Concepts & Examples ScreenOS Reference Guide
Release 6.3.0, Rev. 01
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089 USA
408-745-2000
Revision 01
Published: 2009-08-21

ScreenOS 6.1 Concepts & Examples


DESCRIPTION

Excellent manual giving concepts and examples for Juniper Networks ScreenOS based firewalls (Netscreen, SSG, ISG).


Juniper Networks, the Juniper Networks logo, JUNOS, NetScreen, ScreenOS, and Steel-Belted Radius are registered trademarks of Juniper Networks, Inc. in the United States and other countries. JUNOSe is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Copyright 2009, Juniper Networks, Inc. All rights reserved. Printed in USA.

Revision History
August 2009, Revision 01
Content subject to change. The information in this document is current as of the date listed in the revision history.

SOFTWARE LICENSE
The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchase order or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks. By using this software, you indicate that you understand and agree to be bound by those terms and conditions.
Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitions against certain uses. The software license may state conditions under which the license is automatically terminated. You should consult the license for further details.
For complete product documentation, please see the Juniper Networks Web site at www.juniper.net/techpubs.
END USER LICENSE AGREEMENT

READ THIS END USER LICENSE AGREEMENT ("AGREEMENT") BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE, AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.

1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer's principal office is located in the Americas) or Juniper Networks (Cayman) Limited (if the Customer's principal office is located outside the Americas) (such applicable entity being referred to herein as "Juniper"), and (ii) the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software ("Customer") (collectively, the "Parties").

2. The Software. In this Agreement, "Software" means the program modules and features of the Juniper or Juniper-supplied software, for which Customer has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer purchased from Juniper or an authorized Juniper reseller. "Software" also includes updates, upgrades and new releases of such software. "Embedded Software" means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements which are subsequently embedded in or loaded onto the equipment.

3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:

a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper or an authorized Juniper reseller.

b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether such computers or virtualizations are physically contained on a single chassis.

c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to Customer's use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls, connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features, functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing, temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software to be used only in conjunction with other specific Software. Customer's use of the Software shall be subject to all such limitations and purchase of all applicable licenses.

d. For any trial copy of the Software, Customer's right to use the Software expires 30 days after download, installation or use of the Software. Customer may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial period by re-installing the Software after the 30-day trial period.

e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer's enterprise network. Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any commercial network access services.

The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable license(s) for the Software from Juniper or an authorized Juniper reseller.

4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any locked or key-restricted feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.

5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish such records to Juniper and certify its compliance with this Agreement.

6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer's internal business purposes.

7. Ownership. Juniper and Juniper's licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software, associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.

8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that accompanies the Software (the "Warranty Statement"). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW, JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION, OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper's or its suppliers' or licensors' liability to Customer, whether in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss), and that the same form an essential basis of the bargain between the Parties.

9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer's possession or control.

10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper with valid tax receipts and other required documentation showing Customer's payment of any withholding taxes; completing appropriate applications that would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder. Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related to any liability incurred by Juniper as a result of Customer's non-compliance or delay with its responsibilities herein. Customer's obligations under this Section shall survive termination or expiration of this Agreement.

11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption or other capabilities restricting Customer's ability to export the Software without an export license.

12. Commercial Computer Software. The Software is "commercial computer software" and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212, FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.

13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any. Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable terms and conditions upon which Juniper makes such information available.

14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License ("GPL") or the GNU Library General Public License ("LGPL")), Juniper will make such source code portions (including Juniper modifications, as appropriate) available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194 N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and a copy of the LGPL at http://www.gnu.org/licenses/lgpl.html.

15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English version will govern. (For Canada: Les parties aux présentes confirment leur volonté que cette convention de même que tous les documents y compris tout avis qui s'y rattache, soient rédigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be in the English language)).
Abbreviated Table of Contents

Part 1 Overview
  Chapter 1 About the Concepts & Examples ScreenOS Reference Guide  3
Part 2 Fundamentals
  Chapter 2 ScreenOS Architecture  17
  Chapter 3 Zones  43
  Chapter 4 Interfaces  51
  Chapter 5 Interface Modes  99
  Chapter 6 Building Blocks for Policies  129
  Chapter 7 Policies  197
  Chapter 8 Traffic Shaping  233
  Chapter 9 System Parameters  263
Part 3 Administration
  Chapter 10 Administration  309
  Chapter 11 Monitoring Security Devices  371
Part 4 Attack Detection and Defense Mechanisms
  Chapter 12 Protecting a Network  433
  Chapter 13 Reconnaissance Deterrence  439
  Chapter 14 Denial of Service Attack Defenses  463
  Chapter 15 Content Monitoring and Filtering  495
  Chapter 16 Deep Inspection  559
  Chapter 17 Intrusion Detection and Prevention  615
  Chapter 18 Suspicious Packet Attributes  697
Part 5 Virtual Private Networks
  Chapter 19 Internet Protocol Security  707
  Chapter 20 Public Key Cryptography  741
  Chapter 21 Virtual Private Network Guidelines  769
  Chapter 22 Site-to-Site Virtual Private Networks  801
  Chapter 23 Dialup Virtual Private Networks  887
  Chapter 24 Layer 2 Tunneling Protocol  933
  Chapter 25 Advanced Virtual Private Network Features  961
  Chapter 26 AutoConnect-Virtual Private Networks  1059
Part 6 Voice-over-Internet Protocol
  Chapter 27 H.323 Application Layer Gateway  1091
  Chapter 28 Session Initiation Protocol Application Layer Gateway  1105
  Chapter 29 Media Gateway Control Protocol Application Layer Gateway  1157
  Chapter 30 Skinny Client Control Protocol Application Layer Gateway  1171
  Chapter 31 Apple iChat Application Layer Gateway  1203
Part 7 Routing
  Chapter 32 Static Routing  1221
  Chapter 33 Routing  1235
  Chapter 34 Open Shortest Path First  1269
  Chapter 35 Routing Information Protocol  1307
  Chapter 36 Border Gateway Protocol  1337
  Chapter 37 Policy-Based Routing  1373
  Chapter 38 Multicast Routing  1391
  Chapter 39 Internet Group Management Protocol  1399
  Chapter 40 Protocol Independent Multicast  1425
  Chapter 41 ICMP Router Discovery Protocol  1461
Part 8 Address Translation
  Chapter 42 Address Translation  1469
  Chapter 43 Source Network Address Translation  1481
  Chapter 44 Destination Network Address Translation  1499
  Chapter 45 Mapped and Virtual Addresses  1535
Part 9 User Authentication
  Chapter 46 Authentication  1565
  Chapter 47 Authentication Servers  1577
  Chapter 48 Infranet Authentication  1607
  Chapter 49 Authentication Users  1615
  Chapter 50 IKE, XAuth, and L2TP Users  1637
  Chapter 51 Extensible Authentication for Wireless and Ethernet Interfaces  1661
Part 10 Virtual Systems
  Chapter 52 Virtual Systems  1679
  Chapter 53 Traffic Sorting  1713
  Chapter 54 VLAN-Based Traffic Classification  1723
  Chapter 55 IP-Based Traffic Classification  1757
Part 11 High Availability
  Chapter 56 NetScreen Redundancy Protocol  1765
  Chapter 57 Interface Redundancy and Failover  1817
Part 12 WAN, DSL, Dial, and Wireless
  Chapter 58 Wide Area Networks  1869
  Chapter 59 Digital Subscriber Line  1949
  Chapter 60 ISP Failover and Dial Recovery  1995
  Chapter 61 Wireless Local Area Network  2001
Part 13 General Packet Radio Service
  Chapter 62 GPRS  2049
Part 14 Dual-Stack Architecture with IPv6
  Chapter 63 Internet Protocol Version 6 Introduction  2089
  Chapter 64 IPv6 Configuration  2097
  Chapter 65 Connection and Network Services  2123
  Chapter 66 Static and Dynamic Routing  2141
  Chapter 67 Address Translation  2173
  Chapter 68 IPv6 in an IPv4 Environment  2189
  Chapter 69 IPsec Tunneling  2203
  Chapter 70 IPv6 XAuth User Authentication  2223
Part 15 Appendixes
  Appendix A Contexts for User-Defined Signatures  2263
  Appendix B Wireless Information  2267
  Appendix C Switching  2275
Part 16 Index
  Index  2279
Table of Contents

Part 1 Overview
  Chapter 1 About the Concepts & Examples ScreenOS Reference Guide  3
    Part Organization  4
    Document Conventions  10
      Web User Interface Conventions  10
      Command Line Interface Conventions  11
      Naming Conventions and Character Types  11
      Illustration Conventions  12
    Requesting Technical Support  12
      Self-Help Online Tools and Resources  13
      Opening a Case with JTAC  13
    Document Feedback  13
Part 2 Fundamentals
  Chapter 2 ScreenOS Architecture  17
    Security Zones  17
    Security Zone Interfaces  18
      Physical Interfaces  19
      Subinterfaces  19
    Virtual Routers  19
    Policies  20
    Virtual Private Networks  22
    Virtual Systems  26
    Packet-Flow Sequence  27
    Jumbo Frames  30
    ScreenOS Architecture Example  31
      Example: (Part 1) Enterprise with Six Zones  31
        WebUI  32
        CLI  32
      Example: (Part 2) Interfaces for Six Zones  33
        WebUI  33
        CLI  34
      Example: (Part 3) Two Routing Domains  35
        WebUI  36
        CLI  36
      Example: (Part 4) Policies  37
        WebUI  38
        CLI  40
  Chapter 3 Zones  43
    Viewing Preconfigured Zones  43
    Security Zones  45
      Global Zone  45
      SCREEN Options  45
    Binding a Tunnel Interface to a Tunnel Zone  46
      WebUI  47
      CLI  47
    Configuring Security Zones and Tunnel Zones  47
      Creating a Zone  47
        WebUI  48
        CLI  48
      Modifying a Zone  48
        WebUI  49
        CLI  49
      Deleting a Zone  49
        WebUI  49
        CLI  49
    Function Zones  50
  Chapter 4 Interfaces  51
    Interface Types  51
      Logical Interfaces  51
        Physical Interfaces  52
        Wireless Interfaces  52
        Bridge Group Interfaces  52
        Subinterfaces  53
        Aggregate Interfaces  53
        Redundant Interfaces  53
        Virtual Security Interfaces  53
      Function Zone Interfaces  54
        Management Interfaces  54
        High Availability Interfaces  54
      Tunnel Interfaces  54
        Deleting Tunnel Interfaces  58
    Viewing Interfaces  59
    Configuring Security Zone Interfaces  60
      Binding an Interface to a Security Zone  60
        WebUI  61
        CLI  61
        WebUI  61
        CLI  62
      Unbinding an Interface from a Security Zone  62
        WebUI  62
        CLI  62
        WebUI  62
        CLI  62
      Addressing an L3 Security Zone Interface  63
        Public IP Addresses  63
        Private IP Addresses  64
        Addressing an Interface  64
      Modifying Interface Settings  65
        WebUI  65
        CLI  66
      Creating a Subinterface in the Root System  66
        WebUI  66
        CLI  66
      Deleting a Subinterface  67
        WebUI  67
        CLI  67
    Creating a Secondary IP Address  67
      WebUI  68
      CLI  68
    Backup System Interfaces  68
      Configuring a Backup Interface  69
        Configuring an IP Tracking Backup Interface  69
        Configuring a Tunnel-if Backup Interface  70
        Configuring a Route Monitoring Backup Interface  74
    Loopback Interfaces  75
      Creating a Loopback Interface  76
        WebUI  76
        CLI  76
      Setting the Loopback Interface for Management  76
        WebUI  76
        CLI  76
      Setting BGP on a Loopback Interface  76
        WebUI  77
        CLI  77
      Setting VSIs on a Loopback Interface  77
        WebUI  77
        CLI  77
      Setting the Loopback Interface as a Source Interface  77
        WebUI  77
        CLI  78
    Interface State Changes  78
      Physical Connection Monitoring  80
      Tracking IP Addresses  81
        WebUI  84
        CLI  84
      Interface Monitoring  85
        WebUI  86
        CLI  86
        WebUI  88
        CLI  88
        WebUI  89
        CLI  91
      Security Zone Monitoring  91
        WebUI  91
        CLI  92
      Down Interfaces and Traffic Flow  92
        Failure on the Egress Interface  93
        Failure on the Ingress Interface  94
  Chapter 5 Interface Modes  99
    Transparent Mode  99
      Zone Settings  102
        VLAN Zone  102
        Predefined Layer 2 Zones  102
      Traffic Forwarding  103
        Forwarding IPv6 traffic  104
        Unknown
Unicast Options ....................................................................104 Flood Method .................................................................................105 ARP/Trace-Route Method ................................................................106 Configuring VLAN1 Interface for Management ...............................109 Configuring Transparent Mode .......................................................113 NAT Mode ...................................................................................................116 Inbound and Outbound NAT Traffic ......................................................118 Interface Settings ..................................................................................118 Configuring NAT Mode ..........................................................................119 WebUI ............................................................................................120 CLI ..................................................................................................121 Route Mode .................................................................................................122 Interface Settings ..................................................................................125 Configuring Route Mode .......................................................................125 WebUI ............................................................................................126 CLI ..................................................................................................127xiv Table of Contents 15. 
Table of ContentsChapter 6 Building Blocks for Policies 129Addresses ....................................................................................................129Address Entries .....................................................................................130 Adding an Address .........................................................................130 Modifying an Address .....................................................................130 Deleting an Address .......................................................................131Address Groups .....................................................................................131 Creating an Address Group .............................................................133 Editing an Address Group Entry .....................................................133 Removing a Member and a Group ..................................................134Services .......................................................................................................134Predefined Services ..............................................................................134 Internet Control Messaging Protocol ...............................................136 Handling ICMP Unreachable Errors ................................................139 Internet-Related Predefined Services ..............................................139 Microsoft Remote Procedure Call Services ......................................140 Dynamic Routing Protocols ............................................................143 Streaming Video .............................................................................144 Sun Remote Procedure Call Services ..............................................144 Security and Tunnel Services ..........................................................145 IP-Related Services .........................................................................145 Instant Messaging Services 
.............................................................146 Management Services ....................................................................146 Mail Services ..................................................................................147 UNIX Services .................................................................................148 Miscellaneous Services ...................................................................148Custom Services ...................................................................................149 Adding a Custom Service ................................................................149 Modifying a Custom Service ...........................................................150 Removing a Custom Service ...........................................................151Setting a Service Timeout .....................................................................151 Service Timeout Configuration and Lookup ....................................151 Contingencies .................................................................................152 Example .........................................................................................153Defining a Custom Internet Control Message Protocol Service ..............154 WebUI ............................................................................................154 CLI ..................................................................................................155Remote Shell Application Layer Gateway ..............................................155Sun Remote Procedure Call Application Layer Gateway ........................155 Typical RPC Call Scenario ...............................................................155 Customizing Sun RPC Services .......................................................156Customizing Microsoft Remote Procedure Call Application Layer Gateway .........................................................................................157 
WebUI ............................................................................................157 CLI ..................................................................................................158Real-Time Streaming Protocol Application Layer Gateway ....................158 Dual-Stack Environment .................................................................162 RTSP Request Methods ...................................................................162Table of Contents xv 16. Concepts & Examples ScreenOS Reference GuideRTSP Status Codes ..........................................................................164Configuring a Media Server in a Private Domain ............................165Configuring a Media Server in a Public Domain ..............................167Stream Control Transmission Protocol Application Layer Gateway .......171SCTP Protocol Filtering .........................................................................172Point-to-Point Tunneling Protocol Application Layer Gateway ...............172Configuring the PPTP ALG ..............................................................174Service Groups ......................................................................................174Creating a Service Group ................................................................175WebUI ............................................................................................175CLI ..................................................................................................175WebUI ............................................................................................175CLI ..................................................................................................176WebUI ............................................................................................176CLI ..................................................................................................176Creating a Session Cache to Accelerate HTTP Traffic 
............................176WebUI ............................................................................................177CLI ..................................................................................................177 Dynamic IP Pools ........................................................................................177Port Address Translation .......................................................................178Creating a DIP Pool with PAT ................................................................178WebUI ............................................................................................179CLI ..................................................................................................179Modifying a DIP Pool ............................................................................180WebUI ............................................................................................180CLI ..................................................................................................180Sticky DIP Addresses ............................................................................180Using DIP in a Different Subnet ............................................................181WebUI (Branch Office A) ................................................................182WebUI (Branch Office B) ................................................................184CLI (Branch Office A) ......................................................................185CLI (Branch Office B) ......................................................................186Using a DIP on a Loopback Interface ....................................................186WebUI ............................................................................................188CLI ..................................................................................................190Creating a DIP Group 
............................................................................190WebUI ............................................................................................193CLI ..................................................................................................193 Setting a Recurring Schedule .......................................................................194WebUI ..................................................................................................194CLI ........................................................................................................196Chapter 7Policies 197 Basic Elements ............................................................................................197 Three Types of Policies ................................................................................198 Interzone Policies .................................................................................198 Intrazone Policies .................................................................................199 Global Policies .......................................................................................200 Policy Set Lists ............................................................................................200xvi Table of Contents 17. 
Table of ContentsPolicies Defined ...........................................................................................201Policies and Rules .................................................................................201Anatomy of a Policy ..............................................................................202 ID ...................................................................................................202 Zones .............................................................................................203 Addresses .......................................................................................203 Wildcard Addresses ........................................................................203 Services ..........................................................................................204 Action .............................................................................................204 Application .....................................................................................205 Name .............................................................................................205 VPN Tunneling ...............................................................................205 L2TP Tunneling ..............................................................................206 Deep Inspection .............................................................................206 Placement at the Top of the Policy List ...........................................206 Session Limiting .............................................................................207 Sending a TCP Session Close Notification .......................................207 Source Network Address Translation ..............................................207 Destination Network Address Translation .......................................208 No Hardware Session .....................................................................208 User Authentication 
........................................................................208 HA Session Backup .........................................................................210 Web Filtering ..................................................................................210 Logging ..........................................................................................210 Counting .........................................................................................211 Traffic Alarm Threshold ..................................................................211 Schedules .......................................................................................211 Antivirus Scanning .........................................................................211 Traffic Shaping ...............................................................................212Policies Applied ...........................................................................................213Viewing Policies ....................................................................................213Searching Policies .................................................................................213Creating Policies ...................................................................................214 Creating Interzone Policies Mail Service .........................................214 Creating an Interzone Policy Set .....................................................217 Creating Intrazone Policies .............................................................222 Creating a Global Policy ..................................................................224Entering a Policy Context ......................................................................225Multiple Items per Policy Component ...................................................225 WebUI ............................................................................................226 CLI 
..................................................................................................226Setting Address Negation ......................................................................226 WebUI ............................................................................................227 CLI ..................................................................................................228Modifying and Disabling Policies ..........................................................229 WebUI ............................................................................................229 CLI ..................................................................................................229Policy Verification .................................................................................229Table of Contents xvii 18. Concepts & Examples ScreenOS Reference GuideReordering Policies ...............................................................................230 WebUI ............................................................................................231 CLI ..................................................................................................231Removing a Policy ................................................................................231Chapter 8 Traffic Shaping233Managing Bandwidth at the Policy Level .....................................................234Setting Traffic Shaping ................................................................................234 WebUI ..................................................................................................235 CLI ........................................................................................................237Setting Service Priorities ..............................................................................238Traffic Shaping for an ALG ..........................................................................239Setting Priority Queuing 
..............................................................................240 WebUI ..................................................................................................241 CLI ........................................................................................................244Ingress Policing ...........................................................................................244Shaping Traffic on Virtual Interfaces ............................................................245 Interface-Level Traffic Shaping ..............................................................245 Policy-Level Traffic Shaping ..................................................................247 Packet Flow ..........................................................................................247 Example: Route-Based VPN with Ingress Policing .................................248 WebUI (Configuration for Device1) .................................................248 CLI (Configuration for the Device1) ................................................249 WebUI (Configuration for Device2) .................................................250 CLI (Configuration for the Device2) ................................................251 Example: Policy-Based VPN with Ingress Policing .................................252 WebUI (Configuration for Device1) .................................................252 CLI (Configuration for Device1) ......................................................253 WebUI (Configuration for Device2) .................................................254 CLI (Configuration for Device2) ......................................................255Traffic Shaping Using a Loopback Interface .................................................256DSCP Marking and Shaping .........................................................................256 Enabling Differentiated Services Code Point .........................................257 WebUI 
............................................................................................257 CLI ..................................................................................................257Quality of Service Classification Based on Incoming Markings ....................259 WebUI ..................................................................................................260 CLI ........................................................................................................260DSCP Marking for Self-initiated Traffic ........................................................261Chapter 9 System Parameters263Domain Name System Support ...................................................................263 DNS Lookup ..........................................................................................264WebUI ............................................................................................265CLI ..................................................................................................265 DNS Status Table ..................................................................................265WebUI ............................................................................................265CLI ..................................................................................................265xviii Table of Contents 19. 
Table of ContentsWebUI ............................................................................................266CLI ..................................................................................................266WebUI ............................................................................................266CLI ..................................................................................................266 Dynamic Domain Name System ...........................................................266Setting Up DDNS for a Dynamic DNS Server ..................................268Setting Up DDNS for a DDO Server ................................................269 Proxy DNS Address Splitting .................................................................269WebUI ............................................................................................270CLI ..................................................................................................271Dynamic Host Configuration Protocol .........................................................271 Configuring a DHCP Server ...................................................................273WebUI ............................................................................................274CLI ..................................................................................................276CLI ..................................................................................................277WebUI ............................................................................................278CLI ..................................................................................................279WebUI ............................................................................................279CLI ..................................................................................................279 Assigning a Security Device as a DHCP Relay Agent .............................279WebUI 
............................................................................................281CLI ..................................................................................................283WebUI ............................................................................................285CLI ..................................................................................................285 Using a Security Device as a DHCP Client .............................................285WebUI ............................................................................................286CLI ..................................................................................................286 Propagating TCP/IP Settings ..................................................................286WebUI ............................................................................................288CLI ..................................................................................................288 Configuring DHCP in Virtual Systems ...................................................289Setting DHCP Message Relay in Virtual Systems ..........................................289Point-to-Point Protocol over Ethernet ..........................................................290 Setting Up PPPoE ..................................................................................290WebUI ............................................................................................291CLI ..................................................................................................292 Configuring PPPoE on Primary and Backup Untrust Interfaces .............293WebUI ............................................................................................293CLI ..................................................................................................293 Configuring Multiple PPPoE Sessions over a Single Interface ................294WebUI 
............................................................................................295CLI ..................................................................................................296 PPPoE and High Availability ..................................................................296License Keys ...............................................................................................297 WebUI ..................................................................................................298 CLI ........................................................................................................298Table of Contents xix 20. Concepts & Examples ScreenOS Reference Guide Configuration Files ......................................................................................298 Uploading Configuration Files ...............................................................298 WebUI ............................................................................................299 CLI ..................................................................................................299 Downloading Configuration Files ..........................................................299 WebUI ............................................................................................299 CLI ..................................................................................................299 Registration and Activation of Subscription Services ...................................300 Trial Service ..........................................................................................300 Updating Subscription Keys ..................................................................300 Adding Antivirus, Web Filtering, Antispam, and Deep Inspection to an Existing or a New Device ................................................................301 System Clock ...............................................................................................301 Date and 
    Time ........ 302
    Daylight Saving Time ........ 302
    Time Zone ........ 302
    Network Time Protocol ........ 303
        Configuring Multiple NTP Servers ........ 303
        Configuring a Backup NTP Server ........ 303
        Device as an NTP Server ........ 304
        Maximum Time Adjustment ........ 304
        NTP and NSRP ........ 305
        Setting a Maximum Time Adjustment Value to an NTP Server ........ 305
        Securing NTP Servers ........ 306

Part 3 Administration

Chapter 10 Administration ........ 309
    Federal Information Processing Standards (FIPS) ........ 309
        Power-On Self-Test ........ 310
            Config-Data Integrity Test ........ 311
            Firmware Integrity Test ........ 311
        Self-Test on Demand by Administrator ........ 311
        Self-Test After Key Generation ........ 311
        Periodic Self-Test ........ 312
    Management with the Web User Interface ........ 312
        WebUI Help ........ 313
            Copying the Help Files to a Local Drive ........ 313
            Pointing the WebUI to the New Help Location ........ 313
        HyperText Transfer Protocol ........ 314
        Session ID ........ 314
        Secure Sockets Layer ........ 315
            SSL Configuration ........ 317
            Redirecting HTTP to SSL ........ 318
    Management with the Command Line Interface ........ 319
        Telnet ........ 320
        Securing Telnet Connections ........ 321
        Secure Shell ........ 321
            Client Requirements ........ 322
            Basic SSH Configuration on the Device ........ 323
            Authentication ........ 324
            Binding a PKA Key to an Administrator ........ 325
            Binding a PKA Certificate to an Administrator ........ 326
            SSH and Vsys ........ 326
            Host Key ........ 327
            Host Certificate ........ 328
            Example: SSHv1 with PKA for Automated Logins ........ 328
        Secure Copy ........ 329
            WebUI ........ 330
            CLI ........ 330
        Serial Console ........ 330
        Remote Console ........ 331
            Remote Console Using V.92 Modem Port ........ 331
            Remote Console Using an AUX Port ........ 332
        Modem Port ........ 333
    Management with the Network and Security Manager ........ 333
        Initiating Connectivity Between NSM Agent and the MGT System ........ 334
        Enabling, Disabling, and Unsetting NSM Agent ........ 335
            WebUI ........ 335
            CLI ........ 336
            WebUI ........ 336
            CLI ........ 336
        Setting the Primary Server IP Address of the Management System ........ 336
            WebUI ........ 336
            CLI ........ 336
        Setting Alarm and Statistics Reporting ........ 336
            WebUI ........ 337
            CLI ........ 337
        Configuration Synchronization ........ 338
            Example: Viewing the Configuration State ........ 338
            Example: Retrieving the Configuration Hash ........ 338
        Retrieving the Configuration Timestamp ........ 339
            WebUI ........ 339
            CLI ........ 339
    Controlling Administrative Traffic ........ 339
        MGT and VLAN1 Interfaces ........ 340
            Example: Administration Through the MGT Interface ........ 341
            Example: Administration Through the VLAN1 Interface ........ 341
        Setting Administrative Interface Options ........ 342
            WebUI ........ 342
            CLI ........ 343
        Setting Manage IPs for Multiple Interfaces ........ 343
            WebUI ........ 344
            CLI ........ 345
    Levels of Administration ........ 345
        Root Administrator ........ 345
            Role Attributes ........ 346
        Read/Write Administrator ........ 347
        Read-Only Administrator ........ 347
        Virtual System Administrator ........ 347
        Virtual System Read-Only Administrator ........ 348
    Defining Admin Users ........ 348
        Example: Adding a Read-Only Admin ........ 348
            WebUI ........ 348
            CLI ........ 349
        Example: Modifying an Admin ........ 349
            WebUI ........ 349
            CLI ........ 349
        Example: Deleting an Admin ........ 349
            WebUI ........ 349
            CLI ........ 349
        Example: Configuring Admin Accounts for Dialup Connections ........ 349
            WebUI ........ 350
            CLI ........ 350
        Example: Clearing an Admin's Sessions ........ 350
            WebUI ........ 351
            CLI ........ 351
    Securing Administrative Traffic ........ 351
        WebUI ........ 351
        CLI ........ 351
        Changing the Port Number ........ 352
            WebUI ........ 352
            CLI ........ 352
        Changing the Admin Login Name and Password ........ 352
            Example: Changing an Admin User's Login Name and Password ........ 353
            Example: Changing Your Own Password ........ 354
            Setting the Minimum Length of the Root Admin Password ........ 354
        Resetting the Device to the Factory Default Settings ........ 354
        Restricting Administrative Access ........ 355
            Example: Restricting Administration to a Single Workstation ........ 355
            Example: Restricting Administration to a Subnet ........ 356
            Restricting the Root Admin to Console Access ........ 356
            Monitoring Admin Access ........ 356
        VPN Tunnels for Administrative Traffic ........ 358
            Administration Through a Route-Based Manual Key VPN Tunnel ........ 358
            Administration Through a Policy-Based Manual Key VPN Tunnel ........ 362
    Password Policy ........ 366
        Setting a Password Policy ........ 367
            CLI ........ 367
        Removing a Password Policy ........ 367
            CLI ........ 367
        Viewing a Password Policy ........ 368
        Recovering from a Rejected Default Admin Password ........ 368
            CLI ........ 368
    Creating a Login Banner ........ 368

Chapter 11 Monitoring Security Devices ........ 371
    Storing Log Information ........ 371
    Event Log ........ 372
        Viewing the Event Log by Severity Level and Keyword ........ 373
            WebUI ........ 373
            CLI ........ 373
            WebUI ........ 373
            CLI ........ 373
            WebUI ........ 374
            CLI ........ 374
        Sorting and Filtering the Event Log ........ 374
            WebUI ........ 375
            CLI ........ 375
        Downloading the Event Log ........ 375
            Example: Downloading the Entire Event Log ........ 375
            Example: Downloading the Event Log for Critical Events ........ 376
    Traffic Log ........ 376
        WebUI ........ 376
        CLI ........ 377
        WebUI ........ 377
        CLI ........ 377
        Viewing the Traffic Log ........ 377
            WebUI ........ 377
            CLI ........ 377
            WebUI ........ 377
            CLI ........ 378
            WebUI ........ 379
            CLI ........ 379
            WebUI ........ 379
            CLI ........ 379
        Removing the Reason for Close Field ........ 379
            WebUI ........ 381
            CLI ........ 381
    Self Log ........ 381
        WebUI ........ 381
        CLI ........ 381
        Viewing the Self Log ........ 382
            WebUI ........ 382
            CLI ........ 382
            WebUI ........ 383
            CLI ........ 383
        Storing Debug Information ........ 383
        Downloading the Self Log ........ 384
            WebUI ........ 384
            CLI ........ 384
    Downloading the Asset Recovery Log ........ 384
        WebUI ........ 384
        CLI ........ 385
    Traffic Alarms ........ 385
        Example: Policy-Based Intrusion Detection ........ 385
            WebUI ........ 385
            CLI ........ 386
        Example: Compromised System Notification ........ 386
            WebUI ........ 386
            CLI ........ 387
        Example: Sending Email Alerts ........ 387
            WebUI ........ 387
            CLI ........ 387
    Security Alarms and Audit Logs ........ 388
        Enabling Security Alarms ........ 388
            WebUI ........ 389
            CLI ........ 389
            WebUI ........ 389
            CLI ........ 389
            CLI ........ 390
        Setting Potential-Violation Security Alarms ........ 390
            Example: Configuring a Device to Trigger a Potential-Violation Alarm ........ 391
        Configuring Exclude Rules ........ 391
            Example: Setting an Exclude Rule to Exclude an Event for the Audit Log ........ 392
    Syslog ........ 392
        Enabling Syslog on Backup Devices ........ 393
            WebUI ........ 393
            CLI ........ 394
        Example: Enabling Multiple Syslog Servers ........ 394
            WebUI ........ 394
            CLI ........ 394
        WebTrends ........ 395
            WebUI ........ 396
            CLI ........ 396
    Simple Network Management Protocol ........ 397
        SNMPv1 and SNMPv2c Implementation Overview ........ 399
        SNMPv3 Implementation Overview ........ 400
        Defining a Read/Write SNMP Community ........ 401
            WebUI ........ 401
            CLI ........ 402
        Configuring a MIB Filter in the SNMP Community ........ 402
            Example ........ 403
        Example: Configuring an SNMPv3 Packet ........ 404
            WebUI ........ 404
            CLI ........ 406
    VPN Tunnels for Self-Initiated Traffic ........ 407
        Example: Self-Generated Traffic Through a Route-Based Tunnel ........ 408
            WebUI (Device-A) ........ 409
            CLI (Device-A) ........ 411
            WebUI (Device-B) ........ 412
            CLI (Device-B) ........ 414
        Example: Self-Generated Traffic Through a Policy-Based Tunnel ........ 415
            WebUI (Device-A) ........ 417
            CLI (Device-A) ........ 419
            WebUI (Device-B) ........ 420
            CLI (Device-B) ........ 421
    Viewing Screen Counters ........ 422
        WebUI ........ 429
        CLI ........ 429

Part 4 Attack Detection and Defense Mechanisms

Chapter 12 Protecting a Network ........ 433
    Stages of an Attack ........ 434
    Detection and Defense Mechanisms ........ 434
    Exploit Monitoring ........ 436
        Example: Monitoring Attacks from the Untrust Zone ........ 437
            WebUI ........ 437
            CLI ........ 437

Chapter 13 Reconnaissance Deterrence ........ 439
    IP Address Sweep ........ 439
        WebUI ........ 440
        CLI ........ 440
    Port Scanning ........ 440
        WebUI ........ 441
        CLI ........ 441
    TCP/UDP Sweep Protection ........ 442
        WebUI ........ 442
        CLI ........ 443
    Network Reconnaissance Using IP Options ........ 443
        WebUI ........ 445
        CLI ........ 445
    Operating System Probes ........ 446
        SYN and FIN Flags Set ........ 446
            WebUI ........ 446
            CLI ........ 446
        FIN Flag Without ACK Flag ........ 447
            WebUI ........ 447
            CLI ........ 447
        TCP Header Without Flags Set ........ 448
            WebUI ........ 448
            CLI ........ 448
    Evasion Techniques ........ 448
        FIN Scan ........ 449
        Non-SYN Flags ........ 449
        IP Spoofing ........ 454
            Example: L3 IP Spoof Protection ........ 456
            Example: L2 IP Spoof Protection ........ 459
        IP Source Route Options ........ 460
            WebUI ........ 462
            CLI ........ 462
            WebUI ........ 462
            CLI ........ 462

Chapter 14 Denial of Service Attack Defenses ........ 463
    Firewall DoS Attacks ........ 463
        Session Table Flood ........ 463
            Source-Based and Destination-Based Session Limits ........ 464
            Example: Source-Based Session Limiting ........ 465
            Example: Destination-Based Session Limiting ........ 466
            Aggressive Aging ........