NetScreen Concepts & Examples ScreenOS Reference Guide: Volume Administration (ScreenOS, Rev. E)

NetScreen_Concepts_and_Examples_for_ScreenOS_4.0_Vol._3



Copyright © 1998-2002 NetScreen Technologies, Inc. All rights reserved.

NetScreen, NetScreen Technologies, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. and NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote, GigaScreen, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.

NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.


Preface

NetScreen devices provide different ways for you to manage the devices, either locally or remotely. Volume 3, “Administration” describes the various methods for managing NetScreen devices and explains ScreenOS administrative levels. This volume also describes how to secure local and remote administration of NetScreen devices, and how to monitor device activity. An appendix contains brief descriptions of the NetScreen Management Information Base (MIB) files that support communications between NetScreen devices and SNMP management applications.

Conventions

This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The following sections introduce the conventions used in this book for both management methods.

WebUI Navigation Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links.

Example: Objects > Addresses > List > New

To access the new address configuration page, do the following:

1. Click Objects in the menu column.

The Objects menu option expands to reveal a subset of options for Objects.

2. (Applet menu1) Hover the mouse over Addresses.

(DHTML menu) Click Addresses.

The Addresses option expands to reveal a subset of options for Addresses.

3. Click List.

The address book list appears.

4. Click the New link in the upper right corner.

The new address configuration page appears.

1. You can choose either the applet or DHTML menu types by clicking the Toggle Menu option at the bottom of the menu column.

CLI Conventions

Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters

Each syntax description shows the dependencies between command features by using special characters.

• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.

• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.

• The | symbol denotes an “or” relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Nested Dependencies

Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

[ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command.

The following example shows some of the feature dependencies of the set interface command:

set interface vlan1 broadcast { flood | arp [ trace-route ] }

The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

ns-> set interface vlan1 broadcast flood

ns-> set interface vlan1 broadcast arp

ns-> set interface vlan1 broadcast arp trace-route
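The three delimiter rules form a small grammar, and expanding a syntax description into the commands it permits is a mechanical way to check them. The Python below is an added example written for this edit; it is not part of the NetScreen documentation or of ScreenOS. It tokenizes a syntax line, parses the { } [ ] and | delimiters into alternatives, and enumerates every permitted form, so the set interface line expands to exactly the three ns-> forms listed above, and the hypothetical clause shows why feature_1 on its own is not a valid command. Newlines are treated as whitespace, which covers a | at the end of a line.

```python
"""Expand a syntax description that uses the manual's dependency delimiters
({ } mandatory, [ ] optional, | or) into every command form it permits.
Constructed example; not part of ScreenOS or the NetScreen documentation."""
import itertools
import re

# each delimiter is its own token; everything else is a word (e.g. trace-route, ?)
_TOKEN = re.compile(r"[{}\[\]|]|[^\s{}\[\]|]+")


def tokenize(spec):
    """Split a syntax description on whitespace, keeping delimiters as tokens.
    Newlines count as whitespace, so a trailing | continues onto the next line."""
    return _TOKEN.findall(spec)


def parse(tokens):
    """Return a list of alternatives; each alternative is a sequence whose items
    are words or (kind, alternatives) groups, kind being 'mandatory' or 'optional'."""
    pos = 0

    def alternatives(closer):
        nonlocal pos
        alts = [[]]
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == closer:
                return alts
            if tok in "}]":
                raise ValueError(f"unbalanced {tok!r} at token {pos}")
            if tok == "|":
                alts.append([])  # an 'or' starts a new alternative
            elif tok == "{":
                alts[-1].append(("mandatory", alternatives("}")))
            elif tok == "[":
                alts[-1].append(("optional", alternatives("]")))
            else:
                alts[-1].append(tok)
        if closer is not None:
            raise ValueError(f"missing {closer!r}")
        return alts

    return alternatives(None)


def expand(alts):
    """Enumerate every word sequence that a list of alternatives permits."""
    forms = []
    for seq in alts:
        choices = []
        for item in seq:
            if isinstance(item, str):
                choices.append([[item]])
            else:
                kind, sub = item
                # an optional group may also be left out entirely
                choices.append(([[]] if kind == "optional" else []) + expand(sub))
        for combo in itertools.product(*choices):
            forms.append([word for part in combo for word in part])
    return forms


def command_forms(spec):
    """All complete commands a syntax description permits, in the manual's order."""
    return [" ".join(form) for form in expand(parse(tokenize(spec)))]


def is_valid_form(spec, command):
    """True when a typed command is one of the permitted forms."""
    return command.split() in [form.split() for form in command_forms(spec)]


def is_well_formed(spec):
    """True when the delimiters in a syntax description are balanced."""
    try:
        parse(tokenize(spec))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for form in command_forms("set interface vlan1 broadcast { flood | arp [ trace-route ] }"):
        print("ns->", form)
```

Running the block prints the three ns-> forms from the manual; is_valid_form is the useful check when writing a command from a syntax description, since it rejects feature_1 on its own while accepting feature_1 feature_3.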

Availability of CLI Commands and Features

As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model.

Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature’s availability using the ? switch. For example, the following commands list available options for the set vpn command:

ns-> set vpn ?

ns-> set vpn vpn_name ?

ns-> set vpn gateway gate_name ?

NetScreen Documentation

To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Chapter 1

Administration

This chapter describes various management methods and tools, ways to secure administrative traffic, and the administrative privilege levels that you can assign to admin users. This chapter contains the following sections:

• “Management Methods and Tools” on page 2

– “Web User Interface” on page 3

– “Command Line Interface” on page 11

– “NetScreen-Global PRO” on page 18

• “Administrative Interface Options” on page 25

• “Levels of Administration” on page 27

– “Defining Admin Users” on page 29

• “Securing Administrative Traffic” on page 31

– “Changing the Port Number” on page 32

– “Changing the Admin Login Name and Password” on page 33

– “Restricting Administrative Access” on page 37

– “Resetting the Device to the Factory Default Settings” on page 36

– “Manage IP” on page 39

– “Management Zone Interfaces” on page 42

– “Virtual Private Networks” on page 43

Management Methods and Tools

The management methods and the tools with which to apply each method are presented in the following sections:

• “Web User Interface” on page 3

– “HTTP” on page 8

– “Secure Sockets Layer” on page 9

• “Command Line Interface” on page 11

– “Telnet” on page 11

– “Secure Command Shell” on page 13

– “Serial Console” on page 17

• “NetScreen-Global PRO” on page 18

Web User Interface

For administrative ease and convenience, you can use the Web user interface (WebUI). NetScreen devices use Web technology that provides a Web-server interface to configure and manage the software.

To use the WebUI, you must have the following:

• Netscape Communicator (version 4.7 or later) or Microsoft Internet Explorer (version 5.5 or later)

• TCP/IP network connection to the NetScreen device

Figure: Web User Interface (WebUI), showing the menu column, the central display, the Help link, and the DHTML or applet menu toggle option.

Map of Navigation Levels in WebUI

The following diagram maps out the top three navigation levels in the WebUI1. Other levels exist as required by various ScreenOS features.

• Level 1 contains the options visible in the menu column.

• Level 2 contains more specific options for menu items in Level 1.

• Level 3 contains even more specific options for some of the options in Level 2.

1. If an option is preceded by an asterisk, it is only available on select NetScreen devices.

Figure: WebUI navigation map, Level 1 > Level 2 (Level 3), with the labels recovered from the diagram and grouped as the diagram lays them out:

Home

Configuration > Date/Time; Update (ScreenOS/Keys, Config File); Admin (Administrators, Permitted IPs, Management, *NACN, Banners); Auth (WebAuth, Firewall, Servers); URL Filtering; Report Settings (Log Settings, Email, SNMP, Syslog, WebTrends, NS Global PRO)

Network > DNS; Zones; Interfaces; Routing (Routing Table, Virtual Router); Redundancy (Settings, VSD Group, Track IP); Vsys

Policies

VPNs > AutoKey IKE; AutoKey Advanced (Gateway, P1 Proposal, P2 Proposal, XAuth Setting, VPN Groups); Manual Key; L2TP (Tunnel, Default Settings); Monitor Status

Objects > Addresses (List, Group, Summary); Services (Predefined, Custom, Group); Users (Local, External, Manual Key); User Groups (Local, Manual Key); IP Pools; Schedules; Group Expressions; Certificates

Reports > System Log (Event, Self, Asset Recovery); Interface; Policies; Active Users; remaining Level 3 labels in this group: System, Interface, Policies, Statistics, Flow Counter, Screen Count, Bandwidth

Wizards > *Initial Config; *Incoming Policy; Outgoing Policy; VPN

Help > Online Help; Registration; Knowledgebase; About

Logout

WebUI Help

You can view Help files for the WebUI at http://help.netscreen.com/help/english/<screenos_version>/ns<platform_number> (for example, http://help.netscreen.com/help/english/4.0.0/ns500).

You also have the option of relocating the Help files. You might want to store them locally and point the WebUI to either the administrator’s workstation or to a secured server on the local network. In case you do not have Internet access, storing the Help files locally provides accessibility to them you otherwise would not have.

Copying the Help Files to a Local Drive

The Help files are available on the documentation CD. You can modify the WebUI to point to the Help files on the CD in your local CD drive. You can also copy the files from the CD to a server on your local network or to another drive on your workstation and configure the WebUI to invoke the Help files from there.

1. Load the documentation CD in the CD drive of your workstation.

2. Navigate to that drive and copy the directory named help.

The Help directory contains the following subdirectories: english/<ScreenOS_number>/ns<platform_number>.

3. Navigate to the location you want to store the Help directory and paste it there.

Note: If you want to run the Help files directly from the documentation CD, you can skip this procedure. Proceed to “Pointing the WebUI to the New Help Location” on page 8.

Pointing the WebUI to the New Help Location

You must now redirect the WebUI to point to the new location of the Help directory. Change the default URL to the new file path, where

– <path> is the specific path to the Help directory from the administrator’s workstation

– <screenos_version> is the version of the ScreenOS loaded on the NetScreen device that you are managing

– <platform_number> is the platform number of the NetScreen device

1. Configuration > Admin > Management: In the Help Link Path field, replace the underlined section of the default URL http://help.netscreen.com/help/english/<screenos_version>/ns<platform_number>

with

(for local drive) file://<path>/ …

or

(for local server) http://<server_name>/<path>/ …

2. Click Apply.

When you click the help link in the upper right corner of the WebUI, the device now uses the new path that you specified in the Help Link Path field to locate the appropriate Help file.

HTTP

With a standard Web browser you can access, monitor, and control your network security configurations remotely using the Hypertext Transfer Protocol (HTTP).

You can secure HTTP traffic by either encapsulating it in a virtual private network (VPN) tunnel or through the Secure Sockets Layer (SSL) protocol. You can also secure it by completely separating management traffic from network user traffic. With some NetScreen device models, you can run all administrative traffic through the MGT interface, or devote an interface (such as the DMZ) entirely to administrative traffic.

Note: For more information, see “Virtual Private Networks” on page 43, “Secure Sockets Layer” (below), and “Management Zone Interfaces” on page 42.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and a Web server communicating over a TCP/IP network. NetScreen ScreenOS provides:

• Web SSL support

• SSL version 3 compatibility (not version 2)

• Netscape Communicator 4.7x and Internet Explorer 5.x compatibility2

• Public Key Infrastructure (PKI) key management integration (see “Public Key Cryptography” on page 4 -23.)

SSL is not a single protocol, but consists of the SSL Handshake Protocol (SSLHP), which allows the server and client to authenticate each other and negotiate an encryption method, and the SSL Record Protocol (SSLRP), which provides basic security services to higher-level protocols such as HTTP. These two protocols operate at the following two layers in the Open Systems Interconnection (OSI) model:

• SSLHP at the application layer (layer 7)

• SSLRP at the presentation layer (layer 6)

Independent of application protocol, SSL uses TCP to provide secure service. SSL uses certificates to authenticate first the server or both the client and the server, and then encrypt the traffic sent during the session. Before using SSL, you must first create a public/private key pair and then load a certificate. Because SSL is integrated with PKI key/certificate management, you can select the SSL certificate from one of the certificates in the certificate list. You can also use the same certificate for an IPSec VPN.

2. Check your Web browser to see how strong the ciphers can be and which ones your browser supports. (Both the NetScreen device and your Web browser must support the same kind and size of ciphers you use for SSL.) In Internet Explorer 5x, click Help, About Internet Explorer, and read “Cipher Strength.” To obtain the advanced security package, click the Update Information link. In Netscape Communicator, click Help, About Communicator, and read the section about RSA®. To change the SSL configuration settings, click Security Info, Navigator, Configure SSL v3.

Note: For information on obtaining certificates, see “Certificates and CRLs” on page 4 -29.

NetScreen supports the following encryption algorithms for SSL:

• RC4 with 40-bit and 128-bit keys

• DES: Data Encryption Standard

• 3DES: Triple DES

NetScreen supports the same authentication algorithms for SSL as for VPNs—Message Digest version 5 (MD5) and Secure Hash Algorithm version 1 (SHA-1). The RC4 algorithms are always paired with MD5; DES and 3DES with SHA-1.

The basic steps for setting up SSL are as follows:

1. Obtain a certificate and load it on the NetScreen device3.

For details on requesting and loading a certificate, see “Certificates and CRLs” on page 4 -29.

2. Enable SSL management:

Configuration > Admin > Management: Enter the following, and then click Apply:

Certificate: Select the certificate you intend to use from the drop-down list.

Cipher: Select the cipher you intend to use from the drop-down list.

3. Configure the interface through which you manage the NetScreen device to permit SSL management:

Network > Interfaces > Edit (for the interface you want to manage): Enable the SSL management service check box, and then click OK.

4. Connect to the NetScreen device via the SSL port. That is, when you type the IP address for managing the NetScreen device in your browser’s URL field, change “http” to “https”, and follow the IP address with a colon and the HTTPS (SSL) port number (for example, https://123.45.67.89:1443).

3. Be sure to specify a bit length that your Web browser also supports.

Command Line Interface

Advanced administrators can attain finer control by using the command line interface (CLI). To configure a NetScreen device with the CLI, you can use any software that emulates a VT100 terminal. With a terminal emulator, you can configure the NetScreen device using a console from any Windows, UNIX™, or Macintosh® operating system. For remote administration through the CLI, you can use Telnet or Secure Command Shell (SCS). With a direct connection through the console port, you can use Hyperterminal®.

Telnet

Telnet is a login and terminal emulation protocol that uses a client/server relationship to connect to and remotely configure network devices over a TCP/IP network. The administrator launches a Telnet client program on the administration workstation and creates a connection with the Telnet server program on the NetScreen device. After logging on, the administrator can issue CLI commands, which are sent to the Telnet program on the NetScreen device, effectively configuring the device as if operating through a direct connection. Using Telnet to manage NetScreen devices requires the following:

• Telnet software on the administrative workstation

• An Ethernet connection to the NetScreen device

You can secure Telnet traffic by encapsulating it in a virtual private network (VPN) tunnel4 or by completely separating it from network user traffic. Depending upon your NetScreen device model, you can run all administrative traffic through the MGT interface or devote an interface such as the DMZ entirely to administrative traffic.

Note: For a complete listing of the ScreenOS CLI commands, refer to the NetScreen CLI Reference Guide.

4. For information on VPN tunnels, see Volume 4, “VPNs”.

The setup procedure to establish a Telnet connection is as follows:

1. Telnet client sends a TCP connection request to port 23 on the NetScreen device (acting as a Telnet server).

2. NetScreen prompts the client to log on with a user name and password.

3. Client sends his user name and password—either in the clear or encrypted in a VPN tunnel.

Figure: Establishing a Telnet connection.

Secure Command Shell

The built-in Secure Command Shell (SCS) server on a NetScreen device provides a means by which administrators can remotely manage the device in a secure manner using Secure Shell (SSH). SSH allows you to open a remote command shell securely and execute commands. The SCS task running on the NetScreen device is an implementation of the SSH 1.x server component, which allows an SSH 1.x-compatible client console/terminal application to connect to a NetScreen device.

An administrator can connect to a NetScreen device with SSH using one of two authentication methods:

• Password Authentication: This method is used by administrators who need to configure or monitor a NetScreen device. The SSH client initiates an SSH connection to the NetScreen device. If SCS manageability is enabled on the interface receiving the connection request, the NetScreen device signals the SSH client to prompt the user for a user name and password. When the SSH client has this information, it sends it to the NetScreen device, which compares it with the user name and password in the admin user’s account. If they match, the NetScreen device authenticates the user. If they do not match, the NetScreen device rejects the connection request.

• Public Key Authentication (PKA): This method provides increased security over the password authentication method and allows you to run automated scripts. Basically, instead of a user name and password, the SSH client sends a user name and the public key component of an RSA public/private key pair. The NetScreen device compares it with up to four public keys that can be bound to an admin. If one of the keys matches, the NetScreen device authenticates the user. If none of them match, the NetScreen device rejects the connection request.

Figure: SSH client on the administrator’s workstation sending encrypted administrative traffic across the Internet to the SCS server (ScreenOS) on the NetScreen device.

Both authentication methods require the establishment of a secure connection before the SSH client logs on. The basic connection setup procedure is shown below:

1. SSH client sends a TCP connection request to port 22 on the NetScreen device (acting as an SCS server).

2. NetScreen and client exchange information about the SSH version they support.

3. NetScreen sends the public component of its host and server keys, a cookie, and the encryption and authentication algorithms it supports.

4. Client creates a secret session key, encrypts it with the public component of the NetScreen host and server keys, and then sends the session key to NetScreen.

5. NetScreen sends a confirmation message that it encrypts with the session key. The creation of a secure channel is complete.

6. NetScreen signals the SSH client to prompt the end user for authentication information.

7. Client encrypts a user name and either a password or the public component of its PKA key and sends them for authentication.

Establishing a secure connection for SSH

Host Key: Persistent RSA public/private key pair used to authenticate the NetScreen device and encrypt the session key. (NetScreen stores it in flash memory.)

Server Key: Temporary RSA public/private key pair used to encrypt the session key. (NetScreen generates a new one every hour by default.)

Session Key: Temporary secret key (DES or 3DES) that the client and NetScreen create together during the connection setup to encrypt communication. (When the session ends, it is discarded.)

PKA Key: Persistent RSA public/private key pair that resides on the SSH client. The client's public key must also be loaded on the NetScreen device before initiating an SSH connection.

Note: Public/Private Key Pair = A set of cryptographic keys such that what one encrypts the other (and only the other) can decrypt.
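The following Python model, added here as an example and not part of ScreenOS or of any SSH implementation, walks through steps 3 to 5 with both sides' messages. It uses textbook RSA on small throwaway keys and a stand-in keystream cipher in place of DES/3DES so that it runs offline; the names ScsServer, client_session_key, recover_session_key, client_verify and run_handshake are the example's own. What it demonstrates is the property behind the key definitions above: the session key travels encrypted under the server key and the host key together, so recovering it needs both private keys, and because the server key is regenerated every hour, a captured exchange cannot be decrypted later with the persistent host key alone.

```python
# Model of SSH 1.x session setup on an SCS server (added example, not ScreenOS code).
# Textbook RSA without padding on small throwaway keys plus a stand-in stream cipher:
# self-contained for illustration only, not usable as real cryptography.
import hashlib
import os
import random

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for throwaway example keys (n is always large here)."""
    if n < 2 or any(n % p == 0 and n != p for p in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits, e=65537):
    """Return (n, e, d) with an n of exactly `bits` bits."""
    half = bits // 2
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(half) | 1 << (half - 1) | 1
        while q == p or not _is_probable_prime(q):
            q = random.getrandbits(half) | 1 << (half - 1) | 1
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def session_id(host_n, server_n, cookie):
    """SSH1 session id: MD5 over host modulus, server modulus and cookie, in that order."""
    mp = lambda n: n.to_bytes((n.bit_length() + 7) // 8, "big")
    return hashlib.md5(mp(host_n) + mp(server_n) + cookie).digest()

def _stream(key, data):
    """Stand-in for the DES/3DES session cipher: XOR with a SHA-256 keystream. Not secure."""
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def client_session_key(pub):
    """Step 4: pick a 32-byte session key, XOR its first 16 bytes with the session id,
    then encrypt under the smaller-modulus key first and the larger one second."""
    sid = session_id(pub["host_n"], pub["server_n"], pub["cookie"])
    key = os.urandom(32)
    masked = bytes(k ^ s for k, s in zip(key[:16], sid)) + key[16:]
    small, large = sorted([(pub["server_n"], pub["server_e"]), (pub["host_n"], pub["host_e"])])
    inner = pow(int.from_bytes(masked, "big"), small[1], small[0])
    return key, pow(inner, large[1], large[0])  # inner < small_n < large_n, so it fits

def recover_session_key(enc, host_priv, server_priv, sid):
    """Server end of step 4: strip the larger key's layer, then the smaller one's, then unmask.
    Returns None when the result is not a 32-byte value, i.e. a private key was wrong."""
    small, large = sorted([server_priv, host_priv])  # (n, e, d) tuples sort on n
    m = pow(pow(enc, large[2], large[0]), small[2], small[0])
    if m.bit_length() > 256:
        return None
    masked = m.to_bytes(32, "big")
    return bytes(k ^ s for k, s in zip(masked[:16], sid)) + masked[16:]

class ScsServer:
    """The NetScreen side: persistent host key plus a server key regenerated hourly."""
    def __init__(self):
        self.host = rsa_keygen(384)  # persistent; the device keeps it in flash
        self.rotate_server_key()

    def rotate_server_key(self):
        self.server = rsa_keygen(320)  # temporary; a new one every hour by default

    def public_msg(self):
        """Step 3: public halves of both keys, a fresh cookie, the supported ciphers."""
        self.cookie = os.urandom(8)
        return {"host_n": self.host[0], "host_e": self.host[1], "server_n": self.server[0],
                "server_e": self.server[1], "cookie": self.cookie, "ciphers": ["3DES", "DES"]}

    def accept_session_key(self, enc):
        """Step 5: recover the session key; answer with a confirmation encrypted under it."""
        sid = session_id(self.host[0], self.server[0], self.cookie)
        self.session_key = recover_session_key(enc, self.host, self.server, sid)
        if self.session_key is None:
            raise ValueError("session key did not decrypt")
        return _stream(self.session_key, b"SSH_SMSG_SUCCESS")

def client_verify(session_key, confirmation):
    """Client end of step 5: the secure channel is up once the confirmation decrypts."""
    return _stream(session_key, confirmation) == b"SSH_SMSG_SUCCESS"

def run_handshake():
    """Steps 1-5 end to end; returns (client's key, server's key, channel established)."""
    srv = ScsServer()
    key, enc = client_session_key(srv.public_msg())
    conf = srv.accept_session_key(enc)
    return key, srv.session_key, client_verify(key, conf)
```

A real SSH 1.5 client pads the masked session key with random bytes before each RSA layer and the confirmation is sent under the negotiated cipher; both details are simplified away here. SSH protocol 1 itself is obsolete and current SSH clients disable it by default, so the model is for understanding the exchange, not for building on. Calling run_handshake() performs one handshake and returns both sides' keys together with the result of the confirmation check; calling rotate_server_key() on the server and then recover_session_key() with the captured ciphertext shows that the old exchange is no longer recoverable.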

After an SSH client has established an SSH connection with the NetScreen device, the administrator must authenticate either with a user name and password or with a user name and public key.

Both password authentication and PKA require that you create an account for the admin user on the NetScreen device and enable SCS manageability on the interface through which you intend to manage the NetScreen device via an SSH connection. (For information about creating an admin user account, see "Defining Admin Users" on page 29.) The password authentication method does not require any further setup on the SSH client.

On the other hand, to prepare for PKA, you must first perform the following tasks:

1. Using a key generation program on the SSH client, generate an RSA public and private key pair.

2. Move the public key from the local SSH directory to a directory on your TFTP server, and launch the TFTP program. (TFTP provides no authentication or integrity protection, so run the TFTP server on a trusted network segment and confirm that the key bound on the device is the one you generated.)

3. Log on to the NetScreen device so that you can configure it through the CLI.

4. To load the public key from the TFTP server to the NetScreen device, enter the following CLI command:

exec scs tftp pka-rsa [ username name ] file-name name_str ip-addr tftp_ip_addr

The username name option is only available to the root admin, so that only the root admin can bind an RSA key to another admin. When you—as the root admin or as a read/write admin—enter the command without a user name, the NetScreen device binds the key to your own admin account; that is, it binds the key to the admin that enters the command.

Note: If you want to use PKA for automated logins, you must also load an agent on the SSH client to decrypt the private key component of the PKA public/private key pair and hold the decrypted version of the private key in memory.

5. You can also paste the content of the public key file directly into the CLI command set scs pka-rsa [ username name_str ] key key_str (pasting it where indicated by the variable key_str), or into the Key field in the WebUI (Configuration > Admin > Management > SCS). However, the CLI and WebUI have a size restriction: the public key size cannot exceed 512 bits. This restriction is not present when loading the key via TFTP.

Note: The NetScreen device supports up to four PKA public keys per admin user.

When an administrator attempts to log on via SCS on an interface that has SCS manageability enabled, the NetScreen device first checks if a public key is bound to that administrator. If so, the NetScreen device authenticates the administrator using PKA. If a public key is not bound to the administrator, the NetScreen device prompts for a user name and password. (You can use the following command to force an admin to use only the PKA method: set admin scs password disable username name_str.) Regardless of the authentication method you intend the administrator to use, when you initially define his or her account, you still must include a password, even though when you later bind a public key to this user, the password becomes irrelevant.

Example: SCS with PKA for Automated Logins

In this example, you (as the root admin) set up SCS public key authentication (PKA) for a remote host that runs an automated script. The sole purpose for this remote host to access the NetScreen device is to download the configuration file every night. Because authentication is automated, no human intervention is necessary when the SSH client logs on to the NetScreen device.

You define an admin user account named cfg, with password cfg and read-write privileges. You enable SCS manageability on interface ethernet1, which is bound to the Untrust zone.

You have previously used a key generation program on your SSH client to generate an RSA public/private key pair, moved the public key file, which has the file name "idnt_cfg.pub", to a directory on your TFTP server, and launched the TFTP program. The IP address of the TFTP server is 10.1.1.5.

WebUI

1. Configuration > Admin > Administrators > New: Enter the following, and then click OK:

Name: cfg
New Password: cfg
Confirm Password: cfg
Privileges: ALL (select)

2. Interfaces > Edit (for ethernet1): Select SCS, and then click OK.

Note: You can only load a public key file for SCS from a TFTP server via the exec scs command.

CLI

1. set admin user cfg password cfg privilege read-write

2. set interface ethernet1 manage scs

3. exec scs tftp pka-rsa username cfg file-name idnt_cfg.pub ip-addr 10.1.1.5

4. save

Note: Because the cfg account exists only for an automated client, and its password is trivial, consider disabling password authentication for it once the key is bound (set admin scs password disable username cfg, described above), so that only the PKA key can log on through the Untrust-zone interface. You can further limit exposure by restricting the management client IP addresses (see "Restricting Administrative Access" on page 37).

Console

You can manage a NetScreen device through a direct serial connection from the administrator's workstation to the NetScreen device via the console port. Although a direct connection is not always possible, this is the most secure method for managing the device provided that the location around the NetScreen device is secure.

Depending on your NetScreen device model, creating a serial connection requires one of the following cables:

• A female DB-9 to male DB-25 straight-through serial cable

• A female DB-9 to male DB-9 straight-through serial cable

• A female DB-9 to male MiniDIN-8 serial cable

• A female DB-9 to RJ-45 adapter with an RJ-45 to RJ-45 straight-through ethernet cable

You will also need Hyperterminal software (or another kind of VT100 terminal emulator) on the management workstation, with the Hyperterminal port settings configured as follows:

– Serial communications 9600 bps

– 8 bit

– No parity

– 1 stop bit

– No flow control

Note: For more details on using Hyperterminal, see the "Getting Started" chapter in the NetScreen CLI Reference Guide or the "Initial Configuration" chapter in one of the installer's guides.

NetScreen-Global PRO

The NetScreen-Global PRO line of security management solutions consists of two products, both of which provide configuration and monitoring capabilities of large-scale deployments of NetScreen devices from a central location:

• NetScreen-Global PRO

• NetScreen-Global PRO Express

With NetScreen-Global PRO, you can manage up to 10,000 NetScreen devices from a single location. The Policy Manager component allows you to deploy policies to the NetScreen devices. The Report Manager component provides real-time and historical reports of system events and attack alarms.

With NetScreen-Global PRO Express, you can manage up to 100 NetScreen devices from a single location. NetScreen-Global PRO Express combines Policy Manager with Realtime Monitor, the real-time reporting component of Report Manager.

Using a role-based management scheme, NetScreen-Global PRO provides secure, concurrent access for multiple administrators with various privilege levels and access rights. These administrators can access relevant areas of the NetScreen-Global PRO system to make configuration changes and view reports and statistics.

Note: For more information, refer to the NetScreen-Global PRO documentation.

NetScreen Address Change Notification (NACN)

Before the NetScreen-Global PRO Policy Manager host (or "PM host") can contact a NetScreen device, it must have the current IP address of the NetScreen device interface. This is relatively easy when the NetScreen device has a static IP address on its monitor interface.

However, the monitor interface of a NetScreen device might have a dynamically assigned IP address, using either Point-to-Point Protocol over Ethernet (PPPoE) or Dynamic Host Configuration Protocol (DHCP). In these cases, the NetScreen device uses NetScreen Address Change Notification (NACN) to monitor a specific interface (referred to hereafter as the "monitor interface"), and then register with NetScreen-Global PRO the IP address of the monitor interface whenever it changes.

If you enable NACN on your NetScreen device (and in the NetScreen-Global PRO PM host; see note 6), the device automatically registers with NetScreen-Global PRO any new address assigned by PPPoE or DHCP. This prevents interruption of communication between NetScreen-Global PRO and the NetScreen device.

6. You must enter the serial number of the NetScreen device and the NACN password on the NetScreen-Global PRO PM host. For more information, refer to your NetScreen-Global PRO documentation.

The NetScreen device uses Secure Sockets Layer (SSL) to encrypt communications with NetScreen-Global PRO. The exchange is shown in the following illustration:

Note: For more information about SSL, see "Secure Sockets Layer" on page 9.

[Figure: NACN exchange between a NetScreen-5XP, its DHCP server, and the NetScreen-Global PRO Policy Manager host.]

1. DHCP server assigns new address to the untrust interface.

2. NetScreen initiates SSL connection.

3. PM host sends its certificate, which carries its public key. NetScreen verifies it with its CA certificate, and establishes an SSL connection.

4. NetScreen sends its NACN password, its serial number, policy domain, and the hash string of its SCS host key*.

5. PM host authenticates the NetScreen device and updates its database with the new address.

6. PM host sends a status reply—either a success or error message.

* The transmission of the SCS host key hash string is in preparation for NetScreen-Global PRO administration via SCS.

In addition to configuring and enabling NACN, you must also complete the following tasks:

• Enter the IP addresses and NACN passwords of the NetScreen-Global PRO primary (and secondary) Policy Manager (PM) hosts.

• Identify the monitor interface and enable manageability for SCS or Telnet (see note 7), or both, on that interface.

• Set the system clock on the NetScreen device.

• Activate the preinstalled CA certificate on the NetScreen device.

• (Optional) Enter the subject name of the X.509 certificate on the Global PRO server to prevent man-in-the-middle attacks.

Example: Setting Up NACN

In the following example, you enable NACN on a NetScreen device and configure the following NACN settings:

• Primary PM host IP address and password: 210.3.3.1; swordfish

• Secondary PM host IP address and password: 210.3.3.2; trout

• Policy domain on both the primary and secondary PM hosts: dept1

• Monitor interface: Untrust

• Port: 11122

• Subject name of the local certificate that the PM host sends: CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com

Using the CLI, you activate the preinstalled NetScreen CA certificate, phonehome1ca1, on the NetScreen device. When the NetScreen device initiates an SSL connection with the NetScreen-Global PRO PM host, this CA certificate can verify the default local certificate that the PM host sends.

When the IP address of the monitor interface on the NetScreen device changes, the NetScreen device initiates an SSL connection using the NACN protocol to port 11122 on the primary PM host at IP address 210.3.3.1.

You also enable the SCS server on the NetScreen device and SCS manageability on the untrust interface.

7. NetScreen-Global PRO can use either Secure Command Shell (SCS) or Telnet to send configuration changes to a NetScreen device. For security purposes, NetScreen recommends that you use SCS.
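The optional subject-name setting above is what stops a host that holds any other certificate from the same CA from passing itself off as the PM host. The following Python model, added as an example and not part of ScreenOS or NetScreen-Global PRO, shows such a check applied after the SSL handshake: it parses the pinned subject string in the form the example uses (ScreenOS attribute names, trailing comma included), normalizes the attribute names to the ones Python's ssl module returns from getpeercert(), and accepts the peer only when its subject carries exactly the pinned attributes. The two peer certificates are constructed samples, the exact-match, order-independent comparison is an assumption about how ScreenOS compares the string, and the names PINNED_DN, GOOD_PEER, ROGUE_PEER, parse_dn, peer_subject, subject_matches, verify_pm_host and pm_host_context are the example's own.

```python
# Subject-name check for the PM host certificate (added example, not ScreenOS code).
# Models the optional cert-subject setting: after the SSL chain check, the peer subject
# must equal the pinned DN, so any other certificate from the same CA is rejected.
import ssl

# ScreenOS-style attribute names -> the names Python's getpeercert() uses
SHORT_TO_LONG = {
    "CN": "commonName", "OU": "organizationalUnitName", "O": "organizationName",
    "L": "localityName", "ST": "stateOrProvinceName", "C": "countryName",
    "EMAIL": "emailAddress", "E": "emailAddress", "EMAILADDRESS": "emailAddress",
}

# Pinned value from the example above (trailing comma included, as the WebUI requires)
PINNED_DN = "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com,"

# Constructed sample peer certificates in getpeercert() layout: the genuine PM host
# and a second certificate issued by the same CA to a different subject.
GOOD_PEER = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "IL"),),
                (("localityName", "Chicago"),), (("organizationName", "Ajax"),),
                (("organizationalUnitName", "Marketing"),), (("commonName", "Marketing"),),
                (("emailAddress", "jdoe@ajax.com"),)),
    "issuer": ((("organizationalUnitName", "(c) 2001 NetScreen Technologies"),),),
}
ROGUE_PEER = {
    "subject": ((("countryName", "US"),), (("stateOrProvinceName", "IL"),),
                (("localityName", "Chicago"),), (("organizationName", "Ajax"),),
                (("organizationalUnitName", "Sales"),), (("commonName", "Sales"),),
                (("emailAddress", "mallory@ajax.com"),)),
    "issuer": ((("organizationalUnitName", "(c) 2001 NetScreen Technologies"),),),
}

def parse_dn(dn):
    """'CN=Marketing,...,Email=jdoe@ajax.com,' -> [('commonName', 'Marketing'), ...].
    Assumes attribute values contain no commas, which holds for the example DN."""
    pairs = []
    for part in dn.split(","):
        part = part.strip()
        if not part:  # the trailing comma ScreenOS expects yields an empty element
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = (s.strip() for s in part.split("=", 1))
        pairs.append((SHORT_TO_LONG.get(attr.upper(), attr), value))
    return pairs

def peer_subject(cert):
    """Flatten the subject tuple-of-tuples from getpeercert() into (attr, value) pairs."""
    return [(attr, value) for rdn in cert.get("subject", ()) for attr, value in rdn]

def subject_matches(expected_dn, cert):
    """True only when the peer subject carries exactly the pinned attributes (order ignored)."""
    return sorted(parse_dn(expected_dn)) == sorted(peer_subject(cert))

def verify_pm_host(expected_dn, cert):
    """Post-handshake gate: returns (ok, reason); run before the NACN password is sent."""
    if not cert:
        return False, "no peer certificate presented"
    if subject_matches(expected_dn, cert):
        return True, "peer subject matches pinned DN"
    got = ",".join("%s=%s" % pair for pair in peer_subject(cert))
    return False, "peer subject mismatch: " + got

def pm_host_context(ca_file):
    """Client context for the PM host connection: the chain must validate against the
    given CA file; hostname checking is off because identity is pinned on the DN instead."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```

pm_host_context shows the companion setting on a Python client: chain validation against the activated CA stays mandatory, while hostname matching is switched off because the PM host is identified by its subject DN rather than by a DNS name. Run verify_pm_host on the dictionary returned by getpeercert() before the NACN password and serial number are sent in step 4 of the exchange; a certificate that merely chains to the same CA, or that lacks one of the pinned attributes, is refused.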

WebUI

1. Configuration > Admin > NACN: Enter the following, and then click Apply:

Enable NACN: (select)

Primary PM Host

Hostname/IP Address: 210.3.3.1
Password: swordfish
Policy Domain: dept1 (see note 8)
Monitored Interface: Untrust
Port: 11122
Selected CA: OU=(c) 2001 NetScreen Technologies
Cert Subject Name: CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com, (see note 9)

Note: You can only activate the preinstalled CA certificate "phonehome1ca1" via the CLI command exec pki x509 install-factory-certs phonehome1ca1.

8. Defining the policy domain is not necessary, but doing so expedites the search for the NetScreen device among the potentially great number of policy domains on the Global PRO database.

9. Be sure to include the final comma at the end of the Cert Subject Name string. This is the same certificate name as that used by the Policy Manager console to log on to the Policy Manager host. For more information, refer to your NetScreen-Global PRO documentation.

Secondary PM Host

Hostname/IP Address: 210.3.3.2
Password: trout
Policy Domain: dept1
Monitored Interface: Untrust
Port: 11122
Selected CA: OU=(c) 2001 NetScreen Technologies
Cert Subject Name: CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com,

SCS

2. Configuration > Admin > Management: Select the Enable SCS check box, and then click Apply.

3. Network > Interfaces > Edit (for untrust): Enter the following, and then click OK:

Management Services:
SCS: (select)

CLI

1. exec pki x509 install-factory-certs phonehome1CA1

2. get ssl ca-list

Note: The get ssl ca-list command displays the currently active CA certificates, along with their ID numbers. For this example, assume that one of the listed CA certificates has an ID number of 2.

Primary PM Host

3. set global-pro policy-manager primary ca-idx 2

4. set global-pro policy-manager primary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com," (see note 10)

5. set global-pro policy-manager primary outgoing untrust

6. set global-pro policy-manager primary host 210.3.3.1

7. set global-pro policy-manager primary password swordfish

8. set global-pro policy-manager primary policy-domain dept1

Secondary PM Host

9. set global-pro policy-manager secondary ca-idx 2

10. set global-pro policy-manager secondary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=jdoe@ajax.com,"

11. set global-pro policy-manager secondary outgoing untrust

12. set global-pro policy-manager secondary host 210.3.3.2

13. set global-pro policy-manager secondary password trout

14. set global-pro policy-manager secondary policy-domain dept1

SCS

15. set scs enable

16. set interface untrust manage scs

17. set global-pro policy-manager nacn

18. save

10. Be sure to include the final comma at the end of the Cert Subject Name string. This is the same certificate name as that used by the Policy Manager console to log on to the Policy Manager host. For more information, refer to your NetScreen-Global PRO documentation.

Administrative Interface Options

You can configure a NetScreen device to allow administration of the device through one or more interfaces. For example, you might have local management access the device through an interface bound to the Trust zone and remote management through an interface bound to the Untrust zone. On NetScreen devices that have multiple physical interfaces for network traffic (but no dedicated management interface), you might dedicate one physical interface exclusively for administration, separating management traffic completely from network user traffic.

To enable an interface to allow various methods of administration to traverse it through the WebUI and the CLI, do the following:

WebUI

Network > Interfaces > Edit (for the interface you want to edit): Select the following management service options, and then click OK (see note 11):

WebUI: Selecting this option allows the interface to receive HTTP traffic for management via the Web user interface (WebUI).

Telnet: A terminal emulation program for TCP/IP networks such as the Internet, Telnet is a common way to remotely control network devices. Selecting this option enables Telnet manageability.

SCS: You can administer the NetScreen device from an Ethernet connection or a dial-in modem using Secure Command Shell (SCS), which is SSH-compatible. You must have an SSH client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95 and later, Windows NT, Linux, and UNIX. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability.

11. Through the CLI, you can schedule the NetScreen device to reset at a time that is convenient for maintaining uninterrupted network operation: set timer date_str time_str action reset.

SNMP: The NetScreen device supports the Simple Network Management Protocol version 1 (SNMPv1), described in RFC-1157, and all relevant Management Information Base II (MIB II) groups, as defined in RFC-1213. Selecting this option enables SNMP manageability.

SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the WebUI.

NS-Global PRO: Selecting this option allows the interface to receive NetScreen-Global PRO traffic.

Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or ping, which determines whether a specific IP address is accessible over the network.

Ident-Reset: Services like Mail and FTP send identification requests. If they receive no acknowledgement, they send the request again. While the request is processing, there is no user access. By enabling the Ident-reset option, the NetScreen device sends a TCP reset announcement in response to an IDENT request to port 113 and restores access that has been blocked by an unacknowledged identification request.

CLI

To enable all the management services and ping (but not ident-reset):

set interface interface manage

To enable specific management and network services:

set interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }

Levels of Administration

NetScreen devices support multiple administrative users. For any configuration changes made by an administrator, the NetScreen device logs the following information:

• The name of the administrator making the change

• The IP address from which the change was made

• The time of the change

There are several levels of administrative user. The availability of some of these levels depends on the model of your NetScreen device. The following sections list all the admin levels and the privileges for each level. These privileges are only accessible to an admin after he or she successfully logs in with a valid user name and password.

Root Administrator

The root administrator has complete administrative privileges. There is only one root administrator per NetScreen device. The root administrator has the following privileges:

• Manages the root system of the NetScreen device

• Adds, removes, and manages all other administrators

• Establishes and manages virtual systems, and assigns physical or logical interfaces to them

• Creates, removes, and manages virtual routers (VRs)

• Adds, removes, and manages security zones

• Assigns interfaces to security zones

Read/Write Administrator

The read/write administrator has the same privileges as the root administrator, but cannot create, modify, or remove other admin users. The read/write administrator has the following privileges:

• Creates virtual systems and assigns a virtual system administrator for each one

• Monitors any virtual system

• Tracks statistics (a privilege that cannot be delegated to a virtual system administrator)

Read-Only Administrator

The read-only administrator has only viewing privileges using the WebUI, and can only issue the get and ping CLI commands. The read-only administrator has the following privileges:

• Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping

• Read-only privileges in virtual systems

Virtual System Administrator

Some NetScreen devices support virtual systems. Each virtual system (vsys) is a unique security domain, which can be managed by virtual system administrators with privileges that apply only to that vsys. Virtual system administrators independently manage virtual systems through the CLI or WebUI. On each vsys, the virtual system administrator has the following privileges:

• Creates and edits auth, IKE, L2TP, XAuth, and Manual Key users

• Creates and edits services

• Creates and edits policies

• Creates and edits addresses

• Creates and edits VPNs

• Modifies the virtual system administrator login password

• Creates and manages security zones

Virtual System Read-Only Administrator

A virtual system read-only administrator has the same set of privileges as a read-only administrator, but only within a specific virtual system. A virtual system read-only administrator has viewing privileges for his particular vsys through the WebUI, and can only issue the enter, exit, get, and ping CLI commands within his vsys.

Note: For more information on virtual systems, see "Virtual Systems" on page 6-1.

Defining Admin Users

The root administrator is the only one who can create, modify, and remove admin users. In the following example, the one performing the procedure must be a root administrator.

Example: Adding a Read-Only Admin

In this example, you—as the root admin—add a read-only administrator named Roger with password 2bd21wG7.

WebUI

Configuration > Admin > Administrators > New: Enter the following, and then click OK:

Name: Roger
New Password: 2bd21wG7 (see note 12)
Confirm Password: 2bd21wG7
Privileges: READ ONLY

CLI

1. set admin user Roger password 2bd21wG7 privilege read-only

2. save

12. The password can be up to 31 characters long and is case sensitive.

Example: Modifying an Admin

In this example, you—as the root admin—change Roger's privileges from read-only to read/write.

WebUI

Configuration > Admin > Administrators > Edit (for Roger): Enter the following, and then click OK:

Name: Roger
New Password: 2bd21wG7
Confirm Password: 2bd21wG7
Privileges: ALL

CLI

1. set admin user Roger password 2bd21wG7 privilege all

2. save

Example: Deleting an Admin

In this example, you—as the root admin—delete the admin user Roger.

WebUI

Configuration > Admin > Administrators: Click Remove in the Configure column for Roger.

CLI

1. unset admin user Roger

2. save

Securing Administrative Traffic

To secure the NetScreen device during setup, perform the following steps:

1. On the Web interface, change the administrative port.

See "Changing the Port Number" on page 32.

2. Change the user name and password for administration access.

See "Changing the Admin Login Name and Password" on page 33.

3. Define the management client IP addresses for the admin users.

See "Restricting Administrative Access" on page 37.

4. Turn off any unnecessary interface management service options.

See "Administrative Interface Options" on page 25.

5. Disable the ping and ident-reset service options on the interfaces, both of which respond to requests initiated by unknown parties and can reveal information about your network:

WebUI

Network > Interfaces > Edit (for the interface you want to edit): Disable the following service options, and then click OK:

Ping: Selecting this option allows the NetScreen device to respond to an ICMP echo request, or "ping," which determines whether a specific IP address is accessible from the device.

Ident-Reset: When a service such as Mail or FTP sends an identification request and receives no acknowledgment, it sends the request again. While the request is in progress, user access is disabled. With the Ident-Reset checkbox enabled, the NetScreen device automatically restores user access.

CLI

unset interface interface manage ping

unset interface interface manage ident-reset

Changing the Port Number

Changing the port number on which the NetScreen device listens for HTTP management traffic improves security. The default setting is port 80, the standard port number for HTTP traffic. After you change the port number, you must then type the new port number in the URL field in your Web browser when you next attempt to contact the NetScreen device. (In the following example, the administrator needs to enter http://10.1.1.1:15522.) Note that a non-standard port only keeps the management interface out of casual scans; the HTTP session itself is still unencrypted. Where the device supports it, enable SSL for the WebUI and SCS rather than Telnet for the CLI (see "Administrative Interface Options" on page 25), and restrict the management client IP addresses.

Example: Changing the Port Number

In this example, the IP address of the interface bound to the Trust zone is 10.1.1.1/24. To manage the NetScreen device via the WebUI on this interface, you must use HTTP. To increase the security of the HTTP connection, you change the HTTP port number from 80 (the default) to 15522.

WebUI

Configuration > Admin > Management: In the HTTP Port field, type 15522, and then click Apply.

CLI

1. set admin port 15522

2. save

Changing the Admin Login Name and Password

By default, the initial login name for NetScreen devices is netscreen. The initial password is also netscreen. Because these have been widely published, you should change the login name and password immediately. The login name and password are both case-sensitive. Each must be one word, alphanumeric, with no symbols. Record the new admin login name and password in a secure manner.

Admin users for the NetScreen device can be authenticated using the internal database or an external auth server (see note 13). When the admin user logs on to the NetScreen device, it first checks the local internal database for authentication. If there is no entry present and an external auth server is connected, it then checks for a matching entry in the external auth server database. After an admin user successfully logs on to an external auth server, the NetScreen device caches that admin's login status from the external auth server locally. When the admin user is managing or monitoring the NetScreen device via the WebUI, the cached data greatly expedites the continual authentication checks that HTTP requires every time the admin user clicks a link. By referring to the local cache, the NetScreen device does not have to relay authentication checks between the user and the external auth server, and can thereby provide faster responses to the user's actions.

When the root admin changes any attribute of an admin user's profile—user name, password, or privilege—any administrative session that that admin currently has open automatically terminates. If the root admin changes any of these attributes for himself, or if a root-level read/write admin or vsys read/write admin changes his own password, all of that user's currently open admin sessions (see note 14) terminate, other than the one in which he made the change.

Warning: Be sure to record your new password. If you forget it, you must reset the NetScreen device to its factory settings, and all your configurations will be lost. For more information, see "Resetting the Device to the Factory Default Settings" on page 36.

13. NetScreen supports RADIUS, SecurID, and LDAP servers for admin user authentication. (For more information, see "Admin Users" on page 2-338.) Although the root admin account must be stored on the local database, you can store root-level read/write and root-level read-only admin users on an external auth server. To store root-level and vsys-level admin users on an external auth server and query their privileges, the server must be RADIUS and you must load the netscreen.dct file on it. (See "NetScreen Dictionary File" on page 2-257.)

Note: For more information about admin user levels, see "Levels of Administration" on page 27. For more about using external auth servers, see "External Auth Servers" on page 2-252.

14. The behavior of an HTTP or HTTPS session using the WebUI is different. Because HTTP does not support a persistent connection, any change that you make to your own user profile automatically logs you out of that and all other open sessions.

Example: Changing an Admin User’s Login Name and Password

The root administrator has decided to change a super administrator’s login name from John to Smith and his password from xL7s62a1 to 3MAb99j2.¹⁵

WebUI

Configuration > Admin > Administrators > Edit (for John): Enter the following, and then click OK:

Name: Smith

Old Password: xL7s62a1

New Password: 3MAb99j2

Confirm Password: 3MAb99j2

CLI

1. unset admin user John

2. set admin user Smith password 3MAb99j2 privilege all

3. save

Note: For information on the different levels of administrators, see “Levels of Administration” on page 27.

15. Instead of using actual words for passwords, which might be guessed or discovered through a dictionary attack, you can use an apparently random string of letters and numbers. To create such a string that you can easily remember, compose a sentence and use the first letter from each word. For example, “Charles will be 6 years old on November 21” becomes “Cwb6yooN21.”

Example: Changing One’s Own Password

Non-root users can change their own administrator password, but not their login name. In this example, a super administrator with the login name “starling” is changing her password from 3MAb99j2 to ru494Vq5.

WebUI

Configuration > Admin > Administrators > Edit (for first entry): Enter the following, and then click OK:

Name: starling

Old Password: 3MAb99j2

New Password: ru494Vq5

Confirm Password: ru494Vq5

CLI

1. set admin password ru494Vq5

2. save

Resetting the Device to the Factory Default Settings

If the admin password is lost, you can use the following procedure to reset the NetScreen device to its default settings. The configurations will be lost, but access to the device will be restored. To perform this operation, you need to make a console connection, which is described in detail in the NetScreen CLI Reference Guide and the installer’s guides.

1. At the login prompt, type the serial number of the device.

2. At the password prompt, type the serial number again.

The following message appears:

!!!! Lost Password Reset !!!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/n

3. Press the y key.

The following message appears:

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/n

4. Press the y key to reset the device.

You can now log on using netscreen as the default username and password.

Note: By default the device recovery feature is enabled. You can disable it by entering the unset admin device-reset command. Also, if the NetScreen device is in FIPS mode, the recovery feature is automatically disabled.

Restricting Administrative Access

You can administer NetScreen devices from one or multiple addresses of a subnet. By default, any host on the trusted interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure management client IP addresses.

Example: Restricting Administration to a Single Workstation

In this example, the administrator at the workstation with the IP address 172.16.40.42 is the only administrator specified to manage the NetScreen device.

WebUI

Configuration > Admin > Permitted IPs: Enter the following, and then click Add:

IP Address/Netmask: 172.16.40.42/32

CLI

1. set admin manager-ip 172.16.40.42/32

2. save

Note: The assignment of a management client IP address takes effect immediately. If you are managing the device via a network connection and your workstation is not included in the assignment, the NetScreen device immediately terminates your current session and you are no longer able to manage the device from that workstation.

Example: Restricting Administration to a Subnet

In this example, the group of administrators with workstations in the 172.16.40.0/24 subnet are specified to manage a NetScreen device.

WebUI

Configuration > Admin > Permitted IPs: Enter the following, and then click Add:

IP Address/Netmask: 172.16.40.0/24

CLI

1. set admin manager-ip 172.16.40.0 255.255.255.0

2. save
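Before applying a permitted-IP list from a network session, it helps to evaluate it offline. The following Python is an added example (not ScreenOS code and not from the guide): it parses manager-ip entries in both notations the examples use, tests whether a source address is covered, and reproduces the lockout case from the note above; the function names and the third sample entry are constructed for this example.

```python
import ipaddress

# Constructed list of manager-ip entries in the two forms the CLI examples
# use: prefix length ("172.16.40.42/32") and dotted mask
# ("172.16.40.0 255.255.255.0"). The third entry is constructed for the
# example and is not from the guide.
MANAGER_IP_ENTRIES = [
    "172.16.40.42/32",
    "172.16.40.0 255.255.255.0",
    "10.99.0.0 255.255.0.0",
]


def parse_manager_ip(entry):
    """Convert one manager-ip entry into an IPv4Network.

    "a.b.c.d/len" and "a.b.c.d m.m.m.m" are both accepted; a bare address
    is treated as a single host (/32), matching the single-workstation
    example above.
    """
    parts = entry.split()
    if len(parts) == 2:                      # dotted-mask form
        network = f"{parts[0]}/{parts[1]}"
    elif "/" in entry:                       # prefix-length form
        network = entry
    else:                                    # bare host address
        network = f"{entry}/32"
    return ipaddress.IPv4Network(network, strict=False)


def is_permitted(source_ip, entries):
    """True if source_ip is covered by at least one manager-ip entry.

    Once any entry exists, only addresses inside some entry may manage the
    device, which is the restriction the page describes.
    """
    src = ipaddress.IPv4Address(source_ip)
    return any(src in parse_manager_ip(e) for e in entries)


def plan_manager_ip_change(session_ip, new_entries):
    """Build the CLI lines for a new permitted-IP list and pre-check them.

    Returns (cli_lines, warning). The warning reproduces the note above:
    the assignment takes effect immediately, so a list that omits the
    workstation of the current session ends that session.
    """
    cli_lines = [f"set admin manager-ip {e}" for e in new_entries] + ["save"]
    warning = None
    if not is_permitted(session_ip, new_entries):
        warning = (f"{session_ip} is not covered by the new entries; applying "
                   "them from this session would lock this workstation out")
    return cli_lines, warning


if __name__ == "__main__":
    for ip in ("172.16.40.42", "172.16.40.200", "172.16.41.5"):
        print(ip, "permitted" if is_permitted(ip, MANAGER_IP_ENTRIES) else "denied")
    lines, warn = plan_manager_ip_change("192.168.1.50", ["172.16.40.42/32"])
    print("\n".join(lines))
    print("WARNING:", warn)
```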

Manage IP

Any interface you bind to a security zone can have at least two IP addresses:

• An interface IP address, which connects to a network.

• A logical manage IP address for receiving administrative traffic.

When a NetScreen device is a backup unit in a redundant group for High Availability (HA), you can access and configure the unit through its manage IP address (or addresses).

Example: Setting Manage IPs for Multiple Interfaces

In this example, ethernet2 is bound to the DMZ zone and ethernet3 is bound to the Untrust zone. You set the management options on each interface to provide access for the specific kinds of administrative traffic using each interface. You allow HTTP, SNMP, and Telnet access on ethernet2 for a group of local administrators in the DMZ zone, and NetScreen-Global PRO access on ethernet3 for central management from a remote site. Ethernet2 and ethernet3 each have a manage IP address, to which the various kinds of administrative traffic are directed.

Note: The manage IP address differs from the VLAN1 address in the following two ways:

• When the NetScreen device is in Transparent mode, the VLAN1 IP address can be the endpoint of a VPN tunnel, but the manage IP address cannot.

• You can define multiple manage IP addresses—one for each network interface—but you can only define one VLAN1 IP address—for the entire system.

Note: You also need to set a route directing self-generated NetScreen-Global PRO traffic to use ethernet3 to reach the external router at IP address 211.1.1.250. A route is unnecessary for self-generated SNMP traffic to reach the SNMP community in the DMZ zone because the community is in a locally attached subnet.

[Figure: ethernet2 in the DMZ zone (IP 210.1.1.1/24, manage IP 210.1.1.2) serving the local administrators; ethernet3 in the Untrust zone (IP 211.1.1.1/24, manage IP 211.1.1.2) reaching NetScreen-Global PRO across the Internet through the router at 211.1.1.250; Trust zone LAN.]

WebUI

1. Network > Interfaces > Edit (ethernet2): Enter the following, and then click OK:

Zone Name: DMZ

IP Address/Netmask: 210.1.1.1/24

Manage IP: 210.1.1.2

Management Services: WebUI, Telnet, SNMP: (select)

2. Network > Interfaces > Edit (ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

IP Address/Netmask: 211.1.1.1/24

Manage IP: 211.1.1.2

Management Services: NS-Global PRO: (select)

CLI

1. set interface ethernet2 ip 210.1.1.1/24

2. set interface ethernet2 manage-ip 210.1.1.2

3. set interface ethernet2 manage web

4. set interface ethernet2 manage telnet

5. set interface ethernet2 manage snmp

6. set interface ethernet3 ip 211.1.1.1/24

7. set interface ethernet3 manage-ip 211.1.1.2

8. set interface ethernet3 manage global-pro

9. save

Management Zone Interfaces

There are two interfaces bound by default to the Management (MGT) zone:

• VLAN1: Use this interface for management traffic and VPN tunnel termination when running the NetScreen device in Transparent mode. You can configure all NetScreen devices to allow administration through the VLAN1 interface when operating in Transparent mode.

• MGT: Some NetScreen devices also have a physical interface—Management (MGT)—dedicated exclusively for management traffic. Use this interface for management traffic when running the NetScreen device in NAT or Route mode.

To maintain the highest level of security, NetScreen recommends that you limit administrative traffic exclusively to the VLAN1 or MGT interface and user traffic to the security zone interfaces. Separating administrative traffic from network user traffic greatly increases administrative security and assures constant management bandwidth.

Example: Administration Through the MGT Interface

In this example, you set the IP address of the MGT interface to 10.1.1.2/24 and enable the MGT interface to receive SCS and Web administrative traffic.

WebUI

Network > Interfaces > Edit (for mgt): Enter the following, and then click OK:

IP Address/Netmask: 10.1.1.2/24

Management Services: WebUI, SCS: (select)

CLI

1. set interface mgt ip 10.1.1.2/24

2. set interface mgt manage web

3. set interface mgt manage scs

4. save
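The manage IP example on the preceding pages and the MGT interface example above both reduce to per-interface management settings. As an added example (not from the guide or from NetScreen), the following Python renders those settings as the CLI commands the examples use and audits them against the recommendation above to keep administrative traffic on the VLAN1 or MGT interface; the spec dictionary, the function names and the severity labels are assumptions of this example.

```python
# Service names as the CLI spells them (set interface <if> manage <svc>).
CLEARTEXT_SERVICES = {"web", "telnet", "snmp"}   # no encryption on the wire
MGT_ZONE_INTERFACES = {"mgt", "vlan1"}           # bound to the MGT zone by default

# Constructed specification. ethernet2/ethernet3 restate the manage IP example;
# "mgt" restates the MGT interface example. The dictionary layout and the
# "services" key are assumptions of this example.
INTERFACES = {
    "ethernet2": {"zone": "DMZ", "ip": "210.1.1.1/24",
                  "manage_ip": "210.1.1.2", "services": ["web", "telnet", "snmp"]},
    "ethernet3": {"zone": "Untrust", "ip": "211.1.1.1/24",
                  "manage_ip": "211.1.1.2", "services": ["global-pro"]},
    "mgt": {"zone": "MGT", "ip": "10.1.1.2/24",
            "manage_ip": None, "services": ["web", "scs"]},
}


def render_cli(interfaces):
    """Emit the set interface commands in the order the CLI steps use them."""
    lines = []
    for name, cfg in interfaces.items():
        lines.append(f"set interface {name} ip {cfg['ip']}")
        if cfg.get("manage_ip"):
            lines.append(f"set interface {name} manage-ip {cfg['manage_ip']}")
        for service in cfg["services"]:
            lines.append(f"set interface {name} manage {service}")
    lines.append("save")
    return lines


def audit_management_exposure(interfaces):
    """Return (interface, severity, message) findings.

    The check encodes the recommendation above: administrative traffic
    belongs on VLAN1 or MGT, and a security-zone interface that does carry
    it should at least use a dedicated manage IP and avoid cleartext
    services facing the Untrust zone. Severity labels are this example's own.
    """
    findings = []
    for name, cfg in interfaces.items():
        services = set(cfg["services"])
        if not services or name.lower() in MGT_ZONE_INTERFACES:
            continue
        findings.append((name, "info",
                         f"management services {sorted(services)} enabled on "
                         f"{cfg['zone']} zone interface"))
        cleartext = sorted(services & CLEARTEXT_SERVICES)
        if cleartext and cfg["zone"].lower() == "untrust":
            findings.append((name, "high",
                             f"cleartext management services {cleartext} "
                             "reachable from the Untrust zone"))
        if not cfg.get("manage_ip"):
            findings.append((name, "low",
                             "no dedicated manage IP for administrative traffic"))
    return findings


if __name__ == "__main__":
    print("\n".join(render_cli(INTERFACES)))
    for iface, severity, message in audit_management_exposure(INTERFACES):
        print(f"[{severity}] {iface}: {message}")
```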

Virtual Private Network

You can use a Virtual Private Network (VPN) tunnel to secure remote management and monitoring of a NetScreen device from either a dynamically assigned or fixed IP address. Using a VPN tunnel, you can protect any kind of traffic, such as NetScreen-Global PRO, HTTP, Telnet, or SNMP.

NetScreen supports three methods for creating a VPN tunnel:

• Manual Key: You manually set the three elements that define a Security Association (SA) at both ends of the tunnel: a Security Parameters Index (SPI), an encryption key, and an authentication key. To change any element in the SA, you must manually enter it at both ends of the tunnel.

• AutoKey IKE with Preshared Key: One or two preshared secrets—one for authentication and one for encryption—function as seed values. Using them, the IKE protocol generates a set of symmetrical keys at both ends of the tunnel; that is, the same key is used to encrypt and decrypt. At predetermined intervals, these keys are automatically regenerated.

• AutoKey IKE with Certificates: Using the Public Key Infrastructure (PKI), the participants at both ends of the tunnel use a digital certificate (for authentication) and an RSA public/private key pair (for encryption). The encryption is asymmetrical; that is, one key in a pair is used to encrypt and the other to decrypt.

To send traffic (such as syslog reports, NetScreen-Global PRO reports, or SNMP traps) generated by the NetScreen device through a VPN tunnel to an administrator in the Untrust zone, you must specify the default interface bound to the Trust zone as the source address in the policy. (Although the traffic actually originates in the NetScreen device itself, you must specify the default Trust zone interface as the source address.)

The default interface is the first interface bound to a zone. Initially, the default interface is the prebound Trust zone interface. If you bind multiple interfaces to the Trust zone, the prebound interface remains as the default interface. If you later unbind the default Trust zone interface, the NetScreen device uses the first of the other interfaces that you bound to the Trust zone. To learn which interface is the default interface for a zone, see the Default IF column on the Zones > Zone page in the WebUI, or type the get zone command in the CLI.

Note: For a complete description of VPN tunnels, see the VPN chapters. For more information on NetScreen-Remote, refer to the NetScreen-Remote User’s Guide.

Note: To tunnel administrative traffic generated by a NetScreen device, the source address must be the default interface bound to the Trust zone, and the destination address must be in the Untrust zone.

Example: Sending SNMP and Syslog Reports Through an IPSec Tunnel

In this example, a remote administrator behind a NetScreen device receives SNMP traps and syslog reports¹⁶ from another NetScreen device through an AutoKey IKE IPSec tunnel. The tunnel uses a preshared key (Ci5y0a1aAG) for data origin authentication and the security level predefined as “Compatible” for both Phase 1 and Phase 2 proposals.

Note: For the following example, ethernet1 is bound to the Trust zone, and ethernet3 is bound to the Untrust zone. The default gateway IP address is 210.2.2.2. All zones are in the trust-vr routing domain.

[Figure: ethernet1 (Trust zone, 10.10.1.1/24) on the LAN; ethernet3 (Untrust zone, 210.2.2.1/24) with default gateway 210.2.2.2; VPN tunnel across the Internet to the remote gateway 3.3.3.3, behind which sit the syslog server and SNMP host at 10.20.1.2.]

WebUI

Interfaces – Security Zones

1. Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone Name: Trust

IP Address/Netmask: 10.10.1.1/24¹⁷

16. This example assumes that the remote admin has already set up the syslog server and SNMP manager. When the remote admin sets up the VPN tunnel on his NetScreen device, he uses 210.2.2.1 as the remote gateway and 10.10.1.1 as the destination address.

17. When the remote admin configures the SNMP manager, he must enter 10.10.1.1 in the Remote SNMP Agent field. This is the address to which the SNMP manager sends queries.

2. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:

Zone Name: Untrust

IP Address/Netmask: 210.2.2.1/24

Addresses

3. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: trust_int

IP Address/Domain Name: IP/Netmask: 10.10.1.1/32

Zone: Trust

4. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: remote_admin

IP Address/Domain Name: IP/Netmask: 10.20.1.2/32

Zone: Untrust

VPN

5. VPNs > AutoKey IKE > New: Enter the following, and then click OK:

VPN Name: admin

Security Level: Compatible

Remote Gateway: Create a Simple Gateway: (select)

Gateway Name: to_admin

Type: Static IP, IP Address: 3.3.3.3

Preshared Key: Ci5y0a1aAG

Security Level: Compatible

Outgoing interface: ethernet3

Syslog and SNMP

6. Configuration > Report Settings > Syslog: Enter the following, and then click Apply:

Enable Syslog Messages: (select)

Use Trust Zone Interface as Source IP for VPN: (select)

Syslog Host Name/Port: 10.20.1.2

7. Configuration > Report Settings > SNMP > New Community: Enter the following, and then click OK:

Community Name: remote_admin

Permissions: Write, Trap: (select)

Hosts: 10.20.1.2

8. Configuration > Report Settings > SNMP: Select Use Trust Zone Interface as Source IP for VPN, and then click Apply.

Route

9. Network > Routing > Routing Table > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP Address: (select) 210.2.2.2

Policies

10. Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book: (select), trust_int

Destination Address:

Address Book: (select), remote_admin

Service: SNMP

Action: Tunnel

Tunnel VPN: admin

Modify matching outgoing VPN policy: (clear)

Position at Top: (select)

11. Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book: (select), trust_int

Destination Address:

Address Book: (select), remote_admin

Service: SYSLOG

Action: Tunnel

Tunnel VPN: admin

Modify matching outgoing VPN policy: (clear)

Position at Top: (select)

CLI

Interfaces – Security Zones

1. set interface ethernet1 zone trust

2. set interface ethernet1 ip 10.10.1.1/24

3. set interface ethernet3 zone untrust

4. set interface ethernet3 ip 210.2.2.1/24

Addresses

5. set address trust trust_int 10.10.1.1/24

6. set address untrust remote_admin 10.20.1.2/24

VPN

7. set ike gateway to_admin ip 3.3.3.3 outgoing-interface ethernet3 preshare Ci5y0a1aAG sec-level compatible

8. set vpn admin gateway to_admin sec-level compatible

Syslog and SNMP

9. set syslog config 10.20.1.2 auth/sec local0

10. set syslog vpn

11. set syslog enable

12. set snmp community remote_admin read-write trap-on

13. set snmp host remote_admin 10.20.1.2

14. set snmp vpn

Route

15. set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 210.2.2.2

Policies

16. set policy top from trust to untrust trust_int remote_admin snmp tunnel vpn admin

17. set policy top from trust to untrust trust_int remote_admin syslog tunnel vpn admin

18. save

Example: Administration Through a VPN Tunnel from the Trust Zone

In this example, you set up a VPN tunnel to provide confidentiality for network security administrative traffic. The Manual Key VPN tunnel extends from the workstation (10.10.1.56) to the interface bound to the Trust zone (10.10.1.1/24). The workstation is using NetScreen-Remote. You also create a zone called “Other” whose sole purpose is to provide a destination zone and destination address for a policy that specifies the VPN tunnel.

[Figure: Admin workstation 10.10.1.56 on the Trust zone LAN; Manual Key VPN tunnel Admin_Tunnel to ethernet1 (Trust zone, 10.10.1.1/24); ethernet4 (2.2.2.1/24) in the Other zone.]

WebUI

Interfaces and Zones

1. Network > Interfaces > Edit (ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

IP Address/Netmask: 10.10.1.1/24

2. Network > Zones > New: Enter the following, and then click OK:

Zone Name: Other

Virtual Router Name: trust-vr

3. Network > Interfaces > Edit (ethernet4): Enter the following, and then click OK:

Zone Name: Other

IP Address/Netmask: 2.2.2.1/24

Addresses

4. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: Admin

IP Address/Domain Name:

IP/Netmask: 10.10.1.56/24

Zone: Trust

5. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: Other_Interface

IP Address/Domain Name:

IP/Netmask: 2.2.2.1/24

Zone: Other

Note: The Trust zone is preconfigured. You do not have to create it.

VPN

6. VPNs > Manual Key > New: Enter the following, and then click OK:

VPN Tunnel Name: Admin_Tunnel

Gateway IP: 10.10.1.56

Security Index: 4567 (Local) 5555 (Remote)

Outgoing Interface: ethernet1

ESP-CBC: (select)

Encryption Algorithm: DES-CBC

Generate Key by Password¹⁸: netscreen1

Authentication Algorithm: MD5

Generate Key by Password: netscreen2

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Bind To: Tunnel Zone: (select) Untrust_Tun

18. Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Return to the Manual Key Configuration dialog box (click Edit in the Configure column for “Admin Tunnel”); (2) copy the generated hexadecimal key; and (3) use that hexadecimal key when configuring the NetScreen-Remote end of the tunnel.

Policies

7. Policies > (From: Trust, To: Other) > New: Enter the following, and then click OK:

Source Address: Address Book: Admin

Destination Address: Address Book: Other_Interface

Service: ANY

Action: Tunnel

Tunnel VPN: Admin_Tunnel

Modify matching outgoing VPN policy: (select)

Position at Top: (select)

CLI

Interfaces and Zones

1. set interface ethernet1 zone trust

2. set interface ethernet1 ip 10.10.1.1/24

3. set zone name Other

4. set interface ethernet4 zone Other

5. set interface ethernet4 ip 2.2.2.1/24

Addresses

6. set address trust Admin 10.10.1.56/24

7. set address Other Other_Interface 2.2.2.1/24

VPN

8. set vpn Admin_Tunnel manual 4567 5555 gateway 10.10.1.56 outgoing ethernet1 esp des password netscreen1 auth md5 password netscreen2

Policies

9. set policy top from trust to Other Admin Other_Interface any tunnel vpn Admin_Tunnel

10. set policy top from Other to trust Other_Interface Admin any tunnel vpn Admin_Tunnel

11. save

Chapter 2

Monitoring NetScreen Devices

This chapter discusses the following topics about monitoring NetScreen devices:

• “Storing Log Information” on page 56

• “Event Log” on page 57

– “Viewing the Event Log” on page 58

• “Traffic Log” on page 60

• “Self Log” on page 62

• “Syslog” on page 63

– “WebTrends” on page 63

• “SNMP” on page 66

– “Implementation Overview” on page 68

– “VPN Monitoring” on page 71

• “Counters” on page 74

• “Asset Recovery Log” on page 81

• “Traffic Alarms” on page 82

Storing Log Information

All NetScreen devices allow you to store event and traffic log data internally (in flash storage) and externally (in a number of locations). Although storing log information internally is convenient, the amount of memory is limited. When the internal storage space completely fills up, the NetScreen device begins overwriting the oldest log entries with the latest ones. If this first-in-first-out (FIFO) mechanism occurs before you save the logged information, you can lose data. To mitigate such data loss, you can store event and traffic logs externally in a syslog or WebTrends server, or in the NetScreen-Global PRO database.

The following list provides the possible destinations for logged data:

• Console: A useful destination for all log entries to appear when you are troubleshooting a NetScreen device through the console. Optionally, you might elect to have only alarm messages (critical, alert, emergency) appear here to alert you immediately if you happen to be using the console at the time an alarm is triggered.

• Internal: The internal database on a NetScreen device is a convenient destination for log entries, but of limited space.

• Email: A convenient method for sending event and traffic logs to remote administrators.

• SNMP: In addition to the transmission of SNMP traps, a NetScreen device can also send alarm messages (critical, alert, emergency) from its event log to an SNMP community.

• Syslog: All event and traffic logs that a NetScreen device can store internally, it can also send to a syslog server. Because syslog servers have a much greater storage capacity than the internal flash storage on a NetScreen device, sending data to a syslog server can mitigate data loss that might occur when log entries exceed the maximum internal storage space.

• WebTrends: Allows you to view log data for critical-, alert-, and emergency-level events in a more graphical format than syslog, which is a text-based tool.

• NetScreen-Global PRO: In addition to its multiple-device configuration tools, NetScreen-Global PRO offers excellent monitoring capabilities in regards to both the viewing and storing of reports.

• CompactFlash (PCMCIA): The advantage of this destination is portability. After storing data on a device CompactFlash card, you can physically remove the card from the NetScreen and store it or load it on another device.

Event Log

NetScreen provides an event log for monitoring system events and network traffic. The NetScreen device categorizes system events by the following severity levels:

• Emergency: Generates messages on SYN attacks, Tear Drop attacks, and Ping of Death attacks. For more information on these types of attacks, see “Firewall Options” on page 2 -33.

• Alert: Generates messages for multiple user authentication failures and other firewall attacks not included in the emergency category.

• Critical: Generates messages for URL blocks, traffic alarms, high availability (HA) status changes, and global communications.

• Error: Generates messages for admin log on failures.

• Warning: Generates messages for admin logins and logouts, failures to log on and log out, and user authentication failures, successes, and timeouts.

• Notification: Generates messages for link status changes, traffic logs, and configuration changes.

• Information: Generates any kind of message not specified in other categories.

• Debugging: Generates all messages.

The event log displays the date, time, level and description of each system event. You can view system events for each category stored in flash storage on the NetScreen device through the WebUI or the CLI. You can also open or save the file to the location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view the file. Alternatively, you can send them to an external storage space (see “Storing Log Information” on page 56).

Note: For detailed information about the messages that appear in the event log, refer to the NetScreen Message Log Reference Guide.

Viewing the Event Log

You can display log entries by severity level and search the event log by keyword in both the WebUI and CLI. With the CLI, you can combine severity level and key word to refine your search. You can make your search even more granular by including start and end times, a message type ID number, and a key word exclusion. For example, you might conduct a search with parameters such as the following:

get event level notif type 00037 start-time 07/18 end-time 07/19 include “zone trust” exclude block

To display the event log by severity level, do either of the following:

WebUI

Reports > System Log > Event: Select a severity level from the Log Level drop-down list.

CLI

get event level { emergency | alert | critical | error | warning | notification | information | debugging }

To search the event log by keyword, do either of the following:

WebUI

Reports > System Log > Event: Type a word or word phrase up to 15 characters in length in the search field, and then click Search.

CLI

get event include word_string
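To make the combined search semantics concrete, here is an added Python example (not from the guide and not a NetScreen tool) that applies the level, type, start-time, end-time, include and exclude parameters to constructed event records and runs the exact worked query above; the record layout, the placeholder type IDs 99990 and 99991, the invented descriptions, and the inclusive day window with case-insensitive matching are assumptions of this example.

```python
from datetime import datetime

# Constructed event records: date and time, severity level, message type ID,
# description. 00037 is the type ID from the worked query above; 99990 and
# 99991 are placeholder IDs for this example, not real NetScreen message
# types, and the description text is invented.
EVENTS = [
    ("2002-07-18 09:12:01", "notif", "00037", "Policy (zone trust -> untrust, id 12) was modified"),
    ("2002-07-18 09:30:44", "notif", "00037", "Policy (zone trust -> untrust, id 13) block action set"),
    ("2002-07-19 16:05:10", "notif", "00037", "Policy (zone trust -> dmz, id 14) was added"),
    ("2002-07-20 08:00:00", "notif", "00037", "Policy (zone trust -> untrust, id 12) was deleted"),
    ("2002-07-18 10:41:27", "warning", "99990", "Admin user login failed from 172.16.40.77"),
    ("2002-07-18 11:02:59", "critical", "99991", "Traffic alarm: policy id 12 exceeded threshold"),
]

# Full level names from the get event level { ... } syntax plus the "notif"
# abbreviation the worked query uses.
LEVEL_ALIASES = {
    "emergency": "emergency", "alert": "alert", "critical": "critical",
    "error": "error", "warning": "warning", "notification": "notif",
    "notif": "notif", "information": "information", "debugging": "debugging",
}


def _day(mmdd, year):
    """Parse the MM/DD form used by start-time and end-time (year assumed)."""
    return datetime.strptime(f"{year}/{mmdd}", "%Y/%m/%d").date()


def get_event(events, level=None, type_id=None, start_time=None,
              end_time=None, include=None, exclude=None, year=2002):
    """Apply the CLI's filters (level, type, start-time, end-time, include,
    exclude) to a list of records and return the matching records.

    Assumptions of this example: the day window is inclusive at both ends
    and keyword matching is case-insensitive.
    """
    want = LEVEL_ALIASES[level] if level else None
    lo = _day(start_time, year) if start_time else None
    hi = _day(end_time, year) if end_time else None
    hits = []
    for stamp, lvl, tid, text in events:
        day = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").date()
        if want and LEVEL_ALIASES[lvl] != want:
            continue
        if type_id and tid != type_id:
            continue
        if (lo and day < lo) or (hi and day > hi):
            continue
        if include and include.lower() not in text.lower():
            continue
        if exclude and exclude.lower() in text.lower():
            continue
        hits.append((stamp, lvl, tid, text))
    return hits


def page_query(events):
    """The worked query: get event level notif type 00037 start-time 07/18
    end-time 07/19 include "zone trust" exclude block."""
    return get_event(events, level="notif", type_id="00037",
                     start_time="07/18", end_time="07/19",
                     include="zone trust", exclude="block")


if __name__ == "__main__":
    for stamp, lvl, tid, text in page_query(EVENTS):
        print(stamp, lvl, tid, text)
```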

Example: Downloading the Event Log for Critical Events

In this example, you download the critical events entered in the event log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “crt_evnt07-02.txt”.

WebUI

1. Reports > System Log > Event: Next to Search, enter Critical for the Log Level setting, and then click Search.

A table appears with the result of the “critical events” search. Click Save.

The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.

2. Select the Save this file to disk option, and then click OK.

The File Download wizard prompts you to choose a directory.

3. Specify C:\netscreen\logs, name the file “crt_evnt07-02.txt”, and then click Save.

CLI

get event level critical > tftp 10.10.20.200 crt_evnt07-02.txt

Traffic Log

NetScreen provides traffic logs to monitor and record the traffic that policies permit across the firewall. A traffic log notes the following elements for each session:

• Date and time that the connection started

• Source address and port number

• Translated source address and port number

• Destination address and port number

• The duration of the session

• The service used in the session

To log all traffic that a NetScreen device receives, you must enable the logging option for all policies. To log specific traffic, enable logging only on policies that apply to that traffic. To enable the logging option on a policy, do either of the following:

WebUI

Policies > (From src_zone, To dst_zone) New > Advanced: Select Logging, click Return, and then click OK.

CLI

set policy from src_zone to dst_zone src_addr dst_addr service action log

You can view traffic logs stored in flash storage on the NetScreen device through either the CLI or WebUI. You can also open or save the file to the location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view the file. Alternatively, you can send them to an external storage space (see “Storing Log Information” on page 56). You can also include traffic logs with event logs sent by e-mail to an admin.

Example: Downloading a Traffic Log

In this example, you download the traffic log for a policy with ID number 12. For the WebUI, you download it to the local directory “C:\netscreen\logs”. For the CLI, you download it to the root directory of a TFTP server at the IP address 10.10.20.200. You name the file “traf_log11-21-02.txt”.

WebUI

1. Reports > Policies > (for policy ID 12): Click Save.

The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.

2. Select the Save this file to disk option, and then click OK.

The File Download wizard prompts you to choose a directory.

3. Specify C:\netscreen\logs, name the file traf_log11-21-02.txt, and then click Save.

CLI

get log traffic policy 12 > tftp 10.10.20.200 traf_log11-21-02.txt

Self Log

NetScreen provides a self log to monitor and record all dropped packets (such as those denied by a policy) and traffic that terminates at the NetScreen device itself (such as administrative traffic). Similar to the traffic log, the self log displays the date, time, source address/port, destination address/port, duration, and service for each dropped packet or session terminating at the NetScreen device.

You can view the self log, which is stored in flash storage on the NetScreen device, through either the CLI or WebUI. You can also save the log as a text file to a location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view it.

Example: Downloading the Self Log

In this example, you download a self log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “self_log07-03-02.txt”.

WebUI

1. Reports > System Log > Self: Click Save.

The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.

2. Select the Save this file to disk option, and then click OK.

The File Download wizard prompts you to choose a directory.

3. Specify C:\netscreen\logs, name the file self_log07-03-02.txt, and then click Save.

CLI

get log self > tftp 10.10.20.200 self_log07-03-02.txt

Syslog

Syslog enables the logging of system events to a single file for later review. A NetScreen device generates syslog messages for system events at predefined severity levels (see the list of severity levels in “Event Log” on page 57) and sends these messages via UDP (port 514) to a syslog host, which runs on a UNIX/Linux system. You can use syslog messages to create e-mail alerts for the system administrator, or to display messages on the console of the designated host using UNIX syslog conventions.

You can also send syslog messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN option. In the CLI, use the set syslog vpn command.

Syslog organizes messages hierarchically, so that setting a level includes that level and all levels above it. For example, an alert setting generates messages for alert and emergency messages, whereas a debugging setting generates messages for all levels.

WebTrends

WebTrends offers a product called the WebTrends Firewall Suite that allows you to customize syslog reports of critical, alert, and emergency events to display the information you want in a graphical format. You can create reports that focus on areas such as firewall attacks (emergency-level events) or on all events with the severity levels of critical, alert, and emergency.

You can also send WebTrends messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN option. In the CLI, use the set webtrends vpn command.

Note: On UNIX/Linux platforms, modify the /etc/rc.d/init.d/syslog file so that syslog retrieves information from the remote source (syslog -r).

Note: You can also send traffic logs with the syslog messages.

Note: The WebTrends Syslog Server and the WebTrends Firewall Suite must run on the same Windows NT system. You must have administrator rights to configure it.

Example: Enabling Syslog and WebTrends for Notification Events

In the following example, you set up the syslog facility to send notification messages to port 514 on a WebTrends syslog Server at 172.10.16.25. The security and facility levels are set to Local0. Traffic logs are included with the system event messages.

WebUI

Syslog Settings

1. Configuration > Report Settings > Syslog: Enter the following, and then click Apply:

Enable syslog messages: (select)

Include Traffic Log: (select)

Syslog Host Name/Port: 172.10.16.25/514 [1]

Security Facility: Local0

Facility: Local0

WebTrends Settings

2. Configuration > Report Settings > WebTrends: Enter the following, and then click Apply:

Enable WebTrends Messages: (select)

WebTrends Host Name/Port: 172.10.16.25/514

1. The syslog host port number must match the WebTrends port number.

Notification Level

3. Configuration > Report Settings > Log Settings: Enter the following, then click Apply:

WebTrends Notification: (select)

Syslog Notification: (select)

CLI

Syslog Settings

1. set syslog config 172.10.16.25 local0 local0

2. set syslog port 514

3. set syslog traffic

4. set syslog enable

WebTrends Settings

5. set webtrends host-name 172.10.16.25

6. set webtrends port 514

7. set webtrends enable

Notification Level

8. set log module system level notification destination syslog

9. set log module system level notification destination webtrends

10. save

Note: When you enable syslog and WebTrends on a NetScreen device running in Transparent mode, you must set up a static route. See “Route Tables” on page 2-63.
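The receiving side of the configuration above, as an added example that is not ScreenOS code or part of this manual: a minimal collector that decodes the classic BSD syslog header (“<PRI>message”, PRI = facility × 8 + severity, RFC 3164) that a device sends over UDP port 514, keeps only messages from the local0 facility, and applies the level hierarchy the text describes (a level setting includes that level and every more severe one). The severity names, the local0 facility code (16) and the sample lines are assumptions or constructed data, not captured NetScreen output.

```python
"""Minimal syslog collector applying facility and severity-level filtering.

Added example; assumes RFC 3164 "<PRI>text" framing and the eight UNIX
severities. Sample lines below are constructed, not device output.
"""
import re
import socket

# Severity 0 is the most severe. A level setting of N keeps every message
# whose severity is numerically <= N: "alert" keeps alert and emergency,
# "debugging" keeps everything.
SEVERITIES = ["emergency", "alert", "critical", "error", "warning",
              "notification", "informational", "debugging"]
LOCAL0 = 16  # standard facility code for local0 (assumption: device uses it)

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split "<PRI>text" into (facility, severity, text); None if malformed."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 facilities * 8 + 7 is the largest legal PRI
        return None
    return pri // 8, pri % 8, m.group(2)


def passes_level(severity, level):
    """True if a message of this numeric severity is included by `level`."""
    return severity <= SEVERITIES.index(level)


def filter_messages(lines, level="notification", facility=LOCAL0):
    """Return (severity_name, text) for lines a collector configured at
    `level` for `facility` would keep; malformed lines are dropped."""
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None:
            continue
        fac, sev, text = parsed
        if fac == facility and passes_level(sev, level):
            kept.append((SEVERITIES[sev], text))
    return kept


def serve(port=514, level="notification"):
    """Listen on UDP and print accepted messages (port 514 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, peer = sock.recvfrom(4096)
        for sev, text in filter_messages([data.decode("utf-8", "replace")], level):
            print(f"{peer[0]} {sev}: {text}")


# Constructed sample lines. local0 is facility 16, so PRI = 128 + severity.
SAMPLE = [
    "<129>constructed sample at severity alert",
    "<133>constructed sample at severity notification",
    "<135>constructed sample at severity debugging",
    "<13>constructed sample from facility user, not local0",
    "garbage line without a PRI header",
]

if __name__ == "__main__":
    for sev, text in filter_messages(SAMPLE, "notification"):
        print(sev, text)
```

With the level left at notification, as in the example configuration, the first two constructed lines are kept, the debugging line and the foreign-facility line are dropped, and the malformed line is ignored rather than crashing the collector.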

SNMP

The Simple Network Management Protocol (SNMP) agent for the NetScreen device provides network administrators with a way to view statistical data about the network and the devices on it, and to receive notification of system events of interest.

NetScreen supports the SNMPv1 protocol, described in RFC-1157, “A Simple Network Management Protocol”. NetScreen also supports all relevant Management Information Base II (MIB II) groups defined in RFC-1213, “Management Information Base for Network Management of TCP/IP-based internets: MIB-II”. NetScreen also has private enterprise MIB files, which you can load into an SNMP MIB browser. A list of the NetScreen MIBs is included in the appendix. (See Appendix A, “SNMP MIB Files”.)

Accordingly, the NetScreen SNMP agent generates the following traps, or notifications, when specified events or conditions occur:

• Cold Start Trap: The NetScreen device generates a cold start trap when it becomes operational after you power it on.

• Trap for SNMP Authentication Failure: The SNMP manager triggers the authentication failure trap if it sends the incorrect community string.

• Traps for System Alarms: NetScreen device error conditions and firewall conditions trigger system alarms. Three NetScreen enterprise traps are defined to cover alarms related to hardware, security, and software. (For more information on firewall settings and alarms, see “Firewall Options” on page 2-33, and “Traffic Alarms” on page 82.)

• Traps for Traffic Alarms: Traffic alarms are triggered when traffic exceeds the alarm thresholds set in policies. (For more information on configuring policies, see “Policies” on page 2-213.)

NetScreen devices do not ship with a default configuration for the SNMP manager. To configure your NetScreen device for SNMP, you must first create communities, define their associated hosts, and assign permissions (read-write or read only [2]).

The following table lists possible alarm types and their associated trap number:

Trap Enterprise ID   Description
100                  Hardware problems
200                  Firewall problems
300                  Software problems
400                  Traffic problems
500                  VPN problems

Note: The network administrator must have an SNMP manager application such as HP OpenView® or SunNet Manager™ to browse the SNMP MIB II data and to receive traps from either the trusted or untrusted interface. There are also several shareware and freeware SNMP manager applications available from the Internet.

2. For security reasons, an SNMP community member with read-write privileges can change only the sysContact and sysLocation variables on a NetScreen device.

Implementation Overview

The following points summarize how SNMP is implemented in NetScreen devices:

• The network administrator can create up to three communities, each containing up to eight hosts. Hosts must be listed individually; they cannot be specified as a range.

• Each community has either read-only or read-write permission for the MIB II data.

• You can allow or deny each community from receiving traps.

• You can access the MIB II data and traps through any physical interface.

• Each system alarm generates a single NetScreen enterprise SNMP trap to each of the hosts in each community that is set to receive traps.

• Cold Start / Link Up / Link Down traps are sent to all hosts in communities that are set to receive traps.

• If you specify trap-on for a community, you also have the option to allow traffic alarms.

You can also send SNMP messages through a VPN tunnel. In the WebUI, select the Use Trust Interface as Source IP for VPN option. In the CLI, use the set snmp vpn command.

Example: Setting Up SNMP Communities

In this example, you configure SNMP for two communities, named “JCarney” and “TCooper.” In the first community, its members can read MIB II data and receive traps. In the second community, its members can read and write MIB II data, receive traps, and traffic alarms. The contact person is “John Fisher” in “Miami.” The JCarney community host IP addresses are 172.16.20.181, 172.16.40.245, and 172.16.40.55. The TCooper community host is 172.16.20.250.

WebUI

1. Configuration > Report Settings > SNMP: Enter the following settings, and then click Apply:

System Contact: John Fisher

Location: Miami

2. Configuration > Report Settings > SNMP > New Community: Enter the following settings, and then click OK:

Community Name: JCarney

Permissions: Trap: (select)

Hosts: 172.16.20.181, 172.16.40.245, 172.16.40.55

3. Configuration > Report Settings > SNMP > New Community: Enter the following settings, and then click OK:

Community Name: TCooper

Permissions: Write, Trap: (select)

Including Traffic Alarms: (select)

Hosts: 172.16.20.250

Note: The MIB II system group variables sysContact, sysName (which is the same as the host name of the NetScreen device) are read-write objects. All other variables are read-only.

CLI

1. set snmp contact John Fisher

2. set snmp location Miami

3. set snmp community JCarney read-only trap-on

4. set snmp host JCarney 172.16.20.181

5. set snmp host JCarney 172.16.40.245

6. set snmp host JCarney 172.16.40.55

7. set snmp community TCooper read-write trap-on traffic

8. set snmp host TCooper 172.16.20.250

9. save

VPN Monitoring

The NetScreen ScreenOS provides the ability to determine the status and condition of active VPNs through the use of SNMP VPN monitoring objects and traps.

By enabling the VPN monitoring feature on a Manual Key or AutoKey IKE VPN tunnel, the NetScreen device activates its SNMP VPN monitoring objects, which include data on the following:

• The total number of active VPN sessions

• The time each session started

• The Security Association (SA) elements for each session:

– ESP encryption (DES or 3DES) and authentication algorithm (MD5 or SHA-1) types

– AH algorithm type (MD5 or SHA-1)

– Key exchange protocol (AutoKey IKE or Manual Key)

– Phase 1 authentication method (Preshared Key or certificates)

– VPN type (dialup or peer-to-peer)

– Peer and local gateway IP addresses

– Peer and local gateway IDs

– Security Parameter Index (SPI) numbers

• Session status parameters

– VPN monitoring status (up or down)

– Tunnel status (up or down)

– Phase 1 and 2 status (inactive or active)

– Phase 1 and 2 lifetime (time in seconds before rekeying; Phase 2 lifetime is also reported in remaining bytes before rekeying)

Note: To enable your SNMP manager application to recognize the VPN monitoring MIBs, you must import the NetScreen-specific MIB extension files into the application. You can find the MIB extension files on the NetScreen documentation CD that shipped with your NetScreen device.

With VPN monitoring enabled, the NetScreen device also pings the remote gateway through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity between the two VPN gateways [3]. The source interface that the local NetScreen device uses to send and receive ping requests differs according to the type of device at the remote end of the tunnel and whether the local NetScreen device is operating at Layer 3 (NAT or Route mode) or Layer 2 (Transparent mode):

If the local device is operating at Layer 3 and the remote device is another NetScreen device, then the source-interface can be any interface* with an IP address and in any zone except in the MGT zone.

If the local device is operating at Layer 3 and the remote device is a VPN client (such as the NetScreen-Remote), then regardless of what you specify as the source interface, the NetScreen device uses the outgoing interface as the source interface.

If the local device is operating at Layer 2 and the remote device is another NetScreen device, then you cannot use the VPN monitoring feature.

If the local device is operating at Layer 2 and the remote device is a VPN client (such as the NetScreen-Remote), then regardless of what you specify as the source-interface, the NetScreen device uses the outgoing interface as the source interface.

* If the source-interface is in a different zone from the outgoing interface (or if it is in the same zone and intrazone blocking is enabled), you must create a policy permitting pings through the VPN tunnel.

The VPN monitoring MIB notes whether the ping elicits a response, a running average of successful responses, the latency of the response, and the average latency over the last 30 attempts.

If the ping activity indicates that the VPN status has changed (by exceeding a user-definable threshold [4] for the number of consecutive successful or unsuccessful ping requests), the NetScreen device triggers one of the following SNMP traps:

• Up to Down: The state of the VPN tunnel is up, but the ping request has not elicited a response after a specified consecutive number of ping requests.

• Down to Up: The state of the VPN tunnel is down, but the ping request elicits a response.

Note: A VPN tunnel bound to a tunnel interface cannot support VPN monitoring.

3. To change the ping interval, you can use the following CLI command: set vpnmonitor interval number. The default is 10 seconds.

4. To change the ping threshold, you can use the following CLI command: set vpnmonitor threshold number. The default is 10 consecutive ping requests.

To enable VPN monitoring, do the following:

WebUI

VPNs > Manual Key > New: Configure the VPN, click Advanced, select the VPN Monitor check box and choose an interface from the Source Interface drop-down list, click Return to go back to the basic VPN configuration page, and then click OK.

Or

VPNs > AutoKey IKE > New: Configure the VPN, click Advanced, select the VPN Monitor check box and choose an interface from the Source Interface drop-down list, click Return to go back to the basic VPN configuration page, and then click OK.

CLI

1. set vpn name_str monitor [ source-interface interface ] [5]

2. set vpnmonitor frequency number [6]

3. set vpnmonitor threshold number [7]

4. save

5. If you do not choose a source interface, the NetScreen device uses the outgoing interface as the default.

6. The VPN monitoring frequency is in seconds.

7. The VPN monitoring threshold number is the consecutive number of successful or unsuccessful ping requests that determines whether the remote gateway is reachable through the VPN tunnel or not.
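The state-change logic that the ping description and the threshold footnotes above define, as an added example written for this page (it is not ScreenOS code and does not send real pings): a run of `threshold` consecutive results that contradict the current tunnel state flips the state and emits the corresponding trap name, while latency and success rate are kept as running values over the last 30 attempts, as the MIB description states. The ping outcomes fed in are constructed, the default threshold of 10 and frequency of 10 seconds come from the footnotes, and the trap names are labels chosen here.

```python
"""Model of VPN monitoring state transitions (added example, not ScreenOS code).

Assumes: one ping per `frequency` seconds; `threshold` consecutive contrary
results change the tunnel state; latency and success rate averaged over the
last 30 attempts. Ping outcomes are supplied by the caller (constructed).
"""
from collections import deque

WINDOW = 30  # attempts kept for the running averages


class VpnMonitor:
    def __init__(self, threshold=10, frequency=10):
        self.threshold = threshold        # set vpnmonitor threshold number
        self.frequency = frequency        # set vpnmonitor frequency number (seconds)
        self.up = True                    # assumed initial tunnel state
        self.consecutive = 0              # run of results contrary to the state
        self.results = deque(maxlen=WINDOW)    # True = response received
        self.latencies = deque(maxlen=WINDOW)  # ms, successful pings only
        self.traps = []                   # emitted "up_to_down" / "down_to_up"

    def record(self, responded, latency_ms=None):
        """Feed one ping outcome; return the trap name if the state changed."""
        self.results.append(bool(responded))
        if responded:
            self.latencies.append(latency_ms)
        # Only results that contradict the current state extend the run;
        # a result agreeing with the state resets it.
        if bool(responded) != self.up:
            self.consecutive += 1
        else:
            self.consecutive = 0
        if self.consecutive >= self.threshold:
            self.up = not self.up
            self.consecutive = 0
            trap = "down_to_up" if self.up else "up_to_down"
            self.traps.append(trap)
            return trap
        return None

    def success_rate(self):
        """Fraction of the last WINDOW attempts that got a response."""
        return sum(self.results) / len(self.results) if self.results else None

    def average_latency(self):
        """Mean latency in ms over the successful pings in the window."""
        return sum(self.latencies) / len(self.latencies) if self.latencies else None


def replay(outcomes, threshold=10):
    """Run a constructed sequence of (responded, latency_ms) pairs and return
    the list of traps raised, in order."""
    mon = VpnMonitor(threshold=threshold)
    for responded, latency in outcomes:
        mon.record(responded, latency)
    return mon.traps


if __name__ == "__main__":
    # Constructed outcomes: three timeouts, then recovery with one blip.
    seq = [(False, None)] * 3 + [(True, 12), (False, None), (True, 10), (True, 14), (True, 16)]
    print(replay(seq, threshold=3))  # expected: ['up_to_down', 'down_to_up']
```

A threshold of 10 at the default 10-second frequency means a tunnel is reported down only after about 100 seconds without a response; lowering the threshold gives faster traps at the cost of flapping on a lossy link, which is why the blip in the replay above does not by itself raise a trap.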

Counters

NetScreen provides screen, hardware, and flow counters for monitoring traffic. Counters give processing information for specified interfaces and help you to verify configurations for desired policies.

NetScreen provides the following screen counters for monitoring general firewall behavior and for viewing the amount of traffic affected by specified policies:

• Block Java/Active X Component – the number of Java or ActiveX components blocked

• ICMP Flood Protection – the number of ICMP packets blocked as part of an ICMP flood

• UDP Flood Protection – the number of UDP packets dropped as part of a suspected UDP flood

• WinNuke Attack Protection – the number of packets detected as part of a suspected WinNuke attack

• Port Scan Protection – the number of port scans detected and blocked

• IP Sweep Protection – the number of IP sweep attack packets detected and blocked

• Tear-drop Attack Protection – the number of packets blocked as part of a Tear Drop attack

• SYN Flood Protection – the number of SYN packets detected as part of a suspected SYN flood

• IP Spoofing Attack Protection – the number of IP addresses blocked as part of an IP spoofing attack

• Ping-of-Death Protection – the number of suspected and rejected ICMP packets that are oversized or of an irregular size

• Source Route IP Option Filter – the number of IP source routes filtered

• Land Attack Protection – the number of packets blocked as part of a suspected land attack

• SYN Fragment Detection – the number of packet fragments dropped as part of a suspected SYN fragments attack

• TCP Packet without Flag – the number of illegal packets dropped with missing or malformed flags field

• Unknown Protocol Protection – the number of packets blocked as part of an unknown protocol

• Bad IP Option Detection – the number of frames discarded due to malformed or incomplete IP options

• IP Record Route Option – the number of frames detected with the Record Route option enabled

• IP Timestamp Option – the number of IP packets discarded with the Internet Timestamp option set

• IP Security Option – the number of frames discarded with the IP Security option set

• IP Loose Src Route Option – the number of IP packets detected with the Loose Source Route option enabled

• IP Strict Src Route Option – the number of packets detected with the Strict Source Route option enabled

• IP Stream Option – the number of packets discarded with the IP Stream identifier set

• ICMP Fragment – the number of ICMP frames with the More Fragments flag set, or with offset indicated in the offset field

• Large ICMP Packet – the number of ICMP frames detected with an IP length greater than 1024

• SYN and FIN bits set – the number of packets detected with an illegal combination of flags

• FIN bit with no ACK bit – the number of packets detected and dropped with an illegal combination of flags

• Malicious URL Protection – the number of suspected malicious URLs blocked

• limit session – the number of undeliverable packets because the session limit had been reached

• SYN-ACK-ACK-Proxy DoS – the number of blocked packets because of the SYN-ACK-ACK-proxy DoS SCREEN option

NetScreen provides the following hardware counters for monitoring hardware performance and packets with errors:

• in bytes – the number of bytes received

• out bytes – the number of bytes sent

• in packets – the number of packets received

• out packets – the number of packets sent

• in no buffer – the number of unreceivable packets because of unavailable buffers

• out no buffer – the number of unsent packets because of unavailable buffers

• in overrun – the number of transmitted overrun packets

• in underrun – the number of transmitted underrun packets

• in coll err – the number of incoming collision packets

• out coll err – the number of outgoing collision packets

• in crc err – the number of incoming packets with a cyclic redundancy check (CRC) error

• in align err – the number of incoming packets with an alignment error in the bit stream

• in short frame – the number of incoming packets with an in-short frame error

• out bs pak – the number of packets held in back store while searching for an unknown MAC address

• early frame – counters used in an ethernet driver buffer descriptor management

• late frame – counters used in an ethernet driver buffer descriptor management

• in err – the number of incoming packets with at least one error

• in unk – the number of UNKNOWN packets received

• in misc err – the number of incoming packets with a miscellaneous error

• out misc err – the number of outgoing packets with a miscellaneous error

• in dma err – the number of incoming packets with a dma error

• out discard – the number of discarded outgoing packets

• out defer – the number of deferred outgoing packets

• out heartbeat – the number of outgoing heartbeat packets

• re xmt limit – the number of dropped packets when the retransmission limit was exceeded while an interface was operating at half duplex

• drop vlan – the number of dropped packets because of missing VLAN tags, an undefined subinterface, or because VLAN trunking was not enabled when the NetScreen device was in Transparent mode

• out cs lost – the number of dropped outgoing packets because the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) protocol lost the signal [8]

8. For more information about the Carrier Sense Multiple Access/Collision Detect (CSMA/CD) protocol, see the IEEE 802.3 standard available at http://standards.ieee.org.

NetScreen also provides the following flow counters [9] for monitoring the number of packets inspected at the flow level:

• in bytes – the number of bytes received

• out bytes – the number of bytes sent

• in packets – the number of packets received

• out packets – the number of packets sent

• in vlan – the number of incoming vlan packets

• out vlan – the number of outgoing vlan packets

• in arp req – the number of incoming arp request packets

• in arp resp – the number of outgoing arp request packets

• *in un auth – the number of unauthorized incoming TCP, UDP, and ICMP packets

• *in unk prot – the number of incoming packets using an unknown ethernet protocol

• in other – the number of incoming packets that are of a different Ethernet type

• no mac address – (NetScreen-5000 series only) the number of sessions that did not have MAC addresses for the source or destination IP addresses

• mac relearn – the number of times that the MAC address learning table had to relearn the interface associated with a MAC address because the location of the MAC address changed

• *slow mac – the number of frames whose MAC addresses were slow to resolve

• syn frag – the number of dropped SYN packets because of a fragmentation

• *misc prot – the number of packets using a protocol other than TCP, UDP, or ICMP

• mal url – the number of blocked packets destined for a URL determined to be malicious

• null zone – the number of dropped packets erroneously sent to an interface bound to the Null zone

• *no xmit vpnf – the number of dropped VPN packets due to fragmentation

• *no frag sess – the number of times that fragmented sessions were greater than half of the maximum number of NAT sessions

9. Counters preceded by an asterisk are not yet operational at the time of this writing and always display a value of 0.

• no frag netpak – the number of times that the available space in the netpak buffer fell below 70%

• sessn thresh – the threshold for the maximum number of sessions

• *no nsp tunnel – the number of dropped packets sent to a tunnel interface to which no VPN tunnel is bound

• ip sweep – the number of packets received and discarded beyond the specified ip sweep threshold

• tcp out of seq – the number of TCP packets received whose sequence number is outside the acceptable range

• wrong intf – (NetScreen-1000 only) the number of session creation messages sent from a processor module to the master processor module

• wrong slot – (NetScreen-1000 only) the number of packets erroneously sent to the wrong processor module

• *icmp broadcast – the number of ICMP broadcasts received

• mp fail – (NetScreen-1000 only) the number of times a problem occurred when sending a PCI message between the master processor module and the processor module

• proc sess – (NetScreen-1000 only) the number of times that the total number of sessions on a processor module exceeded the maximum threshold

• invalid zone – the number of packets destined for an invalid security zone

• in icmp – the number of Internet Control Message Protocol (ICMP) packets received

• in self – the number of packets addressed to the NetScreen Management IP address

• in vpn – the number of IPSec packets received

• trmn drop – the number of packets dropped by traffic management

• trmng queue – the number of packets waiting in the queue

• tiny frag – the number of tiny fragmented packets received

• connections – the number of sessions established since the last boot

• loopback drop – the number of packets dropped because the packets cannot be looped back

• tcp proxy – the number of packets dropped from using a TCP proxy such as the SYN flood protection option or user authentication

• no g parent – the number of packets dropped because the parent connection could not be found

• no gate sess – the number of terminated sessions because there were no gates in the firewall for them

• no nat vector – the number of packets dropped because the Network Address Translation (NAT) connection was unavailable for the gate

• no map – the number of packets dropped because there was no map to the trusted side

• no conn – the number of packets dropped because of unavailable Network Address Translation (NAT) connections

• no dip – the number of packets dropped because of unavailable Dynamic IP (DIP) addresses

• no gate – the number of packets dropped because no gate was available

• no route – the number of unroutable packets received

• no sa – the number of packets dropped because no Security Associations (SA) was defined

• no sa policy – the number of packets dropped because no policy was associated with an SA

• sa inactive – the number of packets dropped because of an inactive SA

• sa policy deny – the number of packets denied by an SA policy

• policy deny – the number of packets denied by a defined policy

• auth fail – the number of times user authentication failed

• big bkstr – the number of packets that are too big to buffer in the ARP backstore while waiting for MAC-to-IP address resolution

• land attack – the number of suspected land attack packets received

• no route – the number of unroutable packets received

• tear drop – the number of packets blocked as part of a suspected Tear Drop attack

• src route – the number of packets dropped because of the filter source route option

• pingdeath – the number of suspected Ping of Death attack packets received

• address spoof – the number of suspected address spoofing attack packets received

• url block – the number of HTTP requests that were blocked

• nvec err – the number of packets dropped because of NAT vector error

• enc fai – the number of failed Point-to-Point Tunneling Protocol (PPTP) packets

• illegal pak – the number of packets dropped because they are illegal packets

Example: Viewing Screen and Flow Counters

In this example, you view the NetScreen screen and flow counters for the ethernet1 interface.

WebUI

1. Reports > Interface > Screen Counters: Select ethernet1 from the Interface drop-down list.

2. Reports > Interface > Statistics: Select ethernet1 from the Interface drop-down list.

CLI

1. get counter screen interface ethernet1

2. get counter flow interface ethernet1
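Screen counters only become a detection signal when they are read repeatedly and compared, so here is an added example (written for this page, not ScreenOS code) of that comparison: two snapshots of the counters named in the list above, taken a known interval apart, are turned into per-second growth rates, counters that went backwards are treated as reset rather than alerted on, and the rates are checked against per-counter thresholds. The snapshot values and the thresholds are constructed; how you obtain the snapshots (for example by parsing `get counter screen interface ethernet1` output with your own tooling) is outside this example.

```python
"""Turn periodic screen-counter snapshots into alerts (added example).

Assumes each snapshot is a dict of counter name -> cumulative count taken
at a known interval; values and thresholds below are constructed.
"""


def counter_deltas(previous, current, interval_s):
    """Per-second growth of each counter between two polls.

    A counter that went backwards is reported as None: it was reset or
    wrapped, and a negative rate must not be compared against a threshold.
    """
    if interval_s <= 0:
        raise ValueError("interval_s must be positive")
    rates = {}
    for name, now in current.items():
        before = previous.get(name, 0)
        rates[name] = None if now < before else (now - before) / interval_s
    return rates


def screen_alerts(rates, thresholds):
    """Sorted names of counters whose rate exceeds its (site-specific,
    assumed) per-second threshold; counters without a threshold are ignored."""
    return sorted(name for name, rate in rates.items()
                  if rate is not None and name in thresholds and rate > thresholds[name])


# Constructed snapshots of four screen counters, polled 60 seconds apart.
PREV = {"SYN Flood Protection": 1200, "Port Scan Protection": 4,
        "IP Sweep Protection": 10, "Ping-of-Death Protection": 0}
CURR = {"SYN Flood Protection": 61200, "Port Scan Protection": 9,
        "IP Sweep Protection": 3, "Ping-of-Death Protection": 0}
# Assumed thresholds in events per second; tune them from your own baseline.
THRESHOLDS = {"SYN Flood Protection": 100.0, "Port Scan Protection": 0.5,
              "IP Sweep Protection": 0.5, "Ping-of-Death Protection": 0.0}


def demo():
    rates = counter_deltas(PREV, CURR, 60)
    return screen_alerts(rates, THRESHOLDS)


if __name__ == "__main__":
    print(demo())  # ['SYN Flood Protection']
```

In the constructed data the SYN flood counter grew by 60,000 in a minute (1,000 per second), the port scan counter grew slowly, the IP sweep counter went backwards (a reset, so it is skipped), and the Ping-of-Death counter did not move; only the first one is reported.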

Asset Recovery Log

NetScreen provides an asset recovery log to display information about each time the device is returned to its default settings using the asset recovery procedure (see “Resetting the Device to the Factory Default Settings” on page 36). In addition to viewing the asset recovery log through the WebUI or CLI, you can also open or save the file to the location you specify. Use an ASCII text editor (such as Notepad) to view the file.

Example: Downloading the Asset Recovery Log

In this example, you download the asset recovery log to the local directory “C:\netscreen\logs” (WebUI) or to the root directory of a TFTP server at the IP address 10.10.20.200 (CLI). You name the file “sys_rst.txt”.

WebUI

1. Reports > System Log > Asset Recovery: Click Save.

The File Download wizard prompts you to open the file (using an ASCII editor) or save it to disk.

2. Select the Save this file to disk option, and then click OK.

The File Download wizard prompts you to choose a directory.

3. Specify C:\netscreen\logs, name the file sys_rst.txt, and then click Save.

CLI

get log self > tftp 10.10.20.200 sys_rst.txt

Traffic Alarms

The NetScreen device supports traffic alarms when traffic exceeds thresholds that you have defined in policies. You can configure the NetScreen device to alert you through one or more of the following methods whenever the NetScreen device generates a traffic alarm:

• Console

• Internal (Event Log)

• E-mail

• SNMP

• Syslog

• WebTrends

• NetScreen-Global PRO

You set alarm thresholds to detect anomalous activity. To know what constitutes anomalous activity, you must first establish a baseline of normal activity. To create such a baseline for network traffic, you must observe traffic patterns over a period of time. Then, after you have determined the amount of traffic that you consider as normal, you can set alarm thresholds above that amount. Traffic exceeding that threshold triggers an alarm to call your attention to a deviation from the baseline. You can then evaluate the situation to determine what caused the deviation and whether you need to take action in response.

You can also use traffic alarms to provide policy-based intrusion detection and notification of a compromised system. Examples of the use of traffic alarms for these purposes are provided below.

Example

In this example, there is a Web server with IP address 211.20.1.5 (and name “web1”) in the DMZ zone. You want to detect any attempts from the Untrust zone to access this Web server via Telnet. To accomplish this, you create a policy denying Telnet traffic from any address in the Untrust zone destined to the Web server named web1 in the DMZ zone, and you set a traffic alarm threshold at 64 bytes. Because the smallest size of IP packet is 64 bytes, even one Telnet packet attempting to reach the Web server from the Untrust zone will trigger an alarm.

WebUI

1. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: web1

IP Address/Domain Name:

IP/Netmask: (select), 211.20.1.5/32

Zone: DMZ

2. Policies > (From: Untrust, To: DMZ) > New: Enter the following, and then click OK:

Source Address:

Address Book: (select), Any

Destination Address:

Address Book: (select), web1

Service: Telnet

Action: Deny

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Counting: (select)

Alarm Threshold: 64 Bytes/Sec

CLI

1. set address dmz web1 211.20.1.5/32

2. set policy from untrust to dmz any web1 telnet deny count alarm 64

3. save

Example

In this example, you use traffic alarms to provide notification of a compromised system. You have an FTP server with IP address 211.20.1.10 (and name ftp1) in the DMZ zone. You want to allow FTP-get traffic to reach this server. You don’t want traffic of any kind to originate from the FTP server. The occurrence of such traffic would indicate that the system has been compromised, perhaps by a virus similar to the NIMDA virus. You define an address for the FTP server in the Global zone, so that you can then create two global policies.

WebUI

1. Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: ftp1

IP Address/Domain Name:

IP/Netmask: (select), 211.20.1.10/32

Zone: Global

2. Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:

Source Address:

Address Book: (select), Any

Destination Address:

Address Book: (select), ftp1

Service: FTP-Get

Action: Permit

3. Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:

Source Address:

Address Book: (select), ftp1

Destination Address:

Address Book: (select), Any

Service: ANY

Action: Deny

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Counting: (select)

Alarm Threshold: 64 Bytes/Sec

CLI

1. set address global ftp1 211.20.1.10/32

2. set policy global any ftp1 ftp-get permit

3. set policy global ftp1 any any deny count alarm 64

4. save
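The two traffic-alarm examples above (the Telnet deny policy for web1 and the deny-any policy for ftp1), together with the baseline-then-threshold approach described at the start of this section, can be modelled off the device to see which traffic would trip which alarm. The following Python script is an added example; it is not part of this manual and not ScreenOS code. It assumes a simplified policy matcher (first match wins; a Global policy matches any zone pair), uses constructed packet records with placeholder source addresses, counts matched bytes per second on a policy whether its action is permit or deny, and treats reaching the threshold as enough to alarm, as the single 64-byte Telnet packet in the text implies. The headroom factor in threshold_from_baseline is likewise an assumption made for the illustration.

```python
# Added example: simulating ScreenOS-style policy traffic alarms off the device.
# This is not NetScreen code; the matching rules and sample traffic below are
# assumptions constructed for the illustration.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Policy:
    from_zone: str                          # "untrust", "dmz", ... or "global"
    to_zone: str
    src: str                                # "any" or a CIDR from the address book
    dst: str
    service: str                            # "telnet", "ftp-get", ... or "any"
    action: str                             # "permit" or "deny"
    alarm_threshold: Optional[int] = None   # bytes/sec set with "count alarm <n>"


@dataclass(frozen=True)
class Packet:
    second: int          # arrival time, whole seconds
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    service: str
    size: int            # bytes


# The policies from the two examples above, in the order they were created.
POLICIES = [
    # set policy from untrust to dmz any web1 telnet deny count alarm 64
    Policy("untrust", "dmz", "any", "211.20.1.5/32", "telnet", "deny", 64),
    # set policy global any ftp1 ftp-get permit
    Policy("global", "global", "any", "211.20.1.10/32", "ftp-get", "permit"),
    # set policy global ftp1 any any deny count alarm 64
    Policy("global", "global", "211.20.1.10/32", "any", "any", "deny", 64),
]

# Constructed sample traffic (192.0.2.x addresses are placeholders).
PACKETS = [
    Packet(1, "untrust", "dmz", "192.0.2.10", "211.20.1.5", "telnet", 64),     # one Telnet probe
    Packet(1, "untrust", "dmz", "192.0.2.10", "211.20.1.5", "http", 500),      # matches no policy
    Packet(2, "untrust", "dmz", "192.0.2.20", "211.20.1.10", "ftp-get", 800),  # permitted FTP-get
    Packet(2, "dmz", "untrust", "211.20.1.10", "192.0.2.20", "http", 1200),    # ftp1 reaching out
    Packet(3, "dmz", "untrust", "211.20.1.10", "192.0.2.30", "smtp", 40),      # ftp1 again, under threshold
]


def _zone_matches(policy_zone, zone):
    return policy_zone == "global" or policy_zone == zone


def _addr_matches(book_entry, ip):
    return book_entry == "any" or ip_address(ip) in ip_network(book_entry)


def match_policy(policies, pkt):
    """Index of the first policy the packet matches, or None (implicit deny, no alarm)."""
    for idx, p in enumerate(policies):
        if (_zone_matches(p.from_zone, pkt.from_zone)
                and _zone_matches(p.to_zone, pkt.to_zone)
                and _addr_matches(p.src, pkt.src_ip)
                and _addr_matches(p.dst, pkt.dst_ip)
                and p.service in ("any", pkt.service)):
            return idx
    return None


def evaluate_alarms(policies, packets):
    """Sum matched bytes per (policy, second); return (policy index, second, bytes)
    for every second in which a counting policy reached its alarm threshold."""
    matched_bytes = defaultdict(int)
    for pkt in packets:
        idx = match_policy(policies, pkt)
        if idx is not None and policies[idx].alarm_threshold is not None:
            matched_bytes[(idx, pkt.second)] += pkt.size
    alarms = []
    for (idx, second), nbytes in sorted(matched_bytes.items()):
        # Assumption: reaching the threshold is enough, so a single 64-byte
        # Telnet packet trips a 64 bytes/sec alarm, as the text describes.
        if nbytes >= policies[idx].alarm_threshold:
            alarms.append((idx, second, nbytes))
    return alarms


def threshold_from_baseline(bytes_per_sec_samples, headroom=1.5):
    """Derive an alarm threshold from observed normal traffic: take the peak
    rate seen during the baseline window and add headroom (assumed 50%)."""
    return int(max(bytes_per_sec_samples) * headroom)


if __name__ == "__main__":
    for idx, second, nbytes in evaluate_alarms(POLICIES, PACKETS):
        p = POLICIES[idx]
        print(f"ALARM second={second}: policy {idx} ({p.from_zone}->{p.to_zone} "
              f"{p.src}->{p.dst} {p.service} {p.action}) saw {nbytes} B/s "
              f">= {p.alarm_threshold}")
    print("suggested threshold for baseline [100, 250, 180, 300] B/s:",
          threshold_from_baseline([100, 250, 180, 300]))
```

Running the script reports two alarms: the single 64-byte Telnet probe against web1 in second 1, and the 1200 bytes that ftp1 sent outbound in second 2. The 40-byte outbound packet in second 3 still matches the deny policy but stays under the threshold, which is the kind of case the baseline discussion is about: the threshold decides what is reported, not what is blocked.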

Example

In this example, you set up notification by e-mail alerts when there is an alarm. The mail server is at 172.16.10.254, the first e-mail address to be notified is [email protected], and the second address is [email protected]. The NetScreen device includes traffic logs with event logs sent via e-mail.

WebUI

Configuration > Report Settings > Email: Enter the following information, then click Apply:

Enable E-Mail Notification for Alarms: (select)

Include Traffic Log: (select)

SMTP Server Name: 172.16.10.254

E-Mail Address 1: [email protected]

E-Mail Address 2: [email protected]

CLI

1. set admin mail alert

2. set admin mail mail-addr1 [email protected]

3. set admin mail mail-addr2 [email protected]

4. set admin mail server-name 172.16.10.254

5. set admin mail traffic-log

6. save

Note: If you have DNS enabled, you can also use a host name for the mail server, such as mail.netscreen.com.

MIB Files

NetScreen provides MIB files to support SNMP communication between your organization’s applications and the SNMP agent in the NetScreen device. To obtain the latest MIB files, download them from www.netscreen.com/support.

The MIB files for the current ScreenOS version are fully compatible with SNMP agents in previous versions of ScreenOS. The NetScreen MIB files are organized in a multi-tier hierarchical structure and are described as follows:

• “The Primary-Level MIB File Folders” on page II

• “Secondary-Level MIB Folders” on page IV

– “netscreenProducts” on page IV

– “netScreenIds” on page V

– “netscreenVpn” on page V

– “netscreenQos” on page V

– “netscreenSetting” on page VI

– “netscreenZone” on page VI

– “netscreenPolicy” on page VII

– “netscreenNAT” on page VII

– “netscreenAddr” on page VII

– “netscreenService” on page VII

– “netscreenSchedule” on page VII

– “netscreenVsys” on page VIII

– “netscreenResource” on page VIII

– “netscreenIp” on page VIII

The Primary-Level MIB File Folders

The MIB files are arranged in a hierarchical folder structure. Each folder contains a category of MIB files. The primary-level MIB folders are as follows:

netscreenProducts – Assigns Object Identifiers (OIDs) to different NetScreen product series.

netscreenTrapInfo – Defines enterprise traps sent by the NetScreen device.

netscreenIDS – Defines the NetScreen device intrusion detection service (IDS) configuration.

netscreenVpn – Defines NetScreen device VPN configuration and runtime information.

netscreenQos – Defines NetScreen device Quality of Service configuration.

netScreenNsrp – Defines NetScreen device NSRP configuration.

netscreenSetting – Defines miscellaneous NetScreen device configuration settings, such as DHCP, email, authentication, and administrator.

netscreenZone – Defines zone information residing in the NetScreen device.

netscreenInterface – Defines the NetScreen device’s interface configuration, including the virtual interface.

netscreenPolicy – Defines the outgoing and incoming policy configuration for the NetScreen device.

netscreenNAT – Defines NAT configuration, including Map IP, Dynamic IP, and Virtual IP.

netscreenAddr – Represents the address table on a NetScreen interface.

netscreenService – Describes services (including user-defined) recognized by the NetScreen device.

netscreenSchedule – Defines NetScreen device task schedule information, configured by the user.

netscreenVsys – Defines NetScreen device virtual system (VSYS) configuration.

netscreenResource – Accesses information regarding the NetScreen device’s resource utilization.

netscreenIp – Accesses NetScreen device private IP-related information.

netScreen Chassis – Empty placeholder folder for future MIB support folders.

Secondary-Level MIB Folders

This section describes the secondary-level MIB files for NetScreen devices. Each secondary-level folder contains subsequent-level folders or MIB files.

netscreenProducts

netscreenGeneric Generic object identifiers (OIDs) for NetScreen products

netscreenNs5 NetScreen-5XP OIDs

netscreenNs10 NetScreen-10XP OIDs

netscreenNs100 NetScreen-100 OIDs

netscreenNs1000 NetScreen-1000 OIDs

netscreenNs500 NetScreen-500 OIDs

netscreenNs50 NetScreen-50 OIDs

netscreenNs25 NetScreen-25 OIDs

netscreenNs204 NetScreen-204 OIDs

netscreenNs208 NetScreen-208 OIDs

netScreenIds

nsIdsProtect – IDS service on NetScreen device

nsIdsProtectSetTable – IDS service enabled on NetScreen device

nsIdsProtectThreshTable – IDS service threshold configuration

nsIdsAttkMonTable – Statistical information about intrusion attempt

netscreenVpn

netscreenVpnMon – Show SA information of VPN tunnel

nsVpnManualKey – Manual key configuration

nsVpnIke – IKE configuration

nsVpnGateway – VPN tunnel gateway configuration

nsVpnPhaseOneCfg – IPSec Phase One configuration

nsVpnPhaseTwoCfg – IPSec Phase Two configuration

nsVpnCert – Certificate configuration

nsVpnL2TP – L2TP configuration

nsVpnPool – IP pool configuration

nsVpnUser – VPN user configuration

netscreenQos

nsQosPly – QoS configuration on policy

netscreenSetting

nsSetGeneral – General configuration of NS device

nsSetAuth – Authentication method configuration

nsSetDNS – DNS server setting

nsSetURLFilter – URL filter setting

nsSetDHCP – DHCP server setting

nsSetSysTime – System time setting

nsSetEmail – Email setting

nsSetLog – Syslog setting

nsSetSNMP – SNMP agent configuration

nsSetGlbMng – Global management configuration

nsSetAdminUser – Administration user configuration

nsSetWebUI – Web UI configuration

netscreenZone

nsZoneCfg – Zone configuration for the device

netscreenPolicy

NsPlyTable – Policy configuration

NsPlyMonTable – Statistical information about each policy

netscreenNAT

nsNatMipTable – Mapped IP configuration

nsNatDipTable – Dynamic IP configuration

nsNatVip – Virtual IP configuration

netscreenAddr

nsAddrTable – Address table on a NetScreen interface

netscreenService

nsServiceTable – Service information

nsServiceGroupTable – Service group information

nsServiceGrpMemberTable – Service group member information

netscreenSchedule

nschOnceTable – One-time schedule information

nschRecurTable – Recurring schedule information

netscreenVsys

nsVsysCfg – NetScreen device virtual system (VSYS) configuration

netscreenResource

nsresCPU – CPU utilization

nsresMem – Memory utilization

nsresSession – Session utilization

Note: NetScreen no longer supports the failedSession counter.

netscreenIp

nsIpArp – ARP table
