2-3des-sha
Mode (Initiator): Main (ID Protection)
VPNs > AutoKey IKE > New: Enter the following, and then click OK:
VPN Name: to_dhcp
Security Level: Compatible
Remote Gateway:
Predefined: (select), dhcp server
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Bind to: None
4. DHCP Relay Agent
Network > DHCP > Edit (for ethernet1) > DHCP Relay Agent: Enter the following, and then click Apply:
Relay Agent Server IP or Domain Name: 194.2.9.10
Use Trust Zone Interface as Source IP for VPN: (select)
5. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250 (see note 8)
6. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), DHCP Server
Service: DHCP-Relay
Action: Tunnel
Tunnel VPN: to_dhcp
Modify matching outgoing VPN policy: (select)
8. Setting a route to the external router designated as the default gateway is essential for both outbound VPN and network traffic. In this example, the NetScreen device sends encapsulated VPN traffic to this router as the first hop along its route to the remote NetScreen device. In the illustration for this example, the concept is presented by depicting the tunnel passing through the router.
CLI
1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 180.10.10.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
2. Address
set address untrust dhcp_server 194.2.9.10/32
3. VPN
set ike gateway “dhcp server” ip 2.2.2.2 main outgoing-interface ethernet3 proposal rsa-g2-3des-sha
set vpn to_dhcp gateway “dhcp server” proposal g2-esp-3des-sha
4. DHCP Relay Agent
set interface ethernet1 dhcp relay server-name 194.2.9.10
set interface ethernet1 dhcp relay vpn
5. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
6. Policies
set policy from trust to untrust any dhcp_server dhcp-relay tunnel vpn to_dhcp
set policy from untrust to trust dhcp_server any dhcp-relay tunnel vpn to_dhcp
save
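The relay behaviour described above (the request unicast to every configured server, at most three servers, the first reply forwarded to the client), as an added example written for this page in Python. It is not ScreenOS code and leaves the VPN leg out of scope. It assembles and parses the fixed RFC 2131 message header and applies the RFC 1542 relay rules: fill giaddr with the receiving interface address when it is zero, leave it alone otherwise, increment hops, and discard a request that has already crossed more than 16 relays. The addresses are those of the example; the transaction ID and client MAC address are constructed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
# RFC 2131 section 2 fixed fields followed by the magic cookie: 240 bytes.
FIXED = "!BBBBIHH4s4s4s4s16s64s128s4s"
FIXED_LEN = struct.calcsize(FIXED)
DISCOVER = b"\x35\x01\x01\xff"   # option 53 = DHCPDISCOVER, then END
OFFER = b"\x35\x01\x02\xff"      # option 53 = DHCPOFFER, then END


def _ip(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))


def _ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build(op: int, xid: int, chaddr: str, ciaddr: str = "0.0.0.0", yiaddr: str = "0.0.0.0",
          giaddr: str = "0.0.0.0", hops: int = 0, options: bytes = DISCOVER) -> bytes:
    """Assemble a DHCP message (htype 1 = Ethernet, hlen 6, secs/flags 0)."""
    mac = bytes.fromhex(chaddr.replace(":", ""))
    return struct.pack(FIXED, op, 1, 6, hops, xid, 0, 0, _ip(ciaddr), _ip(yiaddr),
                       _ip("0.0.0.0"), _ip(giaddr), mac.ljust(16, b"\0"),
                       b"\0" * 64, b"\0" * 128, MAGIC) + options


def parse(msg: bytes) -> Dict[str, object]:
    """Pull out the fields a relay needs; reject anything that is not DHCP."""
    if len(msg) < FIXED_LEN:
        raise ValueError("short DHCP message")
    f = struct.unpack(FIXED, msg[:FIXED_LEN])
    if f[14] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    return {"op": f[0], "hops": f[3], "xid": f[4], "ciaddr": _ip_str(f[7]),
            "yiaddr": _ip_str(f[8]), "giaddr": _ip_str(f[10]),
            "chaddr": f[11][:f[2]].hex(":"), "options": msg[FIXED_LEN:]}


class RelayAgent:
    MAX_SERVERS = 3   # limit stated in the text above
    MAX_HOPS = 16     # RFC 1542 section 4.1.1: discard a request whose hops exceed this

    def __init__(self, interface_ip: str, servers: List[str]):
        if not 1 <= len(servers) <= self.MAX_SERVERS:
            raise ValueError("a relay agent takes 1 to %d servers" % self.MAX_SERVERS)
        self.interface_ip = interface_ip      # Trust-side interface, ethernet1 in the example
        self.servers = list(servers)
        self.answered: Set[int] = set()       # transactions already answered

    def from_client(self, msg: bytes) -> List[Tuple[str, bytes]]:
        """Handle a broadcast request from the Trust zone. Returns the
        (server_ip, message) pairs the relay unicasts, one per server."""
        h = parse(msg)
        if h["op"] != BOOTREQUEST or h["hops"] > self.MAX_HOPS:
            return []
        giaddr = h["giaddr"] if h["giaddr"] != "0.0.0.0" else self.interface_ip
        relayed = build(BOOTREQUEST, h["xid"], h["chaddr"], ciaddr=h["ciaddr"],
                        giaddr=giaddr, hops=h["hops"] + 1, options=h["options"])
        return [(server, relayed) for server in self.servers]

    def from_server(self, msg: bytes) -> Optional[bytes]:
        """Handle a reply from a server. Only replies addressed to this relay
        (giaddr is our interface) are accepted, and only the first one per
        transaction; the returned message is what the client receives."""
        h = parse(msg)
        if h["op"] != BOOTREPLY or h["giaddr"] != self.interface_ip or h["xid"] in self.answered:
            return None
        self.answered.add(h["xid"])
        return msg


if __name__ == "__main__":
    relay = RelayAgent("180.10.10.1", ["194.2.9.10"])   # ethernet1 -> the remote DHCP server
    request = build(BOOTREQUEST, 0x1234, "12:34:ab:cd:56:78")          # constructed client
    for server, relayed in relay.from_client(request):
        print("to", server, parse(relayed))
    offer = build(BOOTREPLY, 0x1234, "12:34:ab:cd:56:78", yiaddr="180.10.10.2",
                  giaddr="180.10.10.1", options=OFFER)
    print("delivered:", relay.from_server(offer) is not None)
    print("duplicate dropped:", relay.from_server(offer) is None)
```

The giaddr check in from_server is the detail to keep: a reply whose giaddr is not the relay's own interface was not solicited through this relay and is dropped rather than pushed onto the Trust segment.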
DHCP Client
When acting as a DHCP client, the NetScreen device receives an IP address dynamically from a DHCP server for any physical interface in any security zone. If there are multiple interfaces bound to a single security zone, you can configure a DHCP client for each interface as long as each interface is not connected to the same network segment. If you configure a DHCP client for two interfaces that are connected to the same network segment, the first address assigned by a DHCP server is used. (If the DHCP client receives an address update to the same IP address, IKE is not rekeyed.)
Example: NetScreen Device as DHCP Client
In this example, the interface bound to the Untrust zone has a dynamically assigned IP address. When the NetScreen device requests its IP address from its ISP, it receives its IP address, subnet mask, gateway IP address, and the length of its lease for the address. The IP address of the DHCP server is 2.2.2.5.
Note: While some NetScreen devices can act as a DHCP server, DHCP relay agent, or a DHCP client at the same time, you cannot configure more than one DHCP role on a single interface.
[Figure: (1) the NetScreen device requests an IP address for ethernet3 (Untrust zone) from the ISP's DHCP server at 2.2.2.5 across the Internet; (2) the ISP assigns the address. The internal LAN is in the Trust zone.]
WebUI
Network > Interfaces > Edit (for ethernet3): Select Obtain IP using DHCP (see note 9), and then click OK.
CLI
set interface ethernet3 dhcp client
set interface ethernet3 dhcp settings server 2.2.2.5
save
Note: Before setting up a site for DHCP service, you must have the following:
• Digital subscriber line (DSL) modem and line
• Account with ISP
9. You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.
TCP/IP Settings Propagation
Some NetScreen devices can act as a Dynamic Host Configuration Protocol (DHCP) client, receiving TCP/IP settings and the IP address for any physical interface in any security zone from an external DHCP server. Some NetScreen devices can act as a DHCP server, providing TCP/IP settings and IP addresses to clients in any zone. When a NetScreen device acts both as a DHCP client and a DHCP server simultaneously, it can transfer the TCP/IP settings learned through its DHCP client module to its default DHCP server module (see note 10). TCP/IP settings include the IP address of the default gateway and a subnet mask, and IP addresses for any or all of the following servers:
• DNS (3)
• WINS (2)
• NetInfo (2)
• SMTP (1)
• POP3 (1)
• News (1)
10. While you can configure up to eight DHCP servers on any physical or VLAN interface, the default DHCP server on the device resides on a specific interface on each platform. On the NetScreen-5XP, the default DHCP server resides on the Trust interface. On the NetScreen-5XT, the default DHCP server resides on the Trust interface for Trust-Untrust port mode, the ethernet1 interface for Dual-Untrust port mode, and the ethernet2 interface for Home-Work and Combined port modes. For other devices, the default DHCP server resides on the ethernet1 interface.
[Figure: the NetScreen device is both a client of the DHCP server in the Untrust zone (the ISP, from which it receives the Untrust zone interface IP address and TCP/IP settings) and a DHCP server to the clients in the Trust zone. It takes the TCP/IP settings that it receives as a DHCP client and forwards them as a DHCP server to the clients in the Trust zone. Trust zone interface 10.1.1.1, DHCP range 10.1.1.50 through 10.1.1.200.]
You can configure the DHCP server module to propagate all TCP/IP settings that it receives from the DHCP client module using the set interface interface dhcp-client settings update-dhcpserver command. You can also override any setting with a different one.
Example: Forwarding TCP/IP Settings
In this example, you configure the NetScreen device to act both as a DHCP client on the ethernet3 interface and as a DHCP server on the ethernet1 interface. (The default DHCP server is on the ethernet1 interface.)
As a DHCP client, the NetScreen device receives an IP address for the ethernet3 interface and its TCP/IP settings from an external DHCP server at 211.3.1.6. You enable the DHCP client module in the NetScreen device to transfer the TCP/IP settings it receives to the DHCP server module.
You configure the NetScreen DHCP server module to do the following with the TCP/IP settings that it receives from the DHCP client module:
• Forward the DNS IP addresses to its DHCP clients in the Trust zone.
• Override the default gateway11, netmask, and SMTP server and POP3 server IP addresses with the following:
– 10.1.1.1 (this is the IP address of the ethernet1 interface)
– 255.255.255.0 (this is the netmask for the ethernet1 interface)
– SMTP: 211.1.8.150
– POP3: 211.1.8.172
You also configure the DHCP server module to deliver the following TCP/IP settings that it does not receive from the DHCP client module:
• Primary WINS server: 10.1.2.42
• Secondary WINS server: 10.1.5.90
Finally, you configure the DHCP server module to assign IP addresses from the following IP pool to the hosts acting as DHCP clients in the Trust zone: 10.1.1.50 – 10.1.1.200.
11. If the DHCP server is already enabled on the Trust interface and has a defined pool of IP addresses (which is default behavior on some NetScreen devices), you must first delete the IP address pool before you can change the default gateway and netmask.
WebUI
Note: You can only set this feature through the CLI.
CLI
1. DHCP Client
set interface ethernet3 dhcp-client settings server 211.3.1.6
set interface ethernet3 dhcp-client settings update-dhcpserver
set interface ethernet3 dhcp-client settings autoconfig
set interface ethernet3 dhcp-client enable
2. DHCP Server
set interface ethernet1 dhcp server option gateway 10.1.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option wins1 10.1.2.42
set interface ethernet1 dhcp server option wins2 10.1.5.90
set interface ethernet1 dhcp server option pop3 211.1.8.172
set interface ethernet1 dhcp server option smtp 211.1.8.150
set interface ethernet1 dhcp server ip 10.1.1.50 to 10.1.1.200
set interface ethernet1 dhcp server service
save
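The propagation-and-override behavior described above, as an added example that is not code from the ScreenOS manual or from Juniper: a Python model that merges what the DHCP client module learned on ethernet3 with the explicit server-side options on ethernet1, checks the result the way a reviewer would before enabling the server, and renders the same set interface ethernet1 dhcp server lines. The learned option values (gateway 211.3.1.1, DNS 211.3.1.10 and 211.3.1.11, and so on) are constructed, since the page only names the external server 211.3.1.6; the check functions and their names are this example's own. The point the checks make is the one behind the page's overrides: with update-dhcpserver enabled, the ISP's default gateway and mail servers would be handed to Trust-zone hosts unless the server module overrides them.

```python
"""Model of ScreenOS DHCP client-to-server settings propagation with overrides.

Added example, not from the ScreenOS manual. Mirrors the page's example:
DHCP client on ethernet3 learning from 211.3.1.6, DHCP server on ethernet1
serving 10.1.1.50-10.1.1.200 to the Trust zone.
"""
import ipaddress

# Options the device learned on ethernet3 as a DHCP client. Constructed sample:
# the page names only the external server (211.3.1.6); these values are assumed.
LEARNED_FROM_CLIENT = {
    "gateway": "211.3.1.1",
    "netmask": "255.255.255.0",
    "dns1": "211.3.1.10",
    "dns2": "211.3.1.11",
    "smtp": "211.3.1.25",
    "pop3": "211.3.1.110",
}

# Server-side configuration, taken from the page's example.
SERVER_SPEC = {
    "interface": "ethernet1",
    "interface_ip": "10.1.1.1/24",
    "pool": ("10.1.1.50", "10.1.1.200"),
    # Explicit `dhcp server option` settings win over propagated ones.
    "override": {
        "gateway": "10.1.1.1",
        "netmask": "255.255.255.0",
        "smtp": "211.1.8.150",
        "pop3": "211.1.8.172",
    },
    # Options the client module never supplies, set locally.
    "local": {"wins1": "10.1.2.42", "wins2": "10.1.5.90"},
}

OPTION_ORDER = ["gateway", "netmask", "dns1", "dns2", "dns3",
                "wins1", "wins2", "pop3", "smtp"]


def effective_options(learned, spec, update_dhcpserver=True):
    """Options the server module hands to Trust-zone clients.

    With update-dhcpserver enabled every learned option is copied into the
    server module; anything configured explicitly on the server overrides it.
    """
    options = dict(learned) if update_dhcpserver else {}
    options.update(spec["local"])
    options.update(spec["override"])
    return options


def validate(spec, options):
    """Return the problems a practitioner should fix before enabling the server."""
    problems = []
    iface = ipaddress.ip_interface(spec["interface_ip"])
    subnet = iface.network
    start, end = (ipaddress.ip_address(a) for a in spec["pool"])
    if start > end:
        problems.append("pool start is above pool end")
    if start not in subnet or end not in subnet:
        problems.append("pool %s-%s is not inside %s" % (start, end, subnet))
    if start <= iface.ip <= end:
        problems.append("pool includes the interface address %s" % iface.ip)
    gw = options.get("gateway")
    if gw is None:
        problems.append("no default gateway will be handed out")
    elif ipaddress.ip_address(gw) not in subnet:
        # The ISP's gateway leaks through propagation unless overridden.
        problems.append("gateway %s is unreachable from %s" % (gw, subnet))
    mask = options.get("netmask")
    if mask is not None and mask != str(subnet.netmask):
        problems.append("netmask %s does not match %s" % (mask, subnet.netmask))
    if "dns1" not in options:
        problems.append("no DNS server will be handed out")
    return problems


def render_cli(spec):
    """ScreenOS commands for the server side. Only overrides and local options
    are emitted; propagated ones arrive via update-dhcpserver on the client."""
    explicit = {**spec["local"], **spec["override"]}
    iface = spec["interface"]
    cmds = ["set interface %s dhcp server option %s %s" % (iface, k, explicit[k])
            for k in OPTION_ORDER if k in explicit]
    cmds.append("set interface %s dhcp server ip %s to %s"
                % (iface, spec["pool"][0], spec["pool"][1]))
    cmds.append("set interface %s dhcp server service" % iface)
    return cmds


if __name__ == "__main__":
    opts = effective_options(LEARNED_FROM_CLIENT, SERVER_SPEC)
    for problem in validate(SERVER_SPEC, opts) or ["no problems found"]:
        print("check:", problem)
    print("\n".join(render_cli(SERVER_SPEC)))
```

Running validate against the same spec with the override dictionary emptied reports the ISP gateway as unreachable from 10.1.1.0/24, which is exactly the configuration the page avoids by overriding gateway and netmask; the pool check catches the footnote 11 situation where a pool overlaps the interface address.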
Chapter 8 System Parameters PPPoE
399
PPPOE
PPP-over-Ethernet (PPPoE) merges the Point-to-Point Protocol (PPP), which is usually used for dialup connections, with the Ethernet protocol, which can connect multiple users at a site to the same customer premises equipment. While many users can share the same physical connection, access control, billing, and type of service are handled on a per-user basis. Some NetScreen devices support a PPPoE client, allowing them to operate compatibly on DSL, Ethernet Direct, and cable networks run by ISPs using PPPoE for their clients' Internet access.
On devices that support PPPoE, you can configure a PPPoE client instance on any or all interfaces. You configure a specific instance of PPPoE with a user name and password and other parameters, and bind the instance to an interface. When there are two Ethernet interfaces (a primary and a backup) bound to the Untrust zone, you can configure one or both interfaces for PPPoE. For example, in Dual Untrust port mode12, you can configure the primary interface (ethernet3) for DHCP and the backup interface (ethernet2) for PPPoE. Or, you can configure PPPoE for both the primary and backup interfaces.
Example: Setting Up PPPoE
The following example illustrates how to define the untrusted interface of a NetScreen device for PPPoE connections, and how to initiate PPPoE service.
In this example, the NetScreen device receives a dynamically assigned IP address for its Untrust zone interface (ethernet3) from the ISP, and the NetScreen device also dynamically assigns IP addresses for the three hosts in its Trust zone. In this case, the NetScreen device acts both as a PPPoE client and a DHCP server. The Trust zone interface must be in either NAT mode or Route mode. In this example, it is in NAT mode.
12. Port modes are supported on some NetScreen appliances, such as the NetScreen-5XT.
Before setting up the site in this example for PPPoE service, you must have the following:
• Digital subscriber line (DSL) modem and line
• Account with ISP
• User name and password (obtained from the ISP)
[Figure: The NetScreen device connects through a DSL modem and DSL line to the ISP's DSLAM/hub and Access Concentrator (AC) on the Internet, which supplies the primary and secondary DNS servers. Untrust (ethernet3): address assigned dynamically by the ISP. Trust interface: 172.16.30.10/24. Trust zone DHCP range: 172.16.30.2 - 172.16.30.5.]
WebUI
1. Interfaces and PPPoE
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 172.16.30.10/24
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
Zone: Untrust
Obtain IP using PPPoE: (select)
User Name/Password: <name>/<password>
Network > Interfaces > Edit (for ethernet3): To test your PPPoE connection, click Connect.
2. DHCP Server
Network > Interfaces > Edit (for ethernet1) > DHCP: Select DHCP Server, and then click Apply.
Network > Interfaces > Edit (for ethernet1) > DHCP: Enter the following, and then click Apply:
Lease: 1 hour
Gateway: 0.0.0.0
Netmask: 0.0.0.0
DNS#1: 0.0.0.0
> Advanced: Enter the following, and then click Return:
DNS#2: 0.0.0.0
Domain Name: (leave blank)
Note: When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the Untrust zone interface and the IP addresses for the Domain Name Service (DNS) servers. When the NetScreen device receives DNS addresses via PPPoE, the new DNS settings overwrite the local settings by default. If you do not want the new DNS settings to replace the local settings, you can use the CLI command unset pppoe dhcp-updateserver to disable this behavior. If you use a static IP address for the Untrust zone interface, you must obtain the IP addresses of the DNS servers and manually enter them on the NetScreen device and on the hosts in the Trust zone.
Network > Interfaces > DHCP (for ethernet1) > New Address: Enter the following, and then click OK:
Dynamic: (select)
IP Address Start: 172.16.30.2
IP Address End: 172.16.30.5
3. Activating PPPoE on the NetScreen Device
Turn off the power to the DSL modem, the NetScreen device, and the three workstations.
Turn on the DSL modem.
Turn on the NetScreen device.
The NetScreen device makes a PPPoE connection to the ISP and, through the ISP, gets the IP addresses for the DNS servers.
4. Activating DHCP on the Internal Network
Turn on the workstations.
The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.
Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.
Note: When you use DHCP to assign IP addresses to hosts in the Trust zone, the NetScreen device automatically forwards the IP addresses of the DNS servers that it receives from the ISP to the hosts.
If the IP addresses for the hosts are not dynamically assigned through DHCP, you must manually enter the IP addresses for the DNS servers on each host.
CLI
1. Interfaces and PPPoE
set interface ethernet1 zone trust
set interface ethernet1 ip 172.16.30.10/24
set interface ethernet3 zone untrust
set pppoe interface ethernet3
set pppoe username name_str password pswd_str
To test your PPPoE connection:
exec pppoe connect
get pppoe
2. DHCP Server
set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server ip 172.16.30.2 to 172.16.30.5
set interface ethernet1 dhcp server option lease 60
save
3. Activating PPPoE on the NetScreen Device
Turn off the power to the DSL modem, the NetScreen device, and the three workstations.
Turn on the DSL modem.
Turn on the NetScreen device.
4. Activating DHCP on the Internal Network
Turn on the workstations.
The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.
Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.
Example: Configuring PPPoE on Primary and Backup Untrust Interfaces
For this example, the NetScreen-5XT is in Dual Untrust mode. In the following example, you configure PPPoE for both the primary (ethernet3) and backup (ethernet2) interfaces bound to the Untrust zone.
WebUI
PPPoE Configuration for ethernet3 Interface
Network > PPPoE > New: Enter the following, and then click OK:
PPPoE instance: eth3-pppoe
Bound to interface: ethernet3 (select)
Username: user1
Password: 123456
Authentication: Any (select)
Access Concentrator: ac-11
PPPoE Configuration for ethernet2 Interface
Network > PPPoE > New: Enter the following, and then click OK:
PPPoE instance: eth2-pppoe
Bound to interface: ethernet2 (select)
Username: user2
Password: 654321
Authentication: Any (select)
Access Concentrator: ac-22
CLI
1. PPPoE Configuration for ethernet3 Interface
set pppoe name eth3-pppoe username user1 password 123456
set pppoe name eth3-pppoe ac ac-11
set pppoe name eth3-pppoe authentication any
set pppoe name eth3-pppoe interface ethernet3
2. PPPoE Configuration for ethernet2 Interface
set pppoe name eth2-pppoe username user2 password 654321
set pppoe name eth2-pppoe ac ac-22
set pppoe name eth2-pppoe authentication any
set pppoe name eth2-pppoe interface ethernet2
save
Multiple PPPoE Sessions over a Single Interface
Some NetScreen devices support creation of multiple PPPoE sub-interfaces (each with the same MAC address) for a given physical interface. This support allows you to establish a private network connection with one ISP, and connect to the Internet through a different ISP using the same physical interface. You can establish these connections using different usernames or domain names or be connected simultaneously to different ISPs.
The maximum number of concurrent PPPoE sessions on a physical interface is limited only by the number of sub-interfaces allowed by the device. There is no restriction on how many physical interfaces can support multiple sessions. You can specify username, static-ip, idle-timeout, auto-connect and other parameters separately for each PPPoE instance or session.
Untagged Interfaces
To support a PPPoE session, a sub-interface must be untagged. An untagged interface does not use a VLAN tag to identify a VLAN for a sub-interface. Instead, it uses a feature called encap, which binds the sub-interface to PPPoE encapsulation. Thus, by hosting multiple sub-interfaces, a single physical interface can host multiple PPPoE instances. You can configure each instance to go to a specified Access Concentrator (AC), therefore allowing separate entities such as ISPs to manage the PPPoE sessions through a single interface. For more information on VLANs and VLAN tags, see Volume 9, "Virtual Systems".
[Figure: Multiple sub-interfaces on a single physical interface (e.g. ethernet7). Three PPPoE instances (isp_1 on e7, isp_2 on e7.1, isp_3 on e7.2) carry three PPPoE sessions from the Trust zone, through the Untrust zone, to three Access Concentrators (isp_1ac, isp_2ac, isp_3ac).]
Example: Multiple PPPoE Instances
In the following example you define three PPPoE instances, specify an Access Concentrator (AC) for each, then initiate each instance.
• Instance isp_1, username "user1@domain1", password "swordfish", bound to interface ethernet7. The AC is named "isp_1ac".
• Instance isp_2, username "user2@domain2", password "marlin", bound to sub-interface ethernet7.1. The AC is named "isp_2ac".
• Instance isp_3, username "user3@domain3", password "trout", bound to sub-interface ethernet7.2. The AC is named "isp_3ac".
WebUI
Interface and Sub-Interfaces
1. Network > Interfaces > Edit (for ethernet7): Enter the following, and then click OK:
Zone Name: Untrust
2. Network > Interfaces > New (Sub-IF): Enter the following, and then click OK:
Interface Name: ethernet7.1
Zone Name: Untrust
3. Network > Interfaces > New (Sub-IF): Enter the following, and then click OK:
Interface Name: ethernet7.2
Zone Name: Untrust
PPPoE Instances and ACs
4. Network > PPPoE > New: Enter the following, and then click OK:
PPPoE Instance: isp_1
Enable: Enable
Bound to Interface: ethernet7
Username: user1@domain1
Access Concentrator: isp_1ac
5. Network > PPPoE > New: Enter the following, and then click OK:
PPPoE Instance: isp_2
Enable: Enable
Bound to Interface: ethernet7.1
Username: user2@domain2
Access Concentrator: isp_2ac
6. Network > PPPoE > New: Enter the following, and then click OK:
PPPoE Instance: isp_3
Enable: Enable
Bound to Interface: ethernet7.2
Username: user3@domain3
Access Concentrator: isp_3ac
PPPoE Initiation
7. Network > PPPoE > Connect (for isp_1)
8. Network > PPPoE > Connect (for isp_2)
9. Network > PPPoE > Connect (for isp_3)
CLI
1. Interface and Sub-Interfaces
set interface ethernet7 zone untrust
set interface ethernet7.1 encap pppoe zone untrust
set interface ethernet7.2 encap pppoe zone untrust
2. PPPoE Instances and ACs
set pppoe name isp_1 username user1@domain1 password swordfish
set pppoe name isp_1 interface ethernet7
set pppoe name isp_1 ac isp_1ac
set pppoe name isp_2 username user2@domain2 password marlin
set pppoe name isp_2 interface ethernet7.1
set pppoe name isp_2 ac isp_2ac
set pppoe name isp_3 username user3@domain3 password trout
set pppoe name isp_3 interface ethernet7.2
set pppoe name isp_3 ac isp_3ac
save
3. PPPoE Initiation
exec pppoe name isp_1 connect
exec pppoe name isp_2 connect
exec pppoe name isp_3 connect
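Both PPPoE examples above pin an Access Concentrator name (ac ac-11, ac isp_1ac) on each instance. What that name buys you happens in PPPoE discovery: every AC on the segment may answer the client's PADI with a PADO, and a client that has an AC name configured answers only the offer carrying that AC-Name tag. The following Python, an added example and not code from the ScreenOS manual or from Juniper, builds the PADI, parses PADO offers according to RFC 2516, and selects only the offer whose AC-Name matches the configured name and which echoes the client's Host-Uniq, discarding a constructed rogue offer. This is the client-side check RFC 2516 makes possible, not a description of ScreenOS internals; the frame bytes, AC names and cookie values are constructed samples and the function names are this example's own.

```python
"""PPPoE discovery (RFC 2516) with the Access Concentrator name check.

Added example, not from the ScreenOS manual. Builds a PADI, parses PADO
offers, and accepts only the offer from the configured AC that echoes our
Host-Uniq. The PADO frames at the bottom are constructed samples.
"""
import struct

ETHERTYPE_DISCOVERY = 0x8863      # Ethernet type for PPPoE discovery frames
VER_TYPE = 0x11                   # version 1, type 1
PADI, PADO, PADR, PADS = 0x09, 0x07, 0x19, 0x65
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ, TAG_AC_COOKIE = (
    0x0000, 0x0101, 0x0102, 0x0103, 0x0104)


def encode_tags(tags):
    """Serialise (type, value) tags as TLVs and append the End-Of-List tag."""
    out = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return out + struct.pack("!HH", TAG_END, 0)


def build_packet(code, session_id, tags):
    payload = encode_tags(tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(payload)) + payload


def build_padi(host_uniq, service_name=b""):
    """PADI: session 0, Service-Name (empty means any) and a Host-Uniq nonce so
    the client can tell replies to its own request from stray offers."""
    return build_packet(PADI, 0, [(TAG_SERVICE_NAME, service_name),
                                  (TAG_HOST_UNIQ, host_uniq)])


def parse_packet(data):
    """Return (code, session_id, tags) or raise ValueError on malformed input."""
    if len(data) < 6:
        raise ValueError("short PPPoE header")
    vt, code, session_id, length = struct.unpack("!BBHH", data[:6])
    if vt != VER_TYPE:
        raise ValueError("unsupported version/type 0x%02x" % vt)
    if len(data) < 6 + length:
        raise ValueError("truncated payload")
    body = data[6:6 + length]
    tags, off = [], 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if ttype == TAG_END:
            break
        if off + tlen > len(body):
            raise ValueError("tag 0x%04x runs past payload" % ttype)
        tags.append((ttype, body[off:off + tlen]))
        off += tlen
    return code, session_id, tags


def tag_value(tags, ttype):
    return next((v for t, v in tags if t == ttype), None)


def select_offer(pados, host_uniq, configured_ac):
    """Pick the PADO to answer with a PADR, mirroring the `ac` setting.

    Offers that do not echo our Host-Uniq, or that come from an AC other than
    the configured one, are ignored. Returns (ac_name, ac_cookie) or None.
    """
    for frame in pados:
        try:
            code, session_id, tags = parse_packet(frame)
        except ValueError:
            continue
        if code != PADO or session_id != 0:
            continue
        if tag_value(tags, TAG_HOST_UNIQ) != host_uniq:
            continue
        ac_name = tag_value(tags, TAG_AC_NAME)
        if ac_name is None:
            continue
        ac = ac_name.decode("ascii", "replace")
        if ac != configured_ac:
            continue
        return ac, tag_value(tags, TAG_AC_COOKIE) or b""
    return None


def build_padr(host_uniq, ac_cookie, service_name=b""):
    """PADR echoes the AC-Cookie unchanged; the AC answers with a PADS
    carrying the session ID."""
    tags = [(TAG_SERVICE_NAME, service_name), (TAG_HOST_UNIQ, host_uniq)]
    if ac_cookie:
        tags.append((TAG_AC_COOKIE, ac_cookie))
    return build_packet(PADR, 0, tags)


# Constructed sample exchange: a rogue offer and the offer from the configured AC.
HOST_UNIQ = b"\x5a\xa5\x00\x01"   # constructed; a real client uses a random value
ROGUE_PADO = build_packet(PADO, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, HOST_UNIQ),
                                    (TAG_AC_NAME, b"ac-99"), (TAG_AC_COOKIE, b"evil")])
REAL_PADO = build_packet(PADO, 0, [(TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, HOST_UNIQ),
                                   (TAG_AC_NAME, b"ac-11"), (TAG_AC_COOKIE, b"\x01\x02\x03\x04")])

if __name__ == "__main__":
    print("PADI:", build_padi(HOST_UNIQ).hex())
    print("chosen:", select_offer([ROGUE_PADO, REAL_PADO], HOST_UNIQ, "ac-11"))
```

Without a configured AC name a client takes the first PADO it sees, so anything on the same Ethernet segment between the device and the DSLAM can win the race and terminate the PPP session; the AC-Name match narrows that to impersonating the named AC, and PAP or CHAP then authenticates only the client to the AC, not the other way round, which is why the match is worth configuring where the ISP publishes its AC name.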
PPPoE and High Availability
Two NetScreen devices that support PPPoE in Active/Passive mode can handle failover of a PPPoE connection. Upon initiation of the connection, the master device synchronizes its PPPoE state with the backup device. Because the passive device uses the same IP address as the master device, it does not have to make a new PPPoE connection once it becomes the master. Therefore, it can maintain communication with the Access Concentrator after failure of the master. This is necessary when the PPPoE interface supports VPN connections, and these connections must continue, using the same interface IP after failover. For more information about high availability configurations, see Volume 10, "High Availability".
Chapter 8 System Parameters Upgrading and Downgrading Firmware
411
UPGRADING AND DOWNGRADING FIRMWARE
This section describes three methods to upgrade a NetScreen device:
• Web User Interface (WebUI)
• Command Line Interface (CLI)
• Boot Loader or ScreenOS Loader
The procedures vary depending on whether you are downloading the firmware on a single device or on devices configured for High Availability.
The section contains the following:
• "Requirements to Upgrade and Downgrade Device Firmware" on page 412
– "NetScreen-Security Manager Server Connection" on page 413
• "Downloading New Firmware" on page 413
– "Uploading New Firmware" on page 416
– "Using the Boot/OS Loader" on page 418
• "Upgrading NetScreen Devices in an NSRP Configuration" on page 420
– "Upgrading Devices in an NSRP Active/Passive Configuration" on page 420
– "Upgrading Devices in an NSRP Active/Active Configuration" on page 425
• "Authenticating Firmware and DI Files" on page 431
– "Obtaining the Authentication Certificate" on page 431
– "Loading the Authentication Certificate" on page 432
– "Authenticating ScreenOS Firmware" on page 433
– "Authenticating a DI Attack Object Database File" on page 434
Note: If you have a version that was released prior to 5.0.0 (for example 4.0.X), then you need to upgrade to 5.0.0 before you can upgrade your NetScreen with the 5.1.0 ScreenOS firmware.
Important: Before you begin the process of upgrading a NetScreen device, save the existing configuration file and also make sure that you have access to a ScreenOS 5.0.0 firmware in case you need to downgrade.
Requirements to Upgrade and Downgrade Device Firmware
This section lists what is required to perform the upgrade or the downgrade of NetScreen device firmware. You can use one of three methods to upgrade a NetScreen device or to downgrade a device from ScreenOS 5.1.0 to ScreenOS 5.0.0: the WebUI, the CLI, or through the Boot Loader or ScreenOS Loader.
To use the WebUI, you must have:
• Root or read-write privileges to the NetScreen device
• Network access to the NetScreen device from your computer
• An Internet browser installed on your computer
• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved locally on your computer)
To use the CLI, you must have:
• Root or read-write privileges to the NetScreen device
• A console connection or Telnet access to the NetScreen device from your computer
• A TFTP server installed on your computer
• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved to the TFTP server directory on your computer)
To upgrade or downgrade through the boot loader, you must have:
• Root or read-write privileges to the NetScreen device
• A TFTP server installed on your computer or on your local network
• An Ethernet connection from your computer to the NetScreen device (to transfer data, namely from the TFTP server on your computer)
• A console connection from your computer to the NetScreen device (to manage the NetScreen device)
• The new ScreenOS firmware saved to the TFTP server directory on your computer
Note: You can upgrade or downgrade a NetScreen device locally or remotely, but Juniper Networks recommends that you perform the upgrade or downgrade of a NetScreen device at the device location.
To upgrade or downgrade a NetScreen device, see the step-by-step procedures in the following sections: "Uploading New Firmware" on page 416 or "Upgrading NetScreen Devices in an NSRP Configuration" on page 420.
NetScreen-Security Manager Server Connection
If the NetScreen device you want to downgrade is connected to a NetScreen-Security Manager 2004 server, then before you downgrade the device, you must first execute the following CLI commands:
unset nsm enable
unset nsm init otp
unset nsm init id
unset nsm server primary
delete nsm keys
save
Failing to execute these commands before downgrading the device results in the device not being able to connect to the NetScreen-Security Manager server the next time you upgrade it to the latest ScreenOS release.
Downloading New Firmware
Before you begin the upgrade of the NetScreen devices, you must have the most recent ScreenOS firmware. You can obtain the firmware from the Juniper Networks Web site. To access firmware downloads, you must be a registered customer with an active user ID and password. If you have not yet registered your NetScreen product, then you must do so before proceeding. You can register your product on the Juniper Networks Web site.
Note: When you downgrade to ScreenOS 5.0.0, any ScreenOS 5.1.0 keys that you loaded onto the device are lost. However, keys that you loaded onto the device prior to upgrading to ScreenOS 5.1.0 remain.
To get the latest ScreenOS firmware, enter http://www.juniper.net/support in your Web browser. Click Support > Customer Support Center, and then follow these steps:
1. Log in by entering your user ID and password, and then click LOGIN.
2. Under My Technical Assistance Center, click Download Software.
Juniper prepares a list of available downloads.
3. Click Continue.
The File Download page appears.
[Screenshot: File Download page, showing the product links.]
4. Click the product link for the firmware you want to download.
The Upgrades page appears.
5. Click the link for the ScreenOS version you want to download.
The Upgrades page appears.
6. Click the upgrade link.
The Download File dialog box appears.
7. Click Save and then navigate to the location where you want to save the firmware Zip file.
You must save the firmware onto the computer from which you want to perform the upgrade.
– If you want to upgrade the NetScreen device using the WebUI, save the firmware to any directory.
– If you want to upgrade the NetScreen devices using the CLI, then save the firmware to the root TFTP server directory on the computer. If you do not have a TFTP server installed on your computer, then you can download one from the Internet. If no TFTP server is available, then you must use the WebUI to load the new firmware onto the NetScreen device.
Uploading New Firmware
Following are the procedures to upgrade a single NetScreen device and to downgrade from ScreenOS 5.1.0 to ScreenOS 5.0.0. These procedures are independent of the operating mode of the NetScreen device.
Using the WebUI
Perform the following steps to load firmware with the WebUI:
1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see "Downloading New Firmware" on page 413.
2. Log in to the NetScreen device by opening a Web browser and then entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.
3. Save the existing configuration:
a. Go to Configuration > Update > Config File, and then click Save to File.
b. In the File Download dialog box, click Save.
c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.
4. Configuration > Update > ScreenOS/Keys > Select Firmware Update.
5. Click Browse to navigate to the location of the new ScreenOS firmware or type the path to its location in the Load File field.
6. Click Apply.
A message box appears with information on the upgrade time.
7. Click OK to continue.
The NetScreen device reboots automatically. The upgrade or downgrade is complete when the device displays the login page in the browser.
8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.
Note: If you are upgrading a NetScreen device from a firmware version that is earlier than ScreenOS 5.0.0, then you must upgrade the firmware to ScreenOS 5.0.0 before upgrading it to ScreenOS 5.1.0. Make sure that you save your existing configuration so previously entered data is not lost when upgrading.
Using the CLI
Perform the following steps to load firmware with the CLI:
1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see "Downloading New Firmware" on page 413.
2. Log in to the NetScreen device using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.
3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.
4. Run the TFTP server on your computer by double-clicking on the TFTP server application.
5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS firmware.
6. When the upgrade or downgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.
7. Wait a few minutes, and then log in to the NetScreen device again.
8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.
9. Upload the configuration file that you saved in step 3 with the save config to { flash | slot1 | tftp } command.
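The CLI procedure above, together with the two rules stated earlier (a release older than 5.0.0 must pass through 5.0.0 on its way to 5.1.0, and a device managed by NetScreen-Security Manager must drop its NSM state before a downgrade), is the kind of thing that gets scripted once a fleet is involved. The following Python is an added example, not code from the ScreenOS manual or from Juniper: it reads the version out of get system output and emits the ordered command list for a given target, inserting the stepping-stone hop and the NSM commands where the page requires them. The Software Version line format is assumed from the constructed sample below, the TFTP server address 10.1.1.100 and the cfg.txt name are placeholders, and the firmware file names produced by image_name (ns5gt.5.1.0.0 and so on) are hypothetical; use the file you actually downloaded.

```python
"""Plan a ScreenOS upgrade or downgrade path from the rules this page states.

Added example, not from the manual or Juniper. Assumptions: `get system`
prints a "Software Version: a.b.c..." line (format taken from the constructed
sample below), the TFTP address is a placeholder, and the image file names
returned by image_name() are hypothetical.
"""
import re

TARGET = (5, 1, 0)
STEPPING_STONE = (5, 0, 0)   # releases before this cannot load 5.1.0 directly

# Constructed sample of `get system` output (abridged; the real output is longer).
SAMPLE_GET_SYSTEM = """Product Name: NetScreen-5GT
Serial Number: 0000000000000000, Control Number: 00000000
Hardware Version: 1010(0), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 4.0.3r3.0, Type: Firewall+VPN
"""

# Commands the page requires before downgrading an NSM-managed device.
NSM_DISCONNECT = [
    "unset nsm enable",
    "unset nsm init otp",
    "unset nsm init id",
    "unset nsm server primary",
    "delete nsm keys",
    "save",
]

_VERSION_RE = re.compile(r"Software Version:\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(get_system_output):
    """Return (major, minor, patch) from `get system` output, ignoring the rN suffix."""
    m = _VERSION_RE.search(get_system_output)
    if m is None:
        raise ValueError("no Software Version line found")
    return tuple(int(x) for x in m.groups())


def image_name(version):
    """Hypothetical firmware file name for a version; substitute the file you downloaded."""
    return "ns5gt.%d.%d.%d.0" % version


def plan(current, target=TARGET, managed_by_nsm=False, tftp_ip="10.1.1.100"):
    """Return the ordered CLI commands (with comments) for moving `current` to `target`.

    Rules encoded from the page: save the configuration first; a release older
    than 5.0.0 goes through 5.0.0 before 5.1.0; downgrades are documented only
    to 5.0.0; an NSM-managed device must drop its NSM state before downgrading.
    """
    steps = ["save config to tftp %s cfg.txt" % tftp_ip]
    if current == target:
        return steps + ["(already at target version; nothing to load)"]
    if current > target:
        if target != STEPPING_STONE:
            raise ValueError("the page documents downgrades to 5.0.0 only")
        if managed_by_nsm:
            steps += NSM_DISCONNECT
        hops = [target]
    elif current < STEPPING_STONE and target > STEPPING_STONE:
        hops = [STEPPING_STONE, target]
    else:
        hops = [target]
    for hop in hops:
        steps.append("save soft from tftp %s %s to flash" % (tftp_ip, image_name(hop)))
        steps.append("reset   # answer y at the prompt; do not power off during the load")
        steps.append("get system   # confirm Software Version %d.%d.%d" % hop)
    return steps


if __name__ == "__main__":
    current = parse_version(SAMPLE_GET_SYSTEM)
    print("current: %d.%d.%d" % current)
    print("\n".join(plan(current)))
```

The plan is deliberately a list of strings rather than something that talks to the device: TFTP carries the image in the clear with no authentication, so a practitioner reviews the list, confirms the image against the authentication procedure the chapter describes later ("Authenticating ScreenOS Firmware"), and types the commands on a console at the device location, as the page recommends.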
Using the Boot/OS Loader
The Boot/OS Loader brings up the hardware system, performs basic and sometimes critical hardware configurations, and loads system software used to run a NetScreen device.
Perform the following steps to load firmware with the Boot/OS Loader:
1. Connect your computer to the NetScreen device:
a. Using a serial cable, connect the serial port on your computer to the console port on the NetScreen device. This connection, in combination with a terminal application, enables you to manage the NetScreen device.
b. Using an Ethernet cable, connect the network port on your computer to port 1 or to the management port on the NetScreen device13. This connection enables the transfer of data between the computer, the TFTP server, and the NetScreen device.
2. Make sure that you have the new ScreenOS firmware stored in the TFTP server directory on your computer. For information on obtaining the new firmware, see "Downloading New Firmware" on page 413.
3. Run the TFTP server on your computer by double-clicking on the TFTP server application. You can minimize its window but it must be active in the background.
4. Log in to the NetScreen device using a terminal emulator such as HyperTerminal. Log in as the root admin or an admin with read-write privileges.
5. Reboot the NetScreen device.
6. When you see "Hit any key to run loader" or "Hit any key to load new firmware" on the console display, press any key on your computer keyboard to interrupt the bootup process.
Note: If you do not interrupt the NetScreen device in time, it proceeds to load the firmware saved in flash memory.
Note: On the NetScreen-500, you cannot use this process to save ScreenOS 5.1.0 firmware to flash memory. Use the WebUI or CLI to save ScreenOS 5.1.0 firmware to flash memory.
13. Which port you connect to depends on the NetScreen device model.
7. At the Boot File Name prompt, enter the file name of the ScreenOS firmware that you want to load. If you type slot1: before the specified file name, then the loader reads the specified file from the external Compact Flash or memory card. If you do not type slot1: before the filename, then the file is instead downloaded from the TFTP server. If the NetScreen device does not support a Compact Flash card, then an error message is displayed and the console prompts you to retype the filename.
8. At the Self IP Address prompt, enter an IP address that is on the same subnet as the TFTP server.
Note: The Self IP address and TFTP IP address must be in the same subnet; otherwise, the TFTP loader rejects the Self IP address and then prompts you to re-enter it.
9. At the TFTP IP Address prompt, enter the IP address of the TFTP server.
An indication that the firmware is loading successfully is the display of a series of "rtatatatatatata..." running on the terminal emulator screen and a series of symbols running on the TFTP server window. When the firmware installation is complete, a message informs you that the installation was successful.
Saving Multiple Firmware Images with Boot Loader
After firmware is downloaded successfully, the console displays the following question:
Save to on-board flash disk? (y/[n]/m)
Answering y (yes) saves the file as the default firmware. This image runs automatically if you do not interrupt the bootup process.
Answering m (multiple) saves the file as a multiple firmware. You must select a file name at the following prompt:
Please input multiple firmware file name [BIMINITE.D]: test.d
The name in brackets is the recommended name automatically generated after you input the name in the TFTP server. If you do not enter a name, then the recommended name is used.
Note: You must enter a name that is DOS 8.3 compatible. The maximum length of the boot file name used by the Loader cannot exceed 63 characters. Only the NetScreen-5GT, NetScreen-ISG2000, and NetScreen-5000 Series support multiple firmware. You can assign a maximum of three firmware files to the on-board flash disk for the NetScreen-5GT. The NetScreen-ISG2000 and NetScreen-5000 Series do not have a limit for saving firmware files to the on-board flash disk.
Upgrading NetScreen Devices in an NSRP Configuration
For NetScreen devices in a NetScreen Redundancy Protocol (NSRP) configuration, you must upgrade each device individually. This section describes two different upgrade procedures addressing two different NSRP configurations: NSRP active/passive and NSRP active/active.
Upgrading Devices in an NSRP Active/Passive Configuration
The following illustrates a basic NSRP active/passive configuration where device A is the master and device B is the backup.
[Figure: NSRP Active/Passive. Device A (master) and Device B (backup) joined by an HA link, both in VSD Group 0.]
Before you begin, please read the requirements to perform an upgrade ("Requirements to Upgrade and Downgrade Device Firmware" on page 412). Also, make sure that you download the ScreenOS firmware to which you are upgrading each device.
Note: If you are upgrading a NetScreen device from a release that is earlier than ScreenOS 5.0.0, you must upgrade the device to ScreenOS 5.0.0 before upgrading to ScreenOS 5.1.0. The procedures in this section describe how to upgrade a NetScreen device from ScreenOS 5.0.0 to ScreenOS 5.1.0.
Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.
Upgrade Procedure

To upgrade two devices in an NSRP active/passive configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Upgrade Device B to ScreenOS 5.1.0
B. Fail Over Device A to Device B (CLI only)
C. Upgrade Device A to ScreenOS 5.1.0
D. Synchronize Device A (CLI only)
E. Fail Over Device B to Device A (CLI only)

A. Upgrade Device B to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.
3. Save the existing configuration:
   a. Go to Configuration > Update > Config File, and then click Save to File.
   b. In the File Download dialog box, click Save.
   c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.
4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.
5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.
6. Click Apply.
   A message box appears with information on the upgrade time.
7. Click OK to continue.
   The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.
8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.

CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to device B using an application such as Telnet or Secure Shell (SSH), or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.
3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.
4. Run the TFTP server on your computer by double-clicking on the TFTP server application.
5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.1.0 firmware.
6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.
7. Wait a few minutes, and then log in to the NetScreen device again.
8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.
B. Fail Over Device A to Device B (CLI only)

Manually fail over the master device to the backup device.

1. Log in to the master device.
2. Issue one of the following CLI commands. The command that you need to execute depends on whether or not the preempt14 option is enabled on the master device.
   – If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible
   – If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup
   Either command forces the master device to step down and the backup device to immediately assume mastership.

C. Upgrade Device A to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to NetScreen device A.
3. Save the existing configuration:
   a. Go to Configuration > Update > Config File, and then click Save to File.
   b. In the File Download dialog box, click Save.
   c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.
4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.
5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.
6. Click Apply.
   A message box appears with information on the upgrade time.

14. For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.
7. Click OK to continue.
   The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.
8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.

CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to NetScreen device A.
3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.
4. Run the TFTP server on your computer by double-clicking on the TFTP server application.
5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.1.0 firmware.
6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.
7. Wait a few minutes, and then log in to the NetScreen device again.
8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

D. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.1.0, manually synchronize the two devices. On device A (backup), issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B (master).

E. Fail Over Device B to Device A (CLI only)

After synchronizing the devices, manually fail over the master device to the backup device. Follow the same steps as in “B. Fail Over Device A to Device B (CLI only)” on page 423 except that you log in to device B and fail over device B instead of failing over device A.
Upgrading Devices in an NSRP Active/Active Configuration

This upgrade section applies to an NSRP configuration where you paired two NetScreen devices into two Virtual Security Devices (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices so that only one physical device is master of both VSD groups. You then upgrade the backup device first and the master device second.

The following illustrates a typical NSRP active/active configuration where device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.

Before you begin, please read the requirements to perform an upgrade (“Requirements to Upgrade and Downgrade Device Firmware” on page 412). Also, make sure that you download the ScreenOS 5.1.0 firmware.

Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.

[Figure: NSRP Active/Active. Device A (master of VSD Group 0, backup for VSD Group 1) and Device B (master of VSD Group 1, backup for VSD Group 0) are connected by an HA Link.]
Upgrade Procedure

To upgrade two devices in an NSRP active/active configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)
B. Upgrade Device B to ScreenOS 5.1.0
C. Fail Over Device A to Device B (CLI only)
D. Upgrade Device A to ScreenOS 5.1.0
E. Synchronize Device A (CLI only)
F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)

Manually fail over the master device B in VSD group 1 to the backup device A in VSD group 1.

1. Log in to device B using an application such as Telnet or Secure Shell (SSH), or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.
2. Issue one of the following CLI commands. The command you need to execute depends on whether or not the preempt15 option is enabled on the master device.
   – If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible
   – If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup
   Either command forces device B to step down and device A to immediately assume mastership of VSD 1. At this point, device A is master of both VSD 0 and 1 and device B is backup for both VSD 0 and 1.

15. For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.
B. Upgrade Device B to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to NetScreen device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.
3. Save the existing configuration:
   a. Go to Configuration > Update > Config File, and then click Save to File.
   b. In the File Download dialog box, click Save.
   c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.
4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.
5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.
6. Click Apply.
   A message box appears with information on the upgrade time.
7. Click OK to continue.
   The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.
8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.
CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to device B.
3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.
4. Run the TFTP server on your computer by double-clicking on the TFTP server application.
5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.0.0 firmware.
6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.
7. Wait a few minutes, and then log in to the NetScreen device again.
8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

C. Fail Over Device A to Device B (CLI only)

Manually fail over device A completely to device B.

1. Log in to device A.
2. Fail over master device A in VSD 0 to backup device B in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.
   – If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible
   – If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup
3. Fail over master device A in VSD 1 to backup device B in VSD 1 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.
   – If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible
   – If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup
   At this point, device B is master of both VSD 0 and 1 and device A is backup for both VSD 0 and 1.
D. Upgrade Device A to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to NetScreen device A.
3. Save the existing configuration:
   a. Go to Configuration > Update > Config File, and then click Save to File.
   b. In the File Download dialog box, click Save.
   c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.
4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.
5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.
6. Click Apply.
   A message box appears with information on the upgrade time.
7. Click OK to continue.
   The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.
8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.
CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.
2. Log in to device A.
3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.
4. Run the TFTP server on your computer by double-clicking on the TFTP server application.
5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.1.0 firmware.
6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.
7. Wait a few minutes, and then log in to the NetScreen device again.
8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

E. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.1.0, manually synchronize the two devices. On device A, issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B.

F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

As the final step, you have to reinstate the two NetScreen devices in an NSRP active/active configuration.

1. Log in to device A.
2. Fail over master device B in VSD 0 to backup device A in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.
   – If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible
   – If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup
   At this point, device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.
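The ordering rule behind both procedures is that a device is only ever upgraded (and therefore rebooted) while it is the backup in every VSD group, so that no group loses its master. The following Python model is an added example and is not part of the guide or of ScreenOS; it tracks VSD mastership for the two peers, replays the documented step sequences for the active/passive and active/active cases, and refuses an upgrade issued while the device is still master of any group. Device names "A" and "B" and the group numbers follow the text above; the check itself is a constructed invariant, not a command the device runs.

```python
from dataclasses import dataclass, field


@dataclass
class NsrpCluster:
    """Minimal model of two NSRP peers: which device is master of each VSD group.

    Every member that is not the master of a group is its backup. Firmware state
    is tracked so the model can refuse an upgrade issued at the wrong moment,
    which is the ordering rule the procedures above enforce. Constructed model,
    not ScreenOS code.
    """
    devices: tuple                   # e.g. ("A", "B")
    master: dict                     # VSD group id -> name of the current master
    upgraded: set = field(default_factory=set)
    synced: set = field(default_factory=set)

    def groups_mastered_by(self, dev: str) -> list:
        return [g for g, m in self.master.items() if m == dev]

    def fail_over(self, group: int, to_dev: str) -> None:
        """Current master of `group` steps down in favour of `to_dev`.

        Stands in for 'exec nsrp vsd-group <group> mode ineligible' (preempt
        enabled) or 'mode backup' (preempt not enabled) issued on the master.
        """
        if to_dev not in self.devices:
            raise ValueError(f"unknown device {to_dev}")
        if self.master[group] == to_dev:
            raise ValueError(f"{to_dev} is already master of VSD {group}")
        self.master[group] = to_dev

    def upgrade_allowed(self, dev: str) -> bool:
        """A device may be upgraded only while it is backup in every VSD group,
        so the reboot after 'save soft' and 'reset' never takes a master down."""
        return not self.groups_mastered_by(dev)

    def upgrade(self, dev: str) -> None:
        if not self.upgrade_allowed(dev):
            raise RuntimeError(
                f"refusing to upgrade {dev}: master of VSD {self.groups_mastered_by(dev)}")
        self.upgraded.add(dev)

    def sync_from_peer(self, dev: str) -> None:
        """'exec nsrp sync rto all from peer' on `dev`; the guide runs it once
        both peers are on the new release."""
        if self.upgraded != set(self.devices):
            raise RuntimeError("synchronize only after both devices run the new firmware")
        self.synced.add(dev)


def active_passive_upgrade() -> NsrpCluster:
    """Steps A-E of the active/passive procedure: A master of VSD 0, B backup."""
    c = NsrpCluster(devices=("A", "B"), master={0: "A"})
    c.upgrade("B")           # A. upgrade the backup first
    c.fail_over(0, "B")      # B. fail over A to B
    c.upgrade("A")           # C. A is now backup, upgrade it
    c.sync_from_peer("A")    # D. A pulls RTOs from B
    c.fail_over(0, "A")      # E. fail over B back to A
    return c


def active_active_upgrade() -> NsrpCluster:
    """Steps A-F of the active/active procedure: A master of VSD 0, B master of VSD 1."""
    c = NsrpCluster(devices=("A", "B"), master={0: "A", 1: "B"})
    c.fail_over(1, "A")      # A. B steps down in VSD 1; A is master of both
    c.upgrade("B")           # B. B is backup everywhere
    c.fail_over(0, "B")      # C. A steps down in VSD 0 ...
    c.fail_over(1, "B")      #    ... and in VSD 1; B is master of both
    c.upgrade("A")           # D. A is backup everywhere
    c.sync_from_peer("A")    # E. A pulls RTOs from B
    c.fail_over(0, "A")      # F. A takes VSD 0 back; active/active restored
    return c


if __name__ == "__main__":
    print("active/passive final state:", active_passive_upgrade().master)
    print("active/active final state:", active_active_upgrade().master)
```

Swapping two steps (for example upgrading device A before failing it over) makes `upgrade` raise, which is the situation the "backup first, master second" rule is there to prevent.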
Authenticating Firmware and DI Files

Beginning with ScreenOS 2.6.1r1, an image authentication signature has been incorporated into each ScreenOS build. If you load the authentication certificate (imagekey.cer) into a Juniper Networks NetScreen firewall/VPN device, then it can authenticate ScreenOS firmware when you attempt to save them to the device and Deep Inspection (DI) attack object database files when you attempt to download them to the device.

Authenticating an image and DI attack object database provides both security and stability. If you attempt to save a modified or corrupted ScreenOS image or database, then the device rejects it before saving it to flash memory.

Obtaining the Authentication Certificate

You can get the authentication certificate zip file from the following two sources:

• The documentation CD that ships with your NetScreen device:
   1. Insert the documentation CD in your CD drive.
      It starts automatically. (For Macintosh users and PC users who do not have auto start enabled on their systems, double-click index.htm to open the CD.)
   2. Click Explore CD-ROM Contents.
   3. Open the extra folder.
      The image_key.zip file is in this folder.
• The Customer Support area of the Juniper Networks Web site16:
   1. Open a Web browser and enter the following URL in the Address field: http://www.juniper.net/support/.
   2. In the Login to Support Center section, enter your user customer ID and password, and then click LOGIN.
   3. In the Download Software section, click ScreenOS Software.
   4. At the top of the page there is a section titled Image Authentication. Right-click Download the Authentication Certificate, select Save Target As, and save the image_key.zip file to a local directory.

16. You must be a registered customer to access the Customer Support area. If you do not already have a customer account, you can set one up online by visiting http://www.juniper.net/support/, clicking Login Assistance, and then following the online registration instructions.
Once you have obtained the certificate zip file, do the following:

1. Use a data compression utility such as WinZip to extract the following two files from image_key.zip: imagekey.cer and image_key_readme.pdf17.
2. Save imagekey.cer to either of the following locations, depending on whether you want to load it on the NetScreen device using the WebUI or CLI:
   – WebUI – a local directory
   – CLI – the root directory of a TFTP server

Loading the Authentication Certificate

Before loading the authentication certificate on the NetScreen device, you can confirm its integrity by calculating a cryptographic checksum, or message digest, and then comparing it with the following MD5 message digest:

   AC359646EDD723F541AA0E52E015E8F0

A free MD5 utility for Windows is FastSum, which is available at www.fastsum.com. On UNIX/Linux, you can use a program such as md5sum to calculate the message digest.

When the authentication certificate is loaded, the firmware is checked with the authentication certificate before it is run or saved. If the firmware fails authentication, then it is rejected and is not uploaded to the NetScreen device.

When you feel confident about the integrity of the authentication certificate, load the certificate on the NetScreen device by doing either of the following:

WebUI

1. Make an HTTP connection to the NetScreen device, and then log in.
2. Configuration > Update > ScreenOS/Keys: Enter the following, and then click Apply:
   Image Key Update (See Online Help): (select)
   Load File: Enter the location of imagekey.cer, or click Browse to navigate to the file location, select imagekey.cer, and then click Open.

17. The readme file contains essentially the same information as in this section.
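The digest comparison described under "Loading the Authentication Certificate" is easy to get wrong by hand (md5sum prints lowercase hex followed by the file name; the guide prints uppercase). The following Python script is an added example, not part of the guide or of any Juniper tool; it streams imagekey.cer through MD5 and compares the result with the digest the guide publishes, tolerating case and the extra text that md5sum or FastSum output may carry. The only value taken from the page is the expected digest; the script name and its command-line usage are assumptions.

```python
import hashlib
import sys

# MD5 digest the guide publishes for imagekey.cer (hex; case is irrelevant).
EXPECTED_IMAGEKEY_MD5 = "AC359646EDD723F541AA0E52E015E8F0"


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string, as uppercase hex (the format the guide prints)."""
    return hashlib.md5(data).hexdigest().upper()


def md5_stream(fileobj, chunk_size: int = 64 * 1024) -> str:
    """MD5 of a binary file object, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest().upper()


def digest_matches(actual_hex: str, expected_hex: str = EXPECTED_IMAGEKEY_MD5) -> bool:
    """Compare two hex digests, tolerating case, surrounding whitespace and a trailing
    file name (md5sum prints '<hex>  <filename>'). An empty string never matches."""
    tokens = actual_hex.strip().split()
    if not tokens:
        return False
    return tokens[0].upper() == expected_hex.strip().upper()


def check_certificate(path: str, expected_hex: str = EXPECTED_IMAGEKEY_MD5) -> bool:
    """True when the file at `path` has the expected digest."""
    with open(path, "rb") as f:
        return digest_matches(md5_stream(f), expected_hex)


if __name__ == "__main__":
    # Assumed usage (not a Juniper tool): python check_imagekey.py /path/to/imagekey.cer
    ok = check_certificate(sys.argv[1])
    print("imagekey.cer digest OK" if ok else "DIGEST MISMATCH: do not load this certificate")
    sys.exit(0 if ok else 1)
```

The digest guards the copy of the certificate you downloaded against corruption or substitution in transit; the signature check the device performs once the certificate is loaded is the control that protects the firmware itself.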
CLI

1. If necessary, start the TFTP server.
2. Make a console, Telnet, or SSH connection to the NetScreen device, and then log in.
3. Enter the following CLI command:
   save image-key tftp ip_addr imagekey.cer
   in which ip_addr is the address of the TFTP server.

Authenticating ScreenOS Firmware

When you download ScreenOS firmware, the NetScreen device uses the authentication certificate to check the ScreenOS signature embedded in the file. On the console, you see one of the following two results:

• The NetScreen device can successfully authenticate the firmware, so the Boot Loader/OS Loader displays the following message:
   Loaded Successfully! . . .
   Image authenticated!
• If the NetScreen device cannot authenticate the ScreenOS firmware, it is rejected, and then either prompts you to load different firmware or it automatically reboots:
   ********Invalid DSA signature
   *******Bogus Image - not authenticated.

Note: If the authentication certificate is not loaded, then the NetScreen device does not attempt to authenticate a ScreenOS firmware or DI attack object database. To remove the certificate, enter the delete crypto auth-key command.
Authenticating a DI Attack Object Database File

The next time you attempt to download an attack object database for Deep Inspection (DI), the NetScreen device uses the authentication certificate to check the signature embedded in the file. The authentication effort produces one of the following two results:

• The NetScreen device successfully authenticates the downloaded attack object database and makes the following event log entry:
   Attack database version <number> has been authenticated and saved to flash.
• The authentication check fails, and the NetScreen device makes the following event log entry:
   Attack database was rejected because the authentication check failed.
   Additionally, if you attempt to download the database manually through the WebUI and the authentication check fails, then the following pop-up message appears:
   Rejected DI attack database because the authentication check was unable to verify its integrity.

Note: If the authentication certificate is not loaded, then the NetScreen device does not attempt to authenticate a ScreenOS image or DI attack object database. To remove the certificate, enter the delete crypto auth-key command.

For information about event log messages, refer to the NetScreen Message Log Reference Guide.
Chapter 8 System Parameters Downloading and Uploading Configurations
435
DOWNLOADING AND UPLOADING CONFIGURATIONS

When making changes to the configuration, it is good practice to backup your settings. The WebUI allows you to download the configuration to any local directory as a backup precaution. With some NetScreen devices, you can use the CLI to download the configuration to a TFTP server or flash card. If you need to revert to the saved backup configuration, then you can upload it onto the NetScreen device.

The section contains the following:

• “Saving and Importing Configurations” on page 435
• “Configuration Rollback” on page 437
   – “Last-Known-Good Configuration” on page 437
   – “Automatic and Manual Configuration Rollback” on page 438
   – “Loading a New Configuration File” on page 439
• “Locking the Configuration File” on page 440
   – “Adding Comments to a Configuration File” on page 441

Saving and Importing Configurations

The ability to save and import configuration settings provides the means for mass distribution of configuration templates.

To save a configuration:

WebUI

1. Configuration > Update > Config File: Click Save to File.
   A system message prompts you to open the file or save it to your computer.
2. Click Save.
3. Browse to the location where you want to save the configuration file, and then click Save.
CLI

   save config from flash to { tftp ip_addr | slot } filename [ from interface ]

Note: On some NetScreen devices, you must specify slot1 or slot2.

To import a configuration:

WebUI

Configuration > Update > Config File: Enter the following, and then click Apply:

   Select Merge to Current Configuration if you want to combine both the new and the current configurations, or Replace Current Configuration if you want the new configuration to overwrite the current configuration.

   > New Configuration File: Enter the configuration file location or click Browse to navigate to the file location, select the file, and then click Open.

CLI

   save config from { tftp ip_addr | slot } filename to flash [ merge [ from interface ] ]

Note: On some NetScreen devices, you must specify slot1 or slot2.
Configuration Rollback

In the event that you load a configuration file that causes problems, such as the failure of the NetScreen device or remote users losing the ability to manage the device, you can perform a configuration rollback to revert to a Last-Known-Good (LKG) configuration file that was saved in flash memory.

Last-Known-Good Configuration

Before performing a configuration rollback, make sure you have a LKG configuration file saved in flash memory so that the NetScreen device can revert to it if errors occur. To check for the LKG file, open the NetScreen CLI and then type the get config rollback command. The filename for a LKG configuration is $lkg$.cfg. If you do not see this file, then it does not exist so you must create it.

To save a configuration file to flash as the LKG:

1. Ensure that the current configuration on the NetScreen device is good.
2. Save the current configuration to flash memory with the save config to last-known-good command. This command overwrites the existing LKG configuration in flash memory with the current configuration file.

Note: Not all NetScreen devices support configuration rollback. To see if your NetScreen device supports this feature, please refer to the relevant data sheet for your platform.

Note: Regularly saving the configuration on the NetScreen device as the LKG configuration file is a good way to backup your latest changes to the configuration and maintain an up-to-date copy of the configuration.
Automatic and Manual Configuration Rollback

You can enable the NetScreen device to revert automatically to the LKG configuration or you can perform the rollback manually. The automatic configuration rollback feature enables the NetScreen device to rollback to the LKG configuration if there is a problem with a newly loaded configuration.

The automatic configuration rollback feature is disabled by default. Furthermore, it is disabled after every startup, regardless of whether it was enabled or disabled before starting up the device. To enable automatic configuration rollback, use the exec config rollback enable command. To disable the feature, use the exec config rollback disable command.

To perform a manual configuration rollback, use the exec config rollback command.

After you enable the configuration rollback feature, the command prompt changes to indicate this state:

   ns-> exec config rollback enable
   ns(rollback enabled)->

When you disable the configuration rollback feature, the command prompt returns to just the device host name:

   ns(rollback enabled)-> exec config rollback disable
   ns->

To verify that the automatic configuration rollback feature is enabled, use the get config rollback command. If it is enabled, then the first line of the get config rollback output is:

   config rollback is enabled

Otherwise, the first line of the output is:

   config rollback is disabled

If an LKG configuration file exists, then the second line of the get config rollback output is:

   Last-known-good config file flash:/$lkg$.cfg exists in the flash.

Note: The WebUI does not support the configuration rollback feature.
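Because the rollback feature is switched off again at every startup, an automated change workflow should re-check the two conditions this section describes (rollback enabled for the current boot, and flash:/$lkg$.cfg present) immediately before pushing a new configuration file. The following Python parser is an added example, not part of the guide or of ScreenOS; it recognises only the exact get config rollback lines documented in this section (including the "does not exist" form of the second line) and raises on anything else, so an unexpected output is never silently treated as safe. The sample outputs are constructed, not captured from a device.

```python
# Exact lines this section documents for the 'get config rollback' output.
FIRST_LINE_ENABLED = "config rollback is enabled"
FIRST_LINE_DISABLED = "config rollback is disabled"
LKG_FILE = "flash:/$lkg$.cfg"
SECOND_LINE_EXISTS = f"Last-known-good config file {LKG_FILE} exists in the flash."
SECOND_LINE_MISSING = f"Last-known-good config file {LKG_FILE} does not exist."

# Constructed sample outputs (not captured from a device).
SAMPLE_READY = (
    "config rollback is enabled\n"
    "Last-known-good config file flash:/$lkg$.cfg exists in the flash.\n"
)
SAMPLE_NO_LKG = (
    "config rollback is disabled\n"
    "Last-known-good config file flash:/$lkg$.cfg does not exist.\n"
)


def parse_rollback_status(output: str) -> dict:
    """Parse 'get config rollback' output into {'enabled': bool, 'lkg_exists': bool}.

    Raises ValueError on anything other than the documented lines, so a device
    that prints something different is noticed instead of being assumed safe.
    """
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    if len(lines) < 2:
        raise ValueError("expected at least two lines of 'get config rollback' output")
    if lines[0] == FIRST_LINE_ENABLED:
        enabled = True
    elif lines[0] == FIRST_LINE_DISABLED:
        enabled = False
    else:
        raise ValueError(f"unexpected first line: {lines[0]!r}")
    if lines[1] == SECOND_LINE_EXISTS:
        lkg_exists = True
    elif lines[1] == SECOND_LINE_MISSING:
        lkg_exists = False
    else:
        raise ValueError(f"unexpected second line: {lines[1]!r}")
    return {"enabled": enabled, "lkg_exists": lkg_exists}


def safe_to_load_new_config(output: str) -> bool:
    """True only when both preconditions for loading a new configuration hold:
    an LKG file is in flash and automatic rollback is enabled for this boot."""
    status = parse_rollback_status(output)
    return status["enabled"] and status["lkg_exists"]


def prompt_shows_rollback_enabled(prompt: str) -> bool:
    """The CLI prompt itself carries the state: 'ns(rollback enabled)->' versus 'ns->'."""
    return "(rollback enabled)->" in prompt


if __name__ == "__main__":
    print("ready:", safe_to_load_new_config(SAMPLE_READY))      # True
    print("no LKG:", safe_to_load_new_config(SAMPLE_NO_LKG))    # False
```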
If an LKG configuration file does not exist, the second—and final—line of the output is:

   Last-known-good config file flash:/$lkg$.cfg does not exist.

When the configuration rollback feature is enabled, you can trigger the rollback operation by any of the following actions:

• Rebooting the NetScreen device (by turning the power off and then on again)
• Resetting the NetScreen device (by entering the reset command)
• Entering the exec config rollback command

Loading a New Configuration File

The following describes how to load a new configuration file, enable the configuration rollback feature, and what to do if the new configuration file causes problems.

1. Using the CLI, save the current configuration as the LKG with the save config to last-known-good command.
2. Enable automatic configuration rollback on the NetScreen device with the exec config rollback enable command. Enabling this feature simultaneously locks the LKG file to prevent other users from overwriting it, and consequently disrupting an ongoing configuration rollback.
3. Load the new configuration file using the WebUI or CLI. For more information, see “Upgrading and Downgrading Firmware” on page 411.
4. Test the new configuration file by issuing commands. A few scenarios can occur:
   – The new configuration is running correctly.
   – The new configuration is defective and as a result, you can no longer reach and manage the NetScreen device. In this case, you have to power off the device. When you power it on, the NetScreen device reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.
   – You notice problems with or errors in the new configuration file. In this case, you need to reset the NetScreen device with the reset command. When the device reboots, it reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.
   – The new configuration is defective and causes the NetScreen device to become inoperable. In this case, the NetScreen device reboots automatically. When the device reboots, it reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.

Note: NetScreen Redundancy Protocol (NSRP)—In an active/active setup, if loading a new configuration file fails, then both NetScreen devices revert to the LKG. In an active/passive setup, if loading a new configuration file fails, then only the master unit reverts to the LKG. Only after you save the configuration to file does the master unit synchronize the backup unit.

Locking the Configuration File

You can lock a configuration file in flash memory to prevent it from being overwritten by other admins or before importing a new configuration file. When you lock the configuration file, the device starts a lock timer. If the device does not receive a CLI command within a previously specified lockout period, then it automatically reboots, using the configuration that was locked in flash memory. It is good practice to lock the current configuration of the device before you start importing a configuration file. This action prevents the device from freezing for an indefinite period of time due to a failure in the import process.

When you lock the configuration file, you and any other admin connected to the device (for example, through Telnet or the WebUI) cannot save to the configuration file. You must first unlock the configuration, and then save the new configuration commands with the save command.

CLI

To lock the configuration file:

   exec config lock start

To unlock the file:

   exec config lock end

Note: You can lock/unlock a configuration file through the CLI only. This feature is not available on the WebUI.
To abort the lockout and immediately reboot the device with the configuration that was previously locked in flash:
exec config lock abort
To change the default lockout period (5 minutes):
set config lock timeout <number>
Adding Comments to a Configuration File
You can add comments to an external configuration file. The comments can be in a separate line of text or at the end of one line. The comment must begin with the number symbol ( # ) and be followed by a space. When the comment is at the end of a line, a space must also come before the number symbol. When you save the file onto a NetScreen device—either by merging the new configuration with the existing one or by completely replacing the existing configuration with the new one—the device parses the configuration for lines beginning with the number symbol and removes any comments.
The NetScreen device does not save any comments introduced with the number symbol in either RAM or flash memory. For example, if an external configuration file contains the following lines:
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24 # change IP address
# add new MIP addresses
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255
# all MIPs use the trust-vr routing domain by default
Note: If the number symbol appears within quotation marks, then the NetScreen device does not treat it as a special marker but as part of an object name and does not remove it. For example, the NetScreen device does not delete “#5 server” in the command set address trust “#5 server” 10.1.1.5/32 because it appears within quotation marks.
When you view the configuration after you load the file, you see the following (the comments are gone):
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255
Also, if you paste a block of commands that includes comments into a console or Telnet session, then the NetScreen device discards all comments immediately upon running the commands.
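The comment rules above, as an added example that is not part of the Juniper manual: a small Python parser that applies them to an external configuration file before it is merged. The sample lines are constructed from the manual's own example, and treating a double-quoted string as one token is an assumption about how the device parses object names.

```python
"""Strip '#' comments from an external ScreenOS configuration file.

Added example, not code from the Juniper manual. It implements the rules
the manual states: a comment starts with '#' followed by a space, either
at the start of a line or after a space at the end of a command line, and
a '#' inside double quotes is part of an object name, not a comment.
"""
from typing import List

COMMENT_MARKER = "#"

# Constructed sample file: the manual's example plus a quoted object name.
SAMPLE_CONFIG = """\
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24 # change IP address
# add new MIP addresses
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255
# all MIPs use the trust-vr routing domain by default
set address trust "#5 server" 10.1.1.5/32
"""


def strip_comment(line: str) -> str:
    """Return `line` with any comment removed.

    Walks the line while tracking whether the cursor is inside a
    double-quoted string (assumed tokenisation); a '#' counts as a
    comment marker only outside quotes, at the start of the line or
    after a space, and when followed by a space or the end of the line.
    """
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
            continue
        if ch == COMMENT_MARKER and not in_quotes:
            at_boundary = i == 0 or line[i - 1] == " "
            followed_by_space = i + 1 == len(line) or line[i + 1] == " "
            if at_boundary and followed_by_space:
                return line[:i].rstrip()
    return line.rstrip()


def load_config(text: str) -> List[str]:
    """Return the commands the device keeps from an external config file.

    Full-line comments disappear entirely, trailing comments are cut off,
    and the blank lines left behind are dropped.
    """
    kept = []
    for raw in text.splitlines():
        cmd = strip_comment(raw)
        if cmd:
            kept.append(cmd)
    return kept


if __name__ == "__main__":
    for cmd in load_config(SAMPLE_CONFIG):
        print(cmd)
```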
SETTING NETSCREEN-SECURITY MANAGER BULK-CLI
Setting the bulk-CLI determines how and when the device performs rollback if the NetScreen-Security Manager connection drops during an update session. When this happens, the Agent iterates through all of the configured NetScreen-Security Manager servers once to see if it can establish another connection. If not, then the Agent waits for the specified time period before it reboots the device to roll back the configuration. The range for the reboot-timeout value is 60 through 86400 seconds. The default reboot-timeout value is 60 seconds.
The Agent checks the NetScreen-Security Manager connection status under two conditions:
• All of the CLI commands are executed and need to send a successful or unsuccessful message to the NetScreen-Security Manager.
• An error occurs, therefore it needs to be reported to the NetScreen-Security Manager.
If an error is generated during the CLI execution, then the Agent sends an error-reporting message to the NetScreen-Security Manager, and then waits for error instructions. There are three scenarios for error instructions:
• If the Agent is instructed to stop, then it stops executing the remaining CLI commands and reboots.
• If the Agent is instructed to continue, then it continues the execution for the remaining CLI commands.
• If there is no Agent instruction within the specified reboot-timeout value, then the Agent checks if the bulk-cli reboot-timeout is enabled or disabled.
– If enabled, then a reboot occurs immediately.
– If disabled, then the Agent does not reboot the device. The device continues to execute the remaining CLI commands.
To set the reboot-timeout value, use the following command:
set nsmgmt bulkcli reboot_timeout number
in which the unit value for number is in seconds.
To disable the reboot-timeout, use the following command:
set nsmgmt bulkcli reboot_timeout disable
LICENSE KEYS
The license key feature allows you to expand the capabilities of your NetScreen device without having to upgrade to a different device or system image. You can purchase a key that unlocks specified features already loaded in the firmware, such as the following:
• User capacity
• Virtual systems, zones, and virtual routers
• HA
Each NetScreen device ships with a standard set of features enabled and might support the activation of optional features or the increased capacity of existing features. For information regarding which features are currently available for upgrading, refer to the latest marketing literature from Juniper Networks.
The procedure for obtaining and applying a license key is as follows:
1. Contact the value-added reseller (VAR) who sold you the NetScreen device or contact Juniper Networks directly.
2. Provide the serial number of your device and state the feature option you want.
The license key is generated and then sent to you via e-mail.
3. Enter the key through either the WebUI or CLI. (See the following example.)
Example: Expanding User Capacity
A small company using a single NetScreen device with a license for 10 users has grown to the point where it now needs an unrestricted user license. The NetScreen administrator expands the capabilities of the device by obtaining a firmware key for an unrestricted number of users. The license key number is 6a48e726ca050192 and is in a text file named “A2010002.txt” located at C:\netscreen\keys.
WebUI
Configuration > Update > ScreenOS/Keys: Do the following, and then click Apply:
License Key Update: (select)
Load File: C:\netscreen\keys\A2010002.txt
Or
Click Browse and navigate to C:\netscreen\keys, select A2010002.txt, and then click Open.
CLI
exec license-key capacity 6a48e726ca050192
reset
REGISTRATION AND ACTIVATION OF SUBSCRIPTION SERVICES
Before your Juniper Networks NetScreen device can receive regular subscription service for antivirus (AV) patterns, Deep Inspection (DI) signatures, or URL Filtering, you must purchase a subscription to the service, register for the service, and then retrieve the subscription key. Retrieving the subscription activates your services on the device. How the service activation process works depends upon the way you purchased the services and what the services are.
Temporary Service
To allow you time to register for AV or DI services, the NetScreen device provides a temporary grace period. During this period, the device can obtain services on a temporary basis.
• No NetScreen device comes with DI already enabled. To obtain temporary DI service, you must start a WebUI session and click the Retrieve Subscriptions Now button in the Configuration > Update > ScreenOS/Keys page. This provides a one-time, one-day DI key.
• If your device has AV service bundled at time of purchase, then the device has pre-installed temporary service. This temporary service lasts up to 60 days.
• No NetScreen device comes with URL Filtering already enabled. This feature does not have a temporary service.
Warning! To avoid service interruption, you must perform registration as soon as possible after purchasing your subscription. Registration ensures continuation of the subscription.
AV, URL Filtering, and DI Bundled with a New Device
If you purchased a new NetScreen device that already has the AV, URL Filtering, and DI services, then perform the following steps to activate the services.
1. Configure the device for internet connectivity. (For instructions, refer to the Getting Started Guide and the User’s Guide for your NetScreen device.)
2. Register the device at the following site:
www.juniper.net/support
Devices with bundled AV services come with a temporary, pre-installed subscription, so you can go ahead and use the service immediately. However, you must register the device to receive your full paid subscription.
3. Retrieve the subscription key on the device. You can do this in either of two ways:
– In the WebUI, click the Retrieve Subscriptions Now button from the Configuration > Update > ScreenOS/Keys page.
– Using the CLI, run the following command:
exec license-key update
4. You must reset the device after the key has been loaded.
You can now configure the device to automatically or manually retrieve the signature services. For instructions on configuring your NetScreen device for these services, refer to “Antivirus Scanning” on page 4-81, “URL Filtering” on page 4-106, and “Deep Inspection” on page 4-131.
AV, URL Filtering, and DI Upgrade to an Existing Device
If you purchase AV, URL Filtering, and DI services to add to your existing NetScreen device, perform the following steps to activate the services.
1. After ordering the services, you should receive a support certificate, via e-mail, from Juniper Networks or your authorized NetScreen device reseller. This certificate is a readable document that contains information you need to register your device.
2. Make sure the device is registered. If it is not currently registered, go to the following site:
www.juniper.net/support
3. Register the support certificate to the device.
4. If you are subscribing and registering for the DI service or URL Filtering only, then go on to Step 5.
If you are subscribing and registering for the AV service, then you must wait up to four hours for the system to process the registration before proceeding with Step 5.
5. Confirm that your device has internet connectivity.
6. Retrieve the subscription key on the device. You can do this in either of two ways:
– In the WebUI, click the Retrieve Subscriptions Now button from the Configuration > Update > ScreenOS/Keys page.
– Using the CLI, run the following command:
exec license-key update
7. You must reset the device after the key has been loaded.
You can now configure the device to automatically or manually retrieve the signature services. For instructions on configuring your NetScreen device for these services, refer to “Antivirus Scanning” on page 4-81, “URL Filtering” on page 4-106, and “Deep Inspection” on page 4-131.
DI Upgrade Only
If you purchased DI services only, and you purchased your NetScreen device separately from the DI service, then perform the following steps to activate the service.
1. After ordering the service, you should receive a support certificate, via e-mail, from Juniper Networks or your authorized NetScreen device reseller. This certificate is a readable document that contains information you need to register your device.
2. Make sure the device is registered. If it is not currently registered, go to the following site:
www.juniper.net/support
3. Register the support certificate to the device.
4. Confirm that your device has internet connectivity.
5. Retrieve the subscription key on the device. You can do this in either of two ways:
– In the WebUI, click the Retrieve Subscriptions Now button from the Configuration > Update > ScreenOS/Keys page.
– Using the CLI, run the following command:
exec license-key update
6. You must reset the device after the key has been loaded.
You can now configure the device to automatically or manually retrieve the DI signature service. For instructions on configuring your NetScreen device for this service, refer to “Deep Inspection” on page 4-131.
SYSTEM CLOCK
It is important that your NetScreen device always be set to the right time. Among other things, the time on your NetScreen device affects the setup of VPN tunnels and the timing of schedules. There are many ways that you can ensure that the NetScreen device always maintains the accurate time. First, you must set the system clock to the current time. Next, you can enable the daylight saving time option and you can configure up to three NTP servers (one primary and two backups) from which the NetScreen device can regularly update its system clock.
Date and Time
To set the clock to the current time and date, you can use the WebUI or the CLI. Through the WebUI, you do this by synchronizing the system clock with the clock on your computer:
1. Configuration > Date/Time: Click the Sync Clock with Client button.
A pop-up message prompts you to specify if you have enabled the daylight saving time option on your computer clock.
2. Click Yes to synchronize the system clock and adjust it according to daylight saving time or No to synchronize the system clock without adjusting it for daylight saving time.
Through the CLI, you set the clock by manually entering the date and time using this command:
set clock mm/dd/yyyy hh:mm:ss
Time Zone
You set the time zone by specifying the number of hours by which the local time for the NetScreen device is behind or ahead of GMT (Greenwich Mean Time). For example, if the local time zone for the NetScreen device is Pacific Standard Time, it is 8 hours behind GMT. Therefore, you have to set the clock to -8.
If you set the time zone using the WebUI:
Configuration > Date/Time > Set Time Zone __ hours __ minutes from GMT
If you set the time zone using the CLI:
ns-> set clock timezone number (a number from -12 to 12)
or
ns-> set ntp timezone number (a number from -12 to 12)
NTP
To ensure that the NetScreen device always maintains the right time, it can use NTP (Network Time Protocol) to synchronize its system clock with that of an NTP server over the Internet. You can do this manually or configure the NetScreen device to perform this synchronization automatically at time intervals that you specify.
Multiple NTP Servers
You can configure up to three NTP servers on a NetScreen device: one primary server and two backup servers. When you configure the NetScreen device to synchronize its system clock automatically, it queries each configured NTP server sequentially. The device always queries the primary NTP server first. If the query is not successful, the device then queries the first backup NTP server and so on until it gets a valid reply from one of the NTP servers configured on the NetScreen device. The device makes four attempts on each NTP server before it terminates the update and logs the failure.
When you manually synchronize the system clock, and you can only do this using the CLI, you can specify a particular NTP server or none at all. If you specify an NTP server, the NetScreen device queries that server only. If you do not specify an NTP server, the NetScreen device queries each NTP server configured on the NetScreen device sequentially. You can specify an NTP server using its IP address or its domain name.
Maximum Time Adjustment
For automatic synchronization, you can specify a maximum time adjustment value (in seconds). The maximum time adjustment value represents the acceptable time difference between the NetScreen device system clock and the time received from an NTP server. The NetScreen device only adjusts its clock with the NTP server time if the time difference between its clock and the NTP server time is within the maximum time adjustment value that you set. For example, if the maximum time adjustment value is 3 seconds, and the time on the device system clock is 4:00:00 and the NTP server sends 4:00:02 as the time, the difference in time between the two is acceptable and the NetScreen device can update its clock. If the time adjustment is greater than the value you set, the NetScreen device does not synchronize its clock and proceeds to try the first backup NTP server configured on the NetScreen device. If the NetScreen device does not receive a valid reply after trying all the configured NTP servers, it generates an error message in the event log. The default value for this feature is 3 seconds and the range is 0 (no limit) to 3600 (one hour).
When you manually synchronize the system clock, and you can only do this using the CLI, the NetScreen device does not verify the maximum time adjustment value. Instead, if it receives a valid reply, the NetScreen device displays a message informing you of which NTP server it reached, what the time adjustment is, and the type of authentication method used. The message also asks you to confirm or cancel the system clock update.
If the NetScreen device does not receive a reply, it displays a timeout message. This message appears only after the device unsuccessfully attempted to reach all NTP servers configured on the NetScreen device.
NTP and NSRP
The NetScreen Redundancy Protocol (NSRP) contains a mechanism for synchronizing the system clock of NSRP cluster members. Although the resolution for synchronization is in seconds, NTP has sub-second resolution. Because the time on each cluster member might differ by a few seconds due to processing delays, Juniper Networks recommends that you disable NSRP time synchronization when NTP is enabled on both cluster members and they can each update their system clock from an NTP server. To disable the NSRP time synchronization function, enter the following command:
set ntp no-ha-sync
Note: When issuing requests using the CLI, you can cancel the current request by pressing Ctrl-C on the keyboard.
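The server-fallback and maximum-adjustment rules described above, as an added example rather than ScreenOS code: a Python model of one automatic update cycle. The server addresses match the manual's three-server example; the server responses, attempt handling and event-log wording are constructed.

```python
"""Model one automatic NTP update cycle of a NetScreen device.

Added example, not ScreenOS code. Rules taken from the manual: query the
primary server first, then backup1, then backup2; make four attempts per
server; accept a reply only when it differs from the device clock by at
most max-adjustment seconds (0 means no limit); otherwise move on to the
next server, and if every server fails log an error and leave the clock.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ATTEMPTS_PER_SERVER = 4  # the manual states four attempts per NTP server

# A responder receives the attempt number (1..4) and returns the server's
# time in seconds, or None when that query times out (constructed stand-in).
Responder = Callable[[int], Optional[int]]


@dataclass
class NtpServer:
    name: str            # IP address or domain name, as configured
    responder: Responder


@dataclass
class NetScreenClock:
    now: int                                  # device clock, seconds
    max_adjustment: int = 3                   # manual's default is 3 s
    servers: List[NtpServer] = field(default_factory=list)
    event_log: List[str] = field(default_factory=list)

    def _query(self, server: NtpServer) -> Optional[int]:
        """Query one server up to four times; return the first reply."""
        for attempt in range(1, ATTEMPTS_PER_SERVER + 1):
            reply = server.responder(attempt)
            if reply is not None:
                return reply
        return None

    def auto_update(self) -> Optional[str]:
        """Run one cycle; return the server whose time was accepted, or None."""
        for server in self.servers:   # primary, backup1, backup2 order
            reply = self._query(server)
            if reply is None:
                self.event_log.append(f"ntp: no reply from {server.name}")
                continue
            diff = abs(reply - self.now)
            if self.max_adjustment == 0 or diff <= self.max_adjustment:
                self.now = reply
                self.event_log.append(f"ntp: clock updated from {server.name}")
                return server.name
            # Outside the window: do not touch the clock, try the next server.
            self.event_log.append(
                f"ntp: {server.name} time differs by {diff}s, "
                f"exceeds max-adjustment {self.max_adjustment}s")
        self.event_log.append("ntp: update failed, all configured servers tried")
        return None


def demo_cycle() -> NetScreenClock:
    """Constructed scenario using the manual's example server addresses.

    Device clock reads 4:00:00; the primary never answers, backup1 is
    10 s off and is rejected, backup2 answers on its third attempt with
    a time 2 s off, which a max-adjustment of 2 accepts.
    """
    clock = NetScreenClock(now=4 * 3600, max_adjustment=2, servers=[
        NtpServer("1.1.1.1", lambda attempt: None),
        NtpServer("1.1.1.2", lambda attempt: 4 * 3600 + 10),
        NtpServer("1.1.1.3",
                  lambda attempt: 4 * 3600 + 2 if attempt >= 3 else None),
    ])
    clock.auto_update()
    return clock


if __name__ == "__main__":
    for entry in demo_cycle().event_log:
        print(entry)
```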
Example: Configuring NTP Servers and a Maximum Time Adjustment Value
In the following example you configure the NetScreen device to update its clock at five-minute intervals from NTP servers at IP addresses 1.1.1.1, 1.1.1.2, and 1.1.1.3. You also set a maximum time adjustment value of 2 seconds.
WebUI
Configuration > Date/Time: Enter the following, and then click Apply:
Automatically synchronize with an Internet Time Server (NTP): (select)
Update system clock every minutes: 5
Maximum time adjustment seconds: 2
Primary Server IP/Name: 1.1.1.1
Backup Server1 IP/Name: 1.1.1.2
Backup Server2 IP/Name: 1.1.1.3
CLI
set clock ntp
set ntp server 1.1.1.1
set ntp server backup1 1.1.1.2
set ntp server backup2 1.1.1.3
set ntp interval 5
set ntp max-adjustment 2
save
Secure NTP Servers
You can secure NTP traffic by using an MD5-based checksum to provide authentication of NTP packets. You do not need to create an IPSec tunnel. This type of authentication ensures the integrity of NTP traffic. It does not prevent outside parties from viewing the data, but prevents anyone from tampering with it.
To enable the authentication of NTP traffic, you must assign a unique key id and preshared key to each NTP server you configure on a NetScreen device. The key id and preshared key serve to create a checksum, with which the NetScreen device and the NTP server can authenticate the data.
Authentication Types
There are two types of authentication for NTP traffic: required and preferred.
When you select Required authentication, the NetScreen device must include the authentication information—key id and checksum—in every packet it sends to an NTP server and must authenticate all NTP packets it receives from an NTP server. Before authentication can occur between a NetScreen device and an NTP server, the administrators of the NetScreen device and the NTP server must first exchange a key id and a preshared key. They have to exchange these manually and can do so in different ways such as via e-mail or telephone.
When you select Preferred authentication, the NetScreen device must first operate as in Required mode by trying to authenticate all NTP traffic. If all attempts to authenticate fail, the NetScreen device then operates as if you selected no authentication. It sends out packets to an NTP server without including a key id and checksum. Essentially, although there is a preference for authentication, if authentication fails, the NetScreen device still permits NTP traffic.
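The Required and Preferred policies above, as an added example rather than ScreenOS code: Python that computes the NTP symmetric-key MAC (4-byte key id followed by MD5 over the preshared key and the 48-byte packet header, the RFC 5905 construction) and applies each policy to a received packet. The key table, packet header and the "authentication exhausted" flag that models Preferred mode's fallback are constructed.

```python
"""NTP symmetric-key (MD5) authentication, Required versus Preferred.

Added example, not ScreenOS code. The MAC layout follows RFC 5905:
key id (4 bytes) + MD5(preshared key || 48-byte header). The policy
logic follows the manual: Required rejects any packet whose MAC is
missing or wrong; Preferred does the same until every authentication
attempt has failed, after which it behaves as if no authentication
were configured.
"""
import hashlib
import secrets
from typing import Dict, Optional

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16  # key id + MD5 digest

# Constructed key table: key id -> preshared key agreed out of band.
KEY_TABLE: Dict[int, bytes] = {1: b"constructed-preshared-key-1"}

# Constructed header: LI 0, version 4, client mode; remaining fields zero.
SAMPLE_HEADER = bytes([0x23]) + bytes(NTP_HEADER_LEN - 1)


def ntp_mac(key_id: int, key: bytes, header: bytes) -> bytes:
    """Return the 20-byte MAC appended to an authenticated packet."""
    return key_id.to_bytes(4, "big") + hashlib.md5(key + header).digest()


def build_packet(header: bytes, key_id: Optional[int] = None) -> bytes:
    """Build a packet; a key id selects the key and appends a MAC."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("NTP header must be 48 bytes")
    if key_id is None:
        return header            # unauthenticated, as in Preferred fallback
    return header + ntp_mac(key_id, KEY_TABLE[key_id], header)


def verify_packet(packet: bytes, keys: Dict[int, bytes]) -> Optional[bool]:
    """Check a received packet's MAC.

    True: MAC valid. False: MAC present but wrong, malformed, or under an
    unknown key id. None: no MAC present at all.
    """
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:
        return None
    if len(trailer) != MAC_LEN:
        return False
    key = keys.get(int.from_bytes(trailer[:4], "big"))
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return secrets.compare_digest(expected, trailer[4:])  # constant-time


def accept_packet(packet: bytes, mode: str, keys: Dict[int, bytes],
                  auth_exhausted: bool = False) -> bool:
    """Apply the Required or Preferred policy to one received packet.

    `auth_exhausted` is the constructed Preferred-mode state reached after
    all authenticated attempts failed; only then are unauthenticated
    replies accepted.
    """
    if verify_packet(packet, keys) is True:
        return True
    if mode == "required":
        return False
    if mode == "preferred":
        return auth_exhausted
    raise ValueError(f"unknown mode {mode!r}")


if __name__ == "__main__":
    pkt = build_packet(SAMPLE_HEADER, key_id=1)
    print("authenticated packet length:", len(pkt))
    print("required accepts:", accept_packet(pkt, "required", KEY_TABLE))
```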