NetScreen Concepts and Examples for ScreenOS 4.0, Vol. 3
Copyright © 1998-2002 NetScreen Technologies, Inc. All rights reserved.

NetScreen, NetScreen Technologies, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. and NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote, GigaScreen, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.

NetScreen Technologies, Inc., 350 Oakmead Parkway, Sunnyvale, CA 94085 U.S.A., www.netscreen.com

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Preface

NetScreen devices provide different ways for you to manage the devices, either locally or remotely. Volume 3, “Administration” describes the various methods for managing NetScreen devices and explains ScreenOS administrative levels. This volume also describes how to secure local and remote administration of NetScreen devices, and how to monitor device activity. An appendix contains brief descriptions of the NetScreen Management Information Base (MIB) files that support communications between NetScreen devices and SNMP management applications.

Conventions

This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The following sections introduce the conventions used in this book for both management methods.

WebUI Navigation Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links.

Example: Objects > Addresses > List > New
To access the new address configuration page, do the following:
1. Click Objects in the menu column.
The Objects menu option expands to reveal a subset of options for Objects.
2. (Applet menu) Hover the mouse over Addresses.
(DHTML menu) Click Addresses.
The Addresses option expands to reveal a subset of options for Addresses.
3. Click List.
The address book list appears.
4. Click the New link in the upper right corner.
The new address configuration page appears.

1. You can choose either the applet or DHTML menu types by clicking the Toggle Menu option at the bottom of the menu column.

CLI Conventions

Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
• The | symbol denotes an “or” relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Nested Dependencies

Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

[ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command.

The following example shows some of the feature dependencies of the set interface command.

set interface vlan1 broadcast { flood | arp [ trace-route ] }
The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route

Availability of CLI Commands and Features

As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model.

Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature’s availability using the ? switch. For example, the following commands list available options for the set vpn command:

ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?
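The delimiter rules above can be applied mechanically. The following Python script is an added example, not code from the NetScreen manual: it expands a syntax description such as the set interface line into every concrete command form the delimiters permit, and reports unbalanced { } or [ ] delimiters as errors.

```python
"""Expand a ScreenOS-style CLI syntax description into every command form it permits.

Added example; not code from the NetScreen manual. It implements the dependency
delimiters described above:
  { a | b }   mandatory: exactly one alternative must appear
  [ a | b ]   optional: at most one alternative may appear
  |           separates alternatives inside a group (or at top level)
"""
import re
from typing import List, Optional, Set

# A token is a single delimiter or a run of non-delimiter, non-space characters.
_TOKEN = re.compile(r"[{}\[\]|]|[^\s{}\[\]|]+")


def tokenize(syntax: str) -> List[str]:
    """Split a syntax line into words and delimiters; line breaks are irrelevant."""
    return _TOKEN.findall(syntax)


class _Parser:
    """Recursive-descent parser producing a list of token sequences (the expansions)."""

    def __init__(self, tokens: List[str]) -> None:
        self.toks = tokens
        self.pos = 0

    def peek(self) -> Optional[str]:
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def take(self) -> str:
        tok = self.toks[self.pos]
        self.pos += 1
        return tok

    def alternatives(self, closers: Set[str]) -> List[List[str]]:
        """seq ( '|' seq )*  -> union of each sequence's expansions."""
        forms: List[List[str]] = []
        while True:
            forms.extend(self.sequence(closers))
            if self.peek() != "|":
                return forms
            self.take()

    def sequence(self, closers: Set[str]) -> List[List[str]]:
        """item*  -> cartesian product of each item's expansions, in order."""
        forms: List[List[str]] = [[]]
        while self.peek() is not None and self.peek() not in closers and self.peek() != "|":
            item = self.item()
            forms = [prefix + choice for prefix in forms for choice in item]
        return forms

    def item(self) -> List[List[str]]:
        tok = self.take()
        if tok == "{":                      # mandatory group
            inner = self.alternatives({"}"})
            self.expect("}")
            return inner
        if tok == "[":                      # optional group: add the empty choice
            inner = self.alternatives({"]"})
            self.expect("]")
            return [[]] + inner
        if tok in ("}", "]"):
            raise ValueError(f"unexpected {tok!r} at token {self.pos - 1}")
        return [[tok]]                      # plain keyword or parameter

    def expect(self, closer: str) -> None:
        if self.peek() != closer:
            raise ValueError(f"expected {closer!r}, found {self.peek()!r}")
        self.take()


def expand(syntax: str) -> List[str]:
    """Return every concrete command form, in left-to-right order, without duplicates."""
    parser = _Parser(tokenize(syntax))
    forms = parser.alternatives(set())
    seen: Set[str] = set()
    result: List[str] = []
    for form in forms:
        text = " ".join(form)
        if text not in seen:
            seen.add(text)
            result.append(text)
    return result


def is_well_formed(syntax: str) -> bool:
    """True when every { } and [ ] delimiter in the description is balanced."""
    try:
        expand(syntax)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for form in expand("set interface vlan1 broadcast { flood | arp [ trace-route ] }"):
        print("ns->", form)
```

For the hypothetical clause [ feature_1 { feature_2 | feature_3 } ] the first expansion is the empty string, which is the form in which the whole optional clause is omitted.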
NetScreen Documentation

To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

Chapter 1 Administration
This chapter describes various management methods and tools, ways to secure administrative traffic, and the administrative privilege levels that you can assign to admin users. This chapter contains the following sections:
• “Management Methods and Tools” on page 2
– “Web User Interface” on page 3
– “Command Line Interface” on page 11
– “NetScreen-Global PRO” on page 18
• “Administrative Interface Options” on page 25
• “Levels of Administration” on page 27
– “Defining Admin Users” on page 29
• “Securing Administrative Traffic” on page 31
– “Changing the Port Number” on page 32
– “Changing the Admin Login Name and Password” on page 33
– “Restricting Administrative Access” on page 37
– “Resetting the Device to the Factory Default Settings” on page 36
– “Manage IP” on page 39
– “Management Zone Interfaces” on page 42
– “Virtual Private Networks” on page 43

Management Methods and Tools

The management methods and the tools with which to apply each method are presented in the following sections:
• “Web User Interface” on page 3
– “HTTP” on page 8
– “Secure Sockets Layer” on page 9
• “Command Line Interface” on page 11
– “Telnet” on page 11
– “Secure Command Shell” on page 13
– “Serial Console” on page 17
• “NetScreen-Global PRO” on page 18

Web User Interface

For administrative ease and convenience, you can use the Web user interface (WebUI). NetScreen devices use Web technology that provides a Web-server interface to configure and manage the software.
To use the WebUI, you must have the following:
• Netscape Communicator (version 4.7 or later) or Microsoft Internet Explorer (version 5.5 or later)
• TCP/IP network connection to the NetScreen device

[Figure: Web User Interface (WebUI), showing the Menu Column, the Central Display, the Help link, and the DHTML or Applet Menu Toggle Option]

Map of Navigation Levels in WebUI
The following diagram maps out the top three navigation levels in the WebUI. Other levels exist as required by various ScreenOS features.
• Level 1 contains the options visible in the menu column.
• Level 2 contains more specific options for menu items in Level 1.
• Level 3 contains even more specific options for some of the options in Level 2.

1. If an option is preceded by an asterisk, it is only available on select NetScreen devices.
[Figure: WebUI navigation map, Level 1 through Level 3. Level 1 options: Home, Configuration, Network, Policies, VPNs, Objects, Reports, Wizards, Help, Logout. Options preceded by an asterisk are available only on select NetScreen devices.]

WebUI Help

You can view Help files for the WebUI at http://help.netscreen.com/help/english/<screenos_version>/ns<platform_number> (for example, http://help.netscreen.com/help/english/4.0.0/ns500).
You also have the option of relocating the Help files. You might want to store them locally and point the WebUI to either the administrator’s workstation or to a secured server on the local network. In case you do not have Internet access, storing the Help files locally provides accessibility to them you otherwise would not have.

Copying the Help Files to a Local Drive

The Help files are available on the documentation CD. You can modify the WebUI to point to the Help files on the CD in your local CD drive. You can also copy the files from the CD to a server on your local network or to another drive on your workstation and configure the WebUI to invoke the Help files from there.
1. Load the documentation CD in the CD drive of your workstation.
2. Navigate to that drive and copy the directory named help.
The Help directory contains the following subdirectories: english/<ScreenOS_number>/ns<platform_number>.
3. Navigate to the location you want to store the Help directory and paste it there.

Note: If you want to run the Help files directly from the documentation CD, you can skip this procedure. Proceed to “Pointing the WebUI to the New Help Location” on page 8.

Pointing the WebUI to the New Help Location
You must now redirect the WebUI to point to the new location of the Help directory. Change the default URL to the new file path, where
– <path> is the specific path to the Help directory from the administrator’s workstation
– <screenos_version> is the version of the ScreenOS loaded on the NetScreen device that you are managing
– <platform_number> is the platform number of the NetScreen device
1. Configuration > Admin > Management: In the Help Link Path field, replace the underlined section of the default URL
http://help.netscreen.com/help/english/<screenos_version>/ns<platform_number>
with
(for local drive) file://<path>/ …
or
(for local server) http://<server_name>/<path>/ …
2. Click Apply.

When you click the help link in the upper right corner of the WebUI, the device now uses the new path that you specified in the Help Link Path field to locate the appropriate Help file.

HTTP

With a standard Web browser you can access, monitor, and control your network security configurations remotely using the Hypertext Transfer Protocol (HTTP).

You can secure HTTP traffic by either encapsulating it in a virtual private network (VPN) tunnel or through the Secure Sockets Layer (SSL) protocol. You can also secure it by completely separating management traffic from network user traffic. With some NetScreen device models, you can run all administrative traffic through the MGT interface, or devote an interface (such as the DMZ) entirely to administrative traffic.

Note: For more information, see “Virtual Private Networks” on page 43, “Secure Sockets Layer” (below), and “Management Zone Interfaces” on page 42.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and a Web server communicating over a TCP/IP network. NetScreen ScreenOS provides:
• Web SSL support
• SSL version 3 compatibility (not version 2)
• Netscape Communicator 4.7x and Internet Explorer 5.x compatibility (see footnote 2)
• Public Key Infrastructure (PKI) key management integration (see “Public Key Cryptography” on page 4-23.)

SSL is not a single protocol, but consists of the SSL Handshake Protocol (SSLHP), which allows the server and client to authenticate each other and negotiate an encryption method, and the SSL Record Protocol (SSLRP), which provides basic security services to higher-level protocols such as HTTP. These two protocols operate at the following two layers in the Open Systems Interconnection (OSI) model:
• SSLHP at the application layer (layer 7)
• SSLRP at the presentation layer (layer 6)

Independent of application protocol, SSL uses TCP to provide secure service. SSL uses certificates to authenticate first the server or both the client and the server, and then encrypt the traffic sent during the session. Before using SSL, you must first create a public/private key pair and then load a certificate. Because SSL is integrated with PKI key/certificate management, you can select the SSL certificate from one of the certificates in the certificate list. You can also use the same certificate for an IPSec VPN.

2. Check your Web browser to see how strong the ciphers can be and which ones your browser supports. (Both the NetScreen device and your Web browser must support the same kind and size of ciphers you use for SSL.) In Internet Explorer 5x, click Help, About Internet Explorer, and read “Cipher Strength.” To obtain the advanced security package, click the Update Information link. In Netscape Communicator, click Help, About Communicator, and read the section about RSA®. To change the SSL configuration settings, click Security Info, Navigator, Configure SSL v3.

Note: For information on obtaining certificates, see “Certificates and CRLs” on page 4-29.
NetScreen supports the following encryption algorithms for SSL:
• RC4 with 40-bit and 128-bit keys
• DES: Data Encryption Standard
• 3DES: Triple DES

NetScreen supports the same authentication algorithms for SSL as for VPNs—Message Digest version 5 (MD5) and Secure Hash Algorithm version 1 (SHA-1). The RC4 algorithms are always paired with MD5; DES and 3DES with SHA-1.

The basic steps for setting up SSL are as follows:
1. Obtain a certificate and load it on the NetScreen device (see footnote 3).
For details on requesting and loading a certificate, see “Certificates and CRLs” on page 4-29.
2. Enable SSL management:
Configuration > Admin > Management: Enter the following, and then click Apply:
Certificate: Select the certificate you intend to use from the drop-down list.
Cipher: Select the cipher you intend to use from the drop-down list.
3. Configure the interface through which you manage the NetScreen device to permit SSL management:
Network > Interfaces > Edit (for the interface you want to manage): Enable the SSL management service check box, and then click OK.
4. Connect to the NetScreen device via the SSL port. That is, when you type the IP address for managing the NetScreen device in your browser’s URL field, change “http” to “https”, and follow the IP address with a colon and the HTTPS (SSL) port number (for example, https://123.45.67.89:1443).

3. Be sure to specify a bit length that your Web browser also supports.

Command Line Interface

Advanced administrators can attain finer control by using the command line interface (CLI). To configure a NetScreen device with the CLI, you can use any software that emulates a VT100 terminal. With a terminal emulator, you can configure the NetScreen device using a console from any Windows, UNIX™, or Macintosh® operating system. For remote administration through the CLI, you can use Telnet or Secure Command Shell (SCS). With a direct connection through the console port, you can use Hyperterminal®.

Telnet

Telnet is a login and terminal emulation protocol that uses a client/server relationship to connect to and remotely configure network devices over a TCP/IP network. The administrator launches a Telnet client program on the administration workstation and creates a connection with the Telnet server program on the NetScreen device. After logging on, the administrator can issue CLI commands, which are sent to the Telnet program on the NetScreen device, effectively configuring the device as if operating through a direct connection. Using Telnet to manage NetScreen devices requires the following:
• Telnet software on the administrative workstation
• An Ethernet connection to the NetScreen device

You can secure Telnet traffic by encapsulating it in a virtual private network (VPN) tunnel (see footnote 4) or by completely separating it from network user traffic. Depending upon your NetScreen device model, you can run all administrative traffic through the MGT interface or devote an interface such as the DMZ entirely to administrative traffic.

Note: For a complete listing of the ScreenOS CLI commands, refer to the NetScreen CLI Reference Guide.

4. For information on VPN tunnels, see Volume 4, “VPNs”.

The setup procedure to establish a Telnet connection is as follows:

[Figure: Establishing a Telnet connection]
1. Telnet client sends a TCP connection request to port 23 on the NetScreen device (acting as a Telnet server).
2. NetScreen prompts the client to log on with a user name and password.
3. Client sends his user name and password—either in the clear or encrypted in a VPN tunnel.

Secure Command Shell

The built-in Secure Command Shell (SCS) server on a NetScreen device provides a means by which administrators can remotely manage the device in a secure manner using Secure Shell (SSH). SSH allows you to open a remote command shell securely and execute commands. The SCS task running on the NetScreen device is an implementation of the SSH 1.x server component, which allows an SSH 1.x-compatible client console/terminal application to connect to a NetScreen device.
An administrator can connect to a NetScreen device with SSH using one of two authentication methods:
• Password Authentication: This method is used by administrators who need to configure or monitor a NetScreen device. The SSH client initiates an SSH connection to the NetScreen device. If SCS manageability is enabled on the interface receiving the connection request, the NetScreen device signals the SSH client to prompt the user for a user name and password. When the SSH client has this information, it sends it to the NetScreen device, which compares it with the user name and password in the admin user’s account. If they match, the NetScreen device authenticates the user. If they do not match, the NetScreen device rejects the connection request.
• Public Key Authentication (PKA): This method provides increased security over the password authentication method and allows you to run automated scripts. Basically, instead of a user name and password, the SSH client sends a user name and the public key component of an RSA public/private key pair. The NetScreen device compares it with up to four public keys that can be bound to an admin. If one of the keys matches, the NetScreen device authenticates the user. If none of them match, the NetScreen device rejects the connection request.

[Figure: SSH client on the administrator’s workstation sending encrypted administrative traffic across the Internet to the SCS server in ScreenOS on the NetScreen device]
Both authentication methods require the establishment of a secure connection beforbasic connection setup procedure is shown below:
1. SSH client sends a TCP connection request to port 22 on the NetScreen device (acting as an SCS server).
3. NetScreen sends the public component of its host and server keys, cookie, and the encryption and authentication algorithms it supports.
7. Client encrypts a user name and either a password or the public component of its PKA key and sends them for authentication.
2. NetScreen and client exchange information about the SSH version they support.
4. Client creates a secret session key, encrypts it with the public component of the NetScreen host and server keys, and then sends the session key to NetScreen.
5. NetScreen sends a confirmation message that it encrypts with the session key. The creation of a secure channel is complete.
Establishing a secure connection for SSH
Host Keypublic/privauthenticadevice ankey (NetSmemory.)Server Kepublic/privencrypt th(NetScreeevery houSession Kkey (DESand NetScduring theencrypt cosession ePKA Keypublic/privon the SSpublic keythe NetScinitiating aNote: Pubset of crypthat what (and only
6. NetScreen signals the SSH client to prompt the end user for authentication information.
After an SSH client has established an SSH connection with the NetScreen device, he must authenticate himself either with a user name and password or with a user name and public key.
Both password authentication and PKA require that you create an account for the admin user on the NetScreen device and enable SCS manageability on the interface through which you intend to manage the NetScreen device via an SSH connection. (For information about creating an admin user account, see “Defining Admin Users” on page 29.) The password authentication method does not require any further setup on the SSH client.
On the other hand, to prepare for PKA, you must first perform the following tasks:
1. Using a key generation program on the SSH client, generate an RSA public and private key pair.
2. Move the public key from the local SSH directory to a directory on your TFTP server, and launch the TFTP program.
3. Log on to the NetScreen device so that you can configure it through the CLI.
4. To load the public key from the TFTP server to the NetScreen device, enter the following CLI command:
exec scs tftp pka-rsa [ username name ] file-name name_str ip-addr tftp_ip_addr
The username name option is only available to the root admin, so that only the root admin can bind an RSA key to another admin. When you—as the root admin or as a read/write admin—enter the command without a user name, the NetScreen device binds the key to your own admin account; that is, it binds the key to the admin that enters the command.
Note: If you want to use PKA for automated logins, you must also load an agent on the SSH client to decrypt the private key component of the PKA public/private key pair and hold the decrypted version of the private key in memory.
5. You can also paste the content of the public key file directly into the CLI command set scs pka-rsa [ username name_str ] key key_str (pasting it where indicated by the variable key_str), or into the Key field in the WebUI (Configuration > Admin > Management > SCS). However, the CLI and WebUI have a size restriction: the public key size cannot exceed 512 bits. This restriction is not present when loading the key via TFTP.
Note: The NetScreen device supports up to four PKA public keys per admin user.
When an administrator attempts to log on via SCS on an interface that has SCS manageability enabled, the NetScreen device first checks if a public key is bound to that administrator. If so, the NetScreen device authenticates the administrator using PKA. If a public key is not bound to the administrator, the NetScreen device prompts for a user name and password. (You can use the following command to force an admin to use only the PKA method: set admin scs password disable username name_str .) Regardless of the authentication method you intend the administrator to use, when you initially define his or her account, you still must include a password, even though when you later bind a public key to this user, the password becomes irrelevant.
Example: PKA for Automated Logins
In this example, you (as the root admin) set up SCS public key authentication (PKA) for a remote host that runs an automated script. The sole purpose for this remote host to access the NetScreen device is to download the configuration file every night. Because authentication is automated, no human intervention is necessary when the SSH client logs on to the NetScreen device.
You define an admin user account named cfg, with password cfg and read-write privileges. You enable SCS manageability on interface ethernet1, which is bound to the Untrust zone.
You have previously used a key generation program on your SSH client to generate an RSA public/private key pair, moved the public key file, which has the file name “idnt_cfg.pub”, to a directory on your TFTP server, and launched the TFTP program. The IP address of the TFTP server is 10.1.1.5.
WebUI
1. Configuration > Admin > Administrators > New: Enter the following, and then click OK:
Name: cfg
New Password: cfg
Confirm Password: cfg
Privileges: ALL (select)
2. Interfaces > Edit (for ethernet1): Select SCS, and then click OK.
Note: You can only load a public key file for SCS from a TFTP server via the exec scs command.
CLI
1. set admin user cfg password cfg privilege read-write
2. set interface ethernet1 manage scs
3. exec scs tftp pka-rsa username cfg file-name idnt_cfg.pub ip-addr 10.1.1.5
4. save
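The login order described above (a bound key selects PKA, otherwise the device asks for a password, and the four-key and 512-bit paste limits apply), as an added example in Python that is not NetScreen code. It assumes the .pub file is in the SSH-1 "bits exponent modulus [comment]" layout written by SSH 1.5 clients and that a presented key matches only when exponent and modulus both agree.

```python
"""Model of the SCS admin login decision for a NetScreen device (added
example, not NetScreen code). Assumptions not taken from the manual: the
".pub" file uses the SSH-1 "bits exponent modulus [comment]" layout, and a
presented key matches only when exponent and modulus are both equal."""
from dataclasses import dataclass, field

MAX_KEYS_PER_ADMIN = 4     # manual: up to four PKA public keys per admin user
MAX_PASTED_KEY_BITS = 512  # manual: limit when pasting into the CLI or WebUI


@dataclass(frozen=True)
class RsaPublicKey:
    bits: int
    exponent: int
    modulus: int


def parse_ssh1_pub(line: str) -> RsaPublicKey:
    """Parse one SSH-1 public key line: '<bits> <exponent> <modulus> [comment]'."""
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("not an SSH-1 public key line")
    bits, exponent, modulus = int(parts[0]), int(parts[1]), int(parts[2])
    if modulus.bit_length() != bits:
        raise ValueError("declared key size does not match the modulus")
    return RsaPublicKey(bits, exponent, modulus)


@dataclass
class AdminAccount:
    name: str
    password: str                # required at creation, even for PKA-only admins
    privilege: str
    keys: list = field(default_factory=list)
    password_login: bool = True  # False after 'set admin scs password disable'


class ScsAuthenticator:
    """Holds admin accounts and applies the login order the manual describes."""

    def __init__(self):
        self.admins = {}

    def add_admin(self, name, password, privilege="read-write"):
        # set admin user NAME password PW privilege PRIV
        self.admins[name] = AdminAccount(name, password, privilege)

    def bind_key(self, name, key, via="tftp"):
        """exec scs tftp pka-rsa (via='tftp'), or set scs pka-rsa / WebUI paste."""
        acct = self.admins[name]
        if via != "tftp" and key.bits > MAX_PASTED_KEY_BITS:
            raise ValueError("pasted keys are limited to 512 bits; load via TFTP")
        if len(acct.keys) >= MAX_KEYS_PER_ADMIN:
            raise ValueError("this admin already has four PKA keys bound")
        acct.keys.append(key)

    def disable_password(self, name):
        # set admin scs password disable username NAME
        self.admins[name].password_login = False

    def authenticate(self, name, password=None, key=None) -> bool:
        acct = self.admins.get(name)
        if acct is None:
            return False
        if acct.keys:
            # A bound key selects PKA; the stored password is now irrelevant.
            return key is not None and key in acct.keys
        if not acct.password_login:
            return False  # PKA forced but no key bound: nothing can log in
        return password is not None and password == acct.password


def automated_login_scenario():
    """Walk through the cfg example: password first, then PKA after binding."""
    # Constructed 512-bit key standing in for the content of idnt_cfg.pub.
    cfg_key = parse_ssh1_pub(f"512 35 {(1 << 511) | 1} cfg@script-host")
    auth = ScsAuthenticator()
    auth.add_admin("cfg", "cfg")
    before = auth.authenticate("cfg", password="cfg")    # True
    auth.bind_key("cfg", cfg_key, via="tftp")
    with_key = auth.authenticate("cfg", key=cfg_key)     # True
    with_pw = auth.authenticate("cfg", password="cfg")   # False: key is bound
    return before, with_key, with_pw
```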
Serial Console
You can manage a NetScreen device through a direct serial connection from the administrator’s workstation to the NetScreen device via the console port. Although a direct connection is not always possible, this is the most secure method for managing the device provided that the location around the NetScreen device is secure.
Depending on your NetScreen device model, creating a serial connection requires one of the following cables:
• A female DB-9 to male DB-25 straight-through serial cable
• A female DB-9 to male DB-9 straight-through serial cable
• A female DB-9 to male MiniDIN-8 serial cable
• A female DB-9 to RJ-45 adapter with an RJ-45 to RJ-45 straight-through ethernet cable
You will also need Hyperterminal software (or another kind of VT100 terminal emulator) on the management workstation, with the Hyperterminal port settings configured as follows:
– Serial communications 9600 bps
– 8 bit
– No parity
– 1 stop bit
– No flow control
Note: For more details on using Hyperterminal, see the “Getting Started” chapter in the NetScreen CLI Reference Guide or the “Initial Configuration” chapter in one of the installer’s guides.
NetScreen-Global PRO
The NetScreen-Global PRO line of security management solutions consists of two products, both of which provide configuration and monitoring capabilities of large-scale deployments of NetScreen devices from a central location:
• NetScreen-Global PRO
• NetScreen-Global PRO Express
With NetScreen-Global PRO, you can manage up to 10,000 NetScreen devices from a single location. The Policy Manager component allows you to deploy policies to the NetScreen devices. The Report Manager component provides real-time and historical reports of system events and attack alarms.
With NetScreen-Global PRO Express, you can manage up to 100 NetScreen devices from a single location. NetScreen-Global PRO Express combines Policy Manager with Realtime Monitor, the real-time reporting component of Report Manager.
Using a role-based management scheme, NetScreen-Global PRO provides secure, concurrent access for multiple administrators with various privilege levels and access rights. These administrators can access relevant areas of the NetScreen-Global PRO system to make configuration changes and view reports and statistics.
Note: For more information, refer to the NetScreen-Global PRO documentation.
NetScreen Address Change Notification (NACN)
Before the NetScreen-Global PRO Policy Manager host (or “PM host”) can contact a NetScreen device, it must have the current IP address of the NetScreen device interface. This is relatively easy when the NetScreen device has a static IP address on its monitor interface.
However, the monitor interface of a NetScreen device might have a dynamically assigned IP address, using either Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP). In these cases, the NetScreen device uses NetScreen Address Change Notification (NACN) to monitor a specific interface (referred to hereafter as the “monitor interface”), and then register with NetScreen-Global PRO the IP address of the monitor interface whenever it changes.
If you enable NACN on your NetScreen device (and in the NetScreen-Global PRO PM host [6]), the device automatically registers with NetScreen-Global PRO any new address assigned by PPPoE or DHCP. This prevents interruption of communication between NetScreen-Global PRO and the NetScreen device.
6. You must enter the serial number of the NetScreen device and the NACN password on the NetScreen-Global PRO PM host. For more information, refer to your NetScreen-Global PRO documentation.
The NetScreen device uses Secure Sockets Layer (SSL) to encrypt communications with NetScreen-Global PRO. The exchange is shown in the following illustration:
Note: For more information about SSL, see “Secure Sockets Layer” on page 9.
NACN exchange between a NetScreen-5XP and the NetScreen-Global PRO Policy Manager host (illustration):
1. DHCP server assigns new address to the untrust interface.
2. NetScreen initiates SSL connection.
3. PM host sends its public key. NetScreen verifies it with its CA certificate, and establishes an SSL connection.
4. NetScreen sends its NACN password, its serial number, policy domain, and the hash string of its SCS host key*.
5. PM host authenticates the NetScreen device and updates its database with the new address.
6. PM host sends a status reply—either a success or error message.
* The transmission of the SCS host key hash string is in preparation for NetScreen-Global PRO administration via SCS.
In addition to configuring and enabling NACN, you must also complete the following tasks:
• Enter the IP addresses and NACN passwords of the NetScreen-Global PRO primary (and secondary) Policy Manager (PM) hosts.
• Identify the monitor interface and enable manageability for SCS or Telnet [7] (or both) on that interface.
• Set the system clock on the NetScreen device.
• Activate the preinstalled CA certificate on the NetScreen device.
• (Optional) Enter the subject name of the X.509 certificate on the Global PRO server to prevent man-in-the-middle attacks.
Example: Setting Up NACN
In the following example, you enable NACN on a NetScreen device and configure the following NACN settings:
• Primary PM host IP address and password: 210.3.3.1; swordfish
• Secondary PM host IP address and password: 210.3.3.2; trout
• Policy domain on both the primary and secondary PM hosts: dept1
• Monitor interface: Untrust
• Port: 11122
• Subject name of the local certificate that the PM host sends:
CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com
Using the CLI, you activate the preinstalled NetScreen CA certificate, phonehome1ca1, on the NetScreen device. When the NetScreen device initiates an SSL connection with the NetScreen-Global PRO PM host, this CA certificate can verify the default local certificate that the PM host sends.
When the IP address of the monitor interface on the NetScreen device changes, the NetScreen device initiates an SSL connection using the NACN protocol to port 11122 on the primary PM host at IP address 210.3.3.1.
You also enable the SCS server on the NetScreen device and SCS manageability on the untrust interface.
7. NetScreen-Global PRO can use either Secure Command Shell (SCS) or Telnet to send configuration changes to a NetScreen device. For security purposes, NetScreen recommends that you use SCS.
WebUI
Primary and Secondary PM Hosts
1. Configuration > Admin > NACN: Enter the following, and then click Apply:
Enable NACN: (select)
Primary PM Host
Hostname/IP Address: 210.3.3.1
Password: swordfish
Policy Domain: dept1 [8]
Monitored Interface: Untrust
Port: 11122
Selected CA: OU=(c) 2001 NetScreen Technologies
Cert Subject Name: CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com, [9]
Note: You can only activate the preinstalled CA certificate “phonehome1ca1” via the CLI command exec pki x509 install-factory-certs phonehome1ca1.
8. Defining the policy domain is not necessary, but doing so expedites the search for the NetScreen device among the potentially great number of policy domains on the Global PRO database.
9. Be sure to include the final comma at the end of the Cert Subject Name string. This is the same certificate name as that used by the Policy Manager console to log on to the Policy Manager host. For more information, refer to your NetScreen-Global PRO documentation.
Secondary PM Host
Hostname/IP Address: 210.3.3.2
Password: trout
Policy Domain: dept1
Monitored Interface: Untrust
Port: 11122
Selected CA: OU=(c) 2001 NetScreen Technologies
Cert Subject Name: CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com,
SCS
2. Configuration > Admin > Management: Select the Enable SCS check box, and then click Apply.
3. Network > Interfaces > Edit (for untrust): Enter the following, and then click OK:
Management Services:
SCS: (select)
CLI
1. exec pki x509 install-factory-certs phonehome1CA1
Note: The following command, get ssl ca-list, displays the currently active CA certificates, along with their ID numbers. For this example, assume that one of the listed CA certificates has an ID number of 2.
2. get ssl ca-list
Primary PM Host
3. set global-pro policy-manager primary ca-idx 2
4. set global-pro policy-manager primary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com," [10]
5. set global-pro policy-manager primary outgoing untrust
6. set global-pro policy-manager primary host 210.3.3.1
7. set global-pro policy-manager primary password swordfish
8. set global-pro policy-manager primary policy-domain dept1
Secondary PM Host
9. set global-pro policy-manager secondary ca-idx 2
10. set global-pro policy-manager secondary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com,"
11. set global-pro policy-manager secondary outgoing untrust
12. set global-pro policy-manager secondary host 210.3.3.2
13. set global-pro policy-manager secondary password trout
14. set global-pro policy-manager secondary policy-domain dept1
SCS
15. set scs enable
16. set interface untrust manage scs
17. set global-pro policy-manager nacn
18. save
10. Be sure to include the final comma at the end of the Cert Subject Name string. This is the same certificate name as that used by the Policy Manager console to log on to the Policy Manager host. For more information, refer to your NetScreen-Global PRO documentation.
Administrative Interface Options
You can configure a NetScreen device to allow administration of the device through one or more interfaces. For example, you might have local management access the device through an interface bound to the Trust zone and remote management through an interface bound to the Untrust zone. On NetScreen devices that have multiple physical interfaces for network traffic (but no dedicated management interface), you might dedicate one physical interface exclusively for administration, separating management traffic completely from network user traffic.
To enable an interface to allow various methods of administration to traverse it through the WebUI and the CLI, do the following:
WebUI
Network > Interfaces > Edit (for the interface you want to edit): Select the following management service options, and then click OK [11]:
WebUI: Selecting this option allows the interface to receive HTTP traffic for management via the Web user interface (WebUI).
Telnet: A terminal emulation program for TCP/IP networks such as the Internet, Telnet is a common way to remotely control network devices. Selecting this option enables Telnet manageability.
SCS: You can administer the NetScreen device from an Ethernet connection or a dial-in modem using Secure Command Shell (SCS), which is SSH-compatible. You must have an SSH client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95 and later, Windows NT, Linux, and UNIX. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability.
11. Through the CLI, you can schedule the NetScreen device to reset at a time that is convenient for maintaining uninterrupted network operation: set timer date_str time_str action reset.
SNMP: The NetScreen device supports the Simple Network Management Protocol version 1.5 (SNMPv1), described in RFC-1157, and all relevant Management Information Base II (MIB II) groups, as defined in RFC-1213. Selecting this option enables SNMP manageability.
SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the WebUI.
NS-Global PRO: Selecting this option allows the interface to receive NetScreen-Global PRO traffic.
Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or ping, which determines whether a specific IP address is accessible over the network.
Ident-Reset: Services like Mail and FTP send identification requests. If they receive no acknowledgement, they send the request again. While the request is processing, there is no user access. By enabling the Ident-reset option, the NetScreen device sends a TCP reset announcement in response to an IDENT request to port 113 and restores access that has been blocked by an unacknowledged identification request.
CLI
To enable all the management services and ping (but not ident-reset):
set interface interface manage
To enable specific management and network services:
set interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }
Levels of Administration
NetScreen devices support multiple administrative users. For any configuration changes made by an administrator, the NetScreen device logs the following information:
• The name of the administrator making the change
• The IP address from which the change was made
• The time of the change
There are several levels of administrative user. The availability of some of these levels depends on the model of your NetScreen device. The following sections list all the admin levels and the privileges for each level. These privileges are only accessible to an admin after he or she successfully logs in with a valid user name and password.
Root Administrator
The root administrator has complete administrative privileges. There is only one root administrator per NetScreen device. The root administrator has the following privileges:
• Manages the root system of the NetScreen device
• Adds, removes, and manages all other administrators
• Establishes and manages virtual systems, and assigns physical or logical interfaces to them
• Creates, removes, and manages virtual routers (VRs)
• Adds, removes, and manages security zones
• Assigns interfaces to security zones
Read/Write Administrator
The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users. The read/write administrator has the following privileges:
• Creates virtual systems and assigns a virtual system administrator for each one
• Monitors any virtual system
• Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)
Read-Only Administrator
The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:
• Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping
• Read-only privileges in virtual systems
Virtual System Administrator
Some NetScreen devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:
• Creates and edits auth, IKE, L2TP, XAuth, and Manual Key users
• Creates and edits services
• Creates and edits policies
• Creates and edits addresses
• Creates and edits VPNs
• Modifies the virtual system administrator login password
• Creates and manages security zones
Virtual System Read-Only Administrator
A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.
Note: For more information on virtual systems, see “Virtual Systems” on page 6-1.
Defining Admin Users
The root administrator is the only one who can create, modify, and remove admin users. In the following example, the one performing the procedure must be a root administrator.
Example: Adding a Read-Only Admin
In this example, you—as the root admin—add a read-only administrator named Roger with password 2bd21wG7.
WebUI
Configuration > Admin > Administrators > New: Enter the following, and then click OK:
Name: Roger
New Password: 2bd21wG7 [12]
Confirm Password: 2bd21wG7
Privileges: READ ONLY
CLI
1. set admin user Roger password 2bd21wG7 privilege read-only
2. save
12. The password can be up to 31 characters long and is case sensitive.
Example: Modifying an Admin
In this example, you—as the root admin—change Roger’s privileges from read-only to read/write.
WebUI
Configuration > Admin > Administrators > Edit (for Roger): Enter the following, and then click OK:
Name: Roger
New Password: 2bd21wG7
Confirm Password: 2bd21wG7
Privileges: ALL
CLI
1. set admin user Roger password 2bd21wG7 privilege all
2. save
Example: Deleting an Admin
In this example, you—as the root admin—delete the admin user Roger.
WebUI
Configuration > Admin > Administrators: Click Remove in the Configure column for Roger.
CLI
1. unset admin user Roger
2. save
Securing Administrative Traffic
To secure the NetScreen device during setup, perform the following steps:
1. On the Web interface, change the administrative port.
See “Changing the Port Number” on page 32.
2. Change the user name and password for administration access.
See “Changing the Admin Login Name and Password” on page 33.
3. Define the management client IP addresses for the admin users.
See “Restricting Administrative Access” on page 37.
4. Turn off any unnecessary interface management service options.
See “Administrative Interface Options” on page 25.
5. Disable the ping and ident-reset service options on the interfaces, both of which respond to requests initiated by unknown parties and can reveal information about your network:
WebUI
Network > Interfaces > Edit (for the interface you want to edit): Disable the following service options, and then click OK:
Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or “ping,” which determines whether a specific IP address is accessible from the device.
Ident-Reset: When a service such as Mail or FTP sends an identification request and receives no acknowledgment, it sends the request again. While the request is in progress, user access is disabled. With the Ident-Reset checkbox enabled, the NetScreen device automatically restores user access.
CLI
unset interface interface manage ping
unset interface interface manage ident-reset
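The five steps above, applied as an audit of a constructed ScreenOS-style configuration; this is an added example in Python, not NetScreen code. It uses the command forms shown in this chapter, assumes an interface’s zone binding appears as set interface NAME zone ZONE, treats telnet, web and snmp on an Untrust interface as findings for step 4, and for step 3 also reports the lockout that occurs when the permitted-IP list omits the workstation you are currently managing from.

```python
"""Audit ScreenOS-style configuration lines against the five hardening steps
(added example, not NetScreen code). 'set interface NAME zone ZONE' is an
assumed form for the zone binding; flagging telnet/web/snmp on an Untrust
interface is this audit's own choice, since they carry credentials in clear."""
import ipaddress

ALL_MANAGE = {"global-pro", "scs", "snmp", "ssl", "telnet", "web"}
CLEARTEXT = {"telnet", "web", "snmp"}   # assumption: flag these on Untrust
PUBLISHED_DEFAULT = "netscreen"          # manual: initial login name/password


def _network(words):
    """Accept '172.16.40.42/32' or '172.16.40.0 255.255.255.0'."""
    return ipaddress.ip_network("/".join(words), strict=False)


def parse_config(lines):
    cfg = {"port": 80, "manager_ips": [], "admins": {}, "interfaces": {}}
    for raw in lines:
        words = raw.split()
        if not words:
            continue
        op, words = words[0], words[1:]
        if words[0] == "admin" and words[1] == "port":
            cfg["port"] = int(words[2])
        elif words[0] == "admin" and words[1] == "manager-ip":
            cfg["manager_ips"].append(_network(words[2:]))
        elif words[0] == "admin" and words[1] == "user":
            if op == "unset":
                cfg["admins"].pop(words[2], None)
            else:  # set admin user NAME password PW privilege PRIV
                cfg["admins"][words[2]] = words[4]
        elif words[0] == "interface":
            iface = cfg["interfaces"].setdefault(
                words[1], {"zone": None, "manage": set()})
            if words[2] == "zone":
                iface["zone"] = words[3].lower()
            elif words[2] == "manage":
                # bare 'manage' = every service plus ping, but not ident-reset
                svcs = {words[3]} if len(words) > 3 else ALL_MANAGE | {"ping"}
                if op == "set":
                    iface["manage"] |= svcs
                else:
                    iface["manage"] -= svcs
    return cfg


def audit(cfg, admin_ip=None):
    """Return (step, detail) findings; admin_ip is the workstation in use."""
    findings = []
    if cfg["port"] == 80:
        findings.append((1, "WebUI still listens on the default HTTP port 80"))
    for name, pw in cfg["admins"].items():
        if PUBLISHED_DEFAULT in (name.lower(), pw.lower()):
            findings.append((2, f"admin '{name}' uses the published default"))
    if not cfg["manager_ips"]:
        findings.append((3, "no manager-ip: any trusted-side host may manage"))
    elif admin_ip and not any(
            ipaddress.ip_address(admin_ip) in net for net in cfg["manager_ips"]):
        # manual: the assignment takes effect immediately and drops your session
        findings.append((3, f"{admin_ip} not permitted: applying this locks you out"))
    for name, iface in cfg["interfaces"].items():
        if iface["zone"] == "untrust":
            for svc in sorted(iface["manage"] & CLEARTEXT):
                findings.append((4, f"{name}: cleartext service {svc} on Untrust"))
        for svc in sorted(iface["manage"] & {"ping", "ident-reset"}):
            findings.append((5, f"{name}: {svc} enabled"))
    return findings


# Constructed sample configurations (not from any real device).
WEAK = """
set admin port 80
set admin user netscreen password netscreen privilege all
set interface ethernet1 zone trust
set interface ethernet1 manage
set interface ethernet3 zone untrust
set interface ethernet3 manage telnet
set interface ethernet3 manage ping
set interface ethernet3 manage ident-reset
""".splitlines()

HARDENED = """
set admin port 15522
set admin user Smith password 3MAb99j2 privilege all
set admin manager-ip 172.16.40.0 255.255.255.0
set interface ethernet1 zone trust
set interface ethernet1 manage scs
set interface ethernet1 manage ssl
set interface ethernet3 zone untrust
set interface ethernet3 manage scs
unset interface ethernet3 manage ping
unset interface ethernet3 manage ident-reset
""".splitlines()
```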
Changing the Port Number
Changing the port number to which the NetScreen device listens for HTTP management traffic improves security. The default setting is port 80, the standard port number for HTTP traffic. After you change the port number, you must then type the new port number in the URL field in your Web browser when you next attempt to contact the NetScreen device. (In the following example, the administrator needs to enter http://188.30.12.2:15522.)
Example: Changing the Port Number
In this example, the IP address of the interface bound to the Trust zone is 10.1.1.1/24. To manage the NetScreen device via the WebUI on this interface, you must use HTTP. To increase the security of the HTTP connection, you change the HTTP port number from 80 (the default) to 15522.
WebUI
Configuration > Admin > Management: In the HTTP Port field, type 15522, and then click Apply.
CLI
1. set admin port 15522
2. save
Changing the Admin Login Name and Password
By default, the initial login name for NetScreen devices is netscreen. The initial password is also netscreen. Because these have been widely published, you should change the login name and password immediately. The login name and password are both case-sensitive. Each must be one word, alphanumeric, with no symbols. Record the new admin login name and password in a secure manner.
Admin users for the NetScreen device can be authenticated using the internal database or an external auth server [13]. When the admin user logs on to the NetScreen device, it first checks the local internal database for authentication. If there is no entry present and an external auth server is connected, it then checks for a matching entry in the external auth server database. After an admin user successfully logs on to an external auth server, the NetScreen device caches that admin’s login status from the external auth server locally. When the admin user is managing or monitoring the NetScreen device via the WebUI, the cached data greatly expedites the continual authentication checks that HTTP requires every time the admin user clicks a link. By referring to the local cache, the NetScreen device does not have to relay authentication checks between the user and the external auth-server, and can thereby provide faster responses to the user’s actions.
When the root admin changes any attribute of an admin user’s profile—user name, password, or privilege—any administrative session that that admin currently has open automatically terminates. If the root admin changes any of these attributes for himself, or if a root-level read/write admin or vsys read/write admin changes his own password, all of that user’s currently open admin sessions [14] terminate, other than the one in which he made the change.
Warning: Be sure to record your new password. If you forget it, you must reset the NetScreen device to its factory settings, and all your configurations will be lost. For more information, see “Resetting the Device to the Factory Default Settings” on page 36.
Note: For more information about admin user levels, see “Levels of Administration” on page 27. For more about using external auth servers, see “External Auth Servers” on page 2-252.
13. NetScreen supports RADIUS, SecurID, and LDAP servers for admin user authentication. (For more information, see “Admin Users” on page 2-338.) Although the root admin account must be stored on the local database, you can store root-level read/write and root-level read-only admin users on an external auth server. To store root-level and vsys-level admin users on an external auth server and query their privileges, the server must be RADIUS and you must load the netscreen.dct file on it. (See “NetScreen Dictionary File” on page 2-257.)
14. The behavior of an HTTP or HTTPS session using the WebUI is different. Because HTTP does not support a persistent connection, any change that you make to your own user profile automatically logs you out of that and all other open sessions.
Example: Changing an Admin User’s Login Name and Password
The root administrator has decided to change a super administrator’s login name from John to Smith and his password from xL7s62a1 to 3MAb99j2 [15].
WebUI
Configuration > Admin > Administrators > Edit (for John): Enter the following, and then click OK:
Name: Smith
Old Password: xL7s62a1
New Password: 3MAb99j2
Confirm Password: 3MAb99j2
CLI
1. unset admin user John
2. set admin user Smith password 3MAb99j2 privilege all
3. save
Note: For information on the different levels of administrators, see “Levels of Administration” on page 27.
15. Instead of using actual words for passwords, which might be guessed or discovered through a dictionary attack, you can use an apparently random string of letters and numbers. To create such a string that you can easily remember, compose a sentence and use the first letter from each word. For example, “Charles will be 6 years old on November 21” becomes “Cwb6yooN21.”
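The sentence-to-password construction of footnote 15, checked against the rules this section states (one alphanumeric word with no symbols, at most 31 characters, case-sensitive, not the published default), as an added example in Python that is not from the manual. Keeping a number in the sentence whole rather than taking its first digit is an assumption drawn from the manual’s own result “Cwb6yooN21”.

```python
"""Build a ScreenOS admin password from a memorable sentence and check it
against the rules in this section (added example, not NetScreen code). The
first-letter rule is footnote 15; keeping whole numbers intact is an
assumption taken from the manual's own "Cwb6yooN21" result."""
import re

MAX_LEN = 31                   # footnote 12: up to 31 characters, case sensitive
PUBLISHED_DEFAULT = "netscreen"
ONE_WORD = re.compile(r"[A-Za-z0-9]+")   # one word, alphanumeric, no symbols


def mnemonic_password(sentence: str) -> str:
    """First letter of each word; a word made only of digits is kept whole."""
    parts = []
    for token in sentence.split():
        word = "".join(ch for ch in token if ch.isalnum())  # drop punctuation
        if not word:
            continue
        parts.append(word if word.isdigit() else word[0])
    return "".join(parts)


def check_password(candidate: str) -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if not candidate:
        problems.append("empty")
    elif not ONE_WORD.fullmatch(candidate):
        problems.append("must be one alphanumeric word with no symbols")
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if candidate.lower() == PUBLISHED_DEFAULT:
        problems.append("still the widely published default")
    return problems
```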
Example: Changing Your Own Password
Non-root users can change their own administrator password, but not their login name. In this example, a super administrator with the login name “starling” is changing her password from 3MAb99j2 to ru494Vq5.
WebUI
Configuration > Admin > Administrators > Edit (for first entry): Enter the following, and then click OK:
Name: starling
Old Password: 3MAb99j2
New Password: ru494Vq5
Confirm Password: ru494Vq5
CLI
1. set admin password ru494Vq5
2. save
Resetting the Device to the Factory Default Settings
If the admin password is lost, you can use the following procedure to reset the NetScreen device to its default settings. The configurations will be lost, but access to the device will be restored. To perform this operation, you need to make a console connection, which is described in detail in the NetScreen CLI Reference Guide and the installer’s guides.
1. At the login prompt, type the serial number of the device.
2. At the password prompt, type the serial number again.
The following message appears:
!!!! Lost Password Reset !!!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/n
3. Press the y key.
The following message appears:
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/n
4. Press the y key to reset the device.
You can now log on using netscreen as the default username and password.
Note: By default the device recovery feature is enabled. You can disable it by entering the unset admin device-reset command. Also, if the NetScreen device is in FIPS mode, the recovery feature is automatically disabled.
Restricting Administrative Access

You can administer NetScreen devices from one or multiple addresses of a subnet. By default, any host on the trusted interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure management client IP addresses.

Example: Restricting Administration to a Single Workstation

In this example, the administrator at the workstation with the IP address 172.16.40.42 is the only administrator specified to manage the NetScreen device.

WebUI

Configuration > Admin > Permitted IPs: Enter the following, and then click Add:
IP Address/Netmask: 172.16.40.42/32

CLI

1. set admin manager-ip 172.16.40.42/32
2. save
Note: The assignment of a management client IP address takes effect immediately. If you are managing the device via a network connection and your workstation is not included in the assignment, the NetScreen device immediately terminates your current session and you are no longer able to manage the device from that workstation.
Example: Restricting Administration to a Subnet

In this example, the group of administrators with workstations in the 172.16.40.0/24 subnet are specified to manage a NetScreen device.

WebUI

Configuration > Admin > Permitted IPs: Enter the following, and then click Add:
IP Address/Netmask: 172.16.40.0/24

CLI

1. set admin manager-ip 172.16.40.0 255.255.255.0
2. save
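Because a manager-ip assignment takes effect immediately and drops any session from an excluded workstation, it is worth checking the entry list against your own address before you save. The following is an added example, not code from the NetScreen manual: it models the two CLI spellings shown above (prefix length and dotted netmask) and reports whether a given session address would survive the commit. Treating a bare address as a /32 is an assumption of this example.

```python
# Added example (not from the NetScreen manual): model the "set admin manager-ip"
# restriction so you can check, before committing, whether the workstation you are
# managing from is still covered. Both CLI spellings seen in the manual are accepted:
#   set admin manager-ip 172.16.40.42/32
#   set admin manager-ip 172.16.40.0 255.255.255.0
import ipaddress


def parse_manager_ip(entry: str) -> ipaddress.IPv4Network:
    """Turn one manager-ip argument into a network.

    Accepts 'a.b.c.d/prefix', 'a.b.c.d netmask' (space separated), or a bare
    host address, which this example treats as a /32 (assumption).
    """
    parts = entry.split()
    if len(parts) == 2:            # address followed by a dotted netmask
        text = f"{parts[0]}/{parts[1]}"
    elif "/" in entry:
        text = entry
    else:
        text = f"{entry}/32"
    # strict=False lets "172.16.40.42/24" be stored as the 172.16.40.0/24 it implies
    return ipaddress.IPv4Network(text, strict=False)


def is_permitted(client_ip: str, entries) -> bool:
    """True if client_ip falls inside any configured manager-ip entry.

    An empty entry list means no restriction has been configured, so every
    host on the trusted interface may manage the device (the manual's default).
    """
    nets = [parse_manager_ip(e) for e in entries]
    if not nets:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in nets)


def lockout_risk(session_ip: str, entries) -> bool:
    """True if committing these entries would cut off the session at session_ip.

    The manual warns that the assignment takes effect immediately and that an
    excluded workstation's session is terminated; run this before 'save'.
    """
    return not is_permitted(session_ip, entries)


if __name__ == "__main__":
    planned = ["172.16.40.0 255.255.255.0"]      # the subnet example above
    print("lockout risk from 10.1.1.9:", lockout_risk("10.1.1.9", planned))
    print("lockout risk from 172.16.40.42:", lockout_risk("172.16.40.42", planned))
```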
Manage IP

Any interface you bind to a security zone can have at least two IP addresses:
• An interface IP address, which connects to a network.
• A logical manage IP address for receiving administrative traffic.
When a NetScreen device is a backup unit in a redundant group for High Availability (HA), you can access and configure the unit through its manage IP address (or addresses).
Note: The manage IP address differs from the VLAN1 address in the following two ways:
• When the NetScreen device is in Transparent mode, the VLAN1 IP address can be the endpoint of a VPN tunnel, but the manage IP address cannot.
• You can define multiple manage IP addresses—one for each network interface—but you can only define one VLAN1 IP address—for the entire system.

Example: Setting Manage IPs for Multiple Interfaces

In this example, ethernet2 is bound to the DMZ zone and ethernet3 is bound to the Untrust zone. You set the management options on each interface to provide access for the specific kinds of administrative traffic using each interface. You allow HTTP, SNMP, and Telnet access on ethernet2 for a group of local administrators in the DMZ zone, and NetScreen-Global PRO access on ethernet3 for central management from a remote site. Ethernet2 and ethernet3 each have a manage IP address, to which the various kinds of administrative traffic are directed.
[Figure: ethernet2 in the DMZ zone (IP 210.1.1.1/24, manage IP 210.1.1.2) serving the local administrators; ethernet3 in the Untrust zone (IP 211.1.1.1/24, manage IP 211.1.1.2) reaching NetScreen-Global PRO across the Internet through the router at 211.1.1.250; the LAN sits in the Trust zone.]
Note: You also need to set a route directing self-generated NetScreen-Global PRO traffic to use ethernet3 to reach the external router at IP address 211.1.1.250. A route is unnecessary for self-generated SNMP traffic to reach the SNMP community in the DMZ zone because the community is in a locally attached subnet.
WebUI

1. Network > Interfaces > Edit (ethernet2): Enter the following, and then click OK:
Zone Name: DMZ
IP Address/Netmask: 210.1.1.1/24
Manage IP: 210.1.1.2
Management Services: WebUI, Telnet, SNMP: (select)
2. Network > Interfaces > Edit (ethernet3): Enter the following, and then click OK:
Zone Name: Untrust
IP Address/Netmask: 211.1.1.1/24
Manage IP: 211.1.1.2
Management Services: NS-Global PRO: (select)

CLI

1. set interface ethernet2 ip 210.1.1.1/24
2. set interface ethernet2 manage-ip 210.1.1.2
3. set interface ethernet2 manage web
4. set interface ethernet2 manage telnet
5. set interface ethernet2 manage snmp
6. set interface ethernet3 ip 211.1.1.1/24
7. set interface ethernet3 manage-ip 211.1.1.2
8. set interface ethernet3 manage global-pro
9. save
Management Zone Interfaces

There are two interfaces bound by default to the Management (MGT) zone:
• VLAN1: Use this interface for management traffic and VPN tunnel termination when running the NetScreen device in Transparent mode. You can configure all NetScreen devices to allow administration through the VLAN1 interface when operating in Transparent mode.
• MGT: Some NetScreen devices also have a physical interface—Management (MGT)—dedicated exclusively for management traffic. Use this interface for management traffic when running the NetScreen device in NAT or Route mode.
To maintain the highest level of security, NetScreen recommends that you limit administrative traffic exclusively to the VLAN1 or MGT interface and user traffic to the security zone interfaces. Separating administrative traffic from network user traffic greatly increases administrative security and assures constant management bandwidth.

Example: Administration Through the MGT Interface

In this example, you set the IP address of the MGT interface to 10.1.1.2/24 and enable the MGT interface to receive SCS and Web administrative traffic.

WebUI

Network > Interfaces > Edit (for mgt): Enter the following, and then click OK:
IP Address/Netmask: 10.1.1.2/24
Management Services: WebUI, SCS: (select)

CLI

1. set interface mgt ip 10.1.1.2/24
2. set interface mgt manage web
3. set interface mgt manage scs
4. save
Virtual Private Networks

You can use a Virtual Private Network (VPN) tunnel to secure remote management and monitoring of a NetScreen device from either a dynamically assigned or fixed IP address. Using a VPN tunnel, you can protect any kind of traffic, such as NetScreen-Global PRO, HTTP, Telnet, or SNMP.
NetScreen supports three methods for creating a VPN tunnel:
• Manual Key: You manually set the three elements that define a Security Association (SA) at both ends of the tunnel: a Security Parameters Index (SPI), an encryption key, and an authentication key. To change any element in the SA, you must manually enter it at both ends of the tunnel.
• AutoKey IKE with Preshared Key: One or two preshared secrets—one for authentication and one for encryption—function as seed values. Using them, the IKE protocol generates a set of symmetrical keys at both ends of the tunnel; that is, the same key is used to encrypt and decrypt. At predetermined intervals, these keys are automatically regenerated.
• AutoKey IKE with Certificates: Using the Public Key Infrastructure (PKI), the participants at both ends of the tunnel use a digital certificate (for authentication) and an RSA public/private key pair (for encryption). The encryption is asymmetrical; that is, one key in a pair is used to encrypt and the other to decrypt.
To send traffic (such as syslog reports, NetScreen-Global PRO reports, or SNMP traps) generated by the NetScreen device through a VPN tunnel to an administrator in the Untrust zone, you must specify the default interface bound to the Trust zone as the source address in the policy. (Although the traffic actually originates in the NetScreen device itself, you must specify the default Trust zone interface as the source address.)
The default interface is the first interface bound to a zone. Initially, the default interface is the prebound Trust zone interface. If you bind multiple interfaces to the Trust zone, the prebound interface remains as the default interface. If you later unbind the default Trust zone interface, the NetScreen device uses the first of the other interfaces that you bound to the Trust zone. To learn which interface is the default interface for a zone, see the Default IF column on the Zones > Zone page in the WebUI, or type the get zone command in the CLI.
Note: For a complete description of VPN tunnels, see the VPN chapters. For more information on NetScreen-Remote, refer to the NetScreen-Remote User’s Guide.
Note: To tunnel administrative traffic generated by a NetScreen device, the source address must be the default interface bound to the Trust zone, and the destination address must be in the Untrust zone.
In this example, a remote administrator behind a NetScreen device receives SNMP traps and syslog reports[16] from another NetScreen device through an AutoKey IKE IPSec tunnel. The tunnel uses a preshared key (Ci5y0a1aAG) for data origin authentication and the security level predefined as “Compatible” for both Phase 1 and Phase 2 proposals.
Note: For the following example, ethernet1 is bound to the Trust zone, and ethernet3 is bound to the Untrust zone. The default gateway IP address is 210.2.2.2. All zones are in the trust-vr routing domain.
[Figure: ethernet1 (10.10.1.1/24) in the Trust zone with the LAN behind it; ethernet3 (210.2.2.1/24) in the Untrust zone with the default gateway 210.2.2.2; a VPN tunnel across the Internet to the remote gateway 3.3.3.3, behind which sit the syslog server and SNMP host at 10.20.1.2.]
16. This example assumes that the remote admin has already set up the syslog server and SNMP manager. When the remote admin sets up the VPN tunnel on his NetScreen device, he uses 210.2.2.1 as the remote gateway and 10.10.1.1 as the destination address.
17. When the remote admin configures the SNMP manager, he must enter 10.10.1.1 in the Remote SNMP Agent field. This is the address to which the SNMP manager sends queries.

WebUI

Interfaces & Security Zones

1. Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
Zone Name: Trust
IP Address/Netmask: 10.10.1.1/24 [17]
2. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
Zone Name: Untrust
IP Address/Netmask: 210.2.2.1/24

Addresses

3. Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: trust_int
IP Address/Domain Name: IP/Netmask: 10.10.1.1/32
Zone: Trust
4. Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: remote_admin
IP Address/Domain Name: IP/Netmask: 10.20.1.2/32
Zone: Untrust

VPN

5. VPNs > AutoKey IKE > New: Enter the following, and then click OK:
VPN Name: admin
Security Level: Compatible
Remote Gateway: Create a Simple Gateway: (select)
Gateway Name: to_admin
Type: Static IP, IP Address: 3.3.3.3
Preshared Key: Ci5y0a1aAG
Security Level: Compatible
Outgoing Interface: ethernet3
Syslog and SNMP

6. Configuration > Report Settings > Syslog: Enter the following, and then click Apply:
Enable Syslog Messages: (select)
Use Trust Zone Interface as Source IP for VPN: (select)
Syslog Host Name/Port: 10.20.1.2
7. Configuration > Report Settings > SNMP > New Community: Enter the following, and then click OK:
Community Name: remote_admin
Permissions: Write, Trap: (select)
Hosts: 10.20.1.2
8. Configuration > Report Settings > SNMP: Select Use Trust Zone Interface as Source IP for VPN, and then click Apply.

Route

9. Network > Routing > Routing Table > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: (select) 210.2.2.2
Policies

10. Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:
Source Address:
Address Book: (select), trust_int
Destination Address:
Address Book: (select), remote_admin
Service: SNMP
Action: Tunnel
Tunnel VPN: admin
Modify matching outgoing VPN policy: (clear)
Position at Top: (select)
11. Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:
Source Address:
Address Book: (select), trust_int
Destination Address:
Address Book: (select), remote_admin
Service: SYSLOG
Action: Tunnel
Tunnel VPN: admin
Modify matching outgoing VPN policy: (clear)
Position at Top: (select)
CLI

Interfaces & Security Zones

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 10.10.1.1/24
3. set interface ethernet3 zone untrust
4. set interface ethernet3 ip 210.2.2.1/24

Addresses

5. set address trust trust_int 10.10.1.1/24
6. set address untrust remote_admin 10.20.1.2/24

VPN

7. set ike gateway to_admin ip 3.3.3.3 outgoing-interface ethernet3 preshare Ci5y0a1aAG sec-level compatible
8. set vpn admin gateway to_admin sec-level compatible

Syslog and SNMP

9. set syslog config 10.20.1.2 auth/sec local0
10. set syslog vpn
11. set syslog enable
12. set snmp community remote_admin read-write trap-on
13. set snmp host remote_admin 10.20.1.2
14. set snmp vpn

Route

15. set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 210.2.2.2

Policies

16. set policy top from trust to untrust trust_int remote_admin snmp tunnel vpn admin
17. set policy top from trust to untrust trust_int remote_admin syslog tunnel vpn admin
18. save
Example: Administration Through a VPN Tunnel from the Trust Zone

In this example, you set up a VPN tunnel to provide confidentiality for network security administrative traffic. The Manual Key VPN tunnel extends from the workstation (10.10.1.56) to the interface bound to the Trust zone (10.10.1.1/24). The workstation is using NetScreen-Remote. You also create a zone called “Other” whose sole purpose is to provide a destination zone and destination address for a policy that specifies the VPN tunnel.
[Figure: the admin workstation (10.10.1.56, running NetScreen-Remote) on the LAN in the Trust zone; a Manual Key VPN tunnel named Admin_Tunnel from the workstation to ethernet1 (10.10.1.1/24) in the Trust zone; ethernet4 (2.2.2.1/24) in the Other zone.]

WebUI

Interfaces and Zones

1. Network > Interfaces > Edit (ethernet1): Enter the following, and then click Apply:
Zone Name: Trust
IP Address/Netmask: 10.10.1.1/24
2. Network > Zones > New: Enter the following, and then click OK:
Zone Name: Other
Virtual Router Name: trust-vr
3. Network > Interfaces > Edit (ethernet4): Enter the following, and then click OK:
Zone Name: Other
IP Address/Netmask: 2.2.2.1/24

Addresses

4. Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Admin
IP Address/Domain Name:
IP/Netmask: 10.10.1.56/24
Zone: Trust
5. Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: Other_Interface
IP Address/Domain Name:
IP/Netmask: 2.2.2.1/24
Zone: Other
Note: The Trust zone is preconfigured. You do not have to create it.
VPN

6. VPNs > Manual Key > New: Enter the following, and then click OK:
VPN Tunnel Name: Admin_Tunnel
Gateway IP: 10.10.1.56
Security Index: 4567 (Local) 5555 (Remote)
Outgoing Interface: ethernet1
ESP-CBC: (select)
Encryption Algorithm: DES-CBC
Generate Key by Password[18]: netscreen1
Authentication Algorithm: MD5
Generate Key by Password: netscreen2
> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
Bind To: Tunnel Zone: (select) Untrust_Tun
18. Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Return to the Manual Key Configuration dialog box (click Edit in the Configure column for “Admin Tunnel”); (2) copy the generated hexadecimal key; and (3) use that hexadecimal key when configuring the NetScreen-Remote end of the tunnel.
Policies

7. Policies > (From: Trust, To: Other) > New: Enter the following, and then click OK:
Source Address: Address Book: Admin
Destination Address: Address Book: Other_Interface
Service: ANY
Action: Tunnel
Tunnel VPN: Admin_Tunnel
Modify matching outgoing VPN policy: (select)
Position at Top: (select)
CLI

Interfaces and Zones

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 10.10.1.1/24
3. set zone name Other
4. set interface ethernet4 zone Other
5. set interface ethernet4 ip 2.2.2.1/24

Addresses

6. set address trust Admin 10.10.1.56/24
7. set address Other Other_Interface 2.2.2.1/24

VPN

8. set vpn Admin_Tunnel manual 4567 5555 gateway 10.10.1.56 outgoing ethernet1 esp des password netscreen1 auth md5 password netscreen2

Policies

9. set policy top from trust to Other Admin Other_Interface any tunnel vpn Admin_Tunnel
10. set policy top from Other to trust Other_Interface Admin any tunnel vpn Admin_Tunnel
11. save
Chapter 2: Monitoring NetScreen Devices

This chapter discusses the following topics about monitoring NetScreen devices:
• “Storing Log Information” on page 56
• “Event Log” on page 57
– “Viewing the Event Log” on page 58
• “Traffic Log” on page 60
• “Self Log” on page 62
• “Syslog” on page 63
– “WebTrends” on page 63
• “SNMP” on page 66
– “Implementation Overview” on page 68
– “VPN Monitoring” on page 71
• “Counters” on page 74
• “Asset Recovery Log” on page 81
• “Traffic Alarms” on page 82
Storing Log Information

All NetScreen devices allow you to store event and traffic log data internally (in flash storage) and externally (in a number of locations). Although storing log information internally is convenient, the amount of memory is limited. When the internal storage space completely fills up, the NetScreen device begins overwriting the oldest log entries with the latest ones. If this first-in-first-out (FIFO) mechanism occurs before you save the logged information, you can lose data. To mitigate such data loss, you can store event and traffic logs externally in a syslog or WebTrends server, or in the NetScreen-Global PRO database.
The following list provides the possible destinations for logged data:
• Console: A useful destination for all log entries to appear when you are troubleshooting a NetScreen device through the console. Optionally, you might elect to have only alarm messages (critical, alert, emergency) appear here to alert you immediately if you happen to be using the console at the time an alarm is triggered.
• Internal: The internal database on a NetScreen device is a convenient destination for log entries, but of limited space.
• Email: A convenient method for sending event and traffic logs to remote administrators.
• SNMP: In addition to the transmission of SNMP traps, a NetScreen device can also send alarm messages (critical, alert, emergency) from its event log to an SNMP community.
• Syslog: All event and traffic logs that a NetScreen device can store internally, it can also send to a syslog server. Because syslog servers have a much greater storage capacity than the internal flash storage on a NetScreen device, sending data to a syslog server can mitigate data loss that might occur when log entries exceed the maximum internal storage space.
• WebTrends: Allows you to view log data for critical-, alert-, and emergency-level events in a more graphical format than syslog, which is a text-based tool.
• NetScreen-Global PRO: In addition to its multiple-device configuration tools, NetScreen-Global PRO offers excellent monitoring capabilities in regards to both the viewing and storing of reports.
• CompactFlash (PCMCIA): The advantage of this destination is portability. After storing data on a device CompactFlash card, you can physically remove the card from the NetScreen and store it or load it on another device.
Event Log

NetScreen provides an event log for monitoring system events and network traffic. The NetScreen device categorizes system events by the following severity levels:
• Emergency: Generates messages on SYN attacks, Tear Drop attacks, and Ping of Death attacks. For more information on these types of attacks, see “Firewall Options” on page 2-33.
• Alert: Generates messages for multiple user authentication failures and other firewall attacks not included in the emergency category.
• Critical: Generates messages for URL blocks, traffic alarms, high availability (HA) status changes, and global communications.
• Error: Generates messages for admin log on failures.
• Warning: Generates messages for admin logins and logouts, failures to log on and log out, and user authentication failures, successes, and timeouts.
• Notification: Generates messages for link status changes, traffic logs, and configuration changes.
• Information: Generates any kind of message not specified in other categories.
• Debugging: Generates all messages.
The event log displays the date, time, level and description of each system event. You can view system events for each category stored in flash storage on the NetScreen device through the WebUI or the CLI. You can also open or save the file to the location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view the file. Alternatively, you can send them to an external storage space (see “Storing Log Information” on page 56).
Note: For detailed information about the messages that appear in the event log, refer to the NetScreen Message Log Reference Guide.
Viewing the Event Log

You can display log entries by severity level and search the event log by keyword in both the WebUI and CLI. With the CLI, you can combine severity level and key word to refine your search. You can make your search even more granular by including start and end times, a message type ID number, and a key word exclusion. For example, you might conduct a search with parameters such as the following:
get event level notif type 00037 start-time 07/18 end-time 07/19 include “zone trust” exclude block
To display the event log by severity level, do either of the following:

WebUI

Reports > System Log > Event: Select a severity level from the Log Level drop-down list.

CLI

get event level { emergency | alert | critical | error | warning | notification | information | debugging }
To search the event log by keyword, do either of the following:

WebUI

Reports > System Log > Event: Type a word or word phrase up to 15 characters in length in the search field, and then click Search.

CLI

get event include word_string
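To make the effect of combining those search parameters concrete, here is an added example (not code from the NetScreen manual) that applies the same level, type, start-time, end-time, include and exclude semantics to event-log lines. The line layout and the sample entries are constructed for the example, and the end day is taken as inclusive and the year as 2002, both assumptions since the CLI form omits them.

```python
# Added example (not from the NetScreen manual): applies the search parameters of
#   get event level notif type 00037 start-time 07/18 end-time 07/19 include "zone trust" exclude block
# to event-log lines. The line layout used here is constructed for the example
# (date time level type-id text); the real message formats are documented in the
# NetScreen Message Log Reference Guide.
from dataclasses import dataclass
from datetime import datetime, timedelta

LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debugging"]

SAMPLE_LOG = [  # constructed sample entries
    "2002-07-17 23:59:59 notification 00037 zone trust: interface ethernet2 link is down",
    "2002-07-18 10:15:22 notification 00037 zone trust: interface ethernet1 link is up",
    "2002-07-18 11:02:03 notification 00037 zone trust: URL block applied to 10.1.1.5",
    "2002-07-19 08:30:00 warning 00515 admin netscreen logged in from 10.1.1.9",
    "2002-07-19 09:00:00 notification 00037 zone untrust: interface ethernet3 link is up",
    "2002-07-19 12:00:00 notification 00002 zone trust: configuration saved",
]


@dataclass
class EventEntry:
    when: datetime
    level: str
    type_id: str
    text: str


def parse_entry(line: str) -> EventEntry:
    """Split one constructed log line into its fields."""
    date, time, level, type_id, text = line.split(" ", 4)
    return EventEntry(datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
                      level, type_id, text)


def full_level(abbrev: str) -> str:
    """Expand a CLI abbreviation such as 'notif' to its severity name; reject ambiguity."""
    matches = [lvl for lvl in LEVELS if lvl.startswith(abbrev.lower())]
    if len(matches) != 1:
        raise ValueError(f"ambiguous or unknown level: {abbrev}")
    return matches[0]


def search(entries, level=None, type_id=None, start_time=None, end_time=None,
           include=None, exclude=None, year=2002):
    """Return the entries matching every supplied parameter (None means not applied).

    start_time/end_time take the manual's MM/DD form; the end day is treated as
    inclusive and the year is an assumption, since the CLI form omits it.
    include/exclude are case-insensitive substring tests on the message text.
    """
    want = full_level(level) if level else None
    start = datetime.strptime(f"{year}/{start_time}", "%Y/%m/%d") if start_time else None
    end = (datetime.strptime(f"{year}/{end_time}", "%Y/%m/%d") + timedelta(days=1)
           if end_time else None)
    hits = []
    for e in entries:
        if want and e.level != want:
            continue
        if type_id and e.type_id != type_id:
            continue
        if start and e.when < start:
            continue
        if end and e.when >= end:
            continue
        if include and include.lower() not in e.text.lower():
            continue
        if exclude and exclude.lower() in e.text.lower():
            continue
        hits.append(e)
    return hits


def example_search():
    """The CLI command quoted in the text, run over SAMPLE_LOG; returns message texts."""
    entries = [parse_entry(line) for line in SAMPLE_LOG]
    hits = search(entries, level="notif", type_id="00037", start_time="07/18",
                  end_time="07/19", include="zone trust", exclude="block")
    return [e.text for e in hits]


if __name__ == "__main__":
    for text in example_search():
        print(text)
```

Only the ethernet1 link-up entry survives: the 07/17 entry is before the start time, the URL-block entry is removed by the exclusion, and the untrust, warning and type-00002 entries fail the remaining tests.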
Example: Downloading the Event Log for Critical Events

In this example, you download the critical events entered in the event log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “crt_evnt07-02.txt”.

WebUI

1. Reports > System Log > Event: Next to Search, enter Critical for the Log Level setting, and then click Search.
A table appears with the result of the “critical events” search. Click Save.
The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.
2. Select the Save this file to disk option, and then click OK.
The File Download wizard prompts you to choose a directory.
3. Specify C:\netscreen\logs, name the file “crt_evnt07-02.txt”, and then click Save.

CLI

get event level critical > tftp 10.10.20.200 crt_evnt07-02.txt
Traffic Log

NetScreen provides traffic logs to monitor and record the traffic that policies permit across the firewall. A traffic log notes the following elements for each session:
• Date and time that the connection started
• Source address and port number
• Translated source address and port number
• Destination address and port number
• The duration of the session
• The service used in the session
To log all traffic that a NetScreen device receives, you must enable the logging option for all policies. To log specific traffic, enable logging only on policies that apply to that traffic. To enable the logging option on a policy, do either of the following:

WebUI

Policies > (From src_zone, To dst_zone) New > Advanced: Select Logging, click Return, and then click OK.

CLI

set policy from src_zone to dst_zone src_addr dst_addr service action log
You can view traffic logs stored in flash storage on the NetScreen device through either the CLI or WebUI. You can also open or save the file to the location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view the file. Alternatively, you can send them to an external storage space (see “Storing Log Information” on page 56). You can also include traffic logs with event logs sent by e-mail to an admin.
Example: Downloading a Traffic Log

In this example, you download the traffic log for a policy with ID number 12. For the WebUI, you download it to the local directory “C:\netscreen\logs”. For the CLI, you download it to the root directory of a TFTP server at the IP address 10.10.20.200. You name the file “traf_log11-21-02.txt”.

WebUI

1. Reports > Policies > (for policy ID 12): Click Save.
The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.
2. Select the Save this file to disk option, and then click OK.
The File Download wizard prompts you to choose a directory.
3. Specify C:\netscreen\logs, name the file traf_log11-21-02.txt, and then click Save.

CLI

get log traffic policy 12 > tftp 10.10.20.200 traf_log11-21-02.txt
Self Log

NetScreen provides a self log to monitor and record all dropped packets (such as those denied by a policy) and traffic that terminates at the NetScreen device itself (such as administrative traffic). Similar to the traffic log, the self log displays the date, time, source address/port, destination address/port, duration, and service for each dropped packet or session terminating at the NetScreen device.
You can view the self log, which is stored in flash storage on the NetScreen device, through either the CLI or WebUI. You can also save the log as a text file to a location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view it.

Example: Downloading the Self Log

In this example, you download a self log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “self_log07-03-02.txt”.

WebUI

1. Reports > System Log > Self: Click Save.
The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.
2. Select the Save this file to disk option, and then click OK.
The File Download wizard prompts you to choose a directory.
3. Specify C:\netscreen\logs, name the file self_log07-03-02.txt, and then click Save.

CLI

get log self > tftp 10.10.20.200 self_log07-03-02.txt
Syslog

Syslog enables the logging of system events to a single file for later review. A NetScreen device generates syslog messages for system events at predefined severity levels (see the list of severity levels in “Event Log” on page 57) and sends these messages via UDP (port 514) to a syslog host, which runs on a UNIX/Linux system. You can use syslog messages to create e-mail alerts for the system administrator, or to display messages on the console of the designated host using UNIX syslog conventions.
You can also send syslog messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN. In the CLI, use the set syslog vpn command.
Syslog organizes messages hierarchically, so that setting a level includes that level and all levels above it. For example, an alert setting generates messages for alert and emergency messages, whereas a debugging setting generates messages for all levels.

WebTrends

WebTrends offers a product called the WebTrends Firewall Suite that allows you to customize syslog reports of critical, alert, and emergency events to display the information you want in a graphical format. You can create reports that focus on areas such as firewall attacks (emergency-level events) or on all events with the severity levels of critical, alert, and emergency.
You can also send WebTrends messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN. In the CLI, use the set webtrends vpn command.
Note: On UNIX/Linux platforms, modify the /etc/rc.d/init.d/syslog file so that syslog retrieves information from the remote source (syslog -r).
Note: You can also send traffic logs with the syslog messages.
Note: The WebTrends Syslog Server and the WebTrends Firewall Suite must run on the same Windows NT system. You must have administrator rights to configure it.
Example: Enabling Syslog and WebTrends for Notification Events

In the following example, you set up the syslog facility to send notification messages to port 514 on a WebTrends syslog Server at 172.10.16.25. The security and facility levels are set to Local0. Traffic logs are included with the system event messages.

WebUI

Syslog Settings

1. Configuration > Report Settings > Syslog: Enter the following, and then click Apply:
Enable syslog messages: (select)
Include Traffic Log: (select)
Syslog Host Name/Port: 172.10.16.25/514 [1]
Security Facility: Local0
Facility: Local0

WebTrends Settings

2. Configuration > Report Settings > WebTrends: Enter the following, and then click Apply:
Enable WebTrends Messages: (select)
WebTrends Host Name/Port: 172.10.16.25/514
1. The syslog host port number must match the WebTrends port number.
Severity Levels

3. Configuration > Report Settings > Log Settings: Enter the following, then click Apply:
WebTrends Notification: (select)
Syslog Notification: (select)

CLI

Syslog Settings

1. set syslog config 172.10.16.25 local0 local0
2. set syslog port 514
3. set syslog traffic
4. set syslog enable

WebTrends Settings

5. set webtrends host-name 172.10.16.25
6. set webtrends port 514
7. set webtrends enable

Severity Levels

8. set log module system level notification destination syslog
9. set log module system level notification destination webtrends
10. save
Note: When you enable syslog and WebTrends on a NetScreen device running in Transparent mode, you must set up a static route. See “Route Tables” on page 2-63.
SNMP

The Simple Network Management Protocol (SNMP) agent for the NetScreen device provides network administrators with a way to view statistical data about the network and the devices on it, and to receive notification of system events of interest.

NetScreen supports the SNMPv1 protocol, described in RFC-1157, “A Simple Network Management Protocol”. NetScreen also supports all relevant Management Information Base II (MIB II) groups defined in RFC-1213, “Management Information Base for Network Management of TCP/IP-based internets: MIB-II”. NetScreen also has private enterprise MIB files, which you can load into an SNMP MIB browser. A list of the NetScreen MIBs is included in the appendix. (See Appendix A, “SNMP MIB Files”.)

Accordingly, the NetScreen SNMP agent generates the following traps, or notifications, when specified events or conditions occur:

• Cold Start Trap: The NetScreen device generates a cold start trap when it becomes operational after you power it on.
• Trap for SNMP Authentication Failure: The SNMP manager triggers the authentication failure trap if it sends the incorrect community string.
• Traps for System Alarms: NetScreen device error conditions and firewall conditions trigger system alarms. Three NetScreen enterprise traps are defined to cover alarms related to hardware, security, and software. (For more information on firewall settings and alarms, see “Firewall Options” on page 2 -33, and “Traffic Alarms” on page 82.)
• Traps for Traffic Alarms: Traffic alarms are triggered when traffic exceeds the alarm thresholds set in policies. (For more information on configuring policies, see “Policies” on page 2 -213.)
NetScreen devices do not ship with a default configuration for the SNMP manager. To configure your NetScreen device for SNMP, you must first create communities, define their associated hosts, and assign permissions (read-write or read only [2]).

The following table lists possible alarm types and their associated trap number:

Trap Enterprise ID   Description
100                  Hardware problems
200                  Firewall problems
300                  Software problems
400                  Traffic problems
500                  VPN problems

Note: The network administrator must have an SNMP manager application such as HP OpenView® or SunNet Manager™ to browse the SNMP MIB II data and to receive traps from either the trusted or untrusted interface. There are also several shareware and freeware SNMP manager applications available from the Internet.

2. For security reasons, an SNMP community member with read-write privileges can change only the sysContact and sysLocation variables on a NetScreen device.
Implementation Overview

The following points summarize how SNMP is implemented in NetScreen devices:

• The network administrator can create up to three communities, each containing up to eight hosts. Hosts must be listed individually; they cannot be specified as a range.
• Each community has either read-only or read-write permission for the MIB II data.
• You can allow or deny each community from receiving traps.
• You can access the MIB II data and traps through any physical interface.
• Each system alarm generates a single NetScreen enterprise SNMP trap to each of the hosts in each community that is set to receive traps.
• Cold Start / Link Up / Link Down traps are sent to all hosts in communities that are set to receive traps.
• If you specify trap-on for a community, you also have the option to allow traffic alarms.

You can also send SNMP messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN option. In the CLI, use the set snmp vpn command.
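The community, host, permission, and trap-distribution rules summarized above, as an added Python model (not ScreenOS code and not the NetScreen SNMP agent). It enforces the three-community and eight-host limits, routes generic and enterprise traps to the hosts entitled to them (traffic alarms only to communities that opted in), and shows how a wrong community string yields the authentication-failure outcome while a read-write member may change only the system-group variables the page names. The trap IDs are the enterprise IDs from the table above; the two communities in example_agent() are the JCarney and TCooper communities configured in the example that follows on this page; the method names and the "ok"/"noAccess" result strings are this example's own.

```python
"""SNMP community, host, and trap-distribution rules.

Added example (not ScreenOS code). Limits and trap rules follow the
implementation summary on this page: up to three communities, up to eight
individually listed hosts each, read-only or read-write, optional trap-on,
traffic alarms only for trap-on communities.
"""
from dataclasses import dataclass, field

MAX_COMMUNITIES = 3
MAX_HOSTS_PER_COMMUNITY = 8

# Enterprise trap IDs from the alarm table on this page
ENTERPRISE_TRAPS = {100: "hardware", 200: "firewall", 300: "software",
                    400: "traffic", 500: "vpn"}
GENERIC_TRAPS = {"coldStart", "linkUp", "linkDown"}
# MIB II system-group variables the page lists as writable (in two places)
WRITABLE_VARS = {"sysContact", "sysLocation", "sysName"}


@dataclass
class Community:
    name: str
    read_write: bool = False
    trap_on: bool = False
    traffic_alarms: bool = False
    hosts: list = field(default_factory=list)


class SnmpAgent:
    def __init__(self):
        self.communities = {}

    def add_community(self, community: Community) -> None:
        if len(self.communities) >= MAX_COMMUNITIES:
            raise ValueError("at most three communities")
        if len(community.hosts) > MAX_HOSTS_PER_COMMUNITY:
            raise ValueError("at most eight hosts per community")
        if any("/" in h or "-" in h for h in community.hosts):
            raise ValueError("hosts are listed individually, not as ranges")
        if community.traffic_alarms and not community.trap_on:
            raise ValueError("traffic alarms require trap-on")
        self.communities[community.name] = community

    def trap_recipients(self, trap) -> list:
        """Hosts that receive `trap` (a generic trap name or an enterprise
        trap ID). Traffic alarms (400) go only to communities that opted
        in; every other trap goes to all hosts of every trap-on community."""
        if trap not in GENERIC_TRAPS and trap not in ENTERPRISE_TRAPS:
            raise ValueError(f"unknown trap {trap!r}")
        recipients = []
        for c in self.communities.values():
            if not c.trap_on:
                continue
            if trap == 400 and not c.traffic_alarms:
                continue
            recipients.extend(c.hosts)
        return recipients

    def authorize(self, community_string: str, write: bool = False,
                  variable: str = None) -> str:
        """'ok', 'authenticationFailure' (wrong community string, the
        condition that raises the authentication-failure trap), or
        'noAccess' (write by a read-only member, or to a read-only variable)."""
        c = self.communities.get(community_string)
        if c is None:
            return "authenticationFailure"
        if write and (not c.read_write or variable not in WRITABLE_VARS):
            return "noAccess"
        return "ok"


def example_agent() -> SnmpAgent:
    """The JCarney and TCooper communities from the example on this page."""
    agent = SnmpAgent()
    agent.add_community(Community("JCarney", trap_on=True,
                                  hosts=["172.16.20.181", "172.16.40.245", "172.16.40.55"]))
    agent.add_community(Community("TCooper", read_write=True, trap_on=True,
                                  traffic_alarms=True, hosts=["172.16.20.250"]))
    return agent


if __name__ == "__main__":
    agent = example_agent()
    print("cold start ->", agent.trap_recipients("coldStart"))
    print("traffic alarm ->", agent.trap_recipients(400))
```

A cold-start or system-alarm trap reaches all four hosts, but a traffic alarm reaches only the TCooper host, which is the practical difference between trap-on and trap-on with traffic alarms.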
Example: Setting Up SNMP Communities

In this example, you configure SNMP for two communities, named “JCarney” and “TCooper.” In the first community, its members can read MIB II data and receive traps. In the second community, its members can read and write MIB II data, receive traps, and traffic alarms. The contact person is “John Fisher” in “Miami.” The JCarney community host IP addresses are 172.16.20.181, 172.16.40.245, and 172.16.40.55. The TCooper community host is 172.16.20.250.

WebUI

1. Configuration > Report Settings > SNMP: Enter the following settings, and then click Apply:
   System Contact: John Fisher
   Location: Miami
2. Configuration > Report Settings > SNMP > New Community: Enter the following settings, and then click OK:
   Community Name: JCarney
   Permissions: Trap: (select)
   Hosts: 172.16.20.181
          172.16.40.245
          172.16.40.55
3. Configuration > Report Settings > SNMP > New Community: Enter the following settings, and then click OK:
   Community Name: TCooper
   Permissions: Write, Trap: (select)
   Including Traffic Alarms: (select)
   Hosts: 172.16.20.250

Note: The MIB II system group variables sysContact, sysName (which is the same as the host name of the NetScreen device) are read-write objects. All other variables are read-only.
CLI
1. set snmp contact John Fisher
2. set snmp location Miami
3. set snmp community JCarney read-only trap-on
4. set snmp host JCarney 172.16.20.181
5. set snmp host JCarney 172.16.40.245
6. set snmp host JCarney 172.16.40.55
7. set snmp community TCooper read-write trap-on traffic
8. set snmp host TCooper 172.16.20.250
9. save
VPN Monitoring

The NetScreen ScreenOS provides the ability to determine the status and condition of active VPNs through the use of SNMP VPN monitoring objects and traps.

By enabling the VPN monitoring feature on a Manual Key or AutoKey IKE VPN tunnel, the NetScreen device activates its SNMP VPN monitoring objects, which include data on the following:

• The total number of active VPN sessions
• The time each session started
• The Security Association (SA) elements for each session:
  – ESP encryption (DES or 3DES) and authentication algorithm (MD5 or SHA-1) types
  – AH algorithm type (MD5 or SHA-1)
  – Key exchange protocol (AutoKey IKE or Manual Key)
  – Phase 1 authentication method (Preshared Key or certificates)
  – VPN type (dialup or peer-to-peer)
  – Peer and local gateway IP addresses
  – Peer and local gateway IDs
  – Security Parameter Index (SPI) numbers
• Session status parameters
  – VPN monitoring status (up or down)
  – Tunnel status (up or down)
  – Phase 1 and 2 status (inactive or active)
  – Phase 1 and 2 lifetime (time in seconds before rekeying; Phase 2 lifetime is also reported in remaining bytes before rekeying)

Note: To enable your SNMP manager application to recognize the VPN monitoring MIBs, you must import the NetScreen-specific MIB extension files into the application. You can find the MIB extension files on the NetScreen documentation CD that shipped with your NetScreen device.
With VPN monitoring enabled, the NetScreen device also pings the remote gateway through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity between the two VPN gateways [3]. The source interface that the local NetScreen device uses to send and receive ping requests differs according to the type of device at the remote end of the tunnel and whether the local NetScreen device is operating at Layer 3 (NAT or Route mode) or Layer 2 (Transparent mode):

If the local device is operating at Layer 3:
  – and the remote device is a VPN client (such as the NetScreen-Remote), then the source-interface can be any interface* with an IP address and in any zone except in the MGT zone.
  – and the remote device is another NetScreen device, then regardless of what you specify as the source interface, the NetScreen device uses the outgoing interface as the source interface.

If the local device is operating at Layer 2:
  – and the remote device is a VPN client (such as the NetScreen-Remote), then you cannot use the VPN monitoring feature.
  – and the remote device is another NetScreen device, then regardless of what you specify as the source-interface, the NetScreen device uses the outgoing interface as the source interface.

* If the source-interface is in a different zone from the outgoing interface (or if it is in the same zone and intrazone blocking is enabled), you must create a policy permitting pings through the VPN tunnel.

Note: A VPN tunnel bound to a tunnel interface cannot support VPN monitoring.

The VPN monitoring MIB notes whether the ping elicits a response, a running average of successful responses, the latency of the response, and the average latency over the last 30 attempts.

If the ping activity indicates that the VPN status has changed (by exceeding a user-definable threshold [4] for the number of consecutive successful or unsuccessful ping requests), the NetScreen device triggers one of the following SNMP traps:

• Up to Down: The state of the VPN tunnel is up, but the ping request has not elicited a response after a specified consecutive number of ping requests.
• Down to Up: The state of the VPN tunnel is down, but the ping request elicits a response.

3. To change the ping interval, you can use the following CLI command: set vpnmonitor interval number. The default is 10 seconds.
4. To change the ping threshold, you can use the following CLI command: set vpnmonitor threshold number. The default is 10 consecutive ping requests.
To enable VPN monitoring, do the following:

WebUI

VPNs > Manual Key > New: Configure the VPN, click Advanced, select the VPN Monitor check box and choose an interface from the Source Interface drop-down list, click Return to go back to the basic VPN configuration page, and then click OK.

Or

VPNs > AutoKey IKE > New: Configure the VPN, click Advanced, select the VPN Monitor check box and choose an interface from the Source Interface drop-down list, click Return to go back to the basic VPN configuration page, and then click OK.

CLI

1. set vpn name_str monitor [ source-interface interface ] [5]
2. set vpnmonitor frequency number [6]
3. set vpnmonitor threshold number [7]
4. save

5. If you do not choose a source interface, the NetScreen device uses the outgoing interface as the default.
6. The VPN monitoring frequency is in seconds.
7. The VPN monitoring threshold number is the consecutive number of successful or unsuccessful ping requests that determines whether the remote gateway is reachable through the VPN tunnel or not.
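The monitoring behaviour described in the preceding pages (periodic pings, a threshold of consecutive successes or failures that flips the reported tunnel state and raises the Up to Down / Down to Up trap, latency averaged over the last 30 attempts) and the source-interface rules from the table, as an added Python model. This is not ScreenOS code; the class and function names, the ping sequence fed to simulate(), the interface names, and the reading of "exceeding the threshold" as "the run of consecutive results reaches the threshold" are this example's own assumptions. The defaults (threshold 10, window 30) are the values the page states.

```python
"""VPN monitoring ping logic and source-interface selection.

Added example (not ScreenOS code). Defaults follow the page: threshold of
10 consecutive pings and latency averaged over the last 30 attempts.
"""
from collections import deque


class VpnMonitor:
    def __init__(self, threshold: int = 10, window: int = 30):
        self.threshold = threshold          # consecutive pings that flip state
        self.tunnel_up = True               # monitor's view of the tunnel
        self.consecutive_ok = 0
        self.consecutive_fail = 0
        self.latencies = deque(maxlen=window)  # last `window` answered pings
        self.sent = 0
        self.answered = 0
        self.traps = []

    def record(self, latency_ms):
        """Record one ping; latency_ms is None when no reply arrived.
        Returns the trap raised by this ping, or None. The state flips when
        the run of failures (or successes) reaches the threshold; treating
        the threshold as inclusive is an assumption of this example."""
        self.sent += 1
        if latency_ms is None:
            self.consecutive_fail += 1
            self.consecutive_ok = 0
        else:
            self.answered += 1
            self.latencies.append(latency_ms)
            self.consecutive_ok += 1
            self.consecutive_fail = 0
        trap = None
        if self.tunnel_up and self.consecutive_fail >= self.threshold:
            self.tunnel_up, trap = False, "Up to Down"
            self.consecutive_fail = 0
        elif not self.tunnel_up and self.consecutive_ok >= self.threshold:
            self.tunnel_up, trap = True, "Down to Up"
            self.consecutive_ok = 0
        if trap:
            self.traps.append(trap)
        return trap

    def success_rate(self) -> float:
        """Running share of pings that were answered."""
        return self.answered / self.sent if self.sent else 0.0

    def avg_latency(self) -> float:
        """Average latency over the last `window` answered pings."""
        return sum(self.latencies) / len(self.latencies) if self.latencies else 0.0


def source_interface(local_layer: int, remote_is_netscreen: bool,
                     configured: str = None, outgoing: str = "ethernet3",
                     zone_of: dict = None) -> str:
    """Interface the monitor pings from, following the table on this page.
    Raises ValueError where the page says monitoring is not available."""
    zone_of = zone_of or {}
    if remote_is_netscreen:
        return outgoing      # configured source interface is ignored
    if local_layer == 2:
        raise ValueError("VPN monitoring unavailable at Layer 2 with a VPN client peer")
    if configured is None:
        return outgoing      # footnote 5: outgoing interface is the default
    if zone_of.get(configured) == "MGT":
        raise ValueError("source interface may not be in the MGT zone")
    return configured


def simulate(results, threshold: int = 3):
    """Feed a constructed ping sequence (latency in ms, or None) and return
    (traps raised, average latency rounded to 0.1 ms, final tunnel state)."""
    mon = VpnMonitor(threshold=threshold)
    for r in results:
        mon.record(r)
    return mon.traps, round(mon.avg_latency(), 1), mon.tunnel_up


if __name__ == "__main__":
    # Three misses in a row, then three replies: one trap each way.
    print(simulate([12, 15, None, None, None, 20, 18, 22], threshold=3))
```

Two consecutive misses followed by a reply raise nothing, which is the point of the threshold: a single lost ping over a congested tunnel should not generate a trap.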
Counters

NetScreen provides screen, hardware, and flow counters for monitoring traffic. Counters give processing information for specified interfaces and help you to verify configurations for desired policies.

NetScreen provides the following screen counters for monitoring general firewall behavior and for viewing the amount of traffic affected by specified policies:

• Block Java/Active X Component – the number of Java or ActiveX components blocked
• ICMP Flood Protection – the number of ICMP packets blocked as part of an ICMP flood
• UDP Flood Protection – the number of UDP packets dropped as part of a suspected UDP flood
• WinNuke Attack Protection – the number of packets detected as part of a suspected WinNuke attack
• Port Scan Protection – the number of port scans detected and blocked
• IP Sweep Protection – the number of IP sweep attack packets detected and blocked
• Tear-drop Attack Protection – the number of packets blocked as part of a Tear Drop attack
• SYN Flood Protection – the number of SYN packets detected as part of a suspected SYN flood
• IP Spoofing Attack Protection – the number of IP addresses blocked as part of an IP spoofing attack
• Ping-of-Death Protection – the number of suspected and rejected ICMP packets that are oversized or of an irregular size
• Source Route IP Option Filter – the number of IP source routes filtered
• Land Attack Protection – the number of packets blocked as part of a suspected land attack
• SYN Fragment Detection – the number of packet fragments dropped as part of a suspected SYN fragments attack
• TCP Packet without Flag – the number of illegal packets dropped with missing or malformed flags field
• Unknown Protocol Protection – the number of packets blocked as part of an unknown protocol
• Bad IP Option Detection – the number of frames discarded due to malformed or incomplete IP options
• IP Record Route Option – the number of frames detected with the Record Route option enabled
• IP Timestamp Option – the number of IP packets discarded with the Internet Timestamp option set
• IP Security Option – the number of frames discarded with the IP Security option set
• IP Loose Src Route Option – the number of IP packets detected with the Loose Source Route option enabled
• IP Strict Src Route Option – the number of packets detected with the Strict Source Route option enabled
• IP Stream Option – the number of packets discarded with the IP Stream identifier set
• ICMP Fragment – the number of ICMP frames with the More Fragments flag set, or with offset indicated in the offset field
• Large ICMP Packet – the number of ICMP frames detected with an IP length greater than 1024
• SYN and FIN bits set – the number of packets detected with an illegal combination of flags
• FIN bit with no ACK bit – the number of packets detected and dropped with an illegal combination of flags
• Malicious URL Protection – the number of suspected malicious URLs blocked
• limit session – the number of undeliverable packets because the session limit had been reached
• SYN-ACK-ACK-Proxy DoS – the number of blocked packets because of the SYN-ACK-ACK-proxy DoS SCREEN option

NetScreen provides the following hardware counters for monitoring hardware performance and packets with errors:

• in bytes – the number of bytes received
• out bytes – the number of bytes sent
• in packets – the number of packets received
• out packets – the number of packets sent
• in no buffer – the number of unreceivable packets because of unavailable buffers
• out no buffer – the number of unsent packets because of unavailable buffers
• in overrun – the number of transmitted overrun packets
• in underrun – the number of transmitted underrun packets
• in coll err – the number of incoming collision packets
• out coll err – the number of outgoing collision packets
• in crc err – the number of incoming packets with a cyclic redundancy check (CRC) error
• in align err – the number of incoming packets with an alignment error in the bit stream
• in short frame – the number of incoming packets with an in-short frame error
• out bs pak – the number of packets held in back store while searching for an unknown MAC address
• early frame – counters used in an ethernet driver buffer descriptor management
• late frame – counters used in an ethernet driver buffer descriptor management
• in err – the number of incoming packets with at least one error
• in unk – the number of UNKNOWN packets received
• in misc err – the number of incoming packets with a miscellaneous error
• out misc err – the number of outgoing packets with a miscellaneous error
• in dma err – the number of incoming packets with a dma error
• out discard – the number of discarded outgoing packets
• out defer – the number of deferred outgoing packets
• out heartbeat – the number of outgoing heartbeat packets
• re xmt limit – the number of dropped packets when the retransmission limit was exceeded while an interface was operating at half duplex
• drop vlan – the number of dropped packets because of missing VLAN tags, an undefined subinterface, or because VLAN trunking was not enabled when the NetScreen device was in Transparent mode
• out cs lost – the number of dropped outgoing packets because the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) protocol lost the signal [8]

8. For more information about the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) protocol, see the IEEE 802.3 standard available at http://standards.ieee.org.
NetScreen also provides the following flow counters [9] for monitoring the number of packets inspected at the flow level:

• in bytes – the number of bytes received
• out bytes – the number of bytes sent
• in packets – the number of packets received
• out packets – the number of packets sent
• in vlan – the number of incoming vlan packets
• out vlan – the number of outgoing vlan packets
• in arp req – the number of incoming arp request packets
• in arp resp – the number of outgoing arp request packets
• *in un auth – the number of unauthorized incoming TCP, UDP, and ICMP packets
• *in unk prot – the number of incoming packets using an unknown ethernet protocol
• in other – the number of incoming packets that are of a different Ethernet type
• no mac address – (NetScreen-5000 series only) the number of sessions that did not have MAC addresses for the source or destination IP addresses
• mac relearn – the number of times that the MAC address learning table had to relearn the interface associated with a MAC address because the location of the MAC address changed
• *slow mac – the number of frames whose MAC addresses were slow to resolve
• syn frag – the number of dropped SYN packets because of a fragmentation
• *misc prot – the number of packets using a protocol other than TCP, UDP, or ICMP
• mal url – the number of blocked packets destined for a URL determined to be malicious
• null zone – the number of dropped packets erroneously sent to an interface bound to the Null zone
• *no xmit vpnf – the number of dropped VPN packets due to fragmentation
• *no frag sess – the number of times that fragmented sessions were greater than half of the maximum number of NAT sessions

9. Counters preceded by an asterisk are not yet operational at the time of this writing and always display a value of 0.
• no frag netpak – the number of times that the available space in the netpak buffer fell below 70%
• sessn thresh – the threshold for the maximum number of sessions
• *no nsp tunnel – the number of dropped packets sent to a tunnel interface to which no VPN tunnel is bound
• ip sweep – the number of packets received and discarded beyond the specified ip sweep threshold
• tcp out of seq – the number of TCP packets received whose sequence number is outside the acceptable range
• wrong intf – (NetScreen-1000 only) the number of session creation messages sent from a processor module to the master processor module
• wrong slot – (NetScreen-1000 only) the number of packets erroneously sent to the wrong processor module
• *icmp broadcast – the number of ICMP broadcasts received
• mp fail – (NetScreen-1000 only) the number of times a problem occurred when sending a PCI message between the master processor module and the processor module
• proc sess – (NetScreen-1000 only) the number of times that the total number of sessions on a processor module exceeded the maximum threshold
• invalid zone – the number of packets destined for an invalid security zone
• in icmp – the number of Internet Control Message Protocol (ICMP) packets received
• in self – the number of packets addressed to the NetScreen Management IP address
• in vpn – the number of IPSec packets received
• trmn drop – the number of packets dropped by traffic management
• trmng queue – the number of packets waiting in the queue
• tiny frag – the number of tiny fragmented packets received
• connections – the number of sessions established since the last boot
• loopback drop – the number of packets dropped because the packets cannot be looped back
• tcp proxy – the number of packets dropped from using a TCP proxy such as the SYN flood protection option or user authentication
• no g parent – the number of packets dropped because the parent connection could not be found
• no gate sess – the number of terminated sessions because there were no gates in the firewall for them
• no nat vector – the number of packets dropped because the Network Address Translation (NAT) connection was unavailable for the gate
• no map – the number of packets dropped because there was no map to the trusted side
• no conn – the number of packets dropped because of unavailable Network Address Translation (NAT) connections
• no dip – the number of packets dropped because of unavailable Dynamic IP (DIP) addresses
• no gate – the number of packets dropped because no gate was available
• no route – the number of unroutable packets received
• no sa – the number of packets dropped because no Security Associations (SA) was defined
• no sa policy – the number of packets dropped because no policy was associated with an SA
• sa inactive – the number of packets dropped because of an inactive SA
• sa policy deny – the number of packets denied by an SA policy
• policy deny – the number of packets denied by a defined policy
• auth fail – the number of times user authentication failed
• big bkstr – the number of packets that are too big to buffer in the ARP backstore while waiting for MAC-to-IP address resolution
• land attack – the number of suspected land attack packets received
• no route – the number of unroutable packets received
• tear drop – the number of packets blocked as part of a suspected Tear Drop attack
• src route – the number of packets dropped because of the filter source route option
• pingdeath – the number of suspected Ping of Death attack packets received
• address spoof – the number of suspected address spoofing attack packets received
• url block – the number of HTTP requests that were blocked
• nvec err – the number of packets dropped because of NAT vector error
• enc fai – the number of failed Point-to-Point Tunneling Protocol (PPTP) packets
• illegal pak – the number of packets dropped because they are illegal packets
Example: Viewing Screen and Flow Counters

In this example, you view the NetScreen screen and flow counters for the ethernet1 interface.

WebUI

1. Reports > Interface > Screen Counters: Select ethernet1 from the Interface drop-down list.
2. Reports > Interface > Statistics: Select ethernet1 from the Interface drop-down list.

CLI

1. get counter screen interface ethernet1
2. get counter flow interface ethernet1
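The counters above are cumulative, so what an operator actually watches is how much each one grew between two polls. The following added Python example (not ScreenOS code, and not a parser of the real get counter output, whose format this page does not show) takes two constructed snapshots of the screen counters listed above, computes the increments correctly across a 32-bit counter wrap, and reports the watched counters whose increment reached a per-interval limit. The counter names are the screen counter names from this page; the snapshot values, the 32-bit width, and the thresholds in WATCH are constructed assumptions.

```python
"""Turning screen-counter increments into review items.

Added example (not ScreenOS code). Counter names are the screen counters
listed on this page; snapshot values, the 32-bit width, and the thresholds
are constructed for the example.
"""

COUNTER_WIDTH = 2 ** 32       # assumption: counters wrap at 32 bits

# Increment per polling interval that warrants a look (constructed values)
WATCH = {
    "SYN Flood Protection": 100,
    "ICMP Flood Protection": 100,
    "Port Scan Protection": 1,
    "IP Sweep Protection": 1,
    "IP Spoofing Attack Protection": 1,
    "Ping-of-Death Protection": 1,
}


def delta(before: int, after: int, width: int = COUNTER_WIDTH) -> int:
    """Increment between two samples, correct even if the counter wrapped."""
    return (after - before) % width


def counter_deltas(snap_a: dict, snap_b: dict) -> dict:
    """Per-counter increments; counters missing from either snapshot are skipped."""
    return {name: delta(snap_a[name], snap_b[name])
            for name in snap_a if name in snap_b}


def alerts(deltas: dict, interval_s: int, watch: dict = WATCH) -> list:
    """(counter, increment, rate per second) for watched counters whose
    increment reached the limit, largest increment first."""
    found = []
    for name, limit in watch.items():
        inc = deltas.get(name, 0)
        if inc >= limit:
            found.append((name, inc, inc / interval_s))
    return sorted(found, key=lambda item: item[1], reverse=True)


# Two constructed snapshots of "get counter screen interface ethernet1",
# 60 seconds apart. The SYN flood counter wraps between them.
SNAP_T0 = {
    "SYN Flood Protection": 4294967200,
    "ICMP Flood Protection": 10,
    "Port Scan Protection": 3,
    "IP Sweep Protection": 0,
    "IP Spoofing Attack Protection": 7,
    "Ping-of-Death Protection": 0,
    "Land Attack Protection": 0,
}
SNAP_T1 = {
    "SYN Flood Protection": 300,
    "ICMP Flood Protection": 20,
    "Port Scan Protection": 5,
    "IP Sweep Protection": 0,
    "IP Spoofing Attack Protection": 7,
    "Ping-of-Death Protection": 1,
    "Land Attack Protection": 0,
}


def run_demo(interval_s: int = 60) -> list:
    """Review items for the two constructed snapshots."""
    return alerts(counter_deltas(SNAP_T0, SNAP_T1), interval_s)


if __name__ == "__main__":
    for name, inc, rate in run_demo():
        print(f"{name}: +{inc} ({rate:.2f}/s)")
```

Without the modulo in delta(), the wrapped SYN flood counter would show a huge negative increment and the genuine 396 new SYN-flood packets in that minute would be missed.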
Asset Recovery Log

NetScreen provides an asset recovery log to display information about each time the device is returned to its default settings using the asset recovery procedure (see “Resetting the Device to the Factory Default Settings” on page 36). In addition to viewing the asset recovery log through the WebUI or CLI, you can also open or save the file to the location you specify. Use an ASCII text editor (such as Notepad) to view the file.

Example: Downloading the Asset Recovery Log

In this example, you download the asset recovery log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “sys_rst.txt”.

WebUI

1. Reports > System Log > Asset Recovery: Click Save.
   The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.
2. Select the Save this file to disk option, and then click OK.
   The File Download wizard prompts you to choose a directory.
3. Specify C:\netscreen\logs, name the file sys_rst.txt, and then click Save.

CLI

get log self > tftp 10.10.20.200 sys_rst.txt
Traffic Alarms

The NetScreen device supports traffic alarms when traffic exceeds thresholds that you have defined in policies. You can configure the NetScreen device to alert you through one or more of the following methods whenever the NetScreen device generates a traffic alarm:

• Console
• Internal (Event Log)
• SNMP
• Syslog
• WebTrends
• NetScreen-Global PRO

You set alarm thresholds to detect anomalous activity. To know what constitutes anomalous activity, you must first establish a baseline of normal activity. To create such a baseline for network traffic, you must observe traffic patterns over a period of time. Then, after you have determined the amount of traffic that you consider as normal, you can set alarm thresholds above that amount. Traffic exceeding that threshold triggers an alarm to call your attention to a deviation from the baseline. You can then evaluate the situation to determine what caused the deviation and whether you need to take action in response.

You can also use traffic alarms to provide policy-based intrusion detection and notification of a compromised system. Examples of the use of traffic alarms for these purposes are provided below.
Example: Policy-Based Intrusion Detection

In this example, there is a Web server with IP address 211.20.1.5 (and name “web1”) in the DMZ zone. You want to detect any attempts from the Untrust zone to access this Web server via Telnet. To accomplish this, you create a policy denying Telnet traffic from any address in the Untrust zone destined to the Web server named web1 in the DMZ zone, and you set a traffic alarm threshold at 64 bytes. Because the smallest size of IP packet is 64 bytes, even one Telnet packet attempting to reach the Web server from the Untrust zone will trigger an alarm.

WebUI

1. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: web1
   IP Address/Domain Name:
     IP/Netmask: (select), 211.20.1.5/32
   Zone: DMZ
2. Policies > (From: Untrust, To: DMZ) > New: Enter the following, and then click OK:
   Source Address:
     Address Book: (select), Any
   Destination Address:
     Address Book: (select), web1
   Service: Telnet
   Action: Deny
   > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
     Counting: (select)
     Alarm Threshold: 64 Bytes/Sec
CLI

1. set address dmz web1 211.20.1.5/32
2. set policy from untrust to dmz any web1 telnet deny count alarm 64
3. save

Example: Compromised System Notification

In this example, you use traffic alarms to provide notification of a compromised system. You have an FTP server with IP address 211.20.1.10 (and name ftp1) in the DMZ zone. You want to allow FTP-get traffic to reach this server. You don’t want traffic of any kind to originate from the FTP server. The occurrence of such traffic would indicate that the system has been compromised, perhaps by a virus similar to the NIMDA virus. You define an address for the FTP server in the Global zone, so that you can then create two global policies.

WebUI

1. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: ftp1
   IP Address/Domain Name:
     IP/Netmask: (select), 211.20.1.10/32
   Zone: Global
2. Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:
   Source Address:
     Address Book: (select), Any
   Destination Address:
     Address Book: (select), ftp1
   Service: FTP-Get
   Action: Permit
3. Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:
   Source Address:
     Address Book: (select), ftp1
   Destination Address:
     Address Book: (select), Any
   Service: ANY
   Action: Deny
   > Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:
     Counting: (select)
     Alarm Threshold: 64 Bytes/Sec

CLI

1. set address global ftp1 211.20.1.10/32
2. set policy global any ftp1 ftp-get permit
3. set policy global ftp1 any any deny count alarm 64
4. save
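The two examples above (a deny policy with counting and a 64 bytes/sec alarm used as intrusion detection, and a permit/deny pair on a Global-zone address used to notice a compromised host), as an added Python model of policy lookup with per-policy byte counting and alarm thresholds. This is not ScreenOS code: the Policy and Packet classes, the sample packets, the zone names, and the ordering rule that zone-specific policies are consulted before Global ones are this example's own; the address names, addresses, services, and thresholds are the ones the examples on this page use. Following the page's statement that a single 64-byte packet trips a 64 Bytes/Sec alarm, the alarm fires when the bytes counted in a second reach the threshold.

```python
"""Policy lookup with counting and traffic-alarm thresholds.

Added example (not ScreenOS code). Reproduces the two traffic-alarm
examples on this page: deny Telnet to web1 with a 64 bytes/sec alarm, and
permit FTP-get to ftp1 while alarming on any traffic that originates from
ftp1. All packets below are constructed.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

ADDRESS_BOOK = {  # name -> (zone, network); "Any" matches every address
    "web1": ("DMZ", "211.20.1.5/32"),
    "ftp1": ("Global", "211.20.1.10/32"),
}


@dataclass(frozen=True)
class Policy:
    id: int
    from_zone: str          # "Global" policies apply to any zone pair
    to_zone: str
    src: str
    dst: str
    service: str            # "ANY" matches any service
    action: str             # "permit" or "deny"
    alarm_bytes_per_sec: int = 0   # 0 = no counting, no alarm


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_zone: str
    dst_zone: str
    service: str
    size: int               # bytes, including IP header
    t: int                  # arrival time, whole seconds


def addr_matches(name: str, ip: str) -> bool:
    if name == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[name][1])


class Firewall:
    def __init__(self, policies):
        # Zone-specific policies are consulted before Global ones (assumption)
        self.policies = ([p for p in policies if p.from_zone != "Global"]
                         + [p for p in policies if p.from_zone == "Global"])
        self.bytes = defaultdict(int)   # (policy id, second) -> bytes counted
        self.alarms = []                # (policy id, second, bytes at alarm)

    def match(self, pkt: Packet):
        for p in self.policies:
            zones_ok = p.from_zone == "Global" or (
                p.from_zone == pkt.src_zone and p.to_zone == pkt.dst_zone)
            if (zones_ok and addr_matches(p.src, pkt.src_ip)
                    and addr_matches(p.dst, pkt.dst_ip)
                    and p.service in ("ANY", pkt.service)):
                return p
        return None

    def process(self, pkt: Packet) -> str:
        """Apply the first matching policy; count bytes and raise at most one
        alarm per policy per second once the threshold is reached."""
        p = self.match(pkt)
        if p is None:
            return "deny"               # default deny; nothing is counted
        if p.alarm_bytes_per_sec:
            key = (p.id, pkt.t)
            self.bytes[key] += pkt.size
            already = any(a[0] == p.id and a[1] == pkt.t for a in self.alarms)
            if self.bytes[key] >= p.alarm_bytes_per_sec and not already:
                self.alarms.append((p.id, pkt.t, self.bytes[key]))
        return p.action


POLICIES = [
    Policy(1, "Untrust", "DMZ", "Any", "web1", "Telnet", "deny", 64),
    Policy(2, "Global", "Global", "Any", "ftp1", "FTP-Get", "permit"),
    Policy(3, "Global", "Global", "ftp1", "Any", "ANY", "deny", 64),
]

SAMPLE_PACKETS = [  # constructed traffic
    Packet("1.2.3.4", "211.20.1.5", "Untrust", "DMZ", "Telnet", 64, 0),    # probe
    Packet("1.2.3.4", "211.20.1.5", "Untrust", "DMZ", "HTTP", 60, 0),      # no policy
    Packet("10.1.1.9", "211.20.1.10", "Untrust", "DMZ", "FTP-Get", 80, 1), # allowed
    Packet("211.20.1.10", "10.1.1.9", "DMZ", "Untrust", "HTTP", 60, 2),    # ftp1 talks out
    Packet("211.20.1.10", "10.1.1.9", "DMZ", "Untrust", "HTTP", 40, 2),    # same second
]


def run_demo():
    """Returns (action per packet, alarms raised) for the constructed traffic."""
    fw = Firewall(POLICIES)
    return [fw.process(pkt) for pkt in SAMPLE_PACKETS], fw.alarms


if __name__ == "__main__":
    print(run_demo())
```

The single 64-byte Telnet probe is enough to alarm on policy 1, while the outbound traffic from ftp1 accumulates across two packets in the same second before policy 3 alarms; the unmatched HTTP packet is dropped by the default deny without being counted at all, which is why an explicit counting policy is needed for detection.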
Example: Sending E-mail Alerts

In this example, you set up notification by e-mail alerts when there is an alarm. The mail server is at 172.16.10.254, the first e-mail address to be notified is [email protected], and the second address is [email protected]. The NetScreen device includes traffic logs with event logs sent via e-mail.

WebUI

Configuration > Report Settings > Email: Enter the following information, then click Apply:
   Enable E-Mail Notification for Alarms: (select)
   Include Traffic Log: (select)
   SMTP Server Name: 172.16.10.254 [10]
   E-Mail Address 1: [email protected]
   E-Mail Address 2: [email protected]

CLI

1. set admin mail alert
2. set admin mail mail-addr1 [email protected]
3. set admin mail mail-addr2 [email protected]
4. set admin mail server-name 172.16.10.254
5. set admin mail traffic-log
6. save

10. If you have DNS enabled, you can also use a host name for the mail server, such as mail.netscreen.com.
Appendix A

SNMP MIB Files

NetScreen provides MIB files to support SNMP communication between your organization’s applications and the SNMP agent in the NetScreen device. To obtain the latest MIB files, download them from www.netscreen.com/support.

The MIB files for the current ScreenOS version are fully compatible with SNMP agents in previous versions of ScreenOS. The NetScreen MIB files are organized in a multi-tier hierarchical structure and are described as follows:

• “The Primary-Level MIB File Folders” on page II
• “Secondary-Level MIB Folders” on page IV
  – “netscreenProducts” on page IV
  – “netScreenIds” on page V
  – “netscreenVpn” on page V
  – “netscreenQos” on page V
  – “netscreenSetting” on page VI
  – “netscreenZone” on page VI
  – “netscreenPolicy” on page VII
  – “netscreenNAT” on page VII
  – “netscreenAddr” on page VII
  – “netscreenService” on page VII
  – “netscreenSchedule” on page VII
  – “netscreenVsys” on page VIII
  – “netscreenResource” on page VIII
  – “netscreenIp” on page VIII
The Primary-Level MIB File Folders

The MIB files are arranged in a hierarchical folder structure. Each folder contains a category of MIB files. The primary-level MIB folders are as follows:

netscreenProducts    Assigns Object Identifiers (OIDs) to different NetScreen product series.
netscreenTrapInfo    Defines enterprise traps sent by the NetScreen device.
netscreenIDS         Defines the NetScreen device intrusion detection service (IDS) configuration.
netscreenVpn         Defines NetScreen device VPN configuration and runtime information.
netscreenQos         Defines NetScreen device Quality of Service configuration.
$$� ��&����6��6,A�4����
�,,,���
ttings, such as DHCP,
.
cluding the virtual
r the NetScreen device.
and Virtual IP.
the NetScreen device.
igured by the user.
ation.
source utilization.
.
�������� �#� ��$���%�"&��$����'������������� ��������
netScreenNsrp Defines NetScreen device NSRP configuration.
netscreenSetting Defines miscellaneous NetScreen device configuration seemail, authentication, and administrator.
netscreenZone Defines zone information residing in the NetScreen Device
netscreenInterface Defines the NetScreen device’s interface configuration, ininterface.
netscreenPolicy Defines the outgoing and incoming policy configuration fo
netscreenNAT Defines NAT configuration, including Map IP, Dynamic IP
netscreenAddr Represents the address table on a NetScreen interface.
netscreenService Describes services (including user-defined) recognized by
netscreenSchedule Defines NetScreen device task schedule information, conf
netscreenVsys Defines NetScreen device virtual system (VSYS) configur
netscreenResource Accesses information regarding the NetScreen device’s re
netscreenIp Accesses NetScreen device private IP-related information
netScreen Chassis Empty placeholder folder for future MIB support folders
$$� ��&����6��6,A�4����
�,����
Secondary-Level MIB Folders

This section describes the secondary-level MIB files for NetScreen devices. Each secondary-level folder contains subsequent-level folders or MIB files.

netscreenProducts
netscreenGeneric Generic object identifiers (OIDs) for NetScreen products
netscreenNs5 NetScreen-5XP OIDs
netscreenNs10 NetScreen-10XP OIDs
netscreenNs100 NetScreen-100 OIDs
netscreenNs1000 NetScreen-1000 OIDs
netscreenNs500 NetScreen-500 OIDs
netscreenNs50 NetScreen-50 OIDs
netscreenNs25 NetScreen-25 OIDs
netscreenNs204 NetScreen-204 OIDs
netscreenNs208 NetScreen-208 OIDs
netScreenIds

nsIdsProtect             IDS service on NetScreen device
nsIdsProtectSetTable     IDS service enabled on NetScreen device
nsIdsProtectThreshTable  IDS service threshold configuration
nsIdsAttkMonTable        Statistical information about intrusion attempts

netscreenVpn

netscreenVpnMon   Show SA information of VPN tunnel
nsVpnManualKey    Manual key configuration
nsVpnIke          IKE configuration
nsVpnGateway      VPN tunnel gateway configuration
nsVpnPhaseOneCfg  IPSec Phase One configuration
nsVpnPhaseTwoCfg  IPSec Phase Two configuration
nsVpnCert         Certificate configuration
nsVpnL2TP         L2TP configuration
nsVpnPool         IP pool configuration
nsVpnUser         VPN user configuration

netscreenQos

nsQosPly  QoS configuration on policy
netscreenSetting

nsSetGeneral    General configuration of NS device
nsSetAuth       Authentication method configuration
nsSetDNS        DNS server setting
nsSetURLFilter  URL filter setting
nsSetDHCP       DHCP server setting
nsSetSysTime    System time setting
nsSetEmail      Email setting
nsSetLog        Syslog setting
nsSetSNMP       SNMP agent configuration
nsSetGlbMng     Global management configuration
nsSetAdminUser  Administration user configuration
nsSetWebUI      Web UI configuration

netscreenZone

nsZoneCfg  Zone configuration for the device
netscreenPolicy

nsPlyTable     Policy configuration
nsPlyMonTable  Statistical information about each policy

netscreenNAT

nsNatMipTable  Mapped IP configuration
nsNatDipTable  Dynamic IP configuration
nsNatVip       Virtual IP configuration

netscreenAddr

nsAddrTable  Address table on a NetScreen interface

netscreenService

nsServiceTable           Service information
nsServiceGroupTable      Service group information
nsServiceGrpMemberTable  Service group member information

netscreenSchedule

nschOnceTable   One-time schedule information
nschRecurTable  Recurring schedule information
netscreenVsys

nsVsysCfg  NetScreen device virtual system (VSYS) configuration

netscreenResource

nsresCPU      CPU utilization
nsresMem      Memory utilization
nsresSession  Session utilization

Note: NetScreen no longer supports the failedSession counter.

netscreenIp

nsIpArp  ARP table
Index

A
administration
  CLI (Command Line Interface) 11
  restricting 37, 38
  WebUI 3
administrative traffic 42
alarms
  E-mail alert 82
  thresholds 82
  traffic 82–86
AutoKey IKE VPN 43

B
back store 76
bit stream 75
browser requirements 3

C
cables, serial 17
CLI 11, 42
command line interface
  See CLI
CompactFlash 56
configuration settings
  browser requirements 3
console 56
conventions
  WebUI iv
creating
  keys 9

D
DIP 79
Dynamic IP
  See DIP

E
E-mail alert notification 64, 65, 86

F
filter source route 79

H
HTTP 8
Hypertext Transfer Protocol
  See HTTP

I
inactive SA 79
in-short error 76
interfaces
  default 43
  MGT 42
internal flash storage 56
IP addresses
  manage IP 39

K
keys
  creating 9

L
logging 56–81
  CompactFlash (PCMCIA) 56
  console 56
  e-mail 56
  internal 56
  NetScreen-Global PRO 56
  recovery log 81
  self log 62
  SNMP 56, 66
  syslog 56, 63
  WebTrends 56, 63

M
manage IP 39
management client IP addresses 37
Management information base II
  See MIB II
management methods 11
  CLI 11
  console 17
  SSL 9
  Telnet 11
  WebUI 3
Management zone, interfaces 42
Manual Key
  VPNs 43
messages
  alert 57
  critical 57
  debug 57
  emergency 57
  error 57
  info 57
  notice 57
  warning 57
  WebTrends 64
MIB files I
MIB folders
  primary II
MIB II 26, 66

N
NAT vector error 79
NetScreen-Global PRO 18, 56
  Policy Manager 18
  Report Manager 18
NetScreen-Global PRO Express 18
  Realtime Monitor 18
Network Address Translation (NAT) 79

O
operating system 11

P
packets 78
  address spoofing attack 79
  collision 75
  denied 79
  dropped 79
  fragmented 78
  illegal 79
  incoming 75
  Internet Control Message Protocol (ICMP) 74, 78
  IPSec 78
  land attack 79
  Network Address Translation (NAT) 79
  Point to Point Tunneling Protocol (PPTP) 79
  received 75, 77
  transmitted underrun 75
  UNKNOWN 76
  unreceivable 75
  unroutable 79
parent connection 78
password
  forgetting 33
PCMCIA 56
ping 72
PKI
  key 9
Point-to-Point Tunneling Protocol (PPTP) 79
Policy Manager 18

R
RADIUS 33
Realtime Monitor 18
recovery log 81
Report Manager 18
reset
  scheduled 25
  to factory defaults 36

S
SA policy 79
scheduled reset 25
SCS 13–16
  authentication method priority 16
  automated logins 16
  connection procedure 14
  forcing PKA authentication only 16
  host key 14
  loading public keys, CLI 15
  loading public keys, TFTP 15, 16
  loading public keys, WebUI 15
  password authentication 13
  PKA 15
  PKA authentication 13
  PKA key 14
  server key 14
  session key 14
SCS (Secure Command Shell) 26
Secure Sockets Layer
  See SSL
Security Associations (SA) 79
self log 62
serial cables 17
SMTP server IP 86
SNMP 26, 66
  authentication failure trap 66
  cold start trap 66
  community, private 69
  community, public 69
  configuration 69
  encryption 43, 68
  implementation 68
  MIB files I
  MIB folders, primary II
  system alarm traps 66
  traffic alarm traps 66
  trap types 67
  traps 66
  VPN monitoring 71–72
SNMP traps
  100, hardware problems 67
  200, firewall problems 67
  300, software problems 67
  400, traffic problems 67
  500, VPN problems 67
  allow or deny 68
source route 79
SSL 9
SSL Handshake Protocol
  See SSLHP
SSLHP 9
syslog 56
  encryption 43, 63
  facility 64
  host 63
  host name 64, 65
  messages 63
  security facility 64

T
TCP
  proxy 78
Telnet 11, 25
traffic
  alarms 82–86

U
users
  multiple administrative users 27

V
virtual private network
  See VPNs
virtual system
  administrators 28
  read-only admins 28
VLAN1
  MGT zone 42
VPNs
  AutoKey IKE 43
  for administrative traffic 43
  Manual Key 43
  monitoring 86

W
Web browser requirements 3
Web user interface
  See WebUI
WebTrends 56, 63
  encryption 43, 63
  messages 64
WebUI 3, 42
WebUI, conventions iv

Z
zones
  MGT 42