High Availability QuickStart Guide IDP 100 Version 2.0 Part Number 093-0716-000 Rev. C


Page 1: High Availability QuickStart Guide


Page 2: High Availability QuickStart Guide

Copyright Notice

Copyright © 1998-2002 NetScreen Technologies, Inc. All rights reserved. NetScreen, NetScreen Technologies, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. and NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen 5200, NetScreen 5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-Remote, GigaScreen, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.

NetScreen Technologies, Inc., 350 Oakmead Parkway, Sunnyvale, CA 94085 U.S.A., www.netscreen.com

General Information: Toll Free 877-NETSCREEN, [email protected]

Support: Toll Free 877-NETSCREEN, [email protected]

Page 3: High Availability QuickStart Guide

HA QuickStart Guide 2.0, IDP 100 3

Contents

Getting Acquainted with IDP (page 4)

Step 1: Determining A High Availability Solution (page 6)

Step 2: Installing the IDP Management Server (page 12)

Step 3: Connecting to the IDP Appliance (page 14)

Step 4: Configuring the IDP Sensor (page 17)

Step 5: Connecting IDP to Your Network (page 19)

Step 6: Configuring Your Network Switch (page 20)

Step 7: Installing the User Interface (page 21)

Step 8: Adding Network Components (page 23)

Step 9: Verifying the Installation (page 24)

Step 10: Creating the HA Cluster (page 25)

IDP QuickSheet (page 28)

Page 4: High Availability QuickStart Guide

4 NetScreen Technologies, Inc.

Getting Acquainted with IDP

IDP Package Contents

Each NetScreen Sensor package contains:

• IDP appliance
• A bezel
• An accessory box containing:
  • 1 North American power cable
  • 2 Ethernet cables (blue cables)
  • 2 Crossover Ethernet cables (orange cables)
  • 1 Null modem Serial cable (beige cable)
• A documentation box containing:
  • Hardware Information Guide
  • Product data sheet
  • IDP Implementation Guide 2.0
  • IDP Release Notes 2.0

IDP Management Package Contents

Included in each NetScreen Management package you should find the following:

• NetScreen IDP Installation CD
• IDP QuickStart Guide 2.0, IDP 100
• IDP High Availability QuickStart 2.0, IDP 100
• IDP Release Notes 2.0

Overview

This booklet describes how to install version 2.0 of the IDP Intrusion Detection and Prevention system for high availability (HA) configurations that use IDP 100 appliances.

For non-HA configurations, please see the IDP 100 QuickStart Guide 2.0. For IDP upgrades, please contact customer support.

Page 5: High Availability QuickStart Guide


Installing One Sensor at a Time

Because all networks are different, NetScreen recommends that you install one IDP Sensor at a time. When you have successfully installed a Sensor and are receiving log records, you can configure and connect additional Sensors to your network.

The Installation Process

The installation process consists of ten steps:

Step 1: Determining where to place your IDP appliance in your network
In this step, you choose a deployment mode for the IDP system.

Step 2: Installing the IDP Management Server software
In this step, you install the Management Server on a separate computer.

Step 3: Connecting to the IDP appliance
In this step, you connect your system to the IDP appliance using a serial or network connection.

Step 4: Configuring the IDP Sensor software
In this step, you configure the Sensor software that is pre-installed on the IDP appliance.

Step 5: Connecting the IDP appliance to your network
In this step, you connect the IDP appliance to your network.

Step 6: Configuring your Network Switch (Standalone HA Only)
In this step, you configure your network switch to pass multicast or unicast MAC traffic to the IDP appliance.

Step 7: Installing the NetScreen User Interface (UI)
In this step, you install the UI.

Step 8: Adding the IDP Sensor as a Network Object
In this step, you add the IDP Sensor as a Network Object in the IDP system.

Step 9: Verifying the Installation
In this step, you install a Security Policy on the IDP Sensor.

Step 10: Creating the HA Cluster
In this step, you configure additional Sensors and add them to your network to create an HA Cluster.

The NetScreen IDP Installation CD contains the software required to install the IDP Management Server, the IDP Sensor, and the User Interface.

Page 6: High Availability QuickStart Guide


Step 1: Determining A High Availability Solution

The first step in setting up the IDP system on your network is to determine where you want to install the IDP appliance and which high availability deployment solution you want to use for failure protection or load balancing.

IDP Appliance Placement

The IDP appliances in your HA cluster can be placed:

• In front of your firewall
• Behind your firewall (recommended)
• Anywhere on your network

You should choose a location for your IDP appliances based on your existing network hardware and the network/s you want to protect. The examples provided in this guide place the IDP appliance/s behind the firewall.

Choosing a High Availability Deployment Mode

To use a high availability solution, you must deploy the IDP appliances in bridge, router, or proxy-ARP mode. The network diagrams on pages 8-11 illustrate example configurations for each deployment mode. Review the examples to determine which deployment mode to use for your network.

NOTE: The IDP system defaults to sniffer mode. You must configure the IDP appliance to use bridge, router, or proxy-ARP mode to enable high availability.

Choosing a High Availability Solution

Each deployment mode supports one or more HA solutions.

• Standalone high availability. This HA solution can support 2 to 16 IDP appliances in a load-sharing or hot standby configuration. No additional hardware is required. You can configure standalone HA solutions using the Appliance Configuration Manager in Step 4. Supported modes: proxy-ARP and router.

• Third-party high availability. This HA solution can support 2 to 16 IDP appliances in a load-balancing or hot standby configuration but requires the use of third-party devices. You can configure third-party HA solutions using the Appliance Configuration Manager in Step 4. Supported modes: bridge (requires Nokia FireWall-1 appliances) and router (requires Alteon AceDirectors).

Page 7: High Availability QuickStart Guide


• Spanning Tree Protocol (STP). This HA solution uses STP to provide failover protection. STP uses the spanning tree algorithm to determine all paths available to a switch and to route traffic through the best path. You must configure STP manually using the IDP command line utilities. Supported modes: bridge.

Multicast or Unicast Forwarding [Standalone HA only]

The Standalone HA solution can use two different forwarding options to send and receive traffic: unicast or multicast. You choose one of these forwarding options based on your existing network hardware and configuration.

If you are using a standalone HA solution, review your existing network hardware and use the table below to determine which forwarding method to use for the HA cluster. You are prompted to specify the forwarding method for the standalone HA solution during the Sensor configuration process described in “Configuring the IDP Sensor” on page 17.

NOTE: You can use the mcasttest utility (available from the NetScreen customer Support Web site) to automatically determine which devices on your network do not support multicast ARP traffic. From the Sensor command line, type mcasttest -h for a list of options, or see the mcasttest man page for more details.

When you have chosen a deployment mode, HA solution, and forwarding method (if necessary) proceed to “Installing the IDP Management Server” on page 12.

TABLE 1. Supported Forwarding Methods

                                      IN ROUTER MODE                            IN PROXY-ARP MODE
IF YOUR NETWORK SWITCH                If your Layer 3 devices (routers,         If your Layer 3 devices (routers,
SUPPORTS...                           servers, etc.)...                         servers, etc.)...
                                      ...can learn      ...cannot learn         ...can learn      ...cannot learn
                                      multicast ARP     multicast ARP           multicast ARP     multicast ARP

Unicast traffic to multiple ports     YES               YES (Best)              YES               YES (Best)

Multicast traffic to multiple ports   YES               Not Recommended (a)     YES               Not Recommended (a)

a. To use a network switch that supports only multicast (and not unicast) with network devices that cannot pass multicast ARPs, you must manually configure static ARP entries for devices that cannot pass multicast ARPs.

Page 8: High Availability QuickStart Guide


Example 1: Proxy-ARP mode (Standalone w/Multicast)

TABLE 2. Standalone Proxy-ARP Advantages/Disadvantages

Advantages:
• Supports standalone HA solutions
• Reliably responds to and prevents attacks
• Simple, transparent deployment

Disadvantages:
• Network nodes may need to update cached ARP entries

Figure: Example 1 topology (proxy-ARP mode, standalone HA with multicast). Path: Internet, Router, Firewall 10.0.113.254, External Network 10.0.113.0/24, IDP cluster, Protected Network 10.0.113.0/24, servers.

• Node 1 (idpHA1): eth0 10.0.113.1, eth2 10.0.113.17
• Node 2 (idpHA2): eth0 10.0.113.2, eth2 10.0.113.18
• Node 3 (idpHA3): eth0 10.0.113.3, eth2 10.0.113.19
• State-sync eth1 interfaces: 192.168.0.1, 192.168.0.2, 192.168.0.3 on the State Sync network 192.168.0.0/24
• External-side cluster (eth0 interfaces): Cluster IP 10.0.113.4, Cluster MAC 01:00:00:00:01:00
• Protected-side cluster (eth2 interfaces): Cluster IP 10.0.113.20, Cluster MAC 01:00:00:00:01:01
• Server1 10.0.113.21, Server2 10.0.113.22, Server3 10.0.113.23, Server4 10.0.113.24, each with GW 10.0.113.254

Page 9: High Availability QuickStart Guide


Example 2: Router mode (Standalone w/Multicast)

TABLE 3. Standalone Router Advantages/Disadvantages

Advantages:
• Supports standalone HA solutions
• Reliably responds to and prevents attacks
• Connects IP networks with different address spaces

Disadvantages:
• Requires re-subnetting one or more networks

Figure: Example 2 topology (router mode, standalone HA with multicast). Path: Internet, Router, Firewall 10.0.113.14, External Network 10.0.113.0/28, IDP cluster, Protected Network 10.0.113.16/28, servers.

• Node 1 (idpHA1): eth0 10.0.113.1, eth2 10.0.113.17
• Node 2 (idpHA2): eth0 10.0.113.2, eth2 10.0.113.18
• Node 3 (idpHA3): eth0 10.0.113.3, eth2 10.0.113.19
• State-sync eth1 interfaces: 192.168.0.1, 192.168.0.2, 192.168.0.3 on the State Sync network 192.168.0.0/24
• External-side cluster (eth0 interfaces): Cluster IP 10.0.113.4, Cluster MAC 01:00:00:00:01:00
• Protected-side cluster (eth2 interfaces): Cluster IP 10.0.113.20, Cluster MAC 01:00:00:00:01:01
• Server1 10.0.113.21, Server2 10.0.113.22, Server3 10.0.113.23, Server4 10.0.113.24, each with GW 10.0.113.20 (the protected-side Cluster IP)
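The addressing plans of Examples 1 and 2, checked programmatically. This Python script is an added example, not part of the guide or of the IDP software: it encodes the diagram addresses and verifies the properties each mode depends on (interfaces, cluster IPs and servers sit on the networks shown; the server gateway is the firewall in proxy-ARP mode and the protected-side Cluster IP in router mode; router mode uses disjoint subnets; each Cluster MAC is a multicast address, as standalone HA with multicast forwarding requires). The dictionary layout and function names are the example's own.

```python
import ipaddress

# Constructed from the Example 1 diagram (proxy-ARP mode): both sides of the cluster share
# 10.0.113.0/24 and the servers keep the firewall as their gateway.
PROXY_ARP_PLAN = {
    "mode": "proxy-arp",
    "external_net": "10.0.113.0/24",
    "protected_net": "10.0.113.0/24",
    "state_sync_net": "192.168.0.0/24",
    "firewall": "10.0.113.254",
    # per node: (eth0 on the external side, eth2 on the protected side)
    "nodes": {
        "idpHA1": ("10.0.113.1", "10.0.113.17"),
        "idpHA2": ("10.0.113.2", "10.0.113.18"),
        "idpHA3": ("10.0.113.3", "10.0.113.19"),
    },
    "state_sync": ["192.168.0.1", "192.168.0.2", "192.168.0.3"],
    # (Cluster IP, Cluster MAC) facing each side
    "cluster_external": ("10.0.113.4", "01:00:00:00:01:00"),
    "cluster_protected": ("10.0.113.20", "01:00:00:00:01:01"),
    "servers": ["10.0.113.21", "10.0.113.22", "10.0.113.23", "10.0.113.24"],
    "server_gateway": "10.0.113.254",
}

# Example 2 (router mode) keeps the node addresses but re-subnets into two /28s;
# the servers now route through the protected-side Cluster IP.
ROUTER_PLAN = dict(PROXY_ARP_PLAN, mode="router", external_net="10.0.113.0/28",
                   protected_net="10.0.113.16/28", firewall="10.0.113.14",
                   server_gateway="10.0.113.20")


def is_multicast_mac(mac):
    """A MAC is a multicast (group) address when the low bit of its first octet is set."""
    return int(mac.split(":")[0], 16) & 1 == 1


def check_plan(plan):
    """Return a list of inconsistencies in an HA addressing plan (empty list = consistent)."""
    problems = []
    ext = ipaddress.ip_network(plan["external_net"])
    prot = ipaddress.ip_network(plan["protected_net"])
    sync = ipaddress.ip_network(plan["state_sync_net"])

    def expect_on(net, addr, what):
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{what} {addr} is not on {net}")

    for name, (eth0, eth2) in plan["nodes"].items():
        expect_on(ext, eth0, f"{name} eth0")
        expect_on(prot, eth2, f"{name} eth2")
    for addr in plan["state_sync"]:
        expect_on(sync, addr, "state-sync eth1")
    expect_on(ext, plan["firewall"], "firewall")

    cl_ext_ip, cl_ext_mac = plan["cluster_external"]
    cl_prot_ip, cl_prot_mac = plan["cluster_protected"]
    expect_on(ext, cl_ext_ip, "external Cluster IP")
    expect_on(prot, cl_prot_ip, "protected Cluster IP")
    # Standalone HA with multicast forwarding maps each Cluster IP to a multicast MAC so
    # that every node receives a copy of every frame; a unicast MAC here would defeat that.
    for mac in (cl_ext_mac, cl_prot_mac):
        if not is_multicast_mac(mac):
            problems.append(f"cluster MAC {mac} is not a multicast address")
    if cl_ext_mac == cl_prot_mac:
        problems.append("external and protected Cluster MACs must differ")

    for srv in plan["servers"]:
        expect_on(prot, srv, "server")
    expect_on(prot, plan["server_gateway"], "server gateway")

    if plan["mode"] == "router":
        # Router mode connects two address spaces: the subnets must be disjoint and the
        # servers must route through the cluster rather than straight to the firewall.
        if ext.overlaps(prot):
            problems.append("router mode requires disjoint external and protected networks")
        if plan["server_gateway"] != cl_prot_ip:
            problems.append("router mode: server gateway should be the protected Cluster IP")
    elif plan["mode"] == "proxy-arp":
        # Proxy-ARP is transparent: one shared subnet, servers keep the firewall as gateway.
        if ext != prot:
            problems.append("proxy-ARP mode expects one shared subnet on both sides")
        if plan["server_gateway"] != plan["firewall"]:
            problems.append("proxy-ARP mode: server gateway should remain the firewall")

    # Every host address must be unique (the gateway legitimately repeats an existing one).
    hosts = [a for pair in plan["nodes"].values() for a in pair]
    hosts += plan["state_sync"] + plan["servers"] + [cl_ext_ip, cl_prot_ip, plan["firewall"]]
    dupes = sorted({a for a in hosts if hosts.count(a) > 1})
    if dupes:
        problems.append(f"duplicate addresses: {dupes}")
    return problems


if __name__ == "__main__":
    for plan in (PROXY_ARP_PLAN, ROUTER_PLAN):
        print(plan["mode"], check_plan(plan) or "OK")
```

Feeding it a router-mode plan whose servers still point at the firewall reports both the off-subnet gateway and the missing Cluster IP gateway, which is the re-subnetting mistake Table 3 warns about.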

Page 10: High Availability QuickStart Guide


Example 3: Bridge Mode with Nokia IPSO Appliances running VRRP (Third-Party)

TABLE 4. Third-Party Bridge Advantages/Disadvantages

Advantages:
• Reliably responds to and prevents attacks
• Simple, transparent deployment
• No changes to routing tables or network equipment

Disadvantages:
• Supports only Nokia FireWall-1 appliances with VRRP

Figure: Example 3 topology (bridge mode, Nokia IPSO appliances running VRRP). Path: Internet, Router, Firewall 10.2.0.254, External Network 10.2.0.0/24, FireWall-1 pair and IDP pair, Protected Network 10.2.1.0/24, servers.

• FireWall-1 appliances: external-side addresses 10.2.0.2 and 10.2.0.3 with Virtual Router IP 10.2.0.1; protected-side addresses 10.2.1.11 and 10.2.1.12 with Virtual Router IP 10.2.1.1
• Node 1 (idpHA1): eth0 192.168.1.1, eth2 10.2.1.21
• Node 2 (idpHA2): eth0 192.168.1.2, eth2 10.2.1.22
• State-sync eth1 interfaces: 192.168.0.1, 192.168.0.2 on the State Sync network 192.168.0.0/24
• Server1 10.2.1.2, Server2 10.2.1.3, Server3 10.2.1.4, Server4 10.2.1.5, each with GW 10.2.1.1 (the protected-side Virtual Router IP)

Page 11: High Availability QuickStart Guide


Example 4: Router mode using Alteon AceDirectors (Third-Party)

When you have chosen a deployment mode for your IDP system, proceed to “Installing the IDP Management Server” on page 12.

TABLE 5. Third-Party Router Advantages/Disadvantages

Advantages:
• Reliably responds to and prevents attacks
• Load balances traffic; decisions made outside the IDP appliance are faster and more efficient

Disadvantages:
• Supports only Alteon AceDirectors

Figure: Example 4 topology (router mode, Alteon AceDirectors). Path: Internet, Router, Firewall 10.2.10.254, External Network 10.2.10.0/24, external load balancer, IDP pair, protected load balancer, Protected Network 10.2.20.0/24, servers.

• Node 1 (idpHA1): eth0 10.2.0.11, eth2 10.2.1.11
• Node 2 (idpHA2): eth0 10.2.0.12, eth2 10.2.1.12
• State-sync eth1 interfaces: 192.168.0.1, 192.168.0.2 on the State Sync network 192.168.0.0/24
• Load Balancer on the external side: 10.2.10.1 toward the External Network, 10.2.0.1 and 10.2.0.2 toward the IDP eth0 interfaces
• Load Balancer on the protected side: 10.2.1.1 and 10.2.1.2 toward the IDP eth2 interfaces, 10.2.20.1 toward the Protected Network
• Server1 10.2.20.2, Server2 10.2.20.3, Server3 10.2.20.4, Server4 10.2.20.5, each with GW 10.2.20.1

Page 12: High Availability QuickStart Guide


Step 2: Installing the IDP Management Server

In this step, you install the IDP Management Server software that controls your IDP appliances. You must install the Management Server software on a secure and trusted Red Hat Linux 7.2 or Solaris 7/8 computer.

Because you are using multiple appliances, you cannot install the Management Server software on an IDP appliance that you are using in the HA cluster. However, you must establish the communication between the Management Server and the Sensor during the Sensor configuration process by providing the IP address of the Management Server computer.

For quick reference, write the Management Server IP address below:

To Install the Management Server

NOTE: The Management Server installation process is case-sensitive. You must follow the menu selections exactly as shown in the script’s help text.

1. Ensure that the computer you are installing the Management Server on is:
   • Plugged in to a power source and powered on
   • Connected to a serial console or monitor and keyboard
   • A secure and trusted Red Hat Linux 7.2 or Solaris 7/8 computer that is connected to your network

2. Insert the IDP Installation CD into the Management Server.

3. Log in to the computer as root. At the password prompt, enter the root password for the computer. If you are already logged in as a user other than root, become root by typing: su -
   At the password prompt, enter the root password for the computer.

4. Create an idp group with the user idp as the only member.
   For Linux, type the command: useradd idp
   For Solaris, type the commands: groupadd idp and then useradd -g idp idp

5. Mount the IDP Installation CD following the manufacturer’s instructions.

6. Change to the Management Server directory by using the cd command.
   For Linux: cd /mnt/cdrom/Mgt-Svr/Linux

Management Server IP Address: ____________________

Page 13: High Availability QuickStart Guide


   For Solaris: cd /cdrom/cdrom0/Mgt-Svr/Solaris

7. Run the Management Server install script by entering the appropriate command.
   For Linux: ./mgtsvr_linux_2_0.sh
   For Solaris: ./mgtsvr_solaris_2_0.sh
   The installation automatically begins.

8. When prompted, specify the directory IDP will use to store the Management Server data files.

9. When prompted, specify a password for the IDP Management Server admin account. Confirm the password.

NOTE: The admin account authenticates communication between the Management Server and the User Interface (UI). You are asked for this password again when you log in to the UI in “Installing the User Interface” on page 21.

The installation proceeds automatically. Several messages display to confirm the installation progress. After the installation is complete, the Management Server processes automatically start.

When you have successfully installed the Management Server, proceed to “Connecting to the IDP Appliance” on page 14.

Page 14: High Availability QuickStart Guide


Step 3: Connecting to the IDP Appliance

In this step, you connect to the IDP appliance and prepare to configure the Sensor software that is installed on it. You can connect to the IDP appliance using one of the methods shown below:

• Option 1: A standalone computer, such as a laptop, connected to the IDP appliance eth2 port. In this method, you change the IP address of a standalone computer to an IP address that is on the 192.168.1.0/24 network. Then, you connect the standalone computer to the IDP appliance and use the default settings for ethernet access to configure the Sensor software.

• Option 2: A serial console or keyboard and monitor connected to the IDP appliance. In this method, you assign the IDP appliance an IP address that is on your network. First, you connect a serial console or keyboard and monitor to the IDP appliance and configure ethernet access by choosing an ethernet port, IP address, and default route. Then, after you have configured ethernet access, you connect the IDP appliance to your network and configure the Sensor software from a computer on your network.

Choose a connection method and follow the instructions below.

When you have established ethernet access to the IDP appliance, you can configure the Sensor software using the Appliance Configuration Manager (ACM), the Web-based IDP configuration tool. The configuration process is described in “Configuring the IDP Sensor” on page 17.

Use the illustration below to locate the IDP appliance ethernet and serial ports:

Figure: IDP 100 Appliance Back Panel, showing the eth2, eth3, eth0 and eth1 ethernet ports, the keyboard connector, the DB-9 serial interface, the DB-15 video interface, and the power connector.

Page 15: High Availability QuickStart Guide


To connect using a standalone computer

1. Connect a standalone computer, such as a laptop, to the IDP appliance eth2 port. To connect directly to the appliance, use a cross-over cable. To connect to the appliance over a hub or switch, use a straight-through cable.

2. Change the IP address of the standalone computer to 192.168.1.2. To change an IP address, see your computer’s operating system documentation.

3. On the connected computer, open a Web browser. The ACM supports Mozilla and IE 6.0 Web browsers. Enter the URL of the ACM wizard as https://192.168.1.1.

NOTE: Because the ACM uses HTTPS, you MUST enter https:// before the IP address.

4. Enter the default username and password as shown below:
   username: root
   password: abc123
   The ACM wizard automatically displays. Proceed to “Configuring the IDP Sensor” on page 17.

To connect using a serial console or keyboard and monitor

For serial console connections
1. Connect a serial console to the IDP appliance serial port and configure the terminal software to use parameters 8-N-1, 9600, hardware. (For Windows, use HyperTerminal. For Linux, use minicom.) Press Enter.

For keyboard and monitor connections
1. Connect a keyboard and monitor to the IDP appliance.

For all connections
2. Log in to the IDP appliance using the information shown below:
   login: root
   password: abc123
   The ethernet configuration script automatically runs.

3. Follow the instructions in the script’s help text to configure ethernet access to the IDP appliance.

Page 16: High Availability QuickStart Guide


• When prompted, enter the network card on the IDP appliance that you want to use to configure the Sensor software. The current configuration (if any) of the specified network card displays.

• When prompted, specify if you want to reconfigure the network card settings or accept the default configuration.
  To reconfigure the current settings, type y. When prompted, assign an IP address to the network card and press Enter. Use an IP address that is reachable by the computer you will use to configure the Sensor software. When prompted, assign a network to the network card and press Enter.
  To accept the default settings, type n.
  The current default route displays.

• When prompted, specify if you want to assign a new route or accept the default route.
  To assign a new default route, type y. When prompted, enter the default route for the computer that you will use to configure the Sensor software and press Enter.
  To accept the current default route, type n.

4. Use the ethernet port you chose in the configuration script to connect the IDP appliance to your network. To connect directly to another computer, use a cross-over cable. To connect to a hub or switch, use a straight-through cable.

5. Using the computer that is on your network, open a Web browser. The ACM supports Mozilla and IE 6.0 Web browsers.

6. Enter the IP address you chose in the configuration script.

NOTE: Because the ACM uses HTTPS, you MUST enter https:// before the IP address.

7. Enter the default username and password as shown below:
   username: root
   password: abc123
   The ACM wizard automatically displays.

Proceed to “Configuring the IDP Sensor” on page 17.

NOTE: Because all networks are different, NetScreen recommends that you install one IDP Sensor at a time. When you have successfully installed a Sensor and are receiving log records, you can configure and connect additional Sensors to your network.

Page 17: High Availability QuickStart Guide


Step 4: Configuring the IDP Sensor

In this step, you configure the IDP Sensor software that is pre-installed on the IDP appliance. Using the Appliance Configuration Manager (ACM), a Web-based software tool, you configure the IDP Sensor for your network.

Follow the on-screen instructions as the ACM wizard leads you through the seven-section configuration process. To view the ACM online help, click the help icon in the upper right corner. You can use your browser’s back button to return to the previous page without loss of information.

NOTE: During the configuration process, you choose a One Time Password (OTP) and are given a VIN for your Sensor. Because you are prompted for this information again in Step 8: Adding Network Components, you might want to record the VIN.

The table below summarizes the information you should have available.

TABLE 6. ACM Configuration Information (by section)

Setup
• IDP Sensor host and domain name
• IDP Sensor root and admin passwords (default is abc123)

Mode
• Deployment mode: router, bridge, or proxy-ARP (sniffer mode is not available for HA solutions)
• Enable high availability
• Choose high availability solution (standalone or third-party)

Networking
• Speed and duplex settings for the IDP appliance interfaces
• Management interface
• Gateway interfaces
• Routing table

High Availability
Because you are using a high availability solution, you must:
• Choose and configure the state-sync interface on the appliance
• Configure third-party or standalone high availability

System
• Enable/configure SSH
• Enable/configure NTP
• Enable/configure DNS
• Set Time and Time Zone

Management
• IP address of the Management Server for this Sensor and OTP
• Sensor VIN ________________________________________ (case sensitive)
• Enable/configure ACM access

Confirm and Exit
View the current configuration and then:
• Save all changes
• Apply the configuration to the IDP appliance

Page 18: High Availability QuickStart Guide


After you have saved and applied a configuration to the IDP Sensor, exit the ACM by closing the Web browser window.

Rebooting the IDP Appliance

After you have configured the Sensor software, you must reboot the IDP appliance. Ensure that you are logged in to the Sensor as root, then, from the Sensor command line, type the following command: reboot;reboot

You can now disconnect the serial console, keyboard and monitor, or other standalone computer from the IDP appliance. If you changed the IP address of a standalone computer to access the ACM, be sure to change it back to its original IP address.

When you have successfully configured and rebooted the IDP Sensor, proceed to “Connecting IDP to Your Network” on page 19.

Page 19: High Availability QuickStart Guide


Step 5: Connecting IDP to Your Network

In this step, you connect the IDP appliance to your network using the provided cables.

Connect the IDP appliance to your network using the ethernet ports (interfaces).

An example configuration, showing ethernet ports and their intended connections, is shown below (your configuration may differ):

Use the following general guidelines to determine the appropriate cable. The necessary cables are included with the IDP system.

• To connect a Sensor to a switch or hub, use the straight-through ethernet cable.

• To connect a Sensor to a firewall or router, use the crossover ethernet cable.

When you have successfully connected the IDP appliance to your network, proceed to “Installing the User Interface” on page 21.

NOTE: Because all networks are different, NetScreen recommends that you install one IDP Sensor at a time. When you have successfully installed a Sensor and are receiving log records, you can configure and connect additional Sensors to your network.

The State-Sync Interface

The State-Sync interface is used to share state information between IDP Sensors in an HA Cluster. When you install the first IDP appliance in the HA cluster, you do not need to use the state-sync interface. As you configure and connect additional IDP appliances to your network, however, you connect their state-sync interfaces to each other. This process is described in “Creating the HA Cluster” on page 25.

Figure: example ethernet port connections (your configuration may differ):

• eth0: Forwarding Interface (optional), to the external network
• eth1: State-Sync Interface, to the other IDP appliances
• eth2: Forwarding Interface (can also be the management interface), to the protected network
• eth3: Forwarding Interface, to the protected network

Page 20: High Availability QuickStart Guide


Step 6: Configuring Your Network Switch [STANDALONE HA ONLY]

In this step, you configure your network switches to pass multicast or unicast MAC packets and heartbeats to the HA Cluster, as specified in the Sensor configuration.

Cluster IPs and MACs

The nodes in an HA Cluster receive incoming packets via a Cluster IP address, which is mapped to a multicast or unicast Cluster MAC address to enable all Sensors to receive a copy of all network traffic.

You must manually configure your network switches to pass multicast or unicast MAC traffic to the IDP appliances in the HA cluster. For instructions on configuring your switches, please consult your switch manufacturer’s operating manual.

NOTE: Switches that cannot pass multicast or unicast MAC traffic cannot be used for a standalone HA configuration and are not supported.

Heartbeats

The nodes in an HA Cluster communicate with each other using a heartbeat protocol, which uses a multicast IP address. Switches can automatically “learn” about the heartbeat protocol using the Internet Group Management Protocol (IGMP).

You must enable IGMP on your network switch to pass heartbeats between IDP appliances in the HA cluster. For instructions on configuring your switches, please consult your switch manufacturer’s operating manual.

NOTE: Switches that do not support IGMP cannot be used for a standalone HA configuration and are not supported.

When you have successfully configured your network switches to pass multicast or unicast packets and heartbeats, proceed to “Installing the User Interface” on page 21.

Page 21: High Availability QuickStart Guide


Step 7: Installing the User Interface

The NetScreen IDP Installation CD includes two versions of the installation for the User Interface. Follow the steps below for Windows or Red Hat Linux systems.

NOTE: The User Interface installation cannot be canceled from the initial install screen. You must click OK to reach the Introduction screen, then click Cancel to exit the installation.

To install the UI on a Windows client machine

1. Ensure that you are an Administrator user for the computer that you are installing the UI on. For instructions on adding users to the Administrator group, please see your operating system manual.

2. Insert the IDP Installation CD into the CD drive of the client machine. If Autoplay is enabled, the installation starts automatically. If not, run the install application install.exe from your CD-ROM drive.

3. Follow the directions in the dialog boxes to install the UI. When prompted for the install set, choose Optimized for Windows to install a performance-enhanced version of the UI for Windows NT/2000/XP.

NOTE: If the computer you are installing the UI on has less than 256 MB of RAM, choose the install set Optimized for Memory Usage instead.

To install the UI on a Red Hat Linux client machine

1. Insert the IDP Installation CD into the CD drive of the client machine and mount the CD following the manufacturer’s instructions.

2. In a command shell, run ./install.bin from the /mnt/cdrom/UI/Linux directory of your CD drive.

NOTE: For other Linux systems, run the install script from the appropriate mount directory.

3. Follow the directions in the dialog boxes to install the UI. When prompted for the install set, choose Optimized for Memory Usage to install the common features.

Page 22: High Availability QuickStart Guide


Opening the User Interface After Installation

When you open the User Interface for the first time after installing the UI, you must specify the following information to log in:

NOTE: Passwords and user names are case-sensitive.

• Host Name. Use the name of your IDP Management Server.
• User Name. Use the default user name admin.
• Password. Use the password you specified when you installed the Management Server.

When you have installed the UI, proceed to “Adding Network Components” on page 23.

Page 23: High Availability QuickStart Guide


Step 8: Adding Network Components

Network Objects represent the components of your network, such as individual host machines, servers, and subnets. You must add each IDP Sensor as a Network Object and combine them in a Cluster Network Object before the IDP system is functional. You can also create Network Objects for the network components you want to protect.

To add the IDP Sensor as a Network Object

1. Double-click the Object component in the Navigation Tree and select Network Objects.

2. Choose File>New Object from the menu bar to display the Select Object Type dialog box. Click OK.

3. Select Sensor and click OK to display the Sensor Editor. Enter the information about the Sensor, including a unique name. Use the VIN and OTP from “Configuring the IDP Sensor” on page 17. Click OK.

4. Click the Interfaces tab and specify the IDP appliance interfaces as internal or external. You can also add anti-spoofing information using the Anti-spoofing tab.

5. From the toolbar, click to save the new IDP Sensor object to the IDP system. The IDP Sensor Network Object is added to the Network Object database.

6. Choose File>New Cluster from the menu bar to display the Cluster Editor. Enter a unique name for the cluster.

7. In the Members box, select the IDP Sensor/s you want in the HA cluster. Click OK.

NOTE: As you configure and connect additional IDP Sensors (described in “Creating the HA Cluster” on page 25), you can add them to the HA cluster.

Adding Network Objects using OPSEC

If you are running Check Point™ FireWall-1™ Next Generation (NG) on your network, you can automatically add FireWall-1 Network Objects to IDP using the OPSEC Object Importer. See the “Configuring OPSEC” chapter in the IDP Concepts Guide 2.0 for more information on importing objects with OPSEC.

When you have added the Sensor as a Network Object and included it in a Cluster Object, proceed to “Verifying the Installation” on page 24.

Page 24: High Availability QuickStart Guide


Step 9: Verifying the Installation

In this step, you verify the installation of the Sensor by pushing a Security Policy to the Cluster Object (created in “Adding Network Components” on page 23) and ensuring that you receive log records. You also verify that the Sensor is correctly connected to your network by sending other types of traffic through the IDP appliance.

To push a template Security Policy to the Cluster

1. Select the Security Policy component in the Navigation Tree and choose File>New Policy from the menu bar.

2. In the New Security Policy dialog box, select Use Template and choose a template from the pull-down menu. You can use the inline_template Security Policy created by NetScreen, or you can create a new, custom Security Policy for your network.

3. Click OK. The selected Security Policy template displays. Customize the template to your network.

4. In the Install On column, specify the Cluster that you want the Security Policy installed on.

5. Choose Policy>Install from the menu bar to push the Security Policy to the Sensor/s in the Cluster. The Security Policy begins generating log records for security events immediately.

6. Open the Log Viewer component in the UI to ensure that you are receiving logs.

NOTE: As you configure and connect additional IDP Sensors (described in “Creating the HA Cluster” on page 25), you add them to the Cluster and push the Security Policy again to verify the new Sensor.

To verify Sensor connectivity

Perform these connectivity tests after you have added the first Sensor to the HA Cluster. Repeat for each subsequent Sensor added.

• Ping through the IDP appliance: From a computer on the protected network, ping the Management Server IP address.

• Test connectivity to external networks: Use a computer on the protected network to browse the Internet or send/receive email.

When you have verified that the Sensor is operating normally, proceed to the final installation step, “Creating the HA Cluster” on page 25.

Page 25: High Availability QuickStart Guide


Step 10: Creating the HA Cluster

In this step, you create the HA cluster by configuring additional IDP appliances for HA and then connecting them to your network. The HA cluster is a group of 2 to 16 Sensors that provides failure protection and load balancing.

For each appliance you want to include in your existing HA Cluster:

1. Configure the Sensor software on each IDP appliance. Repeat “Connecting to the IDP Appliance” on page 14 and “Configuring the IDP Sensor” on page 17.

2. Connect the IDP appliance to your network. Repeat “Connecting IDP to Your Network” on page 19.

3. Connect the appliance to other appliances via the State-Sync interface. See below.

4. Add the Sensor as a Network Object using the UI and include in the Cluster Object. Repeat “Adding Network Components” on page 23.

Connect the IDP Appliance State-Sync Interfaces

Using the state-sync interfaces that you selected when you configured the Sensor, connect the IDP appliances to each other to form the HA cluster. Use the following general guidelines to determine the appropriate cable.

An example is shown below:

[Figure: two IDP appliances connected to each other through their State Sync Interfaces. Each appliance has Forwarding Interfaces to the external network and to the protected network; a forwarding interface can also be the management interface.]

Page 26: High Availability QuickStart Guide


• To deploy two IDP appliances, use a crossover cable to connect the appliances via the state-sync interface.

• To deploy more than two IDP appliances, use straight-through cables and a switch to connect the state-sync interfaces of all appliances.

As you add Sensors to the HA Cluster, you should verify that each node is operating normally.

Verify HA Cluster connectivity

Perform this connectivity test after you have added the second Sensor to the HA Cluster. Each time you add another Sensor to the HA cluster, repeat the test.

NOTE: Be sure to test all nodes in the HA cluster. Each node should report the same status information.

1. From the Sensor command line, type the command: sctop. The sctop menu displays.

2. Type w to select HA status. The node and Cluster statistics for the IDP Sensor display.

• An UP status indicates that the node is functioning normally.

• A DOWN status can indicate that the node is not sending heartbeats, not receiving heartbeats, or there is a switch problem.
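The note above says every node should report the same status information. Comparing the views is where a heartbeat problem shows up: a node that is DOWN from every peer is most likely not sending heartbeats (or sits on a bad switch port), while a node that is DOWN from one peer only but UP from the others points at that one peer not receiving. The following script is an added example, not NetScreen code; it does not parse the sctop screen (its layout is not documented here) but takes per-node views that were collected by hand and constructed for this example, and applies the guide's own rule to them.

```python
"""Triage the HA status the Sensors report for each other.

Added example (not NetScreen code). It does not parse sctop output; the
per-node views are constructed from what "w" (HA status) shows on each
Sensor: the status that Sensor reports for every node in the cluster.
The triage applies the guide's rule that a DOWN entry means a node is not
sending heartbeats, not receiving heartbeats, or there is a switch problem.
"""

UP, DOWN = "UP", "DOWN"


def triage_ha_status(views):
    """views maps observer -> {node: "UP" | "DOWN"} as reported on that observer.

    Returns a sorted list of (code, node, peer) findings; an empty list means
    every node reports every node UP and all views agree.
    """
    nodes = sorted(views)
    findings = set()
    for observer in nodes:
        for node in nodes:
            if node not in views[observer]:
                # A node absent from a peer's list was never added to the
                # cluster on that side, or has not been synced yet.
                findings.add(("MISSING_ENTRY", observer, node))
        if views[observer].get(observer) == DOWN:
            findings.add(("SELF_DOWN", observer, None))
    for target in nodes:
        peers = [o for o in nodes if o != target]
        down_from = [o for o in peers if views[o].get(target) == DOWN]
        up_from = [o for o in peers if views[o].get(target) == UP]
        if not down_from:
            continue
        if not up_from:
            # No peer receives target's heartbeats: target is not sending,
            # or the switch port its state-sync interface uses is at fault.
            findings.add(("NOT_SENDING_OR_SWITCH", target, None))
        else:
            # Only some peers miss the heartbeats: each such peer's own
            # receiving side (its state-sync link) is the suspect.
            for o in down_from:
                findings.add(("NOT_RECEIVING", o, target))
    return sorted(findings, key=lambda f: (f[0], f[1], f[2] or ""))


# Constructed sample: idp-a's view of idp-c disagrees with idp-b's and idp-c's.
SAMPLE_VIEWS = {
    "idp-a": {"idp-a": UP, "idp-b": UP, "idp-c": DOWN},
    "idp-b": {"idp-a": UP, "idp-b": UP, "idp-c": UP},
    "idp-c": {"idp-a": UP, "idp-b": UP, "idp-c": UP},
}

if __name__ == "__main__":
    for code, node, peer in triage_ha_status(SAMPLE_VIEWS):
        print(code, node, peer or "")
```

Run it on the sample and the single finding is NOT_RECEIVING for idp-a against idp-c, which is the case to check the idp-a end of the state-sync cabling first; if every other node reported idp-c DOWN the finding would instead be NOT_SENDING_OR_SWITCH for idp-c.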

Page 27: High Availability QuickStart Guide


Congratulations!

You have successfully installed the NetScreen IDP system on your network.

Additional Resources

• For further instructions on using your IDP system, use the IDP Online Help in the User Interface.

• For more information about the IDP system, see the IDP Concepts Guide 2.0.

• For detailed, step-by-step instructions on setting up and fine-tuning your IDP system, see the IDP Implementation Guide 2.0.

• For more information about installing a Standalone HA solution, see the Configuring IDP for Standalone High Availability (Technical Note).

• For more information about installing a Third-Party HA solution, see the Configuring IDP for Third-Party High Availability (Technical Note).

Problems?

If you experienced problems during this installation or have an installation issue you want to discuss, we strongly encourage you to contact NetScreen customer support at 1-877-NETSCREEN or [email protected].

For general information concerning known issues, IDP versions, and the IDP FAQ, please visit the NetScreen Support Web site at www.netscreen.com/support.

Page 28: High Availability QuickStart Guide


IDP QuickSheet

Usernames & Passwords

Sensor Login & Configure

username: root
password: abc123

Management Server Login

username: admin
password: you set this password during the Management Server configuration process.

Appliance Configuration Manager

URL: https://192.168.1.1; this is also the default IP address of eth2, the management interface. Because the ACM uses HTTPS, you MUST enter https:// before the IP address.

Accessing: To configure the Sensor, you must use a computer that is on the same network as the IDP appliance.

Management Server

HA: You cannot install the Management Server on the IDP Appliance. You must install on a Red Hat 7.2 or Solaris 7/8 computer.

Interfaces & IPs

Management interface: default is eth2
IP address: must be unique

Forwarding interface: any interface; can use multiple interfaces
IP address: must be unique

State-Sync interface: any unused interface; must use one interface
IP address: must be unique

HA

Cluster MAC: For forwarding interfaces, give the same interface on each IDP appliance a MAC multicast or unicast address so each Sensor can receive a copy of the network traffic.

Cluster IP: For forwarding interfaces, give the same interface on each IDP appliance an IP multicast or unicast address so each Sensor can send heartbeats.
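The Interfaces & IPs and HA rows above are the rules an HA interface plan has to satisfy before the Sensors can share traffic and heartbeats: unique management and state-sync IPs, a state-sync interface that is not also a forwarding interface, and the same cluster MAC and cluster IP on the same forwarding interface of every appliance. The checker below is an added example, not NetScreen code; the plan layout it reads (one dictionary per appliance with management, state_sync and forwarding entries) and the sample addresses are constructed for this example.

```python
"""Check an HA cluster interface plan against the QuickSheet rules.

Added example (not NetScreen code); the plan layout is an assumption made
for this example. Rules checked:
  - management and state-sync IPs are unique across the cluster
  - the state-sync interface is an unused interface (not a forwarding one)
  - the same forwarding interface on every appliance carries the same
    cluster MAC and cluster IP, neither colliding with a management or
    state-sync address
  - the cluster holds 2 to 16 Sensors
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def parse_mac(mac):
    """Normalise AA-BB-CC-DD-EE-FF or AA:BB:... to lower-case colon form."""
    norm = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(norm):
        raise ValueError(f"bad MAC address {mac!r}")
    return norm


def is_multicast_mac(mac):
    """True for a group (multicast) MAC: the I/G bit of the first octet is set."""
    return int(parse_mac(mac)[:2], 16) & 1 == 1


def validate_cluster(plan):
    """plan: {appliance: {"management": {"iface", "ip"},
                          "state_sync": {"iface", "ip"},
                          "forwarding": {iface: {"mac", "ip"}}}}
    Returns a list of problem strings; an empty list means the plan passes."""
    problems = []
    names = sorted(plan)
    if not 2 <= len(names) <= 16:
        problems.append(f"cluster has {len(names)} Sensors; an HA cluster holds 2 to 16")
    if not names:
        return problems

    owners = {}  # ip -> who claimed it, for the uniqueness rule

    def claim(ip_text, who):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:
            problems.append(f"{who}: invalid IP {ip_text!r}")
            return
        if ip in owners:
            problems.append(f"{who}: IP {ip} already used by {owners[ip]}")
        owners.setdefault(ip, who)

    for name in names:
        appl = plan[name]
        claim(appl["management"]["ip"], f"{name} management {appl['management']['iface']}")
        ss = appl["state_sync"]["iface"]
        claim(appl["state_sync"]["ip"], f"{name} state-sync {ss}")
        if ss in appl["forwarding"]:
            problems.append(f"{name}: state-sync {ss} must be an unused interface, not a forwarding one")

    iface_sets = [set(plan[n]["forwarding"]) for n in names]
    if any(s != iface_sets[0] for s in iface_sets):
        problems.append("forwarding interfaces are not the same set on every appliance")
    # Cluster MAC/IP: the same interface on each appliance must carry the same values.
    for iface in sorted(set.intersection(*iface_sets)):
        macs, ips = set(), set()
        for name in names:
            entry = plan[name]["forwarding"][iface]
            try:
                macs.add(parse_mac(entry["mac"]))
            except ValueError as exc:
                problems.append(f"{name} {iface}: {exc}")
            try:
                ip = ipaddress.ip_address(entry["ip"])
            except ValueError:
                problems.append(f"{name} {iface}: invalid cluster IP {entry['ip']!r}")
                continue
            ips.add(ip)
            if ip in owners:
                problems.append(f"{name} {iface}: cluster IP {ip} collides with {owners[ip]}")
        if len(macs) > 1:
            problems.append(f"{iface}: cluster MAC differs across appliances ({', '.join(sorted(macs))})")
        if len(ips) > 1:
            problems.append(f"{iface}: cluster IP differs across appliances ({', '.join(map(str, sorted(ips)))})")
    return problems


# Constructed sample plan for two appliances: eth2 management, eth1 state-sync,
# eth0/eth3 forwarding with a multicast cluster MAC and IP on each.
GOOD_PLAN = {
    "idp-1": {"management": {"iface": "eth2", "ip": "192.168.1.10"},
              "state_sync": {"iface": "eth1", "ip": "10.255.0.1"},
              "forwarding": {"eth0": {"mac": "01:00:5e:01:01:10", "ip": "239.1.1.10"},
                             "eth3": {"mac": "01:00:5e:01:01:11", "ip": "239.1.1.11"}}},
    "idp-2": {"management": {"iface": "eth2", "ip": "192.168.1.11"},
              "state_sync": {"iface": "eth1", "ip": "10.255.0.2"},
              "forwarding": {"eth0": {"mac": "01:00:5e:01:01:10", "ip": "239.1.1.10"},
                             "eth3": {"mac": "01:00:5e:01:01:11", "ip": "239.1.1.11"}}},
}

if __name__ == "__main__":
    print(validate_cluster(GOOD_PLAN) or "plan passes")
```

The checker reports rather than repairs: a differing cluster MAC on eth3 of one appliance, or a state-sync IP reused from another appliance, each come back as one line naming the appliance and interface, which is what you want to have in hand before running the sctop check above.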

Use crossover cable to connect to a firewall or router. Use straight-through cable to connect to a hub or switch. Default management interface is eth2.

Example HA Configuration

[Figure: one IDP appliance, showing its interfaces and where they connect:]

• eth0: Forwarding Interface (optional)

• eth1: State-Sync Interface, to other IDP appliances

• eth2: Forwarding Interface (can also be the management interface)

• eth3: Forwarding Interface

The forwarding interfaces connect to the external network and to the protected network.