NetScreen Concepts & Examples ScreenOS Reference Guide Volume 2: Fundamentals ScreenOS 5.1.0 P/N 093-1367-000 Rev. B

DESCRIPTION

This document contains examples for configuring Juniper NetScreen.

Page 1: Netscreen Concepts and Examples

NetScreen Concepts & Examples
ScreenOS Reference Guide

Volume 2: Fundamentals

ScreenOS 5.1.0

P/N 093-1367-000

Rev. B

Copyright Notice

Copyright © 2004 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of Juniper Networks, Inc. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.
ATTN: General Counsel
1194 N. Mathilda Ave.
Sunnyvale, CA 94089-1206

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.

Contents

Preface .............................................................. vii
  Conventions ...................................................... viii
    CLI Conventions ................................................ viii
    WebUI Conventions .............................................. ix
    Illustration Conventions ....................................... xi
    Naming Conventions and Character Types ......................... xii
  Juniper Networks NetScreen Documentation ......................... xiii

Chapter 1 ScreenOS Architecture ...................................... 1
  Security Zones ................................................... 2
  Security Zone Interfaces ......................................... 3
    Physical Interfaces ............................................ 3
    Subinterfaces .................................................. 4
  Virtual Routers .................................................. 5
  Policies ......................................................... 6
  VPNs ............................................................. 9
  Virtual Systems .................................................. 11
  Packet Flow Sequence ............................................. 12
  Example (Part 1): Enterprise with Six Zones ...................... 15
  Example (Part 2): Interfaces for Six Zones ....................... 17
  Example (Part 3): Two Routing Domains ............................ 21
  Example (Part 4): Policies ....................................... 23

Chapter 2 Zones ...................................................... 29
  Security Zones ................................................... 32
    Global Zone .................................................... 32
    SCREEN Options ................................................. 32
  Tunnel Zones ..................................................... 33
    Example: Binding a Tunnel Interface to a Tunnel Zone ........... 34
  Configuring Security Zones and Tunnel Zones ...................... 35
    Creating a Zone ................................................ 35
    Modifying a Zone ............................................... 36
    Deleting a Zone ................................................ 37
  Function Zones ................................................... 38
    Null Zone ...................................................... 38
    MGT Zone ....................................................... 38
    HA Zone ........................................................ 38
    Self Zone ...................................................... 38
    VLAN Zone ...................................................... 38
  Port Modes ....................................................... 39
    Setting Port Modes ............................................. 45
      Example: Home-Work Port Mode ................................. 46
    Zones in Home-Work and Combined Port Modes ..................... 47
      Example: Home-Work Zones ..................................... 49

Chapter 3 Interfaces ................................................. 51
  Interface Types .................................................. 53
    Security Zone Interfaces ....................................... 53
      Physical ..................................................... 53
      Subinterface ................................................. 53
      Aggregate Interface .......................................... 54
      Redundant Interface .......................................... 54
      Virtual Security Interface ................................... 54

Juniper Networks NetScreen Concepts & Examples • Volume 2: Fundamentals

    Function Zone Interfaces ....................................... 55
      Management Interface ......................................... 55
      HA Interface ................................................. 55
    Tunnel Interfaces .............................................. 56
      Deleting Tunnel Interfaces ................................... 59
      Example: Deleting a Tunnel Interface ......................... 59
  Viewing Interfaces ............................................... 61
    Interface Table ................................................ 61
  Configuring Security Zone Interfaces ............................. 63
    Binding an Interface to a Security Zone ........................ 63
      Example: Binding an Interface ................................ 63
    Addressing a L3 Security Zone Interface ........................ 64
      Public IP Addresses .......................................... 64
      Private IP Addresses ......................................... 65
      Example: Addressing an Interface ............................. 66
    Unbinding an Interface from a Security Zone .................... 67
      Example: Unbinding an Interface .............................. 67
    Modifying Interfaces ........................................... 68
      Example: Modifying Interface Settings ........................ 69
    Creating Subinterfaces ......................................... 70
      Example: Subinterface in the Root System ..................... 70
    Deleting Subinterfaces ......................................... 71
      Example: Deleting a Security Zone Interface .................. 71
  Secondary IP Addresses ........................................... 72
    Secondary IP Address Properties ................................ 72
      Example: Creating a Secondary IP Address ..................... 73
  Loopback Interfaces .............................................. 74
    Example: Creating a Loopback Interface ......................... 74
    Using Loopback Interfaces ...................................... 75
      Example: Loopback Interface for Management ................... 75
      Example: BGP on a Loopback Interface ......................... 76
      Example: VSIs on a Loopback Interface ........................ 76
      Example: Loopback Interface as a Source Interface ............ 77
  Interface State Changes .......................................... 78
    Physical Connection Monitoring ................................. 80
    Tracking IP Addresses .......................................... 80
      Configuring IP Tracking ...................................... 81
      Example: Configuring Interface IP Tracking ................... 83
    Interface Monitoring ........................................... 87
      Example: Two Monitored Interfaces ............................ 89
      Example: Interface Monitoring Loop ........................... 90
    Security Zone Monitoring ....................................... 94
    Down Interfaces and Traffic Flow ............................... 95
      Failure on the Egress Interface .............................. 96
      Failure on the Ingress Interface ............................. 99

Chapter 4 Interface Modes ............................................ 103
  Transparent Mode ................................................. 104
    Zone Settings .................................................. 105
      VLAN Zone .................................................... 105
      Predefined Layer 2 Zones ..................................... 105
    Traffic Forwarding ............................................. 106
    Unknown Unicast Options ........................................ 107
      Flood Method ................................................. 108
      ARP/Trace-Route Method ....................................... 110
    Example: VLAN1 Interface for Management ........................ 114
    Example: Transparent Mode ...................................... 117
  NAT Mode ......................................................... 122
    Inbound and Outbound NAT Traffic ............................... 124
    Interface Settings ............................................. 125

    Example: NAT Mode .............................................. 126
  Route Mode ....................................................... 130
    Interface Settings ............................................. 131
    Example: Route Mode ............................................ 132

Chapter 5 Building Blocks for Policies ............................... 137
  Addresses ........................................................ 139
    Address Entries ................................................ 140
      Example: Adding Addresses .................................... 140
      Example: Modifying Addresses ................................. 141
      Example: Deleting Addresses .................................. 142
    Address Groups ................................................. 142
      Example: Creating an Address Group ........................... 144
      Example: Editing an Address Group Entry ...................... 145
      Example: Removing a Member and a Group ....................... 146
  Services ......................................................... 147
    Predefined Services ............................................ 147
    Custom Services ................................................ 149
      Example: Adding a Custom Service ............................. 149
      Example: Modifying a Custom Service .......................... 151
      Example: Removing a Custom Service ........................... 151
    Service Timeouts ............................................... 152
      Example: Setting a Service Timeout ........................... 153
    ICMP Services .................................................. 154
      Example: Defining an ICMP Service ............................ 155
    RSH ALG ........................................................ 156
    Sun Remote Procedure Call Application Layer Gateway ............ 156
      Typical RPC Call Scenarios ................................... 156
      Sun RPC Services ............................................. 157
      Example: Sun RPC Services .................................... 158
    Microsoft Remote Procedure Call Application Layer Gateway ...... 159
      MS RPC Services .............................................. 160
      MS RPC Service Groups ........................................ 163
      Example: Service Groups for MS RPC ........................... 163
    Real Time Streaming Protocol Application Layer Gateway ......... 165
      RTSP Request Methods ......................................... 167
      RTSP Status Codes ............................................ 169
      Example: Media Server in Private Domain ...................... 171
      Example: Media Server in Public Domain ....................... 174
    H.323 Protocol for Voice-over-IP ............................... 177
      Example: Gatekeeper in the Trust Zone (Transparent or Route Mode) ...... 177
      Example: Gatekeeper in the Untrust Zone (Transparent or Route Mode) .... 179
      Example: Outgoing Calls with NAT ............................. 182
      Example: Incoming Calls with NAT ............................. 187
      Example: Gatekeeper in the Untrust Zone with NAT ............. 191
    Session Initiation Protocol (SIP) .............................. 196
      SIP Request Methods .......................................... 197
      Classes of SIP Responses ..................................... 199
      ALG - Application-Layer Gateway .............................. 200
      SDP .......................................................... 201
      Pinhole Creation ............................................. 202
      Session Inactivity Timeout ................................... 205
      SIP Attack Protection ........................................ 206
      Example: SIP Protect Deny .................................... 206
      Example: Signaling and Media Inactivity Timeouts ............. 207
      Example: UDP Flooding Protection ............................. 207
      Example: SIP Connection Maximum .............................. 208

    SIP with Network Address Translation ........................... 209
      Outgoing Calls ............................................... 210
      Incoming Calls ............................................... 210
      Forwarded Calls .............................................. 211
      Call Termination ............................................. 211
      Call Re-INVITE Messages ...................................... 211
      Call Session Timers .......................................... 211
      Call Cancellation ............................................ 212
      Forking ...................................................... 212
      SIP Messages ................................................. 212
      SIP Headers .................................................. 213
      SIP Body ..................................................... 216
      SIP NAT Scenario ............................................. 216
      Incoming SIP Call Support Using the SIP Registrar ............ 219
      Example: Incoming Call (Interface DIP) ....................... 221
      Example: Incoming Call (DIP Pool) ............................ 225
      Example: Incoming Call with MIP .............................. 229
      Example: Proxy in the Private Zone ........................... 232
      Example: Proxy in the Public Zone ............................ 236
      Example: Three-Zone, Proxy in the DMZ ........................ 240
      Example: Untrust Intrazone ................................... 246
      Example: Trust Intrazone ..................................... 252
      Example: Full-Mesh VPN for SIP ............................... 256
    Bandwidth Management for VoIP Services ......................... 264
  Service Groups ................................................... 266
    Example: Creating a Service Group .............................. 267
    Example: Modifying a Service Group ............................. 268
    Example: Removing a Service Group .............................. 269
  DIP Pools ........................................................ 270
    Port Address Translation ....................................... 271
      Example: Creating a DIP Pool with PAT ........................ 271
      Example: Modifying a DIP Pool ................................ 273
    Sticky DIP Addresses ........................................... 273
    Extended Interface and DIP ..................................... 274
      Example: Using DIP in a Different Subnet ..................... 274
    Loopback Interface and DIP ..................................... 282
      Example: DIP on a Loopback Interface ......................... 283
    DIP Groups ..................................................... 288
      Example: DIP Group ........................................... 290
  Schedules ........................................................ 292
    Example: Recurring Schedule .................................... 292

Chapter 6 Policies ................................................... 297
  Basic Elements ................................................... 299
  Three Types of Policies .......................................... 300
    Interzone Policies ............................................. 300
    Intrazone Policies ............................................. 301
    Global Policies ................................................ 301
  Policy Set Lists ................................................. 302
  Policies Defined ................................................. 303
    Policies and Rules ............................................. 303
    Anatomy of a Policy ............................................ 305
      ID ........................................................... 306
      Zones ........................................................ 306
      Addresses .................................................... 306
      Services ..................................................... 306
      Action ....................................................... 307
      Application .................................................. 308
      Name ......................................................... 308
      VPN Tunneling ................................................ 308
      L2TP Tunneling ............................................... 309
      Deep Inspection .............................................. 309
      Placement at the Top of the Policy List ...................... 310
      Source Address Translation ................................... 310

      Destination Address Translation .............................. 310
      User Authentication .......................................... 311
      HA Session Backup ............................................ 313
      URL Filtering ................................................ 313
      Logging ...................................................... 314
      Counting ..................................................... 314
      Traffic Alarm Threshold ...................................... 314
      Schedules .................................................... 314
      Antivirus Scanning ........................................... 315
      Traffic Shaping .............................................. 315
  Policies Applied ................................................. 317
    Viewing Policies ............................................... 317
      Policy Icons ................................................. 317
    Creating Policies .............................................. 319
      Policy Location .............................................. 319
      Example: Interzone Policies Mail Service ..................... 320
      Example: Interzone Policy Set ................................ 325
      Example: Intrazone Policies .................................. 332
      Example: Global Policy ....................................... 335
    Entering a Policy Context ...................................... 336
    Multiple Items per Policy Component ............................ 337
    Address Negation ............................................... 338
      Example: Destination Address Negation ........................ 338
    Modifying and Disabling Policies ............................... 342
    Policy Verification ............................................ 343
    Reordering Policies ............................................ 344
    Removing a Policy .............................................. 345

Chapter 7 Traffic Shaping ............................................ 347
  Applying Traffic Shaping ......................................... 348
    Managing Bandwidth at the Policy Level ......................... 348
      Example: Traffic Shaping ..................................... 349
    Setting Service Priorities ..................................... 355
      Example: Priority Queuing .................................... 356

Chapter 8 System Parameters .......................................... 363
  Domain Name System Support ....................................... 365
    DNS Lookup ..................................................... 366
    DNS Status Table ............................................... 367
      Example: DNS Server and Refresh Schedule ..................... 368
      Example: Setting a DNS Refresh Interval ...................... 369
    Dynamic DNS .................................................... 370
      Example: DDNS Setup for dyndns Server ........................ 371
      Example: DDNS Setup for ddo Server ........................... 372
    Proxy DNS Address Splitting .................................... 373
      Example: Splitting DNS Requests .............................. 374
  DHCP ............................................................. 376
    DHCP Server .................................................... 378
      Example: NetScreen Device as DHCP Server ..................... 378
      DHCP Server Options .......................................... 384
      Example: Custom DHCP Server Options .......................... 385
      DHCP Server in an NSRP Cluster ............................... 385
      DHCP Server Detection ........................................ 386
      Example: Turning On DHCP Server Detection .................... 387
      Example: Turning Off DHCP Server Detection ................... 387
    DHCP Relay Agent ............................................... 388
      Example: NetScreen Device as DHCP Relay Agent ................ 389
    DHCP Client .................................................... 394
      Example: NetScreen Device as DHCP Client ..................... 394

    TCP/IP Settings Propagation .................................... 396
      Example: Forwarding TCP/IP Settings .......................... 397
  PPPoE ............................................................ 399
    Example: Setting Up PPPoE ...................................... 399
    Example: Configuring PPPoE on Primary and Backup Untrust Interfaces ..... 404
    Multiple PPPoE Sessions over a Single Interface ................ 405
      Untagged Interfaces .......................................... 406
      Example: Multiple PPPoE Instances ............................ 407
    PPPoE and High Availability .................................... 410
  Upgrading and Downgrading Firmware ............................... 411
    Requirements to Upgrade and Downgrade Device Firmware .......... 412
      NetScreen-Security Manager Server Connection ................. 413
    Downloading New Firmware ....................................... 413
      Uploading New Firmware ....................................... 416
      Using the Boot/OS Loader ..................................... 418
    Upgrading NetScreen Devices in an NSRP Configuration ........... 420
      Upgrading Devices in an NSRP Active/Passive Configuration .... 420
      Upgrading Devices in an NSRP Active/Active Configuration ..... 425
    Authenticating Firmware and DI Files ........................... 431
      Obtaining the Authentication Certificate ..................... 431
      Loading the Authentication Certificate ....................... 432
      Authenticating ScreenOS Firmware ............................. 433
      Authenticating a DI Attack Object Database File .............. 434
  Downloading and Uploading Configurations ......................... 435
    Saving and Importing Configurations ............................ 435
    Configuration Rollback ......................................... 437
      Last-Known-Good Configuration ................................ 437
      Automatic and Manual Configuration Rollback .................. 438
    Loading a New Configuration File ............................... 439
    Locking the Configuration File ................................. 440
    Adding Comments to a Configuration File ........................ 441
  Setting NetScreen-Security Manager Bulk-CLI ...................... 443
  License Keys ..................................................... 444
    Example: Expanding User Capacity ............................... 445
  Registration and Activation of Subscription Services ............. 446
    Temporary Service .............................................. 446
    AV, URL Filtering, and DI Bundled with a New Device ............ 447
    AV, URL Filtering, and DI Upgrade to an Existing Device ........ 448
    DI Upgrade Only ................................................ 449
  System Clock ..................................................... 450
    Date and Time .................................................. 450
    Time Zone ...................................................... 450
    NTP ............................................................ 451
      Multiple NTP Servers ......................................... 451
      Maximum Time Adjustment ...................................... 452
      NTP and NSRP ................................................. 452
      Example: Configuring NTP Servers and a Maximum Time Adjustment Value ... 453
    Secure NTP Servers ............................................. 454

Index ................................................................ IX-I

Preface

Volume 2, “Fundamentals” describes the ScreenOS architecture and its elements, including examples for configuring various elements. This volume describes the following:

• A general overview of the ScreenOS architecture

• Security, tunnel, and function zones

• Various interface types, such as physical interfaces, subinterfaces, virtual security interfaces (VSIs), redundant interfaces, aggregate interfaces, and VPN tunnel interfaces

• Interface modes in which NetScreen interfaces can operate: Network Address Translation (NAT), Route, and Transparent

• Policies, which are used to control the traffic flow across an interface, and the elements that are used to create policies and virtual private networks, such as addresses, users, and services

• Traffic management concepts

• System parameters for the following functions:

– Domain Name System (DNS) addressing

– Dynamic Host Configuration Protocol (DHCP) for assigning or relaying TCP/IP settings

– URL filtering

– Uploading and downloading of configuration settings and software to and from a NetScreen device

– License keys to expand the capabilities of a NetScreen device

– System clock configuration

Preface Conventions

CONVENTIONS

This document contains several types of conventions, which are introduced in the following sections:

• “CLI Conventions”

• “WebUI Conventions” on page ix

• “Illustration Conventions” on page xi

• “Naming Conventions and Character Types” on page xii

CLI Conventions

The following conventions are used when presenting the syntax of a command line interface (CLI) command:

• Anything inside square brackets [ ] is optional.

• Anything inside braces { } is required.

• If there is more than one choice, each choice is separated by a pipe ( | ). For example,

set interface { ethernet1 | ethernet2 | ethernet3 } manage

means “set the management options for the ethernet1, ethernet2, or ethernet3 interface”.

• Variables appear in italic. For example:

set admin user name password

When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: “Use the get system command to display the serial number of a NetScreen device.”

Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.

WebUI Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links. For example, the path to the address configuration dialog box is presented as Objects > Addresses > List > New. This navigational sequence is shown below.

1. Click Objects in the menu column. The Objects menu option expands to reveal a subset of options for Objects.

2. (Applet menu) Hover the mouse over Addresses. (DHTML menu) Click Addresses. The Addresses option expands to reveal a subset of options for Addresses.

3. Click List. The address book table appears.

4. Click the New link. The new address configuration dialog box appears.

To perform a task with the WebUI, you must first navigate to the appropriate dialog box where you can then define objects and set parameters. The set of instructions for each task is divided into two parts: a navigational path and configuration details. For example, the following set of instructions includes the path to the address configuration dialog box and the settings for you to configure:

Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust

Note: Because there are no instructions for the Comment field, leave it as it is.

Illustration Conventions

The following graphics make up the basic set of images used in illustrations throughout this book:

• Generic NetScreen Device
• Security Zone
• Security Zone Interfaces: white = protected zone interface (example: Trust zone); black = outside zone interface (example: Untrust zone)
• Router Icon
• Switch Icon
• Virtual Routing Domain
• VPN Tunnel
• Tunnel Interface
• Local Area Network (LAN) with a Single Subnet (example: 10.1.1.0/24)
• Internet
• Desktop Computer
• Server
• Generic Network Device (examples: NAT server, Access Concentrator)
• Laptop Computer
• Dynamic IP (DIP) Pool

Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objects—such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones—defined in ScreenOS configurations.

• If a name string includes one or more spaces, the entire string must be enclosed within double quotes ( “ ); for example, set address trust “local LAN” 10.1.1.0/24.
• NetScreen trims any spaces leading or trailing text within a set of double quotes; for example, “ local LAN ” becomes “local LAN”.
• NetScreen treats multiple consecutive spaces as a single space.
• Name strings are case sensitive, although many CLI key words are case insensitive. For example, “local LAN” is different from “local lan”.

ScreenOS supports the following character types:

• Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.
• ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes ( “ ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.

Note: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your Web browser supports.

JUNIPER NETWORKS NETSCREEN DOCUMENTATION

To obtain technical documentation for any Juniper Networks NetScreen product, visit www.juniper.net/techpubs/.

For technical support, open a support case using the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Chapter 1

ScreenOS Architecture

The Juniper Networks NetScreen ScreenOS architecture offers great flexibility in designing the layout of your network security. On NetScreen devices with more than two interfaces, you can create numerous security zones and configure policies to regulate traffic between and within zones. You can bind one or more interfaces to each zone and enable a unique set of management and firewall attack screening options on a per-zone basis. Essentially, ScreenOS allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications.

This chapter presents an overview of ScreenOS, covering the following key components:

• “Security Zones” on page 2
• “Security Zone Interfaces” on page 3
• “Virtual Routers” on page 5
• “Policies” on page 6
• “VPNs” on page 9
• “Virtual Systems” on page 11

Furthermore, to better understand the ScreenOS mechanism for processing traffic, you can see the flow sequence for an incoming packet in “Packet Flow Sequence” on page 12.

The chapter concludes with a four-part example that illustrates a basic configuration for a NetScreen device using ScreenOS:

• “Example (Part 1): Enterprise with Six Zones” on page 15
• “Example (Part 2): Interfaces for Six Zones” on page 17
• “Example (Part 3): Two Routing Domains” on page 21
• “Example (Part 4): Policies” on page 23

SECURITY ZONES

A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic via policies (see “Policies” on page 6)[1]. Security zones are logical entities to which one or more interfaces are bound. With many types of NetScreen devices, you can define multiple security zones, the exact number of which you determine based on your network needs. In addition to user-defined zones, you can also use the predefined zones: Trust, Untrust, and DMZ (for Layer 3 operation), or V1-Trust, V1-Untrust, and V1-DMZ (for Layer 2 operation)[2]. If you want, you can continue using just the predefined zones. You can also ignore the predefined zones and use user-defined zones exclusively[3]. Optionally, you can use both kinds of zones—predefined and user-defined—side by side. This flexibility for zone configuration allows you to create a network design that best suits your specific needs.

Figure: A network configured with 5 security zones: 3 default zones (Trust, Untrust, DMZ) and 2 user-defined zones (Finance, Eng), all attached to the policy engine of the NetScreen device. Traffic (indicated by black lines) passes from one security zone to another only if a policy permits it.

1. The one security zone that requires no network segment is the global zone. (For more information, see “Global Zone” on page 32.) Additionally, any zone without an interface bound to it nor any address book entries can also be said not to contain any network segments.
2. If you upgrade from an earlier version of ScreenOS, all your configurations for these zones remain intact.
3. You cannot delete a predefined security zone. You can, however, delete a user-defined zone. When you delete a security zone, you also automatically delete all addresses configured for that zone.

SECURITY ZONE INTERFACES

An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one direction or in both[4]. With the routes that you define, you specify the interfaces that traffic from one zone to another must use. Because you can bind multiple interfaces to a zone, the routes you chart are important for directing traffic to the interfaces of your choice.

To permit traffic to flow from zone to zone, you bind an interface to the zone and—for an interface in Route or NAT mode (see Chapter 4, “Interface Modes”)—assign an IP address to the interface. Two common interface types are physical interfaces and—for those devices with virtual system support—subinterfaces (that is, a layer 2 substantiation of a physical interface). For more information, see Chapter 3, “Interfaces”.

Physical Interfaces

A physical interface relates to components that are physically present on the NetScreen device. The interface naming convention differs from device to device. On the NetScreen-500, for example, a physical interface is identified by the position of an interface module and an ethernet port on that module. For example, the interface ethernet1/2 designates the interface module in the first bay (the 1 in ethernet1/2) and the second port on that module (the 2 in ethernet1/2).

Note: To see the naming convention for a specific NetScreen device, refer to the User’s Guide for that device.

Figure: Physical Interface Assignments (ports 1/1, 1/2, 2/1, 2/2, 3/1, 3/2, 4/1, 4/2).

4. For traffic to flow between interfaces bound to the same zone, no policy is required because both interfaces have security equivalency. ScreenOS requires policies for traffic between zones, not within a zone. The exception is a zone with intrazone blocking enabled, where traffic between two interfaces of that zone also needs a permitting policy (see “Policies” on page 6).

Subinterfaces

On devices that support virtual LANs (VLANs), you can logically divide a physical interface into several virtual subinterfaces, each of which borrows the bandwidth it needs from the physical interface from which it stems. A subinterface is an abstraction that functions identically to a physical interface and is distinguished by 802.1Q VLAN tagging[5]. The NetScreen device directs traffic to and from a zone with a subinterface via its IP address and VLAN tag. For convenience, administrators usually use the same number for a VLAN tag as the subinterface number. For example, the interface ethernet1/2 using VLAN tag 3 is named ethernet1/2.3. This refers to the interface module in the first bay, the second port on that module, and subinterface number 3 (ethernet1/2.3).

Note that although a subinterface shares part of its identity with a physical interface, the zone to which you bind it is not dependent on the zone to which you bind the physical interface. You can bind the subinterface ethernet1/2.3 to a different zone than that to which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2. Similarly, there are no restrictions in terms of IP address assignments. The term subinterface does not imply that its address be in a subnet of the address space of the physical interface.

5. 802.1Q is an IEEE standard that defines the mechanisms for the implementation of virtual bridged LANs and the ethernet frame formats used to indicate VLAN membership via VLAN tagging.

Figure: Subinterface Assignments. Physical ports 1/1, 1/2, 2/1, 2/2, 3/1, 3/2, 4/1, 4/2 carry the subinterfaces 1/1.1, 1/1.2; 1/2.1, 1/2.2; 2/1.1, 2/1.2; 2/2.1, 2/2.2; 3/1.1, 3/1.2, 3/1.3; 3/2.1, 3/2.2, 3/2.3; 4/1.1, 4/1.2; 4/2.1, 4/2.2.

VIRTUAL ROUTERS

A virtual router (VR) functions as a router. It has its own interfaces and its own unicast and multicast routing tables. In ScreenOS, a NetScreen device supports two predefined virtual routers. This allows the NetScreen device to maintain two separate unicast and multicast routing tables and to conceal the routing information in one virtual router from the other. For example, the untrust-vr is typically used for communication with untrusted parties and does not contain any routing information for the protected zones. Routing information for the protected zones is maintained by the trust-vr. Thus, no internal network information can be gleaned by the surreptitious extraction of routes from the untrust-vr.

When there are two virtual routers on a NetScreen device, traffic is not automatically forwarded between zones that reside in different VRs, even if there are policies that permit the traffic. If you want traffic to pass between virtual routers, you need to either export routes between the VRs or configure a static route in one VR that defines the other VR as the next-hop. For more information about using two virtual routers, see Volume 6, “Routing”.

Figure: Two routing domains on one NetScreen device. The untrust-vr routing domain contains the Untrust and DMZ zones; the trust-vr routing domain contains the Finance, Trust, and Eng zones; route forwarding links the two. Note: The castle icon represents an interface for a security zone.

POLICIES

NetScreen devices secure a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another.

By default, a NetScreen device denies all traffic in all directions[6]. Through the creation of policies, you can then control the traffic flow from zone to zone by defining the kinds of traffic permitted to pass from specified sources to specified destinations at scheduled times. At the broadest level, you can allow all kinds of traffic from any source in one zone to any destination in all other zones without any scheduling restrictions. At the narrowest level, you can create a policy that allows only one kind of traffic between a specified host in one zone and another specified host in another zone during a scheduled period of time.

6. Some NetScreen devices ship with a default policy that allows all outbound traffic from the Trust to the Untrust zone but denies all inbound traffic from the Untrust zone to the Trust zone.

Figure: Broadly defined Internet access: any service from any point in the Trust zone to any point in the Untrust zone at any time. Narrowly defined Internet access: SMTP service from a mail server in the Trust zone to a mail server in the Untrust zone from 5:00 AM to 7:00 PM.

Every time a packet attempts to pass from one zone to another or between two interfaces bound to the same zone, the NetScreen device checks its policy set lists for a policy that permits such traffic (see “Policy Set Lists” on page 302). To allow traffic to pass from one security zone to another—for example, from zone A to zone B—you must configure a policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A. For any traffic to pass from one zone to another, there must be a policy that permits it. Also, if intrazone blocking is enabled, there must be a policy to permit traffic to pass from one interface to another within that zone.

Note: For information about policies, see Chapter 6, “Policies”.

Figure: The policy engine sits between the Finance, Trust, and Eng zones (trust-vr routing domain) and the Untrust and DMZ zones (untrust-vr routing domain), with route forwarding between the two domains. Note: The black lines represent traffic between security zones.

If you configure multicast routing on a NetScreen device, you might have to configure multicast policies. By default, a NetScreen device does not permit multicast control traffic between zones. Multicast control traffic consists of the messages transmitted by multicast protocols, such as Protocol Independent Multicast (PIM). Multicast policies control the flow of multicast control traffic only. To allow data traffic (both unicast and multicast) to pass between zones, you must configure firewall policies. (For information about multicast policies, see “Multicast Policies” on page 6-204.)

VPNS

ScreenOS supports several virtual private network (VPN) configuration options. The two main types are as follows:

• Route-based VPN – A route lookup determines which traffic the NetScreen device encapsulates. Policies either permit or deny traffic to the destination specified in the route. If the policy permits the traffic and the route references a tunnel interface bound to a VPN tunnel, then the NetScreen device also encapsulates it. This configuration separates the application of policies from the application of VPN tunnels. Once configured, such tunnels exist as available resources for securing traffic en route between one security zone and another.

• Policy-based VPN – A policy lookup determines which traffic the NetScreen device encapsulates when the policy references a particular VPN tunnel and specifies “tunnel” as the action.

A route-based VPN is a good choice for site-to-site VPN configurations because you can apply multiple policies to traffic passing through a single VPN tunnel. A policy-based VPN is a good choice for dialup VPN configurations because the dialup client might not have an internal IP address to which you can set a route.

The following steps provide a sense of the main elements involved in a route-based VPN configuration:

1. While configuring the VPN tunnel (for example, vpn-to-SF, where SF is the destination or end entity), specify a physical interface or subinterface on the local device as the outgoing interface. (The IP address for this interface is what the remote peer must use when configuring its remote gateway.)
2. Create a tunnel interface (for example, tunnel.1), and bind it to a security zone[7].
3. Bind the tunnel interface tunnel.1 to the VPN tunnel vpn-to-SF.
4. To direct traffic through this tunnel, set up a route stating that traffic to SF must use tunnel.1.

7. You do not have to bind the tunnel interface to the same zone for which VPN traffic is destined. Traffic to any zone can access a tunnel interface if a route points to that interface.

Figure: A packet sent from the source zone passes the policy engine, is matched in the routing table against the route that uses the tunnel interface tunnel.1, is encapsulated in the VPN tunnel vpn-to-SF, and arrives in the destination zone.

At this point, the tunnel is ready for traffic bound for SF. You can now create address book entries, such as “Trust LAN” (10.1.1.0/24) and “SF LAN” (10.2.2.0/24), and set up policies to permit or block different types of traffic from a specified source, such as “Trust LAN”, to a specified destination, such as “SF LAN”.

Note: For detailed information about VPNs, see Volume 5, “VPNs”.

Figure: Route-based VPN on the local device. The Trust zone interface eth3/2 (10.1.1.1/24) is in the trust-vr routing domain. The Untrust zone outgoing interface eth1/2 (1.1.1.1/24, default gateway 1.1.1.250) and the tunnel interface tunnel.1, bound to the VPN tunnel vpn-to-SF leading to SF LAN 10.2.2.0/24, are in the untrust-vr routing domain.

trust-vr routing table:
To Reach      Use
10.1.1.0/24   eth3/2
0.0.0.0/0     untrust-vr

untrust-vr routing table:
To Reach      Use
1.1.1.0/24    eth1/2
10.2.2.0/24   tunnel.1
0.0.0.0/0     1.1.1.250

The local NetScreen device routes traffic from the Trust zone to “SF LAN” in the Untrust zone through the tunnel.1 interface. Because tunnel.1 is bound to the VPN tunnel “vpn-to-SF”, the NetScreen device encrypts the traffic and sends it through that tunnel to the remote peer.

VIRTUAL SYSTEMS

Some NetScreen devices support virtual systems (vsys). A virtual system is a subdivision of the main system that appears to the user to be a stand-alone entity. Virtual systems reside separately from each other and from the root system within the same NetScreen device. The application of ScreenOS to virtual systems involves the coordination of three main components: zones, interfaces, and virtual routers. The following illustration presents a conceptual overview of how ScreenOS integrates these components at both the root and vsys levels.

Note: For further information on virtual systems and the application of zones, interfaces, and virtual routers within the context of virtual systems, see Volume 9, “Virtual Systems”.

Figure: Root system and three virtual systems on one device. The root system holds the DMZ, Mail, Untrust, Finance, Trust, and Eng zones with the untrust-vr and trust-vr. vsys1 holds the Trust-vsys1 zone and vsys1-vr and uses an interface shared with the root system; vsys2 holds the Trust-vsys2 zone and vsys2-vr on a subinterface dedicated to vsys2; vsys3 holds the Trust-vsys3 zone and vsys3-vr on a physical interface dedicated to vsys3. Note: The castle icon represents a security zone interface.

PACKET FLOW SEQUENCE

In ScreenOS, the flow sequence of an incoming packet progresses as presented below.

Figure: Packet flow sequence.
1. Incoming interface → source zone. If network traffic, source zone = security zone to which the interface or subinterface is bound. If VPN traffic to a tunnel interface bound to a VPN tunnel, source zone = security zone in which the tunnel interface is configured. If VPN traffic to a tunnel interface in a tunnel zone, source zone = carrier zone.
2. SCREEN filter.
3. Session lookup. If the packet does not match an existing session, perform steps 4-9. If it does match, go directly to step 9.
4. MIP/VIP → host IP.
5. Route lookup in the forwarding table (example entries: 10.10.10.0/24 → eth1/1; 0.0.0.0/0 → untrust-vr) → destination interface and destination zone. If destination zone = security zone, use that zone for the policy lookup. If destination zone = tunnel zone, use its carrier zone for the policy lookup.
6. Policy lookup in the policy set list (src, dst, service, action). Permit = forward packet. Deny = drop packet. Reject = drop packet and send TCP RST to source. Tunnel = use specified tunnel for VPN encryption.
7. NAT-dst and/or NAT-src.
8. Create session. Example session table entry: id 977 vsys id 0, flag 000040/00, pid -1, did 0, time 18013 (01) 10.10.10.1/1168 -> 211.68.1.2/80, 6, 002be0c0066b, subif 0, tun 0
9. Perform operation.

1. The interface module identifies the incoming interface and, consequently, the source zone to which the interface is bound.

The source zone determination is based on the following criteria:

– If the packet is not encapsulated, the source zone is the security zone to which the incoming interface or subinterface is bound.
– If the packet is encapsulated and the tunnel interface is bound to a VPN tunnel, the source zone is the security zone in which the tunnel interface is configured.
– If the packet is encapsulated and the tunnel interface is in a tunnel zone, the source zone is the corresponding carrier zone (a security zone that carries a tunnel zone) for that tunnel zone.

2. If you have enabled SCREEN options for the source zone, the NetScreen device activates the SCREEN module at this point. SCREEN checking can produce one of the following three results:

– If a SCREEN mechanism detects anomalous behavior for which it is configured to block the packet, the NetScreen device drops the packet and makes an entry in the event log.
– If a SCREEN mechanism detects anomalous behavior for which it is configured to record the event but not block the packet, the NetScreen device records the event in the SCREEN counters list for the ingress interface and proceeds to the next step.
– If the SCREEN mechanisms detect no anomalous behavior, the NetScreen device proceeds to the next step.

3. The session module performs a session lookup, attempting to match the packet with an existing session.

If the packet does not match an existing session, the NetScreen device performs First Packet Processing, a procedure involving the following steps 4 through 9.

If the packet matches an existing session, the NetScreen device performs Fast Processing, using the information available from the existing session entry to process the packet. Fast Processing bypasses steps 4 through 8 because the information generated by those steps has already been obtained during the processing of the first packet in the session.

4. If a mapped IP (MIP) or virtual IP (VIP) address is used, the address-mapping module resolves the MIP or VIP so that the routing table can search for the actual host address.

5. The route table lookup finds the interface that leads to the destination address. In so doing, the interface module identifies the destination zone to which that interface is bound.

The destination zone determination is based on the following criteria:

– If the destination zone is a security zone, that zone is used for the policy lookup.
– If the destination zone is a tunnel zone, the corresponding carrier zone is used for the policy lookup.
– If the destination zone is the same as the source zone and intrazone blocking is disabled for that zone, the NetScreen device bypasses steps 6 and 7 and creates a session (step 8). If intrazone blocking is enabled, the packet goes through the policy lookup in step 6 like interzone traffic and, as described under “Policies” on page 6, is dropped unless a policy permits traffic between those interfaces within the zone.

6. The policy engine searches the policy set lists for a policy between the addresses in the identified source and destination zones.

The action configured in the policy determines what the NetScreen firewall does with the packet:

– If the action is permit, the NetScreen device determines to forward the packet to its destination.
– If the action is deny, the NetScreen device determines to drop the packet.
– If the action is reject, the NetScreen device determines to drop the packet and—if the protocol is TCP—to send a reset (RST) to the source IP address.
– If the action is tunnel, the NetScreen device determines to forward the packet to the VPN module, which encapsulates the packet and transmits it using the specified VPN tunnel settings.

7. If destination address translation (NAT-dst) is specified in the policy, the NAT module translates the original destination address in the IP packet header to a different address.

If source address translation is specified (either interface-based NAT or policy-based NAT-src), the NAT module translates the source address in the IP packet header before forwarding it either to its destination or to the VPN module.

(If both NAT-dst and NAT-src are specified in the same policy, the NetScreen device first performs NAT-dst and then NAT-src.)

8. The session module creates a new entry in the session table containing the results of steps 1 through 7. The NetScreen device then uses the information maintained in the session entry when processing subsequent packets of the same session.

9. The NetScreen device performs the operation specified in the session. Some typical operations are source address translation, VPN tunnel selection and encryption, decryption, and packet forwarding.
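The nine steps above, together with the virtual-router handoff described under “Virtual Routers” (a packet whose route in one VR names the other VR as next hop), are modelled in the following Python example. It is an added illustration and not ScreenOS code: the interface, zone and routing-table data are taken from the six-zone example and the vpn-to-SF figure on this page, while the MIP address, the policy set list, the DMZ intrazone-blocking setting and all function names are assumptions made for the example.

```python
"""Toy model of the ScreenOS first-packet flow (steps 1 to 9) across two virtual routers.

Added illustration, not ScreenOS code. Interface, zone and routing data are taken
from the figures on this page; the MIP, the policies and the DMZ intrazone-blocking
setting are assumptions made for the example.
"""
import ipaddress

# Step 1 data: interface -> security zone, and zone -> virtual router (six-zone example).
IFACE_ZONE = {
    "eth3/2": "Trust", "eth3/2.1": "Finance", "eth3/1": "Eng",
    "eth1/1": "Mail", "eth1/2": "Untrust", "eth2/2": "DMZ", "tunnel.1": "Untrust",
}
ZONE_VR = {
    "Trust": "trust-vr", "Finance": "trust-vr", "Eng": "trust-vr",
    "Mail": "untrust-vr", "Untrust": "untrust-vr", "DMZ": "untrust-vr",
}
# Step 5 data: one forwarding table per VR. A next hop is an interface, a gateway IP
# resolved through the same VR, or the name of the other VR (route forwarding between VRs).
ROUTES = {
    "trust-vr": [
        ("10.1.1.0/24", "eth3/2"), ("10.1.2.0/24", "eth3/2.1"),
        ("10.1.3.0/24", "eth3/1"), ("0.0.0.0/0", "untrust-vr"),
    ],
    "untrust-vr": [
        ("1.1.1.0/24", "eth1/2"), ("1.2.2.0/24", "eth2/2"), ("1.3.3.0/24", "eth1/1"),
        ("10.2.2.0/24", "tunnel.1"),   # tunnel.1 is bound to the VPN tunnel vpn-to-SF
        ("10.1.0.0/16", "trust-vr"),   # static route whose next hop is the other VR
        ("0.0.0.0/0", "1.1.1.250"),    # default gateway on the Untrust side
    ],
}
MIP = {"1.1.1.5": "10.1.3.5"}          # step 4 data: assumed MIP on the Untrust interface
# Step 6 data: policy set list as (src zone, dst zone, src net, dst net, dst port, action,
# NAT-src address). Assumed policies; anything unmatched is denied (default deny).
POLICIES = [
    ("Trust", "Untrust", "10.1.1.0/24", "10.2.2.0/24", 25, "permit", None),
    ("Untrust", "Eng", "0.0.0.0/0", "10.1.3.5/32", 80, "permit", None),
    ("Trust", "Untrust", "10.1.1.0/24", "0.0.0.0/0", None, "permit", "1.1.1.1"),
]
INTRAZONE_BLOCKING = {"DMZ"}           # assumed: intrazone traffic in DMZ needs a policy
SESSIONS = {}                          # step 8: session table keyed by the packet tuple


def lookup_route(vr, dst, depth=0):
    """Longest-prefix match in one VR table, following a gateway IP or a handoff to the
    other VR. Returns (egress interface, list of VRs consulted); the interface is None
    when the destination is unroutable."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in ROUTES[vr] if ip in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen, default=None)
    if best is None or depth > 4:
        return None, [vr]
    nexthop = best[1]
    if nexthop in ROUTES:                             # handoff to another virtual router
        iface, path = lookup_route(nexthop, dst, depth + 1)
        return iface, [vr] + path
    if nexthop in IFACE_ZONE:                         # directly attached interface
        return nexthop, [vr]
    return lookup_route(vr, nexthop, depth + 1)       # gateway IP: resolve it in this VR


def match_policy(src_zone, dst_zone, src, dst, port):
    """First policy in the set list for this zone pair that matches, else None."""
    for p in POLICIES:
        if (p[0], p[1]) == (src_zone, dst_zone) \
                and ipaddress.ip_address(src) in ipaddress.ip_network(p[2]) \
                and ipaddress.ip_address(dst) in ipaddress.ip_network(p[3]) \
                and p[4] in (None, port):
            return p
    return None


def process_packet(in_iface, src, dst, port, screen_ok=True):
    """Run one packet through steps 1 to 9; returns a dict describing the decision."""
    key = (in_iface, src, dst, port)
    src_zone = IFACE_ZONE[in_iface]                                   # step 1
    if not screen_ok:                                                 # step 2: SCREEN blocks
        return {"action": "drop", "reason": "screen", "src_zone": src_zone}
    if key in SESSIONS:                                               # step 3: fast processing
        return dict(SESSIONS[key], fast_path=True)
    real_dst = MIP.get(dst, dst)                                      # step 4: MIP/VIP -> host
    egress, path = lookup_route(ZONE_VR[src_zone], real_dst)          # step 5: route lookup
    if egress is None:
        return {"action": "drop", "reason": "no route", "src_zone": src_zone}
    dst_zone = IFACE_ZONE[egress]
    entry = {"src_zone": src_zone, "dst_zone": dst_zone, "egress": egress, "vr_path": path,
             "src": src, "dst": real_dst, "fast_path": False}
    if src_zone == dst_zone and src_zone not in INTRAZONE_BLOCKING:
        entry["action"] = "permit"                                    # skip steps 6 and 7
    else:
        policy = match_policy(src_zone, dst_zone, src, real_dst, port)  # step 6
        entry["action"] = policy[5] if policy else "deny"
        if policy and policy[6]:                                      # step 7: NAT-src
            entry["src"] = policy[6]
    if entry["action"] == "permit":
        SESSIONS[key] = entry                                         # step 8: new session
    return entry                                                      # step 9: act on it


if __name__ == "__main__":
    for pkt in [("eth3/2", "10.1.1.5", "10.2.2.7", 25), ("eth1/2", "1.1.1.200", "1.1.1.5", 80),
                ("eth3/2", "10.1.1.5", "10.1.2.9", 443), ("eth2/2", "1.2.2.5", "1.2.2.6", 80)]:
        print(pkt, "->", process_packet(*pkt))
```

Running the script shows the points the text makes: a Trust packet for 10.2.2.7 is handed from the trust-vr default route to the untrust-vr, egresses on tunnel.1 and is therefore policy-checked as Trust → Untrust; a second packet of the same flow is answered from the session table without repeating steps 4 to 8; the inbound MIP packet reaches the Eng zone only because the untrust-vr carries the 10.1.0.0/16 route pointing at trust-vr (remove that route and the default route sends it back out the Untrust interface); and the DMZ-to-DMZ packet is denied because intrazone blocking is on for that zone and no policy matches, which is the default-deny behaviour the “Policies” section describes.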

Example (Part 1): Enterprise with Six Zones

This is the first of a four-part example, the purpose of which is to illustrate some of the concepts covered in the previous sections. For the second part, in which the interfaces for each zone are set, see “Example (Part 2): Interfaces for Six Zones” on page 17. Here you configure the following six zones for an enterprise:

• Finance
• Eng
• Untrust
• Trust
• Mail
• DMZ

The Trust, Untrust, and DMZ zones are preconfigured. You must define the Finance, Eng, and Mail zones. By default, a user-defined zone is placed in the trust-vr routing domain. Thus, you do not have to specify a virtual router for the Finance and Eng zones. However, in addition to configuring the Mail zone, you must also specify that it be in the untrust-vr routing domain. You must also shift virtual router bindings for the Untrust and DMZ zones from the trust-vr to the untrust-vr[8].

8. For more information on virtual routers and their routing domains, see Volume 6, “Dynamic Routing.”

Figure: The untrust-vr routing domain contains the Mail, Untrust, and DMZ zones; the trust-vr routing domain contains the Finance, Trust, and Eng zones.

WebUI

Network > Zones > New: Enter the following, and then click OK:
Zone Name: Finance
Virtual Router Name: trust-vr
Zone Type: Layer 3: (select)

Network > Zones > New: Enter the following, and then click OK:
Zone Name: Eng
Virtual Router Name: trust-vr
Zone Type: Layer 3: (select)

Network > Zones > New: Enter the following, and then click OK:
Zone Name: Mail
Virtual Router Name: untrust-vr
Zone Type: Layer 3: (select)

Network > Zones > Edit (for Untrust): Select untrust-vr in the Virtual Router Name drop-down list, and then click OK.

Network > Zones > Edit (for DMZ): Select untrust-vr in the Virtual Router Name drop-down list, and then click OK.

CLI

set zone name finance
set zone name eng
set zone name mail
set zone mail vrouter untrust-vr
set zone untrust vrouter untrust-vr
set zone dmz vrouter untrust-vr
save

Example (Part 2): Interfaces for Six Zones

This is the second part of an ongoing example. For the first part, in which zones are configured, see “Example (Part 1): Enterprise with Six Zones” on page 15. For the next part, in which virtual routers are configured, see “Example (Part 3): Two Routing Domains” on page 21. This part of the example demonstrates how to bind interfaces to zones and configure them with an IP address and various management options. Note that Telnet and the WebUI over HTTP carry administrator credentials in cleartext, so the example enables them only on the protected Trust interface and limits the Untrust interface to SNMP.

Figure: Interface assignments for the six zones.
Finance: eth3/2.1, 10.1.2.1/24, VLAN tag 1
Trust: eth3/2, 10.1.1.1/24
Eng: eth3/1, 10.1.3.1/24
Mail: eth1/1, 1.3.3.1/24, and eth1/1.2, 1.4.4.1/24, VLAN tag 2
Untrust: eth1/2, 1.1.1.1/24
DMZ: eth2/2, 1.2.2.1/24

Page 34: Netscreen Concepts and Examples

Chapter 1 ScreenOS Architecture Packet Flow Sequence

18

WebUI

1. Interface ethernet3/2

Network > Interfaces > Edit (for ethernet3/2): Enter the following, and then click OK:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Manageable: (select)

Management Services: WebUI, Telnet, SNMP, SSH (select)

Other Services: Ping (select)

2. Interface ethernet3/2.1

Network > Interfaces > Sub-IF New: Enter the following, and then click OK:

Interface Name: ethernet3/2.1

Zone Name: Finance

Static IP: (select this option when present)

IP Address/Netmask: 10.1.2.1/24

VLAN Tag: 1

Other Services: Ping (select)

3. Interface ethernet3/1

Network > Interfaces > Edit (for ethernet3/1): Enter the following, and then click OK:

Zone Name: Eng

Static IP: (select this option when present)

IP Address/Netmask: 10.1.3.1/24

Other Services: Ping (select)


4. Interface ethernet1/1

Network > Interfaces > Edit (for ethernet1/1): Enter the following, and then click OK:

Zone Name: Mail

Static IP: (select this option when present)

IP Address/Netmask: 1.3.3.1/24

5. Interface ethernet1/1.2

Network > Interfaces > Sub-IF New: Enter the following, and then click OK:

Interface Name: ethernet1/1.2

Zone Name: Mail

Static IP: (select this option when present)

IP Address/Netmask: 1.4.4.1/24

VLAN Tag: 2

6. Interface ethernet1/2

Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Manageable: (select)

Management Services: SNMP (select)

7. Interface ethernet2/2

Network > Interfaces > Edit (for ethernet2/2): Enter the following, and then click OK:

Zone Name: DMZ

Static IP: (select)

IP Address/Netmask: 1.2.2.1/24


CLI

1. Interface ethernet3/2
set interface ethernet3/2 zone trust
set interface ethernet3/2 ip 10.1.1.1/24
set interface ethernet3/2 manage ping
set interface ethernet3/2 manage webui
set interface ethernet3/2 manage telnet
set interface ethernet3/2 manage snmp
set interface ethernet3/2 manage ssh

2. Interface ethernet3/2.1
set interface ethernet3/2.1 tag 1 zone finance
set interface ethernet3/2.1 ip 10.1.2.1/24
set interface ethernet3/2.1 manage ping

3. Interface ethernet3/1
set interface ethernet3/1 zone eng
set interface ethernet3/1 ip 10.1.3.1/24
set interface ethernet3/1 manage ping

4. Interface ethernet1/1
set interface ethernet1/1 zone mail
set interface ethernet1/1 ip 1.3.3.1/24

5. Interface ethernet1/1.2
set interface ethernet1/1.2 tag 2 zone mail
set interface ethernet1/1.2 ip 1.4.4.1/24

6. Interface ethernet1/2
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 1.1.1.1/24
set interface ethernet1/2 manage snmp

7. Interface ethernet2/2
set interface ethernet2/2 zone dmz
set interface ethernet2/2 ip 1.2.2.1/24
save


Example (Part 3): Two Routing Domains

This is the third part of an ongoing example. For the previous part, in which interfaces for the various security zones are defined, see “Example (Part 2): Interfaces for Six Zones” on page 17. For the next part, in which the policies are set, see “Example (Part 4): Policies” on page 23. In this example, you only have to configure a route for the default gateway to the Internet. The other routes are automatically created by the NetScreen device when you create the interface IP addresses.

[Figure: two routing domains. trust-vr routing domain: Finance 10.1.2.1/24 on eth3/2.1 (VLAN tag 1), NAT; Trust 10.1.1.1/24 on eth3/2, NAT; Eng 10.1.3.1/24 on eth3/1, NAT. untrust-vr routing domain: Untrust 1.1.1.1/24 on eth1/2, Route; DMZ 1.2.2.1/24 on eth2/2, Route; Mail 1.3.3.1/24 on eth1/1, Route, and 1.4.4.1/24 on eth1/1.2 (VLAN tag 2), Route; gateway 1.1.1.254 to the Internet. Route forwarding connects trust-vr to untrust-vr.]

WebUI

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Next Hop Virtual Router Name: (select); untrust-vr


Network > Routing > Routing Entries > untrust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet1/2

Gateway IP Address: 1.1.1.254

CLI

set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
set vrouter untrust-vr route 0.0.0.0/0 interface eth1/2 gateway 1.1.1.254
save

The routing tables of the two virtual routers then contain the following entries. The NetScreen device creates all of them automatically except the two default routes, which are the only user-configured entries:

trust-vr
To Reach      Use Interface   Use Gateway/Vrouter
0.0.0.0/0     n/a             untrust-vr            (user-configured)
10.1.3.0/24   eth3/1          0.0.0.0
10.1.1.0/24   eth3/2          0.0.0.0
10.1.2.0/24   eth3/2.1        0.0.0.0

untrust-vr
To Reach      Use Interface   Use Gateway/Vrouter
1.2.2.0/24    eth2/2          0.0.0.0
1.1.1.0/24    eth1/2          0.0.0.0
1.4.4.0/24    eth1/1.2        0.0.0.0
1.3.3.0/24    eth1/1          0.0.0.0
0.0.0.0/0     eth1/2          1.1.1.254             (user-configured)


Example (Part 4): Policies

This is the last part of an ongoing example. The previous part is “Example (Part 3): Two Routing Domains” on page 21. This part of the example demonstrates how to configure new policies.

For the purpose of this example, before you begin configuring new policies, you need to create new service groups.

Note: When you create a zone, the NetScreen device automatically creates the address Any for all hosts within that zone. This example makes use of the address Any for the hosts.

[Figure: the policy engine mediates traffic among the Finance, Trust, Eng, DMZ, Mail, and Untrust zones, with route forwarding between the routing domains.]


WebUI

1. Service Groups

Objects > Services > Groups > New: Enter the following, and then click OK:

Group Name: Mail-Pop3

Select Mail and use the << button to move that service from the Available Members column to the Group Members column.

Select Pop3 and use the << button to move that service from the Available Members column to the Group Members column.

Objects > Services > Groups > New: Enter the following, and then click OK:

Group Name: HTTP-FTPGet

Select HTTP and use the << button to move that service from the Available Members column to the Group Members column.

Select FTP-Get and use the << button to move that service from the Available Members column to the Group Members column.

2. Policies

Policies > (From: Finance, To: Mail) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: Mail-Pop3

Action: Permit


Policies > (From: Trust, To: Mail) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: Mail-Pop3

Action: Permit

Policies > (From: Eng, To: Mail) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: Mail-Pop3

Action: Permit

Policies > (From: Untrust, To: Mail) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: Mail

Action: Permit


Policies > (From: Finance, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit

Policies > (From: Finance, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit


Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit

Policies > (From: Eng, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit

Policies > (From: Eng, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: FTP-Put

Action: Permit


Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: HTTP-FTPGet

Action: Permit

CLI

1. Service Groups
set group service mail-pop3 add mail
set group service mail-pop3 add pop3
set group service http-ftpget add http
set group service http-ftpget add ftp-get

2. Policies
set policy from finance to mail any any mail-pop3 permit
set policy from trust to mail any any mail-pop3 permit
set policy from eng to mail any any mail-pop3 permit
set policy from untrust to mail any any mail permit
set policy from finance to untrust any any http-ftpget permit
set policy from finance to dmz any any http-ftpget permit
set policy from trust to untrust any any http-ftpget permit
set policy from trust to dmz any any http-ftpget permit
set policy from eng to untrust any any http-ftpget permit
set policy from eng to dmz any any http-ftpget permit
set policy from eng to dmz any any ftp-put permit
set policy from untrust to dmz any any http-ftpget permit
save
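The two routing domains of Part 3 and the policies of Part 4 together decide what happens to a packet. The following added example (a model written for this page, not Juniper's code) replays that decision for the example's configuration: ingress interface to source zone, route lookup in that zone's virtual router with a hop into untrust-vr, destination zone from the egress interface, then the first matching policy. It assumes the standard TCP ports for the predefined Mail, Pop3, HTTP and FTP services and uses constructed sample hosts.

```python
"""Model of the packet-flow decisions from Parts 1 to 4 of the six-zone example:
ingress interface -> source zone -> its virtual router -> route lookup (hopping
into untrust-vr over the inter-vrouter default route) -> egress interface ->
destination zone -> first matching policy. Added illustration, not ScreenOS code;
zones, interfaces, routes and policies are the example's, service ports assumed."""
import ipaddress

# Example (Part 2): interface -> (zone, IP address/netmask)
INTERFACES = {
    "ethernet3/2":   ("trust",   "10.1.1.1/24"),
    "ethernet3/2.1": ("finance", "10.1.2.1/24"),
    "ethernet3/1":   ("eng",     "10.1.3.1/24"),
    "ethernet1/1":   ("mail",    "1.3.3.1/24"),
    "ethernet1/1.2": ("mail",    "1.4.4.1/24"),
    "ethernet1/2":   ("untrust", "1.1.1.1/24"),
    "ethernet2/2":   ("dmz",     "1.2.2.1/24"),
}
# Example (Part 1): the Mail, Untrust and DMZ zones were moved into untrust-vr
ZONE_VR = {"trust": "trust-vr", "finance": "trust-vr", "eng": "trust-vr",
           "mail": "untrust-vr", "untrust": "untrust-vr", "dmz": "untrust-vr"}

# Predefined services as (protocol, destination port); assumed standard ports.
# FTP-Get and FTP-Put share port 21: the device tells them apart with its
# FTP ALG, this model cannot, so a port-21 flow matches either service.
SERVICES = {"mail": ("tcp", 25), "pop3": ("tcp", 110), "http": ("tcp", 80),
            "ftp-get": ("tcp", 21), "ftp-put": ("tcp", 21)}
SERVICE_GROUPS = {"mail-pop3": ["mail", "pop3"], "http-ftpget": ["http", "ftp-get"]}

# Example (Part 4): policies in configuration order; the first match wins
POLICIES = [
    ("finance", "mail", "mail-pop3", "permit"), ("trust", "mail", "mail-pop3", "permit"),
    ("eng", "mail", "mail-pop3", "permit"), ("untrust", "mail", "mail", "permit"),
    ("finance", "untrust", "http-ftpget", "permit"), ("finance", "dmz", "http-ftpget", "permit"),
    ("trust", "untrust", "http-ftpget", "permit"), ("trust", "dmz", "http-ftpget", "permit"),
    ("eng", "untrust", "http-ftpget", "permit"), ("eng", "dmz", "http-ftpget", "permit"),
    ("eng", "dmz", "ftp-put", "permit"), ("untrust", "dmz", "http-ftpget", "permit"),
]

def build_routing_tables():
    """Connected routes come from the interface addresses, as on the device;
    the two default routes are the only user-configured entries (Part 3)."""
    tables = {"trust-vr": [], "untrust-vr": []}
    for iface, (zone, addr) in INTERFACES.items():
        net = ipaddress.ip_interface(addr).network
        tables[ZONE_VR[zone]].append({"net": net, "iface": iface, "vrouter": None, "gateway": None})
    default = ipaddress.ip_network("0.0.0.0/0")
    tables["trust-vr"].append({"net": default, "iface": None, "vrouter": "untrust-vr", "gateway": None})
    tables["untrust-vr"].append({"net": default, "iface": "ethernet1/2", "vrouter": None, "gateway": "1.1.1.254"})
    return tables

def lookup_route(tables, vrouter, dst_ip, hops=0):
    """Longest-prefix match in one virtual router; an entry whose next hop is
    another virtual router repeats the lookup there."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in tables[vrouter] if dst in r["net"]]
    if not matches or hops > len(tables):   # no route, or a vrouter loop
        return None
    best = max(matches, key=lambda r: r["net"].prefixlen)
    if best["vrouter"] is not None:
        return lookup_route(tables, best["vrouter"], dst_ip, hops + 1)
    return {"vrouter": vrouter, "iface": best["iface"], "gateway": best["gateway"]}

def service_matches(name, proto, dport):
    """A service group matches when any member service matches the flow."""
    return any(SERVICES[m] == (proto, dport) for m in SERVICE_GROUPS.get(name, [name]))

def resolve(tables, ingress_iface, dst_ip, proto, dport):
    """Return zones, egress path and policy decision for a session's first packet."""
    src_zone = INTERFACES[ingress_iface][0]
    route = lookup_route(tables, ZONE_VR[src_zone], dst_ip)
    if route is None:
        return {"action": "deny", "reason": "no route", "src_zone": src_zone}
    dst_zone = INTERFACES[route["iface"]][0]
    result = {"src_zone": src_zone, "dst_zone": dst_zone, "egress": route["iface"],
              "gateway": route["gateway"], "policy": None}
    if src_zone == dst_zone:
        # Same zone both sides: decided by the zone's intra-zone block setting,
        # not by the inter-zone policies above.
        return dict(result, action="intra-zone")
    for policy in POLICIES:
        from_zone, to_zone, service, action = policy
        if (from_zone, to_zone) == (src_zone, dst_zone) and service_matches(service, proto, dport):
            return dict(result, action=action, policy=policy)
    return dict(result, action="deny", reason="no matching policy")

if __name__ == "__main__":
    tables = build_routing_tables()
    # Constructed sample flows; the hosts are hypothetical
    for flow in [("ethernet3/2.1", "1.3.3.10", "tcp", 110),   # Finance -> Mail, POP3
                 ("ethernet3/1", "1.3.3.10", "tcp", 21),      # Eng -> Mail, FTP: no policy
                 ("ethernet1/2", "10.1.1.20", "tcp", 80)]:    # Internet -> a Trust address
        print(flow, resolve(tables, *flow))
```

The last sample flow shows why the trust-vr networks never reach the policy engine from the Untrust side: untrust-vr has no route into trust-vr, so its default route sends the packet back out ethernet1/2.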

Chapter 2

Zones

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). This chapter examines each type of zone, with particular emphasis given to the security zone, and is organized into the following sections:

• “Security Zones” on page 32

– “Global Zone” on page 32

– “SCREEN Options” on page 32

• “Tunnel Zones” on page 33

• “Configuring Security Zones and Tunnel Zones” on page 35

– “Creating a Zone” on page 35

– “Modifying a Zone” on page 36

– “Deleting a Zone” on page 37

• “Function Zones” on page 38

– “Null Zone” on page 38

– “MGT Zone” on page 38

– “HA Zone” on page 38

– “Self Zone” on page 38

– “VLAN Zone” on page 38

• “Port Modes” on page 39

– “Setting Port Modes” on page 45

– “Zones in Home-Work and Combined Port Modes” on page 47

When you first boot up a NetScreen device, you can see a number of preconfigured zones. In the WebUI, click Network > Zones in the menu column on the left. In the CLI, use the get zone command.


The output of the get zone command:

ns500-> get zone
Total of 13 zones in vsys root
------------------------------------------------------------------------
ID  Name         Type     Attr    VR          Default-IF   VSYS
0   Null         Null     Shared  untrust-vr  null         Root
1   Untrust      Sec(L3)  Shared  trust-vr    ethernet1/2  Root
2   Trust        Sec(L3)          trust-vr    ethernet3/2  Root
3   DMZ          Sec(L3)          trust-vr    ethernet2/2  Root
4   Self         Func             trust-vr    self         Root
5   MGT          Func             trust-vr    mgt          Root
6   HA           Func             trust-vr    ha1          Root
10  Global       Sec(L3)          trust-vr    null         Root
11  V1-Untrust   Sec(L2)          trust-vr    v1-untrust   Root
12  V1-Trust     Sec(L2)          trust-vr    v1-trust     Root
13  V1-DMZ       Sec(L2)          trust-vr    v1-dmz       Root
14  VLAN         Func             trust-vr    vlan1        Root
16  Untrust-Tun  Tun              trust-vr    null         Root
------------------------------------------------------------------------

Note: The Untrust, Trust, and DMZ zones and the V1-Untrust, V1-Trust, and V1-DMZ zones provide backward compatibility when upgrading from a release prior to ScreenOS 3.1.0: the upper 3 for devices in NAT or Route mode, the lower 3 for devices in Transparent mode.

Note: The root and virtual systems share the zones marked Shared.

Note: Some of these zones (the Global zone, for example) do not and cannot have an interface.

Note: By default, VPN tunnel interfaces are bound to the Untrust-Tun zone, whose carrier zone is the Untrust zone. (When upgrading, existing tunnels are bound to the Untrust-Tun zone.)

Note: Zone ID numbers 7 to 9 and 15 are reserved for future use.

The preconfigured zones shown above can be grouped into three different types:

Security Zones: Untrust, Trust, DMZ, Global, V1-Untrust, V1-Trust, V1-DMZ

Tunnel Zone: Untrust-Tun

Function Zones: Null, Self, MGT, HA, VLAN


SECURITY ZONES

On a single NetScreen device, you can configure multiple security zones, sectioning the network into segments to which you can apply various security options to satisfy the needs of each segment. At a minimum, you must define two security zones, basically to protect one area of the network from the other. On some NetScreen platforms, you can define many security zones, bringing finer granularity to your network security design, and without deploying multiple security appliances to do so.

Global Zone

You can identify a security zone because it has an address book and can be referenced in policies. The Global zone satisfies these criteria. However, it does not have one element that all other security zones have: an interface. The Global zone serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. The predefined Global zone address “Any” applies to all MIPs, VIPs, and other user-defined addresses set in the Global zone. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface for traffic to flow through it.

The Global zone also contains addresses for use in global policies. For information about global policies, see “Global Policies” on page 301.

Note: Any policy that uses the Global zone as its destination cannot support NAT or traffic shaping.

SCREEN Options

A NetScreen firewall secures a network by inspecting, and then allowing or denying, all connection attempts that require passage from one security zone to another. For every security zone, and the MGT zone, you can enable a set of predefined SCREEN options that detect and block various kinds of traffic that the NetScreen device determines as potentially harmful. For more information about the many SCREEN options available, see Volume 4, “Attack Detection and Defense Mechanisms”.


TUNNEL ZONES

A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is conceptually affiliated with a security zone in a “child-parent” relationship. The security zone acting as the “parent”, which you can also conceive of as a carrier zone, provides the firewall protection to the encapsulated traffic. The tunnel zone provides packet encapsulation/decapsulation and, by supporting tunnel interfaces with IP addresses and netmasks that can host mapped IP (MIP) addresses and dynamic IP (DIP) pools, can also provide policy-based NAT services.

The NetScreen device uses the routing information for the carrier zone to direct traffic to the tunnel endpoint. The default tunnel zone is Untrust-Tun, and it is associated with the Untrust zone. You can create other tunnel zones and bind them to other security zones, with a maximum of one tunnel zone per carrier zone per virtual system. (The root system and all virtual systems can share the Untrust zone. However, each system has its own separate Untrust-Tun zone.)

By default, a tunnel zone is in the trust-vr routing domain, but you can also move a tunnel zone into another routing domain.

When upgrading from a version of ScreenOS earlier than 3.1.0, existing tunnel interfaces are bound by default to the preconfigured Untrust-Tun tunnel zone, which is a “child” of the preconfigured Untrust security zone. You can bind multiple tunnel zones to the same security zone; however, you cannot bind a tunnel zone to another tunnel zone.

[Figure: traffic to or from a VPN tunnel passes through a tunnel zone and its carrier security zone. Outbound traffic enters the tunnel zone via the tunnel interface, is encapsulated, and exits via the security zone interface. Inbound traffic enters via the security zone interface, is decapsulated in the tunnel zone, and exits via the tunnel interface. The interface of the security zone hosting the tunnel zone provides firewall protection for the encapsulated traffic. The tunnel interface, which when bound to a tunnel zone must have an IP address/netmask, supports policy-based NAT for pre-encapsulated and post-decapsulated VPN traffic.]


Example: Binding a Tunnel Interface to a Tunnel Zone

In this example, you create a tunnel interface and name it tunnel.3. You bind it to the Untrust-Tun zone, and assign it IP address 3.3.3.3/24. You then define a mapped IP (MIP) address on tunnel.3, translating 3.3.3.5 to 10.1.1.5, which is the address of a server in the Trust zone. Both the Untrust zone, which is the carrier zone for the Untrust-Tun zone, and the Trust zone are in the trust-vr routing domain.

WebUI

1. Tunnel Interface

Network > Interfaces > New Tunnel IF: Enter the following, and then click OK:

Tunnel Interface Name: tunnel.3

Zone (VR): Untrust-Tun (trust-vr)

Fixed IP: (select)

IP Address / Netmask: 3.3.3.3/24

2. MIP

Network > Interfaces > Edit (for tunnel.3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 3.3.3.5

Netmask: 255.255.255.255

Host IP Address: 10.1.1.5

Host Virtual Router Name: trust-vr

CLI

1. Tunnel Interface
set interface tunnel.3 zone Untrust-Tun
set interface tunnel.3 ip 3.3.3.3/24

2. MIP
set interface tunnel.3 mip 3.3.3.5 host 10.1.1.5
save


CONFIGURING SECURITY ZONES AND TUNNEL ZONES

The creation, modification and deletion of Layer 3 or Layer 2 security zones and tunnel zones are quite similar.

Creating a Zone

To create a Layer 3 or Layer 2 security zone, or a tunnel zone, use either the WebUI or CLI:

WebUI

Network > Zones > New: Enter the following, and then click OK:

Zone Name: Type a name for the zone. (The name of a Layer 2 security zone must begin with “L2-”; for example, “L2-Corp” or “L2-XNet”.)

Virtual Router Name: Select the virtual router in whose routing domain you want to place the zone.

Zone Type: Select Layer 3 to create a zone to which you can bind interfaces in NAT or Route mode. Select Layer 2 to create a zone to which you can bind interfaces in Transparent mode. Select Tunnel Out Zone when creating a tunnel zone and binding it to a carrier zone, and then select a specific carrier zone from the drop-down list.

Block Intra-Zone Traffic: Select this option to block traffic between hosts within the same security zone. By default, intra-zone blocking is disabled.

CLI

set zone name zone [ l2 vlan_id_num | tunnel sec_zone ]
set zone zone block
set zone zone vrouter name_str

Note: When creating a Layer 2 security zone, the VLAN ID number must be 1 (for VLAN1).

Note: You cannot delete predefined security zones or the predefined tunnel zone, although you can edit them.


Modifying a Zone

To modify the name of a security zone or tunnel zone, or to change the carrier zone for a tunnel zone, you must first delete the zone (after unbinding all interfaces bound to it), and then create it again with the changes. You can change the intra-zone blocking option and the virtual router on an existing zone; before changing the virtual router, you must first remove any interfaces bound to the zone.

WebUI

1. Modifying the Zone Name

Network > Zones: Click Remove (for the security zone or tunnel zone whose name you want to change, or for the tunnel zone whose carrier zone you want to change).

When the prompt appears, asking for confirmation of the removal, click Yes.

Network > Zones > New: Enter the zone settings with your changes, and then click OK.

2. Changing the Intra-Zone Blocking Option or Virtual Router

Network > Zones > Edit (for the zone that you want to modify): Enter the following, and then click OK:

Virtual Router Name: From the drop-down list, select the virtual router into whose routing domain you want to move the zone.

Block Intra-Zone Traffic: To enable, select the check box. To disable, clear it.

CLI

1. Modifying the Zone Name
unset zone zone
set zone name zone [ l2 vlan_id_num | tunnel sec_zone ]

2. Changing the Intra-Zone Blocking Option or Virtual Router
{ set | unset } zone zone block
set zone zone vrouter name_str


Deleting a Zone

To delete a security zone or tunnel zone, do either of the following:

WebUI

Network > Zones: Click Remove (for the zone you want to delete).

When the prompt appears, asking for confirmation of the removal, click Yes.

CLI

unset zone zone

Note: Before you can remove a zone, you must first unbind all interfaces bound to it. To unbind an interface from a zone, see “Binding an Interface to a Security Zone” on page 63.


FUNCTION ZONES

The five function zones are Null, MGT, HA, Self, and VLAN. Each zone exists for a single purpose, as explained below.

Null Zone

This zone serves as temporary storage for any interfaces that are not bound to any other zone.

MGT Zone

This zone hosts the out-of-band management interface, MGT. You can set firewall options on this zone to protect the management interface from different types of attacks. For more information on firewall options, see Volume 4, “Attack Detection and Defense Mechanisms”.

HA Zone

This zone hosts the high availability interfaces, HA1 and HA2. Although you can set interfaces for the HA zone, the zone itself is not configurable.

Self Zone

This zone hosts the interface for remote management connections. When you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.

VLAN Zone

This zone hosts the VLAN1 interface, which you use to manage the device and terminate VPN traffic when the device is in Transparent mode. You can also set firewall options on this zone to protect the VLAN1 interface from various attacks.


PORT MODES

You can select a port mode for some NetScreen appliances. The port mode automatically sets different port, interface, and zone bindings for the device. On the NetScreen-5XT and NetScreen-5GT, you can configure one of the following port modes:

• Trust-Untrust mode is the default port mode. This mode provides the following port, interface, and zone bindings:

– Binds the Untrusted Ethernet port to the Untrust interface, which is bound to the Untrust security zone

– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone

– Binds the Ethernet ports 1 through 4 to the Trust interface, which is bound to the Trust security zone

[Figure: Trust-Untrust mode. The Trust interface is bound to the Trust zone. The Untrust interface is the primary interface to the Untrust zone. You can bind the serial interface (shown in gray) as a backup interface to the Untrust zone.]

Note: In the port mode context, port refers to a physical interface on the back of the NetScreen device. The ports are referenced by their labels: Untrusted, 1-4, Console, or Modem. The term interface refers to a logical interface that can be configured through the WebUI or CLI. Each port can be bound to only one interface, but multiple ports can be bound to an interface.

Warning: Changing the port mode removes any existing configurations on the NetScreen device, and requires a system reset.

Note: The Initial Configuration Wizard is slightly different for the NetScreen-5GT.


• Home-Work mode binds interfaces to the Untrust security zone and to new Home and Work security zones. The Work and Home zones allow you to segregate users and resources in each zone. In this mode, default policies allow traffic flow and connections from the Work zone to the Home zone, but do not allow traffic from the Home zone to the Work zone. By default, there are no restrictions for traffic from the Home zone to the Untrust zone. This mode provides the following port, interface, and zone bindings:

– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Work security zone

– Binds the Ethernet ports 3 and 4 to the ethernet2 interface, which is bound to the Home security zone

– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone

– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone

See “Zones in Home-Work and Combined Port Modes” on page 47 for more information about configuring and using Home-Work mode.

[Figure: Home-Work mode. The ethernet1 interface is bound to the Work zone and the ethernet2 interface to the Home zone. The ethernet3 interface is the primary interface to the Untrust zone. You can bind the serial interface (shown in gray) as a backup interface to the Untrust zone.]


• Dual Untrust mode binds two interfaces, a primary and a backup, to the Untrust security zone. The primary interface is used to pass traffic to and from the Untrust zone, while the backup interface is used only when there is a failure on the primary interface. This mode provides the following port, interface, and zone bindings:

– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone

– Binds Ethernet port 4 to the ethernet2 interface, which is bound as a backup interface to the Untrust security zone (the ethernet3 interface is the primary interface to the Untrust security zone)

– Binds the Ethernet ports 1, 2, and 3 to the ethernet1 interface, which is bound to the Trust security zone

See Volume 10, “High Availability” for more information about configuring and using Dual Untrust mode.

Note: The serial interface is not available in Dual Untrust port mode.

[Figure: Dual Untrust mode. The ethernet1 interface is bound to the Trust zone. The ethernet3 interface is the primary interface to the Untrust zone. The ethernet2 interface (shown in gray) is a backup interface to the Untrust zone.]


• Combined mode allows both primary and backup interfaces to the Internet and the segregation of users and resources in Work and Home zones.

This mode provides the following port, interface, and zone bindings:

– Binds the Untrusted Ethernet port to the ethernet4 interface, which is bound to the Untrust zone

– Binds Ethernet port 4 to the ethernet3 interface, which is bound as a backup interface to the Untrust zone (the ethernet4 interface is the primary interface to the Untrust security zone)

– Binds the Ethernet ports 3 and 2 to the ethernet2 interface, which is bound to the Home zone

– Binds Ethernet port 1 to the ethernet1 interface, which is bound to the Work zone

See Volume 10, “High Availability” and “Zones in Home-Work and Combined Port Modes” on page 47 for more information about configuring and using the Combined mode.

Note: For the NetScreen-5XT, the Combined port mode is supported only on the NetScreen-5XT Elite (unrestricted users) platform. You cannot configure the Combined mode with the Initial Configuration Wizard. This mode can only be configured using the WebUI or CLI commands.

Note: The serial interface is not available in Combined port mode.

[Figure: Combined mode. The ethernet1 interface is bound to the Work zone and the ethernet2 interface to the Home zone. The ethernet4 interface is the primary interface to the Untrust zone. The ethernet3 interface (shown in gray) is the backup interface to the Untrust zone.]


• Trust/Untrust/DMZ (Extended) mode binds interfaces to the Untrust, Trust and DMZ security zones, allowing you to segregate web, e-mail or other application servers from the internal network.

This mode provides the following port, interface, and zone bindings:

– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Trust security zone

– Binds the Ethernet ports 3 and 4 to the ethernet2 interface, which is bound to the DMZ security zone

– Binds the Untrusted Ethernet port to the ethernet3 interface, which is bound to the Untrust security zone

– Binds the Modem port to the serial interface, which you can bind as a backup interface to the Untrust security zone

Note: The Trust/Untrust/DMZ port mode is supported only on the NetScreen-5GT Extended platform. You cannot configure the Combined mode with the Initial Configuration Wizard. This mode can only be configured using the WebUI or CLI commands.

[Figure: Trust/Untrust/DMZ mode. The ethernet1 interface is bound to the Trust zone and the ethernet2 interface to the DMZ zone. The ethernet3 interface is the primary interface to the Untrust zone. You can bind the serial interface as a backup interface to the Untrust zone.]


• DMZ/Dual Untrust mode binds interfaces to the Untrust, Trust, and DMZ security zones, allowing you to pass traffic simultaneously from the internal network.

This mode provides the following port, interface, and zone bindings:

– Binds the Ethernet ports 1 and 2 to the ethernet1 interface, which is bound to the Trust security zone

– Binds the Ethernet port 3 to the ethernet2 interface, which is bound to the DMZ security zone

– Binds the Ethernet port 4 to the ethernet3 interface, which is bound to the Untrust security zone

– Binds the Untrust Ethernet port to the ethernet4 interface, which is bound to the Untrust security zone

Note: The DMZ/Dual Untrust port mode is supported only on the NetScreen-5GT Extended platform.

Note: The serial interface is not available in DMZ/Dual Untrust port mode. To enable failover, instead of passing traffic simultaneously, use the set failover enable command.

[Figure: DMZ/Dual Untrust mode. The ethernet1 interface is bound to the Trust zone and the ethernet2 interface to the DMZ zone. The ethernet3 and ethernet4 interfaces are active simultaneously; in this diagram, the two interfaces are bound to the Untrust zone to allow for load balancing.]

Setting Port Modes

The following tables summarize the port, interface, and zone bindings provided by the NetScreen ScreenOS port modes:

Port*       Trust-Untrust Mode†      Home-Work Mode           Dual Untrust Mode
            Interface   Zone         Interface   Zone         Interface   Zone
Untrusted   Untrust     Untrust      ethernet3   Untrust      ethernet3   Untrust
1           Trust       Trust        ethernet1   Work         ethernet1   Trust
2           Trust       Trust        ethernet1   Work         ethernet1   Trust
3           Trust       Trust        ethernet2   Home         ethernet1   Trust
4           Trust       Trust        ethernet2   Home         ethernet2   Untrust
Modem       serial      Null         serial      Null         N/A         N/A

* As labeled on the NetScreen appliance chassis.
† Default port mode

Port*       Combined Mode            Trust/Untrust/DMZ Mode   DMZ/Dual Untrust Mode
            Interface   Zone         Interface   Zone         Interface   Zone
Untrusted   ethernet4   Untrust      ethernet3   Untrust      ethernet4   Untrust
1           ethernet1   Work         ethernet1   Trust        ethernet1   Trust
2           ethernet2   Home         ethernet1   Trust        ethernet1   Trust
3           ethernet2   Home         ethernet2   DMZ          ethernet2   DMZ
4           ethernet3   Untrust      ethernet2   DMZ          ethernet3   Untrust
Modem       N/A         N/A          serial      Null         N/A         N/A

* As labeled on the NetScreen appliance chassis.

You change the port mode setting on the NetScreen device through the WebUI or the CLI. Before setting the port mode, note the following:

• Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.

• Issuing the unset all CLI command does not affect the port mode setting on the NetScreen device. For example, if you want to change the port mode setting from the Combined mode back to the default Trust-Untrust mode, issuing the unset all command removes the existing configuration but does not set the device to the Trust-Untrust mode.

Example: Home-Work Port Mode

In this example, you set the port mode on the NetScreen-5XT to the Home-Work mode.

WebUI

Configuration > Port Mode > Port Mode: Select Home-Work from the drop-down list, and then click Apply.

At the following prompt, click OK:

Operational mode change will erase current configuration and reset the device, continue?

CLI

exec port-mode home-work

At the following prompt, enter y (for yes):

Change port mode from <trust-untrust> to <home-work> will erase system configuration and reboot box
Are you sure y/[n] ?

Note: Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.

To see the current port mode setting on the NetScreen device:

WebUI

Configuration > Port Mode

CLI

get system

Zones in Home-Work and Combined Port Modes

Security conflicts can arise as both employee telecommuting and home networks become commonplace. The home network used by both telecommuters and family members can become a dangerous back door to a corporate network, carrying threats such as worms and allowing access to corporate resources, such as servers and networks, by non-employees.

The Home-Work and Combined port modes8 bind ScreenOS interfaces to special Work and Home zones. This allows segregation of business and home users and resources, while allowing users in both Home and Work zones access to the Untrust zone.

8. You can set port modes only on certain NetScreen appliances. See “Port Modes” on page 39.

The Home-Work port mode also binds the Modem port to a serial interface, which you can bind as a backup interface to the Untrust security zone. For more information about using the serial interface as a backup interface to the Untrust security zone, see Volume 10, “High Availability”.

The Combined port mode also binds the Ethernet port 4 to the Untrusted zone to backup the Untrust security port. The backup interface is used only when there is a failure on the primary interface to the Untrust zone. For more information about using the ethernet3 interface as a backup interface to the Untrust security zone, see Volume 10, “High Availability”.

By default, the NetScreen-5XT acts as a Dynamic Host Configuration Protocol (DHCP) server, allocating dynamic IP addresses to DHCP clients in the Work zone. (For more information about the DHCP server, see “DHCP Server” on page 378.)

Figure: Home-Work port mode: Untrust Zone, Home Zone, Work Zone. Combined port mode: Untrust Zone, Home Zone, Work Zone.

You can configure the NetScreen device using a Telnet connection or the WebUI from the Work zone only. You cannot configure the NetScreen device from the Home zone. You cannot use any management services, including ping, on the Home zone interface. The default IP address of the Work zone interface (ethernet1) is 192.168.1.1/24.

The default policies in the Home-Work and Combined port modes provide the following traffic control between zones:

• Allow all traffic from the Work zone to the Untrust zone

• Allow all traffic from the Home zone to the Untrust zone

• Allow all traffic from the Work zone to the Home zone

• Block all traffic from the Home zone to the Work zone (you cannot remove this policy)

You can create new policies for traffic from the Work zone to the Untrust zone, from the Home zone to the Untrust zone, and from the Work zone to the Home zone. You can also remove the default policies that allow all traffic from the Work zone to the Untrust zone, from the Home zone to the Untrust zone, and from the Work zone to the Home zone. Note, however, that you cannot create a policy to allow traffic from the Home zone to the Work zone.

Example: Home-Work Zones

In this example, you first set a NetScreen-5XT appliance in Home-Work port mode. You then configure a policy to allow only FTP traffic from the Home zone to the Untrust zone and remove the default policy that allows all traffic from the Home zone to the Untrust zone. In this example, the default policy, which allows traffic from any source address to any destination address for any service, has an ID of 2.

Warning: Changing the port mode removes any existing configurations on the NetScreen device and requires a system reset.

WebUI

Configuration > Port Mode > Port Mode: Select Home-Work from the drop-down list, and then click Apply.

At the following prompt, click OK:

Operational mode change will erase current configuration and reset the device, continue?

At this point, the system reboots, you log in, and then do the following:

Policies > (From: Home, To: Untrust) > New: Enter the following, and then click OK.

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: FTP

Action: Permit

Policies: In the “From Home to Untrust” policy list, click Remove in the Configure column for the policy with ID 2.

CLI

exec port-mode home-work

At the following prompt, enter y (for yes):

Change port mode from <trust-untrust> to <home-work> will erase system configuration and reboot box
Are you sure y/[n] ?

set policy from home to untrust any any ftp permit
unset policy 2
save
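As an added example that is not part of the manual, the following Python model applies the CLI lines of this example to a Home-Work policy table and evaluates flows against it, showing why the FTP policy only takes effect once the any-any default (ID 2) is removed and why Home-to-Work traffic stays blocked. The IDs 1 and 3 for the other default policies, the first-match evaluation order, and the `HomeWorkPolicyTable` class itself are assumptions, not ScreenOS behaviour documented on this page.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str
    action: str


# Fixed by the port mode: Home -> Work is blocked, the block cannot be removed,
# and no policy may permit that direction (both statements are on the page).
LOCKED_DENY = {("home", "work")}


class HomeWorkPolicyTable:
    """Constructed model of the Home-Work port mode's policy list."""

    def __init__(self) -> None:
        # Default policies installed by the Home-Work port mode. The page states
        # that the Home->Untrust default has ID 2; IDs 1 and 3 are assumed here.
        self.policies: List[Policy] = [
            Policy(1, "work", "untrust", "any", "any", "any", "permit"),
            Policy(2, "home", "untrust", "any", "any", "any", "permit"),
            Policy(3, "work", "home", "any", "any", "any", "permit"),
        ]
        self._next_id = 4

    def apply(self, line: str) -> Optional[int]:
        """Apply one CLI line of the form used on the page; returns the policy ID touched."""
        line = line.strip()
        m = re.fullmatch(
            r"set policy from (\S+) to (\S+) (\S+) (\S+) (\S+) (permit|deny)", line)
        if m:
            src_zone, dst_zone, sa, da, svc, action = m.groups()
            key = (src_zone.lower(), dst_zone.lower())
            if key in LOCKED_DENY and action == "permit":
                raise ValueError("Home-to-Work traffic cannot be permitted in this port mode")
            pol = Policy(self._next_id, key[0], key[1], sa, da, svc.lower(), action)
            self._next_id += 1
            self.policies.append(pol)  # new policies are appended after existing ones
            return pol.pid
        m = re.fullmatch(r"unset policy (\d+)", line)
        if m:
            pid = int(m.group(1))
            self.policies = [p for p in self.policies if p.pid != pid]
            return pid
        if line == "save":
            return None
        raise ValueError(f"unrecognised line: {line!r}")

    def lookup(self, src_zone: str, dst_zone: str, service: str) -> Tuple[str, Optional[int]]:
        """First matching policy for the zone pair decides; no match means deny."""
        if (src_zone, dst_zone) in LOCKED_DENY:
            return ("deny", None)
        for p in self.policies:
            if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.service in ("any", service):
                return (p.action, p.pid)
        return ("deny", None)


# The CLI lines from the example above.
PAGE_CLI = [
    "set policy from home to untrust any any ftp permit",
    "unset policy 2",
    "save",
]


def run_page_example() -> HomeWorkPolicyTable:
    table = HomeWorkPolicyTable()
    for line in PAGE_CLI:
        table.apply(line)
    return table


if __name__ == "__main__":
    t = run_page_example()
    for flow in [("home", "untrust", "ftp"), ("home", "untrust", "http"), ("home", "work", "ftp")]:
        print(flow, "->", t.lookup(*flow))
```

Until policy 2 is removed, the new FTP policy sits behind the any-any permit and is never reached; after `unset policy 2` only FTP from Home to Untrust is permitted.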

Chapter 3

Interfaces

Physical interfaces and subinterfaces, like doorways, allow traffic to enter and exit a security zone. To allow network traffic to flow in and out of a security zone, you must bind an interface to that zone and, if it is a Layer 3 zone, assign it an IP address. Then, you must configure policies to allow traffic to pass from interface to interface between zones. You can assign multiple interfaces to a zone, but you cannot assign a single interface to multiple zones.

This chapter contains the following sections:

• “Interface Types” on page 53

– “Security Zone Interfaces” on page 53

– “Function Zone Interfaces” on page 55

– “Tunnel Interfaces” on page 56

• “Viewing Interfaces” on page 61

• “Configuring Security Zone Interfaces” on page 63

– “Binding an Interface to a Security Zone” on page 63

– “Addressing a L3 Security Zone Interface” on page 64

– “Unbinding an Interface from a Security Zone” on page 67

– “Modifying Interfaces” on page 68

– “Creating Subinterfaces” on page 70

– “Deleting Subinterfaces” on page 71

• “Secondary IP Addresses” on page 72

– “Secondary IP Address Properties” on page 72

• “Loopback Interfaces” on page 74


• “Interface State Changes” on page 78

– “Physical Connection Monitoring” on page 80

– “Tracking IP Addresses” on page 80

– “Interface Monitoring” on page 87

– “Security Zone Monitoring” on page 94

– “Down Interfaces and Traffic Flow” on page 95

INTERFACE TYPES

This section describes security zone, function zone, and tunnel interfaces. For information on how to view a table of all these interfaces, see “Viewing Interfaces” on page 61.

Security Zone Interfaces

The purpose of physical interfaces and subinterfaces is to provide an opening through which network traffic can pass between zones.

Physical

Each port on your NetScreen device represents a physical interface, and the name of the interface is predefined. The name of a physical interface is composed of the media type, slot number (for some NetScreen devices), and port number, for example, ethernet3/2 or ethernet2 (see also “Security Zone Interfaces” on page 3). You can bind a physical interface to any security zone where it acts as a doorway through which traffic enters and exits the zone. Without an interface, no traffic can access the zone or leave it.

On NetScreen devices that support changes to interface-to-zone bindings, three of the physical ethernet interfaces are pre-bound to specific Layer 2 security zones—V1-Trust, V1-Untrust, and V1-DMZ. Which interface is bound to which zone is specific to each platform. (For more information on security zones, see “Security Zones” on page 2.)

Subinterface

A subinterface, like a physical interface, acts as a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual subinterfaces. Each virtual subinterface borrows the bandwidth it needs from the physical interface from which it stems, thus its name is an extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1. (See also “Security Zone Interfaces” on page 3.)

You can bind a subinterface to any zone. You can bind a subinterface to the same zone as its physical interface, or you can bind it to a different zone. (For more information, see “Binding an Interface to a Security Zone” on page 63 and “Defining Subinterfaces and VLAN Tags” on page 9-23.)

Aggregate Interfaces

The NetScreen-5000 series supports aggregate interfaces. An aggregate interface is the accumulation of two or more physical interfaces, each of which shares the traffic load directed to the IP address of the aggregate interface equally among themselves. By using an aggregate interface, you can increase the amount of bandwidth available to a single IP address. Also, if one member of an aggregate interface fails, the other member or members can continue processing traffic—although with less bandwidth than previously available.

Redundant Interfaces

You can bind two physical interfaces together to create one redundant interface, which you can then bind to a security zone. One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface. The other physical interface acts as the secondary interface and stands by in case the active interface experiences a failure. If that occurs, traffic to the redundant interface fails over to the secondary interface, which becomes the new primary interface. The use of redundant interfaces provides a first line of redundancy before escalating a failover to the device level.

Virtual Security Interfaces

Virtual security interfaces (VSIs) are the virtual interfaces that two NetScreen devices forming a virtual security device (VSD) share when operating in high availability (HA) mode. Network and VPN traffic use the IP address and virtual MAC address of a VSI. The VSD then maps the traffic to the physical interface, subinterface, or redundant interface to which you have previously bound the VSI. When two NetScreen devices are operating in HA mode, you must bind security zone interfaces that you want to provide uninterrupted service in the event of a device failover to one or more virtual security devices (VSDs). When you bind an interface to a VSD, the result is a virtual security interface (VSI).

Note: For more information about aggregate interfaces, see “Interface Redundancy” on page 10-59.

Note: For more information about redundant interfaces, see “Interface Redundancy” on page 10-59.

Note: For more information on VSIs and how they function with VSDs in an HA cluster, see Volume 10, “High Availability”.

Function Zone Interfaces

Function zone interfaces, such as Management and HA, serve a special purpose.

Management Interface

On some NetScreen devices, you can manage the device through a separate physical interface—the Management (MGT) interface—moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases security and assures constant management bandwidth.

HA Interface

The HA interface is a physical port used exclusively for HA functions. With NetScreen devices that have dedicated High Availability (HA) interfaces, you can link two devices together to form a redundant group, or cluster. In a redundant group, one unit acts as the master, performing the network firewall, VPN, and traffic-shaping functions, while the other unit acts as a backup, basically waiting to take over the firewall functions should the master unit fail. This is an active/passive configuration. You can also set up both members of the cluster to be master and backup for each other. This is an active/active configuration. Both configurations are explained fully in Volume 10, “High Availability”.

Virtual HA Interface

On NetScreen devices without a dedicated HA interface, a Virtual High Availability (HA) interface provides the same functionality. Because there is no separate physical port exclusively used for HA traffic, the Virtual HA interface must be bound to one of the physical ethernet ports. You use the same procedure for binding a network interface to the HA zone as you do for binding a network interface to a security zone (see “Binding an Interface to a Security Zone” on page 63).

Note: For information on configuring the device for administration, see “Administration” on page 3-1.

Note: For more information about HA interfaces, see “Dual HA Interfaces” on page 10-39.

Tunnel Interfaces

A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface.

When you bind a tunnel interface to a VPN tunnel, you can reference that tunnel interface in a route to a specific destination and then reference that destination in one or more policies. With this approach, you can finely control the flow of traffic through the tunnel. It also provides dynamic routing support for VPN traffic. When there is no tunnel interface bound to a VPN tunnel, you must specify the tunnel in the policy itself and choose tunnel as the action. Because the action tunnel implies permission, you cannot specifically deny traffic from a VPN tunnel.

You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in the same subnet as the tunnel interface. A typical reason for using policy-based NAT on a tunnel interface is to avoid IP address conflicts between the two sites on either end of the VPN tunnel.

You must bind a route-based VPN tunnel to a tunnel interface so that the NetScreen device can route traffic to and from it. You can bind a route-based VPN tunnel to a tunnel interface that is either numbered (with IP address/netmask) or unnumbered (without IP address/netmask). If the tunnel interface is unnumbered, you must specify an interface from which the tunnel interface borrows an IP address. The NetScreen device only uses the borrowed IP address as a source address when the NetScreen device itself initiates traffic—such as OSPF messages—through the tunnel. The tunnel interface can borrow the IP address from an interface in the same security zone or from an interface in a different one as long as both zones are in the same routing domain.

You can achieve very secure control of VPN traffic routing by binding all the unnumbered tunnel interfaces to one zone, which is in its own virtual routing domain, and borrowing the IP address from a loopback interface bound to the same zone. For example, you can bind all the unnumbered tunnel interfaces to a user-defined zone named “VPN” and configure them to borrow an IP address from the loopback.1 interface, also bound to the VPN zone. The VPN zone is in a user-defined routing domain named “vpn-vr”. You put all destination addresses to which the tunnels lead in the VPN zone. Your routes to these addresses point to the tunnel interfaces, and your policies control VPN traffic between other zones and the VPN zone.

Putting all the tunnel interfaces in such a zone is very secure because there is no chance for the failure of a VPN, which causes the route to the associated tunnel interface to become inactive, to redirect traffic intended for tunneling to use a non-tunneled route—such as the default route. (For several suggestions about how to avoid such a problem, see “Route-Based VPN Security Considerations” on page 5-91.)

You can also bind a tunnel interface to a tunnel zone. When you do, it must have an IP address. The purpose of binding a tunnel interface to a tunnel zone is to make NAT services available for policy-based VPN tunnels1.

1. Network address translation (NAT) services include dynamic IP (DIP) pools and mapped IP (MIP) addresses defined in the same subnet as an interface.

Figure: Trust Zone in trust-vr: ethernet1 10.1.1.1/24, host src-1 10.1.1.5. Untrust Zone in trust-vr: ethernet3 (1.1.1/24), external router 1.1.1.250. VPN Zone in vpn-vr: tunnel.1 (unnumbered), loopback.1 172.16.1.1/24, remote host dst-1 10.2.2.5. Note: The VPN tunnel itself is not shown.

set vrouter name vpn-vr
set zone name vpn vrouter vpn-vr
set interface loopback.1 zone vpn
set interface loopback.1 ip 172.16.1.1/24
set interface tunnel.1 zone vpn
set interface tunnel.1 ip unnumbered loopback.1

Configure addresses for src-1 and dst-1. Configure a VPN tunnel and bind it to tunnel.1.

set vrouter trust-vr route 10.2.2.5/32 vrouter vpn-vr
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
set vrouter vpn-vr route 10.2.2.5 interface tunnel.1
set policy from trust to vpn src-1 dst-1 any permit

The NetScreen device sends traffic destined for 10.2.2.5/32 from the trust-vr to the vpn-vr. If tunnel.1 becomes disabled, the NetScreen device drops the packet. Because the default route (to 0.0.0.0/0) is only in the trust-vr, the NetScreen device does not attempt to send the packet in plain text out ethernet3.
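The routing behaviour described above, as an added Python model that is not part of the manual: two virtual routers with separate tables, an inter-vrouter route of the `set vrouter trust-vr route 10.2.2.5/32 vrouter vpn-vr` form, and routes that go inactive when their interface is down. The `Device` class and the single-vrouter counter-example are constructed here to show the plaintext leak the separate vpn-vr prevents.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: Optional[str] = None      # egress interface, or None for a vrouter hop
    gateway: Optional[str] = None
    next_vrouter: Optional[str] = None   # set when the route hands off to another vrouter


class Device:
    """Constructed model of per-vrouter forwarding tables (not ScreenOS code)."""

    def __init__(self) -> None:
        self.vrouters: Dict[str, List[Route]] = {}
        self.interface_up: Dict[str, bool] = {}

    def set_route(self, vrouter: str, prefix: str, interface: Optional[str] = None,
                  gateway: Optional[str] = None, next_vrouter: Optional[str] = None) -> None:
        self.vrouters.setdefault(vrouter, []).append(
            Route(ipaddress.ip_network(prefix, strict=False), interface, gateway, next_vrouter))

    def set_interface_state(self, name: str, up: bool) -> None:
        self.interface_up[name] = up

    def forward(self, start_vr: str, dst: str, max_hops: int = 4) -> Tuple:
        """Return ('forward', interface, gateway) or ('drop', reason) for a destination."""
        dst_ip = ipaddress.ip_address(dst)
        vr = start_vr
        for _ in range(max_hops):
            # Only active routes count: a route whose interface is down is skipped,
            # which is what a failed VPN does to the route pointing at tunnel.1.
            active = [r for r in self.vrouters.get(vr, [])
                      if dst_ip in r.prefix
                      and (r.interface is None or self.interface_up.get(r.interface, False))]
            if not active:
                return ("drop", f"no active route to {dst} in {vr}")
            best = max(active, key=lambda r: r.prefix.prefixlen)   # longest prefix wins
            if best.next_vrouter is not None:
                vr = best.next_vrouter          # continue the lookup in the other table
                continue
            return ("forward", best.interface, best.gateway)
        return ("drop", "vrouter lookup did not terminate")


def build_page_config() -> Device:
    """Routes exactly as configured above: tunnel route in vpn-vr, default only in trust-vr."""
    d = Device()
    d.set_interface_state("ethernet3", True)
    d.set_interface_state("tunnel.1", True)
    d.set_route("trust-vr", "10.2.2.5/32", next_vrouter="vpn-vr")
    d.set_route("trust-vr", "0.0.0.0/0", interface="ethernet3", gateway="1.1.1.250")
    d.set_route("vpn-vr", "10.2.2.5", interface="tunnel.1")
    return d


def build_single_vr_config() -> Device:
    """Constructed counter-example: the same routes, but the tunnel route kept in trust-vr."""
    d = Device()
    d.set_interface_state("ethernet3", True)
    d.set_interface_state("tunnel.1", True)
    d.set_route("trust-vr", "0.0.0.0/0", interface="ethernet3", gateway="1.1.1.250")
    d.set_route("trust-vr", "10.2.2.5/32", interface="tunnel.1")
    return d


if __name__ == "__main__":
    for label, dev in (("separate vpn-vr", build_page_config()),
                       ("single trust-vr", build_single_vr_config())):
        print(label, "tunnel up:  ", dev.forward("trust-vr", "10.2.2.5"))
        dev.set_interface_state("tunnel.1", False)
        print(label, "tunnel down:", dev.forward("trust-vr", "10.2.2.5"))
```

With the tunnel down, the page's configuration drops the packet, while the single-vrouter variant falls through to the default route and would send it unencrypted out ethernet3.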

Conceptually, you can view VPN tunnels as pipes that you have laid. They extend from the local device to remote gateways, and the tunnel interfaces are the openings to these pipes. The pipes are always there, available for use whenever the routing engine directs traffic to one of their interfaces.

Generally, assign an IP address to a tunnel interface if you want the interface to support one or more dynamic IP (DIP) pools for source address translation (NAT-src) and mapped IP (MIP) addresses for destination address translation (NAT-dst). For more information about VPNs and address translation, see “VPN Sites with Overlapping Addresses” on page 5-201. You can create a tunnel interface with an IP address and netmask in either a security zone or a tunnel zone.

When a tunnel interface is bound to a tunnel zone, the tunnel interface must have an IP address and netmask. This allows you to define DIP pools and MIP addresses on that interface. If you bind a VPN tunnel to a tunnel zone, you cannot also bind it to a tunnel interface. In such cases, you must create a policy-based VPN configuration.

When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a route-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the default interface of the security zone in which you created it. Note: Only a tunnel interface with an IP address and netmask can support policy-based NAT.

When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.

Figure: A Security Zone holds Security Zone Interfaces and Tunnel Interfaces (Numbered or Unnumbered), each tunnel interface leading to a VPN Tunnel. A Tunnel Zone holds Tunnel Interfaces (Numbered only), each leading to a VPN Tunnel.

If the tunnel interface does not need to support address translation, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface with an IP address that is in the same virtual routing domain as the security zone to which the unnumbered interface is bound. The unnumbered tunnel interface borrows the IP address from that interface.

If you are transmitting multicast packets through a VPN tunnel, you can enable Generic Routing Encapsulation (GRE) on the tunnel interfaces to encapsulate multicast packets in unicast packets. NetScreen devices support GREv1 for encapsulating IP packets in IPv4 unicast packets. For additional information on GRE, see “Generic Routing Encapsulation” on page 6-201.

Deleting Tunnel Interfaces

You cannot immediately delete a tunnel interface that hosts mapped IP addresses (MIPs) or Dynamic IP (DIP) address pools. Before you delete a tunnel interface hosting any of these features, you must first delete any policies that reference them. Then you must delete the MIPs and DIP pools on the tunnel interface. Also, if a route-based VPN configuration references a tunnel interface, you must first delete the VPN configuration before you can delete the tunnel interface.

Example: Deleting a Tunnel Interface

In this example, tunnel interface tunnel.2 is linked to DIP pool 8. DIP pool 8 is referenced in a policy (ID 10) for VPN traffic from the Trust zone to the Untrust zone through a VPN tunnel named vpn1. To remove the tunnel interface, you must first delete the policy (or remove the reference to DIP pool 8 from the policy), and then the DIP pool. Then, you must unbind tunnel.2 from vpn1. After removing all the configurations that depend on the tunnel interface, you can then delete it.

Note: For examples showing how to bind a tunnel interface to a tunnel, see the route-based VPN examples in “Site-to-Site VPNs” on page 5-101 and “Dialup VPNs” on page 5-231.

WebUI

1. Deleting Policy 10, Which References DIP Pool 8

Policies (From: Trust, To: Untrust): Click Remove for Policy ID 10.

2. Deleting DIP Pool 8, Which Is Linked to Tunnel.2

Network > Interfaces > Edit (for tunnel.2) > DIP: Click Remove for DIP ID 8.

3. Unbinding tunnel.2 from vpn1

VPNs > AutoKey IKE > Edit (for vpn1) > Advanced: Select None in the Bind to: Tunnel Interface drop-down list, click Return, and then click OK.

4. Deleting Tunnel.2

Network > Interfaces: Click Remove for tunnel.2.

CLI

1. Deleting Policy 10, Which References DIP Pool 8

unset policy 10

2. Deleting DIP Pool 8, Which Is Linked to Tunnel.2

unset interface tunnel.2 dip 8

3. Unbinding tunnel.2 from vpn1

unset vpn vpn1 bind interface

4. Deleting Tunnel.2

unset interface tunnel.2
save

VIEWING INTERFACES

You can view a table that lists all interfaces on your NetScreen device. Because they are predefined, physical interfaces are listed regardless of whether or not you configure them. Subinterfaces and tunnel interfaces are only listed once you create and configure them.

To view the interface table in the WebUI, click Network > Interfaces. You can specify the types of interfaces to display from the List Interfaces drop-down list.

To view the interface table in the CLI, use the get interface command.

Interface Table

The interface table displays the following information on each interface:

• Name: This field identifies the name of the interface.

• IP/Netmask: This field identifies the IP address and netmask address of the interface.

• Zone: This field identifies the zone to which the interface is bound.

• Type: This field indicates the interface type: Layer 2, Layer 3, tunnel, redundant, aggregate, VSI.

• Link: This field identifies whether the interface is active (Up) or inactive (Down).

• Configure: This field allows you to modify or remove interfaces.

Figure: WebUI Interface Table

Figure: CLI Interface Table

CONFIGURING SECURITY ZONE INTERFACES

This section describes how to configure the following aspects of security zone interfaces:

• Binding and unbinding an interface to a security zone

• Assigning an address to a Layer 3 (L3) security zone interface

• Modifying physical interfaces and subinterfaces

• Creating subinterfaces

• Deleting subinterfaces

Binding an Interface to a Security Zone

You can bind any physical interface to either a L2 or L3 security zone. You can bind a subinterface only to a L3 security zone because a subinterface requires an IP address. You can only assign an IP address to an interface after you have bound it to a L3 security zone.

Example: Binding an Interface

In this example, you bind ethernet5 to the Trust zone.

WebUI

Network > Interfaces > Edit (for ethernet5): Select Trust from the Zone Name drop-down list, and then click OK.

CLI

set interface ethernet5 zone trust
save

Note: For information on setting traffic bandwidth for an interface, see Chapter 7, “Traffic Shaping”. For more information on the management and other services options available per interface, see “Controlling Administrative Traffic” on page 3-36.

Addressing a L3 Security Zone Interface

When defining a Layer 3 (L3) security zone interface or subinterface, you must assign it an IP address and netmask. If you bind the interface to a zone in the trust-vr, you can also specify the interface mode as NAT or Route. (If the zone to which you bind the interface is in the untrust-vr, the interface is always in Route mode.)

The two basic types of IP addresses to be considered when making interface address assignments are as follows:

• Public addresses, which Internet service providers (ISPs) supply for use on a public network like the Internet and which must be unique

• Private addresses, which a local network administrator assigns for use on a private network and which other administrators can assign for use on other private networks too

Public IP Addresses

If an interface connects to a public network, it must have a public IP address. Also, if a L3 security zone in the untrust-vr connects to a public network and the interfaces of zones in the trust-vr are in Route mode, then all the addresses in the zones in the trust-vr—for interfaces and for hosts—must also be public addresses. Public IP addresses fall into three classes, A, B, and C2, as shown below:

Note: For examples of NAT and Route mode configurations, see Chapter 4, “Interface Modes” on page 103.

Note: When you add an IP address to an interface, the NetScreen device checks via an ARP request to make sure that the IP address does not already exist on the local network. (The physical link must be up at the time.) If the IP address already exists, a warning is displayed.

Address Class   Address Range                  Excluded Address Range
A               0.0.0.0 – 127.255.255.255      10.0.0.0 – 10.255.255.255
                                               127.0.0.0 – 127.255.255.255
B               128.0.0.0 – 191.255.255.255    172.16.0.0 – 172.31.255.255
C               192.0.0.0 – 223.255.255.255    192.168.0.0 – 192.168.255.255

2. There are also D and E class addresses, which are reserved for special purposes.

Chapter 3 Interfaces Configuring Security Zone Interfaces

An IP address is composed of four octets, each octet being 8 bits long. In a class A address, the first 8 bits indicate the network ID, and the final 24 bits indicate the host ID (nnn.hhh.hhh.hhh). In a class B address, the first 16 bits indicate the network ID, and the final 16 bits indicate the host ID (nnn.nnn.hhh.hhh). In a class C address, the first 24 bits indicate the network ID, and the final 8 bits indicate the host ID (nnn.nnn.nnn.hhh).

Through the application of subnet masks (or netmasks), you can further divide networks. A netmask essentially masks part of the host ID so that the masked part becomes a subnet of the network ID. For example, the 24-bit mask³ in the address 10.2.3.4/24 indicates that the first 8 bits (that is, the first octet—010) identify the network portion of this private class A address, the next 16 bits (that is, the second and third octets—002.003) identify the subnetwork portion of the address, and the last 8 bits (the last octet—004) identify the host portion of the address. Using subnets to narrow large network address spaces into smaller subdivisions greatly increases the efficient delivery of IP datagrams.

Private IP Addresses

If an interface connects to a private network, a local network administrator can assign it any address, although it is conventional to use an address from the range of addresses reserved for private use—10.0.0.0/8, 172.16.0.0 – 172.31.255.255, 192.168.0.0/16—as defined in RFC 1918, “Address Allocation for Private Internets”.

If a L3 security zone in the untrust-vr connects to a public network and the interfaces bound to zones in the trust-vr are in NAT mode, then all the addresses in the zones in the trust-vr—for interfaces and for hosts—can be private addresses.

3. The dotted-decimal equivalent of a 24-bit mask is 255.255.255.0.
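The following is an added example, not from the guide, that carries the class/netmask split described above through in Python's standard ipaddress module, using the RFC 1918 ranges from the class table; the function names are mine, and the sample addresses are the ones this chapter uses.

```python
"""Split an address/netmask into its classful network ID, the subnet portion that the
netmask carves out of the host ID, and the host portion, and classify the address as
RFC 1918 private, 127/8 loopback or public.  Added example, not ScreenOS code."""
import ipaddress

# RFC 1918 blocks, matching the excluded ranges in the class table.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_BLOCK = ipaddress.ip_network("127.0.0.0/8")


def address_class(addr):
    """Classful class letter and network-ID length in bits (D/E have no split)."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return "A", 8
    if first_octet < 192:
        return "B", 16
    if first_octet < 224:
        return "C", 24
    return "D/E", None


def address_kind(addr):
    """'private' for RFC 1918, 'loopback' for 127/8, otherwise 'public'."""
    if any(addr in block for block in PRIVATE_BLOCKS):
        return "private"
    if addr in LOOPBACK_BLOCK:
        return "loopback"
    return "public"


def decompose(cidr):
    """Return the bit widths and values of the network, subnet and host portions."""
    iface = ipaddress.ip_interface(cidr)
    addr, prefix = iface.ip, iface.network.prefixlen
    cls, net_bits = address_class(addr)
    if net_bits is None:
        raise ValueError(f"{addr} is a class D/E address; no classful split")
    if prefix < net_bits:
        # A mask shorter than the classful network ID is a supernet, not a subnet.
        raise ValueError(f"/{prefix} is shorter than the class {cls} network ID ({net_bits} bits)")
    value = int(addr)
    subnet_bits, host_bits = prefix - net_bits, 32 - prefix
    return {
        "class": cls,
        "network_bits": net_bits, "subnet_bits": subnet_bits, "host_bits": host_bits,
        "network_id": value >> (32 - net_bits),
        "subnet_id": (value >> host_bits) & ((1 << subnet_bits) - 1),
        "host_id": value & ((1 << host_bits) - 1),
        "kind": address_kind(addr),
    }


def octet_portions(cidr):
    """The same split shown as dotted octets, as in 10.2.3.4/24 -> '10', '2.3', '4'.
    Only valid when the network and subnet boundaries fall on octet boundaries."""
    d = decompose(cidr)
    if d["network_bits"] % 8 or d["subnet_bits"] % 8:
        raise ValueError("portions are not octet-aligned; use decompose()")
    octets = cidr.split("/")[0].split(".")
    n = d["network_bits"] // 8
    s = n + d["subnet_bits"] // 8
    return ".".join(octets[:n]), ".".join(octets[n:s]), ".".join(octets[s:])


if __name__ == "__main__":
    for cidr in ("10.2.3.4/24", "172.20.5.9/24", "210.1.1.1/24", "127.0.0.1/8"):
        d = decompose(cidr)
        print(cidr, d["class"], d["kind"], d["network_id"], d["subnet_id"], d["host_id"])
```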

Example: Addressing an Interface

In this example, you assign ethernet5 the IP address 210.1.1.1/24 and give it the Manage IP address 210.1.1.5. (Note that the Manage IP address must be in the same subnet as the security zone interface IP address.) Finally, you set the interface in NAT mode, which translates all internal IP addresses to the default interfaces⁴ bound to the other security zones.

WebUI

Network > Interfaces > Edit (for ethernet5): Enter the following, and then click OK:

IP Address/Netmask: 210.1.1.1/24

Manage IP: 210.1.1.5

CLI

set interface ethernet5 ip 210.1.1.1/24
set interface ethernet5 manage-ip 210.1.1.5
save

4. The default interface in a security zone is the first interface bound to the zone. To learn which interface is the default interface for a zone, see the Default IF column on the Network > Zones page in the WebUI, or the Default-If column in the output from the get zone command in the CLI.

Unbinding an Interface from a Security Zone

If an interface is unnumbered, you can unbind it from one security zone and bind it to another. If an interface is numbered, you must first set its IP address and netmask to 0.0.0.0. Then, you can unbind it from one security zone and bind it to another one, and (optionally) reassign it an IP address/netmask.

Example: Unbinding an Interface

In this example, ethernet3 has the IP address 210.1.1.1/24 and is bound to the Untrust zone. You set its IP address and netmask to 0.0.0.0/0 and bind it to the Null zone.

WebUI

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Null

IP Address/Netmask: 0.0.0.0/0

CLI

set interface ethernet3 ip 0.0.0.0/0
set interface ethernet3 zone null
save

Modifying Interfaces

After you have configured a physical interface, a subinterface, a redundant interface, an aggregate interface, or a Virtual Security Interface (VSI), you can later change any of the following settings should the need arise:

• IP address and netmask

• Manage IP address

• (L3 zone interfaces) Management and network services

• (Subinterface) Subinterface ID number and VLAN tag number

• (Interfaces bound to L3 security zones in the trust-vr) Interface mode—NAT or Route

• (Physical interface) Traffic bandwidth settings (see Chapter 7, “Traffic Shaping” on page 347)

• (Physical, redundant, and aggregate interfaces) Maximum Transmission Unit (MTU) size

• (L3 interfaces) Block traffic from coming in and going out the same interface, including traffic between a primary and secondary subnet or between secondary subnets (this is done with the CLI set interface command with the route-deny option)

For physical interfaces on some NetScreen devices, you can force the physical state of the link to be down or up. By forcing the physical state of the link to be down, you can simulate a disconnect of the cable from the interface port. (This is done with the CLI set interface command with the phy link-down option.)

Example: Modifying Interface Settings

In this example, you make some modifications to ethernet1, an interface bound to the Trust zone. You change the Manage IP address from 10.1.1.2 to 10.1.1.12. To enforce tighter security of administrative traffic, you also change the management services options, enabling SCS and SSL and disabling Telnet and WebUI.

WebUI

Network > Interfaces > Edit (for ethernet1): Make the following modifications, and then click OK:

Manage IP: 10.1.1.12

Management Services: (select) SSH, SSL; (clear) Telnet, WebUI

CLI

set interface ethernet1 manage-ip 10.1.1.12
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
unset interface ethernet1 manage telnet
unset interface ethernet1 manage web
save

Creating Subinterfaces

You can create a subinterface on any physical interface⁵ in the root system or virtual system. A subinterface makes use of VLAN tagging to distinguish traffic bound for it from traffic bound for other interfaces. Note that although a subinterface stems from a physical interface, from which it borrows the bandwidth it needs, you can bind a subinterface to any zone, not necessarily that to which its “parent” interface is bound. Additionally, the IP address of a subinterface must be in a different subnet from the IP addresses of all other physical interfaces and subinterfaces.

Example: Subinterface in the Root System

In this example, you create a subinterface for the Trust zone in the root system. You configure the subinterface on ethernet1, which is bound to the Trust zone. You bind the subinterface to a user-defined zone named “accounting”, which is in the trust-vr. You assign it subinterface ID 3, IP address 10.2.1.1/24, and VLAN tag ID 3. The interface mode is NAT.

WebUI

Network > Interfaces > New Sub-IF: Enter the following, and then click OK:

Interface Name: ethernet1.3

Zone Name: accounting

IP Address/Netmask: 10.2.1.1/24

VLAN Tag: 3

CLI

set interface ethernet1.3 zone accounting
set interface ethernet1.3 ip 10.2.1.1/24 tag 3
save

5. You can also configure subinterfaces on redundant interfaces and VSIs. For an example that includes the configuration of a subinterface on a redundant interface, see “Virtual System Failover” on page 10-130.

Deleting Subinterfaces

You cannot immediately delete a subinterface that hosts mapped IP addresses (MIPs), virtual IP addresses (VIPs), or Dynamic IP (DIP) address pools. Before you delete a subinterface hosting any of these features, you must first delete any policies or IKE gateways that reference them. Then you must delete the MIPs, VIPs, and DIP pools on the subinterface.

Example: Deleting a Security Zone Interface

In this example, you delete the subinterface ethernet1:1.

WebUI

Network > Interfaces: Click Remove for ethernet1:1.

A system message prompts you to confirm the removal.

Click Yes to delete the subinterface.

CLI

unset interface ethernet1:1
save

SECONDARY IP ADDRESSES

Each NetScreen interface has a single, unique primary IP address. However, some situations demand that an interface have multiple IP addresses. For example, an organization might have additional IP address assignments and might not wish to add a router to accommodate them. In addition, an organization might have more network devices than its subnet can handle, as when there are more than 254 hosts connected to a LAN. To solve such problems, you can add secondary IP addresses to an interface in the Trust, DMZ, or user-defined zone.

Secondary IP Address Properties

Secondary addresses have certain properties that affect how you can implement such addresses. These properties are as follows:

• There can be no subnet address overlap between any two secondary IP addresses. In addition, there can be no subnet address overlap between a secondary IP and any existing subnet on the NetScreen device.

• When you manage a NetScreen device through a secondary IP address, the address always has the same management properties as the primary IP address. Consequently, you cannot specify a separate management configuration for the secondary IP address.

• You cannot configure a gateway for a secondary IP address.

• Whenever you create a new secondary IP address, the NetScreen device automatically creates a corresponding routing table entry. When you delete a secondary IP address, the device automatically deletes its routing table entry.

Enabling or disabling routing between two secondary IP addresses causes no change in the routing table. For example, if you disable routing between two such addresses, the NetScreen device drops any packets directed from one interface to the other, but no change occurs in the routing table.

Note: You cannot set multiple secondary IP addresses for interfaces in the Untrust zone.

Example: Creating a Secondary IP Address

In this example, you set up a secondary IP address—192.168.2.1/24—for ethernet1, an interface that has IP address 10.1.1.1/24 and is bound to the Trust zone.

WebUI

Network > Interfaces > Edit (for ethernet1) > Secondary IP: Enter the following, and then click Add:

IP Address/Netmask: 192.168.2.1/24

CLI

set interface ethernet1 ip 192.168.2.1/24 secondary
save

LOOPBACK INTERFACES

A loopback interface is a logical interface that emulates a physical interface on the NetScreen device. However, unlike a physical interface, a loopback interface is always in the up state as long as the device on which it resides is up. Loopback interfaces are named loopback.id_num, where id_num is a number greater than or equal to 1⁶ and denotes a unique loopback interface on the device. Like a physical interface, you must assign an IP address to a loopback interface and bind it to a security zone.

After defining a loopback interface, you can then define other interfaces as members of its group. Traffic can reach a loopback interface if it arrives through one of the interfaces in its group. Any interface type can be a member of a loopback interface group—physical interface, subinterface, tunnel interface, redundant interface, or VSI.

Example: Creating a Loopback Interface

In the following example, you create the loopback interface loopback.1, bind it to the Untrust zone, and assign the IP address 1.1.1.27/24 to it.

WebUI

Network > Interfaces > New Loopback IF: Enter the following, and then click OK:

Interface Name: loopback.1

Zone: Untrust (select)

IP Address/Netmask: 1.1.1.27/24

CLI

set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.1.27/24
save

6. The maximum id_num value you can specify is platform-specific.

Note: The loopback interface is not directly accessible from networks or hosts that reside in other zones. You must define a policy to permit traffic to and from the interface.

Using Loopback Interfaces

You can use a loopback interface in many of the same ways as a physical interface. This section shows examples of the ways you can configure loopback interfaces.

You can define a MIP on a loopback interface. This allows the MIP to be accessed by a group of interfaces; this capability is unique to loopback interfaces. For information about using the loopback interface with MIPs, see “MIP and the Loopback Interface” on page 7-105.

You can manage the NetScreen device using either the IP address of a loopback interface or the manage IP address that you assign to a loopback interface.

Example: Loopback Interface for Management

In the following example, you configure the previously-defined loopback.1 interface as a management interface for the device.

WebUI

Network > Interfaces > loopback.1 > Edit: Select all the management options, and then click OK.

CLI

set interface loopback.1 manage
save

Note: You cannot bind a loopback interface to a HA zone, nor can you configure a loopback interface for layer 2 operation or as a redundant/aggregate interface. You cannot configure the following features on loopback interfaces: NTP, DNS, VIP, secondary IP, track IP, or Webauth.

Example: BGP on a Loopback Interface

The loopback interface can support the BGP dynamic routing protocol on the NetScreen device. In the following example, you enable BGP on the loopback.1 interface.

WebUI

Network > Interfaces > loopback.1 > Edit: Select Protocol BGP, and then click OK.

CLI

set interface loopback.1 protocol bgp
save

Note: To enable BGP on the loopback interface, you must first create a BGP instance for the virtual router in which you plan to bind the interface. For information about configuring BGP on NetScreen devices, see Volume 6, “Routing”.

Example: VSIs on a Loopback Interface

You can configure Virtual Security Interfaces (VSIs) for NSRP on a loopback interface. The physical state of the VSI on the loopback interface is always up. The interface can be active or not, depending upon the state of the VSD group to which the interface belongs.

WebUI

Network > Interfaces > New VSI IF: Enter the following, and then click OK:

Interface Name: VSI Base: loopback.1

VSD Group: 1

IP Address/Netmask: 1.1.1.1/24

CLI

set interface loopback.1:1 ip 1.1.1.1/24
save

Example: Loopback Interface as a Source Interface

You can use a loopback interface as a source interface for certain traffic that originates from the NetScreen device. (When you define a source interface for an application, the specified source interface address is used instead of the outbound interface address to communicate with an external device.) In the following example, you specify that the NetScreen device uses the previously-defined loopback.1 interface for sending syslog packets.

WebUI

Configuration > Report Settings > Syslog: Enter the following, and then click Apply:

Enable Syslog Messages: (select)

Source interface: loopback.1 (select)

Syslog Servers:

No.: 1 (select)

IP/Hostname: 10.1.1.1

Traffic Log: (select)

Event Log: (select)

CLI

set syslog config 10.1.1.1 log all
set syslog src-interface loopback.1
set syslog enable
save

INTERFACE STATE CHANGES

An interface can be in one of the following states:

• Physically Up – For physical ethernet interfaces operating at either Layer 2 (Transparent mode) or Layer 3 (Route Mode) in the Open Systems Interconnection (OSI) model. An interface is physically up when it is cabled to another network device and can establish a link to that device.

• Logically Up – For both physical interfaces and logical interfaces (subinterfaces, redundant interfaces, and aggregate interfaces). An interface is logically up when traffic passing through that interface is able to reach specified devices (at tracked IP addresses) on a network.

• Physically Down – An interface is physically down when it is not cabled to another network device or when it is cabled but cannot establish a link. You can also force an interface to be physically down with the following CLI command: set interface interface phy link-down.

• Logically Down – An interface is logically down when traffic passing through that interface cannot reach specified devices (at tracked IP addresses) on a network.

The physical state of an interface takes precedence over its logical state. An interface can be physically up and—at the same time—be either logically up or logically down. If an interface is physically down, its logical state becomes irrelevant.

When the state of an interface is up, all routes that make use of that interface remain active and usable. When the state of an interface is down, the NetScreen device deactivates all routes using that interface—although, depending on whether the interface is physically or logically down, traffic might still flow through an interface whose state is down (see “Down Interfaces and Traffic Flow” on page 95). To compensate for the loss of routes caused by the loss of an interface, you can configure alternate routes using an alternate interface.

Depending on how you set up the action that an observed interface state change can cause, a state change from up to down in a monitored interface can cause the monitoring interface to change its state from down to up. To configure this behavior, you can use the following CLI command:

set interface interface monitor threshold number action up { logically | physically }

When you enter the above command, the NetScreen device automatically forces the monitoring interface into a down state. If the monitored object (tracked IP address, interface, zone) fails, then the state of the monitoring interface becomes up—either logically or physically, per your configuration.

An interface can monitor objects for one or more of the following events. Each of these events by itself or in combination can cause the state of the monitoring interface to change from up to down and from down to up:

• Physical disconnection/reconnection

• IP tracking failure/success

• Failure/Success of a monitored interface

• Failure/Success of a monitored security zone

If, after failing, a monitored object succeeds (the interface is reconnected or IP tracking again succeeds), then the monitoring interface comes back up. There is about a one-second delay from the time the monitored object succeeds and when the monitoring interface re-activates itself.

Each of the above events is presented in the following sections.

[Figure: If a monitored object fails (physical disconnection, IP tracking failure, monitored interface failure, or monitored zone failure), and the weight for that object ≥ the monitor failure threshold, and the action is set to down, then the monitoring interface goes down. Figure elements: Security Zone: all interfaces in the same zone go down; Monitoring Interface: interface becomes disconnected, IP tracking failures exceed threshold, no replies to ICMP echo requests.]

Physical Connection Monitoring

All physical interfaces on a NetScreen device monitor the state of their physical connection to other network devices. When an interface is connected to and has established a link with another network device, its state is physically up and all routes that use that interface are active.

You can see the state of an interface in the State column in the output of the get interface command and in the Link column on the Network > Interfaces page in the WebUI. It can be up or down.

You can see the state of a route in the status field of the get route id number command and on the Network > Routing > Routing Entries page in the WebUI. If there is an asterisk, the route is active. If there is no asterisk, it is inactive.

Tracking IP Addresses

The NetScreen device can track specified IP addresses through an interface so that when one or more of them become unreachable, the NetScreen device can deactivate all routes associated with that interface, even if the physical link is still active⁷. A deactivated route becomes active again after the NetScreen device regains contact with those IP addresses.

NetScreen uses layer 3 path monitoring, or IP tracking, similar to that used for NSRP, to monitor the reachability of specified IP addresses through an interface. For example, if an interface connects directly to a router, you can track the next-hop address on the interface to determine if the router is still reachable. When you configure IP tracking on an interface, the NetScreen device sends ping requests on the interface to up to four target IP addresses at user-defined intervals. The NetScreen device monitors these targets to see if it receives a response. If there is no response from a target for a specified number of times, that IP address is deemed to be unreachable. Failure to elicit a response from one or more targets can cause the NetScreen device to deactivate routes associated with that interface. If another route to the same destination is available, the NetScreen device then redirects traffic to use the new route.

7. For some ScreenOS appliances, this action also causes a failover to the backup interface that is bound to the same zone as the interface on which IP tracking is configured (see “Determining Interface Failover” on page 10-72).

Configuring IP Tracking

You can define IP tracking on the following interfaces for which you have configured a manage IP address:

• Physical interface bound to a security zone (not the HA or MGT function zones)

• Subinterface

• Redundant interface

• Aggregate interface

Note: The interface can operate at Layer 2 (Transparent mode) or Layer 3 (Route mode).

Note: Although the interface can be a redundant interface or an aggregate interface, it cannot be a member of a redundant or aggregate interface.

On devices that support virtual systems, the interface on which you set IP tracking can belong to the root system or to a virtual system (vsys). However, to set IP tracking on a shared interface, you can only set it at the root level⁸.

For each interface, you can configure up to four IP addresses for the NetScreen device to track. On a single device, you can configure up to 64 track IP addresses. That total includes all track IP addresses whether they are for interface-based IP tracking, for NSRP-based IP tracking, at the root level, or at the vsys level.

The tracked IP addresses do not have to be in the same subnetwork as the interface. For each IP address to be tracked, you can specify the following:

• Interval, in seconds, at which the pings are sent to the specified IP address.

• Number of consecutive unsuccessful ping attempts before the connection to the IP address is considered failed.

• Weight of the failed IP connection (once the sum of the weights of all failed IP connections crosses a specified threshold, routes that are associated with the interface are deactivated).

8. From a vsys, you can set interface monitoring to monitor a shared interface from an interface that belongs to the vsys. However, from within a vsys, you cannot set interface monitoring from a shared interface. For more information, see “Interface Monitoring” on page 87.

You can also configure the NetScreen device to track the default gateway for an interface that is a PPPoE or DHCP client. To do that, use the “Dynamic” option: (CLI) set interface interface monitor dynamic or (WebUI) Network > Interfaces > Edit (for the DHCP or PPPoE client interface) > Monitor > Track IP > Add: Select Dynamic.

There are two types of thresholds in configuring tracking IP addresses:

• Failure threshold for a specific tracked IP address — The number of consecutive failures to elicit a ping response from a specific IP address that constitutes a failure in reaching the IP address. Not exceeding the threshold indicates an acceptable level of connectivity with the address; exceeding the threshold indicates an unacceptable level. You set this threshold for each IP address at any value between 1 and 200. The default value is 3.

• Failure threshold for IP tracking on the interface — The total weight of the cumulative failed attempts to reach IP addresses on the interface that causes routes associated with the interface to be deactivated. You can set this threshold at any value between 1 and 255. The default value is 1, which means a failure to reach any configured tracked IP address causes routes associated with the interface to be deactivated.

By applying a weight, or a value, to a tracked IP address, you can adjust the importance of connectivity to that address in relation to reaching other tracked addresses. You can assign comparatively greater weights to relatively more important addresses, and less weight to relatively less important addresses. Note that the assigned weights only come into play when the failure threshold for a specific tracked IP address is reached. For example, if the failure threshold for IP tracking on an interface is 3, failure of a single tracked IP address with a weight of 3 meets the failure threshold for IP tracking on the interface, which causes routes associated with the interface to be deactivated. The failure of a single tracked IP address with a weight of 1 would not meet the failure threshold for IP tracking on the interface and routes associated with the interface would remain active.

Note: When you configure an IP address for the NetScreen device to track, the NetScreen device does not add a host route for that IP address to the routing table.

Example: Configuring Interface IP Tracking

In the following example, the interface ethernet1 is bound to the Trust zone and assigned the network address 10.1.1.1/24. The interfaces ethernet3 and ethernet4 are bound to the Untrust zone. The ethernet3 interface is assigned the network address 1.1.1.1/24 and is connected to the router at 1.1.1.250. The ethernet4 interface is assigned the network address 2.2.2.1/24 and is connected to the router at 2.2.2.250.

There are two default routes configured: one uses ethernet3 as the outbound interface with the router address 1.1.1.250 as the gateway; the other uses ethernet4 as the outbound interface with the router address 2.2.2.250 as the gateway and is configured with a metric value of 10. The default route that uses ethernet3 is the preferred route since it has a lower metric (the default metric value for static routes is 1). The following output from the get route command shows four active routes for the trust-vr (active routes are denoted with an asterisk). The default route through ethernet3 is active, while the default route through ethernet4 is not active since it is less preferred.

[Figure: The Trust Zone network 10.1.1.0/24 connects to ethernet1 (10.1.1.1/24) on the NetScreen device. In the Untrust Zone, ethernet3 (1.1.1.1/24) connects to Router 1.1.1.250 and ethernet4 (2.2.2.1/24) connects to Router 2.2.2.250; both routers lead to the Internet.]

ns-> get route
untrust-vr (0 entries)
--------------------------------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2

trust-vr (4 entries)
--------------------------------------------------------------------------------
     ID IP-Prefix          Interface   Gateway          P Pref  Mtr Vsys
--------------------------------------------------------------------------------
*     4 0.0.0.0/0          eth3        1.1.1.250        S   20    1 Root
*     2 1.1.1.0/24         eth3        0.0.0.0          C    0    0 Root
      3 0.0.0.0/0          eth4        2.2.2.250        S   20   10 Root
*     6 2.2.2.0/24         eth4        0.0.0.0          C    0    1 Root
*     5 10.1.1.0/24        eth1        0.0.0.0          C   20    1 Root

If the route through ethernet3 becomes unavailable, the default route through ethernet4 becomes active. You enable and configure IP tracking on the ethernet3 interface to monitor the router address 1.1.1.250. If IP tracking fails to reach 1.1.1.250, all routes associated with the ethernet3 interface become inactive on the NetScreen device. As a result, the default route through ethernet4 becomes active. When IP tracking is again able to reach 1.1.1.250, the default route through ethernet3 becomes active and, at the same time, the default route through ethernet4 becomes inactive, because it is less preferred than the default route through ethernet3.

The following enables IP tracking with an interface failure threshold of 5 and configures IP tracking on the ethernet3 interface to monitor the router IP address 1.1.1.250, which is assigned a weight of 10.

WebUI

Network > Interfaces > Edit (for ethernet3) > Monitor: Enter the following, and then click Apply:

Enable Track IP: (select)

Threshold: 5

> Monitor Track IP ADD: Enter the following, and then click Add:

Static: (select)

Track IP: 1.1.1.250

Weight: 10

CLI

set interface ethernet3 monitor track-ip ip 1.1.1.250 weight 10
set interface ethernet3 monitor track-ip threshold 5
set interface ethernet3 monitor track-ip
save

In the example, the failure threshold for the target address is set to the default value of 3. That is, if the target does not return a response to three consecutive pings, a weight of 10 is applied toward the failure threshold for IP tracking on the interface. Because the failure threshold for IP tracking on the interface is 5, a weight of 10 causes routes associated with the interface to be deactivated on the NetScreen device.

You can verify the status of the IP tracking on the interface by issuing the CLI command get interface ethernet3 track-ip, as shown in the following:

ns-> get interface ethernet3 track-ip
ip address       interval  threshold  wei  gateway    fail-count  success-rate
1.1.1.250        1         1          10   0.0.0.0    343         46%
threshold: 5, failed: 1 ip(s) failed, weighted sum = 10

ns-> get route
untrust-vr (0 entries)
-----------------------------------------------------------
C - Connected, S - Static, A - Auto-Exported, I - Imported, R - RIP
iB - IBGP, eB - EBGP, O - OSPF, E1 - OSPF external type 1
E2 - OSPF external type 2

trust-vr (4 entries)
-----------------------------------------------------------
    ID  IP-Prefix     Interface  Gateway     P  Pref  Mtr  Vsys
-----------------------------------------------------------
     4  0.0.0.0/0     eth3       1.1.1.250   S    20    1  Root
     2  1.1.1.0/24    eth3       0.0.0.0     C     0    0  Root
*    3  0.0.0.0/0     eth4       2.2.2.250   S    20   10  Root
*    6  2.2.2.0/24    eth4       0.0.0.0     C     0    1  Root
*    5  10.1.1.0/24   eth1       0.0.0.0     C    20    1  Root

The get route command shows that the default route through ethernet4 is now active, while all routes through ethernet3 are no longer active.

Note that even though the routes through ethernet3 are no longer active, IP tracking uses the routes associated with ethernet3 to continue sending ping requests to the target IP address. When IP tracking is again able to reach 1.1.1.250, the default route through ethernet3 again becomes active on the NetScreen device. At the same time, the default route through ethernet4 becomes inactive, since it is less preferred than the default route through ethernet3.

Interface Monitoring

A NetScreen device can monitor the physical and logical state of interfaces and then take action based on observed changes. For example, if the state of a monitored interface changes from up to down, the following can occur:

If: the physical state of an interface changes from up to down.
Then: the state change might trigger another interface monitoring the one that just went down to also go down. You can specify whether you want the second interface to be physically or logically down. The state change of either interface going physically down, or the combined weight of both going physically down together, might trigger an NSRP failover. An NSRP device or VSD group failover can only occur as a result of a change to the physical state of an interface.

If: the logical state of an interface changes from up to down as the result of an IP tracking failure.
Then: the state change might trigger another interface that is monitoring the one that just went down to also go down. Although the first interface is down logically, you can specify whether you want the down state of the second interface to be logical or physical.

Figure: One Interface Monitoring Another Interface. Using IP tracking, ethernet3 (IP 1.1.1.1) monitors the router at 1.1.1.250. Using interface monitoring, ethernet2 (IP 2.1.1.1) monitors ethernet3.

State Change for ethernet3
If
• the number of unsuccessful ping attempts to 1.1.1.250 exceeds the failure threshold for that tracked IP address,
• the track IP weight for 1.1.1.250 ≥ track object failure threshold,
• the track object weight ≥ monitor failure threshold, and
• the failure action is a change from up to down,
then ethernet3 changes its state from up to down.

State Change for ethernet2
If
• the weight of the failure of ethernet3 ≥ the monitor failure threshold, and
• the failure action is a change from up to down,
then ethernet2 changes its state from up to down.

To set interface monitoring, do either of the following:

WebUI

Network > Interfaces > Edit (for the interface you want to do the monitoring) > Monitor > Edit Interface: Enter the following, and then click Apply:

Interface Name: Select the interface that you want to be monitored.

Weight: Enter a weight between 1 and 255.

CLI

set interface interface1 monitor interface interface2 [ weight number ]

If you do not set a weight, the NetScreen device applies the default value: 255.

If two interfaces monitor each other, they form a loop. In that case, if either interface changes state, the other interface in the loop also changes state.

Note: An interface can only be in one loop at a time. Juniper Networks does not support a configuration in which one interface belongs to multiple loops.

Figure: Loop - Two Interfaces Monitoring Each Other. Using IP tracking, both interfaces (ethernet3, IP 1.1.1.1, and ethernet2, IP 2.1.1.1) monitor routers. Using interface monitoring, they also monitor each other.

First State Change
If
• the number of unsuccessful ping attempts to either router exceeds the failure threshold for that tracked IP address,
• the weight of the failed track IP ≥ the track object failure threshold,
• the track object weight ≥ monitor failure threshold, and
• the failure action is a change from up to down,
then that interface changes its state from up to down.

Second State Change
If
• the weight of the failure of the first interface ≥ the monitor failure threshold of the second interface, and
• the failure action is a change from up to down,
then the second interface also changes its state from up to down.

Example: Two Monitored Interfaces

In this example, you configure ethernet3 to monitor two interfaces—ethernet1 and ethernet2. Because the weight for each monitored interface (8 + 8) equals the monitor failure threshold (16), both ethernet1 and ethernet2 must fail (and change their state from up to down) concurrently to cause ethernet3 to fail (and change its state from up to down).⁹

Figure: NetScreen Device Interfaces (ethernet1 - ethernet8). ethernet3 monitors ethernet1 and ethernet2. Because the monitor failure threshold (F-T) = the weights (W) of both interfaces combined, both of the monitored interfaces must fail to cause ethernet3 to fail. Monitored Interfaces: ethernet1, weight 8; ethernet2, weight 8. Monitor Failure Threshold: 16.

WebUI

Network > Interfaces > Edit (for ethernet3) > Monitor > Edit Interface: Enter the following, and then click Apply:

ethernet1: (select); Weight: 8

ethernet2: (select); Weight: 8

Network > Interfaces > Edit (for ethernet3) > Monitor: Enter 16 in the Monitor Threshold field, and then click Apply.

Note: This example omits the configuration of IP tracking on the ethernet1 and ethernet2 interfaces (see “Tracking IP Addresses” on page 80). Without IP tracking, the only way that ethernet1 and ethernet2 might fail is if they become physically disconnected from other network devices or if they cannot maintain links with those devices.

9. If you set the monitor failure threshold to 8—or leave it at 16 and set the weight of each monitored interface to 16—the failure of either ethernet1 or ethernet2 can cause ethernet3 to fail.

CLI

set interface ethernet3 monitor interface ethernet1 weight 8
set interface ethernet3 monitor interface ethernet2 weight 8
set interface ethernet3 monitor threshold 16
save

Example: Interface Monitoring Loop

In this example, you first configure IP tracking for two interfaces—ethernet1 and ethernet3. Then you configure these interfaces to monitor each other so that if one changes its state, the other does likewise. Finally, you define two sets of routes. The first set forwards traffic through ethernet1 and ethernet3. The second set has the same destination addresses, but these routes have lower ranked metrics and use different egress interfaces (ethernet2 and ethernet4) and different gateways from the first set. With this configuration, if the first set of interfaces fails, the NetScreen device can reroute all traffic through the second set. All zones are in the trust-vr routing domain.

Figure: NetScreen Device Interfaces (ethernet1 - ethernet8). Monitoring Interface Loop: ethernet1 and ethernet3. ethernet1 and ethernet3 monitor each other. Because the monitored interface weight = the monitor failure threshold, the failure of either interface causes the other to fail as well. Monitored Interface Weight: 8. Monitor Failure Threshold: 8.

Interfaces shown: 10.1.1.1/24 (Trust Zone) and 10.1.2.1/24 (Trust Zone) toward the Internal Router (10.1.1.250, 10.1.2.250) and the Trust Zone hosts; 1.1.1.1/24 (Untrust Zone) and 1.1.2.1/24 (Untrust Zone) toward the External Router (1.1.1.250, 1.1.2.250) and the Internet.

ethernet1 and ethernet3 perform IP tracking. ethernet1 tracks the internal router at 10.1.1.250. ethernet3 tracks the external router at 1.1.1.250. Track IP Failure Threshold: 10. Track IP Weight: 8. Track Object Weight: 8. Monitor Failure Threshold: 8.

If ethernet1 and ethernet3 become down, the routes referencing those interfaces become inactive. The NetScreen device then uses routes forwarding traffic through ethernet2 and ethernet4.

Routes

set route 10.1.0.0/16 interface ethernet1 gateway 10.1.1.250 metric 10
set route 10.1.0.0/16 interface ethernet2 gateway 10.1.2.250 metric 12
set route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250 metric 10
set route 0.0.0.0/0 interface ethernet4 gateway 1.1.2.250 metric 12

WebUI

1. IP Tracking

Network > Interfaces > Edit (for ethernet1) > Monitor: Enter the following, and then click Apply.

Enable Track IP: (select)

Monitor Threshold: 8¹⁰

Track IP Option: Threshold: 8

Weight: 8

> Monitor Track IP ADD: Enter the following, and then click Add:

Static: (select)

Track IP: 10.1.1.250

Weight: 8

Interval: 3 Seconds

Threshold: 10

Network > Interfaces > Edit (for ethernet3) > Monitor: Enter the following, and then click Apply.

Enable Track IP: (select)

Monitor Threshold: 8

Track IP Option: Threshold: 8

Weight: 8

10. To control whether the state of an interface becomes logically or physically down (or up), you must use the CLI command set interface interface monitor threshold number action { down | up } { logically | physically }. Only physical interfaces bound to any security zone other than the Null zone can be physically up or down.

> Monitor Track IP ADD: Enter the following, and then click Add:

Static: (select)

Track IP: 1.1.1.250

Weight: 8

Interval: 3 Seconds

Threshold: 10

2. Interface Monitoring

Network > Interfaces > Edit (for ethernet1) > Monitor > Edit Interface: Enter the following, and then click Apply:

ethernet3: (select); Weight: 8

Network > Interfaces > Edit (for ethernet3) > Monitor > Edit Interface: Enter the following, and then click Apply:

ethernet1: (select); Weight: 8

3. Routes

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 10.1.0.0/16

Gateway: (select)

Interface: ethernet1

Gateway IP Address: 10.1.1.250

Metric: 10

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 10.1.0.0/16

Gateway: (select)

Interface: ethernet2

Gateway IP Address: 10.1.2.250

Metric: 12

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP Address: 1.1.1.250

Metric: 10

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet4

Gateway IP Address: 1.1.2.250

Metric: 12

CLI

1. IP Tracking

set interface ethernet1 track-ip ip 10.1.1.250 weight 8
set interface ethernet1 track-ip threshold 8
set interface ethernet1 track-ip weight 8
set interface ethernet1 track-ip

set interface ethernet3 track-ip ip 1.1.1.250 weight 8
set interface ethernet3 track-ip threshold 8
set interface ethernet3 track-ip weight 8
set interface ethernet3 track-ip

2. Interface Monitoring

set interface ethernet1 monitor interface ethernet3 weight 8
set interface ethernet1 monitor threshold 8 action down physically
set interface ethernet3 monitor interface ethernet1 weight 8

set interface ethernet3 monitor threshold 8 action down physically

3. Routes

set vrouter trust-vr route 10.1.0.0/16 interface ethernet1 gateway 10.1.1.250 metric 10
set vrouter trust-vr route 10.1.0.0/16 interface ethernet2 gateway 10.1.2.250 metric 12
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250 metric 10
set vrouter trust-vr route 0.0.0.0/0 interface ethernet4 gateway 1.1.2.250 metric 12
save

Security Zone Monitoring

In addition to monitoring individual interfaces, an interface can monitor all the interfaces in a security zone—any security zone other than its own. For an entire security zone to fail, every interface bound to that zone must fail. As long as one interface bound to a monitored zone is up, the NetScreen device considers the entire zone to be up.

To configure an interface to monitor a security zone, do either of the following:

WebUI

Network > Interfaces > Edit (for the interface you want to do the monitoring) > Monitor > Edit Zone: Enter the following, and then click Apply:

Zone Name: Select the zone that you want to be monitored.

Weight: Enter a weight between 1 and 255.

CLI

set interface interface monitor zone zone [ weight number ]

If you do not set a weight, the NetScreen device applies the default value: 255.
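The weight-and-threshold rules above (IP tracking failing a track object, a failed track object or monitored interface counting toward a monitor threshold, routes through a down interface going inactive) can be checked offline with the following model. It is an added example, not code from the NetScreen guide: the class and function names are assumptions, the class defaults are model defaults rather than ScreenOS defaults, and the two scenarios reuse the interfaces, addresses and metrics of the default-route example and the interface monitoring loop example above.

```python
"""Weight/threshold model of ScreenOS-style IP tracking, interface monitoring and
route activation. Added example, not code from the NetScreen guide: unanswered pings
fail a tracked IP, the weighted sum of failed IPs is compared with the track-ip
threshold, failed track objects and failed monitored interfaces are summed against
the monitor threshold, and routes through a down interface become inactive.
"""
from dataclasses import dataclass, field


@dataclass
class TrackIP:
    address: str
    weight: int
    ping_threshold: int = 3  # consecutive unanswered pings before this target counts as failed
    unanswered: int = 0

    def failed(self) -> bool:
        return self.unanswered >= self.ping_threshold


@dataclass
class Interface:
    name: str
    track_ips: list = field(default_factory=list)
    track_threshold: int = 1      # weighted sum of failed track IPs that fails the track object
    track_object_weight: int = 1  # weight a failed track object adds toward the monitor threshold
    monitored_ifs: dict = field(default_factory=dict)  # monitored interface name -> weight
    monitor_threshold: int = 1
    physically_up: bool = True

    def track_object_failed(self) -> bool:
        return sum(t.weight for t in self.track_ips if t.failed()) >= self.track_threshold


def evaluate(ifaces: dict) -> dict:
    """Return {interface name: is_up}. Iterates to a fixed point so that a loop (two
    interfaces monitoring each other) and longer chains settle in one call."""
    down = {n for n, i in ifaces.items() if not i.physically_up}
    while True:
        new_down = set(down)
        for name, i in ifaces.items():
            weight = i.track_object_weight if i.track_object_failed() else 0
            weight += sum(w for m, w in i.monitored_ifs.items() if m in down)
            if weight >= i.monitor_threshold:
                new_down.add(name)
        if new_down == down:
            return {n: n not in down for n in ifaces}
        down = new_down


@dataclass
class Route:
    prefix: str
    interface: str
    gateway: str
    metric: int


def active_routes(routes: list, up: dict) -> list:
    """Routes through a down interface are inactive; among the active routes to one
    prefix the lowest metric is the one the device uses (the * rows of get route)."""
    best = {}
    for r in routes:
        if up[r.interface] and (r.prefix not in best or r.metric < best[r.prefix].metric):
            best[r.prefix] = r
    return sorted(f"{r.prefix} via {r.interface}" for r in best.values())


def default_route_example(router_answers_pings: bool) -> list:
    """ethernet3 tracks 1.1.1.250 (weight 10) against an IP tracking threshold of 5;
    two default routes, the one through ethernet3 with the better metric."""
    eth3 = Interface("ethernet3", [TrackIP("1.1.1.250", weight=10)], track_threshold=5)
    if not router_answers_pings:
        eth3.track_ips[0].unanswered = 3  # three consecutive pings unanswered
    ifaces = {i.name: i for i in (Interface("ethernet1"), eth3, Interface("ethernet4"))}
    routes = [Route("0.0.0.0/0", "ethernet3", "1.1.1.250", 1), Route("1.1.1.0/24", "ethernet3", "0.0.0.0", 0),
              Route("0.0.0.0/0", "ethernet4", "2.2.2.250", 10), Route("2.2.2.0/24", "ethernet4", "0.0.0.0", 1),
              Route("10.1.1.0/24", "ethernet1", "0.0.0.0", 1)]
    return active_routes(routes, evaluate(ifaces))


def loop_example(internal_router_answers_pings: bool) -> list:
    """ethernet1 and ethernet3 track their routers (track IP weight 8, track-ip
    threshold 8, track object weight 8) and monitor each other with weight 8 against
    a monitor threshold of 8, so the failure of either interface takes both down."""
    tracking = dict(track_threshold=8, track_object_weight=8, monitor_threshold=8)
    eth1 = Interface("ethernet1", [TrackIP("10.1.1.250", 8, ping_threshold=10)],
                     monitored_ifs={"ethernet3": 8}, **tracking)
    eth3 = Interface("ethernet3", [TrackIP("1.1.1.250", 8, ping_threshold=10)],
                     monitored_ifs={"ethernet1": 8}, **tracking)
    if not internal_router_answers_pings:
        eth1.track_ips[0].unanswered = 10
    ifaces = {i.name: i for i in (eth1, Interface("ethernet2"), eth3, Interface("ethernet4"))}
    routes = [Route("10.1.0.0/16", "ethernet1", "10.1.1.250", 10), Route("10.1.0.0/16", "ethernet2", "10.1.2.250", 12),
              Route("0.0.0.0/0", "ethernet3", "1.1.1.250", 10), Route("0.0.0.0/0", "ethernet4", "1.1.2.250", 12)]
    return active_routes(routes, evaluate(ifaces))
```

With the internal router unreachable, loop_example reports traffic on ethernet2 and ethernet4 even though only ethernet1's tracking failed, which is the loop behaviour the example is built to show.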

Down Interfaces and Traffic Flow

Configuring IP tracking on an interface allows the NetScreen to reroute outgoing traffic through a different interface if certain IP addresses become unreachable through the first interface. However, while the NetScreen device might deactivate routes associated with an interface because of an IP tracking failure, the interface can remain physically active and still send and receive traffic. For example, the NetScreen device continues to process incoming traffic for an existing session that might arrive on the original interface on which IP tracking failed. Also, the NetScreen device continues to use the interface to send ping requests to target IP addresses to determine if the targets again become reachable. In these situations, traffic still passes through an interface on which IP tracking has failed and for which the NetScreen device has deactivated routes. How the NetScreen device handles session traffic on such an interface depends upon the following:

• If the interface on which you configure IP tracking functions as an egress interface for a session, session replies might continue to arrive at the interface and the NetScreen device still processes them.

• If the interface on which you configure IP tracking functions as an ingress interface for a session, applying the set arp always-on-dest command causes the NetScreen device to reroute session replies to another interface. If you do not set this command, the NetScreen device forwards session replies through the interface on which IP tracking failed even though the NetScreen device has deactivated routes using that interface. (By default, this command is unset.)

By default, a NetScreen device caches a session initiator’s MAC address when it receives the initial packet for a new session. If you enter the CLI command set arp always-on-dest, the NetScreen device does not cache a session initiator’s MAC address. Instead, the NetScreen device performs an ARP lookup when processing the reply to that initial packet. If the initiator’s MAC address is in the ARP table, the NetScreen device uses that. If the MAC address is not in the ARP table, the NetScreen device sends an ARP request for the destination MAC address and then adds the MAC address it receives to its ARP table. The NetScreen device performs another ARP lookup whenever a route change occurs.

The following section describes separate scenarios in which IP tracking fails on the egress interface and on the ingress interface; and, in the case of the latter, what occurs when you use the command set arp always-on-dest.

Note: The following section describes how IP tracking triggers routing changes and how those changes can affect the packet flow through all NetScreen devices other than the NetScreen-5XT and -5GT. For these devices, an IP tracking failure triggers an interface failover. For more information, see “Dual Untrust Interfaces” on page 10-69.

Failure on the Egress Interface

In the following scenario, you configure IP tracking on ethernet2, which is the egress interface for sessions from host A to host B. Host A initiates the session by sending a packet to host B, as shown below.

Note: You must first create two routes to host B and both the egress interfaces must be in the same zone so that the same policy applies to traffic before and after the rerouting occurs.

Figure: Traffic Flow from Host A to Host B - Request (Session Initiation). Host A (Initiator) 10.1.1.5 in the Trust Zone 10.1.1.0/24; Ingress Interface ethernet1 10.1.1.1/24; First Egress Interface ethernet2 1.1.1.1/24; Second Egress Interface ethernet3 1.1.2.1/24; Untrust Zone with gateways 1.1.1.254 and 1.1.2.254; Host B (Responder) 2.2.2.2. IP tracking is enabled from ethernet2. Callouts: 1 Session Lookup, 2 Route Lookup, 3 Policy Lookup.

1. Host A at 10.1.1.5 sends a packet destined for Host B at 2.2.2.2 to ethernet1 (10.1.1.1).

2. The NetScreen device performs the following tasks:

2.1 Session Lookup - If this is the first packet, the NetScreen device creates a session. If it belongs to an existing session, it refreshes the session table entry.

2.2 Route Lookup - The NetScreen device does a route lookup for the first packet in a session, and again if the route changes. The route lookup results in the following route: To reach 0.0.0.0/0, send the packet out interface ethernet2 to gateway 1.1.1.254.

2.3 Policy Lookup - The NetScreen device enforces security policies on interzone traffic from Host A in the Trust zone to Host B in the Untrust zone for the type of traffic Host A is sending.

3. The NetScreen device forwards the packet through ethernet2 to the gateway at 1.1.1.254.

4. The gateway at 1.1.1.254 forwards the packet to its next hop. Routing continues until Host B receives it.

When host B replies to host A, the return traffic follows a similar path back through the NetScreen device, as shown below.

Figure: Traffic Flow from Host A to Host B - Reply. Same topology as above (Host A, Initiator, 10.1.1.5; ethernet1 10.1.1.1/24; ethernet2 1.1.1.1/24; ethernet3 1.1.2.1/24; gateways 1.1.1.254 and 1.1.2.254; Host B, Responder, 2.2.2.2). IP tracking from ethernet2 succeeds. Callout: Session Lookup.

1. Host B at 2.2.2.2 replies with a packet destined for Host A at 10.1.1.5 (omitting NAT for purposes of clarity).

2. When the gateway at 1.1.1.254 receives the reply, it forwards it to its next hop, which is 1.1.1.1, the IP address of ethernet2.

3. The NetScreen device performs a session lookup. Because this is a reply, the NetScreen device matches it with an existing session and refreshes the session table entry.

4. By using the cached MAC address for host A or by doing an ARP lookup to discover its MAC address, the NetScreen device forwards the packet through ethernet1 to host A.

If IP tracking on ethernet2 fails, the NetScreen device deactivates routes that use ethernet2 and uses ethernet3 for outbound traffic to host B. However, replies from host B to host A can arrive through either ethernet2 or ethernet3 and the NetScreen device forwards them through ethernet1 to host A.

Figure: Traffic Flow from Host A to Host B - IP Tracking Failure Triggers Rerouting. Same topology as above. IP tracking from ethernet2 fails. Callouts: Route Change, Session Update. Note: Outgoing traffic uses ethernet3 only, but incoming traffic can use either ethernet2 or ethernet3.

1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:

1.1 Route Change - The NetScreen device deactivates all routes using ethernet2. It does a route lookup and replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.

1.2 Session Update - The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254.

2. The NetScreen device now redirects traffic from host A out ethernet3 to 1.1.2.254.

3. The replies from host B might arrive at ethernet2 or ethernet3. The NetScreen device performs a session lookup and matches the packets with an existing session. Whichever interface they arrive at, the NetScreen device forwards the packets through ethernet1 to host A.

4. The NetScreen device forwards the packet through ethernet1 to host A.

Failure on the Ingress Interface

In the following scenario, you again configure IP tracking on ethernet2, but this time ethernet2 is the ingress interface on the NetScreen device for sessions from host B to host A. Host B initiates the session by sending a packet to host A, as shown below.

Figure: Traffic Flow from Host B to Host A - Request (Session Initiation). Host A (Responder) 10.1.1.5 in the Trust Zone 10.1.1.0/24; Ingress Interface ethernet1 10.1.1.1/24; First Egress Interface ethernet2 1.1.1.1/24; Second Egress Interface ethernet3 1.1.2.1/24; Untrust Zone with gateways 1.1.1.254 and 1.1.2.254; Host B (Initiator) 2.2.2.2. IP tracking is enabled from ethernet2. Callouts: Session Lookup, Route Lookup, Policy Lookup.

1. Host B at 2.2.2.2 sends a packet destined for Host A at 10.1.1.5 (omitting NAT for purposes of clarity).

2. When the packet reaches ethernet2, the NetScreen device performs the following tasks:

2.1 Session lookup (and because this is the first packet in a session, creates a new session table entry)

2.2 Route lookup

2.3 Policy lookup

3. The NetScreen device forwards the packet through ethernet1 to host A at 10.1.1.5.

When host A replies to host B, the return traffic follows a similar path back through the NetScreen device, as shown below.

Figure: Traffic Flow from Host B to Host A - Reply. Same topology as above (Host B, Initiator, 2.2.2.2; Host A, Responder, 10.1.1.5). IP tracking from ethernet2 succeeds. Callout: Session Lookup.

1. Host A at 10.1.1.5 sends a reply packet destined for Host B (2.2.2.2) to ethernet1 at 10.1.1.1.

2. The NetScreen device performs a session lookup. Because this is a reply, the NetScreen device matches it with an existing session and refreshes the session table entry.

3. By using the cached MAC address for the gateway at 1.1.1.254 or by doing an ARP lookup to discover its MAC address, the NetScreen device forwards the packet through ethernet2 to the gateway.

4. When the gateway at 1.1.1.254 receives the reply, it forwards it to its next hop. Routing continues until Host B receives it.

If IP tracking on ethernet2 fails, the NetScreen device deactivates routes that use ethernet2 and uses ethernet3 for outbound traffic to host B. However, requests from host B to host A can still arrive through ethernet2 and the NetScreen device still forwards them to host A through ethernet1. The data flow for requests from host B to host A looks the same after an IP tracking failure as it did before. However, the replies from host A can take one of two different paths, depending on the application of the set arp always-on-dest command.

If you set the command set arp always-on-dest, the NetScreen device sends an ARP request for the destination MAC address when processing the reply to the first packet in a session or when a route change occurs. (When this command is unset, the NetScreen device caches the session initiator’s MAC address and uses that when processing replies. By default, this command is unset).

When IP tracking on ethernet2 fails, the NetScreen device first deactivates all routes using ethernet2 and then does a route lookup. It finds another route to reach host B through ethernet3 and the gateway at 1.1.2.254. It then scans its session table and redirects all sessions to the new route. If you have the set arp always-on-dest command enabled, the NetScreen device does an ARP lookup when it receives the next packet from host A because it is in a session affected by the route change. Despite the ingress interface on which packets from host B arrive, the NetScreen device sends all further replies from host A through ethernet3 to the gateway at 1.1.2.254.

Figure: Traffic Flow from Host B to Host A - IP Tracking Failure Triggers Rerouting. Same topology as above. IP tracking from ethernet2 fails. Callouts: Route Change, Session Update.

1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:

1.1 Route Change - The NetScreen device deactivates all routes using ethernet2. It replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.

1.2 Session Update - The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254.

2. The requests from host B might still arrive at ethernet2, or the routing fabric might redirect them to ethernet3. The NetScreen device performs a session lookup and matches the packet with an existing session.

3. Because you entered the set arp always-on-dest command, the NetScreen device does an ARP lookup for host A’s reply and sends it through ethernet3 to the gateway at 1.1.2.254.

If you have set the command unset arp always-on-dest (which is the default configuration), the NetScreen device uses the MAC address for the gateway at 1.1.1.1 that it cached when host B sent the initial session packet. The NetScreen device continues to send session replies through ethernet2. In this case, the IP tracking failure caused no change in the flow of data through the NetScreen device.

Figure: Traffic Flow from Host B to Host A - IP Tracking Failure Triggers No Rerouting. Same topology as above. IP tracking from ethernet2 fails. Callout: Session Lookup.

1. When IP tracking on ethernet2 fails, the NetScreen device performs the following tasks:

1.1 Route Change - The NetScreen device deactivates all routes using ethernet2. It replaces the route to 2.2.2.2 using ethernet2 and gateway 1.1.1.254 with a route using ethernet3 and gateway 1.1.2.254.

1.2 Session Update - The NetScreen device scans the session table for all entries that use ethernet2 and reroutes them through ethernet3 to gateway 1.1.2.254. However, because the NetScreen device cached the MAC address for the gateway at 1.1.1.254, it continues to use that MAC address for the replies from host A.

2. The requests from host B might still arrive at ethernet2. The NetScreen device performs a session lookup, matches the packet with an existing session, and forwards it through ethernet1 to host A at 10.1.1.5.

3. When host A replies, the NetScreen device forwards the reply out ethernet2 to the gateway at 1.1.1.254. Because the set arp always-on-dest command is not set, the MAC address remains unchanged in the session table from the initial creation of its entry.
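The two scenarios above (failure on the egress interface, and failure on the ingress interface with and without set arp always-on-dest) can be traced with the following model. It is an added example, not code from the NetScreen guide: the Device, Route and Session names are assumptions, the route table is the one implied by the scenario's addresses, and the MAC addresses in ARP_TABLE are constructed placeholders.

```python
"""Reply path after an IP tracking failure, with and without set arp always-on-dest.
Added example, not code from the NetScreen guide. It models the session handling the
text describes: routes through the failed interface are deactivated, the next lookup
picks the remaining route, and the initiator's next-hop MAC is either cached when the
session is created (command unset) or re-resolved for each reply (command set).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed ARP table: next-hop IP -> MAC (placeholder values, not from the guide).
ARP_TABLE = {"10.1.1.5": "02:00:00:0a:01:05", "1.1.1.254": "02:00:00:01:01:fe",
             "1.1.2.254": "02:00:00:01:02:fe"}


@dataclass
class Route:
    prefix: str
    interface: str
    gateway: str  # "0.0.0.0" marks a connected route
    metric: int
    active: bool = True


@dataclass
class Session:
    initiator: str
    responder: str
    cached_mac: Optional[str]    # initiator next-hop MAC learned from the first packet
    cached_iface: Optional[str]  # interface that MAC was learned on


class Device:
    """A NetScreen-like forwarder: route table plus one ARP setting."""

    def __init__(self, arp_always_on_dest: bool):
        self.arp_always_on_dest = arp_always_on_dest
        self.routes = [Route("10.1.1.0/24", "ethernet1", "0.0.0.0", 0),
                       Route("1.1.1.0/24", "ethernet2", "0.0.0.0", 0),
                       Route("1.1.2.0/24", "ethernet3", "0.0.0.0", 0),
                       Route("0.0.0.0/0", "ethernet2", "1.1.1.254", 10),
                       Route("0.0.0.0/0", "ethernet3", "1.1.2.254", 12)]

    def next_hop(self, dst: str) -> tuple:
        """Longest-prefix match over active routes, lowest metric on a tie.
        Returns (egress interface, IP address to resolve with ARP)."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes if r.active and addr in ipaddress.ip_network(r.prefix)]
        best = max(usable, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.metric))
        return best.interface, (dst if best.gateway == "0.0.0.0" else best.gateway)

    def first_packet(self, initiator: str, responder: str) -> Session:
        """Create the session. With the command unset, the initiator's next-hop MAC is
        cached now and reused for every reply; with it set, nothing is cached."""
        if self.arp_always_on_dest:
            return Session(initiator, responder, None, None)
        iface, hop = self.next_hop(initiator)
        return Session(initiator, responder, ARP_TABLE[hop], iface)

    def forward(self, s: Session, to_initiator: bool) -> tuple:
        """(egress interface, destination MAC) for the next packet of session s."""
        if to_initiator and s.cached_mac is not None:
            return s.cached_iface, s.cached_mac  # cached at session creation, never refreshed
        iface, hop = self.next_hop(s.initiator if to_initiator else s.responder)
        return iface, ARP_TABLE[hop]             # fresh ARP lookup against the current route

    def ip_tracking_failed(self, iface: str) -> None:
        """Deactivate every route using iface; the next lookup picks the remaining route."""
        for r in self.routes:
            if r.interface == iface:
                r.active = False


def ingress_failure(arp_always_on_dest: bool) -> dict:
    """Host B (2.2.2.2) opens a session to host A (10.1.1.5) through ethernet2, then IP
    tracking on ethernet2 fails. Returns the path of host A's replies before and after."""
    dev = Device(arp_always_on_dest)
    s = dev.first_packet("2.2.2.2", "10.1.1.5")
    before = dev.forward(s, to_initiator=True)
    dev.ip_tracking_failed("ethernet2")
    return {"before": before, "after": dev.forward(s, to_initiator=True)}


def egress_failure(arp_always_on_dest: bool) -> dict:
    """Host A opens the session; packets toward host B follow the route table, so they
    move to ethernet3 after the failure whatever the ARP setting."""
    dev = Device(arp_always_on_dest)
    s = dev.first_packet("10.1.1.5", "2.2.2.2")
    before = dev.forward(s, to_initiator=False)
    dev.ip_tracking_failed("ethernet2")
    return {"before": before, "after": dev.forward(s, to_initiator=False)}
```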

Chapter 4

Interface Modes

Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent. If an interface bound to a Layer 3 zone has an IP address, you can define the operational mode for that interface as either NAT¹ or Route. An interface bound to a Layer 2 zone (such as the predefined v1-trust, v1-untrust, and v1-dmz zones, or a user-defined Layer 2 zone) must be in Transparent mode. You select an operational mode when you configure an interface.

This chapter contains the following sections:

• “Transparent Mode” on page 104

– “Zone Settings” on page 105

– “Traffic Forwarding” on page 106

– “Unknown Unicast Options” on page 107

• “NAT Mode” on page 122

– “Inbound and Outbound NAT Traffic” on page 124

– “Interface Settings” on page 125

• “Route Mode” on page 130

– “Interface Settings” on page 131

1. Although you can define the operational mode for an interface bound to any Layer 3 zone as NAT, the NetScreen device only performs NAT on traffic passing through that interface en route to the Untrust zone. NetScreen does not perform NAT on traffic destined for any zone other than the Untrust zone. Also, note that NetScreen allows you to set an Untrust zone interface in NAT mode, but doing so activates no NAT operations.

Chapter 4 Interface Modes Transparent Mode

TRANSPARENT MODE

When an interface is in Transparent mode, the NetScreen device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the NetScreen device acting much like a Layer 2 switch or bridge. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, or “transparent,” to users.

Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainly receives traffic from untrusted sources. Using Transparent mode offers the following benefits:

• No need to reconfigure the IP settings of routers or protected servers

• No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers

Figure: Transparent mode topology. Labels: External Router, To Internet, Untrust Zone, Trust Zone, Switch, Public Address Space, with addresses 209.122.30.1, 209.122.30.2, 209.122.30.3, 209.122.30.4 and 209.122.30.5.

Zone Settings

By default, ScreenOS creates one function zone, the VLAN zone, and three L2 security zones: V1-Trust, V1-Untrust, and V1-DMZ.

VLAN Zone

The VLAN zone hosts the VLAN1 interface, which has the same configuration and management abilities as a physical interface. When the NetScreen device is in Transparent mode, you use the VLAN1 interface for managing the device and terminating VPN traffic. You can configure the VLAN1 interface to permit hosts in the L2 security zones to manage the device. To do that, you must set the VLAN1 interface IP address in the same subnet as the hosts in the L2 security zones.

For management traffic, the VLAN1 Manage IP takes precedence over the VLAN1 interface IP. You can set the VLAN1 Manage IP for management traffic and dedicate the VLAN1 interface IP solely for VPN tunnel termination.

Predefined Layer 2 Zones

ScreenOS provides three L2 security zones by default: V1-Trust, V1-Untrust, and V1-DMZ. These three zones share the same L2 domain. When you configure an interface in one of the zones, it gets added to the L2 domain shared by all interfaces in all the L2 zones. All hosts in the L2 zones must be on the same subnet to communicate.

As stated in the previous section, when the device is in Transparent mode, you use the VLAN1 interface to manage the device. For management traffic to reach the VLAN1 interface, you must enable the management options on the VLAN1 interface and on the zone(s) through which the management traffic passes. By default, all management options are enabled in the V1-Trust zone. To enable hosts in other zones to manage the device, you must set those options on the zones to which they belong.

Note: To see which physical interfaces are prebound to the L2 zones for each NetScreen platform, refer to the installer’s guide for that platform.

Traffic Forwarding

A NetScreen device operating at Layer 2 (L2) does not permit any inter-zone or intra-zone traffic unless there is a policy configured on the device. For more information on how to set policies, see “Policies” on page 297. After you configure a policy on the NetScreen device, it does the following:

• Allows or denies the traffic specified in the policy
• Allows ARP and L2 non-IP multicast and broadcast traffic. The NetScreen device can then receive and pass L2 broadcast traffic for the spanning tree protocol.
• Continues to block all non-IP and non-ARP unicast traffic, and IPSec traffic

You can change the forwarding behavior of the device as follows:

• To block all L2 non-IP and non-ARP traffic, including multicast and broadcast traffic, enter the unset interface vlan1 bypass-non-ip-all command.
• To allow all L2 non-IP traffic to pass through the device, enter the set interface vlan1 bypass-non-ip command.
• To revert to the default behavior of the device, which is to block all non-IP and non-ARP unicast traffic, enter the unset interface vlan1 bypass-non-ip command.
  – Note that the unset interface vlan1 bypass-non-ip-all command always overwrites the unset interface vlan1 bypass-non-ip command when both commands are in the configuration file. Therefore, if you had previously entered the unset interface vlan1 bypass-non-ip-all command, and you now want the device to revert to its default behavior of blocking only the non-IP and non-ARP unicast traffic, you should first enter the set interface vlan1 bypass-non-ip command to allow all non-IP traffic to pass through the device. Then you must enter the unset interface vlan1 bypass-non-ip command to block only the non-IP, non-ARP unicast traffic.
• To allow a NetScreen device to pass IPSec traffic without attempting to terminate it, use the set interface vlan1 bypass-others-ipsec command. The NetScreen device then allows the IPSec traffic to pass through to other VPN termination points.

Note: A NetScreen device with interfaces in Transparent mode requires routes for two purposes: to direct self-initiated traffic, such as SNMP traps, and to forward VPN traffic after encapsulating or decapsulating it.

Unknown Unicast Options

When a host or any kind of network device does not know the MAC address associated with the IP address of another device, it uses the Address Resolution Protocol (ARP) to obtain it. The requestor broadcasts an ARP query (arp-q) to all the other devices on the same subnet. The arp-q requests the device at the specified destination IP address to send back an ARP reply (arp-r), which provides the requestor with the MAC address of the replier. When all the other devices on the subnet receive the arp-q, they check the destination IP address and, because it is not their IP address, drop the packet. Only the device with the specified IP address returns an arp-r. After a device matches an IP address with a MAC address, it stores the information in its ARP cache.

As ARP traffic passes through a NetScreen device in Transparent mode, the device notes the source MAC address in each packet and learns which interface leads to that MAC address. In fact, the NetScreen device learns which interface leads to which MAC address by noting the source MAC addresses in all packets it receives. It then stores this information in its forwarding table.

Note: A NetScreen device in Transparent mode does not permit any traffic between zones unless there is a policy configured on the device. For more information on how the device forwards traffic when it is in Transparent mode, see “Traffic Forwarding” on page 106.

The situation can arise when a device sends a unicast packet with a destination MAC address, which it has in its ARP cache, but which the NetScreen device does not have in its forwarding table. For example, the NetScreen device clears its forwarding table every time it reboots. (You can also clear the forwarding table with the CLI command clear arp.) When a NetScreen device in Transparent mode receives a unicast packet for which it has no entry in its forwarding table, it can follow one of two courses:

• After doing a policy lookup to determine the zones to which traffic from the source address is permitted, flood the initial packet out the interfaces bound to those zones, and then continue using whichever interface receives a reply. This is the Flood option, which is enabled by default.
• Drop the initial packet, flood ARP queries (and, optionally, trace-route packets, which are ICMP echo requests with the time-to-live value set to 1) out all interfaces (except the interface at which the packet arrived), and then send subsequent packets through whichever interface receives an ARP (or trace-route) reply from the router or host whose MAC address matches the destination MAC address in the initial packet. The trace-route option allows the NetScreen device to discover the destination MAC address when the destination IP address is in a nonadjacent subnet.

Flood Method

The flood method forwards packets in the same manner as most Layer 2 switches. A switch maintains a forwarding table that contains MAC addresses and associated ports for each Layer 2 domain. The table also contains the corresponding interface through which the switch can forward traffic to each device. Every time a packet arrives with a new source MAC address in its frame header, the switch adds the MAC address to its forwarding table. It also tracks the interface at which the packet arrived. If the destination MAC address is unknown to the switch, the switch duplicates the packet and floods it out all interfaces (other than the interface at which the packet arrived). It learns the previously unknown MAC address and its corresponding interface when a reply with that MAC address arrives at one of its interfaces.

When you enable the flood method and the NetScreen device receives an ethernet frame with a destination MAC address that is not listed in the NetScreen device MAC table, it floods the packet out all interfaces.

Note: Of the two methods—flood and ARP/trace-route—ARP/trace-route is more secure because the NetScreen device floods ARP queries and trace-route packets—not the initial packet—out all interfaces.

To enable the flood method for handling unknown unicast packets, do either of the following:

WebUI

Network > Interface > Edit (for VLAN1): For the broadcast options, select Flood, and then click OK.

CLI

set interface vlan1 broadcast flood
save

[Figure: Flood Method. Interfaces ethernet1, ethernet2, ethernet3, and ethernet4, each with IP 0.0.0.0/0, are bound to the V1-Trust, L2-Finance, V1-DMZ, and V1-Untrust zones, which share a common address space; a router sits behind each of ethernet2, ethernet3, and ethernet4. A packet arrives at ethernet1. NetScreen floods the packet out ethernet2, but receives no reply. NetScreen floods the packet out ethernet4, but receives no reply. NetScreen floods the packet out ethernet3. When it receives a reply, it does the following: learns which interface leads to the specified MAC address; stores the MAC/interface tuple in its forwarding table; continues to use ethernet3 for the remainder of the session.]

ARP/Trace-Route Method

When you enable the ARP method with the trace-route option² and the NetScreen device receives an ethernet frame with a destination MAC address that is not listed in its MAC table, the NetScreen device performs the following series of actions:

1. The NetScreen device notes the destination MAC address in the initial packet (and, if it is not already there, adds the source MAC address and its corresponding interface to its forwarding table).

2. The NetScreen device drops the initial packet.

3. The NetScreen device generates two packets—ARP query (arp-q) and a trace-route (an ICMP echo request, or PING) with a time-to-live (TTL) field of 1—and floods those packets out all interfaces except the interface at which the initial packet arrived. For the arp-q packets and ICMP echo requests, the NetScreen device uses the source and destination IP addresses from the initial packet. For arp-q packets, the NetScreen device replaces the source MAC address from the initial packet with the MAC address for VLAN1, and it replaces the destination MAC address from the initial packet with ffff.ffff.ffff. For the trace-route option, the NetScreen device uses the source and destination MAC addresses from the initial packet in the ICMP echo requests that it broadcasts.

If the destination IP address belongs to a device in the same subnet as the ingress IP address³, the host returns an ARP reply (arp-r) with its MAC address, thus indicating the interface through which the NetScreen device must forward traffic destined for that address. (See “ARP Method” on page 112.)

If the destination IP address belongs to a device in a subnet beyond that of the ingress IP address, the trace-route returns the IP and MAC addresses of the router leading to the destination⁴, and more significantly, indicates the interface through which the NetScreen device must forward traffic destined for that MAC address. (See “Trace-Route” on page 113.)

2. When you enable the ARP method, the trace-route option is enabled by default. You can also enable the ARP method without the trace-route option. However, this method only allows the NetScreen device to discover the destination MAC address for a unicast packet if the destination IP address is in the same subnet as the ingress IP address. (For more information about the ingress IP address, see the next footnote.)

3. The ingress IP address refers to the IP address of the last device to send the packet to the NetScreen device. This device might be the source that sent the packet or a router forwarding the packet.

4. Actually, the trace-route returns the IP and MAC addresses of all the routers in the subnet. The NetScreen device then matches the destination MAC address from the initial packet with the source MAC address on the arp-r packets to determine which router to target, and consequently, which interface to use to reach that target.

4. Combining the destination MAC address gleaned from the initial packet with the interface leading to that MAC address, the NetScreen device adds a new entry to its forwarding table.

5. The NetScreen device forwards all subsequent packets it receives out the correct interface to the destination.

To enable the ARP/trace-route method for handling unknown unicast packets, do either of the following:

WebUI

Network > Interface > Edit (for VLAN1): For the broadcast options, select ARP, and then click OK.

CLI

set interface vlan1 broadcast arp
save

Note: The trace-route option is enabled by default. If you want to use ARP without the trace-route option, enter the following command: unset interface vlan1 broadcast arp trace-route. This command unsets the trace-route option but does not unset ARP as the method for handling unknown unicast packets.

The following illustration shows how the ARP method can locate the destination MAC when the destination IP address is in an adjacent subnet.

[Figure: ARP Method. The NetScreen device has VLAN1 at 210.1.1.1/24 with MAC 0010.db15.39ce; ethernet1, ethernet2, ethernet3, and ethernet4 are each 0.0.0.0/0 and carry the same MAC. The zones L2-Finance, V1-Trust, V1-DMZ, and V1-Untrust share a common address space. Hosts: PC A 210.1.1.5 (00aa.11aa.11aa), PC B 210.1.1.75 (00bb.11bb.11bb), Router A 210.1.1.100 (00cc.11cc.11cc), Router B 210.1.1.200 (00dd.11dd.11dd).]

If the following packet arrives at ethernet1 and the forwarding table does not have an entry for MAC address 00bb.11bb.11bb,

    Ethernet Frame             IP Datagram
    dst    src    type         src         dst
    11bb   11aa   0800         210.1.1.5   210.1.1.75

the NetScreen device floods the following arp-q packet out eth2, eth3, and eth4:

    Ethernet Frame             ARP Message
    dst    src    type         src         dst
    ffff   39ce   0806         210.1.1.5   210.1.1.75

When the NetScreen device receives the following arp-r at eth2,

    Ethernet Frame             ARP Message
    dst    src    type         src          dst
    39ce   11bb   0806         210.1.1.75   210.1.1.5

it can now associate the MAC address with the interface leading to it.

Note: Only the relevant elements of the packet header and the last four digits in the MAC addresses are shown.

The following illustration shows how the trace-route option can locate the destination MAC when the destination IP address is in a nonadjacent subnet.

[Figure: Trace-Route. The NetScreen device has VLAN1 at 210.1.1.1/24 with MAC 0010.db15.39ce; ethernet1, ethernet2, ethernet3, and ethernet4 are each 0.0.0.0/0 and carry the same MAC. The zones L2-Finance, V1-Trust, V1-DMZ, and V1-Untrust share a common address space. Hosts: PC A 210.1.1.5 (00aa.11aa.11aa), PC B 210.1.1.75 (00bb.11bb.11bb), Router A 210.1.1.100 (00cc.11cc.11cc), Router B 210.1.1.200 (00dd.11dd.11dd); Server C 195.1.1.5 (00dd.22dd.22dd) lies beyond Router B.]

If the following packet arrives at ethernet1 and the forwarding table does not have an entry for MAC address 00dd.11dd.11dd,

    Ethernet Frame             IP Datagram
    dst    src    type         src         dst
    11dd   11aa   0800         210.1.1.5   195.1.1.5

the NetScreen device floods the following trace-route packet out eth2, eth3, and eth4:

    Ethernet Frame             ICMP Message
    dst    src    type         src         dst         TTL
    11dd   11aa   0800         210.1.1.5   195.1.1.5   1

When the NetScreen device receives the following response at eth3,

    Ethernet Frame             ICMP Message
    dst    src    type         src           dst         msg
    11aa   11dd   0800         210.1.1.200   210.1.1.5   Time Exceeded

it can now associate the MAC address with the interface leading to it.

Note: Only the relevant elements of the packet header and the last four digits in the MAC addresses are shown.
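The following Python model is an added illustration, not ScreenOS code from the guide: it walks a Transparent-mode device through the ARP-method exchange (PC A 11aa to PC B 11bb, answered at eth2) and the trace-route exchange (PC A to Server C via Router B 11dd, answered at eth3) using the frame values from the two illustrations, and contrasts them with the default Flood method so the difference the note on page 108 draws is visible in what actually leaves each interface. The class and function names, and the four interface names, are assumptions of this example.

```python
"""Model of how a device in Transparent mode handles a unicast frame whose
destination MAC is not in its forwarding table: Flood method versus the
ARP/trace-route method. Example code added here, not ScreenOS code. Frames use
the last four hex digits of the MACs in the figures (PC A 11aa, PC B 11bb,
Router B 11dd, VLAN1 39ce); interface names are this example's assumption."""
from dataclasses import dataclass, field

VLAN1_MAC = "39ce"   # the device's own MAC (0010.db15.39ce in the figures)
BROADCAST = "ffff"   # ffff.ffff.ffff
ALL_IFACES = ["ethernet1", "ethernet2", "ethernet3", "ethernet4"]


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    ethertype: str          # "0800" = IP, "0806" = ARP
    src_ip: str
    dst_ip: str
    ttl: int = 64
    icmp: str = ""          # "echo-request", "time-exceeded" or "" (not ICMP)


@dataclass
class L2Device:
    method: str = "arp"                 # "flood" or "arp" (set interface vlan1 broadcast ...)
    trace_route: bool = True            # only meaningful for the "arp" method
    fwd_table: dict = field(default_factory=dict)   # MAC -> interface it was learned on
    wire: list = field(default_factory=list)        # (egress interface, Frame) transmitted

    def _flood(self, frame, ingress):
        for iface in ALL_IFACES:
            if iface != ingress:
                self.wire.append((iface, frame))

    def receive(self, frame, ingress):
        """Return what happened to the frame: 'forwarded', 'flooded' or 'dropped'."""
        # Every frame teaches the device where its source MAC lives (step 1).
        self.fwd_table.setdefault(frame.src_mac, ingress)
        egress = self.fwd_table.get(frame.dst_mac)
        if egress is not None:
            self.wire.append((egress, frame))
            return "forwarded"
        if self.method == "flood":
            # Flood method: the initial packet itself goes out every other interface.
            self._flood(frame, ingress)
            return "flooded"
        # ARP/trace-route method: drop the initial packet (step 2), probe instead (step 3).
        # arp-q keeps the original IPs but carries VLAN1's MAC as source and broadcast as destination.
        self._flood(Frame(BROADCAST, VLAN1_MAC, "0806", frame.src_ip, frame.dst_ip), ingress)
        if self.trace_route:
            # ICMP echo request with TTL 1 and the original source/destination MACs.
            self._flood(Frame(frame.dst_mac, frame.src_mac, "0800", frame.src_ip,
                              frame.dst_ip, ttl=1, icmp="echo-request"), ingress)
        return "dropped"

    def receive_reply(self, frame, ingress):
        """An arp-r or ICMP Time Exceeded arrives: its source MAC is the one being
        resolved, so the MAC/interface tuple is added to the table (step 4)."""
        self.fwd_table[frame.src_mac] = ingress
        return ingress


def arp_method_example():
    """PC A (210.1.1.5) to PC B (210.1.1.75), same subnet: resolved by the arp-r at eth2."""
    dev = L2Device(method="arp")
    initial = Frame("11bb", "11aa", "0800", "210.1.1.5", "210.1.1.75")
    outcome = dev.receive(initial, "ethernet1")
    arp_r = Frame(VLAN1_MAC, "11bb", "0806", "210.1.1.75", "210.1.1.5")
    learned = dev.receive_reply(arp_r, "ethernet2")
    dev.receive(initial, "ethernet1")      # step 5: subsequent packets use the learned interface
    return outcome, learned, dev.wire


def trace_route_example():
    """PC A to Server C (195.1.1.5), nonadjacent subnet: the frame carries Router B's
    MAC (11dd); Router B answers the TTL-1 probe with Time Exceeded at eth3."""
    dev = L2Device(method="arp", trace_route=True)
    initial = Frame("11dd", "11aa", "0800", "210.1.1.5", "195.1.1.5")
    outcome = dev.receive(initial, "ethernet1")
    reply = Frame("11aa", "11dd", "0800", "210.1.1.200", "210.1.1.5", icmp="time-exceeded")
    learned = dev.receive_reply(reply, "ethernet3")
    return outcome, learned, dev.wire


def flood_method_example():
    """Same first frame under the default Flood method: the initial packet itself is
    copied onto every other segment, which is what the note on page 108 contrasts."""
    dev = L2Device(method="flood")
    initial = Frame("11bb", "11aa", "0800", "210.1.1.5", "210.1.1.75")
    outcome = dev.receive(initial, "ethernet1")
    return outcome, [iface for iface, f in dev.wire if f == initial]
```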

Example: VLAN1 Interface for Management

In this example, you configure the NetScreen device for management to its VLAN1 interface as follows:

• Assign the VLAN1 interface an IP address of 1.1.1.1/24.
• Enable Web, Telnet, SSH and Ping on both the VLAN1 interface and V1-Trust⁵ security zone.
• Add a route in the trust virtual router (all Layer 2 security zones are in the trust-vr routing domain) to enable management traffic to flow between the NetScreen device and an administrative workstation beyond the immediate subnet of the NetScreen device. All security zones are in the trust-vr routing domain.

Note: To manage the device from a Layer 2 security zone, you must set the same management options for both the VLAN1 interface and the Layer 2 security zone.

5. By default, NetScreen enables the management options for the VLAN1 interface and V1-Trust security zone. Enabling these options is included in this example for illustrative purposes only. Unless you have previously disabled them, you really do not need to enable them manually.

[Figure: VLAN1 1.1.1.1/24 on the NetScreen device. V1-Trust interface ethernet1 (0.0.0.0/0) faces the V1-Trust zone and the 1.1.1.0/24 subnet, where an internal router (1.1.1.251 / 1.1.2.250) leads to the admin workstation 1.1.2.5 in the 1.1.2.0/24 subnet. V1-Untrust interface ethernet3 (0.0.0.0/0) faces the V1-Untrust zone and the Internet.]

WebUI

1. VLAN1 Interface
Network > Interfaces > Edit (for VLAN1): Enter the following, and then click OK:
    IP Address/Netmask: 1.1.1.1/24
    Management Services: WebUI, Telnet, SSH (select)
    Other Services: Ping (select)

2. V1-Trust Zone
Network > Zones > Edit (for V1-Trust): Select the following, and then click OK:
    Management Services: WebUI, Telnet, SSH
    Other Services: Ping

3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 1.1.2.0/24
    Gateway: (select)
    Interface: vlan1(trust-vr)
    Gateway IP Address: 1.1.1.251
    Metric: 1

CLI

1. VLAN1 Interface
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ssh
set interface vlan1 manage ping

2. V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ssh
set zone v1-trust manage ping

3. Route
set vrouter trust-vr route 1.1.2.0/24 interface vlan1 gateway 1.1.1.251 metric 1
save

Example: Transparent Mode

The following example illustrates a basic configuration for a single LAN protected by a NetScreen device in Transparent mode. Policies permit outgoing traffic for all hosts in the V1-Trust zone, incoming SMTP services for the mail server, and incoming FTP-GET services for the FTP server.

To increase the security of management traffic, you change the HTTP port number for WebUI management from 80 to 5555, and the Telnet port number for CLI management from 23 to 4646. You use the VLAN1 IP address—1.1.1.1/24—to manage the NetScreen device from the V1-Trust security zone. You define addresses for the FTP and Mail servers. You also configure a default route to the external router at 1.1.1.250, so that the NetScreen device can send outbound VPN traffic to it⁶. (The default gateway on all hosts in the V1-Trust zone is also 1.1.1.250.)

6. For an example of configuring a VPN tunnel for a NetScreen device with interfaces in Transparent mode, see “Transparent Mode VPN” on page 5 -219.

[Figure: The 1.1.1.0/24 address space spans both zones. In the V1-Trust zone, FTP_Server 1.1.1.5 and Mail_Server 1.1.1.10 connect through the V1-Trust interface ethernet1 (0.0.0.0/0); VLAN1 IP is 1.1.1.1/24. The V1-Untrust interface ethernet3 (0.0.0.0/0) leads to the external router 1.1.1.250 and the Internet.]

WebUI

1. VLAN1 Interface
Network > Interfaces > Edit (for the VLAN1 interface): Enter the following, and then click OK:
    IP Address/Netmask: 1.1.1.1/24
    Management Services: WebUI, Telnet (select)
    Other Services: Ping (select)

2. HTTP Port
Configuration > Admin > Management: In the HTTP Port field, type 5555⁷ and then click Apply.

3. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
    Zone Name: V1-Trust
    IP Address/Netmask: 0.0.0.0/0
Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
    Zone Name: V1-Untrust
    IP Address/Netmask: 0.0.0.0/0

4. V1-Trust Zone
Network > Zones > Edit (for v1-trust): Select the following, and then click OK:
    Management Services: WebUI, Telnet
    Other Services: Ping

7. The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging on to manage the device later, enter the following in the URL field of your Web browser: http://1.1.1.1:5555.

5. Addresses
Objects > Addresses > List > New: Enter the following and then click OK:
    Address Name: FTP_Server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.5/32
    Zone: V1-Trust
Objects > Addresses > List > New: Enter the following and then click OK:
    Address Name: Mail_Server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.1.1.10/32
    Zone: V1-Trust

6. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:
    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: vlan1(trust-vr)
    Gateway IP Address: 1.1.1.250
    Metric: 1

7. Policies
Policies > (From: V1-Trust, To: V1-Untrust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Any
    Service: Any
    Action: Permit
Policies > (From: V1-Untrust, To: V1-Trust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Mail_Server
    Service: Mail
    Action: Permit
Policies > (From: V1-Untrust, To: V1-Trust) New: Enter the following and then click OK:
    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), FTP_Server
    Service: FTP-GET
    Action: Permit

CLI

1. VLAN1
set interface vlan1 ip 1.1.1.1/24
set interface vlan1 manage web
set interface vlan1 manage telnet
set interface vlan1 manage ping

2. Telnet⁸
set admin telnet port 4646

3. Interfaces
set interface ethernet1 ip 0.0.0.0/0
set interface ethernet1 zone v1-trust
set interface ethernet3 ip 0.0.0.0/0
set interface ethernet3 zone v1-untrust

4. V1-Trust Zone
set zone v1-trust manage web
set zone v1-trust manage telnet
set zone v1-trust manage ping

5. Addresses
set address v1-trust FTP_Server 1.1.1.5/32
set address v1-trust Mail_Server 1.1.1.10/32

6. Route
set vrouter trust-vr route 0.0.0.0/0 interface vlan1 gateway 1.1.1.250 metric 1

7. Policies
set policy from v1-trust to v1-untrust any any any permit
set policy from v1-untrust to v1-trust any Mail_Server mail permit
set policy from v1-untrust to v1-trust any FTP_Server ftp-get permit
save

8. The default port number for Telnet is 23. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration. When logging on to manage the device later via Telnet, enter the following address: 1.1.1.1 4646.

NAT MODE

When an ingress interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a Layer 3 switch (or router), translates two components in the header of an outgoing IP packet destined for the Untrust zone: its source IP address and source port number. The NetScreen device replaces the source IP address of the originating host with the IP address of the Untrust zone interface. Also, it replaces the source port number with another random port number generated by the NetScreen device.

When the reply packet arrives at the NetScreen device, the device translates two components in the IP header of the incoming packet: the destination address and port number, which are translated back to the original numbers. The NetScreen device then forwards the packet to its destination.

[Figure: Hosts 10.1.1.5, 10.1.1.10, 10.1.1.15, 10.1.1.20, and 10.1.1.25 in the Trust zone (private address space) reach the Trust zone interface 10.1.1.1/24. The Untrust zone interface 1.1.1.1/24 connects to the external router 1.1.1.250 (public address space) and the Internet.]

NAT adds a level of security not provided in Transparent mode: The addresses of hosts sending traffic through an ingress interface in NAT mode (such as a Trust zone interface) are never exposed to hosts in the egress zone (such as the Untrust zone) unless the two zones are in the same virtual routing domain and the NetScreen device is advertising routes to peers through a dynamic routing protocol (DRP). Even then, the Trust zone addresses are only reachable if you have a policy permitting inbound traffic to them. (If you want to keep the Trust zone addresses hidden while using a DRP, then put the Untrust zone in the untrust-vr and the Trust zone in the trust-vr, and do not export routes for internal addresses in the trust-vr to the untrust-vr.)

If the NetScreen device uses static routing and just one virtual router, the internal addresses remain hidden when traffic is outbound, due to interface-based NAT. The policies you configure control inbound traffic. If you use only mapped IP (MIP) and virtual IP (VIP) addresses as the destinations in your inbound policies, the internal addresses still remain hidden.

Also, NAT preserves the use of public IP addresses. In many environments, resources are not available to provide public IP addresses for all devices on the network. NAT services allow many private IP addresses to have access to Internet resources through one or a few public IP addresses. The following IP address ranges are reserved for private IP networks and must not get routed on the Internet:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
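As an added illustration (example code, not from the guide), the following Python model performs the two translations described for an interface in NAT mode: the source address and port of an outgoing packet are replaced by the Untrust interface address and a device-chosen port, and a reply is translated back only when it matches a recorded session, so the private addresses stay hidden. The Trust hosts 10.1.1.5 and 10.1.1.10 and the Untrust interface 1.1.1.1 come from the figure; the Internet host 203.0.113.10, the port numbers, and the class and function names are constructed for this example, and is_private checks the three reserved ranges listed above.

```python
"""Model of interface-based NAT as described above. Example code added here,
not ScreenOS code. 10.1.1.x and 1.1.1.1 are the figure's addresses; the
Internet host 203.0.113.10 and all port numbers are constructed values."""
import ipaddress
import random

# Ranges the text lists as reserved for private networks (not routed on the Internet).
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(ip):
    """True if ip falls in one of the three reserved private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_RANGES)


class InterfaceNAT:
    """Per-session source NAT onto a single Untrust interface address."""

    def __init__(self, untrust_ip, seed=None):
        self.untrust_ip = untrust_ip
        self.rng = random.Random(seed)      # seed only to make runs reproducible
        # (nat_port, dst_ip, dst_port) -> (original src_ip, original src_port)
        self.sessions = {}
        # (src_ip, src_port, dst_ip, dst_port) -> nat_port, so one flow keeps one port
        self.by_flow = {}

    def _new_port(self):
        """Pick a port the device is not already using for another session."""
        used = {port for port, _, _ in self.sessions}
        while True:
            port = self.rng.randint(1024, 65535)
            if port not in used:
                return port

    def outbound(self, pkt):
        """Translate a packet from the NAT-mode ingress interface toward the Untrust
        zone. pkt is a dict with src_ip, src_port, dst_ip, dst_port."""
        flow = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        nat_port = self.by_flow.get(flow)
        if nat_port is None:
            nat_port = self._new_port()
            self.by_flow[flow] = nat_port
            self.sessions[(nat_port, pkt["dst_ip"], pkt["dst_port"])] = (
                pkt["src_ip"], pkt["src_port"])
        # Source IP becomes the Untrust interface address, source port the chosen one.
        return {**pkt, "src_ip": self.untrust_ip, "src_port": nat_port}

    def inbound(self, pkt):
        """Translate a reply back to the originating host. Returns None when no
        session matches: the translation itself never reveals an internal host, and
        whether any other inbound traffic is allowed is decided by policy, not by NAT."""
        if pkt["dst_ip"] != self.untrust_ip:
            return None
        orig = self.sessions.get((pkt["dst_port"], pkt["src_ip"], pkt["src_port"]))
        if orig is None:
            return None
        return {**pkt, "dst_ip": orig[0], "dst_port": orig[1]}


def nat_example():
    """Two Trust-zone hosts reach the same Internet host through one public address."""
    nat = InterfaceNAT("1.1.1.1", seed=7)
    out_a = nat.outbound({"src_ip": "10.1.1.5", "src_port": 40000,
                          "dst_ip": "203.0.113.10", "dst_port": 80})
    out_b = nat.outbound({"src_ip": "10.1.1.10", "src_port": 40000,
                          "dst_ip": "203.0.113.10", "dst_port": 80})
    # The server replies to what it saw: 1.1.1.1 and the device-chosen port.
    reply_a = nat.inbound({"src_ip": "203.0.113.10", "src_port": 80,
                           "dst_ip": "1.1.1.1", "dst_port": out_a["src_port"]})
    # An unsolicited packet to the Untrust address matches no session (port 443 can
    # never be a NAT port here, since those are chosen from 1024 upward).
    stray = nat.inbound({"src_ip": "203.0.113.10", "src_port": 80,
                         "dst_ip": "1.1.1.1", "dst_port": 443})
    return out_a, out_b, reply_a, stray
```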

Inbound and Outbound NAT Traffic

A host in a zone sending traffic through an interface in NAT mode can initiate traffic to the Untrust zone—assuming that a policy permits it. In releases prior to ScreenOS 5.0.0, a host behind an interface in NAT mode was unable to receive traffic from the Untrust zone unless a Mapped IP (MIP), Virtual IP (VIP), or VPN tunnel was set up for it⁹. However, in ScreenOS 5.0.0, traffic to a zone with a NAT-enabled interface from any zone—including the Untrust zone—does not need to use a MIP, VIP, or VPN. If you want to preserve the privacy of addresses or if you are using private addresses that do not occur on a public network such as the Internet, you can still define a MIP, VIP, or VPN for traffic to reach them. However, if issues of privacy and private IP addresses are not a concern, traffic from the Untrust zone can reach hosts behind an interface in NAT mode directly, without the use of a MIP, VIP, or VPN.

9. You can define a virtual IP (VIP) address only on an interface bound to the Untrust zone.

Note: For more information about MIPs, see “Mapped IP Addresses” on page 7 -90. For more about VIPs, see “Virtual IP Addresses” on page 7 -115.

[Figure: The Untrust zone interface ethernet3 (1.1.1.1/24, Route mode) holds MIP 1.1.1.10 → 10.1.1.10 and MIP 1.1.1.20 → 10.1.2.20. The Trust zone interface ethernet1 (10.1.1.1/24) and the User-Defined zone interface ethernet2 (10.1.2.1/24) are both in NAT mode. Arrows 1 through 6, labeled NAT, NAT, No NAT, and MIPs are optional, are explained below.]

1. Interface-based NAT on traffic from the Trust zone to the Untrust zone.

2. Interface-based NAT on traffic from the User-Defined zone to the Untrust zone. (Note: This is possible only if the User-Defined and Untrust zones are in different virtual routing domains.)

3. No interface-based NAT on traffic between the Trust and User-Defined zones.

4 and 5. You can use MIPs, VIPs, or VPNs for traffic from the Untrust zone to reach the Trust zone or the User-Defined zone, but they are not required.

6. MIPs and VPNs are also not required for traffic between the Trust and User-Defined zones.

Interface Settings

For NAT mode, define the following interface settings, where ip_addr1 and ip_addr2 represent numbers in an IP address, mask represents the numbers in a netmask, vlan_id_num represents the number of a VLAN tag, zone represents the name of a zone, and number represents the bandwidth size in kbps:

Zone: Trust, DMZ, and user-defined zones using NAT
    Interface settings: IP: ip_addr1; Netmask: mask; Manage IP*: ip_addr2; Traffic Bandwidth†: number; NAT‡: (select)
    Subinterface settings: IP: ip_addr1; Netmask: mask; VLAN Tag: vlan_id_num; Zone Name: zone; NAT‡: (select)

Zone: Untrust**
    Interface settings: IP: ip_addr1; Netmask: mask; Manage IP*: ip_addr2; Traffic Bandwidth†: number
    Subinterface settings: IP: ip_addr1; Netmask: mask; VLAN Tag: vlan_id_num; Zone Name: zone

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an IP address for administrative traffic separate from network traffic. You can also use the manage IP address for accessing a specific device when it is in a high availability configuration.

† Optional setting for traffic shaping.

‡ Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.

** Although you are able to select NAT as the interface mode on an interface bound to the Untrust zone, the NetScreen device does not perform any NAT operations on that interface.

Example: NAT Mode

The following example illustrates a simple configuration for a LAN with a single subnet in the Trust zone. The LAN is protected by a NetScreen device in NAT mode. Policies permit outgoing traffic for all hosts in the Trust zone and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IP address. Both the Trust and Untrust zones are in the trust-vr routing domain.

[Figure: Trust Zone with ethernet1 10.1.1.1/24 in NAT Mode and Mail Server 10.1.1.5 (VIP 1.1.1.5 -> 10.1.1.5); Untrust Zone with ethernet3 1.1.1.1/24 in Route Mode, External Router 1.1.1.250, Internet]

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

    Interface Mode: NAT¹⁰

Note: Compare this example with that for Route mode on page 132.

10. By default, any interface that you bind to the Trust zone is in NAT mode. Consequently, this option is already enabled for interfaces bound to the Trust zone.

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask¹¹: 1.1.1.1/24
    Interface Mode: Route

2. VIP¹²

Network > Interfaces > Edit (for ethernet3) > VIP: Enter the following, and then click Add:

    Virtual IP Address: 1.1.1.5

Network > Interfaces > Edit (for ethernet3) > VIP > New VIP Service: Enter the following, and then click OK:

    Virtual Port: 25
    Map to Service: Mail
    Map to IP: 10.1.1.5

3. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: ethernet3
    Gateway IP Address: 1.1.1.250

11. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select Obtain IP using DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select Obtain IP using PPPoE, click the Create new PPPoE settings link, and enter the name and password.

12. For information about virtual IP (VIP) addresses, see “Virtual IP Addresses” on page 7-115.

4. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Any
    Service: ANY
    Action: Permit

Policies > (From: Untrust, To: Global) New: Enter the following, and then click OK:

    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), VIP(1.1.1.5)
    Service: MAIL
    Action: Permit

CLI

1. Interfaces

    set interface ethernet1 zone trust
    set interface ethernet1 ip 10.1.1.1/24
    set interface ethernet1 nat¹³
    set interface ethernet3 zone untrust¹⁴
    set interface ethernet3 ip 1.1.1.1/24
    set interface ethernet3 route

2. VIP

    set interface ethernet3 vip 1.1.1.5 25 mail 10.1.1.5

3. Route

    set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

4. Policies

    set policy from trust to untrust any any any permit
    set policy from untrust to global any vip(1.1.1.5) mail permit
    save

13. The set interface ethernetn nat command determines that the NetScreen device operates in NAT mode.

14. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, use the following command: set interface untrust dhcp. If the ISP uses Point-to-Point Protocol over Ethernet, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLI Reference Guide.

ROUTE MODE

When an interface is in Route mode, the NetScreen device routes traffic between different zones without performing source NAT (NAT-src); that is, the source address and port number in the IP packet header remain unchanged as it traverses the NetScreen device. Unlike NAT-src, you do not need to establish mapped IP (MIP) and virtual IP (VIP) addresses to allow inbound traffic to reach hosts when the destination zone interface is in Route mode. Unlike Transparent mode, the interfaces in each zone are on different subnets.

You do not have to apply source network address translation (“NAT-src”) at the interface level so that all source addresses initiating outgoing traffic get translated to the IP address of the destination zone interface. Instead, you can perform NAT-src selectively at the policy level. You can determine which traffic to route and on which traffic to perform NAT-src by creating policies that enable NAT-src for specified source addresses on either incoming or outgoing traffic. For network traffic, NAT can use the IP address of the destination zone interface or addresses from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPN traffic, NAT can use a tunnel interface IP address or an address from its associated DIP pool.

[Figure: Trust Zone hosts 1.2.2.5, 1.2.2.10, 1.2.2.15, 1.2.2.20, 1.2.2.25 (Public Address Space) behind the Trust Zone Interface 1.2.2.1/24; Untrust Zone Interface 1.1.1.1/24, External Router 1.1.1.250, Internet (Public Address Space)]

Note: For more information about configuring policy-based NAT-src, see “Source Network Address Translation” on page 7-15.

Interface Settings

For Route mode, define the following interface settings, where ip_addr1 and ip_addr2 represent numbers in an IP address, mask represents the numbers in a netmask, vlan_id_num represents the number of a VLAN tag, zone represents the name of a zone, and number represents the bandwidth size in kbps:

Zone: Trust, Untrust, DMZ, and user-defined zones

    Interface Settings:
        IP: ip_addr1
        Netmask: mask
        Manage IP*: ip_addr2
        Traffic Bandwidth†: number
        Route‡: (select)

    Subinterface Settings:
        IP: ip_addr1
        Netmask: mask
        VLAN Tag: vlan_id_num
        Zone Name: zone
        Route‡: (select)

* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an IP address for administrative traffic separate from network traffic. You can also use the manage IP address for accessing a specific device when it is in a high availability configuration.

† Optional setting for traffic shaping.

‡ Selecting Route defines the interface mode as Route. Selecting NAT defines the interface mode as NAT.

Example: Route Mode

In the previous example, “Example: NAT Mode” on page 126, the hosts in the Trust zone LAN have private IP addresses and a Mapped IP for the mail server. In the following example of the same network protected by a NetScreen device operating in Route mode, note that the hosts have public IP addresses and that a MIP is unnecessary for the mail server. Both security zones are in the trust-vr routing domain.

[Figure: Trust Zone with ethernet1 1.2.2.1/24 in Route Mode and Mail Server 1.2.2.5; Untrust Zone with ethernet3 1.1.1.1/24 in Route Mode, External Router 1.1.1.250, Internet]

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

    Zone Name: Trust
    Static IP: (select this option when present)
    IP Address/Netmask: 1.2.2.1/24

Enter the following, and then click OK:

    Interface Mode: Route¹⁵

15. Selecting Route determines that the NetScreen device operates in Route mode, without performing NAT on traffic entering or exiting the Trust zone.

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

    Zone Name: Untrust
    Static IP: (select this option when present)
    IP Address/Netmask¹⁶: 1.1.1.1/24

2. Address

Objects > Addresses > List > New: Enter the following and then click OK:

    Address Name: Mail Server
    IP Address/Domain Name:
        IP/Netmask: (select), 1.2.2.5/32
    Zone: Trust

3. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

    Network Address/Netmask: 0.0.0.0/0
    Gateway: (select)
    Interface: ethernet3
    Gateway IP Address: 1.1.1.250

16. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and select Obtain IP using DHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select Obtain IP using PPPoE, click the Create new PPPoE settings link, and enter the name and password.

4. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Any
    Service: ANY
    Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

    Source Address:
        Address Book Entry: (select), Any
    Destination Address:
        Address Book Entry: (select), Mail Server
    Service: MAIL
    Action: Permit

CLI

1. Interfaces

    set interface ethernet1 zone trust
    set interface ethernet1 ip 1.2.2.1/24
    set interface ethernet1 route¹⁷
    set interface ethernet3 zone untrust
    set interface ethernet3 ip 1.1.1.1/24
    set interface ethernet3 route

2. Address

    set address trust mail_server 1.2.2.5/32

3. Route

    set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

4. Policies

    set policy from trust to untrust any any any permit
    set policy from untrust to trust any mail_server mail permit
    save

17. The set interface ethernetnumber route command determines that the NetScreen device operates in Route mode.
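The two examples above differ only in the mode of the Trust interface, and the effect is easiest to see on a single packet. The following Python model is an added example, not ScreenOS code, that applies the rules this chapter states: interface-based NAT-src rewrites the source to the Untrust interface IP only when the ingress interface is in NAT mode and the packet leaves through the Untrust zone (callouts 1 and 3 of the NAT-mode figure, plus the ** note that an Untrust interface set to NAT mode translates nothing), and a VIP rewrites the destination before the route lookup. The interfaces, VIP and default route are taken from the two examples; the remote host 203.0.113.10 and the Trust host 10.1.1.20 are constructed sample addresses, and Interface, Device and forward() are this example's own names. Port translation and policy evaluation are deliberately left out.

```python
"""Added example (not ScreenOS code): how interface mode and a VIP change a packet."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    address: str   # as configured with "set interface <name> ip", e.g. "10.1.1.1/24"
    mode: str      # "nat" or "route", as set with "set interface <name> nat|route"

    @property
    def network(self):
        return ipaddress.ip_interface(self.address).network

    @property
    def ip(self):
        return str(ipaddress.ip_interface(self.address).ip)


@dataclass
class Device:
    interfaces: list
    default_route_if: str                     # interface named in the 0.0.0.0/0 route
    vips: dict = field(default_factory=dict)  # (vip_ip, dst_port) -> mapped host ip

    def _by_name(self, name):
        return next(i for i in self.interfaces if i.name == name)

    def _connected(self, ip):
        """The interface whose subnet contains ip, or None if no subnet does."""
        addr = ipaddress.ip_address(ip)
        return next((i for i in self.interfaces if addr in i.network), None)

    def forward(self, src_ip, dst_ip, dst_port):
        """Return (ingress, egress, source as sent, destination as sent)."""
        # Ingress: a directly connected subnet, otherwise the default-route interface.
        ingress = self._connected(src_ip) or self._by_name(self.default_route_if)
        # VIP: the destination is rewritten before routing, so the real host picks egress.
        dst_ip = self.vips.get((dst_ip, dst_port), dst_ip)
        egress = self._connected(dst_ip) or self._by_name(self.default_route_if)
        # Interface-based NAT-src applies only to a NAT-mode ingress interface whose
        # traffic leaves through the Untrust zone; an Untrust interface set to NAT
        # mode performs no translation (the ** note under Interface Settings).
        if ingress.mode == "nat" and ingress.zone != "untrust" and egress.zone == "untrust":
            src_ip = egress.ip
        return ingress.name, egress.name, src_ip, dst_ip


def nat_mode_device():
    """The device from "Example: NAT Mode": ethernet1 in NAT mode plus a VIP."""
    return Device(
        interfaces=[Interface("ethernet1", "trust", "10.1.1.1/24", "nat"),
                    Interface("ethernet3", "untrust", "1.1.1.1/24", "route")],
        default_route_if="ethernet3",
        vips={("1.1.1.5", 25): "10.1.1.5"},
    )


def route_mode_device():
    """The device from "Example: Route Mode": both interfaces in Route mode, no VIP."""
    return Device(
        interfaces=[Interface("ethernet1", "trust", "1.2.2.1/24", "route"),
                    Interface("ethernet3", "untrust", "1.1.1.1/24", "route")],
        default_route_if="ethernet3",
    )


if __name__ == "__main__":
    # 203.0.113.10 (remote host) and 10.1.1.20 (Trust host) are constructed addresses.
    print(nat_mode_device().forward("10.1.1.20", "203.0.113.10", 80))
    print(nat_mode_device().forward("203.0.113.10", "1.1.1.5", 25))
    print(route_mode_device().forward("1.2.2.10", "203.0.113.10", 80))
    print(route_mode_device().forward("203.0.113.10", "1.2.2.5", 25))
```

In the NAT-mode device an outbound packet leaves with source 1.1.1.1 and an inbound packet to 1.1.1.5:25 is delivered to 10.1.1.5; in the Route-mode device both directions pass with their addresses untouched, which is why the second example needs neither a VIP nor a MIP but does expose the real host addresses to the Untrust side.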

Chapter 5

Building Blocks for Policies

This chapter discusses the components, or building blocks, that you can reference in policies. The specific topics discussed are:

• “Addresses” on page 139

– “Address Entries” on page 140

– “Address Groups” on page 142

• “Services” on page 147

– “Predefined Services” on page 147

– “Custom Services” on page 149

– “Service Timeouts” on page 152

– “ICMP Services” on page 154

– “RSH ALG” on page 156

– “Sun Remote Procedure Call Application Layer Gateway” on page 156

– “Microsoft Remote Procedure Call Application Layer Gateway” on page 159

– “Real Time Streaming Protocol Application Layer Gateway” on page 165

– “H.323 Protocol for Voice-over-IP” on page 177

– “Session Initiation Protocol (SIP)” on page 196

– “SIP with Network Address Translation” on page 209

– “Bandwidth Management for VoIP Services” on page 264

– “Service Groups” on page 266

• “DIP Pools” on page 270

– “Sticky DIP Addresses” on page 273

– “Extended Interface and DIP” on page 274

– “Loopback Interface and DIP” on page 282

– “DIP Groups” on page 288

• “Schedules” on page 292

Note: For information about user authentication, see Volume 8, “User Authentication”.

ADDRESSES

The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Each zone possesses its own list of addresses and address groups.

Individual hosts have only a single IP address defined and therefore must have a netmask setting of 255.255.255.255 (which masks out all but this host).

Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0).

Before you can configure policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in NetScreen address lists, which are organized by zones.

Note: You do not have to make address entries for “Any”. This term automatically applies to all devices physically located within their respective zones.

Address Entries

Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define the IP addresses in one or more address lists. The address list for a security zone contains addresses or domain names¹ of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.

Example: Adding Addresses

In this example, you add the subnet “Sunnyvale_Eng” with the IP address 10.1.10.0/24 as an address in the Trust zone, and the address www.juniper.net as an address in the Untrust zone.

WebUI

Objects > Addresses > List > New: Enter the following information, and then click OK:

    Address Name: Sunnyvale_Eng
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.10.0/24
    Zone: Trust

Objects > Addresses > List > New: Enter the following information, and then click OK:

    Address Name: Juniper
    IP Address/Domain Name:
        Domain Name: (select), www.juniper.net
    Zone: Untrust

Note: For information regarding ScreenOS naming conventions—which apply to the names you create for addresses—see “Naming Conventions and Character Types” on page xii.

1. Before you can use domain names for address entries, you must configure the NetScreen device for Domain Name System (DNS) services. For information on DNS configuration, see “Domain Name System Support” on page 365.

CLI

    set address trust Sunnyvale_Eng 10.1.10.0/24
    set address untrust Juniper www.juniper.net
    save

Example: Modifying Addresses

In this example, you change the address entry for the address “Sunnyvale_Eng” to reflect that this department is specifically for software engineering and has a different IP address—10.1.40.0/24.

WebUI

Objects > Addresses > List > Edit (for Sunnyvale_Eng): Change the name and IP address to the following, and then click OK:

    Address Name: Sunnyvale_SW_Eng
    IP Address/Domain Name:
        IP/Netmask: (select), 10.1.40.0/24
    Zone: Trust

CLI

    unset address trust Sunnyvale_Eng
    set address trust Sunnyvale_SW_Eng 10.1.40.0/24
    save

Note: After you define an address—or an address group—and associate it with a policy, you cannot change the address location to another zone (such as from Trust to Untrust). To change its location, you must first disassociate it from the underlying policy.

Example: Deleting Addresses

In this example, you remove the address entry for the address “Sunnyvale_SW_Eng”.

WebUI

Objects > Addresses > List: Click Remove in the Configure column for Sunnyvale_SW_Eng.

CLI

    unset address trust “Sunnyvale_SW_Eng”
    save

Address Groups

The previous section explained how you create, modify, and delete address book entries for individual hosts and subnets. As you add addresses to an address list, it becomes difficult to manage how policies affect each address entry. NetScreen allows you to create groups of addresses. Rather than manage a large number of address entries, you can manage a small number of groups. Changes you make to the group are applied to each address entry in the group.

[Figure: one policy per address compared with one policy per address group]

The address group option has the following features:

• You can create address groups in any zone.

• You can create address groups with existing users, or you can create empty address groups and later fill them with users.

• An address group can be a member of another address group².

• You can reference an address group entry in a policy like an individual address book entry.

• NetScreen applies policies to each member of the group by internally creating individual policies for each group member. While you only have to create one policy for a group, NetScreen actually creates an internal policy for each member in the group (as well as for each service configured for each user)³.

• When you delete an individual address book entry from the address book, the NetScreen device automatically removes it from all groups to which it belonged.

The following constraints apply to address groups:

• Address groups can only contain addresses that belong to the same zone.

• Address names cannot be the same as group names. If the name “Paris” is used for an individual address entry, it cannot be used for a group name.

• If an address group is referenced in a policy, the group cannot be removed. It can, however, be edited.

• When a single policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available policy resources, especially if both the source and destination addresses are address groups and the specified service is a service group.

• You cannot add the predefined addresses “Any”, “All Virtual IPs,” and “Dial-Up VPN” to groups.

2. To ensure that a group does not accidentally contain itself as a member, the NetScreen device performs a sanity check when you add one group to another. For example, if you add group A as a member to group B, the NetScreen device automatically checks that A does not already contain B as its member.

3. The automatic nature by which the NetScreen device applies policies to each address group member saves you from having to create them one by one for each address. Furthermore, NetScreen writes these policies to ASIC, which makes lookups run very fast.
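The features and constraints listed above, together with the host and subnet rules under “Addresses” and “Address Entries”, can be checked mechanically before a configuration is pushed. The following Python class is an added example, not ScreenOS code: it enforces /32 for single-host entries, zone-scoped address lists, names that are unique across addresses and groups, same-zone membership, the exclusion of the predefined addresses, the nested-group sanity check of note 2, removal of a deleted address from every group, and the refusal to delete a group that a policy references. AddressBook, add_member, members and rejected are this example's own names; the addresses given to Santa Clara Eng, Tech Pubs and Support are constructed values, since the page names these entries without their addresses.

```python
"""Added example (not ScreenOS code): a model of the address-book rules on this page."""
import ipaddress

PREDEFINED = {"Any", "All Virtual IPs", "Dial-Up VPN"}   # never valid as group members


class AddressBook:
    def __init__(self):
        self.addresses = {}       # zone -> {name: "ip/prefix" or domain name}
        self.groups = {}          # zone -> {group name: set of member names}
        self.policy_refs = set()  # (zone, name) pairs currently used by a policy

    def set_address(self, zone, name, value):
        """'set address <zone> <name> <ip/mask|domain>'. A single host must be a /32."""
        if name in self.groups.get(zone, {}):
            raise ValueError(f"{name!r} is already a group name in zone {zone}")
        if "/" in value:
            try:
                value = str(ipaddress.ip_network(value))   # strict: host bits must be 0
            except ValueError as err:
                raise ValueError(f"{value}: a host entry needs /32 (255.255.255.255)") from err
        else:
            try:
                value = str(ipaddress.ip_network(value))   # a bare IP becomes a /32 host
            except ValueError:
                pass                                       # domain name, resolved by DNS (note 1)
        self.addresses.setdefault(zone, {})[name] = value

    def unset_address(self, zone, name):
        """Deleting an address also drops it from every group it belonged to."""
        del self.addresses[zone][name]
        for members in self.groups.get(zone, {}).values():
            members.discard(name)

    def set_group(self, zone, group):
        if group in self.addresses.get(zone, {}):
            raise ValueError(f"{group!r} is already an address name in zone {zone}")
        self.groups.setdefault(zone, {}).setdefault(group, set())

    def add_member(self, zone, group, member):
        """'set group address <zone> <group> add <member>' with the page's constraints."""
        self.set_group(zone, group)
        if member in PREDEFINED:
            raise ValueError(f"predefined address {member!r} cannot be a group member")
        if member in self.groups[zone]:
            # Nested group: the sanity check from note 2 (no group may contain itself).
            if member == group or group in self._nested_groups(zone, member):
                raise ValueError(f"adding {member!r} to {group!r} would create a cycle")
        elif member not in self.addresses.get(zone, {}):
            raise ValueError(f"{member!r} is not an address in zone {zone}")  # same-zone rule
        self.groups[zone][group].add(member)

    def remove_member(self, zone, group, member):
        self.groups[zone][group].discard(member)   # an emptied group is kept (see the note)

    def unset_group(self, zone, group):
        if (zone, group) in self.policy_refs:
            raise ValueError(f"group {group!r} is referenced by a policy; disassociate it first")
        del self.groups[zone][group]

    def _nested_groups(self, zone, group):
        """All groups reachable from group through nested membership."""
        seen, stack = set(), [group]
        while stack:
            for m in self.groups[zone].get(stack.pop(), ()):
                if m in self.groups[zone] and m not in seen:
                    seen.add(m)
                    stack.append(m)
        return seen

    def members(self, zone, group):
        """Flatten a group to the individual addresses a policy expands to (note 3)."""
        out = set()
        for m in self.groups[zone].get(group, ()):
            out |= self.members(zone, m) if m in self.groups[zone] else {m}
        return out


def rejected(book, method, *args):
    """True when an address-book rule rejects the operation (used by the checks below)."""
    try:
        getattr(book, method)(*args)
    except ValueError:
        return True
    return False


def build_example_book():
    """Entries from this page's examples; the Santa Clara Eng, Tech Pubs and Support
    addresses are constructed because the page does not state them."""
    book = AddressBook()
    book.set_address("trust", "Sunnyvale_Eng", "10.1.10.0/24")
    book.set_address("untrust", "Juniper", "www.juniper.net")
    book.set_address("trust", "Santa Clara Eng", "10.1.20.0/24")
    book.set_address("trust", "Tech Pubs", "10.1.30.0/24")
    book.set_address("trust", "Support", "10.1.50.5")
    for member in ("Santa Clara Eng", "Tech Pubs", "Support"):
        book.add_member("trust", "HQ 2nd Floor", member)
    return book
```

The strict network parse is the check most worth keeping: an entry such as 1.2.2.5/24 silently names a whole subnet rather than one mail server, and a policy that permits MAIL to that entry then admits SMTP to every host on the subnet.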

Example: Creating an Address Group

In the following example, you create a group named “HQ 2nd Floor” that includes “Santa Clara Eng” and “Tech Pubs,” two addresses that you have already entered in the address book for the Trust zone.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) New: Enter the following group name, move the following addresses, and then click OK:

    Group Name: HQ 2nd Floor

    Select Santa Clara Eng and use the << button to move the address from the Available Members column to the Group Members column.

    Select Tech Pubs and use the << button to move the address from the Available Members column to the Group Members column.

CLI

    set group address trust “HQ 2nd Floor” add “Santa Clara Eng”
    set group address trust “HQ 2nd Floor” add “Tech Pubs”
    save

Example: Editing an Address Group Entry

In this example, you add “Support” (an address that you have already entered in the address book) to the “HQ 2nd Floor” address group.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) Edit (for HQ 2nd Floor): Move the following address, and then click OK:

    Select Support and use the << button to move the address from the Available Members column to the Group Members column.

CLI

    set group address trust “HQ 2nd Floor” add Support
    save

Example: Removing a Member and a Group

In this example, you remove the member “Support” from the HQ 2nd Floor address group, and delete “Sales”, an address group that you had previously created.

WebUI

Objects > Addresses > Groups > (for Zone: Trust) Edit (HQ 2nd Floor): Move the following address, and then click OK:

    Select Support and use the >> button to move the address from the Group Members column to the Available Members column.

Objects > Addresses > Groups > (Zone: Trust): Click Remove in the Configure column for Sales.

CLI

    unset group address trust “HQ 2nd Floor” remove Support
    unset group address trust Sales
    save

Note: The NetScreen device does not automatically delete a group from which you have removed all names.

SERVICES

Services are types of traffic for which protocol standards exist. Each service has a transport protocol and destination port number(s) associated with it, such as TCP/port 21 for FTP and TCP/port 23 for Telnet. When you create a policy, you must specify a service for it. You can select one of the predefined services from the service book, or a custom service or service group that you created. You can see which service you can use in a policy by viewing the Service drop-down list on the Policy Configuration page (WebUI), or by using the get service command (CLI).

Predefined Services

ScreenOS supports a great number of predefined services. Later in this section, you can find more detailed information on some of these, namely:

• “ICMP Services” on page 154

• “RSH ALG” on page 156

• “Sun Remote Procedure Call Application Layer Gateway” on page 156

• “Microsoft Remote Procedure Call Application Layer Gateway” on page 159

• “Real Time Streaming Protocol Application Layer Gateway” on page 165

• “H.323 Protocol for Voice-over-IP” on page 177

• “Session Initiation Protocol (SIP)” on page 196

You can view the list of predefined or custom services or service groups on the NetScreen device using the WebUI or the CLI.

Using the WebUI:

    Objects > Services > Predefined
    Objects > Services > Custom
    Objects > Services > Group

Using the CLI:

    get service [ group | predefined | user ]

The output from the get service pre-defined CLI command is similar to that shown below:

    Name        Proto  Port       Group         Timeout (Minute)  Flag
    ANY         0      0/65535    other         1                 Pre-defined
    AOL         6      5190/5194  remote        30                Pre-defined
    BGP         6      179        other         30                Pre-defined
    DHCP-Relay  17     67         info seeking  1                 Pre-defined
    DNS         17     53         info seeking  1                 Pre-defined
    FINGER      6      79         info seeking  30                Pre-defined
    FTP         6      21         remote        30                Pre-defined
    FTP-Get     6      21         remote        30                Pre-defined
    FTP-Put     6      21         remote        30                Pre-defined
    GOPHER      6      70         info seeking  30                Pre-defined
    H.323       6      1720       remote        2160              Pre-defined
    --- more ---

Note: Each predefined service has a source port range of 1-65535, which includes the entire set of valid port numbers. This prevents potential attackers from gaining access by using a source port outside of the range. If you need to use a different source port range for any predefined service, create a custom service. For information, see “Custom Services” on page 149.

Custom Services

Instead of using predefined services, you can easily create custom services. You can assign each custom service the following attributes:

• Name

• Transport protocol

• Source and destination port numbers for services using TCP or UDP

• Type and code values for services using ICMP

• Timeout value

If you create a custom service in a virtual system (vsys) that has the same name as a previously defined custom service in the root system, the service in the vsys takes the default timeout for the specified transport protocol (TCP, UDP, or ICMP). To define a custom timeout for a service in a vsys that is different from the default when a custom service with the same name in the root system has its own timeout, create the custom service in the vsys and root system in the following order:

1. First, create the custom service with a custom timeout in the vsys.

2. Then create another custom service with the same name but a different timeout in the root system.

The following examples describe how to add, modify, and remove a custom service.

Example: Adding a Custom Service

To add a custom service to the service book, you need the following information:

• A name for the service, in this example “cust-telnet”

• A range of source port numbers: 1 – 65535

• A range of destination port numbers to receive the service request, for example: 23000 – 23000.

• Whether the service uses TCP or UDP protocol, or some other protocol as defined by the Internet specifications. In this example, the protocol is TCP.

Note: For information regarding ScreenOS naming conventions—which apply to the names you create for custom services—see “Naming Conventions and Character Types” on page xii.

WebUI

Objects > Services > Custom > New: Enter the following, and then click OK:

    Service Name: cust-telnet
    Service Timeout: Custom (select), 30 (type)
    Transport Protocol: TCP (select)
    Source Port Low: 1
    Source Port High: 65535
    Destination Port Low: 23000
    Destination Port High: 23000

CLI

    set service cust-telnet protocol tcp src-port 1-65535 dst-port 23000-23000
    set service cust-telnet timeout 30⁴
    save

4. The timeout value is in minutes. If you do not set it, the timeout value of a custom service is 180 minutes. If you do not want a service to time out, enter never.

Example: Modifying a Custom Service

In this example, you modify the custom service “cust-telnet” by changing the destination port range to 23230-23230.

Use the set service service_name clear command to remove the definition of a custom service without removing the service from the service book:

WebUI

Objects > Services > Custom > Edit (for cust-telnet): Enter the following, and then click OK:

    Destination Port Low: 23230
    Destination Port High: 23230

CLI

    set service cust-telnet clear
    set service cust-telnet + tcp src-port 1-65535 dst-port 23230-23230
    save

Example: Removing a Custom Service

In this example, you remove the custom service “cust-telnet”.

WebUI

Objects > Services > Custom: Click Remove in the Configure column for “cust-telnet”.

CLI

    unset service cust-telnet
    save

Service Timeouts

You can set the timeout threshold (in minutes) for a predefined or custom service. You can use the service default timeout, specify a custom timeout, or use no timeout at all.

A few details about the behavior of service timeouts:

• When a policy references a single custom or predefined service with a custom timeout, the NetScreen device applies that timeout.

• When a policy references a service group, multiple services, or the predefined service ANY, the NetScreen device applies the timeout for the last service configured that matches the protocol (for TCP or UDP) + destination port number. For example, if you define the following two services in the following order,

    set service ftp-1 protocol tcp src 0-65535 dst 2121-2121 timeout 20
    set service telnet-1 protocol tcp src 0-65535 dst 2100-2148 timeout 15

and you then reference ftp-1 together with other services in the same policy, the NetScreen device applies the 15-minute timeout defined for telnet-1 instead of the 20-minute timeout for ftp-1. This happens because the NetScreen device stores timeouts for services using TCP and UDP protocols in tables—one for TCP and another for UDP. When the NetScreen device looks up the timeout for a service referenced in a service group, a policy with multiple services, or the wildcard service ANY, it applies the timeout for the first service it finds in the table, which—if there are multiple services with overlapping destination port numbers—is the latest service configured and entered into the table. In the above example, the NetScreen device applies the 15-minute timeout because the destination port numbers for telnet-1 (2100-2148) overlap those for ftp-1 (2121), and you defined telnet-1 after you defined ftp-1. Therefore, the lookup for a service with destination port 2121 discovers the timeout for telnet-1 first and applies that.

To avoid the unintended application of a different timeout to a service, avoid services with overlapping destination port numbers or apply the service defined earlier in a policy by itself.

• For services using ICMP or any protocol other than TCP or UDP, the NetScreen device applies the custom timeout when a policy references just that service. When a policy references multiple services, the NetScreen device applies the default timeout (one minute) for services using non-TCP or -UDP protocols.

• When a policy in a virtual system (vsys) references a custom service and there is a previously defined service with the same protocol + destination port number in the root system, the NetScreen device applies the timeout for the service defined at the root level to the service at the vsys level.

• You cannot explicitly define a custom timeout for a custom service created at the vsys level. However, you can indirectly apply a custom timeout at the vsys level if you create the custom service in the vsys and then apply the custom timeout you want to a service with the same protocol + port number at the root level. To accomplish this, do the following in the following order:

1. Create a custom service in the vsys.

2. Then in the root system create another custom service with the same protocol and destination port numbers, and with the timeout that you want to apply at the vsys level.

Example: Setting a Service Timeout

In this example, you change the timeout threshold for the BGP predefined service to 75 minutes:

WebUI

Objects > Services > Predefined > Edit (BGP): Enter the following and then click OK:

Service Timeout: Custom (select), 75 (type)

CLI

set service BGP timeout 75
save
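The following Python model is an added example, not ScreenOS code, of the timeout-table behavior described above: each TCP/UDP service writes its timeout into a per-transport table keyed by destination port, so the service configured last owns any overlapping port, while a policy that references a single service applies that service's own timeout. The ftp-1 definition (port 2121, 20 minutes) follows the text; the telnet-1 range 2100-2150 is an assumption, since the page only shows "2100-2...". The shadowed() check is the configuration review an administrator would run before writing a multi-service policy.

```python
# Added example (not ScreenOS code): a model of the NetScreen TCP/UDP timeout
# lookup described above, showing why the last-defined overlapping service wins
# and how a single-service policy sidesteps the problem.
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str        # "tcp" or "udp"
    dst_low: int         # destination port range, inclusive
    dst_high: int
    timeout: int         # minutes


class TimeoutTable:
    """One table per transport, keyed by destination port. Defining a service
    overwrites the entry for every port in its range, so the most recently
    configured service owns any overlapping port."""

    def __init__(self):
        self._by_proto = {"tcp": {}, "udp": {}}
        self.defined = []

    def define(self, svc: Service):
        table = self._by_proto[svc.protocol]
        for port in range(svc.dst_low, svc.dst_high + 1):
            table[port] = svc          # later definition replaces the earlier one
        self.defined.append(svc)

    def lookup(self, protocol: str, dst_port: int):
        svc = self._by_proto[protocol].get(dst_port)
        return (svc.name, svc.timeout) if svc else None

    def shadowed(self):
        """Services that no longer own every port in their own range, with the
        names of the services that took those ports over."""
        out = []
        for svc in self.defined:
            owners = {self._by_proto[svc.protocol][p].name
                      for p in range(svc.dst_low, svc.dst_high + 1)}
            if owners != {svc.name}:
                out.append((svc.name, sorted(owners - {svc.name})))
        return out


def policy_timeout(table: TimeoutTable, services, protocol, dst_port):
    """A policy with exactly one service applies that service's own timeout;
    a group, multi-service or ANY policy goes through the shared table."""
    if len(services) == 1:
        return services[0].name, services[0].timeout
    return table.lookup(protocol, dst_port)


# Constructed services: ftp-1 (port 2121, 20 min) matches the text; the
# telnet-1 range 2100-2150 is an assumption, the page only shows "2100-2...".
FTP_1 = Service("ftp-1", "tcp", 2121, 2121, 20)
TELNET_1 = Service("telnet-1", "tcp", 2100, 2150, 15)


def demo():
    table = TimeoutTable()
    table.define(FTP_1)
    table.define(TELNET_1)           # defined later, covers port 2121 too
    return {
        "group_policy": policy_timeout(table, [FTP_1, TELNET_1], "tcp", 2121),
        "single_policy": policy_timeout(table, [FTP_1], "tcp", 2121),
        "shadowed": table.shadowed(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Reversing the definition order makes ftp-1 own port 2121 again, but then telnet-1 is the shadowed service; only non-overlapping ranges or single-service policies avoid the problem entirely.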

ICMP Services

ScreenOS supports ICMP (Internet Control Message Protocol) as well as several ICMP messages, as predefined or custom services. When configuring a custom ICMP service, you must define a type and code5. There are different message types within ICMP. For example:

type 0 = Echo Request message

type 3 = Destination Unreachable message

An ICMP message type can also have a message code. The code provides more specific information on the message. For example:

Message Type        Message Code
5 = Redirect        0 = Redirect Datagram for the Network (or subnet)
                    1 = Redirect Datagram for the Host
                    2 = Redirect Datagram for the Type of Service and Network
                    3 = Redirect Datagram for the Type of Service and Host
11 = Time Exceeded  0 = Time to Live exceeded in Transit
                    1 = Fragment Reassembly Time Exceeded

ScreenOS supports any type or code within the 0-255 range.

5. For more information on ICMP types and codes, refer to RFC 792, “Internet Control Message Protocol”.

Example: Defining an ICMP Service

In this example, you define a custom service named “host-unreachable” using ICMP as the transport protocol. The type is 3 (for Destination Unreachable) and the code is 1 (for Host Unreachable). You set the timeout value at 2 minutes.

WebUI

Objects > Services > Custom: Enter the following, and then click OK:

Service Name: host-unreachable

Service Timeout: Custom (select), 2 (type)

Transport Protocol: ICMP (select)

ICMP Type: 3

ICMP Code: 1

CLI

set service host-unreachable protocol icmp type 3 code 1
set service host-unreachable timeout 2
save
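As an added example (not ScreenOS code), the following Python block shows the matching a firewall has to do for an ICMP service object like host-unreachable: parse the ICMP header, verify the RFC 792 checksum so a damaged packet cannot match a permissive service, and compare the type/code pair with the custom service definitions. The packets, the SERVICES table and the icmp-redirect service name are constructed for the demo.

```python
# Added example (not ScreenOS code): parse an ICMP header, verify its checksum,
# and match the (type, code) pair against custom ICMP service definitions like
# the host-unreachable service above. Packets and service names are constructed.
import struct


def icmp_checksum(data: bytes) -> int:
    """RFC 792 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp(icmp_type: int, code: int, rest: bytes = b"\x00" * 4,
               payload: bytes = b"") -> bytes:
    """Constructed ICMP message with a correct checksum (test input only)."""
    body = rest + payload
    header = struct.pack("!BBH", icmp_type, code, 0)
    csum = icmp_checksum(header + body)
    return struct.pack("!BBH", icmp_type, code, csum) + body


def parse_icmp(packet: bytes):
    """Return (type, code); reject short or corrupted messages rather than
    letting a damaged packet match a permissive service."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than 8 bytes")
    if icmp_checksum(packet) != 0:          # a valid checksum verifies to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    return icmp_type, code


# Custom services as (type, code) pairs; a code of None means "any code".
SERVICES = {
    "host-unreachable": [(3, 1)],           # the example on this page
    "icmp-redirect": [(5, None)],           # assumed name: type 5, any code
}


def match_service(packet: bytes, services=SERVICES):
    """Name of the first service whose type/code matches, else None
    (no matching service object means no policy can permit the packet)."""
    icmp_type, code = parse_icmp(packet)
    for name, pairs in services.items():
        for svc_type, svc_code in pairs:
            if svc_type == icmp_type and (svc_code is None or svc_code == code):
                return name
    return None


if __name__ == "__main__":
    # Constructed Destination Unreachable / Host Unreachable message
    print(match_service(build_icmp(3, 1, payload=b"\x45\x00" + b"\x00" * 26)))
```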

RSH ALG

RSH ALG (Remote Shell application-layer gateway) allows authenticated users to run shell commands on remote hosts. NetScreen devices support the RSH service in Transparent (L2), Route (L3) and NAT modes; but the devices do not support port translation of RSH traffic.

Sun Remote Procedure Call Application Layer Gateway

Sun RPC—also known as Open Network Computing (ONC) RPC—provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service’s program number and version number. Several binding protocols are defined for mapping the RPC program number and version number to a transport address.

NetScreen devices support Sun RPC as a predefined service, and allow and deny traffic based on a policy you configure. The application layer gateway (ALG) provides the functionality for NetScreen devices to handle the dynamic transport address negotiation mechanism of Sun RPC, and to ensure program number-based firewall policy enforcement. You can define a firewall policy to permit or deny all RPC requests, or to permit or deny by specific program number. The ALG also supports Route and NAT mode for incoming and outgoing requests.

Typical RPC Call Scenarios

When a client calls a remote service, it needs to find the transport address of the service—in the case of TCP/UDP, this is a port number. A typical procedure for this case is as follows:

1. The client sends the GETPORT message to the RPCBIND service on the remote machine. The GETPORT message contains the program number, and version and procedure number of the remote service it wants to call.

2. The RPCBIND service replies with a port number.

3. The client calls the remote service using the port number returned.

4. The remote service replies to the client.

A client also can use the CALLIT message to call the remote service directly, without knowing the port number of the service. In this case, the procedure is as follows:

1. The client sends a CALLIT message to the RPCBIND service on the remote machine. The CALLIT message contains the program number, and the version and procedure number of the remote service it wants to call.

2. RPCBIND calls the service for the client.

3. RPCBIND replies to the client if the call has been successful. The reply contains the call result and the service’s port number.

Sun RPC Services

The following table lists predefined Sun RPC services.

Name                 Program Number   Description
SUN-RPC-PORTMAPPER   100000           Sun RPC Portmapper Protocol, this is TCP/UDP port based service, including TCP/UDP port 111. All the other services in this table are program number based.
SUN-RPC-ANY          N/A              Any Sun RPC service
SUN-RPC-MOUNTD       100005           Sun RPC Mount Daemon
SUN-RPC-NFS          100003, 100227   Sun RPC Network File System
SUN-RPC-NLOCKMGR     100021           Sun RPC Network Lock Manager
SUN-RPC-RQUOTAD      100011           Sun RPC Remote Quota Daemon
SUN-RPC-RSTATD       100001           Sun RPC Remote Status Daemon
SUN-RPC-RUSERD       100002           Sun RPC Remote User Daemon
SUN-RPC-SADMIND      100232           Sun RPC System Administration Daemon
SUN-RPC-SPRAYD       100012           Sun RPC SPRAY Daemon
SUN-RPC-STATUS       100024           Sun RPC STATUS
SUN-RPC-WALLD        100008           Sun RPC WALL Daemon
SUN-RPC-YPBIND       100007           Sun RPC Yellow Page Bind Service

Example: Sun RPC Services

Because Sun RPC services use dynamically negotiated ports, you can not use regular service objects based on fixed TCP/UDP ports to permit them in security policy. Instead, you must create sun-rpc service objects using program numbers. For example, NFS uses two program numbers: 100003 and 100227. The corresponding TCP/UDP ports are dynamic. In order to permit the program numbers, you create a sun-rpc-nfs service object that contains these two numbers. The ALG maps the program numbers into dynamically negotiated TCP/UDP ports, and permits or denies the service based on a policy you configure.

In this example, you create a service object called my-sunrpc-nfs to use the Sun RPC Network File System, which is identified by two Program IDs: 100003 and 100227.

WebUI

Objects > Services > Sun RPC Services > New: Enter the following, and then click Apply:

Service Name: my-sunrpc-nfs

Service Timeout: (select)

Program ID Low: 100003

Program ID High: 100003

Program ID Low: 100227

Program ID High: 100227

CLI

set service my-sunrpc-nfs protocol sun-rpc program 100003-100003
set service my-sunrpc-nfs + sun-rpc program 100227-100227
save
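The GETPORT exchange described under “Typical RPC Call Scenarios” is what the Sun RPC ALG has to follow in order to enforce a program-number policy such as my-sunrpc-nfs. The Python block below is an added example, not ScreenOS code: it decodes ONC RPC (RFC 5531) GETPORT calls to the portmapper, correlates the portmapper's reply by xid, and records a pinhole for the negotiated port only when the requested program number falls inside a permitted range. The call and reply messages are constructed by the two build_* helpers; the port numbers 2049 and 32771 are sample values.

```python
# Added example (not ScreenOS code): a minimal model of what the Sun RPC ALG
# has to do. It decodes ONC RPC (RFC 5531) GETPORT calls to the portmapper,
# correlates the reply by xid, and opens a pinhole for the negotiated port only
# when the requested program number is permitted by the policy.
import struct

CALL, REPLY = 0, 1
MSG_ACCEPTED, SUCCESS = 0, 0
PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _u32s(*values) -> bytes:
    return struct.pack("!%dI" % len(values), *values)


def build_getport_call(xid, prog, vers, prot) -> bytes:
    """Constructed client call: portmapper v2, GETPORT, AUTH_NONE cred/verf."""
    return _u32s(xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT,
                 0, 0,                  # credential: flavor AUTH_NONE, length 0
                 0, 0,                  # verifier:   flavor AUTH_NONE, length 0
                 prog, vers, prot, 0)   # GETPORT args; the port arg is ignored


def build_getport_reply(xid, port) -> bytes:
    """Constructed portmapper reply: MSG_ACCEPTED, AUTH_NONE verf, SUCCESS."""
    return _u32s(xid, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, port)


class SunRpcAlg:
    def __init__(self, permitted):
        self.permitted = permitted   # list of (low, high) program-number ranges
        self.pending = {}            # xid -> (program, transport protocol)
        self.pinholes = []           # (transport protocol, port) opened so far

    def program_permitted(self, prog):
        return any(lo <= prog <= hi for lo, hi in self.permitted)

    def on_call(self, data: bytes) -> str:
        xid, mtype, rpcvers, prog, vers, proc = struct.unpack("!6I", data[:24])
        if mtype != CALL or rpcvers != 2:
            return "ignored"
        off = 24
        for _ in range(2):          # skip credential and verifier (opaque_auth)
            _flavor, length = struct.unpack("!II", data[off:off + 8])
            off += 8 + ((length + 3) & ~3)   # XDR pads opaque data to 4 bytes
        if prog == PMAP_PROG and vers == PMAP_VERS and proc == PMAPPROC_GETPORT:
            want_prog, _vers, want_prot, _port = struct.unpack("!4I", data[off:off + 16])
            self.pending[xid] = (want_prog, want_prot)
            return "getport"
        return "other"

    def on_reply(self, data: bytes) -> str:
        xid, mtype, reply_stat, _vflavor, vlen = struct.unpack("!5I", data[:20])
        if mtype != REPLY or xid not in self.pending:
            return "ignored"
        prog, prot = self.pending.pop(xid)
        if reply_stat != MSG_ACCEPTED:
            return "failed"
        off = 20 + ((vlen + 3) & ~3)        # skip the verifier body, if any
        accept_stat, port = struct.unpack("!II", data[off:off + 8])
        if accept_stat != SUCCESS or port == 0:
            return "unregistered"           # program not registered: nothing to open
        if not self.program_permitted(prog):
            return "deny"                   # no pinhole: the data connection is dropped
        self.pinholes.append((prot, port))
        return "permit"


def demo():
    alg = SunRpcAlg([(100003, 100003), (100227, 100227)])   # my-sunrpc-nfs
    results = []
    alg.on_call(build_getport_call(1, 100003, 3, IPPROTO_TCP))  # NFS v3 over TCP
    results.append(alg.on_reply(build_getport_reply(1, 2049)))
    alg.on_call(build_getport_call(2, 100005, 3, IPPROTO_UDP))  # mountd, not in policy
    results.append(alg.on_reply(build_getport_reply(2, 32771)))
    return results, alg.pinholes


if __name__ == "__main__":
    print(demo())
```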

Microsoft Remote Procedure Call Application Layer Gateway

MS RPC is the Microsoft implementation of the Distributed Computing Environment (DCE) RPC. Like the Sun RPC (see “Sun Remote Procedure Call Application Layer Gateway” on page 156), MS RPC provides a way for a program running on one host to call procedures in a program running on another host. Because of the large number of RPC services and the need to broadcast, the transport address of an RPC service is dynamically negotiated based on the service program’s Universal Unique IDentifier (UUID). The Endpoint Mapper binding protocol is defined in ScreenOS to map the specific UUID to a transport address.

NetScreen devices support MS RPC as a predefined service, and allow and deny traffic based on a policy you configure. The ALG provides the functionality for NetScreen devices to handle the dynamic transport address negotiation mechanism of MS RPC, and to ensure UUID-based firewall policy enforcement. You can define a firewall policy to permit or deny all RPC requests, or to permit or deny by specific UUID number. The ALG also supports Route and NAT mode for incoming and outgoing requests.

MS RPC Services

The following table lists predefined MS RPC services:

Name                     UUID                                    Description
MS-RPC-EPM               e1af8308-5d1f-11c9-91a4-08002b14a0fa    Microsoft Remote Procedure Call (RPC) Endpoint Mapper (EPM) Protocol, a TCP/UDP port based service, including TCP/UDP port 135. All the other services in this table are UUID based.
MS-RPC-ANY               N/A                                     Any Microsoft Remote Procedure Call (RPC) Services
MS-AD-BR                 ecec0d70-a603-11d0-96b1-00a0c91ece30    Microsoft Active Directory Backup and Restore Services
                         16e0cf3a-a604-11d0-96b1-00a0c91ece30
MS-AD-DRSUAPI            e3514235-4b06-11d1-ab04-00c04fc2dcd2    Microsoft Active Directory Replication Service
MS-AD-DSROLE             1cbcad78-df0b-4934-b558-87839ea501c9    Microsoft Active Directory DSROLE Service
MS-AD-DSSETUP            3919286a-b10c-11d0-9ba8-00c04fd92ef5    Microsoft Active Directory Setup Service
MS-DTC                   906b0ce0-c70b-1067-b317-00dd010662da    Microsoft Distributed Transaction Coordinator Service
MS-EXCHANGE-DATABASE     1a190310-bb9c-11cd-90f8-00aa00466520    Microsoft Exchange Database Service
MS-EXCHANGE-DIRECTORY    f5cc5a18-4264-101a-8c59-08002b2f8426    Microsoft Exchange Directory Service
                         f5cc5a7c-4264-101a-8c59-08002b2f8426
                         f5cc59b4-4264-101a-8c59-08002b2f8426
MS-EXCHANGE-INFO-STORE   0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde    Microsoft Exchange Information Store Service
                         1453c42c-0fa6-11d2-a910-00c04f990f3b
                         10f24e8e-0fa6-11d2-a910-00c04f990f3b
                         1544f5e0-613c-11d1-93df-00c04fd7bd09
MS-EXCHANGE-MTA          9e8ee830-4459-11ce-979b-00aa005ffebe    Microsoft Exchange MTA Service
                         38a94e72-a9bc-11d2-8faf-00c04fa378ff
MS-EXCHANGE-STORE        99e66040-b032-11d0-97a4-00c04fd6551d    Microsoft Exchange Store Service
                         89742ace-a9ed-11cf-9c0c-08002be7ae86
                         a4f1db00-ca47-1067-b31e-00dd010662da
                         a4f1db00-ca47-1067-b31f-00dd010662da
MS-EXCHANGE-SYSATD       67df7c70-0f04-11ce-b13f-00aa003bac6c    Microsoft Exchange System Attendant Service
                         f930c514-1215-11d3-99a5-00a0c9b61b04
                         83d72bf0-0d89-11ce-b13f-00aa003bac6c
                         469d6ec0-0d87-11ce-b13f-00aa003bac6c
                         06ed1d30-d3d3-11cd-b80e-00aa004b9c30
MS-FRS                   f5cc59b4-4264-101a-8c59-08002b2f8426    Microsoft File Replication Service
                         d049b186-814f-11d1-9a3c-00c04fc9b232
                         a00c021c-2be2-11d2-b678-0000f87a8f8e
MS-IIS-COM               70b51430-b6ca-11d0-b9b9-00a0c922e750    Microsoft Internet Information Server COM GUID/UUID Service
                         a9e69612-b80d-11d0-b9b9-00a0c922e70
MS-IIS-IMAP4             2465e9e0-a873-11d0-930b-00a0c90ab17c    Microsoft Internet Information Server IMAP4 Service
MS-IIS-INETINFO          82ad4280-036b-11cf-972c-00aa006887b0    Microsoft Internet Information Server INETINFO Service
MS-IIS-NNTP              4f82f460-0e21-11cf-909e-00805f48a135    Microsoft Internet Information Server NNTP Service
MS-IIS-POP3              1be617c0-31a5-11cf-a7d8-00805f48a135    Microsoft Internet Information Server POP3 Service
MS-IIS-SMTP              8cfb5d70-31a4-11cf-a7d8-00805f48a135    Microsoft Internet Information Server SMTP Service
MS-ISMSERV               68dcd486-669e-11d1-ab0c-00c04fc2dcd2    Microsoft Inter-site Messaging Service
                         130ceefb-e466-11d1-b78b-00c04fa32883
MS-MESSENGER             17fdd703-1827-4e34-79d4-24a55c53bb37    Microsoft Messenger Service
                         5a7b91f8-ff00-11d0-a9b2-00c04fb6e6fc
MS-MQQM                  fdb3a030-065f-11d1-bb9b-00a024ea5525    Microsoft Windows Message Queue Management Service
                         76d12b80-3467-11d3-91ff-0090272f9ea3
                         1088a980-eae5-11d0-8d9b-00a02453c335b5b3580-b0e0-11d1-b92d-0060081e87f0
                         41208ee0-e970-11d1-9b9e-00e02c064c39
MS-NETLOGON              12345678-1234-abcd-ef00-01234567cffb    Microsoft Netlogon Service
MS-SCHEDULER             1ff70682-0a51-30e8-076d-740be8cee98b    Microsoft Scheduler Service
                         378e52b0-c0a9-11cf-822d-00aa0051e40f
                         0a74ef1c-41a4-4e06-83ae-dc74fb1cdd53
MS-WIN-DNS               50abc2a4-574d-40b3-9d66-ee4fd5fba076    Microsoft Windows DNS Server
MS-WINS                  45f52c28-7f9f-101a-b52b-08002b2efabe    Microsoft WINS Service
                         811109bf-a4e1-11d1-ab54-00a0c91e9b45

MS RPC Service Groups

The following table lists predefined MS RPC service groups.

Name          Description
MS-AD         Microsoft Active Directory, including MS-AD-BR, MS-AD-DRSUAPI, MS-AD-DSROLE and MS-AD-DSSETUP
MS-EXCHANGE   Microsoft Exchange, including MS-EXCHANGE-DATABASE, MS-EXCHANGE-DIRECTORY, MS-EXCHANGE-INFO-STORE, MS-EXCHANGE-MTA, MS-EXCHANGE-STORE, and MS-EXCHANGE-SYSATD
MS-IIS        Microsoft Internet Information Server, including MS-IIS-COM, MS-IIS-IMAP4, MS-IIS-INETINFO, MS-IIS-NNTP, MS-IIS-POP3, and MS-IIS-SMTP

Example: Services for MS RPC

Because MS RPC services use dynamically negotiated ports, you can not use regular service objects based on fixed TCP/UDP ports to permit them in a security policy. Instead, you must create MS RPC service objects using UUIDs. The MS Exchange Info Store service, for example, uses the following four UUIDs:

• 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde

• 1453c42c-0fa6-11d2-a910-00c04f990f3b

• 10f24e8e-0fa6-11d2-a910-00c04f990f3b

• 1544f5e0-613c-11d1-93df-00c04fd7bd09

The corresponding TCP/UDP ports are dynamic. To permit them, you create an ms-exchange-info-store service object that contains these four UUIDs. The ALG maps the program numbers into dynamically negotiated TCP/UDP ports based on these four UUIDs, and permits or denies the service based on a policy you configure.

In this example, you create a service object called my-ex-info-store that includes the UUIDs for the MS Exchange Info Store service.

WebUI

Objects > Services > MS RPC: Enter the following, and then click Apply:

Service Name: my-ex-info-store

UUID: 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde

UUID: 1453c42c-0fa6-11d2-a910-00c04f990f3b

UUID: 10f24e8e-0fa6-11d2-a910-00c04f990f3b

UUID: 1544f5e0-613c-11d1-93df-00c04fd7bd09

CLI

set service my-ex-info-store protocol ms-rpc uuid 0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde
set service my-ex-info-store + ms-rpc uuid 1453c42c-0fa6-11d2-a910-00c04f990f3b
set service my-ex-info-store + ms-rpc uuid 10f24e8e-0fa6-11d2-a910-00c04f990f3b
set service my-ex-info-store + ms-rpc uuid 1544f5e0-613c-11d1-93df-00c04fd7bd09
save
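The UUID-based decision the MS RPC ALG makes, shown as an added Python example rather than ScreenOS code: a DCE RPC bind PDU carries the interface UUID the client wants, and the ALG compares it with the UUIDs of the service objects the policy references before it lets the endpoint mapper negotiation through. The block builds a little-endian bind PDU with build_bind() (the NDR transfer-syntax UUID is the standard one from the DCE RPC specification), parses it back, and evaluates each requested interface against the my-ex-info-store object from this page; the MS-NETLOGON entry reuses the UUID from the services table.

```python
# Added example (not ScreenOS code): decode the interface UUIDs a client asks
# for in a DCE/MS RPC bind PDU and check each against UUID-based service
# objects, the decision the MS RPC ALG makes before mapping a UUID to the
# dynamically negotiated port. The PDU is constructed with build_bind().
import struct
import uuid

PTYPE_BIND = 11
NDR32 = uuid.UUID("8a885d04-1ceb-11c9-9fe8-08002b104860")  # NDR transfer syntax


def build_bind(call_id: int, interfaces) -> bytes:
    """Constructed bind PDU, little-endian data representation (drep 0x10).
    interfaces: list of (uuid_string, major, minor)."""
    body = struct.pack("<HHI", 4280, 4280, 0)           # max xmit/recv, assoc group
    body += struct.pack("<BBH", len(interfaces), 0, 0)  # context list header
    for ctx_id, (iface, major, minor) in enumerate(interfaces):
        body += struct.pack("<HBB", ctx_id, 1, 0)       # one transfer syntax
        body += uuid.UUID(iface).bytes_le + struct.pack("<HH", major, minor)
        body += NDR32.bytes_le + struct.pack("<I", 2)
    header = struct.pack("<BBBB4sHHI", 5, 0, PTYPE_BIND, 0x03,
                         b"\x10\x00\x00\x00", 16 + len(body), 0, call_id)
    return header + body


def parse_bind(pdu: bytes):
    """Return [(context id, interface uuid, major, minor)] or raise ValueError."""
    if len(pdu) < 28:
        raise ValueError("truncated PDU")
    ver, _minor, ptype, _flags, drep, frag_len, _auth_len, _call_id = \
        struct.unpack("<BBBB4sHHI", pdu[:16])
    if ver != 5 or ptype != PTYPE_BIND:
        raise ValueError("not a DCE RPC v5 bind")
    if not drep[0] & 0x10:
        raise ValueError("big-endian drep not handled here")
    if frag_len != len(pdu):
        raise ValueError("fragment length does not match PDU length")
    n_ctx = pdu[24]
    off, contexts = 28, []
    for _ in range(n_ctx):
        ctx_id, n_ts = struct.unpack("<HB", pdu[off:off + 3])
        off += 4
        if off + 20 + 20 * n_ts > len(pdu):
            raise ValueError("context element runs past PDU end")
        iface = uuid.UUID(bytes_le=pdu[off:off + 16])
        major, minor = struct.unpack("<HH", pdu[off + 16:off + 20])
        off += 20 + 20 * n_ts                 # skip the transfer syntaxes
        contexts.append((ctx_id, str(iface), major, minor))
    return contexts


# Service objects as on this page: name -> set of UUIDs it covers.
SERVICES = {
    "my-ex-info-store": {
        "0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde",
        "1453c42c-0fa6-11d2-a910-00c04f990f3b",
        "10f24e8e-0fa6-11d2-a910-00c04f990f3b",
        "1544f5e0-613c-11d1-93df-00c04fd7bd09",
    },
    "MS-NETLOGON": {"12345678-1234-abcd-ef00-01234567cffb"},
}


def evaluate_bind(pdu: bytes, policy_services):
    """Per requested interface: 'permit' if a service in the policy covers its
    UUID, else 'deny'. A bind naming several interfaces is judged per context."""
    allowed = set().union(*(SERVICES[name] for name in policy_services))
    return [(iface, "permit" if iface in allowed else "deny")
            for _ctx, iface, _major, _minor in parse_bind(pdu)]


def demo():
    pdu = build_bind(1, [("0e4a0156-dd5d-11d2-8c2f-00c04fb6bcde", 1, 0),
                         ("12345678-1234-abcd-ef00-01234567cffb", 1, 0)])
    return evaluate_bind(pdu, ["my-ex-info-store"])


if __name__ == "__main__":
    print(demo())
```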

Real Time Streaming Protocol Application Layer Gateway

RTSP is an application-layer protocol used to control delivery of one or more synchronized streams of multimedia, such as audio and video. Although RTSP is capable of delivering the data streams itself—interleaving the continuous media streams with the control stream—it is more typically used as a kind of “network remote control” for multimedia servers. The protocol was designed as a means for selecting delivery channels, such as UDP, multicast UDP, and TCP, and for selecting delivery mechanism based on the Real Time Protocol (RTP). RTSP may also use the Session Description Protocol (SDP) (see “SDP” on page 201) as a means of providing information to the client for aggregate control of a presentation composed of streams from one or more servers, and non-aggregate control of a presentation composed of multiple streams from a single server. The sources of data can be live feeds or stored clips.

NetScreen devices support RTSP as a service, and allow or deny RTSP traffic based on a policy you configure. The ALG is needed because RTSP uses dynamically assigned port numbers that are conveyed in the packet payload during control connection establishment. The ALG keeps track of the dynamically assigned port numbers and opens pinholes accordingly (see “Pinhole Creation” on page 202). In NAT mode, the ALG translates IP addresses and ports if necessary. NetScreen devices support RTSP in Route mode, Transparent mode, and in both interface-based and policy-based NAT mode.

The following illustration diagrams a typical RTSP session. The client initiates the session (when the user clicks the Play button on a RealPlayer, for example) and establishes a TCP connection to the RTSP server on port 554, then sends the OPTIONS message (messages are also called methods), to find out what audio and video features the server supports. The server responds to the OPTIONS message by specifying the name and version of the server, and a session identifier, for example, 24256-1. (For more information about methods, see “SIP Request Methods” on page 197, and RFC 2326, section 11).

The client then sends the DESCRIBE message with the URL of the actual media file it wants. The server responds to the DESCRIBE message with a description of the media using the SDP format. The client then sends the SETUP message, which specifies the transport mechanisms acceptable to the client for streamed media, for example RTP/RTCP or RDT, and the ports on which it will receive the media. When using NAT, the RTSP ALG keeps track of these ports and translates them as necessary. The server responds to the SETUP method and select one of the transport protocols, and in this way both client and server agree on a mechanism for media transport. The client then sends the PLAY method, and the server begins streaming the media to the client.
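The SETUP/200 OK exchange just described is the point where the RTSP ALG learns the media ports. The Python block below is an added example, not ScreenOS code, of that tracking: it reads the Transport header of a SETUP request, rewrites client_port when the client sits behind source NAT (the port allocation starting at 20000 is an assumption for the demo), opens pinholes from the server's server_port range to the client once the server's 200 OK arrives, and closes them on TEARDOWN. The addresses 10.1.1.3, 1.1.1.5 and 1.1.1.3 and the RTSP messages are constructed for the demo; the session id 24256-1 and ports 6970 and 9086 follow the illustration.

```python
# Added example (not ScreenOS code): a model of the RTSP ALG's work on the
# SETUP / 200 OK exchange. It reads the Transport header, rewrites client_port
# when the client is behind source NAT, opens pinholes for the server's media
# ports once the server replies, and closes them on TEARDOWN.
import re


class RtspAlg:
    def __init__(self, client_ip, nat_ip=None, nat_port_base=20000):
        self.client_ip = client_ip
        self.nat_ip = nat_ip            # None: Route mode, ports pass unchanged
        self.next_port = nat_port_base  # assumed port allocation for the demo
        self.pending = {}               # CSeq -> client ports as sent to the server
        self.xlate = {}                 # translated port -> real client port
        self.sessions = {}              # session id -> list of pinholes

    @staticmethod
    def transport_params(msg):
        m = re.search(r"^Transport:\s*(.+?)\r?$", msg, re.M)
        if not m:
            return None
        parts = m.group(1).split(";")
        params = {"spec": parts[0].strip()}
        for part in parts[1:]:
            key, _, value = part.partition("=")
            params[key.strip()] = value.strip() or True
        return params

    @staticmethod
    def port_range(value):
        lo, _, hi = value.partition("-")
        return int(lo), int(hi or lo)

    @staticmethod
    def header(msg, name):
        m = re.search(r"^%s:\s*([^;\r\n]+)" % name, msg, re.M)
        return m.group(1).strip() if m else None

    def on_request(self, msg):
        """Client -> server direction; returns the message to forward."""
        method = msg.split(" ", 1)[0]
        if method == "SETUP":
            params = self.transport_params(msg)
            if not params or "client_port" not in params:
                return msg                      # nothing to track
            lo, hi = self.port_range(params["client_port"])
            if self.nat_ip:                     # translate the client's media ports
                n = hi - lo + 1
                nlo, self.next_port = self.next_port, self.next_port + n
                for i in range(n):
                    self.xlate[nlo + i] = lo + i
                msg = re.sub(r"client_port=\d+(-\d+)?",
                             f"client_port={nlo}-{nlo + n - 1}", msg)
                lo, hi = nlo, nlo + n - 1
            self.pending[int(self.header(msg, "CSeq"))] = (lo, hi)
        elif method == "TEARDOWN":
            self.sessions.pop(self.header(msg, "Session"), None)   # close pinholes
        return msg

    def on_response(self, msg, server_ip):
        """Server -> client direction; opens server -> client media pinholes."""
        cseq = int(self.header(msg, "CSeq") or -1)
        if cseq not in self.pending or not msg.startswith("RTSP/1.0 200"):
            return msg
        clo, chi = self.pending.pop(cseq)
        slo, _shi = self.port_range(self.transport_params(msg)["server_port"])
        sid = self.header(msg, "Session")
        dst_ip = self.nat_ip or self.client_ip
        holes = [(server_ip, slo + i, dst_ip, clo + i) for i in range(chi - clo + 1)]
        self.sessions.setdefault(sid, []).extend(holes)
        if self.nat_ip:                         # hand the client back its real ports
            msg = re.sub(r"client_port=\d+(-\d+)?",
                         f"client_port={self.xlate[clo]}-{self.xlate[chi]}", msg)
        return msg

    def pinholes(self):
        return sorted(h for holes in self.sessions.values() for h in holes)


# Constructed messages following the illustration (client port 6970, server port 9086).
SETUP = ("SETUP rtsp://1.1.1.3/clip.rm/streamid=0 RTSP/1.0\r\nCSeq: 3\r\n"
         "Transport: RTP/AVP;unicast;client_port=6970-6971\r\n\r\n")
SETUP_OK = ("RTSP/1.0 200 OK\r\nCSeq: 3\r\nSession: 24256-1\r\n"
            "Transport: RTP/AVP;unicast;client_port=6970-6971;server_port=9086-9087\r\n\r\n")
TEARDOWN = "TEARDOWN rtsp://1.1.1.3/clip.rm RTSP/1.0\r\nCSeq: 5\r\nSession: 24256-1\r\n\r\n"


def demo(nat):
    alg = RtspAlg("10.1.1.3", nat_ip="1.1.1.5" if nat else None)
    forwarded = alg.on_request(SETUP)
    echoed = alg.transport_params(forwarded)["client_port"]  # server echoes what it saw
    back = alg.on_response(SETUP_OK.replace("client_port=6970-6971",
                                            f"client_port={echoed}"), "1.1.1.3")
    after_setup = alg.pinholes()
    alg.on_request(TEARDOWN)
    return forwarded, back, after_setup, alg.pinholes()


if __name__ == "__main__":
    print(demo(nat=True)[2])
```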

Illustration: a RealPlayer client (port 3408), the NetScreen device, and a Real Media server (RTSP port 554, media sent from port 9086; the client listens on port 6970).

1. SYN (port 3408 to RTSP port 554)
2. SYN ACK
3. ACK
4. OPTIONS (what is supported)
5. RTSP OK (session 24256-1 created)
6. DESCRIBE (media presentation)
7. RTSP OK (with SDP of media presentation)
8. SDP (continued)
9. SETUP (client listens on 6970 for media)
10. RTSP OK (session 2456-1 from port 9086)
11. SET_PARAM
12. RTSP OK
13. PLAY
14. RTSP OK (RTP information specified)
15. RTP data sent from server
16. Occasional RTCP data
17. TEARDOWN
17. RTSP OK
17. TCP RST

RTSP Request Methods

The following table lists methods that can be performed on a resource (media object), the direction or directions in which information flows, and whether the method is required, recommended, or optional. Presentation refers to information such as network addresses, encoding, and content about a set of one or more streams presented to the client as a complete media feed. A Stream is a single media instance, for example audio or video, as well as all packets created by a source within the session.

Method          Direction          Object                 Requirement
OPTIONS         Client to Server   Presentation, Stream   Client to Server required
                Server to Client   Presentation, Stream   Server to Client optional
DESCRIBE        Client to Server   Presentation, Stream   Recommended
ANNOUNCE        Client to Server   Presentation, Stream   Optional
                Server to Client   Presentation, Stream
SETUP           Client to Server   Stream                 Required
GET_PARAMETER   Client to Server   Presentation, Stream   Optional
                Server to Client
SET_PARAMETER   Client to Server   Presentation, Stream   Optional
                Server to Client
PLAY            Client to Server   Presentation, Stream   Required
PAUSE           Client to Server   Presentation, Stream   Recommended
RECORD          Client to Server   Presentation, Stream   Optional
REDIRECT        Server to Client   Presentation, Stream   Optional
TEARDOWN        Client to Server   Presentation, Stream   Required

Note: Additional methods might be defined in future.

Methods are defined as follows:

• OPTIONS—Client queries the server about what audio or video features it supports, as well as such things as the name and version of the server, and session ID.

• DESCRIBE—For exchange of media initialization information, such as clock rates, color tables, and any transport-independent information the client needs for playback of the media stream. Typically the client sends the URL of the file it is requesting, and the server responds with a description of the media in SDP format. (See “SDP” on page 201.)

• ANNOUNCE—Client uses this method to post a description of the presentation or media object identified by the request URL. The server uses this method to update the session description in real-time.

• SETUP—Client specifies acceptable transport mechanisms to be used, such as the ports on which it will receive the media stream, and the transport protocol.

• GET_PARAMETER—Retrieves the value of a presentation or stream parameter specified in the URI. This method can be used with no entity body to test client or server aliveness. Ping can also be used to test for aliveness.

• SET_PARAMETER—Client uses this method to set the value of a parameter for a presentation or stream specified by the URI. Due to firewall considerations, this method cannot be used to set transport parameters.

• PLAY—Instructs the server to begin sending data using the mechanism specified in SETUP. The Client does not issue PLAY requests until all SETUP requests are successful. The server queues PLAY requests in order, and delays executing any new PLAY request until an active PLAY request is completed. PLAY requests may or may not contain a specified range. The range may contain a time parameter—specified in Coordinated Universal Time (UTC)—for start of playback, which can also be used to synchronize streams from different sources.

• PAUSE—Temporarily halts delivery of an active presentation. If the request URL specifies a particular stream, for example audio, this is equivalent to muting. Synchronization of tracks is maintained when playback or recording is resumed, although servers may close the session if PAUSE is for the duration specified in the timeout parameter in SETUP. A PAUSE request discards all queued PLAY requests.

• RECORD—Initiates recording a range of media defined in the presentation description. A UTC timestamp indicates start and end times, otherwise the server uses the start and end times in the presentation description.

• REDIRECT—Informs the client it must connect to a different server, and contains location information and possibly a range parameter for that new URL. To continue to receive media for this URI, the client must issue a TEARDOWN request for the current session and a SETUP for the new session.

• TEARDOWN—Stops stream delivery for the given URI and frees the resources associated with it. Unless all transport parameters are defined by the session description, a SETUP request must be issued before the session can be played again.

RTSP Status Codes

RTSP uses status codes to provide information about client and server requests. Status codes include a machine-readable three digit result code, and a human-readable reason phrase. It is at the client’s discretion whether to display the reason phrase. Status codes are classed as follows:

• Informational (100 to 199)—request has been received and is being processed

• Success (200 to 299)—action has been received successfully, understood, and accepted

• Redirection (300 to 399)—further action is necessary to complete the request

• Client Error (400 to 499)—request contains bad syntax and cannot be fulfilled

• Server Error (500 to 599)—server failed to fulfill an apparently valid request

The following table lists all status codes defined for RTSP 1.0, and recommended reason phrases. Reason phrases can be revised or redefined without impacting the operation of the protocol.

Status Code   Reason Phrase
100           Continue
200           OK
201           Created
250           Low on Storage Space
300           Multiple Choices
301           Moved Permanently
303           See Other
304           Not Modified
305           Use Proxy
400           Bad Request
401           Unauthorized
402           Payment Required
403           Forbidden
404           Not Found
405           Method Not Allowed
406           Not Acceptable
407           Proxy Authentication Required
408           Request Time-out
410           Gone
411           Length Required
412           Precondition Failed
413           Request Entity Too Large
414           Request-URI Too Large
415           Unsupported Media Type
451           Unsupported Media Type
452           Conference Not Found
453           Not Enough Bandwidth
454           Session Not Found
455           Method Not Valid in This State
456           Header Field Not Valid for Resource
457           Invalid Range
458           Parameter is Read-Only
459           Aggregate operation not allowed
460           Only aggregate operation allowed
461           Unsupported transport
462           Destination unreachable
500           Internal Server Error
501           Not Implemented
502           Bad Gateway
503           Service Unavailable
504           Gateway Time-out
505           RTSP Version not supported
551           Option not supported

Note: For complete definitions of status codes, see RFC 2326, “Real Time Streaming Protocol (RTSP)”.

Example: Media Server in Private Domain

In this example, the media server is in the Trust zone and the client is in the Untrust zone. You put a MIP on the ethernet3 interface to the media server in the Trust zone, then create a policy to allow RTSP traffic to flow from the client in the Untrust zone to the media server in the Trust zone.

Illustration: Client 1.1.1.5 (Untrust LAN) -- ethernet3 1.1.1.1 | NetScreen Device | ethernet1 10.1.1.1 -- Media Server 10.1.1.3 (Trust LAN). Virtual Device: MIP on ethernet3, 1.1.1.3 -> 10.1.1.3.

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Manage IP: 10.1.1.2

Network > Interfaces > Edit (for ethernet3): Enter the following and then click Apply:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Manage IP: 1.1.1.2

2. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: media_server

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: client

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.5/24

Zone: Untrust

3. MIP

Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.3

Host IP Address: 10.1.1.5

4. Policy

Policies > (From: Untrust, To: Trust) > New: Enter the following and then click OK:

Source Address:

Address Book Entry: (select), client

Destination Address:

Address Book Entry: (select), MIP(1.1.1.3)

Service: RTSP

Action: Permit

CLI

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses

set address trust media_server 10.1.1.3/24
set address untrust client 1.1.1.5

3. MIP

set interface ethernet3 mip 1.1.1.3 host 10.1.1.3

4. Policy

set policy from untrust to trust client mip(1.1.1.3) rtsp permit
save

Page 190: Netscreen Concepts and Examples

Chapter 5 Building Blocks for Policies Services

174

one. You put a DIP pool on the the Untrust zone, then create a

k Apply :

k Apply :

Media Server1.1.1.3

Untrust

LAN

Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals

Example: Media Server in Public DomainIn this example, the media server is in the Untrust zone and the client is in the Trust zethernet3 interface to do NAT when the media server to responds to the client from policy to allow RTSP traffic to flow from the Trust zone to the Untrust zone.

WebUI

1. InterfaceNetwork > Interfaces > Edit (for ethernet1): Enter the following, and then clic

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Manage IP: 10.1.1.2

Network > Interfaces > Edit (for ethernet3): Enter the following, and then clic

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Manage IP: 1.1.1.2

ethernet110.1.1.1

ethernet31.1.1.1

Client10.1.1.3

DIP Poolon ethernet3

1.1.1.5 to 1.1.1.50

Trust

LANNetScreen Device

Page 191: Netscreen Concepts and Examples

Chapter 5 Building Blocks for Policies Services

175

and then click OK:

ick OK :

Juniper Networks NetScreen Concepts & Examples � Volume 2: Fundamentals

2. AddressesObjects > Addresses > List > New: Enter the following, and then click OK :

Address Name: client

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: media_server

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.3/24

Zone: Untrust

3. DIP PoolNetwork > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following

ID: 5

IP Address Range: (select) 1.1.1.5 ~ 1.1.1.50

Port Translation: (select)

4. PolicyPolicies > (From: Trust, To: Untrust) > New: Enter the following, and then cl

Source Address:

Address Book Entry (select): client

Destination Address:

Address Book Entry (select): media_server

Service: RTSP

Action: Permit

> Advanced: Enter the following, and then click OK:

NAT:

Source Translation: (select)

(DIP on): 5 (1.1.1.5-1.1.1.50)/port-xlate

CLI

1. Interface

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 manage-ip 10.1.1.2
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 manage-ip 1.1.1.2

2. Addresses

set address trust client 10.1.1.3/24
set address untrust media_server 1.1.1.3/24

3. DIP Pool

set interface ethernet3 dip 5 1.1.1.5 1.1.1.50

4. Policy

set policy from trust to untrust client media_server rtsp nat dip 5 permit
save

H.323 Protocol for Voice-over-IP

The H.323 protocol lets you secure Voice-over-IP (VoIP) communication between terminal hosts, such as IP phones and multimedia devices. In such a telephony system, gatekeeper devices manage call registration, admission, and call status for VoIP calls. Gatekeepers can reside in two different zones, or in the same zone.

Example: Gatekeeper in the Trust Zone (Transparent or Route Mode)

In the following example, you set up two policies that allow H.323 traffic to pass between IP phone hosts and a gatekeeper in the Trust zone, and an IP phone host (2.2.2.5) in the Untrust zone. In this example, the NetScreen device can be in either Transparent mode or Route mode. Both the Trust and Untrust security zones are in the trust-vr routing domain.

Note: The examples that follow use IP phones for illustrative purposes, although it is possible to make configurations for other hosts that use VoIP protocol, such as NetMeeting multimedia devices.

Figure: Gatekeeper and endpoint IP phones in the Trust zone; IP phone 2.2.2.5 in the Untrust zone (Internet); H.323 permitted in both directions, shown for both Transparent and Route mode.


WebUI

1. Address

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: IP_Phone

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust

2. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), IP_Phone

Service: H.323

Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone

Destination Address:

Address Book Entry: (select), Any

Service: H.323

Action: Permit

CLI

1. Address

set address untrust IP_Phone 2.2.2.5/32

2. Policies

set policy from trust to untrust any IP_Phone h.323 permit
set policy from untrust to trust IP_Phone any h.323 permit
save

Example: Gatekeeper in the Untrust Zone (Transparent or Route Mode)

Because Transparent mode and Route mode do not require address mapping of any kind, the NetScreen device configuration for a gatekeeper in the Untrust zone is usually identical to the configuration for a gatekeeper in the Trust zone.

In the following example, you set up policies to allow H.323 traffic to pass between IP phone hosts in the Trust zone, and the IP phone at IP address 2.2.2.5 (and the gatekeeper) in the Untrust zone. The device can be in Transparent or Route mode. Both the Trust and Untrust security zones are in the trust-vr routing domain.

Figure: IP phones on the Trust zone LAN; IP phone 2.2.2.5 and the gatekeeper in the Untrust zone.


WebUI

1. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: IP_Phone

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: Gatekeeper

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.10/32

Zone: Untrust

2. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), IP_Phone

Service: H.323

Action: Permit


Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone

Destination Address:

Address Book Entry: (select), Any

Service: H.323

Action: Permit

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Gatekeeper

Service: H.323

Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Gatekeeper

Destination Address:

Address Book Entry: (select), Any

Service: H.323

Action: Permit

CLI

1. Addresses

set address untrust IP_Phone 2.2.2.5/32
set address untrust gatekeeper 2.2.2.10/32

2. Policies

set policy from trust to untrust any IP_Phone h.323 permit
set policy from trust to untrust any gatekeeper h.323 permit
set policy from untrust to trust IP_Phone any h.323 permit
set policy from untrust to trust gatekeeper any h.323 permit
save

Example: Outgoing Calls with NAT

When the NetScreen device uses NAT (Network Address Translation), a gatekeeper or endpoint device in the Trust zone has a private address, and when it is in the Untrust zone it has a public address. When you set a NetScreen device in NAT mode, you must map a public IP address to each device that needs to receive incoming traffic with a private address.

In this example, the devices in the Trust zone include the endpoint host (10.1.1.5) and the gatekeeper device (10.1.1.25). IP_Phone2 (2.2.2.5) is in the Untrust zone. You configure the NetScreen device to allow traffic between the endpoint host IP_Phone1 and the gatekeeper in the Trust zone and the endpoint host IP_Phone2 in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Select the following, and then click OK:

Interface Mode: NAT

Figure: Gatekeeper (10.1.1.25) and IP_Phone1 (10.1.1.5) in the Trust zone behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24) with MIP 1.1.1.25 -> 10.1.1.25 and MIP 1.1.1.5 -> 10.1.1.5, default gateway 1.1.1.250; IP_Phone2 (2.2.2.5) in the Untrust zone (Internet).


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

2. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: IP_Phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.5/32

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: Gatekeeper

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.25/32

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: IP_Phone2

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust


3. Mapped IP Addresses

Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.5

Netmask: 255.255.255.255

Host IP Address: 10.1.1.5

Host Virtual Router Name: trust-vr

Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.25

Netmask: 255.255.255.255

Host IP Address: 10.1.1.25

Host Virtual Router Name: trust-vr

4. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP Address: 1.1.1.250


5. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone1

Destination Address:

Address Book Entry: (select), IP_Phone2

Service: H.323

Action: Permit

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Gatekeeper

Destination Address:

Address Book Entry: (select), IP_Phone2

Service: H.323

Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone2

Destination Address:

Address Book Entry: (select), MIP(1.1.1.5)

Service: H.323

Action: Permit


Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone2

Destination Address:

Address Book Entry: (select), MIP(1.1.1.25)

Service: H.323

Action: Permit

CLI

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses

set address trust IP_Phone1 10.1.1.5/32
set address trust gatekeeper 10.1.1.25/32
set address untrust IP_Phone2 2.2.2.5/32

3. Mapped IP Addresses

set interface ethernet3 mip 1.1.1.5 host 10.1.1.5
set interface ethernet3 mip 1.1.1.25 host 10.1.1.25

4. Route

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies

set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.25) h.323 permit
save

Example: Incoming Calls with NAT

In this example, you configure the NetScreen device to accept incoming calls over a NAT boundary. To do this, you can create a DIP address pool for dynamically allocating destination addresses. This differs from most configurations, where a DIP pool provides source addresses only.

The name of the DIP pool can be DIP(id_num) for a user-defined DIP, or DIP(interface) when the DIP pool uses the same address as an interface IP address. You can use such address entries as destination addresses in policies, together with the services H.323, SIP, or other VoIP (Voice-over-IP) protocols, to support incoming calls.

The following example uses DIP in an H.323 VoIP configuration. The keyword "incoming" instructs the device to add the DIP and interface addresses to the global zone.

Figure: Trust zone LAN behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24) with DIP pool ID 5, 1.1.1.12 ~ 1.1.1.150, facing the Internet in the Untrust zone.


WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

2. DIP with Incoming NAT

Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

ID: 5

IP Address Range: (select), 1.1.1.12 ~ 1.1.1.150

Port Translation: (select)

In the same subnet as the interface IP or its secondary IPs: (select)

Incoming NAT: (select)


3. Addresses

Objects > Addresses > List > New (for Trust): Enter the following, and then click OK:

Address Name: IP_Phones1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.5/24

Zone: Trust

Objects > Addresses > List > New (for Untrust): Enter the following, and then click OK:

Address Name: IP_Phone2

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust

4. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phones1

Destination Address:

Address Book Entry: (select), Any

Service: H.323

Action: Permit


Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone2

Destination Address:

Address Book Entry: (select), DIP(5)

Service: H.323

Action: Permit

CLI

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. DIP with Incoming NAT

set interface ethernet3 dip 5 1.1.1.12 1.1.1.150 incoming

3. Addresses

set address trust IP_Phones1 10.1.1.5/24
set address untrust IP_Phone2 2.2.2.5/32

4. Policies

set policy from trust to untrust IP_Phones1 any h.323 nat src dip 5 permit
set policy from untrust to trust IP_Phone2 dip(5) h.323 permit
save

Example: Gatekeeper in the Untrust Zone with NAT

In this example, the gatekeeper device (2.2.2.25) and host IP_Phone2 (2.2.2.5) are in the Untrust zone and host IP_Phone1 (10.1.1.5) is in the Trust zone. You configure the NetScreen device to allow traffic between host IP_Phone1 in the Trust zone, and host IP_Phone2 (and the gatekeeper) in the Untrust zone. Both the Trust and Untrust security zones are in the trust-vr routing domain.

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Figure: IP_Phone1 (10.1.1.5) on the Trust zone LAN behind ethernet1 (10.1.1.1/24, NAT mode); ethernet3 (1.1.1.1/24) with MIP 1.1.1.5 -> 10.1.1.5 and default gateway 1.1.1.250; Gatekeeper (2.2.2.25) and IP_Phone2 (2.2.2.5) in the Untrust zone (Internet).


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

2. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: IP_Phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.5/32

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: Gatekeeper

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.25/32

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: IP_Phone2

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust


3. Mapped IP Address

Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.5

Netmask: 255.255.255.255

Host IP Address: 10.1.1.5

4. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP Address: 1.1.1.250

5. Policies

Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone1

Destination Address:

Address Book Entry: (select), IP_Phone2

Service: H.323

Action: Permit


Policies > (From: Trust, To: Untrust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone1

Destination Address:

Address Book Entry: (select), Gatekeeper

Service: H.323

Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), IP_Phone2

Destination Address:

Address Book Entry: (select), MIP(1.1.1.5)

Service: H.323

Action: Permit

Policies > (From: Untrust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Gatekeeper

Destination Address:

Address Book Entry: (select), MIP(1.1.1.5)

Service: H.323

Action: Permit


CLI

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses

set address trust IP_Phone1 10.1.1.5/32
set address untrust gatekeeper 2.2.2.25/32
set address untrust IP_Phone2 2.2.2.5/32

3. Mapped IP Addresses

set interface ethernet3 mip 1.1.1.5 host 10.1.1.5

4. Route

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies

set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
set policy from trust to untrust IP_Phone1 gatekeeper h.323 permit
set policy from untrust to trust IP_Phone2 mip(1.1.1.5) h.323 permit
set policy from untrust to trust gatekeeper mip(1.1.1.5) h.323 permit
save

Session Initiation Protocol (SIP)

The Session Initiation Protocol (SIP) is an Internet Engineering Task Force (IETF)-standard protocol for initiating, modifying, and terminating multimedia sessions over the Internet. Such sessions might include conferencing, telephony, or multimedia, with features such as instant messaging and application-level mobility in network environments.

NetScreen devices support SIP as a service and can screen SIP traffic, allowing and denying it based on a policy that you configure. SIP is a predefined service in ScreenOS and uses port 5060 as the destination port.

Essentially, SIP is used to distribute the session description and, during the session, to negotiate and modify the parameters of the session. SIP is also used to terminate a multimedia session.

A user includes the session description either in an INVITE or an ACK request. A session description indicates the multimedia type of the session, for example, voice or video. SIP can use different description protocols to describe the session; NetScreen supports SDP (Session Description Protocol) only.

SDP provides information that a system can use to join a multimedia session. SDP might include information such as IP addresses, port numbers, times and dates. Note that the IP address and port number in the SDP header (the "c=" and "m=" fields respectively) are the address and port where the client wants to receive the media streams, and not the IP address and port number from which the SIP request originates (although they can be the same). See "SDP" on page 201 for more information.

SIP messages consist of requests from a client to a server and responses to the requests from a server to a client, with the purpose of establishing a session (or a call). A User Agent (UA) is an application that runs at the endpoints of the call and consists of two parts: the User Agent Client (UAC) that sends SIP requests on behalf of the user, and a User Agent Server (UAS) that listens to the responses and notifies the user when they arrive. Examples of User Agents are SIP proxy servers and SIP phones.

SIP Request Methods

The SIP transaction model includes a number of request and response messages, each of which contains a method field denoting the purpose of the message. ScreenOS supports the following method types and response codes:

• INVITE—A user sends an INVITE request to invite another user to participate in a session. The body of an INVITE request may contain the description of the session. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• ACK—The user from whom the INVITE originated sends an ACK request to confirm reception of the final response to the INVITE. If the original INVITE request did not contain the session description, the ACK request must include it. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• OPTIONS—Used by the User Agent (UA) to obtain information about the capabilities of the SIP proxy. A server responds with information about what methods, session description protocols, and message encoding it supports. In NAT mode, when the OPTIONS request is sent from a UA outside NAT to a proxy inside NAT, the SIP ALG translates the address in the Request-URI and the IP address in the To: field to the appropriate IP address of the internal client. When the UA is inside NAT and the proxy is outside NAT, the SIP ALG translates the From:, Via:, and Call-ID: fields as shown in the table in "SIP Headers" on page 213.

• BYE—A user sends a BYE request to abandon a session. A BYE request from either user automatically terminates the session. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• CANCEL—A user can send a CANCEL request to cancel a pending INVITE request. A CANCEL request has no effect if the SIP server processing the INVITE had sent a final response for the INVITE before it received the CANCEL. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• REGISTER—A user sends a REGISTER request to a SIP registrar server to inform it of the current location of the user. A SIP registrar server records all the information it receives in REGISTER requests and makes this information available to any SIP server attempting to locate a user. In NAT mode, REGISTER requests are handled as follows:

– REGISTER requests from an external client to an internal Registrar—When the SIP ALG receives the incoming REGISTER request it translates the IP address, if any, in the Request-URI. Incoming REGISTER messages are allowed only to a MIP or VIP address. No translation is needed for the outgoing response.

– REGISTER requests from an internal client to an external Registrar—When the SIP ALG receives the outgoing REGISTER request it translates the IP addresses in the To:, From:, Via:, Call-ID:, and Contact: header fields. A backward translation is performed for the incoming response.

• Info—Used to communicate mid-session signaling information along the signaling path for the call. In NAT mode, the IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• Subscribe—Used to request current state and state updates from a remote node. In NAT mode, the address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• Notify—Sent to inform subscribers of changes in state to which the subscriber has a subscription. In NAT mode, the IP address in the Request-URI: header field is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• Refer—Used to refer the recipient (identified by the Request-URI) to a third party by the contact information provided in the request. In NAT mode, the IP address in the Request-URI is changed to a private IP address if the message is coming from the external network into the internal network. The IP addresses in the Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

For example, if user A in a private network refers user B, in a public network, to user C, who is also in the private network, the SIP ALG allocates a new IP address and port number for user C so that user C can be contacted by user B. If user C is registered with a Registrar, however, its port mapping is stored in the ALG NAT table and is reused to perform the translation.

• Update—Used to open a pinhole for new or updated SDP information. The Via:, From:, To:, Call-ID:, Contact:, Route:, and Record-Route: header fields are modified as shown in the table in "SIP Headers" on page 213.

• 1xx, 202, 2xx, 3xx, 4xx, 5xx, 6xx Response Codes—Used to indicate the status of a transaction. Header fields are modified as shown in the table in "SIP Headers" on page 213.
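The address rewriting the list above describes can be followed in code. The following Python is an added example, not ScreenOS code and not from this guide: it substitutes the internal host's private address in the Via:, From:, To:, Call-ID:, Contact:, Route: and Record-Route: fields of an outgoing message, maps the public MIP address back to the private one in the Request-URI and those fields of an incoming message, and refuses an incoming REGISTER whose Request-URI is not a MIP. The addresses 10.1.1.5 and 1.1.1.5, the MIP table, the helper names and the sample messages are constructed for the example; port mapping, VIP addresses and the exact per-header rules of the "SIP Headers" table are not modelled.

```python
"""Added example: a simplified model of the SIP ALG address rewriting described above.

Not ScreenOS code. Assumptions not taken from the page: one internal SIP phone at
PRIVATE_IP reached from outside through the MIP PUBLIC_IP; only IP-address
substitution is modelled (no port mapping, no VIP, and not the exact per-header
rules of the "SIP Headers" table).
"""
import re

# Header fields the page lists as modified in NAT mode.
NAT_HEADERS = ("Via", "From", "To", "Call-ID", "Contact", "Route", "Record-Route")

PRIVATE_IP = "10.1.1.5"               # constructed: internal IP phone
PUBLIC_IP = "1.1.1.5"                 # constructed: its MIP on the Untrust interface
MIP_TABLE = {PUBLIC_IP: PRIVATE_IP}   # constructed MIP table (public -> private)

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"


def split_message(msg):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def join_message(start, headers, body):
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body


def _swap(text, old, new):
    """Replace the address `old` with `new`, matching whole dotted quads only."""
    return re.sub(r"(?<![\d.])" + re.escape(old) + r"(?![\d.])", new, text)


def translate_outbound(msg, private_ip=PRIVATE_IP, public_ip=PUBLIC_IP):
    """Inside NAT -> outside: rewrite the private address in the listed header fields."""
    start, headers, body = split_message(msg)
    out = [(n, _swap(v, private_ip, public_ip) if n in NAT_HEADERS else v)
           for n, v in headers]
    return join_message(start, out, body)


def translate_inbound(msg, mip_table=MIP_TABLE):
    """Outside -> inside: map the MIP in the Request-URI and listed headers back to the host.

    Returns None for a REGISTER whose Request-URI is not a MIP: the page allows
    incoming REGISTER only to a MIP or VIP address. Other requests for an unmapped
    address are returned unchanged.
    """
    start, headers, body = split_message(msg)
    method, _, rest = start.partition(" ")
    uri, _, version = rest.rpartition(" ")
    m = re.search(IPV4, uri)
    public = m.group(0) if m else None
    if public not in mip_table:
        return None if method == "REGISTER" else msg
    private = mip_table[public]
    start = f"{method} {_swap(uri, public, private)} {version}"
    out = [(n, _swap(v, public, private) if n in NAT_HEADERS else v)
           for n, v in headers]
    return join_message(start, out, body)


# Constructed sample messages.
INVITE_OUT = ("INVITE sip:bob@2.2.2.5 SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 10.1.1.5:5060;branch=z9hG4bK776\r\n"
              "From: <sip:alice@10.1.1.5>;tag=1928\r\n"
              "To: <sip:bob@2.2.2.5>\r\n"
              "Call-ID: a84b4c76e66710@10.1.1.5\r\n"
              "Contact: <sip:alice@10.1.1.5:5060>\r\n"
              "Content-Length: 0\r\n\r\n")
INVITE_IN = ("INVITE sip:alice@1.1.1.5 SIP/2.0\r\n"
             "Via: SIP/2.0/UDP 2.2.2.5:5060;branch=z9hG4bK123\r\n"
             "From: <sip:bob@2.2.2.5>;tag=99\r\n"
             "To: <sip:alice@1.1.1.5>\r\n"
             "Call-ID: 77@2.2.2.5\r\n"
             "Contact: <sip:bob@2.2.2.5>\r\n"
             "Content-Length: 0\r\n\r\n")
REGISTER_OK = "REGISTER sip:1.1.1.5 SIP/2.0\r\nTo: <sip:alice@1.1.1.5>\r\nContent-Length: 0\r\n\r\n"
REGISTER_BAD = "REGISTER sip:1.1.1.1 SIP/2.0\r\nTo: <sip:alice@1.1.1.1>\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(translate_outbound(INVITE_OUT))
    print(translate_inbound(INVITE_IN))
    print(translate_inbound(REGISTER_BAD))
```

The whole-address match in `_swap` is the point to get right: a naive string replace of 10.1.1.5 would also corrupt 10.1.1.50, and the same care applies to a real ALG that rewrites header text in place.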

Classes of SIP Responses

Response codes indicate the status of a SIP transaction, and consist of codes grouped into the following classes:

• Informational (100 to 199)—request received, continuing to process the request

• Success (200 to 299)—action successfully received, understood, and accepted

• Redirection (300 to 399)—further action required to complete the request

• Client Error (400 to 499)—request contains bad syntax or cannot be fulfilled at this server

• Server Error (500 to 599)—server failed to fulfill an apparently valid request

• Global Failure (600 to 699)—request cannot be fulfilled at any server

The following is the complete list of current SIP response codes. NetScreen supports all of them.

1xx  100 Trying, 180 Ringing, 181 Call is being forwarded, 182 Queued, 183 Session progress

2xx  200 OK, 202 Accepted

3xx  300 Multiple choices, 301 Moved permanently, 302 Moved temporarily, 305 Use proxy, 380 Alternative service

4xx  400 Bad request, 401 Unauthorized, 402 Payment required, 403 Forbidden, 404 Not found, 405 Method not allowed, 406 Not acceptable, 407 Proxy authentication required, 408 Request time-out, 409 Conflict, 410 Gone, 411 Length required, 413 Request entity too large, 414 Request-URL too large, 415 Unsupported media type, 420 Bad extension, 480 Temporarily not available, 481 Call leg/transaction does not exist, 482 Loop detected, 483 Too many hops, 484 Address incomplete, 485 Ambiguous, 486 Busy here, 487 Request cancelled, 488 Not acceptable here

5xx  500 Server internal error, 501 Not implemented, 502 Bad gateway, 503 Service unavailable, 504 Gateway time-out, 505 SIP version not supported

6xx  600 Busy everywhere, 603 Decline, 604 Does not exist anywhere, 606 Not acceptable

ALG - Application-Layer Gateway

There are two types of SIP traffic, the signaling and the media stream. SIP signaling traffic consists of request and response messages between client and server and uses transport protocols such as UDP or TCP. The media stream carries the data (for example, audio data), and uses application layer protocols such as RTP (Real-time Transport Protocol) over UDP.

NetScreen devices support SIP signaling messages on port 5060. You can simply create a policy that permits SIP service and the NetScreen device filters SIP signaling traffic like any other type of traffic, permitting or denying it. The media stream, however, uses dynamically assigned port numbers that can change several times during the course of a call. Without fixed ports, it is impossible to create a static policy to control the media traffic. In this case, the NetScreen device invokes the SIP ALG. The SIP ALG reads SIP messages and their SDP content and extracts the port number information it needs to dynamically open pinholes6 and let the media stream traverse the NetScreen device.

The SIP ALG monitors SIP transactions and dynamically creates and manages pinholes based on the information it extracts from these transactions. The NetScreen SIP ALG supports all SIP methods and responses (see "SIP Request Methods" on page 197 and "Classes of SIP Responses" on page 199). You can allow SIP transactions to traverse the NetScreen firewall by creating a static policy that permits SIP service. This policy enables the NetScreen device to intercept SIP traffic and do one of the following actions: permit or deny the traffic, or enable the SIP ALG to open pinholes to pass the media stream. The SIP ALG needs to open pinholes only for the SIP requests and responses that contain media information (SDP). For SIP messages that do not contain SDP, the NetScreen device simply lets them through.

6. We refer to a pinhole as the limited opening of a port to allow exclusive traffic.

Page 217: Netscreen Concepts and Examples

Chapter 5 Building Blocks for Policies: Services
201

Juniper Networks NetScreen Concepts & Examples – Volume 2: Fundamentals

The SIP ALG intercepts SIP messages that contain SDP, and using a parser, extracts the information it requires to create pinholes. The SIP ALG examines the SDP portion of the packet and a parser extracts information such as IP addresses and port numbers, which the SIP ALG records in a pinhole table. The SIP ALG uses the IP addresses and port numbers recorded in the pinhole table to open pinholes and allow media streams to traverse the NetScreen device.

SDP

An SDP session description is text-based and consists of a set of lines. It can contain session-level and media-level information. The session-level information applies to the whole session, while the media-level information applies to a particular media stream. An SDP session description always contains session-level information, which appears at the beginning of the description, and might contain media-level information7, which comes after.

Of the many fields in the SDP description, two are particularly useful to the SIP ALG because they contain transport layer information. The two fields are the following:

• c= for connection information

  This field can appear at the session or media level. It displays in this format:

  c=<network type><address type><connection address>

  Currently, the NetScreen device supports only “IN” (for Internet) as the network type, “IP4” as the address type, and a unicast IP address8 or domain name as the destination (connection) IP address.

  If the destination IP address is a unicast IP address, the SIP ALG creates pinholes using the IP address and port numbers specified in the media description field m=.

Note: NetScreen devices do not support encrypted SDP. If a NetScreen device receives a SIP message in which SDP is encrypted, the SIP ALG permits it through the firewall anyway, but generates a log message informing the user that it cannot process the packet. If SDP is encrypted, the SIP ALG cannot extract the information it needs from SDP to open pinholes. As a result, the media content that SDP describes cannot traverse the NetScreen device.

7. In the SDP session description, the media-level information begins with the m= field.

8. Generally, the destination IP address can also be a multicast IP address, but NetScreen does not currently support multicast with SIP.

Page 218: Netscreen Concepts and Examples

202

• m= for media announcement

  This field appears at the media level and contains the description of the media. It displays in this format:

  m=<media><port><transport><fmt list>

  Currently, the NetScreen device supports only “audio” as the media and “RTP” as the application layer transport protocol. The port number indicates the destination of the media stream (and not the origin of the media stream). The format list (fmt list) provides information on the application layer protocol that the media uses.

  In this release of ScreenOS, the NetScreen device opens ports only for RTP and RTCP. Every RTP session has a corresponding RTCP9 (Real-time Transport Control Protocol) session. Therefore, whenever a media stream uses RTP, the SIP ALG must reserve ports (create pinholes) for both RTP and RTCP traffic. By default, the port number for RTCP is one higher than the RTP port number.

Pinhole Creation

Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):

– First, the SIP ALG parser verifies if there is a c= field containing an IP address in the media level. If there is one, the parser extracts that IP address and the SIP ALG uses it to create a pinhole for the media.

– If there is no c= field in the media level, the SIP ALG parser extracts the IP address from the c= field in the session level and the SIP ALG uses it to create a pinhole for the media. If the session description does not contain a c= field in either level, this indicates an error in the protocol stack and the NetScreen device drops the packet and logs the event.

9. RTCP provides media synchronization and information about the members of the session and the quality of the communication.

Page 219: Netscreen Concepts and Examples

203

The following lists the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the NetScreen device:

– Protocol: UDP

– Source IP: unknown

– Source port: unknown

– Destination IP: The parser extracts the destination IP address from the c= field in the media or session level.

– Destination port: The parser extracts the destination port number for RTP from the m= field in the media level and calculates the destination port number for RTCP using this formula: RTP port number + one.

– Lifetime: This value indicates the length of time (in seconds), during which a pinhole is open to allow a packet through. A packet must go through the pinhole before the lifetime expires. When the lifetime expires, the SIP ALG removes the pinhole.

When a packet goes through the pinhole within the lifetime period, immediately after, the SIP ALG removes the pinhole for the direction from which the packet came.

The following illustration describes a call setup between two SIP clients and how the SIP ALG creates pinholes to allow RTP and RTCP traffic. The illustration assumes that the NetScreen device has a policy that permits SIP, thus opening port 5060 for SIP signaling messages.

Page 220: Netscreen Concepts and Examples

204

Figure: SIP call setup through the NetScreen device. SIP Client A (1.1.1.1) and SIP Client B (2.2.2.2) are in different zones (Trust and Untrust) separated by the NetScreen device; a SIP proxy relays the signaling between them.

1. Client A sends an "INVITE" request destined for Client B to the SIP proxy through port 5060 on the NetScreen device. SDP: 1.1.1.1:2000 (IP address:port number)
2. Per the SDP, the SIP ALG creates a pinhole (Pinhole 1) for 1.1.1.1:2000
3. The SIP proxy forwards the "INVITE" request to Client B
4. Client B replies to the SIP proxy with a "Ringing" response
5. The SIP proxy forwards the "Ringing" response from Client B to Client A through port 5060 on the NetScreen device
6. Client B sends a "200 OK" response to the SIP proxy in reply to the INVITE request. SDP: 2.2.2.2:3000 (IP address:port number)
7. Per the SDP, the SIP ALG creates a pinhole (Pinhole 2) for 2.2.2.2:3000
8. The SIP proxy forwards the "200 OK" response from Client B to Client A through the NetScreen device
9. Client A sends an "ACK" response destined for Client B to the SIP proxy through port 5060 on the NetScreen device
10. The SIP proxy forwards the "ACK" response to Client B
11. Client B sends media (RTP/RTCP traffic) to Client A through Pinhole 1
12. Client A sends media (RTP/RTCP traffic) to Client B through Pinhole 2
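The pinhole rules laid out in the preceding pages (media-level c= overrides session-level c=, a missing c= is a protocol error, only IN/IP4 unicast is supported, and every RTP port gets an RTCP companion on port + 1) can be expressed as a small parser. The following is an added example, not code from the ScreenOS manual or from Juniper; it also applies the 0.0.0.0 "on hold" rule from the Session Inactivity Timeout note and the six-channels-per-direction limit stated under "SIP Body". The Pinhole record, the function names, the 120-second default lifetime and the sample SDP bodies are constructed for this example.

```python
"""Derive SIP ALG pinholes from an SDP body (added example, not ScreenOS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_CHANNELS_PER_DIRECTION = 6      # manual: up to six SDP channels per direction
DEFAULT_PINHOLE_LIFETIME = 120      # seconds; an example default, not a ScreenOS value


@dataclass(frozen=True)
class Pinhole:
    protocol: str    # always "UDP": RTP and RTCP ride on UDP
    dst_ip: str      # connection address from c= (source IP and port are unknown)
    dst_port: int    # RTP port from m=, or RTP port + 1 for RTCP
    kind: str        # "RTP" or "RTCP"
    lifetime: int    # seconds the pinhole may stay open before the ALG removes it


class SdpError(ValueError):
    """The SDP cannot be processed: the device drops the packet and logs the event."""


def _connection_address(c_value: str) -> Optional[str]:
    """Parse a c= value ("IN IP4 <address>"); None means 0.0.0.0, i.e. on hold."""
    parts = c_value.split()
    if len(parts) != 3 or parts[0] != "IN" or parts[1] != "IP4":
        raise SdpError(f"unsupported network/address type in c={c_value!r}")
    try:
        addr = ipaddress.IPv4Address(parts[2])
    except ipaddress.AddressValueError as exc:
        raise SdpError(f"bad connection address in c={c_value!r}") from exc
    if addr == ipaddress.IPv4Address("0.0.0.0"):
        return None                      # session on hold: the ALG opens nothing
    if addr.is_multicast:
        raise SdpError(f"multicast destination {addr} is not supported")
    return str(addr)


def pinholes_from_sdp(sdp: str, lifetime: int = DEFAULT_PINHOLE_LIFETIME) -> List[Pinhole]:
    """Return the RTP and RTCP pinholes the ALG would open for one SDP body."""
    session_c: Optional[str] = None
    media: List[Dict[str, Optional[str]]] = []     # one entry per m= line
    for raw in sdp.splitlines():
        line = raw.strip()
        if len(line) < 2 or line[1] != "=":
            continue                     # every SDP line is "<type>=<value>"
        key, value = line[0], line[2:]
        if key == "m":
            fields = value.split()
            if len(fields) < 4 or fields[0] != "audio" or not fields[2].startswith("RTP/"):
                raise SdpError(f"unsupported media description m={value!r}")
            media.append({"port": fields[1], "c": None})
        elif key == "c":
            if media:
                media[-1]["c"] = value   # media-level c=: applies to this stream only
            else:
                session_c = value        # session-level c=: precedes the first m=
    if len(media) > MAX_CHANNELS_PER_DIRECTION:
        raise SdpError(f"{len(media)} media streams exceed the limit of "
                       f"{MAX_CHANNELS_PER_DIRECTION} per direction")

    holes: List[Pinhole] = []
    for stream in media:
        c_value = stream["c"] if stream["c"] is not None else session_c
        if c_value is None:
            raise SdpError("no c= field at media or session level")
        dst_ip = _connection_address(c_value)
        if dst_ip is None:
            continue                     # hold: no pinholes for this stream
        rtp_port = int(stream["port"])
        holes.append(Pinhole("UDP", dst_ip, rtp_port, "RTP", lifetime))
        holes.append(Pinhole("UDP", dst_ip, rtp_port + 1, "RTCP", lifetime))
    return holes


# Constructed sample SDP bodies, modelled on the figure above (Client A at 1.1.1.1:2000).
SDP_CLIENT_A = (
    "v=0\r\n"
    "o=clientA 1 1 IN IP4 1.1.1.1\r\n"
    "s=-\r\n"
    "c=IN IP4 1.1.1.1\r\n"
    "t=0 0\r\n"
    "m=audio 2000 RTP/AVP 0\r\n"
)
SDP_MEDIA_LEVEL_C = (
    "v=0\r\nc=IN IP4 10.0.0.1\r\n"
    "m=audio 4000 RTP/AVP 0\r\nc=IN IP4 10.0.0.9\r\n"   # media-level c= wins here
    "m=audio 4010 RTP/AVP 0\r\n"                        # falls back to the session c=
)
SDP_ON_HOLD = "v=0\r\nc=IN IP4 0.0.0.0\r\nm=audio 2000 RTP/AVP 0\r\n"
SDP_NO_CONNECTION = "v=0\r\nm=audio 2000 RTP/AVP 0\r\n"

if __name__ == "__main__":
    for hole in pinholes_from_sdp(SDP_CLIENT_A):
        print(hole)
```

Running the module prints the two pinholes for Client A (UDP to 1.1.1.1, ports 2000 for RTP and 2001 for RTCP). Raising SdpError is the example's stand-in for "drop the packet and log the event"; a real ALG would also have to honour the lifetime and remove the pinhole once the first packet has passed in a given direction.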

Page 221: Netscreen Concepts and Examples

205

Session Inactivity Timeout

Typically a call ends when one of the clients sends a BYE or a CANCEL request. The SIP ALG intercepts the BYE or CANCEL request and removes all media sessions for that call. There could be reasons or problems preventing clients in a call from sending BYE or CANCEL requests, for example, a power failure. In this case, the call might go on indefinitely, consuming resources on the NetScreen device. The inactivity timeout feature helps the NetScreen device to monitor the liveliness of the call and terminate it if there is no activity for a specific period of time.

A call can have one or more voice channels. Each voice channel has two sessions (or two media streams), one for RTP and one for RTCP. When managing the sessions, the NetScreen device considers the sessions in each voice channel as one group. Settings such as the inactivity timeout apply to a group as opposed to each session.

There are two types of inactivity timeouts that determine the lifetime of a group:

• Signaling Inactivity Timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any SIP signaling traffic. Each time a SIP signaling message occurs within a call, this timeout resets. The default setting is 43200 seconds (12 hours).

• Media Inactivity Timeout: This parameter indicates the maximum length of time (in seconds) a call can remain active without any media (RTP or RTCP) traffic within a group. Each time an RTP or RTCP packet occurs within a call, this timeout resets. The default setting is 120 seconds.

If either of these timeouts expires, the NetScreen device removes all sessions for this call from its table, thus terminating the call.

Note: The SIP ALG does not create pinholes for RTP and RTCP traffic when the destination IP address is 0.0.0.0, which indicates that the session is on hold. To put a session on hold, for example, during a SIP telephone communication, a user (User A) sends the other user (User B) a message in which the destination IP address is 0.0.0.0. Doing so indicates to User B not to send any media until further notice. If User B sends media anyway, the NetScreen device drops the packets.

Page 222: Netscreen Concepts and Examples

206

SIP Attack Protection

The ability of the SIP proxy server to process calls can be impacted by repeat SIP INVITE requests, whether malicious or through client or server error, that it initially denied. To prevent the SIP proxy server from being overwhelmed by such requests, you can use the sip protect deny command to configure the NetScreen device to monitor INVITE requests and proxy server replies to them. If a reply contains a 3xx, 4xx, or 5xx response code (see “Classes of SIP Responses” on page 199), the ALG stores the source IP address of the request and the IP address of the proxy server in a table. Subsequently the NetScreen device checks all INVITE requests against this table and, for a configurable number of seconds (the default is three), discards any packets that match entries in the table. You can also configure the NetScreen device to monitor INVITE requests to a specific proxy server by specifying the destination IP address. SIP attack protection is configured globally.

Example: SIP Protect Deny

In this example, you configure the NetScreen device to protect a single SIP proxy server (1.1.1.3/24) from repeat INVITE requests to which it has already denied service. Packets are dropped for a period of five seconds, after which the NetScreen device resumes forwarding INVITE requests from those sources.

WebUI

Note: You must use the CLI to protect SIP proxy servers from being inundated by INVITE requests.

CLI

set sip protect deny dst-ip 1.1.1.3/24
set sip protect deny timeout 5
save
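The table-driven behaviour described under SIP Attack Protection can be modelled as a small state machine, which makes the effect of the timeout and dst-ip settings above concrete. This is an added example, not ScreenOS code: on a 3xx/4xx/5xx reply the ALG records the request's source IP and the proxy's IP, and for the configured number of seconds it discards further INVITEs from that source to that proxy; the optional dst-ip prefix limits protection to one proxy, as `set sip protect deny dst-ip 1.1.1.3/24` does. The class and method names, the replay() driver and the event trace are constructed for this example.

```python
"""Model of 'sip protect deny' (added example, not ScreenOS code)."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class SipProtectDeny:
    def __init__(self, timeout: float = 3.0, dst_ip: Optional[str] = None):
        self.timeout = timeout                  # manual default: three seconds
        # Prefix of proxy servers to protect; None means every proxy is monitored.
        self.protected = ipaddress.ip_network(dst_ip, strict=False) if dst_ip else None
        # (client_ip, proxy_ip) -> time the deny entry was created
        self.deny_table: Dict[Tuple[str, str], float] = {}

    def _covers(self, proxy_ip: str) -> bool:
        return self.protected is None or ipaddress.ip_address(proxy_ip) in self.protected

    def on_invite(self, src_ip: str, proxy_ip: str, now: float) -> str:
        """Return 'forward' or 'drop' for an INVITE from src_ip to proxy_ip."""
        if not self._covers(proxy_ip):
            return "forward"
        key = (src_ip, proxy_ip)
        created = self.deny_table.get(key)
        if created is None:
            return "forward"
        if now - created >= self.timeout:
            del self.deny_table[key]            # entry aged out; forwarding resumes
            return "forward"
        return "drop"

    def on_reply(self, status: int, client_ip: str, proxy_ip: str, now: float) -> bool:
        """Record a deny entry when the proxy rejects an INVITE. Returns True if stored."""
        if not self._covers(proxy_ip) or not 300 <= status <= 599:
            return False
        self.deny_table[(client_ip, proxy_ip)] = now
        return True

    def purge(self, now: float) -> int:
        """Remove expired entries; returns how many were removed."""
        stale = [k for k, t in self.deny_table.items() if now - t >= self.timeout]
        for k in stale:
            del self.deny_table[k]
        return len(stale)


def replay(events: List[tuple], timeout: float = 5.0, dst_ip: Optional[str] = "1.1.1.3/24"):
    """Run an event list through the model and return (time, verdict) for every INVITE.

    Events are ("invite", src_ip, proxy_ip, t) or ("reply", status, client_ip, proxy_ip, t).
    """
    alg = SipProtectDeny(timeout=timeout, dst_ip=dst_ip)
    verdicts = []
    for ev in events:
        if ev[0] == "invite":
            verdicts.append((ev[3], alg.on_invite(ev[1], ev[2], ev[3])))
        else:
            alg.on_reply(ev[1], ev[2], ev[3], ev[4])
    return verdicts


# Constructed trace: 2.2.2.9 is refused by the proxy at t=0.1 and keeps retrying.
SAMPLE_EVENTS = [
    ("invite", "2.2.2.9", "1.1.1.3", 0.0),
    ("reply", 403, "2.2.2.9", "1.1.1.3", 0.1),
    ("invite", "2.2.2.9", "1.1.1.3", 1.0),   # within 5 s of the deny: dropped
    ("invite", "2.2.2.9", "1.1.1.3", 4.0),   # still within 5 s: dropped
    ("invite", "3.3.3.3", "1.1.1.3", 4.5),   # different source: forwarded
    ("invite", "2.2.2.9", "9.9.9.9", 4.6),   # proxy outside dst-ip prefix: forwarded
    ("invite", "2.2.2.9", "1.1.1.3", 5.2),   # timeout elapsed: forwarded again
]

if __name__ == "__main__":
    for when, verdict in replay(SAMPLE_EVENTS):
        print(f"t={when:4.1f}s  INVITE -> {verdict}")
```

Note that the timer runs from the moment the deny entry is created, not from the last dropped retry, so a client that keeps retrying is forwarded again once the configured period has passed, as the example text states.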

Page 223: Netscreen Concepts and Examples

207

Example: Signaling and Media Inactivity Timeouts

In this example, you configure the signaling inactivity timeout to 30,000 seconds and the media inactivity timeout to 90 seconds.

WebUI

Note: You must use the CLI to set SIP signaling and media inactivity timeouts.

CLI

set sip signaling-inactivity-timeout 30000
set sip media-inactivity-timeout 90
save

Example: UDP Flooding Protection

You can protect the NetScreen device against UDP flooding by zone and destination address. In this example, you set a threshold of 80000 per second for the number of UDP packets that can be received on IP address 1.1.1.5, in the Untrust zone, before the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second.

WebUI

Screening > Screen: Enter the following, and then click Apply:

Zone: Untrust

UDP Flood Protection (select)

Note: This example uses a general ScreenOS command, and is not necessarily SIP-specific. For more information about UDP flood protection and how to determine effective settings, see “UDP Flood” on page 4 -65.

Page 224: Netscreen Concepts and Examples

208

> Destination IP: Enter the following, and then click the Back arrow in your web browser to return to the Screen configuration page:

Destination IP: 1.1.1.5

Threshold: 80000

Add: (select)

CLI

set zone untrust screen udp-flood dst-ip 1.1.1.5 threshold 80000
save

Example: SIP Connection Maximum

In this example, you prevent flood attacks on the SIP network from attackers in the Untrust zone by setting a maximum of 20 concurrent sessions from a single IP address. If the NetScreen device detects more than 20 connection attempts from the same IP address, it begins dropping subsequent attempts until the number of sessions drops below the specified maximum.

WebUI

Screening > Screen (Zone: Untrust): Enter the following, and then click OK:

Source IP Based Session Limit: (select)

Threshold: 20 Sessions

CLI

set zone untrust screen limit-session source-ip-based 20
save

Note: This example uses a general ScreenOS command, and is not necessarily SIP-specific. For more information about source-based session limits and how to determine effective settings, see “Source- and Destination-Based Session Limits” on page 4 -40.

Page 225: Netscreen Concepts and Examples

209

SIP with Network Address Translation

The Network Address Translation (NAT) protocol enables multiple hosts in a private subnet to share a single public IP address to access the Internet. For outgoing traffic, NAT replaces the private IP address of the host in the private subnet with the public IP address. For incoming traffic, the public IP address is converted back into the private address and the message routed to the appropriate host in the private subnet.

Using NAT with the SIP service is more complicated because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. The SIP headers contain information about the caller and the receiver, and the NetScreen device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. The NetScreen device translates SDP information to allocate resources to send and receive the media.

How IP addresses and port numbers in SIP messages are replaced depends on the direction of the message. For an outgoing message, the private IP address and port number of the client is replaced with the public IP address and port number of the NetScreen firewall. For an incoming message, the public address of the firewall is replaced with the private address of the client.

When an INVITE message is sent out across the firewall, the SIP ALG collects information from the message header into a call table, which it uses to forward subsequent messages to the correct end point. When a new message arrives, for example an ACK or 200 OK, the ALG compares the “From:”, “To:”, and “Call-ID:” fields against the call table to identify the call context of the message. If a new INVITE message arrives that matches the existing call, the ALG processes it as a REINVITE.

When a message containing SDP information arrives, the ALG allocates ports and creates a NAT mapping between them and the ports in the SDP. Because the SDP requires sequential ports for the Real Time Protocol (RTP) and Real Time Control Protocol (RTCP) channels, the ALG provides consecutive even-odd ports. If it is unable to find a pair of ports it discards the SIP message.
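Two pieces of the bookkeeping just described lend themselves to a compact illustration: the call table keyed on the From:, To: and Call-ID: headers (with a matching second INVITE reported as a REINVITE), and the allocation of consecutive even-odd port pairs for RTP and RTCP, with failure when no pair is free. The following is an added example, not ScreenOS code; the class names, the decision to ignore ";tag=" parameters when keying the table, the port range and the sample messages are constructed for this example, using the addresses of the NAT scenario later in this chapter (ph1 at 5.5.5.1, ph2 at 6.6.6.2).

```python
"""Call table and even-odd RTP/RTCP port allocation (added example, not ScreenOS code)."""
from typing import Dict, Optional, Set, Tuple

CallKey = Tuple[str, str, str]    # (From, To, Call-ID) with header parameters stripped


def parse_sip_headers(message: str) -> Dict[str, str]:
    """Return lower-cased header name -> value; the start line and body are skipped."""
    head = message.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def call_key(message: str) -> CallKey:
    """Key a message by From:, To: and Call-ID:, ignoring ;tag= and other parameters."""
    h = parse_sip_headers(message)
    return tuple(h.get(name, "").split(";", 1)[0] for name in ("from", "to", "call-id"))


class CallTable:
    def __init__(self) -> None:
        self.calls: Dict[CallKey, Dict[str, str]] = {}

    def on_invite(self, message: str) -> str:
        """'INVITE' for a new call; 'REINVITE' when the key already matches a call."""
        key = call_key(message)
        if key in self.calls:
            return "REINVITE"
        self.calls[key] = parse_sip_headers(message)   # context for later ACK / 200 OK
        return "INVITE"

    def lookup(self, message: str) -> Optional[Dict[str, str]]:
        """Find the call context for a later message (ACK, 200 OK, BYE, ...)."""
        return self.calls.get(call_key(message))

    def on_bye(self, message: str) -> bool:
        """Remove the call; True if it was known."""
        return self.calls.pop(call_key(message), None) is not None


class EvenOddPortAllocator:
    """Hands out (rtp, rtcp) pairs where rtp is even and rtcp = rtp + 1."""

    def __init__(self, low: int, high: int) -> None:
        self.low = low + (low % 2)            # first candidate RTP port must be even
        self.high = high                      # highest port the allocator may use
        self.in_use: Set[int] = set()

    def allocate(self) -> Optional[Tuple[int, int]]:
        """Return a free consecutive pair, or None when no pair is available."""
        for rtp in range(self.low, self.high, 2):
            if rtp + 1 <= self.high and rtp not in self.in_use and rtp + 1 not in self.in_use:
                self.in_use.update((rtp, rtp + 1))
                return rtp, rtp + 1
        return None

    def release(self, rtp: int) -> None:
        self.in_use.difference_update((rtp, rtp + 1))


def nat_media_ports(alloc: EvenOddPortAllocator, sdp_rtp_port: int):
    """Bind the SDP's RTP/RTCP ports to a firewall pair; None means 'discard the message'."""
    pair = alloc.allocate()
    if pair is None:
        return None
    return {"inside": (sdp_rtp_port, sdp_rtp_port + 1), "outside": pair}


# Constructed messages in the style of the chapter's samples (not the manual's own text).
SAMPLE_INVITE = (
    "INVITE sip:ph2@6.6.6.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 5.5.5.1:5060\r\n"
    "Call-ID: a1234@5.5.5.1\r\n"
    "From: ph1@5.5.5.1\r\n"
    "To: ph2@6.6.6.2\r\n"
    "CSeq: 1 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nc=IN IP4 5.5.5.1\r\nm=audio 45002 RTP/AVP 0\r\n"
)
SAMPLE_ACK = (
    "ACK sip:ph2@6.6.6.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 5.5.5.1:5060\r\n"
    "Call-ID: a1234@5.5.5.1\r\n"
    "From: ph1@5.5.5.1\r\n"
    "To: ph2@6.6.6.2;tag=9f3a\r\n"   # the callee's tag must not break the match
    "CSeq: 1 ACK\r\n"
)
```

The allocator is deliberately exhaustible so that the "discard the SIP message" branch can be exercised: with a range of only four ports, the third call gets no pair and nat_media_ports() returns None.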

Page 226: Netscreen Concepts and Examples

210

Outgoing Calls

When a SIP call is initiated with a SIP request message from the internal to the external network, NAT replaces the IP addresses and port numbers in the SDP and creates a binding to map the IP addresses and port numbers to the NetScreen firewall. Via:, Contact:, Route:, and Record-Route: SIP header fields, if present, are also bound to the firewall IP address. The ALG stores these mappings for use in retransmissions and for SIP response messages.

The SIP ALG then opens pinholes in the firewall to allow media through the NetScreen device on the dynamically assigned ports negotiated based on information in the SDP and the Via:, Contact:, and Record-Route: header fields. The pinholes also allow incoming packets to reach the Contact:, Via:, and Record-Route: IP addresses and ports. When processing return traffic, the ALG inserts the original Contact:, Via:, Route:, and Record-Route: SIP fields back into the packets.

Incoming Calls

Incoming calls are initiated from the public network to public mapped IP (MIP) addresses, or to interface IP addresses on the NetScreen device. MIPs are statically configured IP addresses that point to internal hosts; interface IP addresses are dynamically recorded by the ALG as it monitors REGISTER messages sent by internal hosts to the SIP Registrar. (For more information, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.) When the NetScreen device receives an incoming SIP packet, it sets up a session and forwards the payload of the packet to the SIP ALG.

The ALG examines the SIP request message (initially an INVITE) and, based on information in the SDP, opens gates for outgoing media. When a 200 OK response message arrives, the SIP ALG performs NAT on the IP addresses and ports and opens pinholes in the outbound direction. (The opened gates have a short time-to-live, and time out if a 200 OK response message is not received quickly.)

When a 200 OK response arrives, the SIP proxy examines the SDP information and reads the IP addresses and port numbers for each media session. The SIP ALG on the NetScreen device performs NAT on the addresses and port numbers, opens pinholes for outbound traffic, and refreshes the timeout for gates in the inbound direction.

When the ACK arrives for the 200 OK, it also passes through the SIP ALG. If the message contains SDP information, the SIP ALG ensures that the IP addresses and port numbers are not changed from the previous INVITE—if they are, the ALG deletes old pinholes and creates new pinholes to allow media to pass through. The ALG also monitors the Via:, Contact:, and Record-Route: SIP fields and opens new pinholes if it determines that these fields have changed.

Page 227: Netscreen Concepts and Examples

211

Forwarded Calls

A forwarded call is when, for example, user A outside the network calls user B inside the network, and user B forwards the call to user C outside the network. The SIP ALG processes the INVITE from user A as a normal incoming call. But when the ALG examines the forwarded call from B to C outside the network and notices that B and C are reached using the same interface, it does not open pinholes in the firewall, because media will flow directly between user A and user C.

Call Termination

The BYE message is used to terminate a call. When the NetScreen device receives a BYE message, it translates the header fields just as it does for any other message. But because a BYE message must be acknowledged by the receiver with a 200 OK, the ALG delays call teardown for five seconds to allow time for transmission of the 200 OK.

Call Re-INVITE Messages

Re-INVITE messages are used to add new media sessions to a call, and to remove existing media sessions. When new media sessions are added to a call, new pinholes are opened in the firewall and new address bindings created. The process is identical to the original call setup. When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.

Call Session Timers

The SIP ALG uses the Session-Expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG gets the Session-Expires value, if present, from the 200 OK response to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, it resets all timeout values to this new INVITE or to default values, and the process is repeated.

Page 228: Netscreen Concepts and Examples

212

As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist. This ensures that the NetScreen device is protected in the event of the following:

• End systems crash during a call and a BYE message is not received.

• Malicious users never send a BYE in an attempt to attack a SIP ALG.

• Poor implementations of SIP proxy fail to process Record-Route and never send a BYE message.

• Network failures prevent a BYE message from being received.

Call Cancellation

Either party can cancel a call by sending a CANCEL message. Upon receiving a CANCEL message, the SIP ALG closes pinholes through the firewall—if any have been opened—and releases address bindings. Before releasing the resources, the ALG delays the control channel age-out for approximately five seconds to allow time for the final 200 OK to pass through. The call is terminated when the five second timeout expires, regardless of whether a 487 or non-200 response arrives.

Forking

Forking enables a SIP proxy to send a single INVITE message to multiple destinations simultaneously. When the multiple 200 OK response messages arrive for the single call, the SIP ALG parses but updates call information with the first 200 OK message it receives.

SIP Messages

The SIP message format consists of a SIP header section, and the SIP body. In request messages, the first line of the header section is the request line, which includes the method type, Request-URI, and protocol version. In response messages, the first line is the status line, which contains a status code. SIP headers contain IP addresses and port numbers used for signaling. The SIP body, separated from the header section by a blank line, is reserved for session description information, which is optional. NetScreen devices currently support the Session Description Protocol (SDP) only. The SIP body contains IP addresses and port numbers used to transport the media.

In NAT mode, the NetScreen device translates information in the SIP headers to hide the information from the outside network. NAT is performed on SIP body information to allocate resources, that is, port numbers where the media is to be received.

Page 229: Netscreen Concepts and Examples

213

SIP Headers

In the following sample SIP request message, NAT replaces the IP addresses in the header fields—shown in bold font—to hide them from the outside network.

INVITE [email protected] SIP/2.0
Via: SIP/2.0/UDP 10.150.20.3:5434
From: [email protected]
To: [email protected]
Call-ID: [email protected]
Contact: [email protected]:5434
Route: <sip:[email protected]:5060>
Record-Route: <sip:[email protected]:5060>

How IP address translation is performed depends on the type and direction of the message, which can be any of the following:

• Inbound request

• Outbound response

• Outbound request

• Inbound response

The following table shows how NAT is performed in each of these cases. Note that for several of the header fields the ALG must know more than just whether the message comes from inside or outside the network. It must also know what client initiated the call, and whether the message is a request or response.

Page 230: Netscreen Concepts and Examples

214

Message Type                                 Fields         Action
Inbound Request (from public to private)     To:            Replace ALG address with local address
                                             From:          None
                                             Call-ID:       None
                                             Via:           None
                                             Request-URI:   Replace ALG address with local address
                                             Contact:       None
                                             Record-Route:  None
                                             Route:         None
Outbound Response (from private to public)   To:            Replace ALG address with local address
                                             From:          None
                                             Call-ID:       None
                                             Via:           None
                                             Request-URI:   N/A
                                             Contact:       Replace local address with ALG address
                                             Record-Route:  Replace local address with ALG address
                                             Route:         None
Outbound Request (from private to public)    To:            None
                                             From:          Replace local address with ALG address
                                             Call-ID:       Replace local address with ALG address
                                             Via:           Replace local address with ALG address
                                             Request-URI:   None
                                             Contact:       Replace local address with ALG address
                                             Record-Route:  Replace local address with ALG address
                                             Route:         Replace ALG address with local address
Inbound Response (from public to private)    To:            None
                                             From:          Replace ALG address with local address
                                             Call-ID:       Replace ALG address with local address
                                             Via:           Replace ALG address with local address
                                             Request-URI:   N/A
                                             Contact:       None
                                             Record-Route:  Replace ALG address with local address
                                             Route:         Replace ALG address with local address

215
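The table is easiest to check by running it. The following is an added example, not ScreenOS code: nat_action() returns the table's entry for a message type and header field, and translate_message() applies it to the start line and headers of a SIP message, swapping the ALG (firewall) address for the local address or the reverse. A single fixed address pair stands in for the per-call binding the ALG would keep, only addresses are swapped (the ALG also rewrites ports), and the SDP body is left alone because its translation is a separate step. The message texts are constructed for this example, using the addresses of the NAT scenario below (ph1 at 5.5.5.1 behind a NetScreen device whose external address is 6.6.6.1, ph2 at 6.6.6.2).

```python
"""The SIP header NAT table as executable logic (added example, not ScreenOS code)."""
import re
from typing import Dict, Optional, Tuple

# Message types, named as in the table: (where the message comes from, request or response).
INBOUND_REQUEST = ("public", "request")       # from public to private
OUTBOUND_RESPONSE = ("private", "response")   # from private to public
OUTBOUND_REQUEST = ("private", "request")     # from private to public
INBOUND_RESPONSE = ("public", "response")     # from public to private

ALG_TO_LOCAL = "Replace ALG address with local address"
LOCAL_TO_ALG = "Replace local address with ALG address"
NONE = "None"
NA = "N/A"

FIELDS = ("to", "from", "call-id", "via", "request-uri", "contact", "record-route", "route")

# One row per message type, actions in FIELDS order, transcribed from the table above.
_TABLE: Dict[Tuple[str, str], Tuple[str, ...]] = {
    INBOUND_REQUEST:   (ALG_TO_LOCAL, NONE, NONE, NONE, ALG_TO_LOCAL, NONE, NONE, NONE),
    OUTBOUND_RESPONSE: (ALG_TO_LOCAL, NONE, NONE, NONE, NA, LOCAL_TO_ALG, LOCAL_TO_ALG, NONE),
    OUTBOUND_REQUEST:  (NONE, LOCAL_TO_ALG, LOCAL_TO_ALG, LOCAL_TO_ALG, NONE,
                        LOCAL_TO_ALG, LOCAL_TO_ALG, ALG_TO_LOCAL),
    INBOUND_RESPONSE:  (NONE, ALG_TO_LOCAL, ALG_TO_LOCAL, ALG_TO_LOCAL, NA,
                        NONE, ALG_TO_LOCAL, ALG_TO_LOCAL),
}


def nat_action(msg_type: Tuple[str, str], field: str) -> str:
    """Look up the table: what the ALG does to `field` for this message type."""
    return dict(zip(FIELDS, _TABLE[msg_type]))[field.lower()]


def _swap(line: str, old: str, new: str) -> str:
    # Replace a dotted quad only when it is not embedded in a longer dotted string.
    return re.sub(rf"(?<![\d.]){re.escape(old)}(?![\d.])", new, line)


def translate_message(message: str, msg_type: Tuple[str, str], local_ip: str, alg_ip: str) -> str:
    """Apply the table's address actions to the start line and headers of one message."""
    lines = message.replace("\r\n", "\n").split("\n")
    out = []
    in_body = False
    for index, line in enumerate(lines):
        if in_body or line == "":
            in_body = True              # blank line ends the headers; body is untouched
            out.append(line)
            continue
        if index == 0:
            # The request line carries the Request-URI; a status line has nothing to translate.
            field: Optional[str] = "request-uri" if msg_type[1] == "request" else None
        else:
            field = line.split(":", 1)[0].strip().lower() if ":" in line else None
        action = nat_action(msg_type, field) if field in FIELDS else NONE
        if action == ALG_TO_LOCAL:
            line = _swap(line, alg_ip, local_ip)
        elif action == LOCAL_TO_ALG:
            line = _swap(line, local_ip, alg_ip)
        out.append(line)
    return "\n".join(out)


# Constructed messages (not the manual's own text) for the ph1 -> ph2 scenario.
OUTBOUND_INVITE = (
    "INVITE sip:ph2@6.6.6.2 SIP/2.0\n"
    "Via: SIP/2.0/UDP 5.5.5.1:5060\n"
    "Call-ID: a1234@5.5.5.1\n"
    "From: ph1@5.5.5.1\n"
    "To: ph2@6.6.6.2\n"
    "Contact: sip:ph1@5.5.5.1:5060\n"
    "\n"
    "v=0\nc=IN IP4 5.5.5.1\nm=audio 45002 RTP/AVP 0\n"
)
INBOUND_200_OK = (
    "SIP/2.0 200 OK\n"
    "Via: SIP/2.0/UDP 6.6.6.1:5060\n"
    "Call-ID: a1234@6.6.6.1\n"
    "From: ph1@6.6.6.1\n"
    "To: ph2@6.6.6.2\n"
    "Contact: sip:ph2@6.6.6.2:5060\n"
    "\n"
    "v=0\nc=IN IP4 6.6.6.2\nm=audio 62002 RTP/AVP 0\n"
)

if __name__ == "__main__":
    print(translate_message(OUTBOUND_INVITE, OUTBOUND_REQUEST, "5.5.5.1", "6.6.6.1"))
    print(translate_message(INBOUND_200_OK, INBOUND_RESPONSE, "5.5.5.1", "6.6.6.1"))
```

Running it shows the two halves of the scenario: in the outbound INVITE the Via:, Call-ID:, From: and Contact: lines now carry 6.6.6.1 while To: and the Request-URI are untouched, and in the inbound 200 OK the same fields are mapped back to 5.5.5.1 while Contact: (ph2's public address) is left alone.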

Page 232: Netscreen Concepts and Examples

216

SIP Body

The SDP information in the SIP body includes IP addresses the ALG uses to create channels for the media stream. Translation of the SDP section also allocates resources, that is, port numbers to send and receive the media.

The following excerpt from a sample SDP section shows the fields that are translated for resource allocation:

o=user 2344234 55234434 IN IP4 10.150.20.3
c=IN IP4 10.150.20.3
m=audio 43249 RTP/AVP 0

SIP messages can contain more than one media stream. The concept is similar to attaching multiple files to an e-mail message. For example, an INVITE message sent from a SIP client to a SIP server might have the following fields:

c=IN IP4 10.123.33.4
m=audio 33445 RTP/AVP 0

c=IN IP4 10.123.33.4
m=audio 33447 RTP/AVP 0

c=IN IP4 10.123.33.4
m=audio 33449 RTP/AVP 0

NetScreen devices support up to six SDP channels negotiated for each direction, for a total of 12 channels per call. For more information, see “SDP” on page 201.

SIP NAT Scenario

In the following illustration, ph1 sends a SIP INVITE message to ph2. Note how the IP addresses in the header fields—shown in bold font—are translated by the NetScreen device.

The SDP section of the INVITE message indicates where the caller is willing to receive media. Note that the Media Pinhole contains two port numbers, 52002 and 52003, for RTCP and RTP. The Via/Contact Pinhole provides port number 5060 for SIP signaling.

Page 233: Netscreen Concepts and Examples

217

Observe how, in the 200 OK response message, the translations performed in the INVITE message are reversed. The IP addresses in this message, being public, are not translated, but gates are opened to allow the media stream access to the private network.

Figure: SIP NAT scenario, INVITE from ph1 to ph2. Internal Network: SIP ph1 5.5.5.1. NetScreen Device: 5.5.5.2 (internal side), 6.6.6.1 (external side). External Network: SIP ph2 6.6.6.2.

Pinholes opened on the NetScreen device (Any IP, Any Port on the external side):
  Media Pinhole:        6.6.6.1 52002/52003  <->  5.5.5.1 45002/45003
  Via/Contact Pinhole:  6.6.6.1 1234         <->  5.5.5.1 5060

INVITE as sent by ph1 (internal side):

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 5.5.5.1:5060
Call-ID: [email protected]
From: [email protected]
To: [email protected]
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph1 3123 1234 IP IP4 5.5.5.1
c=IN IP4 5.5.5.1
m=audio 45002 RTP/AVP 0

INVITE as forwarded to ph2 (external side, translated fields shown in bold in the original figure):

INVITE sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP 6.6.6.1:1234
Call-ID: [email protected]
From: [email protected]
To: [email protected]
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph1 3123 1234 IP IP4 6.6.6.1
c=IN IP4 6.6.6.1
m=audio 52002 RTP/AVP 0

Page 234: Netscreen Concepts and Examples

218

Figure (continued): 200 OK and ACK for the same call. Internal Network: SIP ph1 5.5.5.1. NetScreen Device: 5.5.5.2 / 6.6.6.1. External Network: SIP ph2 6.6.6.2.

Pinholes opened on the NetScreen device (Any IP, Any Port on the internal side):
  Media Pinhole:        6.6.6.2 62002/62003
  Via/Contact Pinhole:  6.6.6.2 5060

200 OK as sent by ph2 (external side):

SIP/2.0 200 OK
Via: SIP/2.0/UDP 6.6.6.1:1234
Call-ID: [email protected]
From: [email protected]
To: [email protected]
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98
Contact: sip 6.6.6.2:5060

v=0
o=ph2 5454 565642 IP IP4 6.6.6.2
c=IN IP4 6.6.6.2
m=audio 62002 RTP/AVP 0

200 OK as forwarded to ph1 (internal side):

SIP/2.0 200 OK
Via: SIP/2.0/UDP 5.5.5.1:5060
Call-ID: [email protected]
From: [email protected]
To: [email protected]
CSeq 1 INVITE
Content-type: application/sdp
Content-Length: 98

v=0
o=ph2 5454 565642 IP IP4 6.6.6.2
c=IN IP4 6.6.6.2
m=audio 62002 RTP/AVP 0

ACK from ph1 (internal side):          ACK from the NetScreen device to ph2 (external side):
ACK SIP:[email protected] SIP/2.0       ACK SIP:[email protected] SIP/2.0
. . . .                                 . . . .

Page 235: Netscreen Concepts and Examples

219

Incoming SIP Call Support Using the SIP Registrar

SIP registration provides a discovery capability by which SIP proxies and location servers are able to identify the location or locations where users want to be contacted. A user registers one or more contact locations by sending a REGISTER message to the registrar. The To: and Contact: fields in the REGISTER message contain the address-of-record URI and one or more contact URIs, as shown in the following illustration. Registration creates bindings in a location service that associates the address-of-record with the contact address or addresses.

The NetScreen device monitors outgoing REGISTER messages, performs NAT on these addresses, and stores the information in an Incoming DIP table. Then, when an INVITE message is received from outside the network, the NetScreen device uses the Incoming DIP table to identify which internal host to route the INVITE message to. You can take advantage of SIP proxy registration service to allow incoming calls by configuring interface DIP or DIP pools on the egress interface of the NetScreen device. Interface DIP is adequate for handling incoming calls in a small office, while setting up DIP pools is recommended for larger networks or an enterprise environment.

Note: Incoming call support using interface DIP or a DIP pool is supported for SIP and H.323 services only.

For incoming calls, NetScreen devices currently support UDP and TCP only. Domain name resolution is also currently not supported, therefore URIs must contain IP addresses, as shown in the following illustration.

Chapter 5 Building Blocks for Policies Services

Figure: SIP registration through the NetScreen device. On the internal network, SIP phone ph1 (5.5.5.1:1234) sends REGISTER sip:6.6.6.2 SIP/2.0 with Contact <sip:5.5.5.1:1234> and Expires: 7200 toward the registrar (6.6.6.2) on the external network. The NetScreen device (6.6.6.1) rewrites the Contact to <sip:6.6.6.1:5555> and adds the entry 5.5.5.1:1234 to 6.6.6.1:5555 to the Incoming DIP table; when the registrar's 200 OK returns with Expires: 3600, the device updates the entry's timeout value to 3600.
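A Python model of the Incoming DIP table behaviour described above, added here as an illustration and not ScreenOS code: the phone, egress and registrar addresses and the port 5555 are taken from the illustration, and the REGISTER, 200 OK and INVITE messages are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed example, not ScreenOS code. Addresses follow the illustration: phone ph1
# 5.5.5.1:1234 inside, NetScreen egress 6.6.6.1, registrar 6.6.6.2, first ALG port 5555.
SIP_URI_RE = re.compile(r"sip:(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_sip(msg):
    """Return (start line, headers); header names lower-cased, first value wins."""
    lines = msg.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), value.strip())
    return lines[0], headers


@dataclass
class Binding:
    internal: tuple  # Contact the phone sent: (private ip, port)
    external: tuple  # what the outside sees: (egress ip, allocated port)
    timeout: int     # seconds; taken from Expires, refreshed by the 200 OK


class IncomingDipTable:
    """REGISTER Contacts NATed onto a single egress address (interface DIP)."""

    def __init__(self, egress_ip, first_port=5555):
        self.egress_ip = egress_ip
        self._next_port = first_port
        self._by_external = {}  # egress port -> Binding
        self._by_internal = {}  # (private ip, port) -> Binding

    def outbound_register(self, msg):
        """Rewrite the Contact of an outgoing REGISTER and record the binding."""
        start, headers = parse_sip(msg)
        m = SIP_URI_RE.search(headers.get("contact", ""))
        if not start.startswith("REGISTER ") or m is None:
            return msg  # nothing to learn from this message
        internal = (m.group(1), int(m.group(2)))
        expires = int(headers.get("expires", "3600"))
        b = self._by_internal.get(internal)
        if b is None:  # first registration from this phone: allocate a port
            b = Binding(internal, (self.egress_ip, self._next_port), expires)
            self._next_port += 1
            self._by_internal[internal] = b
            self._by_external[b.external[1]] = b
        else:          # re-registration just refreshes the existing entry
            b.timeout = expires
        return msg.replace("sip:%s:%d" % internal, "sip:%s:%d" % b.external)

    def inbound_response(self, msg):
        """200 OK from the registrar: adopt its Expires, untranslate the Contact."""
        _, headers = parse_sip(msg)
        b = self._lookup(SIP_URI_RE.search(headers.get("contact", "")))
        if b is None:
            return msg
        if "expires" in headers:  # the registrar may shorten what the phone asked
            b.timeout = int(headers["expires"])
        return msg.replace("sip:%s:%d" % b.external, "sip:%s:%d" % b.internal)

    def route_inbound_invite(self, msg):
        """Pick the internal host for an INVITE addressed to the egress address."""
        start, _ = parse_sip(msg)
        b = self._lookup(SIP_URI_RE.search(start)) if start.startswith("INVITE ") else None
        return None if b is None else b.internal

    def tick(self, seconds):
        """Age the table; expired entries stop accepting incoming calls."""
        for b in list(self._by_external.values()):
            b.timeout -= seconds
            if b.timeout <= 0:
                del self._by_external[b.external[1]]
                del self._by_internal[b.internal]

    def entries(self):
        return [(b.internal, b.external, b.timeout) for b in self._by_external.values()]

    def _lookup(self, m):
        if m is None or m.group(1) != self.egress_ip:
            return None
        return self._by_external.get(int(m.group(2)))


# Constructed messages modelled on the illustration (headers trimmed).
REGISTER = ("REGISTER sip:6.6.6.2 SIP/2.0\r\nFrom: <sip:ph1@6.6.6.2>\r\n"
            "To: <sip:ph1@6.6.6.2>\r\nCSeq: 1 REGISTER\r\n"
            "Contact: <sip:5.5.5.1:1234>\r\nExpires: 7200\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nFrom: <sip:ph1@6.6.6.2>\r\nTo: <sip:ph1@6.6.6.2>\r\n"
          "CSeq: 1 REGISTER\r\nContact: <sip:6.6.6.1:5555>\r\nExpires: 3600\r\n")
INVITE = "INVITE sip:6.6.6.1:5555 SIP/2.0\r\nFrom: <sip:ph2@6.6.6.2>\r\nTo: <sip:ph1@6.6.6.2>\r\n"


def demo():
    """Walk one phone through registration, an incoming call, and expiry."""
    table = IncomingDipTable("6.6.6.1")
    sent = table.outbound_register(REGISTER)     # Contact rewritten to 6.6.6.1:5555
    back = table.inbound_response(OK_200)        # Contact restored to 5.5.5.1:1234
    target = table.route_inbound_invite(INVITE)  # ("5.5.5.1", 1234)
    timeout = table.entries()[0][2]              # 3600: the registrar's Expires won
    table.tick(3600)                             # the binding ages out ...
    return sent, back, target, timeout, table.route_inbound_invite(INVITE)  # ... -> None
```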

Example: Incoming Call (Interface DIP)

In this example, phone1 is on the ethernet1 interface in the Trust zone and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You set Interface DIP on the ethernet3 interface to do NAT on incoming calls, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how incoming DIP works with the SIP registration service, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.

Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); the NetScreen device's ethernet3 (1.1.1.1/24, Interface DIP) faces the Untrust zone and the Internet, where the proxy server (1.1.1.3) and phone2 (1.1.1.4) are located.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.3/24

Zone: Untrust

3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Select the Incoming NAT option, and then click OK.

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address

Address Book Entry: (select) phone1

Destination Address

Address Book Entry: (select) any

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address

Address Book Entry: (select), Any

Destination Address

Address Book Entry: (select), DIP(ethernet3)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24

3. DIP with Incoming NAT
set interface ethernet3 dip interface-ip incoming
set dip sticky

4. Policies
set policy from trust to untrust phone1 any sip nat src permit
set policy from untrust to trust any dip(ethernet3) sip permit
save

Example: Incoming Call (DIP Pool)

In this example, phone1 is in the Trust zone and phone2 and the proxy server are in the Untrust zone. You set a DIP pool on the ethernet3 interface to do NAT on incoming calls, then set a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP pool in the policy. You also create a policy that permits SIP traffic from the Trust to the Untrust zone using NAT Source. This enables phone1 in the Trust zone to register with the proxy in the Untrust zone. For an explanation of how DIP works with the SIP registration service, see “Incoming SIP Call Support Using the SIP Registrar” on page 219.

Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24) carries the DIP pool 1.1.1.20 -> 1.1.1.40 and faces the Untrust zone and the Internet, where the proxy server (1.1.1.3) and phone2 (1.1.1.4) are located.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.3/24

Zone: Untrust

3. DIP Pool with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

ID: 5

IP Address Range: (select), 1.1.1.20 ~ 1.1.1.40

Port Translation: (select)

In the same subnet as the interface IP or its secondary IPs: (select)

Incoming NAT: (select)

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address

Address Book Entry: (select), phone1

Destination Address

Address Book Entry: (select), Any

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

(DIP on): 5 (1.1.1.20-1.1.1.40)/port-xlate

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address

Address Book Entry: (select) Any

Destination Address

Address Book Entry: (select) DIP(5)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24

3. DIP Pool with Incoming NAT
set interface ethernet3 dip 5 1.1.1.20 1.1.1.40 incoming
set dip sticky

4. Policies
set policy from trust to untrust phone1 any sip nat src dip 5 permit
set policy from untrust to trust any dip(5) sip permit
save

Example: Incoming Call with MIP

In this example, phone1 is on the ethernet1 interface in the Trust zone and phone2 and the proxy server are on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to phone1, then create a policy that allows SIP traffic from the Untrust zone to the Trust zone, and reference that MIP in the policy. You also create a policy allowing phone1 to register with the proxy server in the Untrust zone. This example is similar to the previous two examples (“Example: Incoming Call (Interface DIP)” on page 221 and “Example: Incoming Call (DIP Pool)” on page 225), except that with a MIP you need one public address for each private address in the Trust zone, while with Interface DIP or a DIP pool a single interface address can serve multiple private addresses.

Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24) faces the Untrust zone and the Internet, where the proxy server and phone2 (1.1.1.4) are located; virtual device: MIP on ethernet3.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.3/24

Zone: Untrust

3. MIP
Network > Interfaces > Edit (for ethernet3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.3

Netmask: 255.255.255.255

Host IP Address: 10.1.1.3

4. Policy
Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), any

Destination Address:

Address Book Entry: (select), MIP(1.1.1.3)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24

3. MIP
set interface ethernet3 mip 1.1.1.3 host 10.1.1.3

4. Policy
set policy from untrust to trust any mip(1.1.1.3) sip permit
save

Example: Proxy in the Private Zone

In this example, phone1 and the SIP proxy server are on the ethernet1 interface in the Trust (private) zone, and phone2 is on the ethernet3 interface in the Untrust zone. You put a MIP on the ethernet3 interface to the proxy server to allow phone2 to register with the proxy, then create a policy allowing SIP traffic from the Untrust to the Trust zone and reference that MIP in the policy. You also create a policy from the Trust to the Untrust zone to allow phone1 to call out.

Figure: phone1 (10.1.1.3) and the proxy server (10.1.1.4) on the Trust LAN behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24) faces the Untrust zone and the Internet, where phone2 (1.1.1.4) is located; virtual device: MIP on ethernet3, 1.1.1.2 -> 10.1.1.4.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.4/24

Zone: Trust

3. MIP
Network > Interfaces > Edit (for loopback.3) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.1.2

Netmask: 255.255.255.255

Host IP Address: 10.1.1.4

Host Virtual Router Name: trust-vr

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select) any

Destination Address:

Address Book Entry: (select) phone2

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), phone2

Destination Address:

Address Book Entry: (select), MIP(1.1.1.2)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address trust proxy 10.1.1.4/24

3. MIP
set interface ethernet3 mip 1.1.1.2 host 10.1.1.4

4. Policies
set policy from trust to untrust any phone2 sip nat src permit
set policy from untrust to trust phone2 mip(1.1.1.2) sip permit
save

Example: Proxy in the Public Zone

In this example, phone1 is on the ethernet1 interface in the Trust zone and the proxy server and phone2 are on the ethernet3 interface in the Untrust (public) zone. You configure Interface DIP on the Untrust interface, then create a policy permitting SIP traffic from the Untrust zone to the Trust zone, and reference that DIP in the policy. You also create a policy from Trust to Untrust to allow phone1 to register with the proxy server in the Untrust zone. This example is similar to the previous incoming call examples (see “Example: Incoming Call (Interface DIP)” on page 221, “Example: Incoming Call (DIP Pool)” on page 225 and “Example: Incoming Call with MIP” on page 229) and, as with those examples, you can use DIP or MIP on the Untrust interface.

Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); ethernet3 (1.1.1.1/24, Interface DIP) faces the Untrust zone and the Internet, where the proxy server (1.1.1.3) and phone2 (1.1.1.4) are located.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT


Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.3/24

Zone: Untrust

3. Interface DIP
Network > Interface > Edit (for ethernet3) > DIP: Select the Incoming NAT check box.

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select) phone1

Destination Address:

Address Book Entry: (select) Any

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select) Any

Destination Address:

Address Book Entry: (select) DIP(ethernet3)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address untrust proxy 1.1.1.3/24

3. Interface DIP
set interface ethernet3 dip interface-ip incoming

4. Policies
set policy from trust to untrust phone1 any sip nat src permit
set policy from untrust to trust any dip(ethernet3) sip permit
save

Example: Three-Zone, Proxy in the DMZ

In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet2 interface in the DMZ. You put a MIP on the ethernet2 interface to phone1 in the Trust zone, and create a policy from the DMZ to the Trust zone, and reference that MIP in the policy. In fact, with three zones you need to create bidirectional policies between each of the zones. The arrows in the following illustration show the flow of SIP traffic when phone2 in the Untrust zone places a call to phone1 in the Trust zone.

Figure: phone1 (10.1.1.3) on the Trust LAN behind ethernet1 (10.1.1.1/24); the proxy server (2.2.2.4) in the DMZ behind ethernet2 (2.2.2.2/24); phone2 (1.1.1.4) in the Untrust zone, reached through ethernet3 (1.1.1.1/24) and the Internet; virtual device: MIP on ethernet2, 2.2.2.3 -> 10.1.1.3.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select when this option is present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:

Zone Name: DMZ

Static IP: (select when this option is present)

IP Address/Netmask: 2.2.2.2/24

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select when this option is present)

IP Address/Netmask: 1.1.1.1/24

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/24

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.4/24

Zone: DMZ

3. MIP
Network > Interfaces > Edit (for ethernet2) > MIP > New: Enter the following, and then click OK:

Mapped IP: 2.2.2.3

Netmask: 255.255.255.255

Host IP Address: 10.1.1.3

4. Policies
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), phone1

Destination Address:

Address Book Entry: (select), proxy

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: Enable

(DIP on): None (Use Egress Interface IP)

Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), proxy

Destination Address:

Address Book Entry: (select), phone2

Service: SIP

Action: Permit

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), phone2

Destination Address:

Address Book Entry: (select), phone1

Service: SIP

Action: Permit

Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), phone2

Destination Address:

Address Book Entry: (select), proxy

Service: SIP

Action: Permit

Policies > (From: DMZ, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), proxy

Destination Address:

Address Book Entry: (select), MIP(2.2.2.3)

Service: SIP

Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), phone1

Destination Address:

Address Book Entry: (select), phone2

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: Enable

(DIP on): None (Use Egress Interface IP)

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 route
set interface ethernet2 zone dmz
set interface ethernet2 ip 2.2.2.2/24
set interface ethernet2 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address untrust phone2 1.1.1.4/24
set address dmz proxy 2.2.2.4/24

3. MIP
set interface ethernet2 mip 2.2.2.3 host 10.1.1.3

4. Policies
set policy from trust to dmz phone1 proxy sip nat src permit
set policy from dmz to untrust proxy phone2 sip permit
set policy from untrust to trust phone2 phone1 sip permit
set policy from untrust to dmz phone2 proxy sip permit
set policy from dmz to trust proxy mip(2.2.2.3) sip permit
set policy from trust to untrust phone1 phone2 sip nat src permit
save

Example: Untrust Intrazone

In this example, phone2 is on the ethernet2 interface in the Untrust zone, phone3 is in a subnet on the ethernet3 interface in the Untrust zone, and the proxy server is on the ethernet1 interface in the Trust zone. To allow intrazone SIP traffic between the two phones in the Untrust zone, you create a loopback interface, add ethernet2 and ethernet3 to a loopback group, then put a MIP on the loopback interface to the IP address of the proxy server. Creating a loopback interface enables you to use a single MIP for the proxy server in the Trust zone. Because blocking is on by default in the Untrust zone, you must also turn off blocking to allow intrazone communication. For more information about using loopback interfaces, see “MIP and the Loopback Interface” on page 7-105.

Figure: the proxy (10.1.1.5) on the Trust LAN behind ethernet1 (10.1.1.1/24); in the Untrust zone, phone1 (1.1.1.4) behind ethernet4 (1.1.1.1/24) and phone2 (1.1.2.4) behind ethernet3 (1.1.2.1/24), both reaching the Internet; loopback.1 (1.1.4.1/24) carries the MIP 1.1.4.5 -> 10.1.1.5.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select when this option is present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet4): Enter the following, and then click OK:

Zone: Untrust

Static IP: (select when this option is present)

IP Address/Netmask: 1.1.1.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

Static IP: (select when this option is present)

IP Address/Netmask: 1.1.2.1/24

Network > Interfaces > New Loopback IF: Enter the following, and then click OK:

Interface Name: loopback.1

Zone: Untrust (trust-vr)

IP Address/Netmask: 1.1.4.1/24

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.5/32

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 1.1.1.4/32

Zone: Untrust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 1.1.2.4/32

Zone: Untrust

3. Loopback Group
Network > Interfaces > Edit (for ethernet4): Enter the following, and then click OK:

As member of loopback group: (select) loopback.1

Zone Name: Untrust

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

As member of loopback group: (select) loopback.1

Zone Name: Untrust

4. MIP
Network > Interfaces > Edit (for loopback.1) > MIP > New: Enter the following, and then click OK:

Mapped IP: 1.1.4.5

Netmask: 255.255.255.255

Host IP Address: 10.1.1.5

Host Virtual Router Name: trust-vr

5. Blocking
Network > Zones > Edit (for Untrust): Enter the following, and then click OK:

Block Intra-Zone Traffic: (clear)

6. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), proxy

Destination Address:

Address Book Entry: (select), Any

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: Enable

(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), MIP(1.1.4.5)

Service: SIP

Action: Permit

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.2.1/24
set interface ethernet3 route
set interface ethernet4 zone untrust
set interface ethernet4 ip 1.1.1.1/24
set interface ethernet4 route
set interface loopback.1 zone untrust
set interface loopback.1 ip 1.1.4.1/24
set interface loopback.1 route

2. Addresses
set address trust proxy 10.1.1.5/32
set address untrust phone1 1.1.1.4/32
set address untrust phone2 1.1.2.4/32

3. Loopback Group
set interface ethernet4 loopback-group loopback.1
set interface ethernet3 loopback-group loopback.1

4. MIP
set interface loopback.1 mip 1.1.4.5 host 10.1.1.5

5. Blocking
unset zone untrust block

6. Policies
set policy from trust to untrust proxy any sip nat src permit
set policy from untrust to trust any mip(1.1.4.5) sip permit
save

Example: Trust Intrazone

In this example, phone1 is on the ethernet1 interface in the Trust zone, phone2 is on the ethernet2 interface in a subnet in the Trust zone, and the proxy server is on the ethernet3 interface in the Untrust zone. To allow both phones in the Trust zone to communicate with each other, you configure interface DIP on the ethernet3 interface to allow them to contact the proxy server, then set policies to allow bidirectional SIP traffic between the Trust and the Untrust zones. Blocking is off by default in the Trust zone (as it is in custom zones you define).

Figure: phone1 (10.1.1.3) behind ethernet1 (10.1.1.1/24) and phone2 (10.1.2.2) behind ethernet2 (10.1.2.1/24), both on the Trust LAN; ethernet3 (3.3.3.3/24, Interface DIP) faces the Untrust zone and the Internet, where the proxy server (3.3.3.4) is located.

WebUI

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select when this option is present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK :

Interface Mode: NAT

[Figure: NetScreen device with ethernet1 10.1.1.1/24 (Trust zone, phone1 10.1.1.3 on the LAN), ethernet2 10.1.2.1/24 (Trust zone, phone2 10.1.2.2), and ethernet3 3.3.3.3/24 (Untrust zone, interface DIP on ethernet3) connecting through the Internet to the proxy server 3.3.3.4.]

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select when this option is present)

IP Address/Netmask: 10.1.2.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

Static IP: (select when this option is present)

IP Address/Netmask: 3.3.3.3/24

2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: phone1

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.3/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK :

Address Name: phone2

IP Address/Domain Name:

IP/Netmask: (select), 10.1.2.2/24

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: proxy

IP Address/Domain Name:

IP/Netmask: (select), 3.3.3.4/24

Zone: Untrust

3. DIP with Incoming NAT
Network > Interface > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

Incoming NAT: (select)

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), proxy

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: Enable

(DIP on): None (Use Egress Interface IP)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), proxy

Destination Address:

Address Book Entry: (select), Any

Service: SIP

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options:

NAT:

Source Translation: (select)

(DIP on): None (Use Egress Interface IP)

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.2.1/24
set interface ethernet2 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24
set interface ethernet3 route

2. Addresses
set address trust phone1 10.1.1.3/24
set address trust phone2 10.1.2.2/24
set address untrust proxy 3.3.3.4/24

3. Interface DIP
set interface ethernet3 dip interface-ip incoming

4. Policies
set policy from trust to untrust any proxy sip nat src permit
set policy from untrust to trust proxy dip(ethernet3) sip permit
save

Example: Full-Mesh VPN for SIP

In this example, the central office and two branch offices are linked by a full-mesh VPN. Each site has a single NetScreen device. The proxy server is in the Trust zone at the Central Office, phone1 is in the Trust zone at Branch Office One, and phone2 is in the Trust zone at Branch Office Two. All interfaces connecting the devices are in their respective Untrust zones. On each device, you configure two tunnels, one to each other device, to create a fully meshed network.

Note: NetScreen devices used in this example must have four independently configurable interfaces available.

[Figure: Full-mesh VPN for SIP. Central Office: proxy 10.1.3.3 behind ethernet2/8 (Trust zone, 10.1.3.1); ethernet2/1 (1.1.1.1) and ethernet2/2 (1.1.2.1) in the Untrust zone; tunnel.1 (6.6.6.6) and tunnel.2 (7.7.7.7). Branch Office One: phone1 10.1.1.3 behind ethernet1 (Trust zone, 10.1.1.1); ethernet3 (3.3.3.3) and ethernet4 (4.4.4.4) in the Untrust zone; tunnel.2 and tunnel.3 unnumbered. Branch Office Two: phone2 10.1.2.3 behind ethernet1 (Trust zone, 10.1.2.1); ethernet3 (2.2.2.2) and ethernet4 (5.5.5.5) in the Untrust zone; tunnel.1 and tunnel.3 unnumbered. VPN 1 and VPN 2 link the Central Office to Branch-1 and Branch-2; VPN 3 links Branch-1 to Branch-2. Gateway routers sit between the sites. The Untrust zone for each device is not shown.]

WebUI (for Central)

1. Interfaces
Network > Interfaces > Edit (for ethernet2/1)

Network > Interfaces > Edit (for ethernet2/2)

Network > Interfaces > Edit (for ethernet2/8)

Network > Interfaces > New Tunnel IF

2. Address
Objects > Addresses > List > New

3. VPN
VPNs > AutoKey IKE > New: > Advanced

4. Routing
Network > Routing > Routing Entries > New

5. Policies
Policies > (From Untrust to Trust) New

Policies > (From Trust to Untrust) New

Note: In this example, each WebUI section lists only navigational paths, which lead to the pages necessary to configure the device. To see the specific parameters and values you need to set for any WebUI section, refer to the CLI section that follows it.

CLI (for Central)

1. Interfaces
set interface ethernet2/1 zone untrust
set interface ethernet2/1 ip 1.1.1.1/24

set interface ethernet2/2 zone untrust
set interface ethernet2/2 ip 1.1.2.1/24

set interface ethernet2/8 zone trust
set interface ethernet2/8 ip 10.1.1.1/24
set interface ethernet2/8 nat

set interface tunnel.1 zone untrust
set interface tunnel.1 ip 6.6.6.6/24

set interface tunnel.2 zone untrust
set interface tunnel.2 ip 7.7.7.7/24

2. Address
set address trust proxy 10.1.3.3/32

3. VPN
set ike gateway to-branch-1 address 3.3.3.3 main outgoing-interface ethernet2/1 preshare "netscreen" sec-level standard
set ike gateway to-branch-2 address 2.2.2.2 main outgoing-interface ethernet2/2 preshare "netscreen" sec-level standard
set vpn vpn-branch-1 gateway to-branch-1 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-1 id 1 bind interface tunnel.1
set vpn vpn-branch-2 gateway to-branch-2 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-branch-2 id 2 bind interface tunnel.2

4. Routing
set route 10.1.2.0/24 interface tunnel.2
set route 10.1.1.0/24 interface tunnel.1

5. Policies
set policy from untrust to trust any proxy sip permit
set policy from trust to untrust proxy any sip permit
save

WebUI (for Branch Office 2)

1. Interfaces
Network > Interfaces > Edit (for ethernet1)

Network > Interfaces > Edit (for ethernet2)

Network > Interfaces > Edit (for ethernet3)

Network > Interfaces > New Tunnel IF

2. Address
Objects > Addresses > List > New

3. VPN
VPNs > AutoKey IKE > New: > Advanced

4. Routing
Network > Routing > Routing Entries > New

5. Policies
Policies > (From Untrust to Trust) New

Policies > (From Trust to Untrust) New

CLI (for Branch Office 2)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 2.2.2.2/24

set interface ethernet4 zone untrust
set interface ethernet4 ip 5.5.5.5/24

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3

set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4

2. Address
set address trust phone1 10.1.1.3/32

3. VPN
set ike gateway to-central address 1.1.1.1 main outgoing-interface ethernet3 preshare "netscreen" sec-level standard
set ike gateway to-ns50 address 5.5.5.5 main outgoing-interface ethernet4 preshare "netscreen" sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral id 4 bind interface tunnel.1
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 id 5 bind interface tunnel.3

4. Routes
set route 10.1.3.0/24 interface tunnel.1
set route 10.1.2.0/24 interface tunnel.3

5. Policies
set policy from trust to untrust phone1 any sip permit
set policy from untrust to trust any phone1 sip permit
save

WebUI (for Branch Office 1)

1. Interfaces
Network > Interfaces > Edit (for ethernet1)

Network > Interfaces > Edit (for ethernet3)

Network > Interfaces > Edit (for ethernet4)

Network > Interfaces > New Tunnel IF

2. Address
Objects > Addresses > List > New

3. VPN
VPNs > AutoKey IKE > New: > Advanced

4. Routing
Network > Routing > Routing Entries > New

5. Policies
Policies > (From Untrust to Trust) New

Policies > (From Trust to Untrust) New

CLI (for Branch Office 1)

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 3.3.3.3/24

set interface ethernet4 zone untrust
set interface ethernet4 ip 4.4.4.4/24

set interface tunnel.2 zone untrust
set interface tunnel.2 ip unnumbered interface ethernet3

set interface tunnel.3 zone untrust
set interface tunnel.3 ip unnumbered interface ethernet4

2. Address
set address trust phone2 10.1.2.1/32

3. VPN
set ike gateway to-central address 1.1.2.1 main outgoing-interface ethernet3 preshare "netscreen" sec-level standard
set ike gateway to-ns50 address 4.4.4.4 main outgoing-interface ethernet4 preshare "netscreen" sec-level standard
set vpn vpncentral gateway to-central no-replay tunnel idletime 0 sec-level standard
set vpn vpncentral bind interface tunnel.2
set vpn vpn-ns50 gateway to-ns50 no-replay tunnel idletime 0 sec-level standard
set vpn vpn-ns50 bind interface tunnel.3

4. Routes
set route 10.1.1.0/24 interface tunnel.3
set route 10.1.3.0/24 interface tunnel.2

5. Policies
set policy from trust to untrust phone2 any sip permit
set policy from untrust to trust any phone2 sip permit
save

Bandwidth Management for VoIP Services

Juniper Networks recommends the following ways to manage bandwidth for VoIP services, using the standard ScreenOS traffic shaping mechanisms.

• Guarantee bandwidth for VoIP traffic—The most effective way to ensure quality VoIP service, and still allow other types of traffic on the interface, is to create a policy guaranteeing the minimum bandwidth necessary for the amount of VoIP traffic you expect on the interface, and set priority queuing to the highest level. The advantage of this strategy is that VoIP can use additional bandwidth when it is available, and other types of traffic can use bandwidth not guaranteed for VoIP when it is not being used by VoIP.

• Limit bandwidth for non-VoIP traffic—By setting a maximum bandwidth for non-VoIP traffic, you make the remaining bandwidth available to VoIP traffic. You would also set priority queuing to the highest level for VoIP traffic. The disadvantage of this method is that non-VoIP traffic cannot use additional bandwidth, even when it is not being used by VoIP traffic.

• Use priority queuing and Differentiated Services Codepoint (DSCP) marking—Guaranteeing bandwidth for VoIP traffic, and limiting bandwidth for non-VoIP traffic both govern throughput on the NetScreen device. DSCP marking enables you to preserve your priority queuing settings downstream, and to keep or change the received DSCP value set by the originating networking device or upstream router so that the next hop router, typically the LAN or WAN edge router, can enforce Quality of Service (QoS) in its DiffServ domain. By default in VPN configurations, the NetScreen device copies the DSCP marking from the inner header of the IP packet to the outer header, so that the next hop router can enforce the correct QoS on the encrypted traffic. For information about how DSCP works with priority levels in policies, see "Traffic Shaping" on page 315.

The following illustration shows how priority level settings can affect guaranteed bandwidth (gbw) and maximum bandwidth (mbw) usage on an ethernet1 (2 Mbps) interface. The illustration assumes you have determined you need to support at least eight VoIP calls (8 x 64 Kbps bandwidth per call, for a total of 512 Kbps), and occasionally as many as 16 calls. You have guaranteed the remaining bandwidth to general office traffic, and set maximum bandwidth for your office traffic to include bandwidth not guaranteed to VoIP. This creates a 512 Kbps overlap of maximum bandwidth for VoIP and office traffic services, shown by the dashed lines.

The left side of the illustration shows what bandwidth usage with these settings looks like with high office traffic usage on the interface, and low VoIP usage. If VoIP suddenly needs more bandwidth, unless it has a higher priority than the office traffic services, it cannot get it. The right side of the illustration shows what bandwidth usage looks like in the same circumstance when you give VoIP high priority, and set office traffic to a lower priority. For more information about configuring bandwidth and priority levels, see "Traffic Shaping" on page 347.

[Figure: Using Priority Levels with Bandwidth Settings. Left panel, guaranteed and maximum bandwidth settings on the 2 Mbps total bandwidth of ethernet1: VoIP gbw 512 Kbps, mbw 1024 Kbps; Office Traffic gbw 1024 Kbps, mbw 1536 Kbps. Right panel, the same settings after adding priority level settings, with VoIP at the higher priority.]
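The interaction between gbw, mbw and priority that the illustration describes, worked through as an added Python example; this is not ScreenOS code or Juniper's. The allocation rule it implements is a simplification assumed here: every service first receives its guarantee, then spare link capacity is handed out by priority level, with equal priorities served in the order listed (office traffic first, since it is already on the link). `allocate`, `same_priority` and `voip_high_priority` are this example's own helpers reproducing the left and right sides of the figure.

```python
"""Model of how guaranteed bandwidth (gbw), maximum bandwidth (mbw) and priority
interact on one 2 Mbps interface, following the ScreenOS illustration.
Added example, not ScreenOS code. The allocation rule is an assumption made for
the illustration: each service first receives min(demand, gbw); spare link
capacity is then handed out in priority order (0 = highest; equal priority
keeps the listed order), never beyond a service's mbw or its demand."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    gbw: int        # guaranteed bandwidth, Kbps
    mbw: int        # maximum bandwidth, Kbps
    priority: int   # 0 is the highest priority level, 7 the lowest


def allocate(services, demands, link_kbps):
    """Return {service name: Kbps granted} for the offered loads in `demands`."""
    granted = {s.name: min(demands.get(s.name, 0), s.gbw) for s in services}
    spare = link_kbps - sum(granted.values())
    # sorted() is stable, so equal priorities keep their listed order
    for s in sorted(services, key=lambda x: x.priority):
        want_more = min(demands.get(s.name, 0), s.mbw) - granted[s.name]
        extra = max(0, min(want_more, spare))
        granted[s.name] += extra
        spare -= extra
    return granted


LINK = 2048                       # ethernet1, 2 Mbps
VOIP_GBW = 8 * 64                 # 8 calls x 64 Kbps = 512 Kbps guaranteed
VOIP_MBW = 16 * 64                # up to 16 calls = 1024 Kbps
OFFICE_GBW = LINK - VOIP_MBW      # 1024 Kbps: the part VoIP can never take
OFFICE_MBW = LINK - VOIP_GBW      # 1536 Kbps: includes the 512 Kbps overlap


def same_priority(voip_kbps, office_kbps=LINK):
    """Left side of the illustration: office traffic is listed first (already on
    the link) and both services sit at the same priority level."""
    services = [Service("office", OFFICE_GBW, OFFICE_MBW, 7),
                Service("voip", VOIP_GBW, VOIP_MBW, 7)]
    return allocate(services, {"office": office_kbps, "voip": voip_kbps}, LINK)


def voip_high_priority(voip_kbps, office_kbps=LINK):
    """Right side: VoIP at the highest priority level, office traffic lower."""
    services = [Service("office", OFFICE_GBW, OFFICE_MBW, 7),
                Service("voip", VOIP_GBW, VOIP_MBW, 0)]
    return allocate(services, {"office": office_kbps, "voip": voip_kbps}, LINK)


if __name__ == "__main__":
    print("8 calls, same priority :", same_priority(8 * 64))
    print("16 calls, same priority:", same_priority(16 * 64))
    print("16 calls, VoIP high    :", voip_high_priority(16 * 64))
```

With equal priorities, a jump from 8 to 16 calls leaves VoIP at its 512 Kbps guarantee because office traffic already holds the 512 Kbps overlap; giving VoIP the higher priority hands that overlap to VoIP and office traffic falls back to its own 1024 Kbps guarantee.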

Service Groups

A service group is a set of services that you have gathered together under one name. After you create a group containing several services, you can then apply services at the group level to policies, thus simplifying administration.

The NetScreen service group option has the following features:

• Each service book entry can be referenced by one or more service groups.

• Each service group can contain predefined and user-defined service book entries.

Service groups are subject to the following limitations:

• Service groups cannot have the same names as services; therefore, if you have a service named “FTP,” you cannot have a service group named “FTP.”

• If a service group is referenced in a policy, you can edit the group but you cannot remove it until you have first removed the reference to it in the policy.

• If a custom service book entry is deleted from the service book, the entry is also removed from all the groups in which it was referenced.

• One service group cannot contain another service group as a member.

• The all-inclusive service term “ANY” cannot be added to groups.

• A service can be part of only one group at a time.

Example: Creating a Service Group

In this example, you create a service group named grp1 that includes IKE, FTP, and LDAP services.

WebUI

Objects > Services > Groups > New: Enter the following group name, move the following services, and then click OK:

Group Name: grp1

Select IKE and use the << button to move the service from the Available Members column to the Group Members column.

Select FTP and use the << button to move the service from the Available Members column to the Group Members column.

Select LDAP and use the << button to move the service from the Available Members column to the Group Members column.

CLI

set group service grp1
set group service grp1 add ike
set group service grp1 add ftp
set group service grp1 add ldap
save

Note: If you try to add a service to a service group that does not exist, the NetScreen device creates the group. Also, ensure that groups referencing other groups do not include themselves in the reference list.

Example: Modifying a Service Group

In this example, you change the members in the service group named grp1 that you created in “Example: Creating a Service Group” on page 267. You remove IKE, FTP, and LDAP services, and add HTTP, FINGER, and IMAP.

WebUI

Objects > Services > Groups > Edit (for grp1): Move the following services, and then click OK:

Select IKE and use the >> button to move the service from the Group Members column to the Available Members column.

Select FTP and use the >> button to move the service from the Group Members column to the Available Members column.

Select LDAP and use the >> button to move the service from the Group Members column to the Available Members column.

Select HTTP and use the << button to move the service from the Available Members column to the Group Members column.

Select Finger and use the << button to move the service from the Available Members column to the Group Members column.

Select IMAP and use the << button to move the service from the Available Members column to the Group Members column.

CLI

unset group service grp1 clear
set group service grp1 add http
set group service grp1 add finger
set group service grp1 add imap
save

Example: Removing a Service Group

In this example, you delete the service group named “grp1”.

WebUI

Objects > Services > Groups: Click Remove (for grp1).

CLI

unset group service grp1
save

Note: The NetScreen device does not automatically delete a group from which you have removed all members.
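The group rules listed under Service Groups and the three grp1 examples above, as an added Python model that is not ScreenOS code or Juniper's. `ServiceBook` and `replay_grp1_examples` are this example's own names, the predefined service list is a constructed subset of the real service book, and case-insensitive name matching is an assumption of the model. It enforces the limitations a configuration checker would want to catch before a commit: a group named like a service, a nested group, an "ANY" member, and removal of a group a policy still references.

```python
"""Toy model of the ScreenOS service book and service groups. Added example, not
ScreenOS code: it enforces the group rules listed under "Service Groups" (no group
named like a service, no nested groups, no "ANY" member, no removing a group a
policy still references, deleting a service drops it from every group) and the
CLI behaviour from the examples (adding to a missing group creates it; "clear"
empties a group but keeps it). Names are compared case-insensitively, which is
an assumption of this model."""


class ServiceBook:
    def __init__(self, predefined=("ANY", "IKE", "FTP", "LDAP", "HTTP", "FINGER", "IMAP")):
        self.services = {s.upper() for s in predefined}   # service book entries (constructed subset)
        self.groups = {}                                  # group name -> set of member services
        self.policy_refs = {}                             # group name -> referencing policy count

    def add_service(self, name):
        """Add a custom service book entry."""
        name = name.upper()
        if name in self.groups:
            raise ValueError(f"{name}: a service group with this name already exists")
        self.services.add(name)

    def add_to_group(self, group, member):
        """set group service <group> add <member>"""
        group, member = group.upper(), member.upper()
        if group in self.services:
            raise ValueError(f"{group}: a service with this name already exists")
        if member == "ANY":
            raise ValueError('the all-inclusive service "ANY" cannot be added to a group')
        if member in self.groups:
            raise ValueError("a service group cannot contain another service group")
        if member not in self.services:
            raise KeyError(f"unknown service {member}")
        self.groups.setdefault(group, set()).add(member)   # creates the group if it does not exist

    def clear_group(self, group):
        """unset group service <group> clear: empties the group; the group itself remains."""
        self.groups[group.upper()].clear()

    def remove_group(self, group):
        """unset group service <group>"""
        group = group.upper()
        if self.policy_refs.get(group, 0):
            raise ValueError(f"{group} is referenced by a policy; remove that reference first")
        del self.groups[group]

    def delete_service(self, name):
        """Deleting a custom service entry removes it from every group that used it."""
        name = name.upper()
        self.services.discard(name)
        for members in self.groups.values():
            members.discard(name)

    def reference_in_policy(self, group):
        """Record that a policy now uses the group as its service."""
        group = group.upper()
        if group not in self.groups:
            raise KeyError(f"unknown group {group}")
        self.policy_refs[group] = self.policy_refs.get(group, 0) + 1


def replay_grp1_examples():
    """Run the three grp1 examples in order; return members after create, after
    modify, and whether the group still exists after removal."""
    book = ServiceBook()
    for svc in ("ike", "ftp", "ldap"):           # Example: Creating a Service Group
        book.add_to_group("grp1", svc)
    created = set(book.groups["GRP1"])
    book.clear_group("grp1")                     # Example: Modifying a Service Group
    for svc in ("http", "finger", "imap"):
        book.add_to_group("grp1", svc)
    modified = set(book.groups["GRP1"])
    book.remove_group("grp1")                    # Example: Removing a Service Group
    return created, modified, "GRP1" in book.groups


if __name__ == "__main__":
    print(replay_grp1_examples())
```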

DIP POOLS

A dynamic IP (DIP) pool is a range of IP addresses from which the NetScreen device can dynamically or deterministically take addresses to use when performing network address translation on the source IP address (NAT-src) in IP packet headers. (For information about deterministic source address translation, see “NAT-Src from a DIP Pool with Address Shifting” on page 7-24.) If the range of addresses in a DIP pool is in the same subnet as the interface IP address, the pool must exclude the interface IP address, router IP addresses, and any mapped IP (MIP) or virtual IP (VIP) addresses that might also be in that subnet. If the range of addresses is in the subnet of an extended interface, the pool must exclude the extended interface IP address.

There are three kinds of interfaces that you can link to Dynamic IP (DIP) pools: physical interfaces and subinterfaces for network and VPN traffic, and tunnel interfaces for VPN tunnels only.

[Figure: DIP pools on a NetScreen firewall. Physical interfaces ethernet1 (10.10.1.1/24, DIP pool 10.10.1.2–10.10.1.20), ethernet2 (210.10.1.1/24, DIP pool 210.10.1.2–210.10.1.20) and ethernet3 (220.10.1.1/24, DIP pool 220.10.1.2–220.10.1.20) lead to the Trust, DMZ and Untrust zones. Tunnel interfaces (one at 10.20.1.1/24 with DIP pool 10.20.1.2–10.20.1.20, and a second in the 10.30 range with its own pool) lead to VPN tunnels. The physical interfaces lead to networks or VPN tunnels; the tunnel interfaces lead only to VPN tunnels.]
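A check for the pool-placement rules in the paragraph above (the range must lie in the subnet of the interface or of its extended interface, and must exclude the interface IP, router IPs and any MIP or VIP in that subnet), written as an added Python example that is not ScreenOS code or Juniper's. `check_dip_pool`, its `reserved` and `extended_cidr` parameters, and the router and MIP addresses in the sample calls are this example's own constructions; the extended-interface call uses the Office A values from “Example: Using DIP in a Different Subnet” later in this chapter. Treating the network and broadcast addresses as unusable is also an assumption added here.

```python
"""Checks that a proposed DIP pool range obeys the placement rules in the DIP
Pools text: inside the subnet of the interface it is bound to (or of the
extended interface grafted onto it), and excluding the interface IP, the
extended interface IP, router addresses and any MIP/VIP in that subnet.
Added example, not ScreenOS code."""
import ipaddress


def check_dip_pool(interface_cidr, pool_start, pool_end, reserved=(), extended_cidr=None):
    """Return a list of problems; an empty list means the pool is acceptable.

    interface_cidr: the interface IP with mask, e.g. "10.10.1.1/24"
    reserved:       (label, address) pairs for router IPs and MIP/VIP addresses
    extended_cidr:  the extended interface IP with mask, if one is configured
    """
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    if start > end:
        return [f"range start {start} is above range end {end}"]

    # Subnets the pool may live in: the interface's own, or the extended interface's
    homes = [("interface IP", ipaddress.ip_interface(interface_cidr))]
    if extended_cidr:
        homes.append(("extended interface IP", ipaddress.ip_interface(extended_cidr)))
    match = next(((lbl, h) for lbl, h in homes if start in h.network and end in h.network), None)
    if match is None:
        subnets = ", ".join(str(h.network) for _, h in homes)
        return [f"range {start}-{end} is not inside any interface subnet ({subnets})"]
    home_label, home = match

    # Addresses the pool must never hand out when it shares that subnet
    excluded = [(home_label, home.ip)]
    excluded += [(label, ipaddress.ip_address(a)) for label, a in reserved
                 if ipaddress.ip_address(a) in home.network]
    # network and broadcast addresses are never usable hosts (assumption added here)
    excluded += [("network address", home.network.network_address),
                 ("broadcast address", home.network.broadcast_address)]
    return [f"range {start}-{end} includes the {label} {addr}"
            for label, addr in excluded if start <= addr <= end]


def pool_size(pool_start, pool_end):
    """Number of addresses the pool can hand out (1 for a single-address PAT pool)."""
    return int(ipaddress.ip_address(pool_end)) - int(ipaddress.ip_address(pool_start)) + 1


if __name__ == "__main__":
    # The ethernet1 pool from the figure, a deliberately bad pool (constructed
    # router and MIP addresses), and the Office A extended-interface pool.
    print(check_dip_pool("10.10.1.1/24", "10.10.1.2", "10.10.1.20"))
    print(check_dip_pool("10.10.1.1/24", "10.10.1.1", "10.10.1.20",
                         reserved=[("router", "10.10.1.254"), ("MIP", "10.10.1.5")]))
    print(check_dip_pool("195.1.1.1/24", "211.10.1.1", "211.10.1.1",
                         extended_cidr="211.10.1.10/24"))
```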

Port Address Translation

Using Port Address Translation (PAT), multiple hosts can share the same IP address, the NetScreen device maintaining a list of assigned port numbers to distinguish which session belongs to which host. With PAT enabled, up to ~64,500 hosts can share a single IP address.

Some applications, such as NetBIOS Extended User Interface (NetBEUI) and Windows Internet Naming Service (WINS), require specific port numbers and cannot function properly if PAT is applied to them. For such applications, you can specify not to perform PAT (that is, to use a fixed port) when applying DIP. For fixed-port DIP, the NetScreen device hashes the original host IP address and saves it in its host hash table, thus allowing the NetScreen device to associate the right session with each host.

Example: Creating a DIP Pool with PAT

In this example, you want to create a VPN tunnel for users at the local site to reach an FTP server at a remote site. However, the internal networks at both sites use the same private address space of 10.1.1.0/24. To solve the problem of overlapping addresses, you create a tunnel interface in the Untrust zone on the local NetScreen device, assign it IP address 10.10.1.1/24, and associate it with a DIP pool with a range of one address (10.10.1.2–10.10.1.2) and port address translation enabled.

The admin at the remote site must also create a tunnel interface with an IP address in a neutral address space, such as 10.20.2.1/24, and set up a Mapped IP (MIP) address to its FTP server, such as 10.20.2.5 to host 10.1.1.5.

WebUI

Network > Interfaces > New Tunnel IF: Enter the following, and then click OK:

Tunnel Interface Name: tunnel.1

Zone (VR): Untrust (trust-vr)

Fixed IP: (select)

IP Address / Netmask: 10.10.1.1/24

Note: This example includes only the configuration of the tunnel interface and its accompanying DIP pool. For a complete example showing all the configuration steps necessary for this scenario, see “VPN Sites with Overlapping Addresses” on page 5-201.

Network > Interfaces > Edit (for tunnel.1) > DIP > New: Enter the following, and then click OK:

ID: 5 (see footnote 10)

IP Address Range: 10.10.1.2 ~ 10.10.1.2

Port Translation: (select)

In the same subnet as the interface IP or its secondary IPs: (select)

CLI

set interface tunnel.1 zone untrust-tun
set interface tunnel.1 ip 10.10.1.1/24
set interface tunnel.1 dip 5 10.10.1.2 10.10.1.2
save

10. You can use the ID number displayed, which is the next available number sequentially, or type a different number.

Note: Because PAT is enabled by default, there is no argument for enabling it. To create the same DIP pool as defined above but without PAT (that is, with fixed port numbers), do the following:

• (WebUI) Network > Interfaces > Edit (for tunnel.1) > DIP > New: Clear the Port Translation check box, and then click OK.

• (CLI) set interface tunnel.1 dip 5 10.10.1.2 10.10.1.2 fix-port

Example: Modifying a DIP Pool

In this example, you change the range of addresses in an existing DIP pool (ID 5) from 10.20.1.2 – 10.20.1.2 to 10.20.1.2 – 10.20.1.10. This DIP pool is associated with tunnel.1. Note that to change the DIP pool range through the CLI, you must first remove (or unset) the existing dip pool and then create a new pool.

WebUI

Network > Interfaces > Edit (for tunnel.1) > DIP > Edit (for ID 5): Enter the following, and then click OK:

IP Address Range: 10.20.1.2 ~ 10.20.1.10

CLI

unset interface tunnel.1 dip 5
set interface tunnel.1 dip 5 10.20.1.2 10.20.1.10
save

Note: There are no policies using this particular DIP pool. If a policy uses a DIP pool, you must first delete the policy or modify it to not use the DIP pool before you can modify the DIP pool.

Sticky DIP Addresses

When a host initiates several sessions that match a policy requiring network address translation (NAT) and is assigned an address from a DIP pool with port translation enabled (see footnote 11), the NetScreen device assigns a different source IP address for each session. Such random address assignment can be problematic for services that create multiple sessions that require the same source IP address for each session.

For example, it is important to have the same IP address for multiple sessions when using the AOL Instant Messaging (AIM) client. You create one session when you log in, and another for each chat. For the AIM server to verify that a new chat belongs to an authenticated user, it must match the source IP address of the login session with that of the chat session. If they are different—possibly because they were randomly assigned from a DIP pool during the NAT process—the AIM server rejects the chat session.

11. For DIP pools that do not perform port translation, the NetScreen device assigns one IP address for all concurrent sessions from the same host.

To ensure that the NetScreen device assigns the same IP address from a DIP pool to a host for multiple concurrent sessions, you can enable the “sticky” DIP address feature by entering the CLI command set dip sticky.
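The three DIP behaviours described in this section (PAT with a fresh address per session, PAT with sticky addresses, and fixed-port hashing) and the AIM login-plus-chat case, as an added Python model that is not ScreenOS code or Juniper's. `DipPool`, `aim_login_and_chat`, the 1024 to 65535 translated-port range, and the round-robin address choice (standing in for the random choice the text describes, so that results are reproducible) are this example's own assumptions; the two-address pool in the usage is constructed.

```python
"""Model of how a DIP pool assigns source addresses under the three modes the
text describes: PAT (new address per session, port rewritten), PAT with the
sticky option (one address per host, ports still rewritten), and fix-port
(one address per host chosen by hashing the host address, port unchanged).
Added example, not ScreenOS code. ScreenOS picks pool addresses randomly; this
model cycles through them so that the outcome is reproducible (an assumption)."""
import hashlib
import ipaddress
import itertools


class DipPool:
    PORT_LO, PORT_HI = 1024, 65535   # translated port range assumed for the model

    def __init__(self, pool_id, first, last, pat=True, sticky=False):
        lo, hi = int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last))
        self.id = pool_id
        self.addrs = [ipaddress.ip_address(n) for n in range(lo, hi + 1)]
        self.pat, self.sticky = pat, sticky
        self._cycle = itertools.cycle(self.addrs)
        self._next_port = {a: self.PORT_LO for a in self.addrs}
        self.host_table = {}      # original host -> pool address (sticky and fix-port)
        self.sessions = {}        # (host, original port) -> (pool address, translated port)

    @classmethod
    def capacity_per_address(cls):
        """Sessions one pool address can carry with PAT: the "~64,500" in the text."""
        return cls.PORT_HI - cls.PORT_LO + 1

    def translate(self, host, port):
        """Return the (source address, source port) written into a new session's packets."""
        host = ipaddress.ip_address(host)
        if not self.pat:
            # fix-port: hash the host address into the pool, keep the original port
            idx = int.from_bytes(hashlib.sha256(host.packed).digest(), "big") % len(self.addrs)
            dip = self.host_table.setdefault(host, self.addrs[idx])
            if any(v == (dip, port) and k[0] != host for k, v in self.sessions.items()):
                raise RuntimeError(f"fixed-port collision on {dip}:{port}")
            self.sessions[(host, port)] = (dip, port)
            return dip, port
        if self.sticky and host in self.host_table:
            dip = self.host_table[host]          # same address for every session of this host
        else:
            dip = next(self._cycle)              # a (pseudo-)random pick per session
            if self.sticky:
                self.host_table[host] = dip
        new_port = self._next_port[dip]
        if new_port > self.PORT_HI:
            raise RuntimeError(f"PAT port range exhausted on {dip}")
        self._next_port[dip] = new_port + 1
        self.sessions[(host, port)] = (dip, new_port)
        return dip, new_port


def aim_login_and_chat(pool, host="10.1.1.5"):
    """The AIM case from the text: a login session, then a chat session from the
    same host. True when both leave the device with the same source address."""
    login_ip, _ = pool.translate(host, 40000)
    chat_ip, _ = pool.translate(host, 40001)
    return login_ip == chat_ip


if __name__ == "__main__":
    two = ("10.10.1.2", "10.10.1.3")   # constructed two-address pool
    print("PAT          :", aim_login_and_chat(DipPool(5, *two)))
    print("PAT + sticky :", aim_login_and_chat(DipPool(5, *two, sticky=True)))
    print("fix-port     :", aim_login_and_chat(DipPool(5, *two, pat=False)))
```

With a pool of more than one address, plain PAT can split a host's sessions across addresses and the AIM server sees two different sources; the sticky option keeps the host on one address while still rewriting ports, and fix-port keeps both the address (one per host) and the original port, which is what NetBEUI and WINS need.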

Extended Interface and DIP

If circumstances require that the source IP address in outbound firewall traffic be translated to an address in a different subnet from that of the egress interface, you can use the extended interface option. This option allows you to graft a second IP address and an accompanying DIP pool onto an interface that is in a different subnet. You can then enable NAT on a per-policy basis and specify the DIP pool built on the extended interface for the translation.

Example: Using DIP in a Different Subnet

In this example, two branch offices have leased lines to a central office. The central office requires them to use only the authorized IP addresses it has assigned them. However, the offices receive different IP addresses from their ISPs for Internet traffic. For communication with the central office, you use the extended interface option to configure the NetScreen device in each branch office to translate the source IP address in packets it sends to the central office to the authorized address. The authorized and assigned IP addresses for branch offices A and B are as follows:

            Assigned IP Address (from ISP)              Authorized IP Address (from Central Office)
            Used for Untrust Zone Physical Interface    Used for Untrust Zone Extended Interface DIP
Office A    195.1.1.1/24                                211.10.1.1/24
Office B    201.1.1.1/24                                211.20.1.1/24

The NetScreen devices at both sites have a Trust zone and an Untrust zone. All security zones are in the trust-vr routing domain. You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24. You bind ethernet3 to the Untrust zone and give it the IP address assigned by the ISPs: 195.1.1.1/24 for Office A and 201.1.1.1/24 for Office B. You then create an extended interface with a DIP pool containing the authorized IP address on ethernet3:

• Office A: extended interface IP 211.10.1.10/24; DIP pool 211.10.1.1 – 211.10.1.1; PAT enabled

• Office B: extended interface IP 211.20.1.10/24; DIP pool 211.20.1.1 – 211.20.1.1; PAT enabled

You set the Trust zone interface in NAT mode. It uses the Untrust zone interface IP address as its source address in all outbound traffic except for traffic sent to the central office. You configure a policy to the central office that translates the source address to an address in the DIP pool in the extended interface. (The DIP pool ID number is 5. It contains one IP address, which, with port address translation, can handle sessions for ~64,500 hosts.) The MIP address that the central office uses for inbound traffic is 200.1.1.1, which you enter as “HQ” in the Untrust zone address book on each NetScreen device.

Note: Each ISP must set up a route for traffic destined to a site at the end of a leased line to use that leased line. The ISPs route any other traffic they receive from a local NetScreen device to the Internet.

[Figure: Branch offices A and B, each with a Trust zone (ethernet1, 10.1.1.1/24) and an Untrust zone (ethernet3). Office A: the ISP assigns 195.1.1.1/24 on the physical interface, HQ authorizes 211.10.1.1/24 on the extended interface, default gateway 195.1.1.254. Office B: the ISP assigns 201.1.1.1/24 on the physical interface, HQ authorizes 211.20.1.1/24 on the extended interface, default gateway 201.1.1.254. Each office reaches the Internet through its ISP; leased lines connect branch offices A and B directly to the Central Office (HQ, 200.1.1.1).]

WebUI (Branch Office A)

1. Interfaces
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 195.1.1.1/24

Interface Mode: Route

Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

ID: 5

IP Address Range: 211.10.1.1 ~ 211.10.1.1

Port Translation: (select)

Extended IP/Netmask: 211.10.1.10/255.255.255.0

2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: HQ

IP Address/Domain Name:

IP/Netmask: (select), 200.1.1.1/32

Zone: Untrust

3. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP address: 195.1.1.254

4. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: ANY

Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), HQ

Service: ANY

Action: Permit

Position at Top: (select)


> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

DIP On: (select), 5 (211.10.1.1-211.10.1.1)/X-late

WebUI (Branch Office B)

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 201.1.1.1/24

Interface Mode: Route

Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

ID: 5

IP Address Range: 211.20.1.1 ~ 211.20.1.1

Port Translation: (select)

Extended IP/Netmask: 211.20.1.10/255.255.255.0


2. Address

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: HQ

IP Address/Domain Name:

IP/Netmask: (select), 200.1.1.1/32

Zone: Untrust

3. Route

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP address: 201.1.1.254

4. Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: ANY

Action: Permit


Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), HQ

Service: ANY

Action: Permit

Position at Top: (select)

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

DIP On: (select), 5 (211.20.1.1-211.20.1.1)/X-late

CLI (Branch Office A)

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 195.1.1.1/24
set interface ethernet3 route
set interface ethernet3 ext ip 211.10.1.10 255.255.255.0 dip 5 211.10.1.1 211.10.1.1

2. Address

set address untrust hq 200.1.1.1/32


3. Route

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 195.1.1.254

4. Policies

set policy from trust to untrust any any any permit
set policy top from trust to untrust any hq any nat src dip-id 5 permit
save

CLI (Branch Office B)

1. Interfaces

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet3 zone untrust
set interface ethernet3 ip 201.1.1.1/24
set interface ethernet3 route
set interface ethernet3 ext ip 211.20.1.10 255.255.255.0 dip 5 211.20.1.1 211.20.1.1

2. Address

set address untrust hq 200.1.1.1/32

3. Route

set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.1.1.254

4. Policies

set policy from trust to untrust any any any permit
set policy top from trust to untrust any hq any nat src dip-id 5 permit
save


Loopback Interface and DIP

A loopback interface is a logical interface that is always in the up state as long as the device on which it resides is up12. You can create a pool of dynamic IP (DIP) addresses on a loopback interface so that it can be accessed by the group of interfaces belonging to its associated loopback interface group when performing source address translation. The addresses that the NetScreen device draws from such a DIP pool are in the same subnet as the loopback interface IP address, not in the subnet of any of the member interfaces. (Note that the addresses in the DIP pool must not overlap with the interface IP address or any MIP addresses also defined on the loopback interface.)

The primary application for putting a DIP pool on a loopback interface is to translate source addresses to the same address or range of addresses although different packets might use different egress interfaces.

12. For information about loopback interfaces, see “Loopback Interfaces” on page 74.

[Figure: Source Address Translation Using a DIP Pool on a Loopback Interface. Loopback interface loopback.1 (1.3.3.1/30) carries DIP pool 1.3.3.2 – 1.3.3.2. Host A (10.1.1.5) and Host B (10.1.1.6) behind ethernet1 (10.1.1.1/24) send packets to destination 2.2.2.2; one leaves through ethernet2 (1.1.1.1/24), the other through ethernet3 (1.2.2.1/24). Both leave with source IP 1.3.3.2.]

Regardless of the egress interface, the NetScreen device translates the source IP addresses to the address in the DIP pool defined on the loopback.1 interface.


Example: DIP on a Loopback Interface

In this example, the NetScreen device receives the following IP addresses for two Untrust zone interfaces from different Internet service providers (ISPs): ISP-1 and ISP-2:

• ethernet2, 1.1.1.1/24, ISP-1

• ethernet3, 1.2.2.1/24, ISP-2

You bind these interfaces to the Untrust zone and then assign them the above IP addresses. You also bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.

You want the NetScreen device to translate the source address in outbound traffic from the Trust zone to a remote office in the Untrust zone. The translated address must be the same IP address (1.3.3.2) because the remote office has a policy permitting inbound traffic only from that IP address. You have previously obtained the public IP addresses 1.3.3.1 and 1.3.3.2 and have notified both ISPs that you are using these addresses in addition to the addresses that they assign the device.

You configure a loopback interface loopback.1 with the IP address 1.3.3.1/30 and a DIP pool of 1.3.3.2 – 1.3.3.2 on that interface. The DIP pool has ID number 10. You then make the two egress interfaces, ethernet2 and ethernet3, members of the loopback group for loopback.1. (The Trust zone interface ethernet1 is not a member: the pool is consulted for traffic leaving the device, and the loopback group must therefore contain every interface that traffic to the remote office can leave through.)

You define an address for the remote office named “r-office” with IP address 2.2.2.2/32. You also define default routes for both the ethernet2 and ethernet3 interfaces pointing to the routers for ISP-1 and ISP-2 respectively.

You define routes to two gateways for outbound traffic to use. Because you do not prefer one route over the other, you do not include any metrics in the routes. Outbound traffic might follow either route13.

Finally, you create a policy applying source network address translation (NAT-src) to outbound traffic to the remote office. The policy references DIP pool ID 10.

13. To indicate a route preference, include metrics in both routes, giving your preferred route the better metric, that is, the lower value (closer to 1). ScreenOS selects the route with the lower metric.

[Figure: Trust Zone 10.1.1.0/24 behind ethernet1 (10.1.1.1/24, NAT mode). Untrust Zone: loopback.1 1.3.3.1/30 carrying DIP Pool ID 10 (1.3.3.2 – 1.3.3.2); ethernet2 1.1.1.1/24 with gateway 1.1.1.250 (ISP-1); ethernet3 1.2.2.1/24 with gateway 1.2.2.250 (ISP-2); remote office r-office 2.2.2.2. A packet from source 10.1.1.X to destination 2.2.2.2 leaves with source 1.3.3.2. The NetScreen device translates all source IP addresses in packets destined for 2.2.2.2 from 10.1.1.X to 1.3.3.2, regardless of the egress interface.]

WebUI

1. Interfaces

Network > Interfaces > New Loopback IF: Enter the following, and then click OK:

Interface Name: loopback.1

Zone: Untrust (trust-vr)

IP Address/Netmask: 1.3.3.1/30

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24


Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:

As member of loopback group: loopback.1

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

Interface Mode: Route

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

As member of loopback group: loopback.1

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.2.2.1/24

Interface Mode: Route

2. DIP Pool

Network > Interfaces > Edit (for loopback.1) > DIP > New: Enter the following, and then click OK:

ID: 10

IP Address Range: 1.3.3.2 ~ 1.3.3.2

Port Translation: (select)

3. Address

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: r-office

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.2/32

Zone: Untrust


4. Routes

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet2

Gateway IP address: 1.1.1.250

Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP address: 1.2.2.250

5. Policy

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), r-office

Service: ANY

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

DIP On: (select), 10 (1.3.3.2-1.3.3.2)/port-xlate


CLI

1. Interfaces

set interface loopback.1 zone untrust
set interface loopback.1 ip 1.3.3.1/30

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet2 zone untrust
set interface ethernet2 ip 1.1.1.1/24
set interface ethernet2 loopback-group loopback.1

set interface ethernet3 zone untrust
set interface ethernet3 ip 1.2.2.1/24
set interface ethernet3 loopback-group loopback.1

2. DIP Pool

set interface loopback.1 dip 10 1.3.3.2 1.3.3.2

3. Address

set address untrust r-office 2.2.2.2/32

4. Routes

set vrouter trust-vr route 0.0.0.0/0 interface ethernet2 gateway 1.1.1.250
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.2.2.250

5. Policy

set policy from trust to untrust any r-office any nat src dip-id 10 permit
save


DIP Groups

When you group two NetScreen devices into a redundant cluster to provide high availability (HA) in an active/active configuration, both devices share the same configuration and both process traffic simultaneously. A problem can arise when you define a policy to perform network address translation (NAT) using a DIP pool located on one VSI. Because that VSI is active only on the NetScreen device acting as the master of the VSD group to which the VSI is bound, any traffic sent to the other NetScreen device—the one acting as the backup of that VSD group—cannot use that DIP pool and is dropped.14

[Figure: NSRP cluster of Device A (master of VSD group 0, backup of VSD group 1) and Device B (master of VSD group 1, backup of VSD group 0). Trust zone VSIs: ethernet1 10.1.1.1/24 (VSD group 0) and ethernet1:1 10.1.1.2/24 (VSD group 1). Untrust zone VSIs: ethernet3 1.1.1.1/24 (VSD group 0) and ethernet3:1 1.1.1.2/24 (VSD group 1). DIP Pool ID 7 (1.1.1.101 – 1.1.1.150) is defined on ethernet3:1 only.]

Problematic use of a DIP pool in a policy when in an NSRP cluster:

set policy name out-nat from trust to untrust any any any nat src dip-id 7 permit

Because the DIP pool is located on the Untrust zone VSI for VSD group 1 (of which Device B is the master), Device A (the backup of VSD group 1) drops traffic that it receives at ethernet1 (10.1.1.1/24) matching policy “out-nat”.


To solve this problem, you can create two DIP pools—one on the Untrust zone VSI for each VSD group—and combine the two DIP pools into one DIP group, which you reference in the policy. Each VSI uses its own DIP pool even though the policy specifies the DIP group.

Note: For more information about setting up NetScreen devices for HA, see Volume 10, “High Availability”.

[Figure: The same NSRP cluster. DIP Pool ID 7 (1.1.1.101 – 1.1.1.150) on ethernet3:1 (VSD group 1) and DIP Pool ID 8 (1.1.1.151 – 1.1.1.200) on ethernet3 (VSD group 0) are combined into DIP Group 9.]

By combining the DIP pools located on both Untrust zone VSIs (for VSD groups 0 and 1) into one DIP group, Devices A and B can both process traffic matching policy “out-nat”, which references not an interface-specific DIP pool but the shared DIP group.

Recommended use of a DIP group in a policy when in an NSRP cluster:

set policy name out-nat from trust to untrust any any any nat src dip-id 9 permit


Example: DIP Group

In this example, you provide NAT services on two NetScreen devices (Devices A and B) in an active/active HA pair.

You create two DIP pools—DIP 5 (1.1.1.20 – 1.1.1.29) on ethernet3 and DIP 6 (1.1.1.30 – 1.1.1.39) on ethernet3:1. You then combine them into a DIP group identified as DIP 7, which you reference in a policy.

The VSIs for VSD groups 0 and 1 are as follows:

• Untrust zone VSI ethernet3 1.1.1.1/24 (VSD group 0)

• Untrust zone VSI ethernet3:1 1.1.1.2/24 (VSD group 1)

• Trust zone VSI ethernet1 10.1.1.1/24 (VSD group 0)

• Trust zone VSI ethernet1:1 10.1.1.2/24 (VSD group 1)

This example assumes that you have already set up Devices A and B in an NSRP cluster, created VSD group 1 (NetScreen automatically creates VSD group 0 when you put a device in an NSRP cluster), and configured the above interfaces. (For information about configuring NetScreen devices for NSRP, refer to Volume 10, “High Availability”.)

WebUI

1. DIP Pools

Network > Interfaces > Edit (for ethernet3) > DIP > New: Enter the following, and then click OK:

ID: 5

IP Address Range: 1.1.1.20 – 1.1.1.29

Port Translation: (select)

Network > Interfaces > Edit (for ethernet3:1) > DIP > New: Enter the following, and then click OK:

ID: 6

IP Address Range: 1.1.1.30 – 1.1.1.39

Port Translation: (select)

Note: At the time of this release, you can only define a DIP group through the CLI.


2. Policy

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: ANY

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

NAT:

Source Translation: (select)

DIP On: (select), 7

CLI

1. DIP Pools

set interface ethernet3 dip 5 1.1.1.20 1.1.1.29
set interface ethernet3:1 dip 6 1.1.1.30 1.1.1.39

2. DIP Groups

set dip group 7 member 5
set dip group 7 member 6

3. Policy

set policy from trust to untrust any any any nat src dip-id 7 permit
save
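The loopback example and the DIP group example above both come down to one question: which pool, if any, is allowed to translate a given packet. The following Python model is an added illustration, not code from this guide or from ScreenOS. It assumes the loopback-group membership, the VSI-to-VSD-group mapping and the pool ranges of the two examples; its fix-port branch (Port Translation unchecked, one pool address per internal host) is an assumption about pool behaviour rather than something the guide states here.

```python
"""NAT-src selection with DIP pools, a loopback group and a DIP group.

Added example, not code from the ScreenOS guide or from ScreenOS itself.  It
models only the selection behaviour the examples above describe; the fix-port
(Port Translation unchecked) branch is an assumed behaviour, not one stated here.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed topology, copied from the two examples above.
LOOPBACK_GROUPS = {"loopback.1": {"ethernet2", "ethernet3"}}  # set interface ... loopback-group
VSD_OF_IFACE = {"ethernet3": 0, "ethernet3:1": 1}              # VSI -> VSD group (NSRP example)


@dataclass
class DipPool:
    dip_id: int
    iface: str                 # interface (or loopback) the pool is defined on
    first: str
    last: str
    port_xlate: bool = True    # WebUI "Port Translation: (select)"
    next_port: dict = field(default_factory=dict)  # pool ip -> next free source port
    fixed: dict = field(default_factory=dict)      # src ip -> pool ip when fix-port

    def addresses(self):
        lo, hi = int(ip_address(self.first)), int(ip_address(self.last))
        return [str(ip_address(n)) for n in range(lo, hi + 1)]

    def allocate(self, src_ip, src_port):
        """Pick the translated (ip, port) for a new session from this pool."""
        if self.port_xlate:
            # Many hosts share one pool address; flows are told apart by the new port.
            ip = min(self.addresses(), key=lambda a: self.next_port.get(a, 1024))
            port = self.next_port.get(ip, 1024)
            self.next_port[ip] = port + 1
            return ip, port
        # fix-port: the source port is kept, so each internal host needs its own address.
        if src_ip not in self.fixed:
            free = [a for a in self.addresses() if a not in self.fixed.values()]
            if not free:
                raise RuntimeError(f"DIP {self.dip_id} exhausted: no free fix-port address")
            self.fixed[src_ip] = free[0]
        return self.fixed[src_ip], src_port


def pool_usable(pool, egress_iface):
    """A pool serves a packet if it sits on the egress interface itself or on a
    loopback interface whose loopback group contains the egress interface."""
    return pool.iface == egress_iface or egress_iface in LOOPBACK_GROUPS.get(pool.iface, ())


def nat_src(pool, src_ip, src_port, egress_iface):
    """Translated (ip, port), or None when the pool is unusable on that egress (dropped)."""
    return pool.allocate(src_ip, src_port) if pool_usable(pool, egress_iface) else None


@dataclass
class DipGroup:
    dip_id: int
    members: list              # DipPool objects on the VSIs of different VSD groups

    def pool_on(self, master_vsds):
        """On an NSRP member, resolve the group to the pool whose VSI belongs to a VSD
        group this device is master of; None means the device drops the traffic."""
        for pool in self.members:
            if VSD_OF_IFACE.get(pool.iface) in master_vsds:
                return pool
        return None


def demo_loopback():
    """Loopback example: the remote office sees 1.3.3.2 whichever ISP link is used."""
    pool10 = DipPool(10, "loopback.1", "1.3.3.2", "1.3.3.2")
    pool_eth2 = DipPool(4, "ethernet2", "1.1.1.10", "1.1.1.10")  # constructed contrast
    return [
        nat_src(pool10, "10.1.1.5", 40000, "ethernet2"),     # Host A routed via ISP-1
        nat_src(pool10, "10.1.1.6", 40001, "ethernet3"),     # Host B routed via ISP-2
        nat_src(pool_eth2, "10.1.1.5", 40000, "ethernet3"),  # pool on ethernet2, egress ethernet3
    ]


def demo_fix_port():
    """Without port translation a two-address pool serves only two internal hosts."""
    pool = DipPool(8, "ethernet3", "1.1.1.151", "1.1.1.152", port_xlate=False)
    out = [nat_src(pool, h, 5000, "ethernet3") for h in ("10.1.1.5", "10.1.1.6")]
    try:
        nat_src(pool, "10.1.1.7", 5000, "ethernet3")
    except RuntimeError:
        out.append("exhausted")
    return out


def demo_nsrp():
    """DIP group example: DIP 7 = {DIP 5 on ethernet3, DIP 6 on ethernet3:1}."""
    group7 = DipGroup(7, [DipPool(5, "ethernet3", "1.1.1.20", "1.1.1.29"),
                          DipPool(6, "ethernet3:1", "1.1.1.30", "1.1.1.39")])
    on_a = group7.pool_on({0})  # Device A is master of VSD group 0
    on_b = group7.pool_on({1})  # Device B is master of VSD group 1
    only6 = DipGroup(0, [group7.members[1]]).pool_on({0})  # pool 6 referenced alone, on Device A
    return on_a.dip_id, on_b.dip_id, only6
```

The third entry of demo_loopback is the case the loopback interface exists to avoid: a pool tied to ethernet2 cannot translate a packet that the route lookup sends out of ethernet3, so the packet is dropped. demo_nsrp shows why the policy should reference the group rather than pool 6 directly: on Device A, which is only master of VSD group 0, pool 6 resolves to nothing.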


SCHEDULES

A schedule is a configurable object that you can associate with one or more policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security.

When you define a schedule, enter values for the following parameters:

Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.

Comment: Any additional information that you want to add.

Recurring: Enable this when you want the schedule to repeat on a weekly basis.

Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.

Once: Enable this when you want the schedule to start and end only once.

mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.

Example: Recurring Schedule

In this example, there is a short-term employee named Tom who is using the company’s Internet access for personal pursuits after work. You create a schedule for non-business hours that you can then associate with a policy to deny outbound HTTP traffic from that worker’s computer (10.1.1.5/32) outside of regular business hours.

WebUI

1. ScheduleObjects > Schedules > New: Enter the following, and then click OK :

Schedule Name: After Hours

Comment: For non-business hours

Recurring: (select)


Period 1:

Week Day     Start Time   End Time
Sunday       00:00        23:59
Monday       00:00        06:00
Tuesday      00:00        06:00
Wednesday    00:00        06:00
Thursday     00:00        06:00
Friday       00:00        06:00
Saturday     00:00        23:59

Period 2:

Week Day     Start Time   End Time
Sunday       17:00        23:59
Monday       17:00        23:59
Tuesday      17:00        23:59
Wednesday    17:00        23:59
Thursday     17:00        23:59
Friday       17:00        23:59
Saturday     17:00        23:59


2. AddressObjects > Addresses > List > New: Enter the following, and then click OK :

Address Name: Tom

Comment: Temp

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.5/32

Zone: Trust

3. Policy

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: No Net

Source Address:

Address Book Entry: (select), Tom

Destination Address:

Address Book Entry: (select), Any

Service: HTTP

Action: Deny

Schedule: After Hours


CLI

1. Schedule

set schedule “after hours” recurrent sunday start 00:00 stop 23:59
set schedule “after hours” recurrent monday start 00:00 stop 06:00 start 17:00 stop 23:59
set schedule “after hours” recurrent tuesday start 00:00 stop 06:00 start 17:00 stop 23:59
set schedule “after hours” recurrent wednesday start 00:00 stop 06:00 start 17:00 stop 23:59
set schedule “after hours” recurrent thursday start 00:00 stop 06:00 start 17:00 stop 23:59
set schedule “after hours” recurrent friday start 00:00 stop 06:00 start 17:00 stop 23:59
set schedule “after hours” recurrent saturday start 00:00 stop 23:59 comment “for non-business hours”

2. Address

set address trust tom 10.1.1.5/32 “temp”

3. Policy

set policy from trust to untrust tom any http deny schedule “after hours”
save

Chapter 6

Policies

The default behavior of a NetScreen device is to deny all traffic between security zones (interzone traffic)1 and—except for traffic within the Untrust zone—allow all traffic between interfaces bound to the same zone (intrazone traffic). To permit selected interzone traffic to cross a NetScreen device you must create interzone policies that override the default behavior. Similarly, to prevent selected intrazone traffic from crossing a NetScreen device, you must create intrazone policies.

This chapter describes what policies do and how the various elements that comprise a policy are related. It is divided into the following sections:

• “Basic Elements” on page 299

• “Three Types of Policies” on page 300

– “Interzone Policies” on page 300

– “Intrazone Policies” on page 301

– “Global Policies” on page 301

• “Policy Set Lists” on page 302

• “Policies Defined” on page 303

– “Policies and Rules” on page 303

– “Anatomy of a Policy” on page 305

• “Policies Applied” on page 317

– “Viewing Policies” on page 317

– “Creating Policies” on page 319

– “Entering a Policy Context” on page 336

1. By default, the NetScreen-5XP and NetScreen-5XT permit traffic from the Trust zone to the Untrust zone.


– “Multiple Items per Policy Component” on page 337

– “Address Negation” on page 338

– “Modifying and Disabling Policies” on page 342

– “Policy Verification” on page 343

– “Reordering Policies” on page 344

– “Removing a Policy” on page 345

Note: If you configure multicast routing on a NetScreen device, you might have to configure multicast policies. For information about multicast policies, see “Multicast Policies” on page 6-204.


BASIC ELEMENTS

A policy permits, denies, or tunnels2 specified types of traffic unidirectionally between two points. The type of traffic (or “service”), the location of the two endpoints, and the invoked action compose the basic elements of a policy. Although there can be other components, the required elements, which together constitute the core section of a policy, are as follows:

• Direction – The direction of traffic between two security zones (from a source zone to a destination zone)

• Source address – The address from which traffic initiates

• Destination address – The address to which traffic is sent

• Service – The type of traffic transmitted

• Action – The action that the NetScreen device performs when it receives traffic meeting the first four criteria: deny, permit, reject, or tunnel

For example, the policy stated in the following CLI command permits FTP traffic from any address in the Trust zone to an FTP server named “server1” in the Untrust zone:

set policy from trust to untrust any server1 ftp permit

• Direction: from trust to untrust (that is, from the Trust zone to the Untrust zone)

• Source Address: any (that is, any address in the Trust zone. The term “any” stands for a predefined address that applies to any address in a zone)

• Destination Address: server1 (a user-defined address in the Untrust zone address book)

• Service: ftp (File Transfer Protocol)

• Action: permit (the NetScreen device permits this traffic to traverse its firewall)

2. The “tunnel” action—(VPN or L2TP tunnel)—contains the concept of “permit” implicitly.


THREE TYPES OF POLICIES

You can control the flow of traffic through the following three kinds of policies:

• Through the creation of interzone policies, you can regulate the kind of traffic that you want to permit from one security zone to another.

• Through the creation of intrazone policies, you can also control the kind of traffic that you want to permit to cross interfaces bound to the same zone.

• Through the creation of global policies, you can regulate traffic between addresses, regardless of their security zones.

Interzone Policies

Interzone policies provide traffic control between security zones. You can set interzone policies to deny, permit, reject, or tunnel traffic from one zone to another. Using stateful inspection techniques, a NetScreen device maintains a table of active TCP sessions and active UDP “pseudo” sessions so that it can allow replies to service requests. For example, if you have a policy allowing HTTP requests from host A in the Trust zone to server B in the Untrust zone, when the NetScreen device receives HTTP replies from server B to host A, the NetScreen device checks the received packet against its table. Finding the packet to be a reply to an approved HTTP request, the NetScreen device allows the packet from server B in the Untrust zone to cross the firewall to host A in the Trust zone. To permit traffic initiated by server B to host A (not just replies to traffic initiated by host A), you must create a second policy from server B in the Untrust zone to host A in the Trust zone.

[Figure: Host A in the Trust zone sends an HTTP request through the NetScreen device to server B in the Untrust zone under the policy

set policy from trust to untrust “host A” “server B” http permit

and the HTTP reply from server B is passed back to host A. Note: The NetScreen device rejects an HTTP request initiated by server B because there is no policy permitting it.]


Intrazone Policies

Intrazone policies provide traffic control between interfaces bound to the same security zone. The source and destination addresses are in the same security zone, but reached via different interfaces on the NetScreen device. Like interzone policies, intrazone policies control traffic flowing unidirectionally. To allow traffic initiated at either end of a data path, you must create two policies—one policy for each direction.

Intrazone policies do not support VPN tunnels or source network address translation (NAT-src) when it is set at the interface level (set interface interface nat). However, intrazone policies do support policy-based NAT-src and NAT-dst. They also support destination address translation when the policy references a mapped IP (MIP) as the destination address. (For information about NAT-src, NAT-dst, and MIPs, see Volume 7, “Address Translation”.)

[Figure: Host A (10.1.1.5) on LAN 1 (10.1.1.0/24, reached through ethernet1 10.1.1.1/24) and server B (10.1.2.30) on LAN 2 (10.1.2.0/24, reached through ethernet4 10.1.2.1/24) are both in the Trust zone behind Layer 2 switches. Two policies allow either host to initiate traffic:

set policy from trust to trust “host A” “server B” any permit
set policy from trust to trust “server B” “host A” any permit]

Global Policies

Unlike interzone and intrazone policies, global policies do not reference specific source and destination zones. Global policies reference user-defined Global zone addresses or the predefined Global zone address “any”. These addresses can span multiple security zones. For example, if you want to provide access to or from multiple zones, you can create a global policy with the Global zone address “any”, which encompasses all addresses in all zones.

Note: At the time of this release, global policies do not support source network address translation (NAT-src), VPN tunnels, or Transparent mode. You can, however, specify a MIP or VIP as the destination address in a global policy.


POLICY SET LISTS

A NetScreen device maintains three different policy set lists, one for each of the following kinds of policies:

• Interzone policies

• Intrazone policies

• Global policies

When the NetScreen device receives a packet initiating a new session, the device notes the ingress interface, and thereby learns the source zone to which that interface is bound. The NetScreen device then performs a route lookup to determine the egress interface, and thus determines the destination zone to which that interface is bound. Using the source and destination zones, the NetScreen device can perform a policy lookup, consulting the policy set lists in the following order:

1. If the source and destination zones are different, the NetScreen device performs a policy lookup in the interzone policy set list.

(or)

If the source and destination zones are the same, the NetScreen device performs a policy lookup in the intrazone policy set list.

2. If the NetScreen device performs the interzone or intrazone policy lookup and does not find a match, the NetScreen device then checks the global policy set list for a match.

3. If the NetScreen device performs the interzone and global policy lookups and does not find a match, the NetScreen device then applies the default permit/deny policy to the packet: unset/set policy default-permit-all.

(or)

If the NetScreen device performs the intrazone and global policy lookups and does not find a match, the NetScreen device then applies the intrazone blocking setting for that zone to the packet: unset/set zone zone block.

The NetScreen device searches each policy set list from top to bottom. Therefore, you must position more specific policies above less specific policies in the list. (For information on policy order, see “Reordering Policies” on page 344.)
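The lookup order just described, together with the recurring schedule from “Example: Recurring Schedule” in the Schedules section above, can be checked against a small model: zones come from a route lookup, the interzone or intrazone set list is searched top to bottom, then the global list, and finally the default action applies, with a scheduled policy consulted only while its schedule is in effect. The following Python is an added example, not code from this guide or from ScreenOS; the interfaces, route table, address-book entries and the policy set lists it uses are constructed for the illustration, and its treatment of a period’s stop minute as inclusive is an assumption.

```python
"""ScreenOS policy lookup order, modelled in Python.

Added example, not code from the ScreenOS guide.  It follows the lookup order
described above (interzone or intrazone set list, then the global set list,
then the default action) and evaluates a policy's recurring schedule the way
the "after hours" example expects.  Interfaces, routes, address-book entries
and the policies themselves are constructed for this illustration.
"""
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed interface/zone bindings and a route table (most specific first).
ZONE_OF_IFACE = {"ethernet1": "trust", "ethernet4": "trust", "ethernet3": "untrust"}
ROUTES = [("10.1.1.0/24", "ethernet1"), ("10.1.2.0/24", "ethernet4"), ("0.0.0.0/0", "ethernet3")]
DEFAULT_PERMIT_ALL = False        # "unset policy default-permit-all": interzone default is deny
ZONE_BLOCK = {"trust": False}     # "unset zone trust block": intrazone default is permit

# Address book: (zone, name) -> prefix.  "any" matches every address in a zone.
ADDRESSES = {
    ("trust", "tom"): "10.1.1.5/32",
    ("trust", "host-a"): "10.1.1.5/32",
    ("trust", "server-b"): "10.1.2.30/32",
    ("untrust", "server1"): "1.1.1.10/32",
}

# Recurring "after hours" schedule: weekday (Mon=0) -> [(start, stop)], stop minute inclusive.
AFTER_HOURS = {d: [("00:00", "06:00"), ("17:00", "23:59")] for d in range(5)}
AFTER_HOURS.update({5: [("00:00", "23:59")], 6: [("00:00", "23:59")]})


def schedule_active(schedule, when):
    """True when `when` (ISO 8601 text or datetime) lies in one of that weekday's periods."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    hhmm = when.strftime("%H:%M")             # "HH:MM" strings compare correctly as text
    return any(start <= hhmm <= stop for start, stop in schedule.get(when.weekday(), []))


def zone_of(ip):
    """Zone of the interface a route lookup selects (ingress and egress alike)."""
    for prefix, iface in ROUTES:
        if ip_address(ip) in ip_network(prefix):
            return ZONE_OF_IFACE[iface]
    raise LookupError(f"no route for {ip}")


def addr_matches(zone, name, ip):
    return name == "any" or ip_address(ip) in ip_network(ADDRESSES[(zone, name)])


class Policy:
    def __init__(self, src_zone, dst_zone, src, dst, service, action, schedule=None):
        self.src_zone, self.dst_zone = src_zone, dst_zone
        self.src, self.dst, self.service, self.action = src, dst, service, action
        self.schedule = schedule

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, service, when):
        if self.src_zone != "global" and (src_zone, dst_zone) != (self.src_zone, self.dst_zone):
            return False
        if self.schedule and not schedule_active(self.schedule, when):
            return False                      # outside its schedule a policy is not consulted
        return (addr_matches(self.src_zone, self.src, src_ip)
                and addr_matches(self.dst_zone, self.dst, dst_ip)
                and self.service in ("any", service))


# The three policy set lists, each searched top to bottom.
INTERZONE = [
    Policy("trust", "untrust", "tom", "any", "http", "deny", AFTER_HOURS),   # "No Net"
    Policy("trust", "untrust", "any", "server1", "ftp", "permit"),
]
INTRAZONE = [
    Policy("trust", "trust", "host-a", "server-b", "any", "permit"),
    Policy("trust", "trust", "server-b", "host-a", "any", "permit"),
]
GLOBAL = [Policy("global", "global", "any", "any", "http", "permit")]


def lookup(src_ip, dst_ip, service, when):
    """Return the action the device applies to the first packet of a new session."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    intrazone = src_zone == dst_zone
    for policy_set in (INTRAZONE if intrazone else INTERZONE, GLOBAL):
        for policy in policy_set:
            if policy.matches(src_zone, dst_zone, src_ip, dst_ip, service, when):
                return policy.action
    if intrazone:                             # "set zone <zone> block" decides
        return "deny" if ZONE_BLOCK.get(src_zone) else "permit"
    return "permit" if DEFAULT_PERMIT_ALL else "deny"
```

With these lists, Tom’s HTTP on a Monday at noon falls through the interzone list (the “No Net” deny is outside its schedule, the FTP policy does not match) and is permitted by the global HTTP policy; the same request at 18:00 is denied by the first interzone entry. Unmatched interzone traffic ends at the default deny; unmatched intrazone traffic in the Trust zone is permitted because zone blocking is off.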


POLICIES DEFINED

A firewall provides a network boundary with a single point of entry and exit. Because all traffic must pass through this point, you can screen and direct that traffic through the implementation of policy set lists—for interzone policies, intrazone policies, and global policies.

Policies allow you to deny, permit, reject (deny and send a TCP RST or ICMP port unreachable message to the source host), encrypt and decrypt, authenticate, prioritize, schedule, filter, and monitor the traffic attempting to cross from one security zone to another. You decide which users and what data can enter and exit, and when and where they can go.

Policies and Rules

A single user-defined policy produces one or more logical rules internally, and each logical rule consists of a set of components—source address, destination address, and service. The components consume memory resources. The logical rules that reference the components do not.

Depending on the use of multiple entries or groups for the source address, destination address, and service components in a policy, the number of logical rules can be much larger than is readily apparent from the creation of the single policy. For example, the following policy produces 125 logical rules:

1 policy: 5 source addresses x 5 destination addresses x 5 services = 125 logical rules

However, the NetScreen device does not duplicate components for each logical rule. The rules make use of the same set of components in various combinations. For example, the above policy that produces 125 logical rules results in only 15 components:

5 source addresses + 5 destination addresses + 5 services = 15 components

These 15 components combine in various ways to produce the 125 logical rules generated by the single policy. By allowing multiple logical rules to use the same set of components in different combinations, the NetScreen device consumes far fewer resources than if each logical rule had a one-to-one relationship with its components.

Note: For NetScreen devices that support virtual systems, policies set in the root system do not affect policies set in virtual systems.

Because the installation time of a new policy is proportional to the number of components that the NetScreen device adds, removes, or modifies, policy installation becomes faster with fewer components. Also, by allowing a large number of logical rules to share a small set of components, NetScreen allows you to create more policies—and the NetScreen device to create more rules—than would be possible if each rule required dedicated components.

Anatomy of a Policy

A policy must contain the following elements:

• ID (automatically generated, but can be user-defined in the CLI)
• Zones (source and destination)
• Addresses (source and destination)
• Services
• Action (deny, permit, reject, tunnel)

A policy can also contain the following elements:

• Application
• Name
• VPN Tunneling
• L2TP Tunneling
• Deep Inspection
• Placement at the Top of the Policy List
• Source Address Translation
• Destination Address Translation
• User Authentication
• HA Session Backup
• URL Filtering
• Logging
• Counting
• Traffic Alarm Threshold
• Schedules
• Antivirus Scanning
• Traffic Shaping

The remainder of this section examines each of the above elements in turn.

ID

Every policy has an ID number, whether you define one or the NetScreen device automatically assigns it. You can only define an ID number for a policy through the set policy command in the CLI: set policy id number … After you know the ID number, you can enter the policy context to issue further commands to modify the policy. (For more information about policy contexts, see “Entering a Policy Context” on page 336.)

Zones

A zone can be a segment of network space to which security measures are applied (a security zone), a logical segment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performs a specific function (a function zone). A policy allows traffic to flow between two security zones (interzone policy) or between two interfaces bound to the same zone (intrazone policy). (For more information, see “Zones” on page 29, “Interzone Policies” on page 300, and “Intrazone Policies” on page 301.)

Addresses

Addresses are objects that identify network devices such as hosts and networks by their location in relation to the firewall—in one of the security zones. Individual hosts are specified using the mask 255.255.255.255, indicating that all 32 bits of the address are significant. Networks are specified using their subnet mask to indicate which bits are significant. To create a policy for specific addresses, you must first create entries for the relevant hosts and networks in the address book.

You can also create address groups and apply policies to them as you would to other address book entries. When using address groups as elements of policies, be aware that because the NetScreen device applies the policy to each address in the group, the number of available internal logical rules and the components that comprise those rules can become depleted more quickly than expected. This is a danger especially when you use address groups for both the source and destination. (For more information, see “Policies and Rules” on page 303.)

Services

Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP. The ScreenOS includes predefined core Internet services. Additionally, you can define custom services.

You can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted.

Action

An action is an object that describes what the firewall does to the traffic it receives.

• Deny blocks the packet from traversing the firewall.

• Permit allows the packet to pass the firewall.

• Reject blocks the packet from traversing the firewall. The NetScreen device drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic [3] and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is “deny”.

• Tunnel encapsulates outgoing IP packets and decapsulates incoming IP packets. For an IPSec VPN tunnel, specify which VPN tunnel to use. For an L2TP tunnel, specify which L2TP tunnel to use. For L2TP-over-IPSec, specify both an IPSec VPN tunnel and an L2TP tunnel [4].

The NetScreen device applies the specified action on traffic that matches the previously presented criteria: zones (source and destination), addresses (source and destination), and service.

Note: When the ingress interface is operating at Layer 2 or 3 and the protocol is TCP, the source IP address in the TCP RST is the destination IP address in the original (dropped) packet. When the ingress interface is operating at Layer 2 and the protocol is UDP, the source IP address in the ICMP message is also the destination IP address in the original packet. However, if the ingress interface is operating at Layer 3 and the protocol is UDP, then the source IP address in the ICMP message is that of the ingress interface.

3. The NetScreen device sends a TCP RST after receiving (and dropping) a TCP segment with any code bit set other than another RST.

4. For L2TP-over-IPSec, the source and destination addresses for the IPSec VPN tunnel must be the same as those for the L2TP tunnel.

Application

The application option specifies the Layer 7 application that maps to the Layer 4 service that you reference in a policy. A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an application layer gateway (ALG) [5] or Deep Inspection to the custom service.

Applying an ALG to a custom service involves the following two steps:

• Define a custom service with a name, timeout value, transport protocol, and source and destination ports

• When configuring a policy, reference that service and the application type for the ALG that you want to apply

For information about applying Deep Inspection to a custom service, see “Mapping Custom Services to Applications” on page 4-173.

Name

You can give a policy a descriptive name to provide a convenient means for identifying its purpose.

Note: For information regarding ScreenOS naming conventions—which apply to the names you create for policies—see “Naming Conventions and Character Types” on page xii.

VPN Tunneling

You can apply a single policy or multiple policies to any VPN tunnel that you have configured. In the WebUI, the VPN Tunnel option provides a drop-down list of all such tunnels. In the CLI, you can see all available tunnels with the get vpn command. (For more information, see “Site-to-Site VPNs” on page 5-101 and “Dialup VPNs” on page 5-231.)

When the VPN configurations at both ends of a VPN tunnel are using policy-based NAT, then the administrators of both gateway devices each need to create an inbound and an outbound policy (four policies in total). When the VPN policies constitute a matching pair (that is, everything in the inbound and outbound policy configurations is the same except that the source and destination addresses are reversed), you can configure one policy and then select the

5. NetScreen supports ALGs for numerous services, including DNS, FTP, H.323, HTTP, RSH, SIP, telnet, and TFTP.

Modify matching bidirectional VPN policy check box to create a second policy automatically for the opposite direction. For the configuration of a new policy, the matching VPN policy check box is cleared by default. For the modification of an existing policy that is a member of a matching pair, the check box is selected by default, and any changes made to one policy are propagated to the other.

Note: This option is only available through the WebUI. It is not supported when there are multiple entries for any of the following policy components: source address, destination address, or service.

L2TP Tunneling

You can apply a single policy or multiple policies to any Layer 2 Tunneling Protocol (L2TP) tunnel that you have configured. In the WebUI, the L2TP option provides a drop-down list of all such tunnels. In the CLI, you can display the status of active L2TP tunnels with the get l2tp tunn_str active command, and see all available tunnels with the get l2tp all command. You can also combine a VPN tunnel and an L2TP tunnel—if both have the same endpoints—to create a tunnel combining the characteristics of each. This is called L2TP-over-IPSec.

Note: A NetScreen device in Transparent mode does not support L2TP.

Deep Inspection

Deep Inspection is a mechanism for filtering the traffic permitted at the Network and Transport Layers by examining not only these layers but the content and protocol characteristics at the Application Layer [6]. The goal of Deep Inspection is the detection and prevention of any attacks or anomalous behavior that might be present in traffic that the NetScreen firewall permits.

To configure a policy for attack protection, you must make two choices: which attack group (or groups) to use and which attack action to take if an attack is detected. (For more information, see “Deep Inspection” on page 4-131.)

6. In the Open Systems Interconnection (OSI) model, the Network Layer is Layer 3, the Transport Layer is Layer 4, and the Application Layer is Layer 7. The OSI model is a networking industry standard model of network protocol architecture. The OSI model consists of seven layers.

Placement at the Top of the Policy List

By default, NetScreen positions a newly created policy at the bottom of a policy set list. If you need to reposition the policy, you can use either of the policy reordering methods explained in “Reordering Policies” on page 344. To avoid the extra step of repositioning a newly created policy to the top of a policy set list, you can select the Position at Top option in the WebUI, or use the keyword top in the set policy command (set policy top …) in the CLI.

Source Address Translation

You can apply source address translation (NAT-src) at the policy level. With NAT-src, you can translate the source address on either incoming or outgoing network and VPN traffic. The new source address can come from either a dynamic IP (DIP) pool or the egress interface. NAT-src also supports source port address translation (PAT). To learn about all the NAT-src options that are available, see “Source Network Address Translation” on page 7-15.

Note: You can also perform source address translation at the interface level, known as network address translation (NAT). For information about interface level NAT-src, or simply NAT, see “NAT Mode” on page 122.

Destination Address Translation

You can apply destination address translation (NAT-dst) at the policy level. With NAT-dst, you can translate the destination address on either incoming or outgoing network and VPN traffic. NAT-dst can also support destination port mapping. To learn about all the NAT-dst options that are available, see “Destination Network Address Translation” on page 7-33.

User Authentication

Selecting this option requires the auth user at the source address to authenticate his/her identity by supplying a user name and password before traffic is allowed to traverse the firewall or enter the VPN tunnel. The NetScreen device can use the local database or an external RADIUS, SecurID, or LDAP auth server to perform the authentication check.

NetScreen provides two authentication schemes:

• Run-time authentication, in which the NetScreen device prompts an auth user to log on when it receives HTTP, FTP or Telnet traffic matching a policy that has authentication enabled

• WebAuth, in which a user must authenticate himself or herself before sending traffic through the NetScreen device

Run-Time Authentication

The run-time authentication process proceeds as follows:

1. When the auth user sends an HTTP, FTP or Telnet connection request to the destination address, the NetScreen device intercepts the packet and buffers it.

2. The NetScreen device sends the auth user a login prompt.

3. The auth user responds to this prompt with his/her user name and password.

4. The NetScreen device authenticates the auth user’s login information.

If the authentication is successful, a connection is established between the auth user and the destination address.

Note: If a policy requiring authentication applies to a subnet of IP addresses, authentication is required for each IP address in that subnet.

If a host supports multiple auth user accounts (as with a Unix host running Telnet), then after the NetScreen device authenticates the first user, all other users from that host can pass traffic through the NetScreen device without being authenticated, having inherited the privileges of the first user.

For the initial connection request, a policy must include one or all of the three following services: Telnet, HTTP, or FTP. Only a policy with one or all of these services is capable of initiating the authentication process. You can use any of the following services in a policy involving user authentication:

• Any (because “any” includes all three required services)

• Telnet, or FTP, or HTTP

• A service group that includes the service or services you want, plus one or more of the three services required to initiate the authentication process (Telnet, FTP, or HTTP). For example, you can create a custom service group named “Login” that supports FTP, Netmeeting, and H.323 services. Then, when you create the policy, specify “Login” as the service.

For any connection following a successful authentication, all services specified in the policy are valid.

Note: A policy with authentication enabled does not support DNS (port 53) as the service.

Pre-Policy Check Authentication (WebAuth)

The WebAuth authentication process proceeds as follows:

1. The auth user makes an HTTP connection to the IP address of the WebAuth server.

2. The NetScreen device sends the auth user a login prompt.

3. The auth user responds to this prompt with his/her user name and password.

4. The NetScreen device or an external auth server authenticates the auth user’s login information.

If the authentication attempt is successful, the NetScreen device permits the auth user to initiate traffic to destinations as specified in policies that enforce authentication via the WebAuth method.

Note: For more information about these two user authentication methods, see “Referencing Auth Users in Policies” on page 8-42.

You can restrict or expand the range of auth users to which the policy applies by selecting a specific user group, local or external user, or group expression. (For information about group expressions, see “Group Expressions” on page 8-6.) If you do not reference an auth user or user group in a policy (in the WebUI, select the Allow Any option), the policy applies to all auth users in the specified auth server.

Note: NetScreen links authentication privileges with the IP address of the host from which the auth user logs on. If the NetScreen device authenticates one user from a host behind a NAT device that uses a single IP address for all NAT assignments, then users at other hosts behind that NAT device automatically receive the same privileges.

HA Session Backup

When two NetScreen devices are in an NSRP cluster for high availability (HA), you can specify which sessions to back up and which not to back up. For traffic whose sessions you do not want backed up, apply a policy with the HA session backup option disabled. In the WebUI, clear the HA Session Backup check box. In the CLI, use the no-session-backup argument in the set policy command. By default, NetScreen devices in an NSRP cluster back up sessions.

URL Filtering

URL filtering, which is also called web filtering, enables you to manage Internet access and prevent access to inappropriate web content. When you enable URL filtering in a policy, you must configure one of the following URL filtering solutions:

• Integrated URL filtering, where the NetScreen device intercepts each HTTP request and then determines whether to permit or block access to a requested site based on the URL filtering profile bound to the firewall policy.

• Redirect URL filtering, where the NetScreen device sends the first HTTP request in a TCP connection to either a Websense server or a SurfControl server, enabling you to block or permit access to different sites based on their URLs, domain names, and IP addresses.

Note: For more information on URL filtering, see “URL Filtering” on page 4-106.

Logging

When you enable logging in a policy, the NetScreen device logs all connections to which that particular policy applies. You can view the logs through either the WebUI or CLI. In the WebUI, click Reports > Policies > (for the policy whose log you want to see). In the CLI, use the get log traffic policy id_num command.

Counting

When you enable counting in a policy, the NetScreen device counts the total number of bytes of traffic to which this policy applies and records the information in historical graphs. To view the historical graphs for a policy in the WebUI, click Reports > Policies > (for the policy whose traffic count you want to see).

Note: For more information about viewing logs and graphs, see “Monitoring NetScreen Devices” on page 3-73.

Traffic Alarm Threshold

You can set a threshold that triggers an alarm when the traffic permitted by the policy exceeds a specified number of bytes per second, bytes per minute, or both. Because the traffic alarm requires the NetScreen device to monitor the total number of bytes, you must also enable the counting feature.

Note: For more information about traffic alarms, see “Traffic Alarms” on page 3-92.

Schedules

By associating a schedule to a policy, you can determine when the policy is in effect. You can configure schedules on a recurring basis and as a one-time event. Schedules provide a powerful tool in controlling the flow of network traffic and in enforcing network security. For an example of the latter, if you were concerned about employees transmitting important data outside the company, you might set a policy that blocked outbound FTP-Put and MAIL traffic after normal business hours.

In the WebUI, define schedules in the Objects > Schedules section. In the CLI, use the set schedule command.

Note: In the WebUI, scheduled policies appear with a gray background to indicate that the current time is not within the defined schedule. When a scheduled policy becomes active, it appears with a white background.

Antivirus Scanning

Some NetScreen devices support an internal AV scanner that you can configure to filter FTP, HTTP, IMAP, POP3, and SMTP traffic. If the embedded AV scanner detects a virus, it drops the packet and sends a message reporting the virus to the client initiating the traffic.

Note: For more information about antivirus scanning, see “Antivirus Scanning” on page 4-81.

Traffic Shaping

You can set parameters for the control and shaping of traffic for each policy. The traffic shaping parameters include:

Guaranteed Bandwidth: Guaranteed throughput in kilobits per second (kbps). Traffic below this threshold passes with the highest priority without being subject to any traffic management or shaping mechanism.

Maximum Bandwidth: Secured bandwidth available to the type of connection in kilobits per second (kbps). Traffic beyond this threshold is throttled and dropped.

Note: It is advised that you do not use rates less than 10 kbps. Rates below this threshold lead to dropped packets and excessive retries that defeat the purpose of traffic management.

Traffic Priority: When traffic bandwidth falls between the guaranteed and maximum settings, the NetScreen device passes higher priority traffic first, and lower priority traffic only if there is no other higher priority traffic. There are eight priority levels.

DiffServ Codepoint Marking: Differentiated Services (DiffServ) is a system for tagging (or “marking”) traffic at a position within a hierarchy of priority. You can map the eight NetScreen priority levels to the DiffServ system. By default, the highest priority (priority 0) in the NetScreen system maps to the first three bits (0111) in the DiffServ field (see RFC 2474), or the IP precedence field in the ToS byte (see RFC 1349), in the IP packet header. The lowest priority (priority 7) in the NetScreen system maps to (0000) in the ToS DiffServ system.

Note: For a more detailed discussion of traffic management and shaping, see “Traffic Shaping” on page 347.

To change the mapping between the NetScreen priority levels and the DiffServ system, use the following CLI command:

set traffic-shaping ip_precedence number0 number1 number2 number3 number4 number5 number6 number7

where number0 is the mapping for priority 0 (the highest priority in the ToS DiffServ system), number1 is the mapping for priority 1, and so forth.

To subsume IP precedence into class selector codepoints—that is, to zero out the second three bits in the DiffServ field and thus insure that priority levels you set with ip_precedence are preserved and handled correctly by downstream routers—use the following CLI command:

set traffic-shaping dscp-class-selector

Note: The set traffic-shaping dscp-class-selector command is configurable only from the CLI.
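The marking described in this section and the previous one, worked through on the bits of a ToS byte as an added example (this is not ScreenOS code; the ToS layout is the standard one, and the parser for the set traffic-shaping ip_precedence line is a constructed helper that only validates the eight numbers). It shows what the default priority-to-precedence mapping writes into the top three bits, and why dscp-class-selector matters: without it, whatever was in the second three bits survives the marking and a DSCP-aware downstream router sees an arbitrary codepoint rather than a class selector.

```python
"""Priority-to-DiffServ marking as described in the text.  Added example,
not ScreenOS code.  ToS byte layout (standard): bits 7..5 IP precedence,
which are also the first three DSCP bits; bits 4..2 the second three DSCP
bits; bits 1..0 ECN."""
from typing import List, Optional

# Default mapping indexed by NetScreen priority: priority 0 (highest) -> 7 (111),
# priority 7 (lowest) -> 0 (000).
DEFAULT_IP_PRECEDENCE: List[int] = [7, 6, 5, 4, 3, 2, 1, 0]


def mapping_from_command(command: str) -> List[int]:
    """Constructed helper: parse 'set traffic-shaping ip_precedence n0 .. n7'
    into a mapping list.  Each value must be a valid IP precedence (0..7)."""
    parts = command.split()
    if parts[:3] != ["set", "traffic-shaping", "ip_precedence"] or len(parts) != 11:
        raise ValueError("expected: set traffic-shaping ip_precedence number0 ... number7")
    mapping = [int(p) for p in parts[3:]]
    if any(not 0 <= m <= 7 for m in mapping):
        raise ValueError("IP precedence values must be 0..7")
    return mapping


def mark_tos(tos: int, priority: int, mapping: Optional[List[int]] = None,
             dscp_class_selector: bool = False) -> int:
    """Return the ToS byte after marking a packet matched by a policy with the
    given NetScreen priority.  Only bits 7..5 are rewritten; with
    dscp_class_selector the second three bits are zeroed as well, so the
    resulting codepoint is a class selector (CS0..CS7)."""
    if not 0 <= priority <= 7:
        raise ValueError("priority must be 0..7")
    if not 0 <= tos <= 0xFF:
        raise ValueError("tos must be one byte")
    precedence = (mapping or DEFAULT_IP_PRECEDENCE)[priority]
    new = (tos & 0x1F) | (precedence << 5)   # replace bits 7..5, keep the rest
    if dscp_class_selector:
        new &= 0xE3                          # clear bits 4..2
    return new


def dscp(tos: int) -> int:
    """The six-bit DSCP is the ToS byte without the two ECN bits."""
    return tos >> 2


def codepoint_name(tos: int) -> str:
    """Name class-selector codepoints; report anything else numerically."""
    d = dscp(tos)
    return f"CS{d >> 3}" if d & 0x7 == 0 else f"DSCP {d}"


if __name__ == "__main__":
    incoming = 0x28                      # constructed sample: DSCP 10 (AF11), ECN 00
    for cs in (False, True):
        marked = mark_tos(incoming, 0, dscp_class_selector=cs)
        print(f"class-selector={cs}: tos=0x{marked:02X} -> {codepoint_name(marked)}")
```

With the sample byte above, priority 0 without dscp-class-selector leaves DSCP 58 in the packet (the old second three bits, 010, are still there under the new precedence 111); with it the packet carries CS7, which is what a downstream router applying class-selector semantics expects.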

Chapter 6 Policies: Policies Applied

POLICIES APPLIED

This section describes the management of policies: viewing, creating, modifying, ordering and reordering, and removing policies.

Viewing Policies

To view policies through the WebUI, click Policies. You can sort the displayed policies by source and destination zones by choosing zone names from the From and To drop-down lists and then clicking Go. In the CLI, use the get policy [ all | from zone to zone | global | id number ] command.

Policy Icons

When viewing a list of policies, the WebUI uses icons to provide you a graphical summary of policy components. The table below defines the different icons used in the policies page (the icon column itself is graphical and is not reproduced here).

Function | Description
Permit | The NetScreen device passes all traffic to which the policy applies.
Deny | The NetScreen device blocks all traffic to which the policy applies.
Reject | The NetScreen device blocks all traffic to which the policy applies. It drops the packet and sends a TCP reset (RST) segment to the source host for TCP traffic and an ICMP “destination unreachable, port unreachable” message (type 3, code 3) for UDP traffic. For types of traffic other than TCP and UDP, the NetScreen device drops the packet without notifying the source host, which is also what occurs when the action is “deny”.
Policy-level NAT | The NetScreen device performs policy-based source or destination network address translation (NAT-src or NAT-dst) on all traffic to which the policy applies.

Function | Description
Encapsulation and Decapsulation | The NetScreen device encapsulates all outbound VPN traffic and decapsulates all inbound VPN traffic to which the policy applies.
Bidirectional VPN policies | A matching VPN policy exists for the opposite direction.
Authentication | The user must authenticate himself/herself when initiating a connection.
Antivirus | The NetScreen device sends all traffic to which the policy applies to its internal antivirus (AV) scanner.
Deep Inspection | The NetScreen device performs Deep Inspection (DI) on all traffic to which the policy applies.
Deep Inspection and Antivirus | The NetScreen device performs Deep Inspection and antivirus protection on all traffic to which the policy applies.
URL Filtering | The NetScreen device sends all traffic to which the policy applies to an external URL filtering server.
L2TP | The NetScreen device encapsulates all outbound L2TP traffic and decapsulates all inbound L2TP traffic to which the policy applies.
Logging | All traffic is logged and made available for syslog and e-mail, if enabled.
Counting | The NetScreen device counts (in bytes) the amount of traffic to which the policy applies.

Function | Description
Alarm | When the amount of traffic surpasses a threshold that you have set, the NetScreen device makes an entry in the traffic log for this policy. Clicking the icon takes you to the traffic log located in the Reports section.

Creating Policies

To allow traffic to flow between two zones, you create policies to deny, permit, reject, or tunnel traffic between those zones. You can also create policies to control traffic within the same zone if the NetScreen device is the only network device that can route the intrazone traffic between the source and destination addresses referenced in the policy. You can also create global policies, which make use of source and destination addresses in the Global zone address book.

To allow bidirectional traffic between two zones—for example, between the Trust and Untrust zones—you need to create a policy that goes from Trust to Untrust, and then create a second policy from Untrust to Trust. Depending on your needs, the policies can use the same or different IP addresses; only the source and destination addresses are reversed.

Policy Location

You can define policies between any zones that are located within the same system—root or virtual. To define a policy between the root system and a vsys, one of the zones must be a shared zone. (For information about shared zones in relation to virtual systems, see Volume 9, “Virtual Systems”.)

Example: Interzone Policies Mail Service

In this example, you create three policies to control the flow of e-mail traffic.

The first policy allows internal users in the Trust zone to send and retrieve e-mail from a local mail server in the DMZ zone. This policy permits the services MAIL (that is, SMTP) and POP3 originating from the internal users to traverse the NetScreen firewall to reach the local mail server.

The second and third policies permit the service MAIL to traverse the firewall between the local mail server in the DMZ zone and a remote mail server in the Untrust zone.

However, before creating policies to control traffic between different security zones, you must first design the environment in which to apply those policies. First, you bind interfaces to zones and assign the interfaces IP addresses:

• Bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.

• Bind ethernet2 to the DMZ zone and assign it IP address 1.2.2.1/24.

• Bind ethernet3 to the Untrust zone and assign it IP address 1.1.1.1/24.

All security zones are in the trust-vr routing domain.

Second, you create addresses for use in the policies:

• Define an address in the Trust zone named “corp_net” and assign it IP address 10.1.1.0/24.

• Define an address in the DMZ zone named “mail_svr” and assign it IP address 1.2.2.5/32.

• Define an address in the Untrust zone named “r-mail_svr” and assign it IP address 2.2.2.5/32.

Third, you create a service group named “MAIL-POP3” containing the two predefined services MAIL and POP3.

Fourth, you configure a default route in the trust-vr routing domain pointing to the external router at 1.1.1.250 through ethernet3.

After completing steps 1 – 4, you can then create the policies necessary to permit the transmission, retrieval, and delivery of e-mail in and out of your protected network.

WebUI

1. Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Enter the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click OK:

Zone Name: DMZ

Static IP: (select this option when present)

IP Address/Netmask: 1.2.2.1/24

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone Name: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

2. Addresses

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: corp_net

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.0/24

Zone: Trust


Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: mail_svr

IP Address/Domain Name:

IP/Netmask: (select), 1.2.2.5/32

Zone: DMZ

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: r-mail_svr

IP Address/Domain Name:

IP/Netmask: (select), 2.2.2.5/32

Zone: Untrust

3. Service Group
Objects > Services > Group: Enter the following group name, move the following services, and then click OK:

Group Name: MAIL-POP3

Select MAIL and use the << button to move the service from the Available Members column to the Group Members column.

Select POP3 and use the << button to move the service from the Available Members column to the Group Members column.

4. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0

Gateway: (select)

Interface: ethernet3

Gateway IP Address: 1.1.1.250


5. Policies
Policies > (From: Trust, To: DMZ) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), corp_net

Destination Address:

Address Book Entry: (select), mail_svr

Service: MAIL-POP3

Action: Permit

Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), mail_svr

Destination Address:

Address Book Entry: (select), r-mail_svr

Service: MAIL

Action: Permit

Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), r-mail_svr

Destination Address:

Address Book Entry: (select), mail_svr

Service: MAIL

Action: Permit


CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet2 zone dmz
set interface ethernet2 ip 1.2.2.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Addresses
set address trust corp_net 10.1.1.0/24
set address dmz mail_svr 1.2.2.5/32
set address untrust r-mail_svr 2.2.2.5/32

3. Service Group
set group service MAIL-POP3
set group service MAIL-POP3 add mail
set group service MAIL-POP3 add pop3

4. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

5. Policies
set policy from trust to dmz corp_net mail_svr MAIL-POP3 permit
set policy from dmz to untrust mail_svr r-mail_svr MAIL permit
set policy from untrust to dmz r-mail_svr mail_svr MAIL permit
save


Example: Interzone Policy Set
A small software firm, ABC Design, has divided its internal network into two subnets, and both are in the Trust zone. These two subnets are:

• Engineering (with the defined address “Eng”)

• The rest of the company (with the defined address “Office”).

It also has a DMZ zone for its Web and mail servers.

The following example presents a typical set of policies for the following users:

• “Eng” can use all the services for outbound traffic except FTP-Put, IMAP, MAIL, and POP3.

• “Office” can use e-mail and access the Internet, provided they authenticate themselves via WebAuth. (For information about WebAuth user authentication, see “Authentication Users” on page 8-41.)

• Everyone in the Trust zone can access the Web and mail servers in the DMZ zone.

• A remote mail server in the Untrust zone can access the local mail server in the DMZ zone.

• There is also a group of system administrators (with the user-defined address “sys-admins”) who have complete user and administrative access to the servers in the DMZ zone.

[Figure: network topology. Untrust zone: Internet and External Router; NetScreen device; DMZ zone: www.abc.com and mail.abc.com; Trust zone: Internal Router, Eng. LAN and Office LAN.]


This example focuses only on policies and assumes that you have already configured the interfaces, addresses, service groups, and routes that must be in place. For more information on configuring these, see “Interfaces” on page 51, “Addresses” on page 139, “Service Groups” on page 266, and Volume 6, “Dynamic Routing.”

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Trust - Any | Untrust - Any | Com (service group: FTP-Put, IMAP, MAIL, POP3) | Reject
Trust - Eng | Untrust - Any | Any | Permit
Trust - Office | Untrust - Any | Internet (service group: FTP-Get, HTTP, HTTPS) | Permit (+ WebAuth)

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Untrust - Any | DMZ - mail.abc.com | MAIL | Permit
Untrust - Any | DMZ - www.abc.com | Web (service group: HTTP, HTTPS) | Permit

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
Trust - Any | DMZ - mail.abc.com | e-mail (service group: IMAP, MAIL, POP3) | Permit
Trust - Any | DMZ - www.abc.com | Internet (service group: FTP-Get, HTTP, HTTPS) | Permit
Trust - sys-admins | DMZ - Any | Any | Permit

From Zone - Src Addr | To Zone - Dest Addr | Service | Action
DMZ - mail.abc.com | Untrust - Any | MAIL | Permit

Note: The default policy is to deny all.


WebUI

1. From Trust, To Untrust

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Eng

Destination Address:

Address Book Entry: (select), Any

Service: ANY

Action: Permit

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Office

Destination Address:

Address Book Entry: (select), Any

Service: Internet7

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Authentication: (select)

WebAuth: (select)

7. “Internet” is a service group with the following members: FTP-Get, HTTP, and HTTPS.


Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), Any

Service: Com8

Action: Reject

Position at Top: (select)

2. From Untrust, To DMZ
Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), mail.abc.com

Service: MAIL

Action: Permit

8. “Com” is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3.

Note: For traffic from the Untrust zone to the Trust zone, the default deny policy denies everything.


Policies > (From: Untrust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), www.abc.com

Service: Web9

Action: Permit

3. From Trust, To DMZ
Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), mail.abc.com

Service: e-mail10

Action: Permit

9. “Web” is a service group with the following members: HTTP and HTTPS.

10. “e-mail” is a service group with the following members: MAIL, IMAP, and POP3.


Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), www.abc.com

Service: Internet

Action: Permit

Policies > (From: Trust, To: DMZ) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), sys-admins

Destination Address:

Address Book Entry: (select), Any

Service: ANY

Action: Permit

4. From DMZ, To Untrust
Policies > (From: DMZ, To: Untrust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), mail.abc.com

Destination Address:

Address Book Entry: (select), Any

Service: MAIL

Action: Permit


CLI

1. From Trust, To Untrust
set policy from trust to untrust eng any any permit
set policy from trust to untrust office any Internet permit webauth
set policy top from trust to untrust any any Com reject

2. From Untrust, To DMZ
set policy from untrust to dmz any mail.abc.com mail permit
set policy from untrust to dmz any www.abc.com Web permit

3. From Trust, To DMZ
set policy from trust to dmz any mail.abc.com e-mail permit
set policy from trust to dmz any www.abc.com Internet permit
set policy from trust to dmz sys-admins any any permit

4. From DMZ, To Untrust
set policy from dmz to untrust mail.abc.com any mail permit
save

11. “Internet” is a service group with the following members: FTP-Get, HTTP, and HTTPS.

12. “Com” is a service group with the following members: FTP-Put, MAIL, IMAP, and POP3.

13. “Web” is a service group with the following members: HTTP and HTTPS.

14. “e-mail” is a service group with the following members: MAIL, IMAP, and POP3.


Example: Intrazone Policies
In this example, you create an intrazone policy to permit a group of accountants access to a confidential server on the corporate LAN in the Trust zone. You first bind ethernet1 to the Trust zone and give it IP address 10.1.1.1/24. You then bind ethernet2 to the Trust zone and assign it IP address 10.1.5.1/24. You enable intrazone blocking in the Trust zone. Next, you define two addresses: one for a server on which the company stores its financial records (10.1.1.100/32) and another for the subnet on which hosts for the accounting department are located (10.1.5.0/24). You then create an intrazone policy to permit access to the server from those hosts.

WebUI

1. Trust Zone - Interfaces and Blocking
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Select the following, and then click OK:

Interface Mode: NAT

Network > Interfaces > Edit (for ethernet2): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.5.1/24

Select the following, and then click OK:

Interface Mode: NAT

Network > Zones > Edit (for Trust): Enter the following, and then click OK:

Block Intra-Zone Traffic: (select)


2. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: Hamilton

IP Address/Domain Name:

IP/Netmask: (select), 10.1.1.100/32

Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: accounting

IP Address/Domain Name:

IP/Netmask: (select), 10.1.5.0/24

Zone: Trust

3. Policy
Policies > (From: Trust, To: Trust) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), accounting

Destination Address:

Address Book Entry: (select), Hamilton

Service: ANY

Action: Permit


CLI

1. Trust Zone - Interfaces and Blocking
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet2 zone trust
set interface ethernet2 ip 10.1.5.1/24
set interface ethernet2 nat

set zone trust block

2. Addresses
set address trust Hamilton 10.1.1.100/32
set address trust accounting 10.1.5.0/24

3. Policy
set policy from trust to trust accounting Hamilton any permit
save


Example: Global Policy
In this example, you create a global policy so that every host in every zone can access the company Web site, which is www.juniper.net (see footnote 15). Using a global policy is a convenient shortcut when there are many security zones. In this example, one global policy accomplishes what n interzone policies would have accomplished (where n = number of zones).

WebUI

1. Global Address
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: server1

IP Address/Domain Name:

Domain Name: (select), www.juniper.net

Zone: Global

2. Policy
Policies > (From: Global, To: Global) > New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), server1

Service: HTTP

Action: Permit

15. To use a domain name instead of an IP address, be sure to have DNS service configured on the NetScreen device.


CLI

1. Global Address
set address global server1 www.juniper.net

2. Policy
set policy global any server1 http permit
save

Entering a Policy Context
When configuring a policy through the CLI, after you first create a policy, you can then enter the context of the policy to make additions and modifications. For example, perhaps you first create the following policy:

set policy id 1 from trust to untrust host1 server1 HTTP permit attack HIGH:HTTP:SIGS action close

If you want to make some changes to the policy, such as adding another source or destination address, another service, or another attack group, you can enter the context for policy 1 and then enter the pertinent commands:

set policy id 1
ns(policy:1)-> set src-address host2
ns(policy:1)-> set dst-address server2
ns(policy:1)-> set service FTP
ns(policy:1)-> set attack CRITICAL:HTTP:SIGS

You can also remove multiple items for a single policy component as long as you do not remove them all. For example, you can remove server2 from the above configuration, but not server2 and server1 because then no destination address would remain:

ns(policy:1)-> unset dst-address server2
(You can remove either server2,)

ns(policy:1)-> unset dst-address server1
(or you can remove server1,)

ns(policy:1)-> unset dst-address server2
ns(policy:1)-> unset dst-address server1
(but you cannot remove them both.)


Multiple Items per Policy Component
ScreenOS allows you to add multiple items to the following components of a policy:

• Source address

• Destination address

• Service

• Attack group

In pre-ScreenOS 5.0.0 releases, the only way to have multiple source and destination addresses or services is to first create an address or service group with multiple members and then reference that group in a policy. You can still use address and service groups in policies in ScreenOS 5.0.0. In addition, you can simply add extra items directly to a policy component.

To add multiple items to a policy component, do either of the following:

WebUI

To add more addresses and services, click the Multiple button next to the component to which you want to add more items. To add more attack groups, click the Attack Protection button. Select an item in the “Available Members” column, and then use the << key to move it to the “Active Members” column. You can repeat this action with other items. When finished, click OK to return to the policy configuration page.

CLI

Enter the policy context with the following command:

set policy id number

Then use one of the following commands as appropriate:

ns(policy:number)-> set src-address string
ns(policy:number)-> set dst-address string
ns(policy:number)-> set service string
ns(policy:number)-> set attack string

Note: If the first address or service referenced in a policy is “Any”, you cannot logically add anything else to it. NetScreen prevents this kind of misconfiguration and displays an error message should it occur.
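The editing rules above (adding items in a policy context, the refusal to remove a component's last item, and the “Any” restriction), modelled as an added Python illustration; this is not ScreenOS code, and the PolicyContext class, the apply_transcript parser and the treatment of attack groups as optional are assumptions of the example.

```python
"""Model of editing a policy through its CLI context (set policy id N, then
set / unset src-address, dst-address, service, attack), with the two guards
the text describes: the last item of a component cannot be removed, and
nothing can be added to a component whose first item is Any.
Added illustration; not ScreenOS code."""
import re

COMPONENTS = ("src-address", "dst-address", "service", "attack")
# Assumption: attack groups are optional, so unlike the other components the
# attack component may be emptied.
OPTIONAL = {"attack"}


class PolicyContext:
    """Holds the multi-item components of one policy and applies edits."""

    def __init__(self, pid, src, dst, service, attack=None):
        self.pid = pid
        self.items = {
            "src-address": [src],
            "dst-address": [dst],
            "service": [service],
            "attack": [attack] if attack else [],
        }

    def set(self, component, value):
        items = self._component(component)
        if items and items[0].lower() == "any":
            raise ValueError(f"{component} is Any; nothing can be added to it")
        if value not in items:          # re-adding an item is a no-op
            items.append(value)

    def unset(self, component, value):
        items = self._component(component)
        if value not in items:
            raise ValueError(f"{value} is not a {component} of policy {self.pid}")
        if len(items) == 1 and component not in OPTIONAL:
            raise ValueError(f"cannot remove the last {component}")
        items.remove(value)

    def _component(self, component):
        if component not in COMPONENTS:
            raise ValueError(f"unknown policy component {component}")
        return self.items[component]


# Accepts lines with or without the "ns(policy:N)-> " prompt.
CMD = re.compile(r"^(?:ns\(policy:\d+\)->\s*)?(set|unset)\s+(\S+)\s+(\S+)$")


def apply_transcript(ctx, lines):
    """Apply CLI lines as typed in the policy context; return one entry per
    line: None when the command succeeded, else the error message."""
    results = []
    for line in lines:
        m = CMD.match(line.strip())
        if not m:
            results.append(f"unparsed: {line.strip()}")
            continue
        verb, component, value = m.groups()
        try:
            getattr(ctx, verb)(component, value)
            results.append(None)
        except ValueError as exc:
            results.append(str(exc))
    return results


def policy_1():
    """Policy 1 from the text after the four additions shown there."""
    ctx = PolicyContext(1, "host1", "server1", "HTTP", "HIGH:HTTP:SIGS")
    apply_transcript(ctx, [
        "ns(policy:1)-> set src-address host2",
        "ns(policy:1)-> set dst-address server2",
        "ns(policy:1)-> set service FTP",
        "ns(policy:1)-> set attack CRITICAL:HTTP:SIGS",
    ])
    return ctx


if __name__ == "__main__":
    ctx = policy_1()
    print(ctx.items)
    # Removing both destinations: the second unset is refused.
    print(apply_transcript(ctx, ["ns(policy:1)-> unset dst-address server2",
                                 "ns(policy:1)-> unset dst-address server1"]))
```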


Address Negation
You can configure a policy so that it applies to all addresses except the one specified as either the source or destination. For example, you might want to create a policy that permits Internet access to everyone except the “P-T_contractors” address group. To accomplish this, you can use the address negation option.

In the WebUI, this option is available on the pop-up that appears when you click the Multiple button next to either Source Address or Destination Address on the policy configuration page.

In the CLI, you insert an exclamation point ( ! ) immediately before the source or destination address.

Example: Destination Address Negation
In this example, you create an intrazone policy that allows all addresses in the Trust zone access to all FTP servers except to an FTP server named “vulcan”, which engineering uses to post functional specifications for one another.

However, before creating the policy, you must first design the environment in which to apply it. First, you enable intrazone blocking for the Trust zone. Intrazone blocking requires a policy lookup before the NetScreen device passes traffic between two interfaces bound to the same zone.

Second, you bind two interfaces to the Trust zone and assign them IP addresses:

• You bind ethernet1 to the Trust zone and assign it IP address 10.1.1.1/24.

• You bind ethernet4 to the Trust zone and assign it IP address 10.1.2.1/24.

Third, you create an address (10.1.2.5/32) for the FTP server named “vulcan” in the Trust zone.

After completing these steps, you can then create the intrazone policy.

Note: Address negation occurs at the policy component level, applying to all items in the negated component.

Note: You do not have to create a policy for the engineering department to reach their FTP server because the engineers are also in the 10.1.2.0/24 subnet and do not have to cross the NetScreen firewall to reach their own server.


WebUI

1. Intrazone Blocking
Network > Zones > Edit (for Trust): Enter the following, and then click OK:

Virtual Router Name: trust-vr

Block Intra-Zone Traffic: (select)

2. Trust Zone Interfaces

Network > Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.1.1/24

Select the following, and then click OK:

Interface Mode: NAT

[Figure: Trust zone with intrazone blocking enabled. ethernet1 (10.1.1.1/24) serves 10.1.1.0/24 (rest of corporate) and ethernet4 (10.1.2.1/24) serves 10.1.2.0/24 (engineering), each through an internal switch; the FTP server “vulcan” is at 10.1.2.5.]


Network > Interfaces > Edit (for ethernet4): Enter the following, and then click Apply:

Zone Name: Trust

Static IP: (select this option when present)

IP Address/Netmask: 10.1.2.1/24

Select the following, and then click OK:

Interface Mode: NAT

3. Address
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: vulcan

IP Address/Domain Name:

IP/Netmask: (select), 10.1.2.5/32

Zone: Trust

4. Policy
Policies > (From: Trust, To: Trust) New: Enter the following, and then click OK:

Source Address:

Address Book Entry: (select), Any

Destination Address:

Address Book Entry: (select), vulcan

> Click Multiple, select the Negate Following check box, and then click OK to return to the basic policy configuration page.

Service: FTP

Action: Permit


CLI

1. Intrazone Blocking
set zone trust block

2. Trust Zone Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 nat

set interface ethernet4 zone trust
set interface ethernet4 ip 10.1.2.1/24
set interface ethernet4 nat

3. Address
set address trust vulcan 10.1.2.5/32

4. Policy
set policy from trust to trust any !vulcan ftp permit
save


Modifying and Disabling Policies
After you create a policy, you can always return to it to make modifications. In the WebUI, click the Edit link in the Configure column for the policy that you want to change. In the Policy configuration page that appears for that policy, make your changes, and then click OK. In the CLI, use the set policy command.

ScreenOS also provides a means for enabling and disabling policies. By default, a policy is enabled. To disable it, do the following:

WebUI

Policies: Clear the Enable check box in the Configure column for the policy that you want to disable.

The row of text for a disabled policy appears as grey.

CLI

set policy id id_num disable
save

Note: To enable the policy again, select Enable in the Configure column for the policy that you want to enable (WebUI), or type unset policy id id_num disable (CLI).


Policy Verification
ScreenOS offers a tool for verifying that the order of policies in the policy list is valid. It is possible for one policy to eclipse, or “shadow”, another policy. Consider the following example:

set policy id 1 from trust to untrust any any HTTP permit
set policy id 2 from trust to untrust any dst-A HTTP deny

Because the NetScreen device performs a policy lookup starting from the top of the list, when it finds a match for the traffic received, it does not look any lower in the policy list. In the above example, the NetScreen device never reaches policy 2 because the destination address “any” in policy 1 includes the more specific “dst-A” address in policy 2. When an HTTP packet arrives at the NetScreen device from an address in the Trust zone bound for dst-A in the Untrust zone, the NetScreen device always first finds a match with policy 1.

To correct the above example, you can simply reverse the order of the policies, putting the more specific one first:

set policy id 2 from trust to untrust any dst-A HTTP deny
set policy id 1 from trust to untrust any any HTTP permit

Of course, this example is purposefully simple to illustrate the basic concept. In cases where there are dozens or hundreds of policies, the eclipsing of one policy by another might not be so easy to spot. To check if there is any policy shadowing16 in your policy list, you can use the following CLI command:

exec policy verify

This command reports the shadowing and shadowed policies. It is then the admin’s responsibility to correct the situation.

The policy verification tool cannot detect the case where a combination of policies shadows another policy. In the following example, no single policy shadows policy 3; however, policies 1 and 2 together do shadow it:

set group address trust grp1 add host1
set group address trust grp1 add host2
set policy id 1 from trust to untrust host1 server1 HTTP permit
set policy id 2 from trust to untrust host2 server1 HTTP permit
set policy id 3 from trust to untrust grp1 server1 HTTP deny

16. The concept of policy “shadowing” refers to the situation where a policy higher in the policy list always takes effect before a subsequent policy. Because the policy lookup always uses the first policy it finds that matches the five-part tuple of source and destination zone, source and destination address, and service type, if another policy applies to the same tuple (or a subset of the tuple), the policy lookup uses the first policy in the list and never reaches the second one.
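An added Python illustration, not ScreenOS code, of the first-match lookup, the pairwise check that exec policy verify performs (including the group case it cannot catch), and the destination-address negation used in the “vulcan” intrazone example earlier in this chapter; the Policy class, the lookup/verify functions and the 10.1.1.7 and “fileserver” sample hosts are the example's own assumptions.

```python
"""Model of ScreenOS first-match policy lookup, destination-address negation
(the `any !vulcan ftp permit` policy) and the pairwise shadow check that
`exec policy verify` performs. Added illustration; not ScreenOS code."""
from dataclasses import dataclass

ANY = frozenset({"any"})           # the predefined Any address / ANY service


@dataclass(frozen=True)
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: frozenset                 # address names (may include group names)
    dst: frozenset
    service: frozenset             # service names (may include group names)
    action: str
    negate_dst: bool = False       # CLI: "!" before the destination address


def expand(names, groups):
    """Replace address/service group names by their members."""
    members = set()
    for name in names:
        members |= set(groups.get(name, {name}))
    return frozenset(members)


def selects(selector, item, negate=False):
    """Does a (possibly negated) policy component select this item?"""
    hit = selector == ANY or item in selector
    return hit != negate           # negation inverts the match


def lookup(policies, groups, from_zone, to_zone, src, dst, service):
    """Return the first policy matching the five-part tuple, or None when
    no policy matches (the default policy: deny)."""
    for p in policies:
        if (p.from_zone, p.to_zone) != (from_zone, to_zone):
            continue
        if (selects(expand(p.src, groups), src)
                and selects(expand(p.dst, groups), dst, p.negate_dst)
                and selects(expand(p.service, groups), service)):
            return p
    return None


def covers(outer, inner, outer_negated=False, inner_negated=False):
    """True when every item `inner` can select is also selected by `outer`.
    A negated outer component is conservatively never claimed to cover."""
    if outer_negated:
        return False
    if outer == ANY:
        return True
    if inner_negated or inner == ANY:
        return False
    return inner <= outer


def verify(policies, groups):
    """Report (shadowing_id, shadowed_id) pairs: an earlier policy whose
    components cover a later one for the same zone pair. Like the device's
    tool, it compares policies one pair at a time, so a later policy covered
    only by the union of several earlier ones is not reported."""
    found = []
    for i, a in enumerate(policies):
        for b in policies[i + 1:]:
            if (a.from_zone, a.to_zone) != (b.from_zone, b.to_zone):
                continue
            if (covers(expand(a.src, groups), expand(b.src, groups))
                    and covers(expand(a.dst, groups), expand(b.dst, groups),
                               a.negate_dst, b.negate_dst)
                    and covers(expand(a.service, groups),
                               expand(b.service, groups))):
                found.append((a.pid, b.pid))
    return found


def P(pid, fz, tz, src, dst, svc, action, negate_dst=False):
    """Shorthand for a policy with one item per component."""
    return Policy(pid, fz, tz, frozenset({src}), frozenset({dst}),
                  frozenset({svc}), action, negate_dst)


# The two orderings from the text: policy 1 shadows policy 2 until reversed.
SHADOWED = [P(1, "trust", "untrust", "any", "any", "HTTP", "permit"),
            P(2, "trust", "untrust", "any", "dst-A", "HTTP", "deny")]
CORRECTED = SHADOWED[::-1]
# Policies 1 and 2 together cover grp1, but neither does alone.
GROUPS = {"grp1": {"host1", "host2"}}
COMBINED = [P(1, "trust", "untrust", "host1", "server1", "HTTP", "permit"),
            P(2, "trust", "untrust", "host2", "server1", "HTTP", "permit"),
            P(3, "trust", "untrust", "grp1", "server1", "HTTP", "deny")]
# The intrazone negation example: set policy from trust to trust any !vulcan ftp permit
NEGATED = [P(1, "trust", "trust", "any", "vulcan", "ftp", "permit", True)]

if __name__ == "__main__":
    print(verify(SHADOWED, {}), verify(CORRECTED, {}), verify(COMBINED, GROUPS))
    print(lookup(NEGATED, {}, "trust", "trust", "10.1.1.7", "vulcan", "ftp"))
    print(lookup(NEGATED, {}, "trust", "trust", "10.1.1.7", "fileserver", "ftp"))
```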


Reordering Policies
The NetScreen device checks all attempts to traverse the firewall against policies, beginning with the first one listed in the policy set for the appropriate list (see “Policy Set Lists” on page 302) and moving through the list. Because the NetScreen device applies the action specified in the policy to the first matching policy in the list, you must arrange them from the most specific to the most general. (Whereas a specific policy does not preclude the application of a more general policy located down the list, a general policy appearing before a specific one does.)

By default, a newly created policy appears at the bottom of a policy set list. There is an option that allows you to position a policy at the top of the list instead. In the Policy configuration page in the WebUI, select the Position at Top check box. In the CLI, add the key word top to the set policy command: set policy top …

To move a policy to a different position in the list, do either of the following:

WebUI

There are two ways to reorder policies in the WebUI: by clicking the circular arrows or by clicking the single arrow in the Configure column for the policy you want to move.

If you click the circular arrows:

A User Prompt dialog box appears.

To move the policy to the very end of the list, enter <-1>. To move it up in the list, enter the ID number of the policy above which you want to move the policy in question.

Click OK to execute the move.

If you click the single arrow:

A Policy Move page appears displaying the policy you want to move and a table displaying the other policies.

In the table displaying the other policies, the first column, Move Location, contains arrows pointing to various locations where you can move the policy. Click the arrow that points to the location in the list where you want to move the policy.

The Policy List page reappears with the policy you moved in its new position.


CLI

set policy move id_num { before | after } number
save

Removing a Policy
In addition to modifying and repositioning a policy, you can also delete it. In the WebUI, click Remove in the Configure column for the policy that you want to remove. When the system message prompts for confirmation to proceed with the removal, click Yes. In the CLI, use the unset policy id_num command.

Chapter 7

Traffic Shaping

This chapter discusses the various ways you can use your NetScreen device to manage limited bandwidth without compromising quality and availability of the network to all of your users.

The topics discussed include:

• “Applying Traffic Shaping” on page 348

– “Managing Bandwidth at the Policy Level” on page 348

• “Setting Service Priorities” on page 355


APPLYING TRAFFIC SHAPING
Traffic shaping is the allocation of the appropriate amount of network bandwidth to every user and application on an interface. The appropriate amount of bandwidth is defined as cost-effective carrying capacity at a guaranteed Quality of Service (QoS). You can use a NetScreen device to shape traffic by creating policies and by applying appropriate rate controls to each class of traffic going through the NetScreen device.

Managing Bandwidth at the Policy Level
To classify traffic, you create a policy which specifies the amount of guaranteed bandwidth, the maximum bandwidth, and the priority for each class of traffic. The physical bandwidth of every interface is allocated to the guaranteed bandwidth parameter for all policies. If there is any bandwidth left over, it is sharable by any other traffic. In other words, each policy gets its guaranteed bandwidth and shares whatever is left over on a priority basis (up to the limit of its maximum bandwidth specification).

The traffic shaping function applies to traffic from all policies. If you turn off traffic shaping for a specific policy, while traffic shaping is still turned on for other policies, the system applies a default traffic shaping policy to that particular policy, with the following parameters:

• Guaranteed bandwidth 0

• Unlimited maximum bandwidth

• Priority of 7 (the lowest priority setting)1

If you do not want the system to assign this default traffic shaping policy to policies for which you have turned off traffic shaping, then turn off traffic shaping system wide via the CLI command set traffic-shaping mode off. You can set traffic shaping to automatic: set traffic-shaping mode auto. This allows the system to turn on traffic shaping when a policy requires it, and turn off traffic shaping when policies do not require it.

Note: You can only apply traffic shaping to policies whose destination zone has a single physical interface bound to it. NetScreen does not support traffic shaping if the destination zone contains one or more subinterfaces or more than one physical interface.

1. You can enable a mapping of the NetScreen priority levels to the DiffServ Codepoint Marking system. For more information about DS Codepoint Marking, see “Traffic Shaping” on page 6-315.
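An added Python illustration (not ScreenOS code) of the allocation just described: guaranteed bandwidth first, then the leftover shared by priority up to each policy's maximum, with the default parameters applied to a policy whose shaping is off. The allocate function, the per-policy demand figures and the Support values and priorities are assumptions of the example; the Marketing and Sales guaranteed/maximum values follow the traffic shaping example later in this chapter.

```python
"""Model of policy-level traffic shaping as the text describes it: each
policy first receives its guaranteed bandwidth (gbw); whatever the interface
has left is then shared in priority order (0 highest, 7 lowest), each policy
taking no more than its maximum bandwidth (mbw). Added illustration that
simplifies the device's scheduler; not ScreenOS code. All values in kbps."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Shaped:
    name: str
    gbw: int                  # guaranteed bandwidth
    mbw: Optional[int]        # maximum bandwidth; None = unlimited
    priority: int             # 0 (highest) .. 7 (lowest)
    demand: int               # traffic the policy is currently offered


def unshaped(name, demand):
    """A policy with shaping turned off while shaping is on elsewhere gets the
    default parameters from the text: gbw 0, unlimited mbw, priority 7."""
    return Shaped(name, 0, None, 7, demand)


def allocate(interface_kbps, policies):
    """Return the bandwidth each policy actually receives."""
    if sum(p.gbw for p in policies) > interface_kbps:
        raise ValueError("guaranteed bandwidth exceeds the interface bandwidth")
    # Pass 1: guarantees. A policy offering less than its guarantee keeps only
    # what it uses; the rest becomes sharable.
    alloc = {p.name: min(p.gbw, p.demand) for p in policies}
    leftover = interface_kbps - sum(alloc.values())
    # Pass 2: leftover handed out by priority, bounded by mbw and demand.
    for p in sorted(policies, key=lambda p: p.priority):   # stable sort
        ceiling = p.demand if p.mbw is None else min(p.mbw, p.demand)
        extra = min(ceiling - alloc[p.name], leftover)
        if extra > 0:
            alloc[p.name] += extra
            leftover -= extra
    return alloc


T3_KBPS = 45000


def departments(marketing_demand=T3_KBPS):
    """Constructed scenario: three shaped departments plus one policy with
    shaping turned off, all offering more traffic than the link carries."""
    return [Shaped("Marketing", 10000, 15000, 0, marketing_demand),
            Shaped("Sales", 10000, 10000, 2, T3_KBPS),
            Shaped("Support", 5000, 5000, 4, T3_KBPS),
            unshaped("Other", T3_KBPS)]


if __name__ == "__main__":
    print(allocate(T3_KBPS, departments()))
    # Marketing sends only 2000 kbps: its unused guarantee is shared out.
    print(allocate(T3_KBPS, departments(marketing_demand=2000)))
```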


Example: Traffic Shaping
In this example, you partition 45Mbps of bandwidth on a T3 interface among three departments on the same subnet. The interface ethernet1 is bound to the Trust zone and ethernet3 is bound to the Untrust zone.

WebUI

1. Bandwidth on InterfacesNetwork > Interfaces > Edit (for ethernet1): Enter the following, and then clic

Traffic Bandwidth: 450002

Network > Interfaces > Edit (for ethernet3): Enter the following, and then clic

Traffic Bandwidth: 45000

2. If you do not specify bandwidth settings on an interface, NetScreen uses whatever the available physical bandwidth i

Marketing: 10 Mbps In, 10 Mbps Out

Sales: 5 Mbps In, 10 Mbps Out

Support: 5 Mbps In, 5 Mbps Out

DMZ for Servers

Router Router

T3�45 Mbps

Trust Zone Untru

2. Bandwidth in Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Marketing Traffic Shaping
Source Address:
Address Book Entry: (select), Marketing
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit
VPN Tunnel: None (3)

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 15000

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Sales Traffic Shaping Policy
Source Address:
Address Book Entry: (select), Sales
Destination Address:
Address Book Entry: (select), Any
Service: Any

3. You can also enable traffic shaping in policies referencing VPN tunnels.

Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 10000

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Support Traffic Shaping Policy
Source Address:
Address Book Entry: (select), Support
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 10000

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Allow Incoming Access to Marketing
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Marketing

Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 10000
Maximum Bandwidth: 10000

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Allow Incoming Access to Sales
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Sales
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 10000

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Allow Incoming Access to Support
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Support
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 5000

CLI

To enable traffic shaping by policy, do the following:

1. Bandwidth on Interfaces

set interface ethernet1 bandwidth 45000 (4)
set interface ethernet3 bandwidth 45000

2. Bandwidth in Policies

set policy name “Marketing Traffic Shaping” from trust to untrust marketing any any permit traffic gbw 10000 priority 0 mbw 15000
set policy name “Sales Traffic Shaping Policy” from trust to untrust sales any any permit traffic gbw 10000 priority 0 mbw 10000
set policy name “Support Traffic Shaping Policy” from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 10000
set policy name “Allow Incoming Access to Marketing” from untrust to trust any marketing any permit traffic gbw 10000 priority 0 mbw 10000
set policy name “Allow Incoming Access to Sales” from untrust to trust any sales any permit traffic gbw 5000 priority 0 mbw 10000
set policy name “Allow Incoming Access to Support” from untrust to trust any support any permit traffic gbw 5000 priority 0 mbw 5000
save

4. If you do not specify bandwidth settings on an interface, NetScreen uses whatever the available physical bandwidth is.

SETTING SERVICE PRIORITIES

The traffic shaping feature on NetScreen devices allows you to perform priority queuing on the bandwidth that is not allocated to guaranteed bandwidth, or unused guaranteed bandwidth. Priority queuing is a feature that allows all your users and applications to have access to available bandwidth as they need it, while ensuring that important traffic can get through, if necessary at the expense of less important traffic. Queuing allows NetScreen to buffer traffic in up to eight different priority queues. These eight queues are:

• High priority

• 2nd priority

• 3rd priority

• 4th priority

• 5th priority

• 6th priority

• 7th priority

• Low priority (default)

The priority setting for a policy means that the bandwidth not already guaranteed to other policies is queued on the basis of high priority first and low priority last. Policies with the same priority setting compete for bandwidth in a round robin fashion. The NetScreen device processes all of the traffic from all of the policies with high priority before processing any traffic from policies with the next lower priority setting, and so on, until all traffic requests have been processed. If traffic requests exceed available bandwidth, the lowest priority traffic is dropped.

If you do not allocate any guaranteed bandwidth, then you can use priority queuing to manage all of traffic on your network. That is, all high priority traffic is sent before any 2nd priority traffic is sent, and so on. The NetScreen device processes low priority traffic only after all other traffic has been processed.

Caution: Be careful not to allocate more bandwidth than the interface can support. The policy configuration process does not prevent you from creating unsupported policy configurations. You can lose data if the guaranteed bandwidth on contending policies surpasses the traffic bandwidth set on the interface.
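The two passages above, "Managing Bandwidth at the Policy Level" and "Setting Service Priorities", describe one scheduler: every policy first gets its guaranteed bandwidth, the interface's remaining bandwidth is handed out by priority (high first, equal priorities round robin), and each policy is capped at its maximum. The following is an added example that models that behaviour in Python; it is not ScreenOS code and not part of the original guide. The class and function names (ShapedPolicy, check_interface, allocate) and the offered-load figures are assumptions made for the example; the policy values are those of the "Example: Priority Queuing" on this page. check_interface performs the sanity check the Caution asks for, which the policy configuration process itself does not perform.

```python
"""Model of ScreenOS-style policy traffic shaping.

Added example, not ScreenOS code. Figures are in kbps, the unit of the gbw and
mbw policy parameters on this page. The scheduler follows the text: every
policy first receives its guaranteed bandwidth; whatever the interface has left
is handed out by priority (0 = high first, 7 = low last), policies of equal
priority sharing it round robin, each capped at its maximum bandwidth.
"""
from dataclasses import dataclass

UNLIMITED = float("inf")


@dataclass(frozen=True)
class ShapedPolicy:
    name: str
    gbw: int = 0              # guaranteed bandwidth (kbps); 0 is the page's default
    mbw: float = UNLIMITED    # maximum bandwidth (kbps); unlimited by default
    priority: int = 7         # 0 = high ... 7 = low; 7 is the page's default


def check_interface(policies, interface_bw):
    """Return (ok, total_gbw). ok is False when the summed guarantees exceed the
    interface's traffic bandwidth, the over-allocation the Caution warns about."""
    total = sum(p.gbw for p in policies)
    return total <= interface_bw, total


def allocate(policies, demand, interface_bw):
    """Simulate one scheduling round.

    demand maps policy name -> kbps the policy's traffic is offering.
    Returns policy name -> kbps it is granted.
    """
    def want(p):                      # never more than the policy's maximum
        return min(demand.get(p.name, 0), p.mbw)

    # Step 1: every policy gets its guarantee (or less, if it offers less).
    granted = {p.name: min(want(p), p.gbw) for p in policies}
    leftover = interface_bw - sum(granted.values())
    if leftover < 0:
        raise ValueError("guaranteed bandwidth exceeds interface bandwidth")

    # Step 2: unallocated bandwidth goes to the highest priority first.
    for prio in sorted({p.priority for p in policies}):
        group = [p for p in policies if p.priority == prio]
        # Equal shares among contenders of this priority (the page's round robin),
        # repeated until the leftover is gone or nobody in the group wants more.
        while leftover > 1e-9:
            hungry = [p for p in group if want(p) - granted[p.name] > 1e-9]
            if not hungry:
                break
            share = leftover / len(hungry)
            for p in hungry:
                extra = min(share, want(p) - granted[p.name])
                granted[p.name] += extra
                leftover -= extra
    return {name: round(kbps) for name, kbps in granted.items()}


# The outbound policies of the "Example: Priority Queuing" on this page.
PRIORITY_EXAMPLE_OUT = (
    ShapedPolicy("sup-out", gbw=5000, mbw=40000, priority=0),
    ShapedPolicy("sal-out", gbw=2500, mbw=40000, priority=2),
    ShapedPolicy("mar-out", gbw=2500, mbw=40000, priority=3),
)

if __name__ == "__main__":
    # Constructed load: every department offers 30 Mbps on the 40 Mbps interface.
    load = {"sup-out": 30000, "sal-out": 30000, "mar-out": 30000}
    print(check_interface(PRIORITY_EXAMPLE_OUT, 40000))
    print(allocate(PRIORITY_EXAMPLE_OUT, load, 40000))
```

With all three departments offering 30 Mbps on the 40 Mbps interface, Support keeps its 5 Mbps guarantee and then takes 25 Mbps of the remainder as the high-priority policy, Sales gets its 2.5 Mbps guarantee plus the last 5 Mbps, and Marketing is held to its 2.5 Mbps guarantee. A policy created without traffic shaping can be modelled as ShapedPolicy(name) alone, which gives it the page's default of no guarantee, no maximum and priority 7.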

Example: Priority Queuing

In this example, you configure the guaranteed and maximum bandwidth for three departments (Support, Sales, and Marketing) as follows:

             Outbound Guaranteed   Inbound Guaranteed   Combined Guaranteed   Priority
Support      5*                    5                    10                    High
Sales        2.5                   3.5                  6                     2
Marketing    2.5                   1.5                  4                     3
Total        10                    10                   20

* Megabits per second (Mbps)

If all three departments send and receive traffic concurrently through the NetScreen firewall, the NetScreen device must allocate 20 Mbps of bandwidth to fulfill the guaranteed policy requirements. The interface ethernet1 is bound to the Trust zone and ethernet3 is bound to the Untrust zone.

[Figure: Trust Zone with three departments (Marketing: 2.5 Mbps Out, 1.5 Mbps In, 3rd Priority; Sales: 2.5 Mbps Out, 3.5 Mbps In, 2nd Priority; Support: 5 Mbps Out, 5 Mbps In, High Priority) - Router - NetScreen device - Router - T3 (45 Mbps) - Internet (Untrust Zone); DMZ Zone for Servers]

WebUI

1. Bandwidth on Interfaces

Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Traffic Bandwidth: 40000

Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Traffic Bandwidth: 40000

2. Bandwidth in Policies

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Sup-out
Source Address:
Address Book Entry: (select), Support
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 40000
Traffic Priority: High priority
DiffServ Codepoint Marking (5): (select)

5. Differentiated Services (DS) is a system for tagging (or “marking”) traffic at a position within a hierarchy of priority. DS Codepoint Marking maps the NetScreen priority level of the policy to the first three bits of codepoint in the DS field in the IP packet header. For more information about DS Codepoint Marking, see “Traffic Shaping” on page 315.

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Sal-out
Source Address:
Address Book Entry: (select), Sales
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 2500
Maximum Bandwidth: 40000
Traffic Priority: 2nd priority
DiffServ Codepoint Marking: Enable

Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Name: Mar-out
Source Address:
Address Book Entry: (select), Marketing
Destination Address:
Address Book Entry: (select), Any
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 2500
Maximum Bandwidth: 40000
Traffic Priority: 3rd priority
DiffServ Codepoint Marking: (select)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Sup-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Support
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 5000
Maximum Bandwidth: 40000
Traffic Priority: High priority
DiffServ Codepoint Marking: (select)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Sal-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Sales
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 3500
Maximum Bandwidth: 40000
Traffic Priority: 2nd priority
DiffServ Codepoint Marking: (select)

Policies > (From: Untrust, To: Trust) New: Enter the following, and then click OK:

Name: Mar-in
Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), Marketing
Service: Any
Action: Permit

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Traffic Shaping: (select)
Guaranteed Bandwidth: 1500
Maximum Bandwidth: 40000
Traffic Priority: 3rd priority
DiffServ Codepoint Marking: (select)

CLI

1. Bandwidth on Interfaces

set interface ethernet1 bandwidth 40000
set interface ethernet3 bandwidth 40000

2. Bandwidth in Policies

set policy name sup-out from trust to untrust support any any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
set policy name sal-out from trust to untrust sales any any permit traffic gbw 2500 priority 2 mbw 40000 dscp enable
set policy name mar-out from trust to untrust marketing any any permit traffic gbw 2500 priority 3 mbw 40000 dscp enable
set policy name sup-in from untrust to trust any support any permit traffic gbw 5000 priority 0 mbw 40000 dscp enable
set policy name sal-in from untrust to trust any sales any permit traffic gbw 3500 priority 2 mbw 40000 dscp enable
set policy name mar-in from untrust to trust any marketing any permit traffic gbw 1500 priority 3 mbw 40000 dscp enable
save

Chapter 8

System Parameters

This chapter focuses on the concepts involved in establishing system parameters affecting the following areas of a NetScreen security appliance:

• “Domain Name System Support” on page 365

– “DNS Lookup” on page 366

– “DNS Status Table” on page 367

– “Dynamic DNS” on page 370

– “Proxy DNS Address Splitting” on page 373

• “DHCP” on page 376

– “DHCP Server” on page 378

– “DHCP Relay Agent” on page 388

– “DHCP Client” on page 394

– “TCP/IP Settings Propagation” on page 396

• “PPPoE” on page 399

– “Multiple PPPoE Sessions over a Single Interface” on page 405

– “PPPoE and High Availability” on page 410

• “Upgrading and Downgrading Firmware” on page 411

– “Requirements to Upgrade and Downgrade Device Firmware” on page 412

– “Downloading New Firmware” on page 413

– “Upgrading NetScreen Devices in an NSRP Configuration” on page 420

– “Authenticating Firmware and DI Files” on page 431


• “Downloading and Uploading Configurations” on page 435

– “Saving and Importing Configurations” on page 435

– “Configuration Rollback” on page 437

– “Locking the Configuration File” on page 440

• “Setting NetScreen-Security Manager Bulk-CLI” on page 443

• “License Keys” on page 444

• “Registration and Activation of Subscription Services” on page 446

– “Temporary Service” on page 446

– “AV, URL Filtering, and DI Bundled with a New Device” on page 447

– “AV, URL Filtering, and DI Upgrade to an Existing Device” on page 44

– “DI Upgrade Only” on page 449

• “System Clock” on page 450

– “Date and Time” on page 450

– “Time Zone” on page 450

– “NTP” on page 451

DOMAIN NAME SYSTEM SUPPORT

The NetScreen device incorporates Domain Name System (DNS) support allowing you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name (such as www.juniper.net) in addition to using the routable IP address, which for www.juniper.net is 207.17.137.68. DNS translation is supported in all the following programs:

• Address Book

• Syslog

• E-mail

• WebTrends

• Websense

• LDAP

• SecurID

• RADIUS

• NetScreen Security Manager

Before you can use DNS for domain name/address resolution, you must enter the addresses for DNS servers (the primary and secondary DNS servers) in the NetScreen device.

Note: When enabling the NetScreen device as a Dynamic Host Configuration Protocol (DHCP) server (see “DHCP” on page 376), you must also enter the IP addresses for DNS servers in the DHCP page on the WebUI or through the set interface interface dhcp command in the CLI.

DNS Lookup

The NetScreen device refreshes all the entries in its DNS table by checking them with a specified DNS server at the following times:

• After an HA failover occurs

• At a regularly scheduled time of day and at regularly scheduled intervals throughout the day

• When you manually command the device to perform a DNS lookup

– WebUI: Network > DNS: Click Refresh DNS cache.

– CLI: exec dns refresh

In addition to the existing method of setting a time for a daily automatic refresh of the DNS table, you can also define an interval of time from 4 hours to 24 hours.

When the NetScreen device connects to the DNS server to resolve a domain name/IP address mapping, it stores that entry in its DNS status table. The following list contains some of the details involved in a DNS lookup:

• When a DNS lookup returns multiple entries, the address book accepts all entries. The other programs listed on page 365 accept only the first one.

• The NetScreen device reinstalls all policies if it finds that anything in the domain name table has changed when you refresh a lookup using the Refresh button in the WebUI or enter the exec dns refresh CLI command.

• If a DNS server fails, the NetScreen device looks up everything again.

• If a lookup fails, the NetScreen device removes it from the cache table.

• If the domain name lookup fails when adding addresses to the address book, the NetScreen device displays an error message stating that you have successfully added the address but the DNS name lookup failed.

Note: When you add a fully-qualified domain name (FQDN) such as an address or IKE gateway through the WebUI, the NetScreen device resolves it when you click Apply or OK. When you type a CLI command that references an FQDN, the NetScreen device attempts to resolve it when you enter it.

The NetScreen device must do a new lookup once a day, which you can schedule the NetScreen device to do at a specified time:

WebUI

Network > DNS: Enter the following, and then click Apply:

DNS refresh every day at: Select check box and enter time <hh:mm>

CLI

set dns host schedule time_str
save

DNS Status Table

The DNS status table reports all the domain names looked up, their corresponding IP addresses, whether the lookup was successful, and when each domain name/IP address was last resolved. The report format looks like the example below:

Name             IP Address         Status    Last Lookup
www.yahoo.com    204.71.200.74      Success   8/13/2000 16:45:33
                 204.71.200.75
                 204.71.200.67
                 204.71.200.68
www.hotbot.com   209.185.151.28     Success   8/13/2000 16:45:38
                 209.185.151.210
                 216.32.228.18

To view the DNS status table, do either of the following:

WebUI

Network > DNS > Show DNS Table

CLI

get dns host report

Example: DNS Server and Refresh Schedule

To implement DNS functionality, the IP addresses for the DNS servers at 24.1.64.38 and 24.0.0.3 are entered in the NetScreen device, protecting a single host in a home office. The NetScreen device is scheduled to refresh the DNS settings stored in its DNS status table everyday at 11:00 P.M.

[Figure: Trust Zone - NetScreen device - Untrust Zone - Internet; Primary DNS Server 24.0.0.3, Secondary DNS Server 24.1.64.38]

WebUI

Network > DNS: Enter the following, and then click Apply:

Primary DNS Server: 24.0.0.3
Secondary DNS Server: 24.1.64.38
DNS Refresh: (select)
Every Day at: 23:00

CLI

set dns host dns1 24.0.0.3
set dns host dns2 24.1.64.38
set dns host schedule 23:00
save

Example: Setting a DNS Refresh Interval

In this example, you configure the NetScreen device to refresh its DNS table every 4 hours beginning at 12:01 AM every day.

WebUI

Network > DNS: Enter the following, and then click Apply:

DNS Refresh: (select)
Every Day at: 12:01
Interval: 4

CLI

set dns host schedule 12:01 interval 4
save

Dynamic DNS

Dynamic DNS (DDNS) is a mechanism that allows clients to dynamically update IP addresses for registered domain names. This update is useful when an ISP uses PPP, DHCP, or XAuth to dynamically change the IP address for a CPE router (such as a NetScreen device) that protects a web server. Thus, clients from the internet can access the web server using a domain name, even if the IP address of the CPE router previously changed. This change is made possible by a DDNS server such as dyndns.org or ddo.jp, which contains the dynamically-changed addresses and their associated domain names. The CPE updates the DDNS servers with this information, periodically or in response to IP address changes.

To use DDNS, create an account (username and password) on the DDNS server. The server uses this account information to configure the client device.

[Figure: Web Server www.my_host.com (Trust Zone) - NetScreen Device (CPE Router), interface ethernet7 - Internet - Client; DDNS Server (dyndns.org or ddo.jp). Note: The Untrust zone is not shown.]

In the diagram shown above, it is possible that the IP address for interface ethernet7 might change. When a change happens, the client can still access the protected Web server using the host name (www.my_host.com), either through the dyndns.org server or the ddo.jp server. Each of these servers require somewhat different configurations on the NetScreen device.

Example: DDNS Setup for dyndns Server

In the following example, you configure a NetScreen device for DDNS operation. The device uses the dyndns.org server to resolve changed addresses. For this server, you specify the protected host using the Host Name setting, which explicitly binds to the DNS interface (ethernet7); therefore, when the device sends an update to the ddo.jp server, it associates the Host Name with the IP address of the interface.

WebUI

Network > DNS > DDNS > New: Enter the following, and then click OK:

ID: 12
Server Settings
Server Type: dyndns
Server Name: dyndns.org
Refresh Interval: 24
Minimum Update Interval: 15 (1)
Account Settings
Username: swordfish
Password: ad93lvb
Bind to Interface: ethernet7
Host Name: www.my_host.com

1. This setting specifies the minimum time interval (expressed in minutes) between DDNS updates. The default is 10 minutes, and the allowable range is 1-1440. In some cases, the device might not update the interval because the DNS server first needs to timeout the DNS entry from its cache. In addition, if you set the Minimum Update Interval to a very low value, then the NetScreen device might lock you out; therefore, the recommended value is 10 minutes or more.

CLI

set dns ddns
set dns ddns enable
set dns ddns id 12 server dyndns.org server-type dyndns refresh-interval 24 minimum-update-interval 15
set dns ddns id 12 src-interface ethernet7 host-name www.my_host.com
set dns ddns id 12 username swordfish password ad93lvb
save

Example: DDNS Setup for ddo Server

In the following example, you configure a NetScreen device for DDNS. The device uses the ddo.jp server to resolve addresses. For the ddo.jp server, you specify the protected host FQDN as the Username for the DDNS entry, instead of specifying the protected host using the Host Name setting. The service automatically derives the host name from the Username value. For example, the ddo.jp server translates a user name of my_host to my_host.ddo.jp. Make sure that the registered domain name on ddo.jp matches the derived DNS.

WebUI

Network > DNS > DDNS > New: Enter the following, and then click OK:

ID: 25
Server Settings
Server Type: ddo
Server Name: juniper.net
Refresh Interval: 24
Minimum Update Interval: 15
Account Settings
Username: my_host
Password: ad93lvb
Bind to Interface: ethernet7

CLI

set dns ddns
set dns ddns enable
set dns ddns id 25 server ddo.jp server-type ddo refresh-interval 24 minimum-update-interval 15
set dns ddns id 25 src-interface ethernet7
set dns ddns id 25 username my_host password ad93lvb
save

Proxy DNS Address Splitting

The proxy DNS feature provides a transparent mechanism that allows clients to make split DNS queries. Using this technique, the proxy selectively redirects the DNS queries to specific DNS servers, according to partial or complete domain names. This is useful when VPN tunnels or PPPoE virtual links provide multiple network connectivity, and it is necessary to direct some DNS queries to one network, and other queries to another network.

The most important advantages of a DNS proxy are as follows.

• Domain lookups are usually more efficient. For example, DNS queries meant for the corporate domain (such as acme.com) could go to the corporate DNS server exclusively, while all others go to the ISP DNS server, thus reducing the load on the corporate server. In addition, this can prevent corporate domain information from leaking into the internet.

• DNS proxy allows you to transmit selected DNS queries through a tunnel interface, thus preventing malicious users from learning about internal network configuration. For example, DNS queries bound for the corporate server can pass through a tunnel interface, and use security features such as authentication, encryption, and anti-replay.

Example: Splitting DNS Requests

The following commands create two proxy-DNS entries that selectively forward DNS queries to different servers.

• Any DNS query with a FQDN containing the domain name acme.com goes out through tunnel interface tunnel.1, to the corporate DNS server at IP address 2.1.1.21.

For example, if a host sends a DNS query for www.acme.com, the device automatically directs the query to this server. (For this example, assume for this case that the server resolves the query to IP address 3.1.1.2.)

• Any DNS query with a FQDN containing the domain name acme_engineering.com goes out through tunnel interface tunnel.1 to the DNS server at IP address 2.1.1.34.

For example, if a host sends a DNS query for intranet.acme_eng.com, the device directs the query to this server. (For this example, assume for this case that the server resolves the query to IP address 3.1.1.5.)

• All other DNS queries (denoted by an asterisk) bypass the corporate servers and go out through interface ethernet3 to the DNS server at IP address 1.1.1.23.

For example, if the host and domain name is www.juniper.net, the device automatically bypasses the corporate servers and directs the query to this server, which resolves the query to IP address 207.17.137.68.

[Figure: NetScreen device with proxy-DNS entries (acme.com and acme_eng.com via tunnel.1; * via ethernet3) - Corporate DNS Servers 2.1.1.21 and 2.1.1.34 (acme.com => 3.1.1.2, acme_eng.com => 3.1.1.5) - ISP DNS Servers 1.1.1.23 (netscreen.com => 63.126.135.170) - Internet]

WebUI

1. Network > DNS > Proxy: Enter the following, and then click Apply:

Initialize DNS Proxy: Enable
Enable DNS Proxy: Enable

2. Network > DNS > Proxy > New: Enter the following, and then click OK:

Domain Name: acme.com
Outgoing Interface: tunnel.1
Primary DNS Server: 2.1.1.21

3. Network > DNS > Proxy > New: Enter the following, and then click OK:

Domain Name: acme_eng.com
Outgoing Interface: tunnel.1
Primary DNS Server: 2.1.1.34

4. Network > DNS > Proxy > New: Enter the following, and then click OK:

Domain Name: *
Outgoing Interface: ethernet3
Primary DNS Server: 1.1.1.23

CLI

set dns proxy
set dns proxy enable
set interface ethernet3 proxy dns
set dns server-select domain acme.com outgoing-interface tunnel.1 primary-server 2.1.1.21
set dns server-select domain acme_eng.com outgoing-interface tunnel.1 primary-server 2.1.1.34
set dns server-select domain * outgoing-interface ethernet3 primary-server 1.1.1.23
save
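The server-select table above decides, per query, which outgoing interface and which DNS server a lookup goes to, with the "*" entry catching everything else. The following added Python example models that selection and adds the check a defender wants alongside it: which internal domains would still fall through to the ISP server. It is not ScreenOS code and not part of the original guide. The matching rule (an entry applies when its domain is the query name or one of its parent domains, most specific entry winning) is an assumption made for the example, as are the names ServerSelect, select and uncovered_internal_domains; the three table entries are those of the page's example and "acme-lab.com" is a constructed internal domain.

```python
"""Model of proxy DNS address splitting (added example, not ScreenOS code).

A server-select table maps a domain name to the outgoing interface and primary
DNS server that queries for that domain should use; "*" is the catch-all. The
matching rule below (a query matches an entry when the entry's domain equals
the query's name or one of its parent domains, most specific entry winning)
is an assumption made for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServerSelect:
    domain: str              # e.g. "acme.com" or "*"
    outgoing_interface: str
    primary_server: str


def _labels(name):
    return name.lower().rstrip(".").split(".")


def matches(domain, fqdn):
    """True when fqdn is domain itself or lies beneath it. The comparison is
    label-aligned, so 'acme.com' does not match 'www.notacme.com'."""
    if domain == "*":
        return True
    d, q = _labels(domain), _labels(fqdn)
    return len(q) >= len(d) and q[-len(d):] == d


def select(table, fqdn):
    """Return (outgoing_interface, primary_server) for a query, or None when no
    entry (not even '*') applies."""
    best = None
    for entry in table:
        if matches(entry.domain, fqdn):
            depth = 0 if entry.domain == "*" else len(_labels(entry.domain))
            if best is None or depth > best[0]:
                best = (depth, entry)
    return None if best is None else (best[1].outgoing_interface, best[1].primary_server)


def uncovered_internal_domains(table, internal_domains):
    """Defender's check: internal domains whose queries would fall through to the
    catch-all entry (and so to the ISP server), leaking internal names."""
    specific = [e for e in table if e.domain != "*"]
    return [d for d in internal_domains
            if not any(matches(e.domain, d) for e in specific)]


# The three entries of the "Example: Splitting DNS Requests" on this page.
PAGE_TABLE = (
    ServerSelect("acme.com", "tunnel.1", "2.1.1.21"),
    ServerSelect("acme_eng.com", "tunnel.1", "2.1.1.34"),
    ServerSelect("*", "ethernet3", "1.1.1.23"),
)

if __name__ == "__main__":
    for q in ("www.acme.com", "intranet.acme_eng.com", "www.juniper.net", "www.notacme.com"):
        print(q, "->", select(PAGE_TABLE, q))
    # "acme-lab.com" is a constructed internal domain with no entry of its own.
    print(uncovered_internal_domains(PAGE_TABLE, ["acme.com", "acme_eng.com", "acme-lab.com"]))
```

Run against the page's three entries, www.acme.com goes to 2.1.1.21 via tunnel.1, intranet.acme_eng.com to 2.1.1.34 via tunnel.1, and www.juniper.net to the ISP server 1.1.1.23 via ethernet3. The uncovered_internal_domains check reports acme-lab.com, a domain with no entry of its own whose lookups would leave through ethernet3 in the clear, which is exactly the leakage the section's first advantage is meant to prevent.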

DHCP

Dynamic Host Configuration Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected.

Different NetScreen devices support different DHCP roles:

• DHCP Client: Some NetScreen devices can act as DHCP clients, receiving a dynamically assigned IP address for any physical interface in any zone.

• DHCP Server: Some NetScreen devices can also act as DHCP servers, allocating dynamic IP addresses to hosts (acting as DHCP clients) on any physical or VLAN interface in any zone.

• DHCP Relay Agent: Some NetScreen devices can also act as DHCP relay agents, receiving DHCP information from a DHCP server and relaying that information to hosts on any physical or VLAN interface in any zone.

• DHCP Client/Server/Relay Agent: Some NetScreen devices can simultaneously act as a DHCP client, server, and relay agent. Note that you can only configure one DHCP role on a single interface. For example, you cannot configure the DHCP client and server on the same interface. Optionally, you can configure the DHCP client module to forward TCP/IP settings that it receives to the DHCP server module, for use when providing TCP settings to hosts in the Trust zone acting as DHCP clients.

Note: While using the DHCP server module to assign addresses to hosts such as workstations in a zone, you can still use fixed IP addresses for other machines such as mail servers and WINS servers.

DHCP consists of two components: a protocol for delivering host-specific TCP/IP configuration settings and a mechanism for allocating IP addresses. When the NetScreen device acts as a DHCP server, it provides the following TCP/IP settings to each host when that host boots up:

• Default gateway IP address and netmask. If you leave these settings as 0.0.0.0/0, the DHCP server module automatically uses the IP address and netmask of the default Trust zone interface2.

• The IP addresses of the following servers:

– WINS servers (2):3 A Windows Internet Naming Service (WINS) server maps a NetBIOS name used in a Windows NT network environment to an IP address used on an IP-based network.

– NetInfo servers (2): NetInfo is an Apple network service used for the distribution of administrative data within a LAN.

– NetInfo tag (1): The identifying tag used by the Apple NetInfo database.

– DNS servers (3): A Domain Name System (DNS) server maps a uniform resource locator (URL) to an IP address.

– SMTP server (1): A Simple Mail Transfer Protocol (SMTP) server delivers SMTP messages to a mail server, such as a POP3 server, which stores the incoming mail.

– POP3 server (1): A Post Office Protocol version 3 (POP3) server stores incoming mail. A POP3 server must work conjointly with an SMTP server.

– News server (1): A news server receives and stores postings for news groups.

2. On devices that can have multiple interfaces bound to the Trust zone, the default interface is the first interface bound to that zone and assigned an IP address.

3. The number in parentheses indicates the number of servers supported.

Note: If a DHCP client to which the NetScreen device is passing the above parameters has a specified IP address, that address overrides all the dynamic information received from the DHCP server.

DHCP Server

A NetScreen appliance can support up to eight DHCP servers on any physical or VLAN interface in any zone. When acting as a DHCP server, a NetScreen device allocates IP addresses and subnet masks in two modes:

• In Dynamic mode, the NetScreen device, acting as a DHCP server, assigns (or "leases") an IP address from an address pool4 to a host DHCP client. The IP address is leased for a determined period of time or until the client relinquishes the address. (To define an unlimited lease period, enter 0.)

• In Reserved mode, the NetScreen device assigns a designated IP address from an address pool exclusively to a specific client every time that client goes online.

Example: NetScreen Device as DHCP Server

Using DHCP, the 172.16.10.0/24 network in the Trust zone is sectioned into three IP address pools:

• 172.16.10.10 through 172.16.10.19

• 172.16.10.120 through 172.16.10.129

• 172.16.10.210 through 172.16.10.219

The DHCP server assigns all IP addresses dynamically, except for two workstations with reserved IP addresses, and four servers that have static IP addresses. The interface ethernet1 is bound to the Trust zone, has IP address 172.16.10.1/24, and is in NAT mode. The domain name is dynamic.com.

4. An address pool is a defined range of IP addresses within the same subnet from which the NetScreen device can draw DHCP address assignments. You can group up to 255 IP addresses.

Note: The NetScreen device saves every IP address assigned through DHCP in flash memory. Consequently, rebooting the NetScreen device does not affect address assignments.

[Figure: DHCP server example. Trust Zone LAN 172.16.10.0/24 behind ethernet1 172.16.10.1/24 (NAT). Address pools: 172.16.10.10 - 172.16.10.19, 172.16.10.120 - 172.16.10.129, 172.16.10.210 - 172.16.10.219. Reserved IPs: 172.16.10.11 (MAC 12:34:ab:cd:56:78) and 172.16.10.112 (MAC ab:cd:12:34:ef:gh). SMTP and POP3 servers, fixed IPs 172.16.10.25 and 172.16.10.110. DNS servers, fixed IPs 172.16.10.240 and 172.16.10.241.]

WebUI

1. Addresses
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: DNS#1
Comment: Primary DNS Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.240/32
Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: DNS#2
Comment: Secondary DNS Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.241/32
Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: SMTP
Comment: SMTP Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.25/32
Zone: Trust

Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: POP3
Comment: POP3 Server
IP Address/Domain Name:
IP/Netmask: (select), 172.16.10.110/32
Zone: Trust

2. DHCP Server
Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click Apply:5

Lease: Unlimited (select)
WINS#1: 0.0.0.0
DNS#1: 172.16.10.240

> Advanced Options: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

WINS#2: 0.0.0.0
DNS#2: 172.16.10.241
DNS#3: 0.0.0.0
SMTP: 172.16.10.25
POP3: 172.16.10.110
NEWS: 0.0.0.0
NetInfo Server #1: 0.0.0.0
NetInfo Server #2: 0.0.0.0
NetInfo Tag: (leave field empty)
Domain Name: dynamic.com

> Addresses > New: Enter the following, and then click OK:

Dynamic: (select)
IP Address Start: 172.16.10.10
IP Address End: 172.16.10.19

5. If you leave the Gateway and Netmask fields as 0.0.0.0, the DHCP server module sends the IP address and netmask set for ethernet1 to its clients (172.16.10.1 and 255.255.255.0 in this example). However, if you enable the DHCP client module to forward TCP/IP settings to the DHCP server module (see "TCP/IP Settings Propagation" on page 396), then you must manually enter 172.16.10.1 and 255.255.255.0 in the Gateway and Netmask fields.

> Addresses > New: Enter the following, and then click OK:

Dynamic: (select)
IP Address Start: 172.16.10.120
IP Address End: 172.16.10.129

> Addresses > New: Enter the following, and then click OK:

Dynamic: (select)
IP Address Start: 172.16.10.210
IP Address End: 172.16.10.219

> Addresses > New: Enter the following, and then click OK:

Reserved: (select)
IP Address: 172.16.10.11
Ethernet Address: 1234 abcd 5678

> Addresses > New: Enter the following, and then click OK:

Reserved: (select)
IP Address: 172.16.10.112
Ethernet Address: abcd 1234 efgh

CLI

1. Addresses
set address trust dns1 172.16.10.240/32 "primary dns server"
set address trust dns2 172.16.10.241/32 "secondary dns server"
set address trust smtp 172.16.10.25/32 "smtp server"
set address trust pop3 172.16.10.110/32 "pop3 server"

2. DHCP Server
set interface ethernet1 dhcp server option domainname dynamic.com6
set interface ethernet1 dhcp server option lease 0
set interface ethernet1 dhcp server option dns1 172.16.10.240
set interface ethernet1 dhcp server option dns2 172.16.10.241
set interface ethernet1 dhcp server option smtp 172.16.10.25
set interface ethernet1 dhcp server option pop3 172.16.10.110
set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19
set interface ethernet1 dhcp server ip 172.16.10.120 to 172.16.10.129
set interface ethernet1 dhcp server ip 172.16.10.210 to 172.16.10.219
set interface ethernet1 dhcp server ip 172.16.10.11 mac 1234abcd5678
set interface ethernet1 dhcp server ip 172.16.10.112 mac abcd1234efgh
set interface ethernet1 dhcp server service
save

6. If you do not set an IP address for the gateway or a netmask, the DHCP server module sends its clients the IP address and netmask for ethernet1 (172.16.10.1 and 255.255.255.0 in this example). However, if you enable the DHCP client module to forward TCP/IP settings to the DHCP server module (see "TCP/IP Settings Propagation" on page 396), then you must manually set these options: set interface ethernet1 dhcp server option gateway 172.16.10.1 and set interface ethernet1 dhcp server option netmask 255.255.255.0.
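The example above configures three dynamic pools, two reserved addresses and an unlimited lease. The following Python model is an added illustration, not ScreenOS code: it replays those settings to show how Dynamic and Reserved mode interact (a reserved address inside a pool is skipped for other clients), how lease 0 differs from a finite lease, and how saved assignments survive a rebuild of the server object, as the note on flash memory describes. The class and function names are this example's own, and MAC addresses are treated as opaque strings, so the example's "ab:cd:12:34:ef:gh" is accepted as written.

```python
"""Model of the ScreenOS DHCP server allocation modes, Dynamic and Reserved.

Added illustration, not ScreenOS code. Replays the dynamic.com example:
three pools in 172.16.10.0/24, two reserved hosts, unlimited lease.
"""
import ipaddress
import time

UNLIMITED = 0                 # lease 0: the address is never reclaimed


class DhcpPool:
    """A contiguous range inside one subnet holding at most 255 addresses."""

    def __init__(self, start, end, subnet):
        self.start = ipaddress.IPv4Address(start)
        self.end = ipaddress.IPv4Address(end)
        net = ipaddress.IPv4Network(subnet)
        if self.start not in net or self.end not in net:
            raise ValueError("pool must lie inside the interface subnet")
        if not 1 <= int(self.end) - int(self.start) + 1 <= 255:
            raise ValueError("a pool holds between 1 and 255 addresses")

    def addresses(self):
        for n in range(int(self.start), int(self.end) + 1):
            yield ipaddress.IPv4Address(n)


class DhcpServer:
    def __init__(self, subnet, lease_seconds=UNLIMITED, saved=None):
        self.subnet = subnet
        self.lease = lease_seconds
        self.pools = []
        self.reserved = {}                   # mac -> IPv4Address
        # Assignments persist: a saved snapshot is handed back in after a reboot.
        self.leases = dict(saved or {})      # mac -> (IPv4Address, expiry or None)

    def add_pool(self, start, end):
        self.pools.append(DhcpPool(start, end, self.subnet))

    def reserve(self, ip, mac):
        """Reserved mode: this client always receives this address."""
        self.reserved[mac.lower()] = ipaddress.IPv4Address(ip)

    def _in_use(self, now):
        """Reclaim expired dynamic leases; return the set of busy addresses."""
        busy = set(self.reserved.values())
        for mac, (ip, expiry) in list(self.leases.items()):
            if expiry is not None and expiry <= now:
                del self.leases[mac]
            else:
                busy.add(ip)
        return busy

    def request(self, mac, now=None):
        """Answer a client request; returns the address as a string, or None."""
        now = time.time() if now is None else now
        mac = mac.lower()
        busy = self._in_use(now)
        if mac in self.reserved:
            ip = self.reserved[mac]
        elif mac in self.leases:             # a renewal keeps the same address
            ip = self.leases[mac][0]
        else:                                # Dynamic mode: first free pool address
            ip = next((a for p in self.pools for a in p.addresses() if a not in busy), None)
            if ip is None:
                return None
        expiry = None if self.lease == UNLIMITED else now + self.lease
        self.leases[mac] = (ip, expiry)
        return str(ip)

    def release(self, mac):
        self.leases.pop(mac.lower(), None)

    def snapshot(self):
        return dict(self.leases)


def demo():
    """Replay the example: reserved addresses are skipped for others and kept."""
    srv = DhcpServer("172.16.10.0/24", lease_seconds=UNLIMITED)
    srv.add_pool("172.16.10.10", "172.16.10.19")
    srv.add_pool("172.16.10.120", "172.16.10.129")
    srv.add_pool("172.16.10.210", "172.16.10.219")
    srv.reserve("172.16.10.11", "12:34:ab:cd:56:78")
    srv.reserve("172.16.10.112", "ab:cd:12:34:ef:gh")
    out = {
        "first": srv.request("00:00:00:00:00:01", now=0),    # .10
        "second": srv.request("00:00:00:00:00:02", now=0),   # .12, since .11 is reserved
        "fixed": srv.request("12:34:ab:cd:56:78", now=0),    # .11 every time
    }
    rebooted = DhcpServer("172.16.10.0/24", saved=srv.snapshot())
    out["after_reboot"] = rebooted.request("00:00:00:00:00:02", now=0)
    return out


def expiry_demo():
    """With a finite lease an unrenewed address is reclaimed and reissued."""
    srv = DhcpServer("172.16.10.0/24", lease_seconds=60)
    srv.add_pool("172.16.10.10", "172.16.10.19")
    first = srv.request("aa:aa:aa:aa:aa:aa", now=0)
    later = srv.request("bb:bb:bb:bb:bb:bb", now=100)   # lease on .10 expired at 60
    return first, later
```

Because `busy` includes every reserved address, a workstation with a reserved address never competes with dynamic clients for it, which is the property the example relies on when it reserves 172.16.10.11 inside the first pool.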

DHCP Server Options

When you specify DHCP servers for an interface, you may need to specify certain options that identify the servers or provide information used by the servers. For example, you can specify the IP addresses of the primary and secondary DNS servers, or set the IP address lease time.

The following are predefined DHCP services, as described in RFC 2132, "DHCP Options and BOOTP Vendor Extensions".

Terminology                              NetScreen CLI Terminology   Option Code
Subnet Mask                              netmask                     1
Router Option                            gateway                     3
Domain Name Server                       dns1, dns2, dns3            6
Domain Name                              domainname                  15
NetBIOS over TCP/IP Name Server Option   wins1, wins2                44
IP Address Lease Time                    lease                       51
SMTP Server Option                       smtp                        69
POP3 Server Option                       pop3                        70
NNTP Server Option                       news                        71
(N/A)                                    nis1, nis2                  112
(N/A)                                    nistag                      113

In situations where the predefined server options do not suffice, you can define custom DHCP server options. For example, for certain VoIP (Voice-over IP) configurations, it is necessary to send extra configuration information which is not supported by predefined server options. In such cases, you must define suitable custom options.

Example: Custom DHCP Server Options

In the following example, you create DHCP server definitions for IP phones which act as DHCP clients. The phones use the following custom options:

• Option code 444, containing string "Server 4"

• Option code 66, containing IP address 1.1.1.1

• Option code 160, containing integer 2004

CLI

1. Addresses
set address trust dns1 172.16.10.240/32 "primary dns server"
set address trust dns2 172.16.10.241/32 "secondary dns server"

2. DHCP Server
set interface ethernet1 dhcp server option domainname dynamic.com
set interface ethernet1 dhcp server option lease 0
set interface ethernet1 dhcp server option dns1 172.16.10.240
set interface ethernet1 dhcp server option dns2 172.16.10.241
set interface ethernet1 dhcp server option custom 444 string "Server 4"
set interface ethernet1 dhcp server option custom 66 ip 1.1.1.1
set interface ethernet1 dhcp server option custom 160 integer 2004
set interface ethernet1 dhcp server ip 172.16.10.10 to 172.16.10.19

DHCP Server in an NSRP Cluster

When the master unit in a redundant NSRP cluster functions as a DHCP server, all members in the cluster maintain all DHCP configurations and IP address assignments. In the event of a failover, the new master unit maintains all the DHCP assignments. However, termination of HA communication disrupts synchronization of existing DHCP assignments among the cluster members. After restoring HA communication, you can resynchronize the DHCP assignments by using the following CLI command on both units in the cluster: set nsrp rto-mirror sync
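The option table and the custom-option example above both describe values that end up in the DHCP options field laid out by RFC 2132: a one-octet code, a one-octet length and the payload, terminated by code 255. The following Python encoder and decoder is an added illustration, not ScreenOS code, and goes slightly beyond the page by covering every predefined code in the table. The sample values are the dynamic.com settings plus constructed custom options 66 (ip) and 160 (integer); carrying "integer" as a 32-bit big-endian value, and the function names, are this example's assumptions.

```python
"""Encode and decode a DHCP options field as laid out in RFC 2132.

Added illustration, not ScreenOS code. The predefined codes are those in the
ScreenOS option table; "custom" options are carried as string, ip or
integer, mirroring the three value types the CLI accepts. The 32-bit
big-endian encoding for integers is an assumption of this example.
"""
import ipaddress
import struct

# CLI keyword -> (option code, value type) for the predefined options.
PREDEFINED = {
    "netmask": (1, "ip"),
    "gateway": (3, "ip"),
    "dns": (6, "ip-list"),
    "domainname": (15, "string"),
    "wins": (44, "ip-list"),
    "lease": (51, "integer"),
    "smtp": (69, "ip-list"),
    "pop3": (70, "ip-list"),
    "news": (71, "ip-list"),
}
PAD, END = 0, 255      # single-octet options with no length field


def encode_value(kind, value):
    """Serialise one option payload according to its value type."""
    if kind == "ip":
        return ipaddress.IPv4Address(value).packed
    if kind == "ip-list":
        return b"".join(ipaddress.IPv4Address(v).packed for v in value)
    if kind == "string":
        return value.encode("ascii")
    if kind == "integer":
        return struct.pack("!I", value)        # 32-bit unsigned, network order
    raise ValueError(f"unknown value type {kind!r}")


def encode_options(options):
    """options: iterable of (code, kind, value). Returns END-terminated bytes."""
    out = bytearray()
    for code, kind, value in options:
        if not 1 <= code <= 254:
            # Codes are one octet; 0 and 255 are reserved for PAD and END.
            raise ValueError(f"option code {code} is not a valid one-octet code")
        body = encode_value(kind, value)
        if len(body) > 255:
            raise ValueError(f"option {code} payload exceeds 255 bytes")
        out += bytes((code, len(body))) + body
    out.append(END)
    return bytes(out)


def decode_options(data):
    """Return {code: payload bytes}. Skips PAD, stops at END, rejects truncation."""
    result, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            return result
        if code == PAD:
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("truncated option header")
        length = data[i + 1]
        body = data[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError(f"option {code} is truncated")
        result[code] = body
        i += 2 + length
    raise ValueError("options field is not END-terminated")


def decode_ip_list(payload):
    """Split a payload of packed IPv4 addresses into dotted strings."""
    if len(payload) % 4:
        raise ValueError("IP list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(payload[k:k + 4]))
            for k in range(0, len(payload), 4)]


# Constructed sample: the dynamic.com server settings plus two custom options.
SAMPLE = [
    (PREDEFINED["netmask"][0], "ip", "255.255.255.0"),
    (PREDEFINED["gateway"][0], "ip", "172.16.10.1"),
    (PREDEFINED["dns"][0], "ip-list", ["172.16.10.240", "172.16.10.241"]),
    (PREDEFINED["domainname"][0], "string", "dynamic.com"),
    (PREDEFINED["lease"][0], "integer", 3600),
    (66, "ip", "1.1.1.1"),        # custom option carried as an IP address
    (160, "integer", 2004),       # custom option carried as an integer
]


def roundtrip(options=SAMPLE):
    """Encode, decode and interpret the sample so the values can be checked."""
    decoded = decode_options(encode_options(options))
    return {
        "netmask": decode_ip_list(decoded[1])[0],
        "gateway": decode_ip_list(decoded[3])[0],
        "dns": decode_ip_list(decoded[6]),
        "domainname": decoded[15].decode("ascii"),
        "lease": struct.unpack("!I", decoded[51])[0],
        "custom66": decode_ip_list(decoded[66])[0],
        "custom160": struct.unpack("!I", decoded[160])[0],
    }
```

The decoder checks the declared length against the bytes actually present before trusting it, which is the check a parser of untrusted DHCP replies needs; the encoder enforces the one-octet code range that the RFC 2132 layout imposes.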

DHCP Server Detection

When a DHCP server on a NetScreen device starts up, the system can first check to see if there is already a DHCP server on the interface. ScreenOS automatically stops the local DHCP server process from starting if another DHCP server is detected on the network. To detect another DHCP server, the device sends out DHCP boot requests at two-second intervals. If the device does not receive any response to its boot requests, it then starts its local DHCP server process.

If the NetScreen device receives a response from another DHCP server, the system generates a message indicating that the DHCP service is enabled on the NetScreen device but not started because another DHCP server is present on the network. The log message includes the IP address of the existing DHCP server.

You can set one of three operational modes for DHCP server detection on an interface: Auto, Enable, or Disable7. Auto mode causes the Netscreen device to always check for an existing DHCP server at bootup. You can configure the device to not attempt to detect another DHCP server on an interface by setting the NetScreen DHCP server to Enable or Disable mode. In Enable mode, the DHCP server is always on and the device does not check if there is an existing DHCP server on the network. In Disable mode, the DHCP server is always off.

7. Auto mode is the default DHCP server detection mode for NetScreen-5XP and NetScreen-5XT devices. For other NetScreen devices that support the DHCP server, Enable mode is the default DHCP server detection mode.
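The three detection modes above reduce to a small decision procedure. The following Python model is an added illustration, not ScreenOS code: the Auto branch sends boot requests every two seconds as the text states, starts the local server only when nothing answers, and otherwise produces a log line naming the existing server. The probe window, the injectable clock and the simulated network (an existing server at the constructed address 172.16.10.99) are this example's assumptions.

```python
"""Decision logic of ScreenOS DHCP server detection (Auto, Enable, Disable).

Added illustration, not ScreenOS code. The clock, probe window and the
simulated network are this example's assumptions.
"""
PROBE_INTERVAL = 2.0          # seconds between boot requests (from the text)
DEFAULT_WINDOW = 6.0          # assumed detection window, not a ScreenOS value


class FakeClock:
    """Injectable clock so the probe loop runs instantly and deterministically."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


class FakeNetwork:
    """Answers a boot request with the IP of an existing server on that interface."""

    def __init__(self, servers):
        self.servers = servers            # {interface: server_ip}
        self.probes = 0

    def probe(self, interface):
        self.probes += 1
        return self.servers.get(interface)


def start_dhcp_server(mode, interface, net, clock, window=DEFAULT_WINDOW):
    """Return (started, log_message) for the configured detection mode."""
    if mode == "disable":
        return False, f"dhcp server on {interface} is off"
    if mode == "enable":
        return True, f"dhcp server on {interface} started without detection"
    if mode != "auto":
        raise ValueError(f"unknown detection mode {mode!r}")
    deadline = clock.time() + window
    while True:
        existing = net.probe(interface)
        if existing is not None:
            return False, (f"dhcp server on {interface} is enabled but not started: "
                           f"another dhcp server {existing} is present on the network")
        if clock.time() >= deadline:
            return True, f"dhcp server on {interface} started: no other server found"
        clock.sleep(PROBE_INTERVAL)


def run_scenarios():
    """Three runs: clean network in Auto, existing server in Auto, Enable ignores it."""
    results = {}
    net = FakeNetwork({})                             # nothing answers on ethernet1
    started, log = start_dhcp_server("auto", "ethernet1", net, FakeClock())
    results["auto_clean"] = (started, net.probes, log)
    net = FakeNetwork({"ethernet1": "172.16.10.99"})  # constructed existing server
    started, log = start_dhcp_server("auto", "ethernet1", net, FakeClock())
    results["auto_rogue"] = (started, net.probes, log)
    started, log = start_dhcp_server("enable", "ethernet1", net, FakeClock())
    results["enable"] = (started, log)
    return results
```

The log line carries the detected server's address, which is the detail worth alerting on: an unexpected DHCP server on a trusted segment is a common sign of misconfiguration or of a rogue device.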

Example: Turning On DHCP Server Detection

In this example, you set the DHCP server on the ethernet1 interface to check for an existing DHCP server on the interface first before starting up.

WebUI

Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click OK:

Server Mode: Auto (select)

CLI

set interface ethernet1 dhcp server auto
save

Example: Turning Off DHCP Server Detection

In this example, you set the DHCP server on the ethernet1 interface to start up without checking to see if there is an existing DHCP server on the network.

WebUI

Network > DHCP > Edit (for ethernet1) > DHCP Server: Enter the following, and then click OK:

Server Mode: Enable (select)

CLI

set interface ethernet1 dhcp server enable
save

Note: Issuing the CLI command set interface interface dhcp server service command activates the DHCP server on the NetScreen device. If the DHCP server detection mode for the interface is set to Auto, the DHCP server on the NetScreen device starts only if it does not find an existing server on the network. Issuing the unset interface interface dhcp server service command disables the DHCP server on the NetScreen device and also deletes any existing DHCP configuration.

DHCP Relay Agent

When acting as a DHCP relay agent, the NetScreen device forwards DHCP requests and assignments between hosts in one zone and a DHCP server in another zone. The DHCP messages between the NetScreen device and the DHCP server can be transmitted in the open or through a VPN tunnel.

You can configure a DHCP relay agent on one or more physical or VLAN interfaces on a NetScreen device, although you cannot configure DHCP relay agent and DHCP server or client functions on the same interface. When the NetScreen device functions as a DHCP relay agent, its interfaces must be in either Route mode or Transparent mode. For interfaces in Route mode, you must configure a policy from one zone to another zone for the predefined service DHCP-Relay. For interfaces in Transparent mode, the DHCP client must reside in the V1-Trust zone, while the DHCP server can reside in either the V1-Untrust or V1-DMZ zone. No policy is needed for interfaces in Transparent mode.

You can configure up to three DHCP servers for each DHCP relay agent. The relay agent unicasts an address request from a DHCP client to all configured DHCP servers. The relay agent forwards to the client the first response received from a server.

The following simplified illustration presents the process involved in using a NetScreen device as a DHCP relay agent. Note that to ensure security, the DHCP messages pass through a VPN tunnel when traveling over the untrusted network.

Note: When a NetScreen device acts as a DHCP relay agent, the NetScreen device does not generate DHCP allocation status reports because the remote DHCP server controls all the IP address allocations.

Example: NetScreen Device as DHCP Relay Agent

In this example, a NetScreen device receives its DHCP information from a DHCP server at 194.2.9.10 and relays it to hosts in the Trust zone. The hosts receive IP addresses from an IP pool defined on the DHCP server. The address range is 180.10.10.2—180.10.10.254. The DHCP messages pass through a VPN tunnel between the local NetScreen device and the DHCP server, located behind a remote NetScreen device whose Untrust zone interface IP address is 2.2.2.2/24. The interface ethernet1 is bound to the Trust zone, has the IP address 180.10.10.1/24, and is in Route mode. The interface ethernet3 is bound to the Untrust zone and has the IP address 1.1.1.1/24. All security zones are in the trust-vr routing domain.

[Figure: DHCP relay process. Host in the Trust Zone, Relay Agent (local NetScreen device), VPN Tunnel in Untrust Zone, DHCP Server. Exchange: 1. Request / Request, 2. Assignment / Assignment, 3. Release / Release.]

[Figure, continued: Remote NetScreen Device with DHCP Server 194.2.9.10, IP Pool 180.10.10.2 - 180.10.10.254.]

WebUI

1. Interfaces
Interfaces > Edit (for ethernet1): Enter the following, and then click Apply:

Zone: Trust

Static IP: (select this option when present)

IP Address/Netmask: 180.10.10.1/24

Enter the following, and then click OK:

Interface Mode: Route

Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

Static IP: (select this option when present)

IP Address/Netmask: 1.1.1.1/24

[Figure, continued: Local NetScreen Device acting as DHCP Relay Agent, with ethernet1 180.10.10.1/24 in the Trust Zone and ethernet3 1.1.1.1/24 in the Untrust Zone; Router 1.1.1.250; VPN Tunnel across the Internet to the remote NetScreen device.]

2. Address
Objects > Addresses > List > New: Enter the following, and then click OK:

Address Name: DHCP Server
IP Address/Domain Name:
IP/Netmask: (select), 194.2.9.10/32
Zone: Untrust

3. VPN
VPNs > AutoKey Advanced > Gateway > New: Enter the following, and then click OK:

Gateway Name: dhcp server
Security Level: Custom
Remote Gateway Type:
Static IP: (select), Address/Hostname: 2.2.2.2
Outgoing Interface: ethernet3

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Security Level: User Defined: Custom (select)
Phase1 Proposal: rsa-g2-3des-sha
Mode (Initiator): Main (ID Protection)

VPNs > AutoKey IKE > New: Enter the following, and then click OK:

VPN Name: to_dhcp
Security Level: Compatible
Remote Gateway:
Predefined: (select), to_dhcp

> Advanced: Enter the following, and then click Return to set the advanced options and return to the basic configuration page:

Bind to: None

4. DHCP Relay Agent
Network > DHCP > Edit (for ethernet1) > DHCP Relay Agent: Enter the following, and then click Apply:

Relay Agent Server IP or Domain Name: 194.2.9.10
Use Trust Zone Interface as Source IP for VPN: (select)

5. Route
Network > Routing > Routing Entries > trust-vr New: Enter the following, and then click OK:

Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet3
Gateway IP Address: 1.1.1.250 (see note 8)

6. Policies
Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:

Source Address:
Address Book Entry: (select), Any
Destination Address:
Address Book Entry: (select), DHCP Server
Service: DHCP-Relay
Action: Tunnel
Tunnel VPN: to_dhcp
Modify matching outgoing VPN policy: (select)

8. Setting a route to the external router designated as the default gateway is essential for both outbound VPN and network traffic. In this example, the NetScreen device sends encapsulated VPN traffic to this router as the first hop along its route to the remote NetScreen device. In the illustration for this example, the concept is presented by depicting the tunnel passing through the router.

CLI

1. Interfaces
set interface ethernet1 zone trust
set interface ethernet1 ip 180.10.10.1/24
set interface ethernet1 route
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24

2. Address
set address untrust dhcp_server 194.2.9.10/32

3. VPN
set ike gateway "dhcp server" ip 2.2.2.2 main outgoing-interface ethernet3 proposal rsa-g2-3des-sha
set vpn to_dhcp gateway "dhcp server" proposal g2-esp-3des-sha

4. DHCP Relay Agent
set interface ethernet1 dhcp relay server-name 194.2.9.10
set interface ethernet1 dhcp relay vpn

5. Route
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250

6. Policies
set policy from trust to untrust any dhcp_server dhcp-relay tunnel vpn to_dhcp
set policy from untrust to trust dhcp_server any dhcp-relay tunnel vpn to_dhcp
save
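The relay agent section and the example above state three rules: one DHCP role per interface, at most three servers per relay agent, and fan-out of each client request to every server with the first reply forwarded. The following Python model is an added illustration, not ScreenOS code, that enforces those rules end to end. The server 194.2.9.10 and the 180.10.10.2 - 180.10.10.254 pool come from the example; the second (silent) server, the message dictionaries, and the giaddr field (the relay-address field a DHCP relay fills in under RFC 2131, so the server knows which subnet to allocate from) are this example's assumptions.

```python
"""Model of the ScreenOS DHCP relay agent rules described above.

Added illustration, not ScreenOS code. Class names, message format and the
second server are constructed for this example.
"""
import ipaddress

ROLES = ("client", "server", "relay")


class InterfaceRoles:
    """Registry enforcing that an interface carries a single DHCP role."""

    def __init__(self):
        self._roles = {}

    def assign(self, interface, role):
        if role not in ROLES:
            raise ValueError(f"unknown DHCP role {role!r}")
        current = self._roles.get(interface)
        if current is not None and current != role:
            raise ValueError(f"{interface} already runs DHCP {current}; one role per interface")
        self._roles[interface] = role


class PoolServer:
    """Simulated remote DHCP server leasing from one pool for one relayed subnet."""

    def __init__(self, ip, pool_start, pool_end, serves_subnet):
        self.ip = ip
        self.next_free = ipaddress.IPv4Address(pool_start)
        self.pool_end = ipaddress.IPv4Address(pool_end)
        self.subnet = ipaddress.IPv4Network(serves_subnet)

    def handle(self, msg):
        # A server answers only if the relay's giaddr falls in a subnet it has a pool for.
        if ipaddress.IPv4Address(msg["giaddr"]) not in self.subnet:
            return None
        if self.next_free > self.pool_end:
            return None                                   # pool exhausted
        offered, self.next_free = self.next_free, self.next_free + 1
        return {"op": "OFFER", "xid": msg["xid"], "chaddr": msg["chaddr"],
                "yiaddr": str(offered), "server": self.ip}


class DhcpRelay:
    MAX_SERVERS = 3

    def __init__(self, interface, interface_ip, roles):
        roles.assign(interface, "relay")      # relay cannot share an interface with server/client
        self.interface_ip = interface_ip
        self.servers = []

    def add_server(self, server):
        if len(self.servers) >= self.MAX_SERVERS:
            raise ValueError("a relay agent may have at most three DHCP servers")
        self.servers.append(server)

    def relay(self, request):
        """Unicast the client request to every server; forward the first reply."""
        forwarded = dict(request, giaddr=self.interface_ip)
        replies = [s.handle(forwarded) for s in self.servers]
        for reply in replies:
            if reply is not None:
                return reply
        return None


def demo():
    """Two servers: one without a pool for the relayed subnet, one with it."""
    roles = InterfaceRoles()
    relay = DhcpRelay("ethernet1", "180.10.10.1", roles)
    relay.add_server(PoolServer("10.9.9.9", "10.9.9.100", "10.9.9.110", "10.9.9.0/24"))  # constructed
    relay.add_server(PoolServer("194.2.9.10", "180.10.10.2", "180.10.10.254", "180.10.10.0/24"))
    request = {"op": "DISCOVER", "xid": 0x1234, "chaddr": "00:11:22:33:44:55", "giaddr": "0.0.0.0"}
    first = relay.relay(request)
    second = relay.relay(dict(request, xid=0x1235, chaddr="00:11:22:33:44:66"))
    return first, second
```

Only the relay's interface address reaches the server as giaddr, so the Trust zone hosts never need a route to 194.2.9.10 themselves; that is why the example's policies carry the DHCP-Relay service rather than the clients' traffic.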

DHCP Client

When acting as a DHCP client, the NetScreen device receives an IP address dynamically from a DHCP server for any physical interface in any security zone. If there are multiple interfaces bound to a single security zone, you can configure a DHCP client for each interface as long as each interface is not connected to the same network segment. If you configure a DHCP client for two interfaces that are connected to the same network segment, the first address assigned by a DHCP server is used. (If the DHCP client receives an address update to the same IP address, IKE is not rekeyed.)

Example: NetScreen Device as DHCP Client

In this example, the interface bound to the Untrust zone has a dynamically assigned IP address. When the NetScreen device requests its IP address from its ISP, it receives its IP address, subnet mask, gateway IP address, and the length of its lease for the address. The IP address of the DHCP server is 2.2.2.5.

Note: While some NetScreen devices can act as a DHCP server, DHCP relay agent, or a DHCP client at the same time, you cannot configure more than one DHCP role on a single interface.

[Figure: DHCP client example. Internal LAN in the Trust Zone; ethernet3 in the Untrust Zone facing the Internet; ISP (DHCP Server) at 2.2.2.5. 1. IP address requested for ethernet3 (Untrust zone); 2. IP address assigned.]

WebUI

Network > Interfaces > Edit (for ethernet3): Select Obtain IP using DHCP9, and then click OK.

CLI

set interface ethernet3 dhcp client
set interface ethernet3 dhcp settings server 2.2.2.5
save

Note: Before setting up a site for DHCP service, you must have the following:

• Digital subscriber line (DSL) modem and line

• Account with ISP

9. You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.

TCP/IP Settings Propagation

Some NetScreen devices can act as a Dynamic Host Control Protocol (DHCP) client, receiving its TCP/IP settings and the IP address for any physical interface in any security zone from an external DHCP server. Some NetScreen devices can act as a DHCP server, providing TCP/IP settings and IP addresses to clients in any zone. When a NetScreen device acts both as a DHCP client and a DHCP server simultaneously, it can transfer the TCP/IP settings learned through its DHCP client module to its default DHCP server module10. TCP/IP settings include the IP address of the default gateway and a subnet mask, and IP addresses for any or all of the following servers:

• DNS (3) • SMTP (1)

• WINS (2) • POP3 (1)

• NetInfo (2) • News (1)

10. While you can configure up to eight DHCP servers on any physical or VLAN interface, the default DHCP server on the device resides on a specific interface on each platform. On the NetScreen-5XP, the default DHCP server resides on the Trust interface. On the NetScreen-5XT, the default DHCP server resides on the Trust interface for Trust-Untrust port mode, the ethernet1 interface for Dual-Untrust port mode, and the ethernet2 interface for Home-Work and Combined port modes. For other devices, the default DHCP server resides on the ethernet1 interface.

[Figure: The NetScreen device is both a client of the DHCP server in the Untrust zone and a DHCP server to the clients in the Trust zone. Untrust Zone Interface: DHCP Client, receives IP addresses dynamically from ISP. Trust Zone Interface: DHCP Server, 10.1.1.1, DHCP Range: 10.1.1.50 - 10.1.1.200. It takes the TCP/IP settings that it receives as a DHCP client and forwards them as a DHCP server to the clients in the Trust zone.]

You can configure the DHCP server module to propagate all TCP/IP settings that it receives from the DHCP client module using the set interface interface dhcp-client settings update-dhcpserver command. You can also override any setting with a different one.

Example: Forwarding TCP/IP Settings

In this example, you configure the NetScreen device to act both as a DHCP client on the ethernet3 interface and as a DHCP server on the ethernet1 interface. (The default DHCP server is on the ethernet1 interface.)

As a DHCP client, the NetScreen device receives an IP address for the ethernet3 interface and its TCP/IP settings from an external DHCP server at 211.3.1.6. You enable the DHCP client module in the NetScreen device to transfer the TCP/IP settings it receives to the DHCP server module.

You configure the NetScreen DHCP server module to do the following with the TCP/IP settings that it receives from the DHCP client module:

• Forward the DNS IP addresses to its DHCP clients in the Trust zone.

• Override the default gateway11, netmask, and SMTP server and POP3 server IP addresses with the following:

– 10.1.1.1 (this is the IP address of the ethernet1 interface)

– 255.255.255.0 (this is the netmask for the ethernet1 interface)

– SMTP: 211.1.8.150

– POP3: 211.1.8.172

You also configure the DHCP server module to deliver the following TCP/IP settings that it does not receive from the DHCP client module:

• Primary WINS server: 10.1.2.42

• Secondary WINS server: 10.1.5.90

Finally, you configure the DHCP server module to assign IP addresses from the following IP Pool to the hosts acting as DHCP clients in the Trust zone: 10.1.1.50 – 10.1.1.200.

11. If the DHCP server is already enabled on the Trust interface and has a defined pool of IP addresses (which is default behavior on some NetScreen devices), you must first delete the IP address pool before you can change the default gateway and netmask.

WebUI

CLI

1. DHCP Client
set interface ethernet3 dhcp-client settings server 211.3.1.6
set interface ethernet3 dhcp-client settings update-dhcpserver
set interface ethernet3 dhcp-client settings autoconfig
set interface ethernet3 dhcp-client enable

2. DHCP Server
set interface ethernet1 dhcp server option gateway 10.1.1.1
set interface ethernet1 dhcp server option netmask 255.255.255.0
set interface ethernet1 dhcp server option wins1 10.1.2.42
set interface ethernet1 dhcp server option wins2 10.1.5.90
set interface ethernet1 dhcp server option pop3 211.1.8.172
set interface ethernet1 dhcp server option smtp 211.1.8.150
set interface ethernet1 dhcp server ip 10.1.1.50 to 10.1.1.200
set interface ethernet1 dhcp server service
save

Note: You can only set this feature through the CLI.
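The propagation example above combines three kinds of setting: values forwarded unchanged from the client module (DNS), values the server module overrides (gateway, netmask, SMTP, POP3) and values it adds because the client never received them (WINS). The following Python model is an added illustration, not ScreenOS code, of that merge order, including the footnote 11 constraint that gateway and netmask cannot change while a pool exists. The lease the client module learns from 211.3.1.6 is constructed; the overrides, WINS servers and pool are the example's own, and the class and method names are this example's assumptions.

```python
"""Model of TCP/IP settings propagation from the DHCP client module to the
DHCP server module, as configured in the example above.

Added illustration, not ScreenOS code. The settings learned from 211.3.1.6
are constructed; class and method names are this example's own.
"""


class DhcpClientModule:
    """Receives settings from the external server and, if enabled, forwards them."""

    def __init__(self, server_ip, update_dhcpserver=False):
        self.server_ip = server_ip
        self.update_dhcpserver = update_dhcpserver   # 'settings update-dhcpserver'
        self.learned = {}

    def receive(self, settings):
        self.learned = dict(settings)
        return self.learned

    def propagate_to(self, server_module):
        if self.update_dhcpserver:
            server_module.learned = dict(self.learned)


class DhcpServerModule:
    LOCKED_BY_POOL = ("gateway", "netmask")   # footnote 11: the pool must go first

    def __init__(self):
        self.learned = {}        # settings pushed from the client module
        self.explicit = {}       # 'dhcp server option ...' settings
        self.pool = None

    def set_pool(self, start, end):
        self.pool = (start, end)

    def unset_pool(self):
        self.pool = None

    def set_option(self, key, value):
        if key in self.LOCKED_BY_POOL and self.pool is not None:
            raise ValueError(f"delete the IP address pool before changing {key}")
        self.explicit[key] = value

    def effective_options(self):
        """Explicit options override propagated ones; the rest pass through."""
        return {**self.learned, **self.explicit}


# Constructed lease the client module would obtain from 211.3.1.6.
LEARNED_FROM_ISP = {
    "gateway": "211.3.1.1",
    "netmask": "255.255.255.0",
    "dns1": "211.3.1.10",
    "dns2": "211.3.1.11",
    "smtp": "211.3.1.20",
    "pop3": "211.3.1.21",
}


def configure(update_dhcpserver=True):
    """Replay the example: forward DNS, override gateway/netmask/SMTP/POP3, add WINS."""
    client = DhcpClientModule("211.3.1.6", update_dhcpserver=update_dhcpserver)
    server = DhcpServerModule()
    client.receive(LEARNED_FROM_ISP)
    client.propagate_to(server)
    # Gateway and netmask are set before the pool exists (see footnote 11).
    server.set_option("gateway", "10.1.1.1")
    server.set_option("netmask", "255.255.255.0")
    server.set_option("wins1", "10.1.2.42")
    server.set_option("wins2", "10.1.5.90")
    server.set_option("pop3", "211.1.8.172")
    server.set_option("smtp", "211.1.8.150")
    server.set_pool("10.1.1.50", "10.1.1.200")
    return server
```

Keeping propagated and explicit settings in separate dictionaries makes the override rule explicit: whatever the ISP hands out for the gateway is never passed to Trust zone hosts once a local gateway is configured, which matters because those hosts must route through ethernet1, not through the ISP's next hop.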

Chapter 8 System Parameters PPPoE

PPPoE

PPP-over-Ethernet (PPPoE) merges the Point-to-Point Protocol (PPP), which is usually used for dialup connections, with the Ethernet protocol, which can connect multiple users at a site to the same customer premises equipment. While many users can share the same physical connection, access control, billing, and type of service are handled on a per-user basis. Some NetScreen devices support a PPPoE client, allowing them to operate compatibly on DSL, Ethernet Direct, and cable networks run by ISPs using PPPoE for their clients' Internet access.

On devices that support PPPoE, you can configure a PPPoE client instance on any or all interfaces. You configure a specific instance of PPPoE with a user name and password and other parameters, and bind the instance to an interface. When there are two Ethernet interfaces (a primary and a backup) bound to the Untrust zone, you can configure one or both interfaces for PPPoE. For example, in Dual Untrust port mode12, you can configure the primary interface (ethernet3) for DHCP and the backup interface (ethernet2) for PPPoE. Or, you can configure PPPoE for both the primary and backup interfaces.

Example: Setting Up PPPoE

The following example illustrates how to define the untrusted interface of a NetScreen device for PPPoE connections, and how to initiate PPPoE service.

In this example, the NetScreen device receives a dynamically assigned IP address for its Untrust zone interface (ethernet3) from the ISP, and the NetScreen device also dynamically assigns IP addresses for the three hosts in its Trust zone. In this case, the NetScreen device acts both as a PPPoE client and a DHCP server. The Trust zone interface must be in either NAT mode or Route mode. In this example, it is in NAT mode.

12. Port modes are supported on some NetScreen appliances, such as the NetScreen-5XT.

Before setting up the site in this example for PPPoE service, you must have the following:

• Digital subscriber line (DSL) modem and line

• Account with ISP

• User name and password (obtained from the ISP)

WebUI

1. Interfaces and PPPoE
Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:

Zone: Trust
Static IP: (select this option when present)
IP Address/Netmask: 172.16.30.10/24

[Figure: PPPoE example. Trust Zone (DHCP Range: 172.16.30.2 - 172.16.30.5; Trust Interface: 172.16.30.10/24), NetScreen Device (Untrust (ethernet3): DHCP mode), DSL Modem, DSL Line, DSLAM, Hub, AC, ISP (Primary DNS Server, Secondary DNS Server), Internet in the Untrust Zone.]

Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:

Zone: Untrust

Obtain IP using PPPoE: (select)

User Name/Password: <name>/<password>

Network > Interfaces > Edit (for ethernet3): To test your PPPoE connection, click Connect.

2. DHCP Server

Network > Interfaces > Edit (for ethernet1) > DHCP: Select DHCP Server, and then click Apply.

Network > Interfaces > Edit (for ethernet1) > DHCP: Enter the following, and then click Apply:

Lease: 1 hour

Gateway: 0.0.0.0

Netmask: 0.0.0.0

DNS#1: 0.0.0.0

> Advanced: Enter the following, and then click Return:

DNS#2: 0.0.0.0

Domain Name: (leave blank)

Note: When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the Untrust zone interface and the IP addresses for the Domain Name Service (DNS) servers. When the NetScreen device receives DNS addresses via PPPoE, the new DNS settings overwrite the local settings by default. If you do not want the new DNS settings to replace the local settings, you can use the CLI command unset pppoe dhcp-updateserver to disable this behavior. If you use a static IP address for the Untrust zone interface, you must obtain the IP addresses of the DNS servers and manually enter them on the NetScreen device and on the hosts in the Trust zone.

Network > Interfaces > DHCP (for ethernet1) > New Address: Enter the following, and then click OK:

Dynamic: (select)

IP Address Start: 172.16.30.2

IP Address End: 172.16.30.5

3. Activating PPPoE on the NetScreen Device

Turn off the power to the DSL modem, the NetScreen device, and the three workstations.

Turn on the DSL modem.

Turn on the NetScreen device.

The NetScreen device makes a PPPoE connection to the ISP and, through the ISP, gets the IP addresses for the DNS servers.

4. Activating DHCP on the Internal Network

Turn on the workstations.

The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.

Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.

Note: When you use DHCP to assign IP addresses to hosts in the Trust zone, the NetScreen device automatically forwards the IP addresses of the DNS servers that it receives from the ISP to the hosts. If the IP addresses for the hosts are not dynamically assigned through DHCP, you must manually enter the IP addresses for the DNS servers on each host.

CLI

1. Interfaces and PPPoE

set interface ethernet1 zone trust
set interface ethernet1 ip 172.16.30.10/24
set interface ethernet3 zone untrust
set pppoe interface ethernet3
set pppoe username name_str password pswd_str

To test your PPPoE connection:

exec pppoe connect
get pppoe

2. DHCP Server

set interface ethernet1 dhcp server service
set interface ethernet1 dhcp server ip 172.16.30.2 to 172.16.30.5
set interface ethernet1 dhcp server option lease 60
save

3. Activating PPPoE on the NetScreen Device

Turn off the power to the DSL modem, the NetScreen device, and the three workstations.

Turn on the DSL modem.

Turn on the NetScreen device.

4. Activating DHCP on the Internal Network

Turn on the workstations.

The workstations automatically receive the IP addresses for the DNS servers. They get an IP address for themselves when they attempt a TCP/IP connection.

Every TCP/IP connection that a host in the Trust zone makes to the Untrust zone automatically goes through the PPPoE encapsulation process.

Example: Configuring PPPoE on Primary and Backup Untrust Interfaces

For this example, the NetScreen-5XT is in Dual Untrust mode. In the following example, you configure PPPoE for both the primary (ethernet3) and backup (ethernet2) interfaces to the Untrust zone.

WebUI

PPPoE Configuration for ethernet3 Interface

Network > PPPoE > New: Enter the following, and then click OK:

PPPoE instance: eth3-pppoe

Bound to interface: ethernet3 (select)

Username: user1

Password: 123456

Authentication: Any (select)

Access Concentrator: ac-11

PPPoE Configuration for ethernet2 Interface

Network > PPPoE > New: Enter the following, and then click OK:

PPPoE instance: eth2-pppoe

Bound to interface: ethernet2 (select)

Username: user2

Password: 654321

Authentication: Any (select)

Access Concentrator: ac-22

CLI

1. PPPoE Configuration for ethernet3 Interface

set pppoe name eth3-pppoe username user1 password 123456
set pppoe name eth3-pppoe ac ac-11
set pppoe name eth3-pppoe authentication any
set pppoe name eth3-pppoe interface ethernet3

2. PPPoE Configuration for ethernet2 Interface

set pppoe name eth2-pppoe username user2 password 654321
set pppoe name eth2-pppoe ac ac-22
set pppoe name eth2-pppoe authentication any
set pppoe name eth2-pppoe interface ethernet2
save

Multiple PPPoE Sessions over a Single Interface

Some NetScreen devices support creation of multiple PPPoE sub-interfaces (each with the same MAC address) for a given physical interface. This support allows you to establish a private network connection with one ISP, and connect to the Internet through a different ISP using the same physical interface. You can establish these connections using different username or domain names or be connected simultaneously to different ISPs.

The maximum number of concurrent PPPoE sessions on a physical interface is limited only by the number of sub-interfaces allowed by the device. There is no restriction on how many physical interfaces can support multiple sessions. You can specify username, static-ip, idle-timeout, auto-connect and other parameters separately for each PPPoE instance or session.

Untagged Interfaces

To support a PPPoE session, a sub-interface must be untagged. An untagged interface does not use a VLAN tag to identify a VLAN for a sub-interface. Instead, it uses a feature called encap, which binds the sub-interface to PPPoE encapsulation. Thus, by hosting multiple sub-interfaces, a single physical interface can host multiple PPPoE instances. You can configure each instance to go to a specified Access Concentrator (AC), therefore allowing separate entities such as ISPs to manage the PPPoE sessions through a single interface. For more information on VLANs and VLAN tags, see Volume 9, “Virtual Systems”.

[Figure: Three PPPoE sessions over a single physical interface (e.g. ethernet7). Trust zone on one side; on the Untrust side, multiple sub-interfaces e7, e7.1 and e7.2 host the three PPPoE instances isp_1, isp_2 and isp_3, each connecting to its own Access Concentrator isp_1ac, isp_2ac and isp_3ac]

Example: Multiple PPPoE Instances

In the following example you define three PPPoE instances, specify an Access Concentrator (AC) for each, then initiate each instance.

• Instance isp_1, username “user1@domain1”, password “swordfish”, bound to interface ethernet7. The AC is named “isp_1ac”.

• Instance isp_2, username “user2@domain2”, password “marlin”, bound to sub-interface ethernet7.1. The AC is named “isp_2ac”.

• Instance isp_3, username “user3@domain3”, password “trout”, bound to sub-interface ethernet7.2. The AC is named “isp_3ac”.

WebUI

Interface and Sub-Interfaces

1. Network > Interfaces > Edit (for ethernet7): Enter the following, and then click OK:

Zone Name: Untrust

2. Network > Interfaces > New (Sub-IF): Enter the following, and then click OK:

Interface Name: ethernet7.1

Zone Name: Untrust

3. Network > Interfaces > New (Sub-IF): Enter the following, and then click OK:

Interface Name: ethernet7.2

Zone Name: Untrust


PPPoE Instances and AC

4. Network > PPPoE > New: Enter the following, and then click OK:

PPPoE Instance: isp_1

Enable: Enable

Bound to Interface: ethernet7

Username: user1@domain1

Access Concentrator: isp_1ac

5. Network > PPPoE > New: Enter the following, and then click OK:

PPPoE Instance: isp_2

Enable: Enable

Bound to Interface: ethernet7.1

Username: user2@domain2

Access Concentrator: isp_2ac

6. Network > PPPoE > New: Enter the following, and then click OK:

PPPoE Instance: isp_3

Enable: Enable

Bound to Interface: ethernet7.2

Username: user3@domain3

Access Concentrator: isp_3ac

PPPoE Initiation

7. Network > PPPoE > Connect (for isp_1)

8. Network > PPPoE > Connect (for isp_2)

9. Network > PPPoE > Connect (for isp_3)

CLI

1. Interface and Sub-Interfaces

set interface ethernet7 zone untrust
set interface ethernet7.1 encap pppoe zone untrust
set interface ethernet7.2 encap pppoe zone untrust

2. PPPoE Instances and ACs

set pppoe name isp_1 username user1@domain1 password swordfish
set pppoe name isp_1 interface ethernet7
set pppoe name isp_1 ac isp_1ac
set pppoe name isp_2 username user2@domain2 password marlin
set pppoe name isp_2 interface ethernet7.1
set pppoe name isp_2 ac isp_2ac
set pppoe name isp_3 username user3@domain3 password trout
set pppoe name isp_3 interface ethernet7.2
set pppoe name isp_3 ac isp_3ac
save

3. PPPoE Initiation

exec pppoe name isp_1 connect
exec pppoe name isp_2 connect
exec pppoe name isp_3 connect
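The Access Concentrator selection that the "Multiple PPPoE Sessions over a Single Interface" discussion and the multiple-instance example above rely on (several ACs reachable over one physical interface, each instance configured for one of them), shown as an added Python example that is not code from this guide or from ScreenOS: it parses PPPoE Discovery frames (RFC 2516) and accepts only the PADO whose AC-Name tag matches the instance's configured AC and that echoes the client's own Host-Uniq. The MAC addresses, the Host-Uniq value and the PADO frames are constructed sample data.

```python
"""Added example (not from the NetScreen guide or ScreenOS): parse PPPoE Discovery
frames (RFC 2516) and accept only the PADO from the Access Concentrator an
instance is configured for. All MACs, Host-Uniq and frames below are constructed."""
import struct

ETH_P_PPPOE_DISC = 0x8863  # EtherType of the PPPoE Discovery stage
CODE_PADO, CODE_PADR = 0x07, 0x19  # offer from an AC, request from the client
TAG_END, TAG_SERVICE_NAME, TAG_AC_NAME = 0x0000, 0x0101, 0x0102
TAG_HOST_UNIQ, TAG_AC_COOKIE = 0x0103, 0x0104

def build_pppoe_disc(code, tags, session_id=0):
    """PPPoE header (ver/type 0x11, code, session id, length) plus TLV tags."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", 0x11, code, session_id, len(payload)) + payload

def make_frame(src_mac, dst_mac, code, tags):
    """Ethernet II frame carrying one PPPoE Discovery packet."""
    return dst_mac + src_mac + struct.pack("!H", ETH_P_PPPOE_DISC) + build_pppoe_disc(code, tags)

def parse_pppoe_disc(frame):
    """Parse a PPPoE Discovery frame into src/dst/code/session_id/tags; raise ValueError on bad input."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    dst, src = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_PPPOE_DISC:
        raise ValueError("not a PPPoE Discovery frame")
    vertype, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if vertype != 0x11:
        raise ValueError("unsupported PPPoE version/type")
    body = frame[20:20 + length]
    if len(body) != length:
        raise ValueError("truncated PPPoE payload")  # length field must not exceed the frame
    tags, off = {}, 0
    while off + 4 <= len(body):
        ttype, tlen = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if ttype == TAG_END:
            break
        if off + tlen > len(body):
            raise ValueError("tag overruns payload")  # never trust the tag length blindly
        tags.setdefault(ttype, []).append(body[off:off + tlen])
        off += tlen
    return {"src": src, "dst": dst, "code": code, "session_id": session_id, "tags": tags}

def select_pado(frames, configured_ac, host_uniq):
    """Return the parsed PADO whose AC-Name equals the instance's configured AC.
    A PADO that does not echo our Host-Uniq is not an answer to our PADI and is ignored,
    so an unrelated AC on the shared wire cannot be picked by name alone."""
    for frame in frames:
        try:
            pado = parse_pppoe_disc(frame)
        except ValueError:
            continue  # malformed or foreign traffic on the shared segment
        if pado["code"] != CODE_PADO:
            continue
        if host_uniq not in pado["tags"].get(TAG_HOST_UNIQ, []):
            continue
        if configured_ac.encode() in pado["tags"].get(TAG_AC_NAME, []):
            return pado
    return None

def build_padr(pado, client_mac, host_uniq, service=b""):
    """PADR to the chosen AC; Host-Uniq and any AC-Cookie are echoed back unchanged."""
    tags = [(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]
    tags += [(TAG_AC_COOKIE, c) for c in pado["tags"].get(TAG_AC_COOKIE, [])]
    return make_frame(client_mac, pado["src"], CODE_PADR, tags)

# Constructed sample data: client MAC of ethernet7 and the Host-Uniq our PADI carried.
CLIENT_MAC = bytes.fromhex("020000000007")
HOST_UNIQ = b"isp_2"

def _pado(src_hex, ac_name, host_uniq, cookie=None):
    tags = [(TAG_AC_NAME, ac_name), (TAG_SERVICE_NAME, b""), (TAG_HOST_UNIQ, host_uniq)]
    if cookie is not None:
        tags.append((TAG_AC_COOKIE, cookie))
    return make_frame(bytes.fromhex(src_hex), CLIENT_MAC, CODE_PADO, tags)

# Three offers, one per AC in the guide's example, plus a stray PADO that uses the
# name isp_2ac but answers somebody else's PADI (different Host-Uniq).
SAMPLE_PADOS = [
    _pado("02aa0000dead", b"isp_2ac", b"other"),
    _pado("02aa000000a1", b"isp_1ac", HOST_UNIQ),
    _pado("02aa000000a2", b"isp_2ac", HOST_UNIQ, cookie=b"\x01\x02"),
    _pado("02aa000000a3", b"isp_3ac", HOST_UNIQ),
]

if __name__ == "__main__":
    chosen = select_pado(SAMPLE_PADOS, "isp_2ac", HOST_UNIQ)
    print("instance isp_2 answers AC", chosen["src"].hex(":"))
    print("PADR bytes:", build_padr(chosen, CLIENT_MAC, HOST_UNIQ).hex())
```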

PPPoE and High Availability

Two NetScreen devices that support PPPoE in Active/Passive mode can handle failover of a PPPoE connection. Upon initiation of the connection, the master device synchronizes its PPPoE state with the backup device. Because the passive device uses the same IP address as the master device, it does not have to make a new PPPoE connection once it becomes the master. Therefore, it can maintain communication with the Access Concentrator after failure of the master. This is necessary when the PPPoE interface supports VPN connections, and these connections must continue, using the same interface IP after failover. For more information about high availability configurations, see Volume 10, “High Availability”.

Chapter 8 System Parameters Upgrading and Downgrading Firmware

UPGRADING AND DOWNGRADING FIRMWARE

This section describes three methods to upgrade a NetScreen device:

• Web User Interface (WebUI)

• Command Line Interface (CLI)

• Boot Loader or ScreenOS Loader

The procedures vary depending on whether you are downloading the firmware on a single device or on devices configured for High Availability.

The section contains the following:

• “Requirements to Upgrade and Downgrade Device Firmware” on page 412
– “NetScreen-Security Manager Server Connection” on page 413

• “Downloading New Firmware” on page 413
– “Uploading New Firmware” on page 416
– “Using the Boot/OS Loader” on page 418

• “Upgrading NetScreen Devices in an NSRP Configuration” on page 420
– “Upgrading Devices in an NSRP Active/Passive Configuration” on page 420
– “Upgrading Devices in an NSRP Active/Active Configuration” on page 425

• “Authenticating Firmware and DI Files” on page 431
– “Obtaining the Authentication Certificate” on page 431
– “Loading the Authentication Certificate” on page 432
– “Authenticating ScreenOS Firmware” on page 433
– “Authenticating a DI Attack Object Database File” on page 434

Note: If you have a version that was released prior to 5.0.0 (for example 4.0.X), then you need to upgrade to 5.0.0 before you can upgrade your NetScreen with the 5.1.0 ScreenOS firmware.

Important: Before you begin the process of upgrading a NetScreen device, save the existing configuration file and also make sure that you have access to a ScreenOS 5.0.0 firmware in case you need to downgrade.

Requirements to Upgrade and Downgrade Device Firmware

This section lists what is required to perform the upgrade or the downgrade of NetScreen device firmware. You can use one of three methods to upgrade a NetScreen device or to downgrade a device from ScreenOS 5.1.0 to ScreenOS 5.0.0: the WebUI, the CLI, or through the Boot Loader or ScreenOS Loader.

To use the WebUI, you must have:

• Root or read-write privileges to the NetScreen device

• Network access to the NetScreen device from your computer

• An Internet browser installed on your computer

• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved locally on your computer)

To use the CLI, you must have:

• Root or read-write privileges to the NetScreen device

• A console connection or Telnet access to the NetScreen device from your computer

• A TFTP server installed on your computer

• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved to the TFTP server directory on your computer)

To upgrade or downgrade through the boot loader, you must have:

• Root or read-write privileges to the NetScreen device

• A TFTP server installed on your computer or on your local network

• An Ethernet connection from your computer to the NetScreen device (to transfer data, namely from the TFTP server on your computer)

• A console connection from your computer to the NetScreen device (to manage the NetScreen device)

• The new ScreenOS firmware saved to the TFTP server directory on your computer

Note: You can upgrade or downgrade a NetScreen device locally or remotely, but Juniper Networks recommends that you perform the upgrade or downgrade of a NetScreen device at the device location.

To upgrade or downgrade a NetScreen device, see the step-by-step procedures in the following sections: “Uploading New Firmware” on page 416 or “Upgrading NetScreen Devices in an NSRP Configuration” on page 420.

NetScreen-Security Manager Server Connection

If the NetScreen device you want to downgrade is connected to a NetScreen-Security Manager 2004 server, then before you downgrade the device, you must first execute the following CLI commands:

unset nsm enable
unset nsm init otp
unset nsm init id
unset nsm server primary
delete nsm keys
save

Failing to execute these commands before downgrading the device results in the device not being able to connect to the NetScreen-Security Manager server the next time you upgrade it to the latest ScreenOS release.

Downloading New Firmware

Before you begin the upgrade of the NetScreen devices, you must have the most recent ScreenOS firmware. You can obtain the firmware from the Juniper Networks Web site. To access firmware downloads, you must be a registered customer with an active user ID and password. If you have not yet registered your NetScreen product, then you must do so before proceeding. You can register your product on the Juniper Networks Web site.

Note: When you downgrade to ScreenOS 5.0.0, any ScreenOS 5.1.0 keys that you loaded onto the device are lost. However, keys that you loaded onto the device prior to upgrading to ScreenOS 5.1.0 remain.

To get the latest ScreenOS firmware, enter http://www.juniper.net/support in your Web browser. Click Support > Customer Support Center, and then follow these steps:

1. Log in by entering your user ID and password, and then click LOGIN.

2. Under My Technical Assistance Center, click Download Software.

Juniper prepares a list of available downloads.

3. Click Continue.

The File Download page appears.

[Figure: File Download page, showing the product links]

4. Click the product link for the firmware you want to download.

The Upgrades page appears.

5. Click the link for the ScreenOS version you want to download.

The Upgrades page appears.

6. Click the upgrade link.

The Download File dialog box appears.

7. Click Save and then navigate to the location where you want to save the firmware Zip file.

You must save the firmware onto the computer from which you want to perform the upgrade.

– If you want to upgrade the NetScreen device using the WebUI, save the firmware to any directory.

– If you want to upgrade the NetScreen devices using the CLI, then save the firmware to the root TFTP server directory on the computer. If you do not have a TFTP server installed on your computer, then you can download one from the Internet. If no TFTP server is available, then you must use the WebUI to load the new firmware onto the NetScreen device.

Uploading New Firmware

Following are the procedures to upgrade a single NetScreen device and to downgrade from ScreenOS 5.1.0 to ScreenOS 5.0.0. These procedures are independent of the operating mode of the NetScreen device.

Using the WebUI

Perform the following steps to load firmware with the WebUI:

1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see “Downloading New Firmware” on page 413.

2. Log in to the NetScreen device by opening a Web browser and then entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Configuration > Update > ScreenOS/Keys > Select Firmware Update.

5. Click Browse to navigate to the location of the new ScreenOS firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade or downgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.

Note: If you are upgrading a NetScreen device from a firmware version that is earlier than ScreenOS 5.0.0, then you must upgrade the firmware to ScreenOS 5.0.0 before upgrading it to ScreenOS 5.1.0. Make sure that you save your existing configuration so previously entered data is not lost when upgrading.

Using the CLI

Perform the following steps to load firmware with the CLI:

1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see “Downloading New Firmware” on page 413.

2. Log in to the NetScreen device using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS firmware.

6. When the upgrade or downgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.

9. Upload the configuration file that you saved in step 3 with the save config to { flash | slot1 | tftp } command.

Using the Boot/OS Loader

The Boot/OS Loader brings up the hardware system, performs basic and sometimes critical hardware configurations, and loads system software used to run a NetScreen device.

Perform the following steps to load firmware with the Boot/OS Loader:

1. Connect your computer to the NetScreen device:

a. Using a serial cable, connect the serial port on your computer to the console port on the NetScreen device. This connection, in combination with a terminal application, enables you to manage the NetScreen device.

b. Using an Ethernet cable, connect the network port on your computer to port 1 or to the management port on the NetScreen device¹³. This connection enables the transfer of data between the computer, the TFTP server, and the NetScreen device.

2. Make sure that you have the new ScreenOS firmware stored in the TFTP server directory on your computer. For information on obtaining the new firmware, see “Downloading New Firmware” on page 413.

3. Run the TFTP server on your computer by double-clicking on the TFTP server application. You can minimize its window but it must be active in the background.

4. Log in to the NetScreen device using a terminal emulator such as HyperTerminal. Log in as the root admin or an admin with read-write privileges.

5. Reboot the NetScreen device.

6. When you see “Hit any key to run loader” or “Hit any key to load new firmware” on the console display, press any key on your computer keyboard to interrupt the bootup process.

Note: If you do not interrupt the NetScreen device in time, it proceeds to load the firmware saved in flash memory.

Note: On the NetScreen-500, you cannot use this process to save ScreenOS 5.1.0 firmware to flash memory. Use the WebUI or CLI to save ScreenOS 5.1.0 firmware to flash memory.

13. Which port you connect to depends on the NetScreen device model.

7. At the Boot File Name prompt, enter the file name of the ScreenOS firmware that you want to load. If you type slot1: before the specified file name, then the loader reads the specified file from the external Compact Flash or memory card. If you do not type slot1: before the filename, then the file is instead downloaded from the TFTP server. If the NetScreen device does not support a Compact Flash card, then an error message is displayed and the console prompts you to retype the filename.

8. At the Self IP Address prompt, enter an IP address that is on the same subnet as the TFTP server.

Note: The Self IP address and TFTP IP address must be in the same subnet; otherwise, the TFTP loader rejects the Self IP address and then prompts you to re-enter it.

9. At the TFTP IP Address prompt, enter the IP address of the TFTP server.

An indication that the firmware is loading successfully is the display of a series of “rtatatatatatata...” running on the terminal emulator screen and a series of symbols running on the TFTP server window. When the firmware installation is complete, a message informs you that the installation was successful.

Saving Multiple Firmware Images with Boot Loader

After firmware is downloaded successfully, the console displays the following question:

Save to on-board flash disk? (y/[n]/m)

Answering y (yes) saves the file as the default firmware. This image runs automatically if you do not interrupt the bootup process.

Answering m (multiple) saves the file as a multiple firmware. You must select a file name at the following prompt:

Please input multiple firmware file name [BIMINITE.D]: test.d

The name in brackets is the recommended name automatically generated after you input the name in the TFTP server. If you do not enter a name, then the recommended name is used.

Note: You must enter a name that is DOS 8.3 compatible. The maximum length of the boot file name used by the Loader cannot exceed 63 characters. Only the NetScreen-5GT, NetScreen-ISG2000, and NetScreen-5000 Series support multiple firmware. You can assign a maximum of three firmware files to the on-board flash disk for the NetScreen-5GT. The NetScreen-ISG2000 and NetScreen-5000 Series do not have a limit for saving firmware files to the on-board flash disk.

Upgrading NetScreen Devices in an NSRP Configuration

For NetScreen devices in a NetScreen Redundancy Protocol (NSRP) configuration, you must upgrade each device individually. This section describes two different upgrade procedures addressing two different NSRP configurations: NSRP active/passive and NSRP active/active.

Upgrading Devices in an NSRP Active/Passive Configuration

The following illustrates a basic NSRP active/passive configuration where device A is the master and device B is the backup.

[Figure: NSRP Active/Passive: Device A (master) and Device B (backup) connected by an HA link, both members of VSD Group 0]

Before you begin, please read the requirements to perform an upgrade (“Requirements to Upgrade and Downgrade Device Firmware” on page 412). Also, make sure that you download the ScreenOS firmware to which you are upgrading each device.

Note: If you are upgrading a NetScreen device from a release that is earlier than ScreenOS 5.0.0, you must upgrade the device to ScreenOS 5.0.0 before upgrading to ScreenOS 5.1.0. The procedures in this section describe how to upgrade a NetScreen device from ScreenOS 5.0.0 to ScreenOS 5.1.0.

Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.

Upgrade Procedure

To upgrade two devices in an NSRP active/passive configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Upgrade Device B to ScreenOS 5.1.0

B. Fail Over Device A to Device B (CLI only)

C. Upgrade Device A to ScreenOS 5.1.0

D. Synchronize Device A (CLI only)

E. Fail Over Device B to Device A (CLI only)

A. Upgrade Device B to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.

CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to device B using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.1.0 firmware.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.

B. Fail Over Device A to Device B (CLI only)

Manually fail over the master device to the backup device.

1. Log in to the master device.

2. Issue one of the following CLI commands. The command that you need to execute depends on whether or not the preempt¹⁴ option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup

Either command forces the master device to step down and the backup device to immediately assume mastership.

14. For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.

C. Upgrade Device A to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to NetScreen device A.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.


7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.

CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to NetScreen device A.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where ip_addr is the IP address of your computer and filename is the name of the ScreenOS 5.1.0 firmware file.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

D. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.1.0, manually synchronize the two devices. On device A (backup), issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B (master).

E. Fail Over Device B to Device A (CLI only)

After synchronizing the devices, manually fail over the master device to the backup device. Follow the same steps as in “B. Fail Over Device A to Device B (CLI only)” on page 423 except that you log in to device B and fail over device B instead of failing over device A.


Upgrading Devices in an NSRP Active/Active Configuration

This upgrade section applies to an NSRP configuration where you paired two NetScreen devices into two Virtual Security Devices (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices so that only one physical device is master of both VSD groups. You then upgrade the backup device first and the master device second.

The following illustrates a typical NSRP active/active configuration where device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.

Before you begin, please read the requirements to perform an upgrade (“Requirements to Upgrade and Downgrade Device Firmware” on page 412). Also, make sure that you download the ScreenOS 5.1.0 firmware.

Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.

[Figure: NSRP Active/Active. Device A and Device B are connected by an HA link. VSD Group 0: Device A (master), Device B (backup). VSD Group 1: Device B (master), Device A (backup).]


Upgrade Procedure

To upgrade two devices in an NSRP active/active configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)

B. Upgrade Device B to ScreenOS 5.1.0

C. Fail Over Device A to Device B (CLI only)

D. Upgrade Device A to ScreenOS 5.1.0

E. Synchronize Device A (CLI only)

F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)

Manually fail over the master device B in VSD group 1 to the backup device A in VSD group 1.

1. Log in to device B using an application such as Telnet or Secure Shell (SSH), or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

2. Issue one of the following CLI commands. The command you need to execute depends on whether or not the preempt¹⁵ option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup

Either command forces device B to step down and device A to immediately assume mastership of VSD 1. At this point, device A is master of both VSD 0 and 1 and device B is backup for both VSD 0 and 1.

15. For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.


B. Upgrade Device B to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to NetScreen device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.


CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to device B.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where ip_addr is the IP address of your computer and filename is the name of the ScreenOS 5.0.0 firmware file.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

C. Fail Over Device A to Device B (CLI only)

Manually fail over device A completely to device B.

1. Log in to device A.

2. Fail over master device A in VSD 0 to backup device B in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup

3. Fail over master device A in VSD 1 to backup device B in VSD 1 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup

At this point, device B is master of both VSD 0 and 1 and device A is backup for both VSD 0 and 1.


D. Upgrade Device A to ScreenOS 5.1.0

WebUI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to NetScreen device A.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.1.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.


CLI

1. Make sure that you have the ScreenOS 5.1.0 firmware. For information on obtaining the firmware, see “Downloading New Firmware” on page 413.

2. Log in to device A.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where ip_addr is the IP address of your computer and filename is the name of the ScreenOS 5.1.0 firmware file.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

E. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.1.0, manually synchronize the two devices. On device A, issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B.

F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

As the final step, you have to reinstate the two NetScreen devices in an NSRP active/active configuration.

1. Log in to device A.

2. Fail over master device B in VSD 0 to backup device A in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup

At this point, device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.


Authenticating Firmware and DI Files

Beginning with ScreenOS 2.6.1r1, an image authentication signature has been incorporated into each ScreenOS build. If you load the authentication certificate (imagekey.cer) into a Juniper Networks NetScreen firewall/VPN device, then it can authenticate ScreenOS firmware when you attempt to save it to the device and Deep Inspection (DI) attack object database files when you attempt to download them to the device.

Authenticating an image and DI attack object database provides both security and stability. If you attempt to save a modified or corrupted ScreenOS image or database, then the device rejects it before saving it to flash memory.

Obtaining the Authentication Certificate

You can get the authentication certificate zip file from the following two sources:

• The documentation CD that ships with your NetScreen device:

1. Insert the documentation CD in your CD drive.

It starts automatically. (For Macintosh users and PC users who do not have auto start enabled on their systems, double-click index.htm to open the CD.)

2. Click Explore CD-ROM Contents.

3. Open the extra folder.

The image_key.zip file is in this folder.

• The Customer Support area of the Juniper Networks Web site¹⁶:

1. Open a Web browser and enter the following URL in the Address field: http://www.juniper.net/support/.

2. In the Login to Support Center section, enter your user customer ID and password, and then click LOGIN.

3. In the Download Software section, click ScreenOS Software.

4. At the top of the page there is a section titled Image Authentication. Right-click Download the Authentication Certificate, select Save Target As, and save the image_key.zip file to a local directory.

16. You must be a registered customer to access the Customer Support area. If you do not already have a customer account, you can set one up online by visiting http://www.juniper.net/support/, clicking Login Assistance, and then following the online registration instructions.


Once you have obtained the certificate zip file, do the following:

1. Use a data compression utility such as WinZip to extract the following two files from image_key.zip: imagekey.cer and image_key_readme.pdf¹⁷.

2. Save imagekey.cer to either of the following locations, depending on whether you want to load it on the NetScreen device using the WebUI or CLI:

– WebUI – a local directory

– CLI – the root directory of a TFTP server

Loading the Authentication Certificate

Before loading the authentication certificate on the NetScreen device, you can confirm its integrity by calculating a cryptographic checksum, or message digest, and then comparing it with the following MD5 message digest:

AC359646EDD723F541AA0E52E015E8F0

A free MD5 utility for Windows is FastSum, which is available at www.fastsum.com. On UNIX/Linux, you can use a program such as md5sum to calculate the message digest.

When the authentication certificate is loaded, the firmware is checked with the authentication certificate before it is run or saved. If the firmware fails authentication, then it is rejected and is not loaded onto the NetScreen device.

When you feel confident about the integrity of the authentication certificate, load the certificate on the NetScreen device by doing either of the following:

WebUI

1. Make an HTTP connection to the NetScreen device, and then log in.

2. Configuration > Update > ScreenOS/Keys: Enter the following, and then click Apply:

Image Key Update (See Online Help): (select)

Load File: Enter the location of imagekey.cer, or click Browse to navigate to the file location, select imagekey.cer, and then click Open.

17. The readme file contains essentially the same information as in this section.


CLI

1. If necessary, start the TFTP server.

2. Make a console, Telnet, or SSH connection to the NetScreen device, and then log in.

3. Enter the following CLI command:

save image-key tftp ip_addr imagekey.cer

in which ip_addr is the address of the TFTP server.

Authenticating ScreenOS Firmware

When you download ScreenOS firmware, the NetScreen device uses the authentication certificate to check the ScreenOS signature embedded in the file. On the console, you see one of the following two results:

• The NetScreen device can successfully authenticate the firmware, so the Boot Loader/OS Loader displays the following message:

Loaded Successfully! . . .

Image authenticated!

• If the NetScreen device cannot authenticate the ScreenOS firmware, the firmware is rejected, and the device then either prompts you to load different firmware or automatically reboots:

********Invalid DSA signature

*******Bogus Image - not authenticated.

Note: If the authentication certificate is not loaded, then the NetScreen device does not attempt to authenticate a ScreenOS firmware or DI attack object database. To remove the certificate, enter the delete crypto auth-key command.


Authenticating a DI Attack Object Database File

The next time you attempt to download an attack object database for Deep Inspection (DI), the NetScreen device uses the authentication certificate to check the signature embedded in the file. The authentication effort produces one of the following two results:

• The NetScreen device successfully authenticates the downloaded attack object database and makes the following event log entry:

Attack database version <number> has been authenticated and saved to flash.

• The authentication check fails, and the NetScreen device makes the following event log entry:

Attack database was rejected because the authentication check failed.

Additionally, if you attempt to download the database manually through the WebUI and the authentication check fails, then the following pop-up message appears:

Rejected DI attack database because the authentication check was unable to verify its integrity.

Note: If the authentication certificate is not loaded, then the NetScreen device does not attempt to authenticate a ScreenOS image or DI attack object database. To remove the certificate, enter the delete crypto auth-key command.

For information about event log messages, refer to the NetScreen Message Log Reference Guide.


DOWNLOADING AND UPLOADING CONFIGURATIONS

When making changes to the configuration, it is good practice to back up your settings. The WebUI allows you to download the configuration to any local directory as a backup precaution. With some NetScreen devices, you can use the CLI to download the configuration to a TFTP server or flash card. If you need to revert to the saved backup configuration, then you can upload it onto the NetScreen device.

This section contains the following:

• “Saving and Importing Configurations” on page 435

• “Configuration Rollback” on page 437

– “Last-Known-Good Configuration” on page 437

– “Automatic and Manual Configuration Rollback” on page 438

– “Loading a New Configuration File” on page 439

• “Locking the Configuration File” on page 440

– “Adding Comments to a Configuration File” on page 441

Saving and Importing Configurations

The ability to save and import configuration settings provides the means for mass distribution of configuration templates.

To save a configuration:

WebUI

1. Configuration > Update > Config File: Click Save to File.

A system message prompts you to open the file or save it to your computer.

2. Click Save.

3. Browse to the location where you want to save the configuration file, and then click Save.


CLI

save config from flash to { tftp ip_addr | slot } filename [ from interface ]

Note: On some NetScreen devices, you must specify slot1 or slot2.

To import a configuration:

WebUI

Configuration > Update > Config File: Enter the following, and then click Apply:

Select Merge to Current Configuration if you want to combine both the new and the current configurations, or Replace Current Configuration if you want the new configuration to overwrite the current configuration.

> New Configuration File: Enter the configuration file location or click Browse to navigate to the file location, select the file, and then click Open.

CLI

save config from { tftp ip_addr | slot } filename to flash [ merge [ from interface ] ]

Note: On some NetScreen devices, you must specify slot1 or slot2.


Configuration Rollback

In the event that you load a configuration file that causes problems, such as the failure of the NetScreen device or remote users losing the ability to manage the device, you can perform a configuration rollback to revert to a Last-Known-Good (LKG) configuration file that was saved in flash memory.

Last-Known-Good Configuration

Before performing a configuration rollback, make sure you have an LKG configuration file saved in flash memory so that the NetScreen device can revert to it if errors occur. To check for the LKG file, open the NetScreen CLI and then type the get config rollback command. The filename for an LKG configuration is $lkg$.cfg. If you do not see this file, then it does not exist, so you must create it.

To save a configuration file to flash as the LKG:

1. Ensure that the current configuration on the NetScreen device is good.

2. Save the current configuration to flash memory with the save config to last-known-good command. This command overwrites the existing LKG configuration in flash memory with the current configuration file.

Note: Not all NetScreen devices support configuration rollback. To see if your NetScreen device supports this feature, please refer to the relevant data sheet for your platform.

Note: Regularly saving the configuration on the NetScreen device as the LKG configuration file is a good way to back up your latest changes to the configuration and maintain an up-to-date copy of the configuration.


Automatic and Manual Configuration Rollback

You can enable the NetScreen device to revert automatically to the LKG configuration or you can perform the rollback manually. The automatic configuration rollback feature enables the NetScreen device to roll back to the LKG configuration if there is a problem with a newly loaded configuration.

The automatic configuration rollback feature is disabled by default. Furthermore, it is disabled after every startup, regardless of whether it was enabled or disabled before starting up the device. To enable automatic configuration rollback, use the exec config rollback enable command. To disable the feature, use the exec config rollback disable command.

To perform a manual configuration rollback, use the exec config rollback command.

After you enable the configuration rollback feature, the command prompt changes to indicate this state:

ns-> exec config rollback enable

ns(rollback enabled)->

When you disable the configuration rollback feature, the command prompt returns to just the device host name:

ns(rollback enabled)-> exec config rollback disable

ns->

To verify that the automatic configuration rollback feature is enabled, use the get config rollback command. If it is enabled, then the first line of the get config rollback output is:

config rollback is enabled

Otherwise, the first line of the output is:

config rollback is disabled

If an LKG configuration file exists, then the second line of the get config rollback output is:

Last-known-good config file flash:/$lkg$.cfg exists in the flash.

Note: The WebUI does not support the configuration rollback feature.


If an LKG configuration file does not exist, the second—and final—line of the output is:

Last-known-good config file flash:/$lkg$.cfg does not exist.

When the configuration rollback feature is enabled, you can trigger the rollback operation by any of the following actions:

• Rebooting the NetScreen device (by turning the power off and then on again)

• Resetting the NetScreen device (by entering the reset command)

• Entering the exec config rollback command

Loading a New Configuration File

The following describes how to load a new configuration file, enable the configuration rollback feature, and what to do if the new configuration file causes problems.

1. Using the CLI, save the current configuration as the LKG with the save config to last-known-good command.

2. Enable automatic configuration rollback on the NetScreen device with the exec config rollback enable command. Enabling this feature simultaneously locks the LKG file to prevent other users from overwriting it, and consequently disrupting an ongoing configuration rollback.

3. Load the new configuration file using the WebUI or CLI. For more information, see “Upgrading and Downgrading Firmware” on page 411.

4. Test the new configuration file by issuing commands. A few scenarios can occur:

– The new configuration is running correctly.

– The new configuration is defective and as a result, you can no longer reach and manage the NetScreen device. In this case, you have to power off the device. When you power it on, the NetScreen device reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.

– You notice problems with or errors in the new configuration file. In this case, you need to reset the NetScreen device with the reset command. When the device reboots, it reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.


– The new configuration is defective and causes the NetScreen device to become inoperable. In this case, the NetScreen device reboots automatically. When the device reboots, it reads the flash memory file, which indicates that the configuration rollback feature is enabled. That information prompts the NetScreen device to automatically load the LKG file.

Locking the Configuration File

You can lock a configuration file in flash memory to prevent it from being overwritten by other admins or before importing a new configuration file. When you lock the configuration file, the device starts a lock timer. If the device does not receive a CLI command within a previously specified lockout period, then it automatically reboots, using the configuration that was locked in flash memory. It is good practice to lock the current configuration of the device before you start importing a configuration file. This action prevents the device from freezing for an indefinite period of time due to a failure in the import process.

When you lock the configuration file, you and any other admin connected to the device (for example, through Telnet or the WebUI) cannot save to the configuration file. You must first unlock the configuration, and then save the new configuration commands with the save command.

CLI

To lock the configuration file:

exec config lock start

To unlock the file:

exec config lock end

Note: NetScreen Redundancy Protocol (NSRP)—In an active/active setup, if loading a new configuration file fails, then both NetScreen devices revert to the LKG. In an active/passive setup, if loading a new configuration file fails, then only the master unit reverts to the LKG. Only after you save the configuration to file does the master unit synchronize the backup unit.

Note: You can lock/unlock a configuration file through the CLI only. This feature is not available on the WebUI.


To abort the lockout and immediately reboot the device with the configuration that was previously locked in flash:

exec config lock abort

To change the default lockout period (5 minutes):

set config lock timeout <number>

Adding Comments to a Configuration File

You can add comments to an external configuration file. The comments can be in a separate line of text or at the end of one line. The comment must begin with the number symbol ( # ) and be followed by a space. When the comment is at the end of a line, a space must also come before the number symbol. When you save the file onto a NetScreen device—either by merging the new configuration with the existing one or by completely replacing the existing configuration with the new one—the device parses the configuration for lines beginning with the number symbol and removes any comments.

The NetScreen device does not save any comments introduced with the number symbol in either RAM or flash memory. For example, if an external configuration file contains the following lines:

set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24 # change IP address
# add new MIP addresses
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255
# all MIPs use the trust-vr routing domain by default

Note: If the number symbol appears within quotation marks, then the NetScreen device does not treat it as a special marker but as part of an object name and does not remove it. For example, the NetScreen device does not delete “#5 server” in the command set address trust “#5 server” 10.1.1.5/32 because it appears within quotation marks.

When you view the configuration after you load the file, you see the following (the comments are gone):

set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255

Also, if you paste a block of commands that includes comments into a console or Telnet session, then the NetScreen device discards all comments immediately upon running the commands.
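The comment rules above (line comments, inline comments preceded by a space, and a number symbol inside quotation marks left alone) are easy to get wrong when you pre-process configuration files on a workstation before loading them. The following is an added example, not code from the manual or from ScreenOS, that parses a constructed configuration file the way the manual says the device does; the function names and the extra "#5 server" line are assumptions for the example.

```python
from typing import List

# Constructed sample: the manual's configuration fragment plus one line with a
# quoted object name containing '#', which the device must keep intact.
SAMPLE_CONFIG = """\
set interface ethernet3 zone untrust
set interface ethernet3 ip 1.1.1.1/24 # change IP address
# add new MIP addresses
set interface ethernet3 mip 1.1.1.10 host 10.1.1.10 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.11 host 10.1.1.11 netmask 255.255.255.255
set interface ethernet3 mip 1.1.1.12 host 10.1.1.12 netmask 255.255.255.255
# all MIPs use the trust-vr routing domain by default
set address trust "#5 server" 10.1.1.5/32
"""


def strip_comment(line: str) -> str:
    """Return LINE without its comment, following the rules the manual states.

    - A line whose first non-blank character is '#' is a comment line (dropped).
    - An inline comment starts at a '#' that is preceded by a space and followed
      by a space (or the end of the line).
    - A '#' inside double quotation marks is part of an object name and is kept.
    """
    if line.lstrip().startswith("#"):
        return ""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
            continue
        if ch != "#" or in_quotes:
            continue
        preceded_by_space = i > 0 and line[i - 1] == " "
        followed_by_space = i + 1 == len(line) or line[i + 1] == " "
        if preceded_by_space and followed_by_space:
            return line[:i].rstrip()
    return line.rstrip()


def load_config(text: str) -> List[str]:
    """Parse an external configuration file the way the device does on load:
    comments are removed and empty lines dropped, so the result is what the
    configuration looks like when you view it afterwards."""
    commands: List[str] = []
    for raw in text.splitlines():
        cleaned = strip_comment(raw)
        if cleaned.strip():
            commands.append(cleaned)
    return commands


if __name__ == "__main__":
    for command in load_config(SAMPLE_CONFIG):
        print(command)
```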

SETTING NETSCREEN-SECURITY MANAGER BULK-CLI

Setting the bulk-CLI determines how and when the device performs rollback if the NetScreen-Security Manager connection drops during an update session. When this happens, the Agent iterates through all of the configured NetScreen-Security Manager servers once to see if it can establish another connection. If not, then the Agent waits for the specified time period before it reboots the device to roll back the configuration. The range for the reboot-timeout value is 60 through 86400 seconds. The default reboot-timeout value is 60 seconds.

The Agent checks the NetScreen-Security Manager connection status under two conditions:

• All of the CLI commands are executed and the Agent needs to send a successful or unsuccessful message to the NetScreen-Security Manager.

• An error occurs and therefore needs to be reported to the NetScreen-Security Manager.

If an error is generated during the CLI execution, then the Agent sends an error-reporting message to the NetScreen-Security Manager, and then waits for error instructions. There are three scenarios for error instructions:

• If the Agent is instructed to stop, then it stops executing the remaining CLI commands and reboots.

• If the Agent is instructed to continue, then it continues the execution for the remaining CLI commands.

• If there is no Agent instruction within the specified reboot-timeout value, then the Agent checks if the bulk-cli reboot-timeout is enabled or disabled.

– If enabled, then a reboot occurs immediately.

– If disabled, then the Agent does not reboot the device. The device continues to execute the remaining CLI commands.

To set the reboot-timeout value, use the following command:

set nsmgmt bulkcli reboot_timeout number

in which the unit value for number is in seconds.

To disable the reboot-timeout, use the following command:

set nsmgmt bulkcli reboot_timeout disable

LICENSE KEYS

The license key feature allows you to expand the capabilities of your NetScreen device without having to upgrade to a different device or system image. You can purchase a key that unlocks specified features already loaded in the firmware, such as the following:

• User capacity

• Virtual systems, zones, and virtual routers

• HA

Each NetScreen device ships with a standard set of features enabled and might support the activation of optional features or the increased capacity of existing features. For information regarding which features are currently available for upgrading, refer to the latest marketing literature from Juniper Networks.

The procedure for obtaining and applying a license key is as follows:

1. Contact the value-added reseller (VAR) who sold you the NetScreen device or contact Juniper Networks directly.

2. Provide the serial number of your device and state the feature option you want.

The license key is generated and then sent to you via e-mail.

3. Enter the key through either the WebUI or CLI. (See the following example.)

Example: Expanding User Capacity

A small company using a single NetScreen device with a license for 10 users has grown to the point where it now needs an unrestricted user license. The NetScreen administrator expands the capabilities of the device by obtaining a firmware key for an unrestricted number of users. The license key number is 6a48e726ca050192 and is in a text file named “A2010002.txt” located at C:\netscreen\keys.

WebUI

Configuration > Update > ScreenOS/Keys: Do the following, and then click Apply:

License Key Update: (select)

Load File: C:\netscreen\keys\A2010002.txt

Or

Click Browse and navigate to C:\netscreen\keys, select A2010002.txt, and then click Open.

CLI

exec license-key capacity 6a48e726ca050192
reset

REGISTRATION AND ACTIVATION OF SUBSCRIPTION SERVICES

Before your Juniper Networks NetScreen device can receive regular subscription service for antivirus (AV) patterns, Deep Inspection (DI) signatures, or URL Filtering, you must purchase a subscription to the service, register for the service, and then retrieve the subscription key. Retrieving the subscription activates your services on the device. How the service activation process works depends upon the way you purchased the services and what the services are.

Temporary Service

To allow you time to register for AV or DI services, the NetScreen device provides a temporary grace period. During this period, the device can obtain services on a temporary basis.

• No NetScreen device comes with DI already enabled. To obtain temporary DI service, you must start a WebUI session and click the Retrieve Subscriptions Now button in the Configuration > Update > ScreenOS/Keys page. This provides a one-time, one-day DI key.

• If your device has AV service bundled at time of purchase, then the device has pre-installed temporary service. This temporary service lasts up to 60 days.

• No NetScreen device comes with URL Filtering already enabled. This feature does not have a temporary service.

Warning! To avoid service interruption, you must perform registration as soon as possible after purchasing your subscription. Registration ensures continuation of the subscription.

AV, URL Filtering, and DI Bundled with a New Device

If you purchased a new NetScreen device that already has the AV, URL Filtering, and DI services, then perform the following steps to activate the services.

1. Configure the device for internet connectivity. (For instructions, refer to the Getting Started Guide and the User’s Guide for your NetScreen device.)

2. Register the device at the following site:

www.juniper.net/support

Devices with bundled AV services come with a temporary, pre-installed subscription, so you can go ahead and use the service immediately. However, you must register the device to receive your full paid subscription.

3. Retrieve the subscription key on the device. You can do this in either of two ways:

– In the WebUI, click the Retrieve Subscriptions Now button on the Configuration > Update > ScreenOS/Keys page.

– Using the CLI, run the following command:

exec license-key update

4. You must reset the device after the key has been loaded.

You can now configure the device to automatically or manually retrieve the signature services. For instructions on configuring your NetScreen device for these services, refer to “Antivirus Scanning” on page 4-81, “URL Filtering” on page 4-106, and “Deep Inspection” on page 4-131.

AV, URL Filtering, and DI Upgrade to an Existing Device

If you purchase AV, URL Filtering, and DI services to add to your existing NetScreen device, perform the following steps to activate the services.

1. After ordering the services, you should receive a support certificate, via e-mail, from Juniper Networks or your authorized NetScreen device reseller. This certificate is a readable document that contains information you need to register your device.

2. Make sure the device is registered. If it is not currently registered, go to the following site:

www.juniper.net/support

3. Register the support certificate to the device.

4. If you are subscribing and registering for the DI service or URL Filtering only, then go on to Step 5.

If you are subscribing and registering for the AV service, then you must wait up to four hours for the system to process the registration before proceeding with Step 5.

5. Confirm that your device has internet connectivity.

6. Retrieve the subscription key on the device. You can do this in either of two ways:

– In the WebUI, click the Retrieve Subscriptions Now button on the Configuration > Update > ScreenOS/Keys page.

– Using the CLI, run the following command:

exec license-key update

7. You must reset the device after the key has been loaded.

You can now configure the device to automatically or manually retrieve the signature services. For instructions on configuring your NetScreen device for these services, refer to “Antivirus Scanning” on page 4-81, “URL Filtering” on page 4-106, and “Deep Inspection” on page 4-131.

DI Upgrade Only

If you purchased DI services only, and you purchased your NetScreen device separately from the DI service, then perform the following steps to activate the service.

1. After ordering the service, you should receive a support certificate, via e-mail, from Juniper Networks or your authorized NetScreen device reseller. This certificate is a readable document that contains information you need to register your device.

2. Make sure the device is registered. If it is not currently registered, go to the following site:

www.juniper.net/support

3. Register the support certificate to the device.

4. Confirm that your device has internet connectivity.

5. Retrieve the subscription key on the device. You can do this in either of two ways:

– In the WebUI, click the Retrieve Subscriptions Now button on the Configuration > Update > ScreenOS/Keys page.

– Using the CLI, run the following command:

exec license-key update

6. You must reset the device after the key has been loaded.

You can now configure the device to automatically or manually retrieve the DI signature service. For instructions on configuring your NetScreen device for this service, refer to “Deep Inspection” on page 4-131.

SYSTEM CLOCK

It is important that your NetScreen device always be set to the right time. Among other things, the time on your NetScreen device affects the setup of VPN tunnels and the timing of schedules. There are many ways that you can ensure that the NetScreen device always maintains the accurate time. First, you must set the system clock to the current time. Next, you can enable the daylight saving time option and you can configure up to three NTP servers (one primary and two backups) from which the NetScreen device can regularly update its system clock.

Date and Time

To set the clock to the current time and date, you can use the WebUI or the CLI. Through the WebUI, you do this by synchronizing the system clock with the clock on your computer:

1. Configuration > Date/Time: Click the Sync Clock with Client button.

A pop-up message prompts you to specify if you have enabled the daylight saving time option on your computer clock.

2. Click Yes to synchronize the system clock and adjust it according to daylight saving time, or No to synchronize the system clock without adjusting it for daylight saving time.

Through the CLI, you set the clock by manually entering the date and time using the command “set clock mm/dd/yyyy hh:mm:ss”.

Time Zone

You set the time zone by specifying the number of hours by which the local time for the NetScreen device is behind or ahead of GMT (Greenwich Mean Time). For example, if the local time zone for the NetScreen device is Pacific Standard Time, it is 8 hours behind GMT. Therefore, you have to set the clock to -8.

If you set the time zone using the WebUI:

Configuration > Date/Time > Set Time Zone: __ hours __ minutes from GMT

If you set the time zone using the CLI:

ns-> set clock timezone number (a number from -12 to 12)

or

ns-> set ntp timezone number (a number from -12 to 12)

NTP

To ensure that the NetScreen device always maintains the right time, it can use NTP (Network Time Protocol) to synchronize its system clock with that of an NTP server over the Internet. You can do this manually or configure the NetScreen device to perform this synchronization automatically at time intervals that you specify.

Multiple NTP Servers

You can configure up to three NTP servers on a NetScreen device: one primary server and two backup servers. When you configure the NetScreen device to synchronize its system clock automatically, it queries each configured NTP server sequentially. The device always queries the primary NTP server first. If the query is not successful, the device then queries the first backup NTP server and so on until it gets a valid reply from one of the NTP servers configured on the NetScreen device. The device makes four attempts on each NTP server before it terminates the update and logs the failure.

When you manually synchronize the system clock, which you can only do using the CLI, you can specify a particular NTP server or none at all. If you specify an NTP server, the NetScreen device queries that server only. If you do not specify an NTP server, the NetScreen device queries each NTP server configured on the NetScreen device sequentially. You can specify an NTP server using its IP address or its domain name.

Maximum Time Adjustment

For automatic synchronization, you can specify a maximum time adjustment value (in seconds). The maximum time adjustment value represents the acceptable time difference between the NetScreen device system clock and the time received from an NTP server. The NetScreen device only adjusts its clock with the NTP server time if the time difference between its clock and the NTP server time is within the maximum time adjustment value that you set. For example, if the maximum time adjustment value is 3 seconds, and the time on the device system clock is 4:00:00 and the NTP server sends 4:00:02 as the time, the difference in time between the two is acceptable and the NetScreen device can update its clock. If the time adjustment is greater than the value you set, the NetScreen device does not synchronize its clock and proceeds to try the first backup NTP server configured on the NetScreen device. If the NetScreen device does not receive a valid reply after trying all the configured NTP servers, it generates an error message in the event log. The default value for this feature is 3 seconds and the range is 0 (no limit) to 3600 (one hour).

When you manually synchronize the system clock, which you can only do using the CLI, the NetScreen device does not verify the maximum time adjustment value. Instead, if it receives a valid reply, the NetScreen device displays a message informing you of which NTP server it reached, what the time adjustment is, and the type of authentication method used. The message also asks you to confirm or cancel the system clock update.

If the NetScreen device does not receive a reply, it displays a timeout message. This message appears only after the device unsuccessfully attempted to reach all NTP servers configured on the NetScreen device.

NTP and NSRP

The NetScreen Redundancy Protocol (NSRP) contains a mechanism for synchronizing the system clock of NSRP cluster members. Although the resolution for synchronization is in seconds, NTP has sub-second resolution. Because the time on each cluster member might differ by a few seconds due to processing delays, Juniper Networks recommends that you disable NSRP time synchronization when NTP is enabled on both cluster members and they can each update their system clock from an NTP server. To disable the NSRP time synchronization function, enter the following command:

set ntp no-ha-sync

Note: When issuing requests using the CLI, you can cancel the current request by pressing Ctrl-C on the keyboard.

Example: Configuring NTP Servers and a Maximum Time Adjustment Value

In the following example you configure the NetScreen device to update its clock at five-minute intervals from NTP servers at IP addresses 1.1.1.1, 1.1.1.2, and 1.1.1.3. You also set a maximum time adjustment value of 2 seconds.

WebUI

Configuration > Date/Time: Enter the following, and then click Apply:

Automatically synchronize with an Internet Time Server (NTP): (select)

Update system clock every minutes: 5

Maximum time adjustment seconds: 2

Primary Server IP/Name: 1.1.1.1

Backup Server1 IP/Name: 1.1.1.2

Backup Server2 IP/Name: 1.1.1.3

CLI

set clock ntp
set ntp server 1.1.1.1
set ntp server backup1 1.1.1.2
set ntp server backup2 1.1.1.3
set ntp interval 5
set ntp max-adjustment 2
save
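The server-selection and maximum-time-adjustment rules in the "Multiple NTP Servers" and "Maximum Time Adjustment" sections, and the difference between automatic and manual synchronization, are worth seeing end to end: a primary server whose time has drifted past the limit is rejected rather than applied, and a backup that answers on a later attempt still wins. The following is an added example, not code from the manual or from ScreenOS, that models that decision logic offline against the three-server, 2-second configuration above; the server behaviours, function names and event-log wording are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

ATTEMPTS_PER_SERVER = 4   # the manual: four attempts on each NTP server


@dataclass
class NtpServer:
    name: str                               # IP address or domain name
    query: Callable[[], Optional[float]]    # server time in seconds, or None on timeout


@dataclass
class SyncResult:
    updated: bool
    source: Optional[str]       # server whose time was applied, if any
    adjustment: float           # seconds the local clock moves (or would move)
    events: List[str] = field(default_factory=list)   # what the event log records


def automatic_sync(local_time: float, servers: List[NtpServer], max_adjustment: int) -> SyncResult:
    """Interval-driven synchronization as the manual describes it: primary first,
    then backup1, backup2; four attempts per server; a reply is applied only when
    |server - local| <= max_adjustment (0 means no limit). A reply outside the
    limit is treated as a failure for that server and the next server is tried.
    (Assumption: the four attempts are per server, not four in total.)"""
    events: List[str] = []
    for server in servers:
        reply = None
        for attempt in range(1, ATTEMPTS_PER_SERVER + 1):
            reply = server.query()
            if reply is not None:
                break
            events.append(f"{server.name}: attempt {attempt} of {ATTEMPTS_PER_SERVER} timed out")
        if reply is None:
            continue
        diff = reply - local_time
        if max_adjustment == 0 or abs(diff) <= max_adjustment:
            events.append(f"{server.name}: clock updated, adjustment {diff:+.0f}s")
            return SyncResult(True, server.name, diff, events)
        events.append(f"{server.name}: adjustment {diff:+.0f}s exceeds "
                      f"max-adjustment {max_adjustment}s, reply rejected")
    events.append("error: no valid reply from any configured NTP server")
    return SyncResult(False, None, 0.0, events)


def manual_sync(local_time: float, servers: List[NtpServer],
                target: Optional[str] = None) -> Optional[SyncResult]:
    """CLI-driven synchronization: the named server only, or each configured
    server in order; max-adjustment is not checked. The result is the proposal
    the CLI would ask you to confirm (updated=False until you do), or None when
    no server replied."""
    candidates = [s for s in servers if target is None or s.name == target]
    for server in candidates:
        reply = server.query()
        if reply is not None:
            diff = reply - local_time
            return SyncResult(False, server.name, diff,
                              [f"{server.name}: proposed adjustment {diff:+.0f}s, confirm?"])
    return None


# Constructed server behaviours so the example runs offline.
def always(time_value: float) -> Callable[[], Optional[float]]:
    return lambda: time_value


def never() -> Callable[[], Optional[float]]:
    return lambda: None


def after_timeouts(n: int, time_value: float) -> Callable[[], Optional[float]]:
    """Time out N times, then answer (models a flaky backup server)."""
    remaining = [n]

    def query() -> Optional[float]:
        if remaining[0] > 0:
            remaining[0] -= 1
            return None
        return time_value
    return query


if __name__ == "__main__":
    # Local clock 4:00:00 (14400 s into the day), max-adjustment 2 as configured above.
    servers = [NtpServer("1.1.1.1", always(14410.0)),          # drifted 10 s: rejected
               NtpServer("1.1.1.2", never()),                   # unreachable
               NtpServer("1.1.1.3", after_timeouts(2, 14401.0))]  # answers on attempt 3
    for line in automatic_sync(14400.0, servers, 2).events:
        print(line)
```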

Secure NTP Servers

You can secure NTP traffic by using an MD5-based checksum to provide authentication of NTP packets. You do not need to create an IPSec tunnel. This type of authentication ensures the integrity of NTP traffic. It does not prevent outside parties from viewing the data, but prevents anyone from tampering with it.

To enable the authentication of NTP traffic, you must assign a unique key id and preshared key to each NTP server you configure on a NetScreen device. The key id and preshared key serve to create a checksum, with which the NetScreen device and the NTP server can authenticate the data.

Authentication Types

There are two types of authentication for NTP traffic: required and preferred.

When you select Required authentication, the NetScreen device must include the authentication information—key id and checksum—in every packet it sends to an NTP server and must authenticate all NTP packets it receives from an NTP server. Before authentication can occur between a NetScreen device and an NTP server, the administrators of the NetScreen device and the NTP server must first exchange a key id and a preshared key. They have to exchange these manually and can do so in different ways such as via e-mail or telephone.

When you select Preferred authentication, the NetScreen device must first operate as in Required mode by trying to authenticate all NTP traffic. If all attempts to authenticate fail, the NetScreen device then operates as if you selected no authentication. It sends out packets to an NTP server without including a key id and checksum. Essentially, although there is a preference for authentication, if authentication fails, the NetScreen device still permits NTP traffic.
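To make the "key id plus checksum" mechanism and the Required/Preferred distinction concrete, here is an added example, not code from the manual or from ScreenOS, that builds an NTP packet with the standard symmetric-key MD5 MAC (key id followed by MD5 over preshared key || header, as NTP defines it), verifies it, detects a tampered header, and applies each policy to the result. The key table, key id, function names and the "preferred"/"required" mode strings are assumptions for the example.

```python
import hashlib
import hmac
import struct
from typing import Dict, Optional, Tuple

NTP_HEADER_LEN = 48          # NTP header without the MAC
KEY_ID_LEN, MD5_LEN = 4, 16  # MAC = key id (4 bytes) + MD5 digest (16 bytes)

# Constructed key table: key id -> preshared key, exchanged out of band between
# the device and NTP server administrators (the manual: e-mail or telephone).
KEYS: Dict[int, bytes] = {7: b"example-preshared-key-do-not-reuse"}


def ntp_client_header(transmit_ts: int = 0) -> bytes:
    """Minimal NTPv4 client header (LI=0, VN=4, mode=3) carrying only a
    transmit timestamp; all other fields are zero. Constructed for the example."""
    first_word = struct.pack("!BBbb", 0x23, 0, 0, 0)      # LI/VN/mode, stratum, poll, precision
    return first_word + bytes(36) + struct.pack("!Q", transmit_ts)


def md5_mac(key: bytes, header: bytes) -> bytes:
    """The checksum the manual refers to: MD5 over preshared key || header."""
    return hashlib.md5(key + header).digest()


def build_packet(header: bytes, key_id: Optional[int], keys: Dict[int, bytes]) -> bytes:
    """Append key id + checksum when KEY_ID is given. With no key id the bare
    header is sent, which is what a device with no authentication (or one in
    Preferred mode after authentication has failed) transmits."""
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + md5_mac(keys[key_id], header)


def verify_packet(packet: bytes, keys: Dict[int, bytes]) -> Tuple[bool, str]:
    """Check the MAC on a received packet; returns (authenticated, reason)."""
    if len(packet) == NTP_HEADER_LEN:
        return False, "no key id and checksum present"
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + MD5_LEN:
        return False, "malformed packet length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
    received_mac = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}"
    # constant-time comparison so the check leaks nothing about the expected digest
    if not hmac.compare_digest(md5_mac(key, header), received_mac):
        return False, "checksum mismatch (packet altered or wrong preshared key)"
    return True, "authenticated"


def accept_reply(packet: bytes, keys: Dict[int, bytes], mode: str) -> bool:
    """Apply the manual's two policies to a received packet.
    'required': only authenticated packets are used.
    'preferred': once authentication has failed the device behaves as if no
    authentication were configured, so the packet is used anyway. That fallback
    also accepts altered packets, so Preferred gives integrity only while the
    authenticated exchange keeps succeeding."""
    ok, _reason = verify_packet(packet, keys)
    if ok:
        return True
    if mode == "required":
        return False
    if mode == "preferred":
        return True
    raise ValueError(f"unknown authentication mode {mode!r}")


if __name__ == "__main__":
    header = ntp_client_header(transmit_ts=0xDEADBEEF)
    packet = build_packet(header, 7, KEYS)
    tampered = packet[:40] + bytes([packet[40] ^ 0x01]) + packet[41:]   # flip a header bit
    for label, pkt in (("genuine", packet), ("tampered", tampered), ("unauthenticated", header)):
        print(label, verify_packet(pkt, KEYS),
              "required:", accept_reply(pkt, KEYS, "required"),
              "preferred:", accept_reply(pkt, KEYS, "preferred"))
```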
