Volume 1:
Overview
www.juniper.net
Copyright Notice
Copyright 2012 Juniper Networks, Inc. All rights reserved.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and
other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks,
registered trademarks, or registered service marks are the property of their respective owners.
All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any
obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication
without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency
energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception.
This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC
rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no
guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user
is encouraged to try to correct the interference by one or more of the following measures:
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Table of Contents
Volume 1:
Overview
About the Concepts & Examples ScreenOS Reference Guide
xlvii
Volume 2:
Fundamentals
About This Volume
ix
Document Conventions.................................................................................... x
Web User Interface Conventions .............................................................. x
Command Line Interface Conventions ...................................................... x
Naming Conventions and Character Types .............................................. xi
Illustration Conventions .......................................................................... xii
Requesting Technical Support ........................................................................ xii
Self-Help Online Tools and Resources..................................................... xiii
Opening a Case with JTAC ...................................................................... xiii
Document Feedback ..................................................................................... xiii
Chapter 1
ScreenOS Architecture
Zones
25
Interfaces
35
Interface Modes
81
Transparent Mode.......................................................................................... 82
Zone Settings........................................................................................... 83
VLAN Zone........................................................................................ 83
Predefined Layer 2 Zones .................................................................83
Traffic Forwarding ................................................................................... 83
Forwarding IPv6 Traffic ..................................................... 84
Unknown Unicast Options ....................................................................... 85
Flood Method.................................................................................... 86
ARP/Trace-Route Method .................................................................. 87
Configuring VLAN1 Interface for Management .................................. 90
Configuring Transparent Mode.......................................................... 92
NAT Mode...................................................................................................... 95
Inbound and Outbound NAT Traffic ........................................................ 97
Interface Settings..................................................................................... 98
Configuring NAT Mode ............................................................................ 98
Route Mode..................................................................................................101
Interface Settings...................................................................................102
Configuring Route Mode ........................................................................102
Chapter 5
105
Addresses ....................................................................................................105
Address Entries .....................................................................................106
Adding an Address ..........................................................................106
Modifying an Address .....................................................................107
Deleting an Address ........................................................................107
Address Groups .....................................................................................107
Creating an Address Group .............................................................109
Editing an Address Group Entry ......................................................110
Removing a Member and a Group...................................................110
Services........................................................................................................110
Predefined Services ...............................................................................111
Internet Control Messaging Protocol ...............................................112
Handling ICMP Unreachable Errors .................................................114
Internet-Related Predefined Services...............................................115
Microsoft Remote Procedure Call Services ......................................116
Dynamic Routing Protocols.............................................................118
Streaming Video..............................................................................118
Sun Remote Procedure Call Services ...............................................119
Policies
161
Basic Elements.............................................................................................162
Three Types of Policies ................................................................................163
Interzone Policies ..................................................................................163
Intrazone Policies ..................................................................................163
Global Policies .......................................................................................164
Policy Set Lists .............................................................................................165
Policies Defined ...........................................................................................166
Policies and Rules..................................................................................166
Anatomy of a Policy ..............................................................................167
ID....................................................................................................168
Zones ..............................................................................................168
Addresses .......................................................................................168
Wildcard Addresses.........................................................................168
Services...........................................................................................169
Action .............................................................................................169
Application......................................................................................170
Name ..............................................................................................170
VPN Tunneling ................................................................................170
L2TP Tunneling ...............................................................................171
Deep Inspection ..............................................................................171
Placement at the Top of the Policy List ...........................................171
Session Limiting..............................................................................171
Source Address Translation.............................................................172
Destination Address Translation......................................................172
No Hardware Session ......................................................................172
User Authentication ........................................................................172
HA Session Backup .........................................................................174
Web Filtering ..................................................................................174
Logging ...........................................................................................175
Counting .........................................................................................175
Traffic Alarm Threshold ..................................................................175
Schedules........................................................................................175
Antivirus Scanning ..........................................................................175
Traffic Shaping................................................................................176
Policies Applied............................................................................................177
Viewing Policies.....................................................................................177
Searching Policies..................................................................................177
Creating Policies ....................................................................................178
Creating Interzone Policies: Mail Service ..........................................178
Creating an Interzone Policy Set .....................................................181
Creating Intrazone Policies..............................................................185
Creating a Global Policy ..................................................................187
Entering a Policy Context ......................................................................188
Multiple Items per Policy Component....................................................188
Setting Address Negation.......................................................................189
Modifying and Disabling Policies ...........................................................192
Policy Verification..................................................................................192
Reordering Policies................................................................................193
Removing a Policy .................................................................................194
Chapter 7
Traffic Shaping
195
System Parameters
219
Index..........................................................................................................................IX-I
Volume 3:
Administration
About This Volume
vii
Administration
ix
Initiating Connectivity Between NSM Agent and the MGT System ........... 27
Enabling, Disabling, and Unsetting NSM Agent........................................ 28
Setting the Primary Server IP Address of the Management System ......... 29
Setting Alarm and Statistics Reporting..................................................... 29
Configuration Synchronization ................................................................ 30
Example: Viewing the Configuration State ........................................ 31
Example: Retrieving the Configuration Hash..................................... 31
Retrieving the Configuration Timestamp ................................................. 31
Controlling Administrative Traffic .................................................................. 32
MGT and VLAN1 Interfaces...................................................................... 33
Example: Administration Through the MGT Interface .......................33
Example: Administration Through the VLAN1 Interface .................... 33
Setting Administrative Interface Options ................................................. 34
Setting Manage IPs for Multiple Interfaces ............................................... 35
Levels of Administration ................................................................................ 37
Root Administrator .................................................................................. 37
Role Attributes .................................................................................. 38
Read/Write Administrator........................................................................ 39
Read-Only Administrator......................................................................... 39
Virtual System Administrator................................................................... 39
Virtual System Read-Only Administrator ................................................. 40
Defining Admin Users .................................................................................... 40
Example: Adding a Read-Only Admin ..................................................... 40
Example: Modifying an Admin ................................................................ 40
Example: Deleting an Admin ................................................................... 41
Example: Configuring Admin Accounts for Dialup Connections............... 41
Example: Clearing an Admin's Sessions .................................................. 42
Securing Administrative Traffic ...................................................................... 42
Changing the Port Number ...................................................................... 43
Changing the Admin Login Name and Password ..................................... 44
Example: Changing an Admin User's Login Name and Password ..... 45
Example: Changing Your Own Password .......................................... 45
Setting the Minimum Length of the Root Admin Password ............... 46
Resetting the Device to the Factory Default Settings................................ 46
Restricting Administrative Access ............................................................ 47
Example: Restricting Administration to a Single Workstation............ 47
Example: Restricting Administration to a Subnet .............................. 47
Restricting the Root Admin to Console Access .................................. 47
Monitoring Admin Access.................................................................. 48
VPN Tunnels for Administrative Traffic....................................................49
Administration Through a Route-Based Manual Key VPN Tunnel ...... 50
Administration Through a Policy-Based Manual Key VPN Tunnel...... 53
Password Policy ............................................................................................. 57
Setting a Password Policy ........................................................................ 57
Removing a Password Policy ................................................................... 58
Viewing a Password Policy ...................................................................... 58
Recovering from a Rejected Default Admin Password ............................. 58
Creating a Login Banner................................................................................. 59
Chapter 2
61
Volume 4:
Attack Detection and Defense Mechanisms
About This Volume
ix
Document Conventions.................................................................................... x
Web User Interface Conventions .............................................................. x
Command Line Interface Conventions ...................................................... x
Naming Conventions and Character Types .............................................. xi
Protecting a Network
Stages of an Attack........................................................................................... 2
Detection and Defense Mechanisms ................................................................ 2
Exploit Monitoring ........................................................................................... 5
Example: Monitoring Attacks from the Untrust Zone................................. 5
Chapter 2
Reconnaissance Deterrence
29
Chapter 4
59
Fragment Reassembly.................................................................................... 60
Malicious URL Protection......................................................................... 60
Application Layer Gateway ...................................................................... 61
Example: Blocking Malicious URLs in Packet Fragments ................... 62
Antivirus Scanning ......................................................................................... 64
External AV Scanning .............................................................................. 64
Scanning Modes................................................................................ 65
Load-Balancing ICAP Scan Servers ....................................................65
Internal AV Scanning ............................................................................... 66
AV Scanning of IM Traffic ........................................................................ 67
IM Clients.......................................................................................... 67
IM Server .......................................................................................... 68
IM Protocols ...................................................................................... 69
Instant Messaging Security Issues ..................................................... 69
IM Security Issues ............................................................................. 69
Scanning Chat Messages ................................................................... 70
Scanning File Transfers ..................................................................... 70
AV Scanning Results ................................................................................ 71
Policy-Based AV Scanning ....................................................................... 72
Scanning Application Protocols................................................................ 73
Scanning FTP Traffic ......................................................................... 74
Scanning HTTP Traffic ...................................................................... 75
Scanning IMAP and POP3 Traffic ...................................................... 77
Scanning SMTP Traffic ...................................................................... 79
Redirecting Traffic to ICAP AV Scan Servers...................................... 81
Updating the AV Pattern Files for the Embedded Scanner .......................82
Subscribing to the AV Signature Service ............................................ 82
Updating AV Patterns from a Server.................................................. 83
Updating AV Patterns from a Proxy Server ....................................... 85
AV Scanner Global Settings...................................................................... 85
AV Resource Allotment ..................................................................... 85
Fail-Mode Behavior ........................................................................... 86
AV Warning Message ........................................................................ 86
AV Notify Mail................................................................................... 87
Maximum Content Size and Maximum Messages (Internal AV Only) 87
HTTP Keep-Alive ............................................................................... 88
HTTP Trickling (Internal AV Only) ..................................................... 89
AV Profiles............................................................................................... 90
Assigning an AV Profile to a Firewall Policy....................................... 91
Initiating an AV Profile for Internal AV .............................................. 92
Example: (Internal AV) Scanning for All Traffic Types .......................92
Example: AV Scanning for SMTP and HTTP Traffic Only................... 92
AV Profile Settings............................................................................. 93
Antispam Filtering.......................................................................................... 98
Blacklists and Whitelists .......................................................................... 98
Basic Configuration.................................................................................. 99
Filtering Spam Traffic........................................................................ 99
Dropping Spam Messages .................................................................99
Defining a Blacklist ................................................................................100
Defining a Whitelist ...............................................................................100
Defining a Default Action.......................................................................101
Enabling a Spam-Blocking List Server ....................................................101
Testing Antispam...................................................................................101
Web Filtering ...............................................................................................102
Using the CLI to Initiate Web-Filtering Modes ........................................102
Integrated Web Filtering ........................................................................103
SurfControl Servers .........................................................................104
Web-Filtering Cache........................................................................104
Configuring Integrated Web Filtering ..............................................105
Example: Integrated Web Filtering..................................................110
Redirect Web Filtering ...........................................................................112
Virtual System Support....................................................................113
Configuring Redirect Web Filtering .................................................114
Example: Redirect Web Filtering.....................................................117
Chapter 5
Deep Inspection
121
Overview .....................................................................................................122
Attack Object Database Server .....................................................................126
Predefined Signature Packs ...................................................................126
Updating Signature Packs ......................................................................127
Before You Start Updating Attack Objects .......................................128
Immediate Update ..........................................................................128
Automatic Update ...........................................................................129
Automatic Notification and Immediate Update ...............................130
Manual Update................................................................................131
Updating DI Patterns from a Proxy Server ......................................133
Attack Objects and Groups ...........................................................................134
Supported Protocols ..............................................................................135
Stateful Signatures .................................................................................137
TCP Stream Signatures ..........................................................................138
Protocol Anomalies................................................................................139
Attack Object Groups.............................................................................139
Changing Severity Levels.................................................................140
Disabling Attack Objects........................................................................141
Attack Actions..............................................................................................142
Example: Attack Actions: Close Server, Close, Close Client ............143
Brute Force Attack Actions ....................................................................150
Brute Force Attack Objects..............................................................151
Brute Force Attack Target................................................................151
Brute Force Attack Timeout.............................................................151
Example 1.......................................................................................152
Example 2.......................................................................................152
Example 3.......................................................................................153
Attack Logging .............................................................................................153
Example: Disabling Logging per Attack Group.................................153
Mapping Custom Services to Applications ....................................................155
Example: Mapping an Application to a Custom Service...................156
Example: Application-to-Service Mapping for HTTP Attacks ............158
Customized Attack Objects and Groups........................................................159
User-Defined Stateful Signature Attack Objects......................................159
Regular Expressions........................................................................160
Example: User-Defined Stateful Signature Attack Objects ...............161
TCP Stream Signature Attack Objects ....................................................163
Example: User-Defined Stream Signature Attack Object..................164
Configurable Protocol Anomaly Parameters ..........................................165
Example: Modifying Parameters .....................................................165
Negation ......................................................................................................166
Example: Attack Object Negation....................................................166
Granular Blocking of HTTP Components ......................................................171
ActiveX Controls....................................................................................172
Java Applets...........................................................................................172
EXE Files ...............................................................................................172
ZIP Files.................................................................................................172
Example: Blocking Java Applets and .exe Files................................173
Chapter 6
175
Enabling IDP..........................................................................................233
Example: Configuring a Firewall Rule for Standalone IDP ...............234
Configuring Role-Based Administration .................................................234
Example: Configuring an IDP-Only Administrator ...........................235
Managing IDP ..............................................................................................236
About Attack Database Updates.............................................................236
Downloading Attack Database Updates .................................................236
Using Updated Attack Objects .........................................................237
Updating the IDP Engine.................................................................237
Viewing IDP Logs...................................................................................239
ISG-IDP Devices ...........................................................................................240
Compiling a Policy.................................................................................240
Policy Size Multiplier .......................................................................240
Unloading Existing Policies .............................................................241
Chapter 7
243
A-I
Index..........................................................................................................................IX-I
Volume 5:
Virtual Private Networks
About This Volume
vii
AutoKey IKE........................................................................................ 7
Key Protection .................................................................................... 8
Security Associations ................................................................................. 8
Tunnel Negotiation........................................................................................... 9
Phase 1...................................................................................................... 9
Main and Aggressive Modes .............................................................. 10
Diffie-Hellman Exchange................................................................... 11
Phase 2.................................................................................................... 11
Perfect Forward Secrecy ................................................................... 12
Replay Protection.............................................................................. 12
IKE and IPsec Packets .................................................................................... 13
IKE Packets ............................................................................................. 13
IPsec Packets........................................................................................... 16
IKE Version 2........................................................................................... 18
Initial Exchanges............................................................................... 18
CREATE_CHILD_SA Exchange .......................................................... 20
Informational Exchanges .................................................................. 20
Enabling IKEv2 on a Security Device ....................................................... 20
Example: Configuring an IKEv2 Gateway .......................................... 21
Authentication Using Extensible Authentication Protocol .................. 25
IKEv2 EAP Passthrough ........................................................................... 26
Example............................................................................................ 26
Chapter 2 ......................................................................................................... 29
Table of Contents
Dialup ..........................................................................................................174
Policy-Based Dialup VPN, AutoKey IKE..................................................174
Route-Based Dialup VPN, Dynamic Peer................................................180
Policy-Based Dialup VPN, Dynamic Peer ...............................................187
Bidirectional Policies for Dialup VPN Users............................................192
Group IKE ID................................................................................................197
Group IKE ID with Certificates ...............................................................197
Wildcard and Container ASN1-DN IKE ID Types....................................199
Creating a Group IKE ID (Certificates) ....................................................201
Setting a Group IKE ID with Preshared Keys..........................................206
Shared IKE ID ..............................................................................................212
Chapter 6 ........................................................................................................219
Chapter 7 ........................................................................................................247
NAT-Traversal ..............................................................................................248
Probing for NAT.....................................................................................249
Traversing a NAT Device .......................................................................251
UDP Checksum......................................................................................253
Keepalive Packets..................................................................................253
Initiator/Responder Symmetry ..............................................................253
Enabling NAT-Traversal .........................................................................255
Using IKE IDs with NAT-Traversal..........................................................256
VPN Monitoring ...........................................................................................258
Rekey and Optimization Options...........................................................259
Source Interface and Destination Address .............................................260
Policy Considerations ............................................................................261
Configuring the VPN Monitoring Feature ...............................................261
SNMP VPN Monitoring Objects and Traps .............................................269
Multiple Tunnels per Tunnel Interface ..........................................................271
Route-to-Tunnel Mapping ......................................................................271
Remote Peers' Addresses ......................................................................273
Manual and Automatic Table Entries .....................................................274
Manual Table Entries.......................................................................274
Automatic Table Entries ..................................................................274
Setting VPNs on a Tunnel Interface to Overlapping Subnets............276
Binding Automatic Route and NHTB Table Entries ..........................294
Using OSPF for Automatic Route Table Entries ...............................306
Redundant VPN Gateways............................................................................307
VPN Groups ...........................................................................................308
Monitoring Mechanisms ........................................................................309
IKE Heartbeats ................................................................................310
Dead Peer Detection .......................................................................310
IKE Recovery Procedure..................................................................311
TCP SYN-Flag Checking .........................................................................313
Creating Redundant VPN Gateways.................................................314
Creating Back-to-Back VPNs .........................................................................320
Creating Hub-and-Spoke VPNs .....................................................................327
Chapter 8 ........................................................................................................337
Overview .....................................................................................................337
How It Works...............................................................................................337
NHRP Messages.....................................................................................338
AC-VPN Tunnel Initiation .......................................................................339
Configuring AC-VPN ..............................................................................340
Network Address Translation ..........................................................340
Configuration on the Hub................................................................340
Configuration on Each Spoke ..........................................................341
Example ................................................................................................342
Index..........................................................................................................................IX-I
Volume 6:
Voice-over-Internet Protocol
About This Volume ........................................................................................... vii
Overview ......................................................................................................... 1
Alternate Gatekeeper ....................................................................................... 2
Examples ......................................................................................................... 2
Example: Gatekeeper in the Trust Zone ..................................................... 2
Example: Gatekeeper in the Untrust Zone ................................................. 4
Example: Outgoing Calls with NAT ............................................................ 5
Example: Incoming Calls with NAT............................................................ 8
Example: Gatekeeper in the Untrust Zone with NAT................................ 10
Chapter 2 ......................................................................................................... 15
Overview ....................................................................................................... 15
SIP Request Methods ............................................................................... 16
Classes of SIP Responses ......................................................................... 18
SIP Application Layer Gateway ................................................................ 19
Session Description Protocol Sessions ..................................................... 20
Pinhole Creation ...................................................................................... 21
Session Inactivity Timeout....................................................................... 22
SIP Attack Protection ............................................................................... 23
Example: SIP Protect Deny ............................................................... 23
Example: Signaling-Inactivity and Media-Inactivity Timeouts ............ 24
Example: UDP Flooding Protection ................................................... 24
Example: SIP Connection Maximum ................................................. 25
SIP with Network Address Translation ........................................................... 25
Outgoing Calls ......................................................................................... 26
Incoming Calls......................................................................................... 26
Forwarded Calls....................................................................................... 27
Call Termination ...................................................................................... 27
Call Re-INVITE Messages ......................................................................... 27
Call Session Timers.................................................................................. 27
Call Cancellation ...................................................................................... 27
Forking .................................................................................................... 28
SIP Messages ........................................................................................... 28
SIP Headers ............................................................................................. 28
SIP Body.................................................................................................. 30
SIP NAT Scenario..................................................................................... 30
Examples ....................................................................................................... 32
Incoming SIP Call Support Using the SIP Registrar................................... 33
Example: Incoming Call (Interface DIP)............................................. 34
Example: Incoming Call (DIP Pool)....................................................37
Example: Incoming Call with MIP ..................................................... 39
Example: Proxy in the Private Zone .................................................. 41
Example: Proxy in the Public Zone ................................................... 44
Example: Three-Zone, Proxy in the DMZ .......................................... 46
Example: Untrust Intrazone .............................................................. 49
Example: Trust Intrazone.................................................................. 53
Example: Full-Mesh VPN for SIP........................................................ 55
Bandwidth Management for VoIP Services .............................................. 64
Chapter 3 ......................................................................................................... 67
Overview ....................................................................................................... 67
MGCP Security ............................................................................................... 68
About MGCP................................................................................................... 68
Entities in MGCP...................................................................................... 68
Endpoint ........................................................................................... 69
Connection ....................................................................................... 69
Call.................................................................................................... 69
Call Agent ......................................................................................... 69
Commands..............................................................................................70
Response Codes ...................................................................................... 72
Examples ....................................................................................................... 73
Media Gateway in Subscribers' Homes, Call Agent at the ISP ............... 73
ISP-Hosted Service................................................................................... 76
Chapter 4 ......................................................................................................... 81
Overview ....................................................................................................... 81
SCCP Security ................................................................................................ 82
About SCCP.................................................................................................... 83
SCCP Components................................................................................... 83
SCCP Client ....................................................................................... 83
Call Manager ..................................................................................... 83
Cluster ..............................................................................................83
SCCP Transactions................................................................................... 84
Client Initialization ............................................................................ 84
Client Registration............................................................................. 84
Call Setup.......................................................................................... 85
Media Setup ...................................................................................... 85
SCCP Control Messages and RTP Flow..................................................... 86
SCCP Messages........................................................................................ 87
Examples ....................................................................................................... 87
Example: Call Manager/TFTP Server in the Trust Zone...................... 88
Example: Call Manager/TFTP Server in the Untrust Zone .................. 90
Example: Three-Zone, Call Manager/TFTP Server in the DMZ ........... 92
Example: Intrazone, Call Manager/TFTP Server in Trust Zone ........... 95
Example: Intrazone, Call Manager/TFTP Server in Untrust Zone ....... 99
Example: Full-Mesh VPN for SCCP ..................................................101
Chapter 5 ........................................................................................................111
Overview .....................................................................................................111
Volume 7:
Routing
About This Volume ............................................................................................ ix
Document Conventions.................................................................................... x
Web User Interface Conventions .............................................................. x
Command Line Interface Conventions ...................................................... x
Naming Conventions and Character Types .............................................. xi
Illustration Conventions .......................................................................... xii
Requesting Technical Support ........................................................................ xii
Self-Help Online Tools and Resources..................................................... xiii
Opening a Case with JTAC ...................................................................... xiii
Document Feedback ..................................................................................... xiii
Chapter 1
Static Routing
Overview ......................................................................................................... 2
How Static Routing Works ......................................................................... 2
When to Configure Static Routes ............................................................... 3
Configuring Static Routes........................................................................... 5
Setting Static Routes ........................................................................... 5
Setting a Static Route for a Tunnel Interface ....................................... 9
Adding Descriptions to Static Routes................................................. 10
Enabling Gateway Tracking ..................................................................... 11
Forwarding Traffic to the Null Interface ......................................................... 11
Preventing Route Lookup in Other Routing Tables .................................. 12
Preventing Tunnel Traffic from Being Sent on Non-Tunnel Interfaces...... 12
Preventing Loops Created by Summarized Routes................................... 12
Permanently Active Routes ............................................................................ 13
Changing Routing Preference with Equal Cost Multipath................................ 13
Chapter 2 Routing ............................................................................................. 15
Overview ....................................................................................................... 16
Virtual Router Routing Tables......................................................................... 17
Destination-Based Routing Table ............................................................. 18
Source-Based Routing Table .................................................................... 19
Source Interface-Based Routing Table...................................................... 21
Creating and Modifying Virtual Routers.......................................................... 23
Modifying Virtual Routers ........................................................................ 23
Assigning a Virtual Router ID ................................................................... 24
Forwarding Traffic Between Virtual Routers ............................................ 25
Configuring Two Virtual Routers .............................................................. 26
Creating and Deleting Virtual Routers...................................................... 27
Creating a Custom Virtual Router ...................................................... 28
Deleting a Custom Virtual Router ...................................................... 28
Overview ....................................................................................................... 48
Areas ....................................................................................................... 48
Router Classification ................................................................................ 49
Hello Protocol .......................................................................................... 49
Network Types ........................................................................................ 50
Broadcast Networks .......................................................................... 50
Point-to-Point Networks .................................................................... 50
Point-to-Multipoint Networks ............................................................ 50
Link-State Advertisements ....................................................................... 51
Basic OSPF Configuration .............................................................................. 51
Creating and Removing an OSPF Routing Instance ................................. 52
Creating an OSPF Instance................................................................ 52
Removing an OSPF Instance ............................................................. 53
Creating and Deleting an OSPF Area ....................................................... 53
Creating an OSPF Area...................................................................... 54
Deleting an OSPF Area...................................................................... 54
Assigning Interfaces to an OSPF Area ...................................................... 55
Assigning Interfaces to Areas ............................................................ 55
Configuring an Area Range ............................................................... 55
Enabling OSPF on Interfaces ................................................................... 56
Enabling OSPF on Interfaces............................................................. 56
Disabling OSPF on an Interface......................................................... 56
Verifying the Configuration...................................................................... 57
Redistributing Routes into Routing Protocols ................................................. 58
Summarizing Redistributed Routes ................................................................ 59
Summarizing Redistributed Routes.......................................................... 59
Global OSPF Parameters ................................................................................ 60
Advertising the Default Route .................................................................. 61
Virtual Links ............................................................................................ 61
Creating a Virtual Link....................................................................... 62
Creating an Automatic Virtual Link....................................................63
Setting OSPF Interface Parameters ................................................................ 64
Security Configuration.................................................................................... 66
Authenticating Neighbors ........................................................................ 66
Configuring a Clear-Text Password....................................................66
Configuring an MD5 Password .......................................................... 66
Configuring an OSPF Neighbor List.......................................................... 67
Rejecting Default Routes.......................................................................... 68
Protecting Against Flooding ..................................................................... 68
Configuring the Hello Threshold........................................................ 68
Configuring the LSA Threshold .......................................................... 69
Enabling Reduced Flooding............................................................... 69
Creating an OSPF Demand Circuit on a Tunnel Interface ............................... 69
Point-to-Multipoint Tunnel Interface............................................................... 70
Setting the OSPF Link-Type ..................................................................... 70
Disabling the Route-Deny Restriction ...................................................... 71
Creating a Point-to-Multipoint Network....................................................71
Chapter 4 ......................................................................................................... 75
Overview ....................................................................................................... 76
Basic RIP Configuration.................................................................................. 77
Creating and Deleting a RIP Instance....................................................... 77
Creating a RIP Instance ..................................................................... 78
Deleting a RIP Instance ..................................................................... 78
Enabling and Disabling RIP on Interfaces ................................................ 78
Enabling RIP on an Interface............................................................. 79
Disabling RIP on an Interface............................................................ 79
Redistributing Routes .............................................................................. 79
Viewing RIP Information................................................................................ 80
Viewing the RIP Database........................................................................ 80
Viewing RIP Details ................................................................................. 81
Viewing RIP Neighbor Information .......................................................... 82
Viewing RIP Details for a Specific Interface ............................................. 83
Global RIP Parameters ................................................................................... 84
Advertising the Default Route ........................................................................ 85
Configuring RIP Interface Parameters ............................................................ 86
Security Configuration.................................................................................... 87
Authenticating Neighbors by Setting a Password ..................................... 87
Configuring Trusted Neighbors ................................................................ 88
Rejecting Default Routes.......................................................................... 89
Protecting Against Flooding ..................................................................... 89
Configuring an Update Threshold...................................................... 90
Enabling RIP on Tunnel Interfaces ....................................................90
Optional RIP Configurations........................................................................... 91
Setting the RIP Version ............................................................................ 91
Enabling and Disabling a Prefix Summary............................................... 93
Enabling a Prefix Summary............................................................... 93
Disabling a Prefix Summary.............................................................. 94
Setting Alternate Routes .......................................................................... 94
Demand Circuits on Tunnel Interfaces..................................................... 95
Configuring a Static Neighbor .................................................................. 97
Configuring a Point-to-Multipoint Tunnel Interface......................................... 97
Chapter 5 ........................................................................................................103
Overview .....................................................................................................104
Policy-Based Routing ......................................................................................137
Multicast Routing ...........................................................................................155
Overview .....................................................................................................155
Multicast Addresses ...............................................................................156
Reverse Path Forwarding.......................................................................156
Multicast Routing on Security Devices..........................................................157
Multicast Routing Table .........................................................................157
Configuring a Static Multicast Route ......................................................158
Access Lists ...........................................................................................159
Configuring Generic Routing Encapsulation on Tunnel Interfaces ..........159
Multicast Policies..........................................................................................161
Chapter 8 ........................................................................................................163
Overview .....................................................................................................164
Hosts .....................................................................................................164
Multicast Routers ...................................................................................165
IGMP on Security Devices ............................................................................165
Enabling and Disabling IGMP on Interfaces ...........................................165
Enabling IGMP on an Interface........................................................165
Disabling IGMP on an Interface .......................................................166
Configuring an Access List for Accepted Groups ....................................166
Configuring IGMP ..................................................................................167
Verifying an IGMP Configuration ...........................................................169
IGMP Operational Parameters ...............................................................170
IGMP Proxy..................................................................................................171
Membership Reports Upstream to the Source........................................172
Configuring IGMP Proxy ........................................................................173
Configuring IGMP Proxy on an Interface................................................174
Multicast Policies for IGMP and IGMP Proxy Configurations ..................175
Creating a Multicast Group Policy for IGMP .....................................175
Creating an IGMP Proxy Configuration............................................176
Setting Up an IGMP Sender Proxy .........................................................182
Chapter 9 ........................................................................................................189
Overview .....................................................................................................190
PIM-SM ..................................................................................................192
Multicast Distribution Trees.............................................................192
Designated Router...........................................................................193
Mapping Rendezvous Points to Groups ...........................................193
Forwarding Traffic on the Distribution Tree ....................................194
PIM-SSM ................................................................................................196
Configuring PIM-SM on Security Devices......................................................196
Enabling and Deleting a PIM-SM Instance for a VR ................................197
Enabling a PIM-SM Instance ............................................................197
Deleting a PIM-SM Instance.............................................................197
Enabling and Disabling PIM-SM on Interfaces........................................197
Enabling PIM-SM on an Interface ....................................................198
Disabling PIM-SM on an Interface ...................................................198
Multicast Group Policies.........................................................................198
Static-RP-BSR Messages ..................................................................198
Join-Prune Messages .......................................................................199
Defining a Multicast Group Policy for PIM-SM .................................199
Setting a Basic PIM-SM Configuration...........................................................200
Verifying the Configuration ..........................................................................204
Configuring Rendezvous Points....................................................................206
Configuring a Static Rendezvous Point ..................................................206
Configuring a Candidate Rendezvous Point ...........................................207
Security Considerations................................................................................208
Restricting Multicast Groups ..................................................................208
Restricting Multicast Sources .................................................................209
Restricting Rendezvous Points...............................................................210
PIM-SM Interface Parameters.......................................................................211
Defining a Neighbor Policy ....................................................................211
Defining a Bootstrap Border ..................................................................212
Configuring a Proxy Rendezvous Point ........................................................212
PIM-SM and IGMPv3 ....................................................................................222
Chapter 10 ................................................................................................223
Overview .....................................................................................................223
Configuring ICMP Router Discovery Protocol ...............................................224
Enabling ICMP Router Discovery Protocol .............................................224
Configuring ICMP Router Discovery Protocol from the WebUI...............224
Configuring ICMP Router Discovery Protocol from the CLI ....................225
Advertising an Interface ..................................................................225
Broadcasting the Address................................................................225
Setting a Maximum Advertisement Interval ....................................225
Setting a Minimum Advertisement Interval .....................................225
Setting an Advertisement Lifetime Value.........................................226
Setting a Response Delay ................................................................226
Setting an Initial Advertisement Interval .........................................226
Setting a Number of Initial Advertisement Packets..........................226
Disabling IRDP .............................................................................................227
Viewing IRDP Settings..................................................................................227
Table of Contents
Index..........................................................................................................................IX-I
Volume 8:
Address Translation
About This Volume
Document Conventions................................................................................... vi
Web User Interface Conventions ............................................................. vi
Command Line Interface Conventions ..................................................... vi
Naming Conventions and Character Types ............................................. vii
Illustration Conventions ......................................................................... viii
Requesting Technical Support ....................................................................... viii
Self-Help Online Tools and Resources....................................................... ix
Opening a Case with JTAC ........................................................................ ix
Document Feedback ....................................................................................... ix
Chapter 1
Address Translation ....................................................................................... 13
Mapped IP Addresses..................................................................................... 63
MIP and the Global Zone ......................................................................... 64
Example: MIP on an Untrust Zone Interface...................................... 65
Example: Reaching a MIP from Different Zones................................ 67
Example: Adding a MIP to a Tunnel Interface ................................... 70
MIP-Same-as-Untrust ............................................................................... 70
Example: MIP on the Untrust Interface ............................................. 71
MIP and the Loopback Interface .............................................................. 73
Example: MIP for Two Tunnel Interfaces .......................................... 74
MIP Grouping .......................................................................................... 79
Example: MIP Grouping with Multi-Cell Policy................................... 79
Virtual IP Addresses ....................................................................................... 80
VIP and the Global Zone .......................................................................... 82
Example: Configuring Virtual IP Servers............................................ 82
Example: Editing a VIP Configuration ............................................... 84
Example: Removing a VIP Configuration........................................... 84
Example: VIP with Custom and Multiple-Port Services ...................... 85
Index..........................................................................................................................IX-I
Volume 9:
User Authentication
About This Volume ............................................................................................. vii
Authentication
Authentication Servers ..................................................................................... 13
Infranet Authentication ................................................................................... 43
Authentication Users ........................................................................................ 53
Overview ....................................................................................................... 96
Supported EAP Types..................................................................................... 96
Enabling and Disabling 802.1X Authentication .............................................. 97
Ethernet Interfaces .................................................................................. 97
Wireless Interfaces .................................................................................. 97
Configuring 802.1X Settings........................................................................... 98
Configuring 802.1X Port Control ............................................................. 98
Configuring 802.1X Control Mode ........................................................... 99
Setting the Maximum Number of Simultaneous Users............................. 99
Configuring the Reauthentication Period ...............................................100
Enabling EAP Retransmissions ..............................................................100
Configuring EAP Retransmission Count .................................................100
Configuring EAP Retransmission Period ................................................101
Configuring the Silent (Quiet) Period .....................................................101
Volume 10:
Virtual Systems
About This Volume
Document Conventions.................................................................................... v
Web User Interface Conventions .............................................................. v
Command Line Interface Conventions ..................................................... vi
Naming Conventions and Character Types .............................................. vi
Illustration Conventions ......................................................................... viii
Requesting Technical Support ....................................................................... viii
Self-Help Online Tools and Resources....................................................... ix
Opening a Case with JTAC ........................................................................ ix
Document Feedback ....................................................................................... ix
Chapter 1
Virtual Systems
Overview ......................................................................................................... 2
Vsys Objects .................................................................................................... 4
Creating a Virtual System Object and Admin ............................................. 4
Setting a Default Virtual Router for a Virtual System.................................. 6
Binding Zones to a Shared Virtual Router .................................................. 6
Defining Identical Names for Zones Across Vsys.............................................. 7
Logging In as a Virtual System Admin.............................................................. 8
Virtual System Profiles ..................................................................................... 9
Virtual System Session Counters.............................................................. 10
Virtual System Session Information ......................................................... 11
Behavior in High-Availability Pairs ........................................................... 11
Creating a Vsys Profile............................................................................. 11
Setting Resource Limits ........................................................................... 12
Adding Session Limits Through Virtual-System Profile Assignment.......... 13
Setting a Session Override ....................................................................... 14
Overriding a Session Limit Reached Alarm ....................................... 15
Deleting a Vsys Profile ............................................................................. 15
Traffic Sorting .................................................................................................... 33
Overview ....................................................................................................... 33
Sorting Traffic.......................................................................................... 33
Sorting Through Traffic............................................................................ 34
Dedicated and Shared Interfaces ............................................................. 39
Dedicated Interfaces ......................................................................... 39
Shared Interfaces .............................................................................. 39
Importing and Exporting Physical Interfaces.................................................. 41
Importing a Physical Interface to a Virtual System................................... 41
Exporting a Physical Interface from a Virtual System .............................. 42
Chapter 3 ........................................................................................................... 43
Overview ....................................................................................................... 43
VLANs...................................................................................................... 44
VLANs with Vsys...................................................................................... 44
VLANs with VSDs..................................................................................... 45
Example: Binding VLAN Group with VSD .......................................... 46
Configuring Layer 2 Virtual Systems .............................................................. 46
Example 1: Configuring a Single Port ................................................ 48
Example 2: Configuring Two 4-Port Aggregates with Separate Untrust
Zones ......................................................................................... 51
Example 3: Configuring Two 4-Port Aggregates that Share One
Untrusted Zone........................................................................... 58
Defining Subinterfaces and VLAN Tags .......................................................... 64
Communicating Between Virtual Systems...................................................... 67
VLAN Retagging ............................................................................................. 70
Configuring VLAN Retagging.................................................................... 71
Example............................................................................................ 72
Chapter 4 ........................................................................................................... 75
Overview ....................................................................................................... 75
Managing Inter-Vsys Traffic with a Shared DMZ Zone .................................... 76
Example............................................................................................ 77
Designating an IP Range to the Root System ................................................. 77
Configuring IP-Based Traffic Classification ..................................................... 78
Index..........................................................................................................................IX-I
Volume 11:
High Availability
About This Volume
Document Conventions................................................................................... vi
Web User Interface Conventions ............................................................. vi
Command Line Interface Conventions ..................................................... vi
Naming Conventions and Character Types ............................................. vii
Illustration Conventions ......................................................................... viii
Requesting Technical Support ....................................................................... viii
Self-Help Online Tools and Resources....................................................... ix
Opening a Case with JTAC ........................................................................ ix
Document Feedback ....................................................................................... ix
Chapter 1
Index..........................................................................................................................IX-I
Volume 12:
WAN, DSL, Dial, and Wireless
About This Volume .............................................................................................. ix
Document Conventions.................................................................................... x
Web User Interface Conventions .............................................................. x
Command Line Interface Conventions ...................................................... x
Naming Conventions and Character Types .............................................. xi
Illustration Conventions .......................................................................... xii
Requesting Technical Support ........................................................................ xii
Self-Help Online Tools and Resources..................................................... xiii
Opening a Case with JTAC ...................................................................... xiii
Document Feedback ..................................................................................... xiii
Chapter 1
Chapter 3 .........................................................................................................117
Overview .....................................................................................................124
Wireless Product Interface Naming Differences.....................................125
Basic Wireless Network Feature Configuration.............................................125
Creating a Service Set Identifier.............................................................125
Suppressing SSID Broadcast............................................................126
Isolating a Client .............................................................................126
Setting the Operation Mode for a 2.4 GHz Radio Transceiver ................127
Setting the Operation Mode for a 5GHz Radio Transceiver ....................127
Configuring Minimum Data Transmit Rate ............................................128
Configuring Transmit Power..................................................................129
Reactivating a WLAN Configuration.......................................................129
Configuring Authentication and Encryption for SSIDs ..................................130
Configuring Wired Equivalent Privacy ...................................................130
Multiple WEP Keys..........................................................................131
Configuring Open Authentication ....................................................132
Configuring WEP Shared-Key Authentication ..................................134
Configuring Wi-Fi Protected Access .......................................................135
Configuring 802.1X Authentication for WPA and WPA2 .................136
Configuring Preshared Key Authentication for WPA and WPA2 ......136
Specifying Antenna Use ...............................................................................137
Setting the Country Code, Channel, and Frequency .....................................138
Using Extended Channels ............................................................................138
Performing a Site Survey..............................................................................139
Locating Available Channels.........................................................................139
Setting an Access Control List Entry .............................................................140
Configuring Super G .....................................................................................140
Configuring Atheros XR (Extended Range) ...................................................141
Configuring Wi-Fi Multimedia Quality of Service ..........................................142
Enabling WMM ......................................................................................142
Configuring WMM Quality of Service .....................................................142
Access Categories............................................................................143
WMM Default Settings.....................................................................143
Example..........................................................................................145
Configuring Advanced Wireless Parameters.................................................146
Configuring Aging Interval .....................................................................146
Configuring Beacon Interval ..................................................................147
Configuring Delivery Traffic Indication Message Period .........................148
Configuring Burst Threshold ..................................................................148
Configuring Fragment Threshold ...........................................................148
Configuring Request to Send Threshold .................................................149
Configuring Clear to Send Mode ............................................................149
Configuring Clear to Send Rate ..............................................................150
Configuring Clear to Send Type .............................................................150
Configuring Slot Time ............................................................................151
Configuring Preamble Length ................................................................151
Working with Wireless Interfaces.................................................................152
Binding an SSID to a Wireless Interface.................................................152
Wireless Information ......................................................................................... A-I
Volume 13:
General Packet Radio Service
About This Volume
Document Conventions.................................................................................... v
Web User Interface Conventions .............................................................. v
Command Line Interface Conventions ..................................................... vi
Naming Conventions and Character Types .............................................. vi
Illustration Conventions ......................................................................... viii
Requesting Technical Support ....................................................................... viii
Self-Help Online Tools and Resources....................................................... ix
Opening a Case with JTAC ........................................................................ ix
Document Feedback ....................................................................................... ix
Chapter 1
GPRS
Volume 14:
Dual-Stack Architecture with IPv6
About This Volume .............................................................................................. ix
Document Audience......................................................................................... x
Document Conventions.................................................................................... x
Web User Interface Conventions .............................................................. x
Command Line Interface Conventions ...................................................... x
Naming Conventions and Character Types .............................................. xi
Illustration Conventions .......................................................................... xii
Requesting Technical Support ........................................................................ xii
Self-Help Online Tools and Resources..................................................... xiii
Opening a Case with JTAC ...................................................................... xiii
Document Feedback ..................................................................................... xiii
Chapter 1
Overview ......................................................................................................... 2
IPv6 Addressing ............................................................................................... 2
Notation .................................................................................................... 2
Prefixes ..................................................................................................... 3
Address Types ........................................................................................... 3
Unicast Addresses ............................................................................... 3
Anycast Addresses .............................................................................. 4
Multicast Addresses............................................................................. 4
IPv6 Headers.................................................................................................... 4
Basic Header ............................................................................................. 4
Extension Headers..................................................................................... 5
IPv6 Packet Handling ....................................................................................... 6
IPv6 Router and Host Modes............................................................................ 7
IPv6 Tunneling Guidelines................................................................................ 8
Chapter 2
IPv6 Configuration
Overview ....................................................................................................... 10
Address Autoconfiguration ...................................................................... 10
Extended Unique Identifier ............................................................... 10
Router Advertisement Messages ....................................................... 11
Router Solicitation Messages ............................................................. 11
Prefix Lists ........................................................................................ 11
Neighbor Discovery ................................................................................. 12
Neighbor Cache Table ....................................................................... 12
Neighbor Unreachability Detection ................................................... 13
Neighbor Entry Categories ................................................................ 13
Neighbor Reachability States............................................................. 13
How Reachability State Transitions Occur......................................... 15
Enabling an IPv6 Environment ...................................................................... 17
Enabling IPv6 at the Device Level............................................................ 17
Disabling IPv6 at the Device Level ........................................................... 18
Configuring an IPv6 Host ............................................................................... 18
Binding the IPv6 Interface to a Zone........................................................ 19
Enabling IPv6 Host Mode ........................................................................ 19
Setting an Interface Identifier .................................................................. 19
Configuring Address Autoconfiguration ................................................... 20
Configuring Neighbor Discovery .............................................................. 20
Configuring an IPv6 Router ............................................................................ 20
Binding the IPv6 Interface to a Zone........................................................ 21
Enabling IPv6 Router Mode ..................................................................... 21
Setting an Interface Identifier .................................................................. 21
Setting Address Autoconfiguration........................................................... 22
Overview ....................................................................................................... 36
Dynamic Host Configuration Protocol Version 6 ............................................ 36
Device-Unique Identification.................................................................... 36
Identity Association Prefix Delegation-Identification................................ 37
Prefix Features ........................................................................................ 37
Server Preference .................................................................................... 38
Configuring a DHCPv6 Server.................................................................. 38
Configuring a DHCPv6 Client................................................................... 40
Configuring DHCPv6 Relay Agent ............................................................ 41
Setting up a DHCPv6 relay agent ...................................................... 42
Relay Agent Behavior .............................................................................. 42
Viewing DHCPv6 Settings ........................................................................ 44
Configuring Domain Name System Servers....................................................45
Requesting DNS and DNS Search List Information .................................. 46
Setting Proxy DNS Address Splitting ........................................................ 47
Configuring PPPoE ......................................................................................... 49
Setting Fragmentation.................................................................................... 50
Chapter 4 ........................................................................................................... 53
Overview ....................................................................................................... 54
Address Translation ........................................................................................... 85
Overview ....................................................................................................... 86
Translating Source IP Addresses .............................................................. 87
DIP from IPv6 to IPv4 ....................................................................... 87
DIP from IPv4 to IPv6 ....................................................................... 87
Translating Destination IP Addresses....................................................... 88
MIP from IPv6 to IPv4....................................................................... 88
MIP from IPv4 to IPv6....................................................................... 89
Configuration Examples ................................................................................. 90
IPv6 Hosts to Multiple IPv4 Hosts ............................................................ 90
IPv6 Hosts to a Single IPv4 Host .............................................................. 92
IPv4 Hosts to Multiple IPv6 Hosts ............................................................ 94
IPv4 Hosts to a Single IPv6 Host .............................................................. 95
Translating Addresses for Domain Name System Servers........................ 97
Chapter 6 .........................................................................................................101
Overview .....................................................................................................102
Configuring Manual Tunneling .....................................................................103
Configuring 6to4 Tunneling..........................................................................106
6to4 Routers..........................................................................................106
6to4 Relay Routers ................................................................................107
Tunnels to Remote Native Hosts............................................................108
Tunnels to Remote 6to4 Hosts...............................................................111
Chapter 7
IPsec Tunneling ..............................................................................................115
Overview .....................................................................................................116
IPsec 6in6 Tunneling....................................................................................116
IPsec 4in6 Tunneling....................................................................................119
IPsec 6in4 Tunneling....................................................................................124
Manual Tunneling with Fragmentation Enabled ...........................................128
IPv6 to IPv6 Route-Based VPN Tunnel ...................................................129
IPv4 to IPv6 Route-Based VPN Tunnel ...................................................131
Chapter 8 .........................................................................................................135
Overview .....................................................................................................136
RADIUSv6..............................................................................................136
Single Client, Single Server..............................................................136
Multiple Clients, Single Server .........................................................136
Single Client, Multiple Servers .........................................................137
Multiple Hosts, Single Server ...........................................................137
IPsec Access Session Management ........................................................138
IPsec Access Session .......................................................................138
Enabling and Disabling IAS Functionality ........................................140
Releasing an IAS Session.................................................................140
Limiting IAS Settings .......................................................................140
Dead Peer Detection..............................................................................141
Configuration Examples ...............................................................................142
XAuth with RADIUS ...............................................................................142
RADIUS with XAuth Route-Based VPN...................................................143
RADIUS with XAuth and Domain Name Stripping .................................147
IP Pool Range Assignment.....................................................................151
RADIUS Retries......................................................................................157
Calling-Station-Id ...................................................................................157
IPsec Access Session..............................................................................158
Dead Peer Detection..............................................................................167
Appendix A
Switching ........................................................................................................... A-I
Index..........................................................................................................................IX-I
Content Security: Protects users from malicious URLs and provides embedded
antivirus scanning and Web filtering. In addition, works with third-party
products to provide external antivirus scanning, antispam, and Web filtering.
[Figure: a security device deployed between the LAN and the Internet, with the following callouts]
Redundancy: The backup device maintains identical configuration and sessions as those on the primary device to assume the place of the primary device if necessary. (Note: Interfaces, routing paths, power supplies, and fans can also be redundant.)
Dynamic Routing: The routing table automatically updates by communicating with dynamic routing peers.
Routing table shown in the figure:
Dst            Use
0.0.0.0/0      1.1.1.250
1.1.1.0/24     eth3
1.2.1.0/24     eth2
10.1.0.0/16    trust-vr
10.2.2.0/24    tunnel.1
10.3.3.0/24    tunnel.2
The ScreenOS system provides all the features needed to set up and manage any
security appliance or system. This document is a reference guide for configuring
and managing a Juniper Networks security device through ScreenOS.
Volume Organization
The Concepts & Examples ScreenOS Reference Guide is a multi-volume manual. The
following information outlines and summarizes the material in each volume:
Volume 1: Overview
Table of Contents contains a master table of contents for all volumes in the
manual.
Volume 2: Fundamentals
Chapter 2, Zones, explains security zones, tunnel zones, and function zones.
Chapter 5, Building Blocks for Policies, discusses the elements used for
creating policies and virtual private networks (VPNs): addresses (including VIP
addresses), services, and DIP pools. It also presents several example
configurations that support the H.323 protocol.
Chapter 7, Traffic Shaping, explains how you can prioritize services and
manage bandwidth at the interface and policy levels.
Volume 3: Administration
Volume 7: Routing
Chapter 1, Static Routing, describes the ScreenOS routing table, the basic
routing process on the security device, and how to configure static routes on
security devices.
Chapter 3, Open Shortest Path First, describes how to configure the OSPF
dynamic routing protocol on security devices.
Chapter 5, IKE, XAuth, and L2TP Users, explains how to define IKE, XAuth,
and L2TP users. Although the XAuth section focuses primarily on using the
security device as an XAuth server, it also includes a subsection on configuring
select security devices to act as an XAuth client.
Chapter 3, ISP Failover and Dial Recovery, describes how to set priority and
define conditions for ISP failover and how to configure a dialup recovery
solution.
Chapter 4, Static and Dynamic Routing, explains how to set up static and
dynamic routing. This chapter explains ScreenOS support for Routing
Information Protocol-Next Generation (RIPng).
Appendix A, Switching, lists options for using the security device as a switch
to pass IPv6 traffic.
Document Conventions
This document uses the conventions described in the following sections:
To open Online Help for configuration settings, click the question mark (?) in the
upper left of the screen.
The navigation tree also provides a Help > Config Guide configuration page to help
you configure security policies and Internet Protocol Security (IPSec). Select an
option from the list, and follow the instructions on the page. Click the ? character in
the upper left for Online Help on the Config Guide.
If there is more than one choice, each choice is separated by a pipe ( | ). For
example, the following command means set the management options for the
ethernet1, the ethernet2, or the ethernet3 interface:
set interface { ethernet1 | ethernet2 | ethernet3 } manage
NOTE:
When entering a keyword, you only have to type enough letters to identify the
word uniquely. Typing set adm u whee j12fmt54 will enter the command set
admin user wheezer j12fmt54. However, all the commands documented in this
guide are presented in their entirety.
If a name string includes one or more spaces, the entire string must be
enclosed within double quotes; for example:
set address trust "local LAN" 10.1.1.0/24
Any leading spaces or trailing text within a set of double quotes are trimmed;
for example, " local LAN " becomes "local LAN".
NOTE:
A console connection only supports SBCS. The WebUI supports both SBCS and
MBCS, depending on the character sets that your browser supports.
Illustration Conventions
Figure 2 shows the basic set of images used in illustrations throughout this volume.
Figure 2: Images in Illustrations (image legend: Autonomous System or Virtual
Routing Domain; Internet; Policy Engine; Router; Juniper Networks Security
Devices; Switch; Hub)
Download the latest versions of software and review your release notes
http://www.juniper.net/customers/csc/software/
To verify service entitlement by product serial number, use our Serial Number
Entitlement (SNE) Tool
https://tools.juniper.net/SerialNumberEntitlementSearch/
Document Feedback
If you find any errors or omissions in this document, please contact Juniper
Networks at techpubs-comments@juniper.net.
Master Index
Numerics
3DES ............................................................................. 5-6
3DES encryption .................................................... 14-125
4in6 tunneling
basic setup ....................................................... 14-119
definition .......................................................... 14-119
6in4 tunneling ........................................................ 14-115
basic setup ....................................................... 14-124
over IPv4 WAN ................................................ 14-124
6over4 tunneling
addresses, handling ........................................ 14-103
definition .......................................................... 14-102
manual tunneling ............................................ 14-103
types ................................................................. 14-102
when to use ..................................................... 14-102
6to4
addresses .................................. 14-8, 14-106, 14-112
hosts ................................................................. 14-111
relay routers ........................................14-106, 14-107
routers .............................................................. 14-106
tunneling .............................................14-102, 14-106
tunneling, description ..................................... 14-106
A
AAL5
encapsulations ................................................... 12-74
multiplexing ....................................................... 12-82
Access Concentrator (AC) ....................................... 14-49
access control list
See ACL
access lists
for routes .............................................................. 7-42
IGMP ................................................................... 7-166
multicast routing ............................................... 7-159
PIM-SM ............................................................... 7-208
Access Point Name
See APN
access policies
See policies
ACL .......................................................................... 12-140
ActiveX controls, blocking ...................................... 4-172
address books
addresses
adding............................................................ 2-106
modifying ...................................................... 2-107
pre-policy.............................................................. 9-55
auth users, run-time
auth process ......................................................... 9-54
authentication ...................................................... 9-54
user groups, external .......................................... 9-62
user groups, local ................................................ 9-58
users, external ..................................................... 9-60
users, local ........................................................... 9-57
auth users, WebAuth ................................................. 9-55
user groups, external .......................................... 9-67
user groups, local ................................................ 9-66
with SSL (user groups, external) ........................ 9-69
authentication .............................14-116, 14-119, 14-142
algorithms ........................5-6, 5-63, 5-67, 5-70, 5-73
Allow Any ........................................................... 2-174
NSRP ................................................................... 11-31
NSRP-Lite ............................................................ 11-17
policies ................................................................ 2-172
prioritizing ............................................................ 9-32
users .................................................................... 2-173
Authentication and Encryption
Wi-Fi Protected Access
See WPA
Wireless Equivalent Privacy
See WEP
authentication and encryption
multiple WEP keys .......................................... 12-131
RADIUS server, using ...................................... 12-131
Authentication Header (AH) ....................................... 5-5
authentication servers
See auth servers
authentication users
See auth users
autoconfiguration
address autoconfiguration ................................ 14-10
router advertisement messages ...................... 14-11
stateless .............................................................. 14-10
AutoKey IKE VPN......................................3-49, 3-91, 5-7
AutoKey IKE VPN management ................................ 5-7
Autonomous System (AS) numbers....................... 7-109
AV objects, timeout .................................................... 4-93
AV scanning
AV resources per client ....................................... 4-85
content
size ................................................................... 4-88
decompression .................................................... 4-94
fail-mode .............................................................. 4-86
file extensions ...................................................... 4-94
FTP ........................................................................ 4-74
HTTP ..................................................................... 4-75
HTTP keep-alive ................................................... 4-88
HTTP trickling ...................................................... 4-89
IMAP ..................................................................... 4-77
message drop....................................................... 4-88
B
back store ................................................................. 3-106
backdoor rulebase
adding to Security Policy.................................. 4-211
overview ............................................................. 4-211
backdoor rules ...........................................4-211 to 4-215
configuring actions ........................................... 4-213
configuring Match columns ............................. 4-212
configuring operation ....................................... 4-213
configuring services .......................................... 4-213
configuring severity .......................................... 4-215
configuring source and destination ................ 4-213
configuring targets ............................................ 4-215
configuring zones .............................................. 4-212
bandwidth ................................................................ 2-176
guaranteed .................................. 2-176, 2-195, 2-201
managing ........................................................... 2-195
maximum ................................... 2-176, 2-195, 2-201
maximum, unlimited........................................ 2-196
priority
default ........................................................... 2-200
levels.............................................................. 2-200
queues ........................................................... 2-199
banners ....................................................................... 9-10
BGP
AS-path access list ............................................. 7-122
communities ...................................................... 7-130
confederations ................................................... 7-129
configurations, security .................................... 7-119
configurations, verifying .................................. 7-115
external .............................................................. 7-107
internal ............................................................... 7-107
IPv4 routes, advertising between IPv6 peers 7-118
IPv6 routes, advertising between IPv4 peers 7-118
load-balancing ..................................................... 7-38
message types ................................................... 7-106
neighbors, authenticating ................................ 7-119
neighbors, enabling address families ............. 7-117
neighbors, viewing advertised and received routes ...... 7-116
C
CA certificates ...................................................5-33, 5-36
cables, serial ............................................................... 3-23
call-answer-time, Apple iChat ALG ........................ 6-112
captive portal, configuring........................................ 9-48
C-bit parity mode..................................................... 12-13
Certificate Revocation List ...............................5-34, 5-45
loading .................................................................. 5-34
certificates .................................................................... 5-7
CA.................................................................5-33, 5-36
loading .................................................................. 5-39
loading CRL .......................................................... 5-34
local....................................................................... 5-36
requesting ............................................................ 5-37
revocation ...................................................5-36, 5-45
via email ............................................................... 5-36
Challenge Handshake Authentication Protocol .... 12-36
See CHAP
channels, finding available ................................... 12-139
CHAP ........................................ 5-222, 5-225, 9-87, 12-36
Chargen .................................................................... 4-135
CLI ........................................................ 3-12, 14-28, 14-30
set arp always-on-dest ...............................2-75, 2-78
set vip multi-port ................................................. 8-81
clock, system
See system clock
cluster names, NSRP ....................................11-13, 11-31
clusters ...........................................................11-13, 11-37
clusters, Unified Access Control .............................. 9-43
Coldstart Synchronization ...................................... 11-23
command line interface
See CLI
common names ......................................................... 9-30
CompactFlash ............................................................ 3-62
compatibility-mode option, T3 interfaces ............ 12-20
configuration
ADSL 2/2+ PIM ................................................. 12-82
full-mesh............................................................. 11-64
virtual circuits .................................................... 12-79
VPI/VCI pair........................................................ 12-79
configuration examples
6to4 host, tunneling to a ................................ 14-112
access lists and route maps ............................. 14-65
DNS server information, requesting ............... 14-46
IPv4 tunneling over IPv6 (autokey IKE) ....... 14-121
IPv6
requests to multiple IPv4 hosts .................. 14-91
to an IPv4 network over IPv4 ................... 14-117
tunneling over IPv4 (autokey IKE) ........... 14-125
manual tunneling ............................................ 14-104
native host, tunneling to ................................ 14-108
PPPoE instance, configuring ............................ 14-49
prefixes, delegating ................................14-38, 14-40
static route redistribution ................................. 14-65
configuration settings, browser requirements ......... 3-5
connection policy for Infranet Enforcer, configuring .... 9-46
D
Data Encryption Standard (DES)................................ 5-6
data messages ............................................................ 11-7
databases, local ............................................. 9-15 to 9-16
DDNS servers ........................................................... 2-222
DDO
servers ................................................................ 2-222
servers, setting up DDNS for ........................... 2-224
DDoS ........................................................................... 4-29
decompression ........................................................... 4-94
deep inspection (DI) ................................. 4-140 to 4-163
attack actions ...................................... 4-142 to 4-150
attack object database ....................... 4-126 to 4-133
attack object groups .......................................... 4-139
attack object negation....................................... 4-166
attack objects ..................................................... 4-123
changing severity .............................................. 4-140
context ..................................................................... 4-I
custom attack objects ....................................... 4-159
custom services .................................. 4-155 to 4-159
custom signatures .............................. 4-160 to 4-163
disabling attack objects .................................... 4-141
license keys ........................................................ 4-124
logging attack object groups ............................ 4-153
overview ............................................................. 4-122
pattern files, using ............................................. 4-124
protocol anomalies ............................................ 4-139
reenabling attack objects.................................. 4-141
regular expressions ............................ 4-160 to 4-161
signature packs .................................................. 4-126
stateful signatures ............................................. 4-137
stream signatures .............................................. 4-138
demand circuits, RIP ................................................. 7-95
denial of service
See DoS
E
EAP messages ............................................................ 5-26
Echo .......................................................................... 4-135
ECMP..................................................................7-38, 7-60
election support ....................................................... 11-65
email alert notification .....................................3-77, 3-84
Encapsulating Security Payload
See ESP
encapsulation .............................. 14-107, 14-115, 14-121
encryption .................................................14-116, 14-119
3DES ................................................................. 14-125
AES128 ............................................................. 14-125
algorithms .............................. 5-6, 5-63, 5-66 to 5-73
NSRP ................................................................... 11-31
NSRP-Lite ........................................................... 11-17
F
factory defaults, resetting devices to ...................... 3-46
fail-mode..................................................................... 4-86
failover ........................................................11-49 to 11-92
Active/Active ...................................................... 11-14
Active/Passive .................................................... 11-14
devices ................................................................ 11-64
dual Untrust interfaces ..........................11-53, 11-55
object monitoring .............................................. 11-58
virtual systems................................................... 11-64
VSD groups ........................................................ 11-63
fallback priorities, assigning ..................................... 9-32
file extensions, AV scanning .................................... 4-94
filter source route .................................................... 3-108
FIN scans .................................................................... 4-16
FIN without ACK flag................................................. 4-15
Finger ........................................................................ 4-135
floods
ICMP...................................................................... 4-52
session table......................................................... 4-30
SYN .................................................4-40 to 4-45, 4-50
UDP ....................................................................... 4-53
fragment reassembly ................................... 4-60 to 4-63
full-mesh configuration ........................................... 11-64
function zone interfaces ........................................... 2-38
HA ......................................................................... 2-38
management ........................................................ 2-38
G
G-ARP .......................................................................... 2-45
Gatekeeper Confirm (GCF) messages ........................ 6-2
Generic Routing Encapsulation (GRE) ................... 7-159
Gi interface ................................................................. 13-2
global unicast addresses ......................... 14-106, 14-124
global zones................................................................ 8-82
Gn interface ................................................................ 13-2
Gopher ...................................................................... 4-135
Gp interface ................................................................ 13-2
GPRS Tunneling Protocol (GTP)
See GTP
graphs, historical ..................................................... 2-175
group expressions ............................................ 9-5 to 9-9
operators ................................................................ 9-6
server support ...................................................... 9-14
users ........................................................................ 9-6
group IKE ID
certificates ........................................... 5-197 to 5-206
preshared keys ................................... 5-206 to 5-212
groups
addresses ............................................................ 2-107
services ............................................................... 2-141
VLAN ................................................................... 11-46
VSD ..................................................................... 11-46
GTP
Access Point Name (APN) filtering .................. 13-14
GTP-in-GTP packet filtering .............................. 13-13
IMSI prefix filtering ........................................... 13-16
inspection objects................................... 13-4 to 13-6
IP fragmentation................................................ 13-13
packet sanity check ............................................. 13-7
policy-based ......................................................... 13-4
protocol ................................................................ 13-2
standards .............................................................. 13-8
stateful inspection ............................................. 13-24
tunnel timeout ................................................... 13-25
GTP messages .......................................................... 13-10
length, filtering by ............................................... 13-8
rate, limiting by ................................................. 13-11
type, filtering by .................................................. 13-9
types ...................................................... 13-9 to 13-10
versions 0 and 1 ................................................ 13-10
GTP traffic
H
HA
See high availability
See also NSRP
hanging GTP tunnel................................................. 13-25
hardware sessions ................................................... 2-139
hash-based message authentication code ................ 5-6
hashing, Secure Hashing Algorithm (SHA) ......... 14-125
heartbeats
HA physical link .................................................. 11-7
RTO ....................................................................... 11-7
Help files ....................................................................... 3-5
high availability ..............................................13-4, 13-25
Active/Active ...................................................... 11-14
Active/Passive .................................................... 11-14
cabling ..................................................11-28 to 11-31
data link ............................................................... 11-8
DHCP .................................................................. 2-234
interfaces, virtual HA .......................................... 2-39
IP tracking .......................................................... 11-60
link probes ........................................................... 11-9
messages .............................................................. 11-7
virtual interfaces ............................................... 11-30
high availability interfaces
aggregate............................................................ 11-51
cabling network as HA links ............................ 11-30
redundant .......................................................... 11-50
high-watermark threshold ........................................ 4-33
historical graphs ...................................................... 2-175
HMAC ............................................................................ 5-6
host mode ...................................................14-49, 14-120
HTTP
blocking components .........................4-171 to 4-173
keep-alive ............................................................. 4-88
session timeout ................................................... 4-34
trickling ................................................................ 4-89
HTTP session ID .......................................................... 3-7
HyperText Transfer Protocol
See HTTP
I
iChat ALG.................................................................. 6-111
ICMP ......................................................................... 4-136
fragments ........................................................... 4-244
large packets ...................................................... 4-245
ICMP floods ................................................................ 4-52
ICMP services ........................................................... 2-127
interfaces
addressing ............................................................ 2-47
aggregate .................................................. 2-37, 11-51
binding to zone .................................................... 2-45
connections, monitoring .................................... 2-63
dedicated ................................................ 10-39, 10-75
default ................................................................... 2-49
DHCPv6 .............................................................. 14-35
DIP ...................................................................... 2-143
down, logically ..................................................... 2-61
down, physically .................................................. 2-61
dual routing tables ............................................. 14-54
extended............................................................. 5-152
function zone ....................................................... 2-38
Gi ........................................................................... 13-2
Gn .......................................................................... 13-2
Gp .......................................................................... 13-2
HA function zone................................................. 2-38
HA, dual ................................................................ 11-8
interface tables, viewing ..................................... 2-43
IP tracking (See IP tracking)
L3 security zones ................................................. 2-47
loopback ............................................................... 2-58
manageable .......................................................... 3-35
management options .......................................... 3-32
MGT ....................................................................... 2-38
MIP ........................................................................ 8-64
modifying ............................................................. 2-49
ND ....................................................................... 14-27
NDP ..................................................................... 14-28
NUD .................................................................... 14-27
null ........................................................................ 5-97
physical
exporting from vsys ..................................... 10-42
importing to vsys ......................................... 10-41
in security zones ............................................ 2-36
policy-based NAT tunnel .................................... 2-39
PPPoE ................................................................. 14-49
redundant ................................................. 2-37, 11-50
secondary IP addresses ...................................... 2-51
shared ..................................................... 10-39, 10-75
state changes ....................................................... 2-61
tunnel ..............................................2-39, 2-39 to 2-43
up, logically .......................................................... 2-61
up, physically ....................................................... 2-61
viewing interface tables ...................................... 2-43
VIP ......................................................................... 8-80
virtual HA ................................................. 2-39, 11-30
VLAN1 ................................................................... 2-83
VSI ......................................................................... 2-38
VSIs ..................................................................... 11-27
zones, unbinding from ....................................... 2-46
interfaces, enabling IGMP on ................................. 7-165
interfaces, monitoring .......................2-68 to 2-74, 11-32
J
Java applets, blocking ............................................. 4-172
K
keepalive
L
L2TP .................................................. 5-219 to 5-246, 13-3
access concentrator: See LAC
address assignments........................................... 9-91
bidirectional ....................................................... 5-222
compulsory configuration ................................ 5-219
decapsulation ..................................................... 5-223
default parameters ............................................ 5-225
encapsulation..................................................... 5-222
external auth server ............................................ 9-91
hello signal ..............................................5-230, 5-235
Keep Alive ...............................................5-230, 5-235
L2TP-only on Windows 2000 .......................... 5-221
local database ...................................................... 9-91
network server: See LNS
operational mode .............................................. 5-222
RADIUS server ................................................... 5-225
ScreenOS support ............................................. 5-221
SecurID server ................................................... 5-225
tunnel.................................................................. 5-227
user authentication ............................................. 9-91
voluntary configuration .................................... 5-219
Windows 2000 tunnel authentication .5-230, 5-235
L2TP policies ............................................................ 2-171
L2TP users .................................................................. 9-91
server support...................................................... 9-14
with XAuth ............................................................. 9-5
L2TP-over-IPsec .................................... 5-4, 5-227, 5-232
bidirectional ....................................................... 5-222
tunnel.................................................................. 5-227
LAC ............................................................................ 5-219
NetScreen-Remote 5.0...................................... 5-219
Windows 2000 .................................................. 5-219
land attacks ................................................................ 4-54
lawful interception .................................................. 13-34
Layer 2 Tunneling Protocol
See L2TP
LDAP ................................................... 4-136, 9-29 to 9-30
common name identifiers.................................. 9-30
distinguished names ........................................... 9-30
server ports .......................................................... 9-30
structure ............................................................... 9-29
user types supported .......................................... 9-30
license keys .............................................................. 2-252
advanced mode ................................................. 4-124
attack pattern update ....................................... 4-124
M
MAC addresses ..................................14-12, 14-20, 14-28
main mode ................................................................. 5-10
malicious URL protection ............................ 4-60 to 4-63
Manage IP ................................................................... 2-98
manage IP ................................................................... 3-35
Manage IP, VSD group 0 ........................................... 11-3
management client IP addresses ............................. 3-47
Management information base II
See MIB II
management methods
CLI ......................................................................... 3-12
console.................................................................. 3-23
SSL........................................................................... 3-8
Telnet .................................................................... 3-12
WebUI ..................................................................... 3-5
management options
N
NACN password for Infranet Enforcer connection
policy ........................................................................ 9-46
NAT
definition ................................................................ 8-1
IPsec and NAT ................................................... 5-248
NAT servers........................................................ 5-248
NAT-src with NAT-dst .............................8-50 to 8-61
NAT mode ................................ 2-95 to 2-100, 11-3, 13-4
interface settings ................................................. 2-98
traffic to Untrust zone................................2-81, 2-97
NAT vector error ...................................................... 3-108
NAT-dst ...........................................................8-28 to 8-61
address shifting ..................................................... 8-5
packet flow ...............................................8-29 to 8-31
port mapping ...................................... 8-4, 8-28, 8-47
route considerations ..................... 8-29, 8-32 to 8-34
unidirectional translation ............................8-6, 8-10
VPNs ................................................................... 5-152
with MIPs or VIPs .................................................. 8-3
NAT-dst, addresses
range to range ............................................8-10, 8-44
range to single IP..........................................8-9, 8-41
ranges ..................................................................... 8-4
shifting .........................................................8-28, 8-44
NAT-dst, single IP
with port mapping ................................................ 8-8
without port mapping ........................................... 8-9
NAT-dst, translation
one-to-many......................................................... 8-38
one-to-one ............................................................ 8-35
native hosts ...............................................14-106, 14-108
NAT-Protocol Translation ....................................... 2-128
NAT-PT ...........................................................2-128, 14-85
NAT-PT, IPsec, when to use ................................. 14-116
NAT-src ................................................... 8-1, 8-13 to 8-26
O
objects
attack objects ..................................................... 4-215
attack objects, creating custom ....................... 4-218
attack objects, protocol anomaly .................... 4-216
attack objects, signature ................................... 4-216
objects, monitoring ................................................. 11-58
OCSP (Online Certificate Status Protocol) .............. 5-45
client ..................................................................... 5-45
responder ............................................................. 5-45
Open Shortest Path First
See OSPF
operating systems, probing hosts for..........4-14 to 4-16
operational modes
NAT ....................................................................... 13-4
route ..................................................................... 13-3
transparent........................................................... 13-3
OSPF
broadcast networks............................................. 7-50
configuration steps.............................................. 7-51
ECMP support ...................................................... 7-60
flooding, protecting against ............................... 7-68
flooding, reduced LSA......................................... 7-69
global parameters ............................................... 7-60
hello protocol ....................................................... 7-49
interface parameters........................................... 7-64
interfaces, assigning to areas............................. 7-55
interfaces, tunnel ................................................ 7-70
link-state advertisements ................................... 7-48
link-type, setting .................................................. 7-70
load-balancing ..................................................... 7-38
LSA suppression .................................................. 7-69
neighbors, authenticating................................... 7-66
neighbors, filtering .............................................. 7-67
not so stubby area............................................... 7-49
point-to-multipoint .............................................. 7-70
point-to-point network........................................ 7-50
security configuration ......................................... 7-66
stub area............................................................... 7-49
virtual links .......................................................... 7-61
OSPF areas ................................................................. 7-48
defining................................................................. 7-53
interfaces, assigning to ....................................... 7-55
OSPF routers
adjacency ............................................................. 7-49
backup designated .............................................. 7-49
creating OSPF instance in VR ............................ 7-52
designated ............................................................ 7-49
types ..................................................................... 7-49
OSPF routes
default, rejecting .................................................. 7-68
redistributed, summarizing ................................ 7-59
redistributing........................................................ 7-58
route-deny restriction, disabling........................ 7-71
Overbilling attacks
description ......................................................... 13-26
prevention ........................................... 13-26 to 13-31
prevention, configuring .................................... 13-30
solutions ............................................................. 13-28
P
packet flow .................................................... 2-10 to 2-12
inbound VPN ........................................... 5-79 to 5-81
outbound VPN ..................................................... 5-79
policy-based VPN.................................... 5-81 to 5-82
route-based VPN ..................................... 5-76 to 5-81
packet flow, NAT-dst .................................... 8-29 to 8-31
packets ...................................................................... 3-108
address spoofing attack .................................... 3-106
collision................................................... 3-105, 3-106
denied ................................................................. 3-108
dropped .................................................. 3-107, 3-108
fragmented ......................................................... 3-108
incoming ............................................................ 3-105
Internet Control Message Protocol (ICMP) .... 3-104, 3-107
Q
QoS ............................................................................ 2-195
R
RA .............................................................................. 14-11
RADIUS ..................................... 3-44, 4-136, 9-19 to 9-22
auth server objects .............................................. 9-33
dictionary file ......................................................... 9-2
dictionary files ..................................................... 9-21
L2TP .................................................................... 5-225
object properties.................................................. 9-20
ports ...................................................................... 9-20
retry timeout ........................................................ 9-20
shared secret ........................................................ 9-20
RADIUSv6 ............................................................... 14-136
rate limiting, GTP-C messages ............................... 13-11
reachability states .................................................... 14-14
reachability states, transitions ............................... 14-15
reassembly, Apple iChat ALG ................................. 6-113
reconnaissance ............................................... 4-7 to 4-26
address sweep ....................................................... 4-8
FIN scans .............................................................. 4-16
IP options ............................................................. 4-11
port scan................................................................. 4-9
S
SA policy ................................................................... 3-108
SAs................................................................ 5-8, 5-9, 5-11
check in packet flow ........................................... 5-78
SCEP (Simple Certificate Enrollment Protocol) ...... 5-41
schedules .......................................................2-159, 2-175
SCP
enabling ................................................................ 3-22
example client command .................................. 3-22
SCREEN
address sweep ....................................................... 4-8
bad IP options, drop ......................................... 4-246
drop unknown MAC addresses.......................... 4-45
FIN with no ACK.................................................. 4-17
FIN without ACK flag, drop ................................ 4-15
ICMP
fragments, block .......................................... 4-244
ICMP floods .......................................................... 4-52
IP options ............................................................. 4-11
IP packet fragments, block .............................. 4-248
IP spoofing ...............................................4-20 to 4-25
land attacks .......................................................... 4-54
large ICMP packets, block ................................ 4-245
loose source route IP option, detect ................. 4-26
Ping of Death ....................................................... 4-55
port scan ................................................................ 4-9
source route IP option, deny ............................. 4-26
strict source route IP option, detect .................. 4-26
SYN and FIN flags set ......................................... 4-14
SYN floods ................................................4-40 to 4-45
SYN fragments, detect ...................................... 4-249
in vsys................................................................. 2-123
session ID ..................................................................... 3-7
session idle timeout .................................................. 9-18
session limits..................................................4-30 to 4-33
destination-based .......................................4-31, 4-32
source-based ...............................................4-30, 4-32
session table floods ..........................................4-19, 4-30
session timeout
HTTP ..................................................................... 4-34
session timeouts
TCP........................................................................ 4-33
UDP ....................................................................... 4-34
SHA-1 ............................................................................ 5-6
Shared DMZ Zone .................................................... 10-76
shared VRs ............................................................... 10-39
shared zones ............................................................ 10-39
signature packs, DI .................................................. 4-126
signatures
stateful ................................................................ 4-137
SIP
ALG ..............................................................6-19, 6-22
connection information ...................................... 6-20
defined ................................................................. 6-15
media announcements ....................................... 6-20
messages .............................................................. 6-16
multimedia sessions ........................................... 6-15
pinholes ................................................................ 6-19
request methods ................................................. 6-16
response codes .................................................... 6-18
RTCP ..................................................................... 6-20
RTP ....................................................................... 6-20
SDP ...........................................................6-19 to 6-20
signaling ............................................................... 6-19
SIP NAT
call setup .....................................................6-25, 6-30
defined ................................................................. 6-25
DIP pool, using a ................................................. 6-37
DIP, using incoming ........................................... 6-33
DIP, using interface ............................................ 6-34
incoming, with MIP ....................................6-37, 6-39
proxy in DMZ....................................................... 6-46
proxy in private zone ................................6-41, 6-88
proxy in public zone ........................................... 6-44
Trust intrazone .................................................... 6-53
untrust intrazone ........................................6-49, 6-95
VPN, using full-mesh................................6-55, 6-101
SIP timeouts
inactivity ............................................................... 6-22
media inactivity ..........................................6-23, 6-24
session inactivity ................................................. 6-22
signaling inactivity .....................................6-23, 6-24
site survey .............................................................. 12-139
Site-Local Aggregator (SLA) .........................14-37, 14-39
SKEYSEED .................................................................. 5-19
T
T3 interfaces
C-bit parity mode .............................................. 12-13
CSU compatibility ............................................. 12-20
TACACS+
auth server objects .............................................. 9-38
clients retries ....................................................... 9-32
clients timeout ..................................................... 9-32
object properties ................................................. 9-32
ports...................................................................... 9-32
retry timeout........................................................ 9-32
shared secret ....................................................... 9-32
tags, VLANs .................................................................. 2-3
TCP
packet without flags ............................................ 4-16
session timeouts.................................................. 4-33
stream signatures.............................................. 4-163
SYN flag checking ............................................. 5-313
TCP proxy................................................................. 3-108
teardrop attacks ......................................................... 4-56
Telnet ...............................................................3-12, 4-136
Telnet management options .................................... 3-32
Telnet, logging in with .............................................. 3-13
templates
security policy ................................................... 4-190
TFTP .......................................................................... 4-136
the ............................................................................... 9-46
three-way handshakes .............................................. 4-40
threshold
low-watermark .................................................... 4-33
thresholds
high-watermark ................................................... 4-33
time zone ................................................................. 2-257
timeout ..................................................................... 13-25
admin users ......................................................... 9-18
auth users............................................................. 9-18
timestamp IP option ................................................. 4-13
TLS .............................................................................. 5-25
token codes ................................................................ 9-27
Top-Level Aggregator (TLA) .................................... 14-37
trace-route .................................................................. 2-87
traffic
counting ....................................................2-175, 13-4
IP-based.............................................................. 10-75
logging .......................................................2-175, 13-4
prioritizing............................................................ 4-35
priority ................................................................ 2-176
redirecting HTTP with WebAuth ....................... 9-56
shaping ............................................................... 2-195
sorting...................................................10-33 to 10-41
through traffic, vsys sorting ...............10-34 to 10-37
VLAN-based.............................. 10-42, 10-43 to 10-70
traffic alarms ..................................................3-75 to 3-77
traffic shaping .......................................................... 2-195
service priorities ................................................ 2-199
traffic, prioritizing critical ......................................... 4-37
transparent mode .................... 2-82 to 2-95, 10-44, 13-3
ARP/trace-route ................................................... 2-85
blocking non-ARP traffic .................................... 2-83
blocking non-IP traffic ........................................ 2-83
broadcast traffic .................................................. 2-83
flood ...................................................................... 2-85
routes .................................................................... 2-84
unicast options .................................................... 2-85
transparent mode, drop unknown MAC addresses ....... 4-45
U
UAC clusters ............................................................... 9-43
UDP
checksum ........................................................... 5-253
NAT-T encapsulation......................................... 5-248
UDP session timeouts ............................................... 4-34
Unified Access Control (UAC) ................................... 9-43
unified access control solution
overview of ...........................................................9-vii
unknown protocols.................................................. 4-247
unknown unicast options .............................2-85 to 2-90
ARP ...........................................................2-87 to 2-90
flood ..........................................................2-86 to 2-87
trace-route ............................................................ 2-87
updating IDP engine................................................ 4-237
upstream routers ..................................................... 14-38
URL filtering
V
VC .............................................................................. 12-74
VCI ............................................................................. 12-74
vendor IDs, VSA ......................................................... 9-22
vendor-specific attributes ......................................... 9-21
verified mode ........................................................... 13-15
Verisign ....................................................................... 5-45
VIP ............................................................................... 2-11
configuring ........................................................... 8-82
definition ................................................................ 8-6
editing ................................................................... 8-84
global zones ......................................................... 8-82
reachable from other zones ............................... 8-82
removing .............................................................. 8-84
required information .......................................... 8-82
VIP services
custom and multi-port ............................8-85 to 8-88
custom, low port numbers ................................. 8-81
VIP, to zone with interface-based NAT ................... 2-97
virtual adapters .......................................................... 9-76
virtual channel identifier
See VCI
virtual circuit
See VC
virtual HA interfaces.......................................2-39, 11-30
virtual IP
See VIP
virtual path identifier
See VPI
Virtual Path Identifier/Virtual Channel Identifier
See VPI/VCI
virtual private networks
See VPNs
Virtual Router Redundancy Protocol (VRRP) ....... 11-65
W
Web filtering ...................... 2-174, 4-102, 4-112 to 4-119
applying profiles to policies ............................. 4-109
blocked URL message....................................... 4-116
blocked URL message type .............................. 4-116
cache................................................................... 4-104
communication timeout ................................... 4-115
integrated ........................................................... 4-103
profiles ................................................................ 4-107
redirect ............................................................... 4-112
routing ................................................................ 4-117
server status ....................................................... 4-117
servers per vsys ................................................. 4-113
SurfControl
CPA servers................................................... 4-103
SCFP .............................................................. 4-114
server name .................................................. 4-115
server port .................................................... 4-115
SurfControl servers ........................................... 4-104
URL categories ................................................... 4-106
Websense server name and server port ........ 4-115
Web user interface
See WebUI
WebAuth ............................................................9-14, 9-55
external user groups ........................................... 9-67
pre-policy auth process ...................................... 9-55
redirecting HTTP traffic ...................................... 9-56
user groups, local ................................................ 9-66
with SSL (user groups, external) ........................ 9-69
X
XAuth
authentication .................................................. 14-142
bypass-auth .......................................................... 9-77
client authentication ........................................... 9-90
defined .................................................................. 9-76
query remote settings ......................................... 9-77
ScreenOS as client............................................... 9-90
TCP/IP assignments ............................................ 9-78
virtual adapters .................................................... 9-76
VPN idletime ........................................................ 9-79
VPN monitoring ................................................. 5-260
when to use ...................................................... 14-136
XAuth addresses
assignments ......................................................... 9-76
authentication, and ............................................. 9-86
IP address lifetime.................................. 9-78 to 9-79
timeout ................................................................. 9-78
XAuth users ................................................... 9-76 to 9-90
authentication ...................................................... 9-76
local authentication ............................................. 9-79
local group authentication .................................. 9-81
server support ...................................................... 9-14
with L2TP ............................................................... 9-5
XAuth, external
auth server queries.............................................. 9-77
user authentication ............................................. 9-82
user group authentication .................................. 9-83
XR, configuring ...................................................... 12-141
Y
Yahoo! Messenger ................................................... 4-137
Z
zip files, blocking ..................................................... 4-172
zombie agents .................................................. 4-29, 4-31
zones .....................................................2-25 to 2-33, 10-6
defining................................................................. 2-30
editing ................................................................... 2-31
function ................................................................ 2-33
function, MGT interface ...................................... 2-38
global .................................................................... 2-28
global security ........................................................ 2-2
Layer 2 .................................................................. 2-83