Concepts & Examples ScreenOS Reference Guide
Volume 1: Overview
Release 6.0.0, Rev. 02
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-017767-01, Revision 02
Nov 08, 2014
Copyright Notice
Copyright © 2007 Juniper Networks, Inc. All rights reserved.
Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Table of Contents
Volume 1: Overview
About the Concepts & Examples ScreenOS Reference Guide ..... xlv
    Volume Organization ..... xlvii
    Document Conventions ..... liii
        Web User Interface Conventions ..... liii
        Command Line Interface Conventions ..... liii
        Naming Conventions and Character Types ..... liv
        Illustration Conventions ..... lv
    Technical Documentation and Support ..... lvi
Master Index ..... IX-I
Volume 2: Fundamentals
About This Volume ..... ix
    Document Conventions ..... x
        Web User Interface Conventions ..... x
        Command Line Interface Conventions ..... x
        Naming Conventions and Character Types ..... xi
        Illustration Conventions ..... xii
    Technical Documentation and Support ..... xiii
Chapter 1 ScreenOS Architecture ..... 1
    Security Zones ..... 2
    Security Zone Interfaces ..... 3
        Physical Interfaces ..... 3
        Subinterfaces ..... 3
    Virtual Routers ..... 4
    Policies ..... 5
    Virtual Private Networks ..... 6
    Virtual Systems ..... 9
    Packet-Flow Sequence ..... 10
    Jumbo Frames ..... 13
    ScreenOS Architecture Example ..... 14
        Example: (Part 1) Enterprise with Six Zones ..... 14
        Example: (Part 2) Interfaces for Six Zones ..... 16
        Example: (Part 3) Two Routing Domains ..... 18
        Example: (Part 4) Policies ..... 20
Chapter 2 Zones ..... 25
    Viewing Preconfigured Zones ..... 26
    Security Zones ..... 28
        Global Zone ..... 28
        SCREEN Options ..... 28
    Binding a Tunnel Interface to a Tunnel Zone ..... 29
    Configuring Security Zones and Tunnel Zones ..... 30
        Creating a Zone ..... 30
        Modifying a Zone ..... 31
        Deleting a Zone ..... 32
    Function Zones ..... 33
Chapter 3 Interfaces ..... 35
    Interface Types ..... 36
        Logical Interfaces ..... 36
            Physical Interfaces ..... 36
            Wireless Interfaces ..... 36
            Bridge Group Interfaces ..... 37
            Subinterfaces ..... 37
            Aggregate Interfaces ..... 37
            Redundant Interfaces ..... 37
            Virtual Security Interfaces ..... 38
        Function Zone Interfaces ..... 38
            Management Interfaces ..... 38
            High Availability Interfaces ..... 38
        Tunnel Interfaces ..... 39
            Deleting Tunnel Interfaces ..... 42
    Viewing Interfaces ..... 43
    Configuring Security Zone Interfaces ..... 44
        Binding an Interface to a Security Zone ..... 44
        Unbinding an Interface from a Security Zone ..... 45
        Addressing an L3 Security Zone Interface ..... 46
            Public IP Addresses ..... 47
            Private IP Addresses ..... 47
            Addressing an Interface ..... 48
        Modifying Interface Settings ..... 48
        Creating a Subinterface in the Root System ..... 49
        Deleting a Subinterface ..... 50
    Creating a Secondary IP Address ..... 50
    Backup System Interfaces ..... 51
        Configuring a Backup Interface ..... 52
            Configuring an IP Tracking Backup Interface ..... 52
            Configuring a Tunnel-if Backup Interface ..... 53
            Configuring a Route Monitoring Backup Interface ..... 57
    Loopback Interfaces ..... 58
        Creating a Loopback Interface ..... 59
        Setting the Loopback Interface for Management ..... 59
        Setting BGP on a Loopback Interface ..... 59
        Setting VSIs on a Loopback Interface ..... 60
        Setting the Loopback Interface as a Source Interface ..... 60
    Interface State Changes ..... 61
        Physical Connection Monitoring ..... 63
        Tracking IP Addresses ..... 63
        Interface Monitoring ..... 68
            Monitoring Two Interfaces ..... 69
            Monitoring an Interface Loop ..... 70
        Security Zone Monitoring ..... 73
        Down Interfaces and Traffic Flow ..... 74
            Failure on the Egress Interface ..... 75
            Failure on the Ingress Interface ..... 76
Chapter 4 Interface Modes ..... 79
    Transparent Mode ..... 80
        Zone Settings ..... 81
            VLAN Zone ..... 81
            Predefined Layer 2 Zones ..... 81
        Traffic Forwarding ..... 81
        Unknown Unicast Options ..... 82
            Flood Method ..... 83
            ARP/Trace-Route Method ..... 84
            Configuring VLAN1 Interface for Management ..... 87
            Configuring Transparent Mode ..... 89
    NAT Mode ..... 92
        Inbound and Outbound NAT Traffic ..... 94
        Interface Settings ..... 95
        Configuring NAT Mode ..... 95
    Route Mode ..... 98
        Interface Settings ..... 99
        Configuring Route Mode ..... 99
Chapter 5 Building Blocks for Policies ..... 103
    Addresses ..... 103
        Address Entries ..... 104
            Adding an Address ..... 104
            Modifying an Address ..... 105
            Deleting an Address ..... 105
        Address Groups ..... 105
            Creating an Address Group ..... 107
            Editing an Address Group Entry ..... 108
            Removing a Member and a Group ..... 108
    Services ..... 109
        Predefined Services ..... 109
            Internet Control Messaging Protocol ..... 110
            Handling ICMP Unreachable Errors ..... 113
            Internet-Related Predefined Services ..... 114
            Microsoft Remote Procedure Call Services ..... 115
            Dynamic Routing Protocols ..... 117
            Streaming Video ..... 117
            Sun Remote Procedure Call Services ..... 118
            Security and Tunnel Services ..... 118
            IP-Related Services ..... 119
            Instant Messaging Services ..... 119
            Management Services ..... 119
            Mail Services ..... 120
            UNIX Services ..... 120
            Miscellaneous Services ..... 121
        Custom Services ..... 121
            Adding a Custom Service ..... 122
            Modifying a Custom Service ..... 123
            Removing a Custom Service ..... 123
        Setting a Service Timeout ..... 123
            Service Timeout Configuration and Lookup ..... 123
            Contingencies ..... 124
            Example ..... 126
        Defining a Custom Internet Control Message Protocol Service ..... 126
        Remote Shell ALG ..... 127
        Sun Remote Procedure Call Application Layer Gateway ..... 127
            Typical RPC Call Scenario ..... 127
            Customizing Sun RPC Services ..... 128
        Customizing Microsoft Remote Procedure Call ALG ..... 129
        Real-Time Streaming Protocol Application Layer Gateway ..... 130
            RTSP Request Methods ..... 131
            RTSP Status Codes ..... 133
            Configuring a Media Server in a Private Domain ..... 134
            Configuring a Media Server in a Public Domain ..... 136
        Service Groups ..... 138
            Modifying a Service Group ..... 139
            Removing a Service Group ..... 140
    Dynamic IP Pools ..... 140
        Port Address Translation ..... 141
        Creating a DIP Pool with PAT ..... 142
        Modifying a DIP Pool ..... 143
        Sticky DIP Addresses ..... 143
        Using DIP in a Different Subnet ..... 144
        Using a DIP on a Loopback Interface ..... 149
        Creating a DIP Group ..... 153
    Setting a Recurring Schedule ..... 156
Chapter 6 Policies ..... 159
    Basic Elements ..... 160
    Three Types of Policies ..... 161
        Interzone Policies ..... 161
        Intrazone Policies ..... 161
        Global Policies ..... 162
    Policy Set Lists ..... 163
    Policies Defined ..... 164
        Policies and Rules ..... 164
        Anatomy of a Policy ..... 165
            ID ..... 166
            Zones ..... 166
            Addresses ..... 166
            Services ..... 166
            Action ..... 167
            Application ..... 167
            Name ..... 168
            VPN Tunneling ..... 168
            L2TP Tunneling ..... 168
            Deep Inspection ..... 169
            Placement at the Top of the Policy List ..... 169
            Source Address Translation ..... 169
            Destination Address Translation ..... 169
            User Authentication ..... 170
            HA Session Backup ..... 171
            Web Filtering ..... 172
            Logging ..... 172
            Counting ..... 172
            Traffic Alarm Threshold ..... 172
            Schedules ..... 172
            Antivirus Scanning ..... 173
            Traffic Shaping ..... 173
    Policies Applied ..... 174
        Viewing Policies ..... 174
        Creating Policies ..... 174
            Creating Interzone Policies Mail Service ..... 175
            Creating an Interzone Policy Set ..... 178
            Creating Intrazone Policies ..... 182
            Creating a Global Policy ..... 184
        Entering a Policy Context ..... 185
        Multiple Items per Policy Component ..... 185
        Setting Address Negation ..... 186
        Modifying and Disabling Policies ..... 189
        Policy Verification ..... 189
        Reordering Policies ..... 190
        Removing a Policy ..... 191
Chapter 7 Traffic Shaping ..... 193
    Managing Bandwidth at the Policy Level ..... 193
    Setting Traffic Shaping ..... 194
    Setting Service Priorities ..... 198
    Setting Priority Queuing ..... 199
    Ingress Policing ..... 203
    Shaping Traffic on Virtual Interfaces ..... 203
        Interface-Level Traffic Shaping ..... 204
        Policy-Level Traffic Shaping ..... 205
        Packet Flow ..... 206
        Example: Route-Based VPN with Ingress Policing ..... 206
        Example: Policy-Based VPN with Ingress Policing ..... 210
    Traffic Shaping Using a Loopback Interface ..... 214
    DSCP Marking and Shaping ..... 214
Chapter 8 System Parameters ..... 217
    Domain Name System Support ..... 217
        DNS Lookup ..... 218
        DNS Status Table ..... 219
            Setting the DNS Server and Refresh Schedule ..... 219
            Setting a DNS Refresh Interval ..... 220
        Dynamic Domain Name System ..... 220
            Setting Up DDNS for a DynDNS Server ..... 221
            Setting Up DDNS for a DDO Server ..... 222
        Proxy DNS Address Splitting ..... 222
    Dynamic Host Configuration Protocol ..... 225
        Configuring a DHCP Server ..... 226
            Customizing DHCP Server Options ..... 230
            Placing the DHCP Server in an NSRP Cluster ..... 231
            DHCP Server Detection ..... 231
            Enabling DHCP Server Detection ..... 232
            Disabling DHCP Server Detection ..... 232
        Assigning a Security Device as a DHCP Relay Agent ..... 233
            Forwarding All DHCP Packets ..... 237
            Configuring Next-Server-IP ..... 237
        Using a Security Device as a DHCP Client ..... 238
        Propagating TCP/IP Settings ..... 240
        Configuring DHCP in Virtual Systems ..... 242
    Setting DHCP Message Relay in Virtual Systems ..... 242
    Point-to-Point Protocol over Ethernet ..... 243
        Setting Up PPPoE ..... 243
        Configuring PPPoE on Primary and Backup Untrust Interfaces ..... 246
        Configuring Multiple PPPoE Sessions over a Single Interface ..... 247
        PPPoE and High Availability ..... 250
    License Keys ..... 250
    Registration and Activation of Subscription Services ..... 251
        Trial Service ..... 252
        Updating Subscription Keys ..... 252
        Adding Antivirus, Web Filtering, Anti-Spam, and Deep Inspection to an Existing or a New Device ..... 253
    System Clock ..... 253
        Date and Time ..... 254
        Daylight Saving Time ..... 254
        Time Zone ..... 254
        Network Time Protocol ..... 255
            Configuring Multiple NTP Servers ..... 255
            Configuring a Backup NTP Server ..... 255
            Maximum Time Adjustment ..... 256
            NTP and NSRP ..... 256
            Setting a Maximum Time Adjustment Value to an NTP Server ..... 257
            Securing NTP Servers ..... 257
Index ..... IX-I
Volume 3: Administration
About This Volume ..... vii
    Document Conventions ..... vii
        Web User Interface Conventions ..... vii
        Command Line Interface Conventions ..... viii
        Naming Conventions and Character Types ..... viii
        Illustration Conventions ..... x
    Technical Documentation and Support ..... xi
Chapter 1 Administration ..... 1
    Management via the Web User Interface ..... 2
        WebUI Help ..... 2
            Copying the Help Files to a Local Drive ..... 3
            Pointing the WebUI to the New Help Location ..... 3
        HyperText Transfer Protocol ..... 4
      Session ID ..... 4
    Secure Sockets Layer ..... 5
      SSL Configuration ..... 7
      Redirecting HTTP to SSL ..... 8
  Management via the Command Line Interface ..... 9
    Telnet ..... 9
    Securing Telnet Connections ..... 10
    Secure Shell ..... 11
      Client Requirements ..... 12
      Basic SSH Configuration on the Device ..... 13
      Authentication ..... 14
      SSH and Vsys ..... 16
      Host Key ..... 16
      Example: SSHv1 with PKA for Automated Logins ..... 17
    Secure Copy ..... 18
    Serial Console ..... 19
    Remote Console ..... 20
      Remote Console Using V.92 Modem Port ..... 20
      Remote Console Using an AUX Port ..... 21
    Modem Port ..... 22
  Management via NetScreen-Security Manager ..... 22
    Initiating Connectivity Between NSM Agent and the MGT System ..... 23
    Enabling, Disabling, and Unsetting NSM Agent ..... 24
    Setting the Primary Server IP Address of the Management System ..... 25
    Setting Alarm and Statistics Reporting ..... 25
    Configuration Synchronization ..... 26
      Example: Viewing the Configuration State ..... 27
      Example: Retrieving the Configuration Hash ..... 27
    Retrieving the Configuration Timestamp ..... 27
  Controlling Administrative Traffic ..... 28
    MGT and VLAN1 Interfaces ..... 29
      Example: Administration Through the MGT Interface ..... 29
      Example: Administration Through the VLAN1 Interface ..... 29
    Setting Administrative Interface Options ..... 30
    Setting Manage IPs for Multiple Interfaces ..... 31
  Levels of Administration ..... 33
    Root Administrator ..... 33
    Read/Write Administrator ..... 34
    Read-Only Administrator ..... 34
    Virtual System Administrator ..... 34
    Virtual System Read-Only Administrator ..... 35
  Defining Admin Users ..... 35
    Example: Adding a Read-Only Admin ..... 35
    Example: Modifying an Admin ..... 35
    Example: Deleting an Admin ..... 36
    Example: Configuring Admin Accounts for Dialup Connections ..... 36
    Example: Clearing an Admin’s Sessions ..... 37
  Securing Administrative Traffic ..... 37
    Changing the Port Number ..... 38
    Changing the Admin Login Name and Password ..... 39
      Example: Changing an Admin User’s Login Name and Password ..... 40
      Example: Changing Your Own Password ..... 40
      Setting the Minimum Length of the Root Admin Password ..... 41
    Resetting the Device to the Factory Default Settings ..... 41
    Restricting Administrative Access ..... 42
      Example: Restricting Administration to a Single Workstation ..... 42
      Example: Restricting Administration to a Subnet ..... 42
      Restricting the Root Admin to Console Access ..... 42
    VPN Tunnels for Administrative Traffic ..... 43
      Administration Through a Route-Based Manual Key VPN Tunnel ..... 44
      Administration Through a Policy-Based Manual Key VPN Tunnel ..... 47
  Password Policy ..... 51
    Setting a Password Policy ..... 51
    Removing a Password Policy ..... 52
    Viewing a Password Policy ..... 52
    Recovering from a Rejected Default Admin Password ..... 52
  Creating a Login Banner ..... 53
Chapter 2 Monitoring Security Devices 55
  Storing Log Information ..... 55
  Event Log ..... 56
    Viewing the Event Log by Severity Level and Keyword ..... 57
    Sorting and Filtering the Event Log ..... 58
    Downloading the Event Log ..... 59
      Example: Downloading the Entire Event Log ..... 59
      Example: Downloading the Event Log for Critical Events ..... 60
  Traffic Log ..... 60
    Viewing the Traffic Log ..... 61
      Example: Viewing Traffic Log Entries ..... 61
    Sorting and Filtering the Traffic Log ..... 63
      Example: Sorting the Traffic Log by Time ..... 63
    Downloading the Traffic Log ..... 63
    Removing the Reason for Close Field ..... 64
  Self Log ..... 66
    Viewing the Self Log ..... 66
    Sorting and Filtering the Self Log ..... 66
      Example: Filtering the Self Log by Time ..... 67
    Downloading the Self Log ..... 67
  Downloading the Asset Recovery Log ..... 68
  Traffic Alarms ..... 68
    Example: Policy-Based Intrusion Detection ..... 69
    Example: Compromised System Notification ..... 70
    Example: Sending E-mail Alerts ..... 71
  Syslog ..... 71
    Example: Enabling Multiple Syslog Servers ..... 72
    Enabling WebTrends for Notification Events ..... 73
  Simple Network Management Protocol ..... 73
    Implementation Overview ..... 76
    Defining a Read/Write SNMP Community ..... 77
  VPN Tunnels for Self-Initiated Traffic ..... 78
    Example: Self-Generated Traffic Through a Route-Based Tunnel ..... 79
    Example: Self-Generated Traffic Through a Policy-Based Tunnel ..... 86
  Viewing Screen Counters ..... 92
Index ..... IX-I
Volume 4: Attack Detection and Defense Mechanisms
About This Volume ix
  Document Conventions ..... x
    Web User Interface Conventions ..... x
    Command Line Interface Conventions ..... x
    Naming Conventions and Character Types ..... xi
    Illustration Conventions ..... xii
  Technical Documentation and Support ..... xiii
Chapter 1 Protecting a Network 1
  Stages of an Attack ..... 2
  Detection and Defense Mechanisms ..... 2
  Exploit Monitoring ..... 5
    Example: Monitoring Attacks from the Untrust Zone ..... 5
Chapter 2 Reconnaissance Deterrence 7
  IP Address Sweep ..... 8
  Port Scanning ..... 9
  Network Reconnaissance Using IP Options ..... 10
  Operating System Probes ..... 12
    SYN and FIN Flags Set ..... 12
    FIN Flag Without ACK Flag ..... 13
    TCP Header Without Flags Set ..... 14
  Evasion Techniques ..... 15
    FIN Scan ..... 15
    Non-SYN Flags ..... 15
    IP Spoofing ..... 18
      Example: L3 IP Spoof Protection ..... 20
      Example: L2 IP Spoof Protection ..... 22
    IP Source Route Options ..... 23
Chapter 3 Denial-of-Service Attack Defenses 27
  Firewall DoS Attacks ..... 28
    Session Table Flood ..... 28
      Source-Based and Destination-Based Session Limits ..... 28
        Example: Source-Based Session Limiting ..... 29
        Example: Destination-Based Session Limiting ..... 30
      Aggressive Aging ..... 30
        Example: Aggressively Aging Out Sessions ..... 32
    SYN-ACK-ACK Proxy Flood ..... 32
  Network DoS Attacks ..... 34
    SYN Flood ..... 34
      Example: SYN Flood Protection ..... 40
    SYN Cookie ..... 44
    ICMP Flood ..... 46
    UDP Flood ..... 47
    Land Attack ..... 48
  OS-Specific DoS Attacks ..... 49
    Ping of Death ..... 49
    Teardrop Attack ..... 50
    WinNuke ..... 51
Chapter 4 Content Monitoring and Filtering 53
  Fragment Reassembly ..... 54
    Malicious URL Protection ..... 54
    Application Layer Gateway ..... 55
      Example: Blocking Malicious URLs in Packet Fragments ..... 56
  Antivirus Scanning ..... 58
    External AV Scanning ..... 58
      Scanning Modes ..... 60
      Load-Balancing ICAP Scan Servers ..... 60
    Internal AV Scanning ..... 61
    AV Scanning of IM Traffic ..... 63
      IM Clients ..... 63
      IM Server ..... 64
      IM Protocols ..... 64
      Instant Messaging Security Issues ..... 65
      IM Security Issues ..... 65
      Scanning Chat Messages ..... 65
      Scanning File Transfers ..... 66
    AV Scanning Results ..... 67
    Policy-Based AV Scanning ..... 68
    Scanning Application Protocols ..... 69
      Scanning FTP Traffic ..... 70
      Scanning HTTP Traffic ..... 71
      Scanning IMAP and POP3 Traffic ..... 73
      Scanning SMTP Traffic ..... 74
      Redirecting Traffic to ICAP AV Scan Servers ..... 76
    Updating the AV Pattern Files for the Embedded Scanner ..... 78
      Subscribing to the AV Signature Service ..... 78
      Updating AV Patterns ..... 79
    AV Scanner Global Settings ..... 80
      AV Resource Allotment ..... 81
      Fail-Mode Behavior ..... 81
      Maximum Content Size and Maximum Messages (Internal AV Only) ..... 82
      HTTP Keep-Alive ..... 83
      HTTP Trickling (Internal AV Only) ..... 84
    AV Profiles ..... 86
      Assigning an AV Profile to a Firewall Policy ..... 87
      Initiating an AV Profile for Internal AV ..... 87
      Example: (Internal AV) Scanning for All Traffic Types ..... 88
      Example: AV Scanning for SMTP and HTTP Traffic Only ..... 88
      AV Profile Settings ..... 89
  Anti-Spam Filtering ..... 93
    Black Lists and White Lists ..... 93
    Basic Configuration ..... 94
      Filtering Spam Traffic ..... 94
      Dropping Spam Messages ..... 94
    Defining a Black List ..... 95
    Defining a White List ..... 95
    Defining a Default Action ..... 95
    Enabling a Spam-Blocking List Server ..... 96
    Testing Anti-Spam ..... 96
  Web Filtering ..... 97
    Using the CLI to Initiate Web-Filtering Modes ..... 97
    Integrated Web Filtering ..... 98
      SurfControl Servers ..... 99
      Web-Filtering Cache ..... 99
      Configuring Integrated Web Filtering ..... 100
      Example: Integrated Web Filtering ..... 105
    Redirect Web Filtering ..... 107
      Virtual System Support ..... 108
      Configuring Redirect Web Filtering ..... 109
      Example: Redirect Web Filtering ..... 112
Chapter 5 Deep Inspection 115
  Overview ..... 116
  Attack Object Database Server ..... 120
    Predefined Signature Packs ..... 120
    Updating Signature Packs ..... 121
      Before You Start Updating Attack Objects ..... 122
      Immediate Update ..... 122
      Automatic Update ..... 123
      Automatic Notification and Immediate Update ..... 124
      Manual Update ..... 125
  Attack Objects and Groups ..... 127
    Supported Protocols ..... 129
    Stateful Signatures ..... 132
    TCP Stream Signatures ..... 133
    Protocol Anomalies ..... 133
    Attack Object Groups ..... 134
      Changing Severity Levels ..... 134
      Example: Deep Inspection for P2P ..... 135
    Disabling Attack Objects ..... 137
  Attack Actions ..... 138
    Example: Attack Actions—Close Server, Close, Close Client ..... 139
    Brute Force Attack Actions ..... 146
      Brute Force Attack Objects ..... 146
      Brute Force Attack Target ..... 147
      Brute Force Attack Timeout ..... 147
      Example 1 ..... 148
      Example 2 ..... 148
      Example 3 ..... 149
  Attack Logging ..... 149
    Example: Disabling Logging per Attack Group ..... 149
  Mapping Custom Services to Applications ..... 152
    Example: Mapping an Application to a Custom Service ..... 153
    Example: Application-to-Service Mapping for HTTP Attacks ..... 155
  Customized Attack Objects and Groups ..... 156
    User-Defined Stateful Signature Attack Objects ..... 156
      Regular Expressions ..... 157
      Example: User-Defined Stateful Signature Attack Objects ..... 158
    TCP Stream Signature Attack Objects ..... 160
      Example: User-Defined Stream Signature Attack Object ..... 161
    Configurable Protocol Anomaly Parameters ..... 162
      Example: Modifying Parameters ..... 162
    Negation ..... 163
      Example: Attack Object Negation ..... 163
  Granular Blocking of HTTP Components ..... 167
    ActiveX Controls ..... 168
    Java Applets ..... 168
    EXE Files ..... 168
    ZIP Files ..... 168
    Example: Blocking Java Applets and .exe Files ..... 169
Chapter 6 Intrusion Detection and Prevention 171
  IDP-Capable Security Devices ..... 172
  Traffic Flow in an IDP-capable Device ..... 173
  Configuring Intrusion Detection and Prevention ..... 174
    Preconfiguration Tasks ..... 174
    Example 1: Basic IDP Configuration ..... 175
    Example 2: Configuring IDP for Active–Passive Failover ..... 177
    Example 3: Configuring IDP for Active–Active Failover ..... 179
  Configuring Security Policies ..... 182
    About Security Policies ..... 182
    Managing Security Policies ..... 182
    Installing Security Policies ..... 183
  Using IDP Rulebases ..... 183
    Role-Based Administration of IDP Rulebases ..... 184
    Configuring Objects for IDP Rules ..... 184
    Using Security Policy Templates ..... 185
  Enabling IDP in Firewall Rules ..... 185
    Enabling IDP ..... 186
    Specifying Inline or Inline Tap Mode ..... 186
  Configuring IDP Rules ..... 187
    Adding the IDP Rulebase ..... 188
    Matching Traffic ..... 189
      Source and Destination Zones ..... 189
      Source and Destination Address Objects ..... 189
      Example: Setting Source and Destination ..... 190
      Example: Setting Multiple Sources and Destinations ..... 190
      Services ..... 190
      Example: Setting Default Services ..... 191
      Example: Setting Specific Services ..... 191
      Example: Setting Nonstandard Services ..... 192
      Terminal Rules ..... 193
      Example: Setting Terminal Rules ..... 193
    Defining Actions ..... 195
    Setting Attack Objects ..... 196
      Adding Attack Objects Individually ..... 196
      Adding Attack Objects by Category ..... 196
      Example: Adding Attack Objects by Service ..... 196
      Adding Attack Objects by Operating System ..... 196
      Adding Attack Objects by Severity ..... 197
    Setting IP Action ..... 197
      Choosing an IP Action ..... 198
      Choosing a Blocking Option ..... 198
      Setting Logging Options ..... 198
      Setting Timeout Options ..... 198
    Setting Notification ..... 198
      Setting Logging ..... 199
      Setting an Alert ..... 199
      Logging Packets ..... 199
    Setting Severity ..... 199
    Setting Targets ..... 200
    Entering Comments ..... 200
  Configuring Exempt Rules ..... 200
    Adding the Exempt Rulebase ..... 201
    Defining a Match ..... 202
      Source and Destination Zones ..... 202
      Source and Destination Address Objects ..... 202
      Example: Exempting a Source/Destination Pair ..... 203
    Setting Attack Objects ..... 203
      Example: Exempting Specific Attack Objects ..... 203
    Setting Targets ..... 203
    Entering Comments ..... 204
    Creating an Exempt Rule from the Log Viewer ..... 204
  Configuring Backdoor Rules ..... 205
    Adding the Backdoor Rulebase ..... 205
    Defining a Match ..... 206
      Source and Destination Zones ..... 206
      Source and Destination Address Objects ..... 207
      Services ..... 207
    Setting the Operation ..... 207
    Setting Actions ..... 207
    Setting Notification ..... 208
      Setting Logging ..... 208
      Setting an Alert ..... 208
      Logging Packets ..... 208
    Setting Severity ..... 209
    Setting Targets ..... 209
    Entering Comments ..... 209
  Configuring IDP Attack Objects ..... 209
    About IDP Attack Object Types ..... 209
      Signature Attack Objects ..... 210
      Protocol Anomaly Attack Objects ..... 210
      Compound Attack Objects ..... 210
    Viewing Predefined IDP Attack Objects and Groups ..... 210
      Viewing Predefined Attacks ..... 211
      Viewing Predefined Groups ..... 211
    Creating Custom IDP Attack Objects ..... 212
      Creating a Signature Attack Object ..... 214
      Creating a Protocol Anomaly Attack ..... 219
      Creating a Compound Attack ..... 220
      Editing a Custom Attack Object ..... 222
      Deleting a Custom Attack Object ..... 222
    Creating Custom IDP Attack Groups ..... 223
      Configuring Static Groups ..... 223
      Configuring Dynamic Groups ..... 224
      Example: Creating a Dynamic Group ..... 225
      Updating Dynamic Groups ..... 226
      Editing a Custom Attack Group ..... 227
      Deleting a Custom Attack Group ..... 227
  Configuring the Device as a Standalone IDP Device ..... 227
Table of Contents xv
xvi
Concepts & Examples ScreenOS Reference Guide
    Enabling IDP .... 227
      Example: Configuring a Firewall Rule for Standalone IDP .... 228
    Configuring Role-Based Administration .... 228
      Example: Configuring an IDP-Only Administrator .... 229
  Managing IDP .... 230
    About Attack Database Updates .... 230
    Downloading Attack Database Updates .... 230
      Using Updated Attack Objects .... 231
      Updating the IDP Engine .... 231
    Viewing IDP Logs .... 233
Chapter 7 Suspicious Packet Attributes .... 235
  ICMP Fragments .... 236
  Large ICMP Packets .... 237
  Bad IP Options .... 238
  Unknown Protocols .... 239
  IP Packet Fragments .... 240
  SYN Fragments .... 241
Appendix A Contexts for User-Defined Signatures .... A-I
Index .... IX-I
Volume 5: Virtual Private Networks
About This Volume .... vii
  Document Conventions .... viii
    Web User Interface Conventions .... viii
    Command Line Interface Conventions .... viii
    Naming Conventions and Character Types .... ix
    Illustration Conventions .... x
  Technical Documentation and Support .... xi
Chapter 1 Internet Protocol Security .... 1
  Introduction to Virtual Private Networks .... 2
  IPSec Concepts .... 3
    Modes .... 4
      Transport Mode .... 4
      Tunnel Mode .... 4
    Protocols .... 5
      Authentication Header .... 6
      Encapsulating Security Payload .... 6
    Key Management .... 7
      Manual Key .... 7
      AutoKey IKE .... 7
    Security Associations .... 8
  Tunnel Negotiation .... 8
    Phase 1 .... 9
      Main and Aggressive Modes .... 9
      Diffie-Hellman Exchange .... 10
    Phase 2 .... 11
      Perfect Forward Secrecy .... 11
      Replay Protection .... 12
  IKE and IPSec Packets .... 12
    IKE Packets .... 12
    IPSec Packets .... 15
Chapter 2 Public Key Cryptography .... 19
  Introduction to Public Key Cryptography .... 20
    Signing a Certificate .... 20
    Verifying a Digital Signature .... 20
  Public Key Infrastructure .... 22
  Certificates and CRLs .... 24
    Requesting a Certificate Manually .... 26
    Loading Certificates and Certificate Revocation Lists .... 28
    Configuring CRL Settings .... 29
    Obtaining a Local Certificate Automatically .... 30
    Automatic Certificate Renewal .... 33
    Key-Pair Generation .... 34
  Online Certificate Status Protocol .... 34
    Specifying a Certificate Revocation Check Method .... 35
    Viewing Status Check Attributes .... 36
    Specifying an Online Certificate Status Protocol Responder URL .... 36
    Removing Status Check Attributes .... 36
  Self-Signed Certificates .... 37
    Certificate Validation .... 38
    Manually Creating Self-Signed Certificates .... 39
    Setting an Admin-Defined Self-Signed Certificate .... 40
    Certificate Auto-Generation .... 44
    Deleting Self-Signed Certificates .... 45
Chapter 3 Virtual Private Network Guidelines .... 47
  Cryptographic Options .... 48
    Site-to-Site Cryptographic Options .... 48
    Dialup VPN Options .... 55
  Route-Based and Policy-Based Tunnels .... 62
  Packet Flow: Site-to-Site VPN .... 63
  Tunnel Configuration Guidelines .... 69
  Route-Based Virtual Private Network Security Considerations .... 71
    Null Route .... 71
    Dialup or Leased Line .... 73
    VPN Failover to Leased Line or Null Route .... 74
    Decoy Tunnel Interface .... 76
    Virtual Router for Tunnel Interfaces .... 77
    Reroute to Another Tunnel .... 77
Chapter 4 Site-to-Site Virtual Private Networks .... 79
  Site-to-Site VPN Configurations .... 80
    Route-Based Site-to-Site VPN, AutoKey IKE .... 86
    Policy-Based Site-to-Site VPN, AutoKey IKE .... 95
    Route-Based Site-to-Site VPN, Dynamic Peer .... 101
    Policy-Based Site-to-Site VPN, Dynamic Peer .... 109
    Route-Based Site-to-Site VPN, Manual Key .... 118
    Policy-Based Site-to-Site VPN, Manual Key .... 124
  Dynamic IKE Gateways Using FQDN .... 129
    Aliases .... 130
    Setting AutoKey IKE Peer with FQDN .... 131
  VPN Sites with Overlapping Addresses .... 140
  Transparent Mode VPN .... 151
Chapter 5 Dialup Virtual Private Networks .... 159
  Dialup .... 160
    Policy-Based Dialup VPN, AutoKey IKE .... 160
    Route-Based Dialup VPN, Dynamic Peer .... 166
    Policy-Based Dialup VPN, Dynamic Peer .... 173
    Bidirectional Policies for Dialup VPN Users .... 178
  Group IKE ID .... 183
    Group IKE ID with Certificates .... 183
    Wildcard and Container ASN1-DN IKE ID Types .... 185
    Creating a Group IKE ID (Certificates) .... 187
    Setting a Group IKE ID with Preshared Keys .... 192
  Shared IKE ID .... 198
Chapter 6 Layer 2 Tunneling Protocol .... 205
  Introduction to L2TP .... 205
  Packet Encapsulation and Decapsulation .... 208
    Encapsulation .... 208
    Decapsulation .... 209
  Setting L2TP Parameters .... 211
  L2TP and L2TP-over-IPSec .... 213
    Configuring L2TP .... 213
    Configuring L2TP-over-IPSec .... 218
    Bidirectional L2TP-over-IPSec .... 225
Chapter 7 Advanced Virtual Private Network Features .... 231
  NAT-Traversal .... 232
    Probing for NAT .... 233
    Traversing a NAT Device .... 235
    UDP Checksum .... 237
    Keepalive Packets .... 237
    Initiator/Responder Symmetry .... 237
    Enabling NAT-Traversal .... 239
    Using IKE IDs with NAT-Traversal .... 239
  VPN Monitoring .... 241
    Rekey and Optimization Options .... 242
    Source Interface and Destination Address .... 243
    Policy Considerations .... 244
    Configuring the VPN Monitoring Feature .... 244
    SNMP VPN Monitoring Objects and Traps .... 252
  Multiple Tunnels per Tunnel Interface .... 254
    Route-to-Tunnel Mapping .... 255
    Remote Peers’ Addresses .... 256
    Manual and Automatic Table Entries .... 257
      Manual Table Entries .... 257
      Automatic Table Entries .... 257
      Setting VPNs on a Tunnel Interface to Overlapping Subnets .... 259
      Binding Automatic Route and NHTB Table Entries .... 278
      Using OSPF for Automatic Route Table Entries .... 290
  Redundant VPN Gateways .... 291
    VPN Groups .... 292
    Monitoring Mechanisms .... 293
      IKE Heartbeats .... 294
      Dead Peer Detection .... 294
      IKE Recovery Procedure .... 295
    TCP SYN-Flag Checking .... 297
      Creating Redundant VPN Gateways .... 298
  Creating Back-to-Back VPNs .... 304
  Creating Hub-and-Spoke VPNs .... 311
Chapter 8 AutoConnect-Virtual Private Networks .... 321
  Overview .... 321
  How It Works .... 321
    NHRP Messages .... 322
    AC-VPN Tunnel Initiation .... 323
    Configuring AC-VPN .... 324
      Network Address Translation .... 324
      Configuration on the Hub .... 324
      Configuration on each Spoke .... 325
    Example .... 326
Index .... IX-I
Volume 6: Voice-over-Internet Protocol
About This Volume .... v
  Document Conventions .... vi
    Web User Interface Conventions .... vi
    Command Line Interface Conventions .... vi
    Naming Conventions and Character Types .... vii
    Illustration Conventions .... viii
  Technical Documentation and Support .... ix
Chapter 1 H.323 Application Layer Gateway .... 1
  Overview .... 1
  Examples .... 2
    Example: Gatekeeper in the Trust Zone .... 2
    Example: Gatekeeper in the Untrust Zone .... 3
    Example: Outgoing Calls with NAT .... 4
    Example: Incoming Calls with NAT .... 7
    Example: Gatekeeper in the Untrust Zone with NAT .... 10
Chapter 2 Session Initiation Protocol Application Layer Gateway .... 13
  Overview .... 13
    SIP Request Methods .... 14
    Classes of SIP Responses .... 16
    SIP Application Layer Gateway .... 17
    Session Description Protocol Sessions .... 18
    Pinhole Creation .... 19
    Session Inactivity Timeout .... 20
    SIP Attack Protection .... 21
      Example: SIP Protect Deny .... 21
      Example: Signaling-Inactivity and Media-Inactivity Timeouts .... 22
      Example: UDP Flooding Protection .... 22
      Example: SIP Connection Maximum .... 23
  SIP with Network Address Translation .... 23
    Outgoing Calls .... 24
    Incoming Calls .... 24
    Forwarded Calls .... 25
    Call Termination .... 25
    Call Re-INVITE Messages .... 25
    Call Session Timers .... 25
    Call Cancellation .... 25
    Forking .... 26
    SIP Messages .... 26
    SIP Headers .... 26
    SIP Body .... 28
    SIP NAT Scenario .... 28
  Examples .... 30
    Incoming SIP Call Support Using the SIP Registrar .... 31
      Example: Incoming Call (Interface DIP) .... 32
      Example: Incoming Call (DIP Pool) .... 35
      Example: Incoming Call with MIP .... 37
      Example: Proxy in the Private Zone .... 39
      Example: Proxy in the Public Zone .... 42
      Example: Three-Zone, Proxy in the DMZ .... 44
      Example: Untrust Intrazone .... 47
      Example: Trust Intrazone .... 51
      Example: Full-Mesh VPN for SIP .... 53
    Bandwidth Management for VoIP Services .... 62
Chapter 3 Media Gateway Control Protocol Application Layer Gateway .... 65
  Overview .... 65
  MGCP Security .... 66
  About MGCP .... 66
    Entities in MGCP .... 66
      Endpoint .... 67
      Connection .... 67
      Call .... 67
      Call Agent .... 67
    Commands .... 68
    Response Codes .... 70
  Examples .... 71
    Media Gateway in Subscribers’ Homes—Call Agent at the ISP .... 71
    ISP-Hosted Service .... 74
Chapter 4 Skinny Client Control Protocol Application Layer Gateway .... 79
  Overview .... 79
  SCCP Security .... 80
  About SCCP .... 81
    SCCP Components .... 81
      SCCP Client .... 81
      Call Manager .... 81
      Cluster .... 81
    SCCP Transactions .... 82
      Client Initialization .... 82
      Client Registration .... 82
      Call Setup .... 83
      Media Setup .... 83
    SCCP Control Messages and RTP Flow .... 84
    SCCP Messages .... 85
  Examples .... 85
    Example: Call Manager/TFTP Server in the Trust Zone .... 86
    Example: Call Manager/TFTP Server in the Untrust Zone .... 88
    Example: Three-Zone, Call Manager/TFTP Server in the DMZ .... 90
    Example: Intrazone, Call Manager/TFTP Server in Trust Zone .... 93
    Example: Intrazone, Call Manager/TFTP Server in Untrust Zone .... 97
    Example: Full-Mesh VPN for SCCP .... 99
Index .... IX-I
Volume 7: Routing
About This Volume .... ix
  Document Conventions .... x
    Web User Interface Conventions .... x
    Command Line Interface Conventions .... x
    Naming Conventions and Character Types .... xi
    Illustration Conventions .... xii
  Technical Documentation and Support .... xiii
Chapter 1 Static Routing .... 1
  Overview .... 2
    How Static Routing Works .... 2
    When to Configure Static Routes .... 3
    Configuring Static Routes .... 5
      Setting Static Routes .... 5
      Setting a Static Route for a Tunnel Interface .... 9
    Enabling Gateway Tracking .... 10
  Forwarding Traffic to the Null Interface .... 11
    Preventing Route Lookup in Other Routing Tables .... 11
    Preventing Tunnel Traffic from Being Sent on Non-Tunnel Interfaces .... 11
    Preventing Loops Created by Summarized Routes .... 11
  Permanently Active Routes .... 12
  Changing Routing Preference with Equal Cost Multipath .... 12
Chapter 2 Routing .... 13
  Overview .... 14
  Virtual Router Routing Tables .... 15
    Destination-Based Routing Table .... 16
    Source-Based Routing Table .... 17
    Source Interface-Based Routing Table .... 19
  Creating and Modifying Virtual Routers .... 21
    Modifying Virtual Routers .... 21
    Assigning a Virtual Router ID .... 22
    Forwarding Traffic Between Virtual Routers .... 23
    Configuring Two Virtual Routers .... 23
    Creating and Deleting Virtual Routers .... 25
      Creating a Custom Virtual Router .... 26
      Deleting a Custom Virtual Router .... 26
    Virtual Routers and Virtual Systems .... 26
      Creating a Virtual Router in a Vsys .... 27
      Sharing Routes Between Virtual Routers .... 28
    Limiting the Number of Routing Table Entries .... 29
  Routing Features and Examples .... 30
    Route Selection .... 30
      Setting a Route Preference .... 30
      Route Metrics .... 31
      Changing the Default Route Lookup Sequence .... 32
      Route Lookup in Multiple Virtual Routers .... 34
    Configuring Equal Cost Multipath Routing .... 35
    Route Redistribution .... 37
      Configuring a Route Map .... 38
      Route Filtering .... 39
      Configuring an Access List .... 40
      Redistributing Routes into OSPF .... 40
    Exporting and Importing Routes Between Virtual Routers .... 42
      Configuring an Export Rule .... 42
      Configuring Automatic Export .... 43
Chapter 3 Open Shortest Path First .... 45
  Overview .... 46
    Areas .... 46
    Router Classification .... 47
    Hello Protocol .... 47
    Network Types .... 48
      Broadcast Networks .... 48
      Point-to-Point Networks .... 48
      Point-to-Multipoint Networks .... 48
    Link-State Advertisements .... 49
  Basic OSPF Configuration .... 49
    Creating and Removing an OSPF Routing Instance .... 50
      Creating an OSPF Instance .... 50
      Removing an OSPF Instance .... 51
    Creating and Deleting an OSPF Area .... 51
      Creating an OSPF Area .... 52
      Deleting an OSPF Area .... 52
    Assigning Interfaces to an OSPF Area .... 53
      Assigning Interfaces to Areas .... 53
      Configuring an Area Range .... 53
    Enabling OSPF on Interfaces .... 54
      Enabling OSPF on Interfaces .... 54
      Disabling OSPF on an Interface .... 54
    Verifying the Configuration .... 55
  Redistributing Routes into Routing Protocols .... 56
  Summarizing Redistributed Routes .... 57
    Summarizing Redistributed Routes .... 58
Table of Contents
  Global OSPF Parameters ... 58
    Advertising the Default Route ... 59
    Virtual Links ... 59
      Creating a Virtual Link ... 60
      Creating an Automatic Virtual Link ... 61
  Setting OSPF Interface Parameters ... 62
  Security Configuration ... 64
    Authenticating Neighbors ... 64
      Configuring a Clear-Text Password ... 64
      Configuring an MD5 Password ... 64
    Configuring an OSPF Neighbor List ... 65
    Rejecting Default Routes ... 66
    Protecting Against Flooding ... 66
      Configuring the Hello Threshold ... 66
      Configuring the LSA Threshold ... 67
      Enabling Reduced Flooding ... 67
  Creating an OSPF Demand Circuit on a Tunnel Interface ... 67
  Point-to-Multipoint Tunnel Interface ... 68
    Setting the OSPF Link-Type ... 68
    Disabling the Route-Deny Restriction ... 69
    Creating a Point-to-Multipoint Network ... 69
Chapter 4 Routing Information Protocol 73
  Overview ... 74
  Basic RIP Configuration ... 75
    Creating and Deleting a RIP Instance ... 76
      Creating a RIP Instance ... 76
      Deleting a RIP Instance ... 76
    Enabling and Disabling RIP on Interfaces ... 77
      Enabling RIP on an Interface ... 77
      Disabling RIP on an Interface ... 77
    Redistributing Routes ... 77
  Viewing RIP Information ... 79
    Viewing the RIP Database ... 79
    Viewing RIP Details ... 80
    Viewing RIP Neighbor Information ... 81
    Viewing RIP Details for a Specific Interface ... 82
  Global RIP Parameters ... 83
  Advertising the Default Route ... 84
  Configuring RIP Interface Parameters ... 85
  Security Configuration ... 86
    Authenticating Neighbors by Setting a Password ... 86
    Configuring Trusted Neighbors ... 87
    Rejecting Default Routes ... 88
    Protecting Against Flooding ... 88
      Configuring an Update Threshold ... 89
    Enabling RIP on Tunnel Interfaces ... 89
  Optional RIP Configurations ... 90
    Setting the RIP Version ... 90
    Enabling and Disabling a Prefix Summary ... 92
      Enabling a Prefix Summary ... 92
      Disabling a Prefix Summary ... 93
    Setting Alternate Routes ... 93
    Demand Circuits on Tunnel Interfaces ... 94
    Configuring a Static Neighbor ... 96
    Configuring a Point-to-Multipoint Tunnel Interface ... 97

Chapter 5 Border Gateway Protocol 103
  Overview ... 104
    Types of BGP Messages ... 104
    Path Attributes ... 105
    External and Internal BGP ... 105
  Basic BGP Configuration ... 106
    Creating and Enabling a BGP Instance ... 107
      Creating a BGP Routing Instance ... 107
      Removing a BGP Instance ... 108
    Enabling and Disabling BGP on Interfaces ... 108
      Enabling BGP on Interfaces ... 108
      Disabling BGP on Interfaces ... 108
    Configuring BGP Peers and Peer Groups ... 109
      Configuring a BGP Peer ... 110
      Configuring an IBGP Peer Group ... 110
    Verifying the BGP Configuration ... 112
  Security Configuration ... 113
    Authenticating BGP Neighbors ... 113
    Rejecting Default Routes ... 114
  Optional BGP Configurations ... 115
    Redistributing Routes into BGP ... 116
    Configuring an AS-Path Access List ... 116
    Adding Routes to BGP ... 117
      Conditional Route Advertisement ... 118
      Setting the Route Weight ... 118
      Setting Route Attributes ... 119
    Route-Refresh Capability ... 119
      Requesting an Inbound Routing Table Update ... 120
      Requesting an Outbound Routing Table Update ... 120
    Configuring Route Reflection ... 120
    Configuring a Confederation ... 122
    BGP Communities ... 124
    Route Aggregation ... 125
      Aggregating Routes with Different AS-Paths ... 125
      Suppressing More-Specific Routes in Updates ... 126
      Selecting Routes for Path Attribute ... 127
      Changing Attributes of an Aggregated Route ... 128

Chapter 6 Policy-Based Routing 129
  Policy-Based Routing Overview ... 130
    Extended Access-Lists ... 130
    Match Groups ... 130
    Action Groups ... 131
  Route Lookup with Policy-Based Routing ... 132
  Configuring Policy-Based Routing ... 132
    Configuring an Extended Access List ... 133
    Configuring a Match Group ... 134
    Configuring an Action Group ... 135
    Configuring a PBR Policy ... 136
    Binding a Policy-Based Routing Policy ... 136
      Binding a Policy-Based Routing Policy to an Interface ... 136
      Binding a Policy-Based Routing Policy to a Zone ... 136
      Binding a Policy-Based Routing Policy to a Virtual Router ... 137
  Viewing Policy-Based Routing Output ... 137
    Viewing an Extended Access List ... 137
    Viewing a Match Group ... 138
    Viewing an Action Group ... 138
    Viewing a Policy-Based Routing Policy Configuration ... 139
    Viewing a Complete Policy-Based Routing Configuration ... 139
  Advanced PBR Example ... 140
    Routing ... 141
    PBR Elements ... 142
      Extended Access Lists ... 143
      Match Groups ... 143
      Action Group ... 143
      PBR Policies ... 144
    Interface Binding ... 144
  Advanced PBR with High Availability and Scalability ... 145
    Resilient PBR Solution ... 145
    Scalable PBR Solution ... 145

Chapter 7 Multicast Routing 147
  Overview ... 147
    Multicast Addresses ... 148
    Reverse Path Forwarding ... 148
  Multicast Routing on Security Devices ... 149
    Multicast Routing Table ... 149
    Configuring a Static Multicast Route ... 150
    Access Lists ... 151
    Configuring Generic Routing Encapsulation on Tunnel Interfaces ... 151
  Multicast Policies ... 153

Chapter 8 Internet Group Management Protocol 155
  Overview ... 156
    Hosts ... 156
    Multicast Routers ... 157
  IGMP on Security Devices ... 157
    Enabling and Disabling IGMP on Interfaces ... 157
      Enabling IGMP on an Interface ... 158
      Disabling IGMP on an Interface ... 158
    Configuring an Access List for Accepted Groups ... 158
    Configuring IGMP ... 159
    Verifying an IGMP Configuration ... 161
    IGMP Operational Parameters ... 162
  IGMP Proxy ... 163
    Membership Reports Upstream to the Source ... 164
    Multicast Data Downstream to Receivers ... 165
    Configuring IGMP Proxy ... 166
    Configuring IGMP Proxy on an Interface ... 166
    Multicast Policies for IGMP and IGMP Proxy Configurations ... 168
      Creating a Multicast Group Policy for IGMP ... 168
      Creating an IGMP Proxy Configuration ... 168
    Setting Up an IGMP Sender Proxy ... 175
Chapter 9 Protocol Independent Multicast 181
  Overview ... 182
    PIM-SM ... 183
      Multicast Distribution Trees ... 183
      Designated Router ... 184
      Mapping Rendezvous Points to Groups ... 184
      Forwarding Traffic on the Distribution Tree ... 185
    PIM-SSM ... 187
  Configuring PIM-SM on Security Devices ... 187
    Enabling and Deleting a PIM-SM Instance for a VR ... 188
      Enabling a PIM-SM Instance ... 188
      Deleting a PIM-SM Instance ... 188
    Enabling and Disabling PIM-SM on Interfaces ... 188
      Enabling PIM-SM on an Interface ... 189
      Disabling PIM-SM on an Interface ... 189
    Multicast Group Policies ... 189
      Static-RP-BSR Messages ... 189
      Join-Prune Messages ... 190
      Defining a Multicast Group Policy for PIM-SM ... 190
  Setting a Basic PIM-SM Configuration ... 191
  Verifying the Configuration ... 195
  Configuring Rendezvous Points ... 197
    Configuring a Static Rendezvous Point ... 197
    Configuring a Candidate Rendezvous Point ... 198
  Security Considerations ... 199
    Restricting Multicast Groups ... 199
    Restricting Multicast Sources ... 200
    Restricting Rendezvous Points ... 201
  PIM-SM Interface Parameters ... 202
    Defining a Neighbor Policy ... 202
    Defining a Bootstrap Border ... 203
  Configuring a Proxy Rendezvous Point ... 204
  PIM-SM and IGMPv3 ... 213

Chapter 10 ICMP Router Discovery Protocol 215
  Overview ... 215
  Configuring ICMP Router Discovery Protocol ... 216
    Enabling ICMP Router Discovery Protocol ... 216
    Configuring ICMP Router Discovery Protocol from the WebUI ... 216
    Configuring ICMP Router Discovery Protocol from the CLI ... 217
      Advertising an Interface ... 217
      Broadcasting the Address ... 217
      Setting a Maximum Advertisement Interval ... 217
      Setting a Minimum Advertisement Interval ... 217
      Setting an Advertisement Lifetime Value ... 218
      Setting a Response Delay ... 218
      Setting an Initial Advertisement Interval ... 218
      Setting a Number of Initial Advertisement Packets ... 218
  Disabling IRDP ... 219
  Viewing IRDP Settings ... 219
Index ... IX-I

Volume 8: Address Translation

About This Volume v
  Document Conventions ... vi
    Web User Interface Conventions ... vi
    Command Line Interface Conventions ... vi
    Naming Conventions and Character Types ... vii
    Illustration Conventions ... viii
  Technical Documentation and Support ... ix

Chapter 1 Address Translation 1
  Introduction to Address Translation ... 1
    Source Network Address Translation ... 1
    Destination Network Address Translation ... 3
      Policy-Based NAT-Dst ... 4
      Mapped IP ... 6
      Virtual IP ... 6
  Policy-Based Translation Options ... 7
    Example: NAT-Src from a DIP Pool with PAT ... 7
    Example: NAT-Src from a DIP Pool Without PAT ... 7
    Example: NAT-Src from a DIP Pool with Address Shifting ... 8
    Example: NAT-Src from the Egress Interface IP Address ... 8
    Example: NAT-Dst to a Single IP Address with Port Mapping ... 8
    Example: NAT-Dst to a Single IP Address Without Port Mapping ... 9
    Example: NAT-Dst from an IP Address Range to a Single IP Address ... 9
    Example: NAT-Dst Between IP Address Ranges ... 10
  Directional Nature of NAT-Src and NAT-Dst ... 10

Chapter 2 Source Network Address Translation 13
  Introduction to NAT-Src ... 13
  NAT-Src from a DIP Pool with PAT Enabled ... 15
    Example: NAT-Src with PAT Enabled ... 15
  NAT-Src from a DIP Pool with PAT Disabled ... 18
    Example: NAT-Src with PAT Disabled ... 18
  NAT-Src from a DIP Pool with Address Shifting ... 20
    Example: NAT-Src with Address Shifting ... 21
  NAT-Src from the Egress Interface IP Address ... 24
    Example: NAT-Src Without DIP ... 24

Chapter 3 Destination Network Address Translation 27
  Introduction to NAT-Dst ... 28
    Packet Flow for NAT-Dst ... 29
    Routing for NAT-Dst ... 32
      Example: Addresses Connected to One Interface ... 33
      Example: Addresses Connected to One Interface But Separated by a Router ... 34
      Example: Addresses Separated by an Interface ... 34
  NAT-Dst—One-to-One Mapping ... 35
    Example: One-to-One Destination Translation ... 36
    Translating from One Address to Multiple Addresses ... 38
      Example: One-to-Many Destination Translation ... 38
  NAT-Dst—Many-to-One Mapping ... 41
    Example: Many-to-One Destination Translation ... 41
  NAT-Dst—Many-to-Many Mapping ... 44
    Example: Many-to-Many Destination Translation ... 45
  NAT-Dst with Port Mapping ... 47
    Example: NAT-Dst with Port Mapping ... 47
  NAT-Src and NAT-Dst in the Same Policy ... 50
    Example: NAT-Src and NAT-Dst Combined ... 50

Chapter 4 Mapped and Virtual Addresses 63
  Mapped IP Addresses ... 63
    MIP and the Global Zone ... 64
      Example: MIP on an Untrust Zone Interface ... 65
      Example: Reaching a MIP from Different Zones ... 67
      Example: Adding a MIP to a Tunnel Interface ... 70
    MIP-Same-as-Untrust ... 70
      Example: MIP on the Untrust Interface ... 71
    MIP and the Loopback Interface ... 73
      Example: MIP for Two Tunnel Interfaces ... 74
    MIP Grouping ... 79
      Example: MIP Grouping with Multi-Cell Policy ... 79
  Virtual IP Addresses ... 80
    VIP and the Global Zone ... 82
      Example: Configuring Virtual IP Servers ... 82
      Example: Editing a VIP Configuration ... 84
      Example: Removing a VIP Configuration ... 84
      Example: VIP with Custom and Multiple-Port Services ... 85

Index ... IX-I

Volume 9: User Authentication

About This Guide vii
  Document Conventions ... viii
    Web User Interface Conventions ... viii
    Command Line Interface Conventions ... viii
    Naming Conventions and Character Types ... ix
    Illustration Conventions ... x
  Technical Documentation and Support ... xi

Chapter 1 Authentication 1
  User Authentication Types ... 1
  Admin Users ... 2
  Multiple-Type Users ... 4
  Group Expressions ... 5
    Example: Group Expressions (AND) ... 6
    Example: Group Expressions (OR) ... 8
    Example: Group Expressions (NOT) ... 9
  Banner Customization ... 10
    Example: Customizing a WebAuth Banner ... 10
    Login Banner ... 10
      Example: Creating a Login Banner ... 11

Chapter 2 Authentication Servers 13
  Authentication Server Types ... 13
  Local Database ... 15
    Example: Local Database Timeout ... 16
  External Authentication Servers ... 17
    Auth Server Object Properties ... 18
  Auth Server Types ... 19
    Remote Authentication Dial-In User Service ... 19
      RADIUS Auth Server Object Properties ... 20
      Supported User Types and Features ... 20
      RADIUS Dictionary File ... 21
      RADIUS Access Challenge ... 22
      Supported RADIUS Enhancements for Auth and XAuth Users ... 24
    SecurID ... 27
      SecurID Auth Server Object Properties ... 28
      Supported User Types and Features ... 28
    Lightweight Directory Access Protocol ... 29
      LDAP Auth Server Object Properties ... 30
      Supported User Types and Features ... 30
    Terminal Access Controller Access Control System Plus (TACACS+) ... 30
      TACACS+ Server Object Properties ... 32
  Prioritizing Admin Authentication ... 32
  Defining Auth Server Objects ... 33
    Example: RADIUS Auth Server ... 33
    Example: SecurID Auth Server ... 35
    Example: LDAP Auth Server ... 36
    Example: TACACS+ Auth Server ... 38
  Defining Default Auth Servers ... 39
    Example: Changing Default Auth Servers ... 39

Chapter 3 Infranet Authentication 41
  Unified Access Control Solution ... 42
  How the Firewall Works with the Infranet Controller ... 43
  Configuring for Infranet Authentication ... 44

Chapter 4 Authentication Users 45
  Referencing Auth Users in Policies ... 46
    Run-Time Authentication ... 46
    Pre-Policy Check Authentication (WebAuth) ... 47
  Referencing Auth User Groups in Policies ... 48
    Example: Run-Time Authentication (Local User) ... 49
    Example: Run-Time Authentication (Local User Group) ... 50
    Example: Run-Time Authentication (External User) ... 51
    Example: Run-Time Authentication (External User Group) ... 53
    Example: Local Auth User in Multiple Groups ... 55
    Example: WebAuth (Local User Group) ... 58
    Example: WebAuth (External User Group) ... 59
    Example: WebAuth + SSL Only (External User Group) ... 61
Chapter 5 IKE, XAuth, and L2TP Users 65
  IKE Users and User Groups ... 65
    Example: Defining IKE Users ... 66
    Example: Creating an IKE User Group ... 67
    Referencing IKE Users in Gateways ... 68
  XAuth Users and User Groups ... 68
    Event Logging for IKE Mode ... 69
    XAuth Users in IKE Negotiations ... 70
      Example: XAuth Authentication (Local User) ... 71
      Example: XAuth Authentication (Local User Group) ... 73
      Example: XAuth Authentication (External User) ... 74
      Example: XAuth Authentication (External User Group) ... 76
      Example: XAuth Authentication and Address Assignments (Local User Group) ... 79
    XAuth Client ... 83
      Example: Security Device as an XAuth Client ... 83
  L2TP Users and User Groups ... 84
    Example: Local and External L2TP Auth Servers ... 84
Chapter 6 Extensible Authentication for Wireless and Ethernet Interfaces 89
  Overview ... 90
  Supported EAP Types ... 90
  Enabling and Disabling 802.1X Authentication ... 91
    Ethernet Interfaces ... 91
    Wireless Interfaces ... 91
  Configuring 802.1X Settings ... 92
    Configuring 802.1X Port Control ... 92
    Configuring 802.1X Control Mode ... 93
    Setting the Maximum Number of Simultaneous Users ... 93
    Configuring the Reauthentication Period ... 94
    Enabling EAP Retransmissions ... 94
    Configuring EAP Retransmission Count ... 95
    Configuring EAP Retransmission Period ... 95
    Configuring the Silent (Quiet) Period ... 95
  Configuring Authentication Server Options ... 96
    Specifying an Authentication Server ... 96
      Ethernet Interfaces ... 96
      Wireless Interfaces ... 97
    Setting the Account Type ... 97
    Enabling Zone Verification ... 98
  Viewing 802.1X Information ... 98
    Viewing 802.1X Global Configuration Information ... 98
    Viewing 802.1X Information for an Interface ... 99
    Viewing 802.1X Statistics ... 99
    Viewing 802.1X Session Statistics ... 100
    Viewing 802.1X Session Details ... 100
  Configuration Examples ... 101
    Configuring the Security Device with a Directly Connected Client and RADIUS Server ... 101
    Configuring a Security Device with a Hub Between a Client and the Security Device ... 102
    Configuring the Authentication Server with a Wireless Interface ... 104
Index ... IX-I
Volume 10: Virtual Systems
About This Volume v
  Document Conventions ... v
    Web User Interface Conventions ... v
    Command Line Interface Conventions ... vi
    Naming Conventions and Character Types ... vi
    Illustration Conventions ... viii
  Technical Documentation and Support ... ix
Chapter 1 Virtual Systems 1
  Overview ... 2
  Vsys Objects ... 4
    Creating a Vsys Object and Admin ... 4
    Setting a Default Virtual Router for a Vsys ... 6
    Binding Zones to a Shared Virtual Router ... 6
  Logging In as a Vsys Admin ... 7
  Virtual System Profiles ... 8
    Vsys Session Counters ... 9
    Vsys Session Information ... 9
    Behavior in High-Availability Pairs ... 10
    Creating a Vsys Profile ... 10
    Setting Resource Limits ... 10
    Adding Session Limits Through Vsys Profile Assignment ... 12
    Setting a Session Override ... 13
      Overriding a Session Limit Reached Alarm ... 13
    Deleting a Vsys Profile ... 13
    Viewing Vsys Settings ... 14
      Viewing Overrides ... 14
      Viewing a Profile ... 15
      Viewing Session Statistics ... 16
  Sharing and Partitioning CPU Resources ... 16
    Configuring CPU Weight ... 17
    Fair Mode Packet Flow ... 18
    Returning from Fair Mode to Shared Mode ... 19
    Enabling the CPU Limit Feature ... 19
    Measuring CPU Use ... 20
    Setting the Shared to Fair Mode CPU Utilization Threshold ... 22
    Configuring a Method to Return to Shared Mode ... 25
    Setting a Fixed Root Vsys CPU Weight ... 26
  Vsys and Virtual Private Networks ... 26
    Viewing Security Associations ... 27
    Viewing IKE Cookies ... 27
  Policy Scheduler ... 28
    Creating a Policy Scheduler ... 28
    Binding a Policy Schedule to a Policy ... 29
    Viewing Policy Schedules ... 29
    Deleting a Policy Schedule ... 30
Chapter 2 Traffic Sorting 31
  Overview ... 31
    Sorting Traffic ... 31
    Sorting Through Traffic ... 32
    Dedicated and Shared Interfaces ... 37
      Dedicated Interfaces ... 37
      Shared Interfaces ... 37
  Importing and Exporting Physical Interfaces ... 39
    Importing a Physical Interface to a Virtual System ... 39
    Exporting a Physical Interface from a Virtual System ... 40
Chapter 3 VLAN-Based Traffic Classification 41
  Overview ... 41
    VLANs ... 42
    VLANs with Vsys ... 42
  Configuring Layer 2 Virtual Systems ... 43
    Example 1: Configuring a Single Port ... 45
    Example 2: Configuring Two 4-Port Aggregates with Separate Untrust Zones ... 49
    Example 3: Configuring Two 4-Port Aggregates that Share One Untrusted Zone ... 55
  Defining Subinterfaces and VLAN Tags ... 62
  Communicating Between Virtual Systems ... 65
  VLAN Retagging ... 68
    Example: ... 69
Chapter 4 IP-Based Traffic Classification 71
  Overview ... 71
  Designating an IP Range to the Root System ... 72
  Configuring IP-Based Traffic Classification ... 73
Index ... IX-I
Volume 11: High Availability
About This Volume v
  Document Conventions ... vi
    Web User Interface Conventions ... vi
    Command Line Interface Conventions ... vi
    Naming Conventions and Character Types ... vii
    Illustration Conventions ... viii
  Technical Documentation and Support ... ix
Chapter 1 NetScreen Redundancy Protocol 1
  High Availability Overview ... 1
  NSRP Overview ... 3
    NSRP Default Settings ... 4
    NSRP-Lite ... 4
    NSRP-Lite Default Settings ... 6
    Basic NSRP Settings ... 6
      Control Link Messages ... 6
      Data Link Messages ... 7
      Dynamic Routing Advisory ... 8
      Dual Link Probes ... 8
  NSRP Clusters ... 10
    Cluster Names ... 11
      Active/Passive Configuration ... 11
      Active/Active Configuration ... 12
      Active/Active Full-Mesh Configuration ... 14
    NSRP Cluster Authentication and Encryption ... 15
    Run-Time Objects ... 16
    RTO Mirror Operational States ... 17
    NSRP Cluster Synchronization ... 18
      File Synchronization ... 18
      Configuration Synchronization ... 19
      Route Synchronization ... 19
      Run-Time Object Synchronization ... 20
      System Clock Synchronization ... 20
  VSD Groups ... 21
    Preempt Option ... 21
    Member States ... 22
    Heartbeat Message ... 23
    VSI and Static Routes ... 24
  Configuration Examples ... 25
    Cabling Devices for Active/Active Full-Mesh NSRP ... 25
    Creating an NSRP Cluster ... 28
    Configuring an Active/Passive NSRP Cluster ... 30
    Configuring an Active/Active NSRP Cluster ... 34
    Synchronizing RTOs Manually ... 39
    Configuring Manual Link Probes ... 40
    Configuring Automatic Link Probes ... 40
Chapter 2 Interface Redundancy and Failover 41
  Redundant Interfaces and Zones ... 42
    Holddown Time Settings ... 42
    Aggregate Interfaces ... 43
  Interface Failover ... 44
    Backup Interface Traffic ... 44
    Primary Interface Traffic ... 45
    Automatic Traffic Failover ... 45
    Serial Interfaces ... 46
      Default Route Deletion ... 46
      Default Route Addition ... 46
      Policy Deactivation ... 47
    Monitoring Failover ... 47
    Interface Failover with IP Tracking ... 48
    Active-to-Backup Tunnel Failover ... 48
    Interface Failover with VPN Tunnel Monitoring ... 48
  NSRP Object Monitoring to Trigger Failover ... 50
    Security Module ... 51
    Physical Interface ... 51
    Zone Objects ... 52
    Tracked IP Objects ... 52
    Track IP for Device Failover ... 54
  Virtual Security Device Group Failover ... 56
  Virtual System Failover ... 56
  Device Failover ... 57
  Configuration Examples ... 58
    Configuring Track IP for Device Failover ... 59
    Configuring a Redundant VPN Tunnel ... 61
    Configuring Virtual Security Interfaces ... 65
    Configuring Dual Active Tunnels ... 68
    Configuring Interface Failover Using Track IP ... 72
    Configuring Tunnel Failover Weights ... 76
    Configuring Virtual System Failover ... 82
Index ... IX-I
Volume 12: WAN, DSL, Dial, and Wireless
About This Volume ix
  Document Conventions ... x
    Web User Interface Conventions ... x
    Command Line Interface Conventions ... x
    Naming Conventions and Character Types ... xi
    Illustration Conventions ... xii
  Technical Documentation and Support ... xiii
Chapter 1 Wide Area Networks 1
  WAN Overview ... 1
    Serial ... 2
    T1 ... 3
    E1 ... 3
    T3 ... 4
    E3 ... 4
    ISDN ... 5
  WAN Interface Options ... 7
    Hold Time ... 8
    Frame Checksum ... 9
    Idle-cycle Flag ... 9
    Start/End Flag ... 9
    Line Encoding ... 10
      Alternate Mark Inversion Encoding ... 10
      B8ZS and HDB3 Line Encoding ... 11
      Byte Encoding ... 11
      Line Buildout ... 11
    Framing Mode ... 12
      Superframe for T1 ... 12
      Extended Superframe for T1 ... 12
      C-Bit Parity Framing for T3 ... 13
    Clocking ... 13
      Clocking Mode ... 13
      Clocking Source ... 14
      Internal Clock Rate ... 14
      Transmit Clock Inversion ... 16
    Signal Handling ... 16
    Loopback Signal ... 17
      Remote and Local Loopback ... 17
      Loopback Mode ... 18
      CSU Compatibility Mode ... 20
      Remote Loopback Response ... 21
      FEAC Response ... 21
    Time Slots ... 22
      Fractional T1 ... 22
      Fractional E1 ... 22
    Bit Error Rate Testing ... 23
    ISDN Options ... 24
      Switch Type ... 24
      SPID ... 24
      TEI Negotiation ... 25
      Calling Number ... 25
      T310 Value ... 25
      Send Complete ... 26
    BRI Mode ... 26
      Leased-Line Mode ... 26
      Dialer Enable ... 26
    Dialer Options ... 27
    Disabling a WAN Interface ... 28
  WAN Interface Encapsulation ... 28
    Point-to-Point Protocol ... 29
    Frame Relay ... 29
    Cisco-High-Level Data Link Control (Cisco-HDLC) ... 30
    Basic Encapsulation Options ... 30
      Unnumbered Interfaces ... 31
      Protocol Maximum Transmission Unit Configuration ... 31
      Static IP Address Configuration ... 31
      Keepalives ... 32
    PPP Encapsulation Options ... 33
      PPP Access Profile ... 33
      PPP Authentication Method ... 34
      Password ... 35
    PPP Authentication Protocols ... 35
      Challenge Handshake Authentication Protocol ... 35
      Password Authentication Protocol ... 36
      Local Database User ... 36
    Frame Relay Encapsulation Options ... 36
      Keepalive Messages ... 37
      Frame Relay LMI Type ... 37
      Creating and Configuring PVCs ... 38
      Inverse Address Resolution Protocol ... 39
  Multilink Encapsulation ... 40
    Overview ... 40
    Basic Multilink Bundle Configuration ... 41
      Bundle Identifier ... 41
      Drop Timeout ... 41
      Fragment Threshold ... 42
      Minimum Links ... 43
      Basic Configuration Steps ... 43
      Maximum Received Reconstructed Unit ... 44
      Sequence-Header Format ... 44
    Multilink Frame Relay Configuration Options ... 45
      Basic Configuration Steps ... 45
      Link Assignment for MLFR ... 46
      Acknowledge Retries ... 46
      Acknowledge Timer ... 46
      Hello Timer ... 47
  WAN Interface Configuration Examples ... 47
    Configuring a Serial Interface ... 47
    Configuring a T1 Interface ... 48
    Configuring an E1 Interface ... 49
    Configuring a T3 Interface ... 49
    Configuring an E3 Interface ... 50
    Configuring a Device for ISDN Connectivity ... 51
    Step 1: Selecting the ISDN Switch Type ... 51
    Step 2: Configuring a PPP Profile ... 51
    Step 3: Setting Up the ISDN BRI Interface ... 52
      Dialing Out to a Single Destination Only ... 52
      Dialing Out Using the Dialer Interface ... 53
      Using Leased-Line Mode ... 56
    Step 4: Routing Traffic to the Destination ... 56
  Encapsulation Configuration Examples ... 58
    Configuring PPP Encapsulation ... 58
    Configuring MLPPP Encapsulation ... 59
    Configuring Frame Relay Encapsulation ... 61
    Configuring MLFR Encapsulation ... 61
    Configuring Cisco HDLC Encapsulation ... 63
Chapter 2 Digital Subscriber Line 65
  Digital Subscriber Line Overview ... 65
    Asynchronous Transfer Mode ... 66
      ATM Quality of Service ... 67
      Point-to-Point Protocol over ATM ... 68
      Multilink Point-to-Point Protocol ... 69
    Discrete Multitone for DSL Interfaces ... 69
    Annex Mode ... 70
    Virtual Circuits ... 71
      VPI/VCI and Multiplexing Method ... 71
      PPPoE or PPPoA ... 72
    Static IP Address and Netmask ... 72
  ADSL Interface ... 73
  G.SHDSL Interface ... 74
    Loopback Mode ... 75
    Operation, Administration, and Maintenance ... 75
    Signal-to-Noise Ratio ... 76
  ADSL Configuration Examples ... 77
    Example 1: (Small Business/Home) PPPoA on ADSL Interface ... 78
    Example 2: (Small Business/Home) 1483 Bridging on ADSL Interface ... 80
    Example 3: (Small Business) 1483 Routing on ADSL Interface ... 82
    Example 4: (Small Business/Home) Dialup Backup ... 84
    Example 5: (Small Business/Home) Ethernet Backup ... 87
    Example 6: (Small Business/Home) ADSL Backup ... 90
    Example 7: (Small Business) MLPPP ADSL ... 93
    Example 8: (Small Business) Allow Access to Local Servers ... 95
    Example 9: (Branch Office) VPN Tunnel Through ADSL ... 97
Table of Contents
Example 10: (Branch Office) Secondary VPN Tunnel .............................101
Chapter 3 ISP Failover and Dial Recovery 109
Setting ISP Priority for Failover ..... 109
Defining Conditions for ISP Failover ..... 110
Configuring a Dialup Recovery Solution ..... 110
Chapter 4 Wireless Local Area Network 115
Overview ..... 116
Wireless Product Interface Naming Differences ..... 117
Basic Wireless Network Feature Configuration ..... 117
Creating a Service Set Identifier ..... 117
Suppressing SSID Broadcast ..... 118
Isolating a Client ..... 118
Setting the Operation Mode for a 2.4 GHz Radio Transceiver ..... 119
Setting the Operation Mode for a 5 GHz Radio Transceiver ..... 119
Configuring Minimum Data Transmit Rate ..... 120
Configuring Transmit Power ..... 121
Reactivating a WLAN Configuration ..... 121
Configuring Authentication and Encryption for SSIDs ..... 122
Configuring Wired Equivalent Privacy ..... 122
Multiple WEP Keys ..... 123
Configuring Open Authentication ..... 124
Configuring WEP Shared-Key Authentication ..... 126
Configuring Wi-Fi Protected Access ..... 127
Configuring 802.1X Authentication for WPA and WPA2 ..... 128
Configuring Preshared Key Authentication for WPA and WPA2 ..... 128
Specifying Antenna Use ..... 129
Setting the Country Code, Channel, and Frequency ..... 130
Using Extended Channels ..... 130
Performing a Site Survey ..... 131
Locating Available Channels ..... 131
Setting an Access Control List Entry ..... 132
Configuring Super G ..... 133
Configuring Atheros XR (Extended Range) ..... 133
Configuring Wi-Fi Multimedia Quality of Service ..... 134
Enabling WMM ..... 134
Configuring WMM Quality of Service ..... 134
Access Categories ..... 135
WMM Default Settings ..... 135
Example ..... 137
Configuring Advanced Wireless Parameters ..... 138
Configuring Aging Interval ..... 138
Configuring Beacon Interval ..... 139
Configuring Delivery Traffic Indication Message Period ..... 140
Configuring Burst Threshold ..... 140
Configuring Fragment Threshold ..... 140
Configuring Request to Send Threshold ..... 141
Configuring Clear to Send Mode ..... 141
Configuring Clear to Send Rate ..... 142
Configuring Clear to Send Type ..... 142
Configuring Slot Time ..... 143
Configuring Preamble Length ..... 143
Table of Contents xxxvii
xxxviii
Concepts & Examples ScreenOS Reference Guide
Working with Wireless Interfaces ..... 144
Binding an SSID to a Wireless Interface ..... 144
Binding a Wireless Interface to a Radio ..... 144
Creating Wireless Bridge Groups ..... 145
Disabling a Wireless Interface ..... 146
Viewing Wireless Configuration Information ..... 146
Configuration Examples ..... 147
Example 1: Open Authentication and WEP Encryption ..... 147
Example 2: WPA-PSK Authentication with Passphrase and Automatic Encryption ..... 147
Example 3: WLAN in Transparent Mode ..... 148
Example 4: Multiple and Differentiated Profiles ..... 151
Appendix A Wireless Information A-I
802.11a Channel Numbers ..... A-I
802.11b and 802.11g Channels ..... A-III
Turbo-Mode Channel Numbers ..... A-IV
Index..........................................................................................................................IX-I
Volume 13: General Packet Radio Service
About This Volume v
Document Conventions ..... v
Web User Interface Conventions ..... v
Command Line Interface Conventions ..... vi
Naming Conventions and Character Types ..... vi
Illustration Conventions ..... viii
Technical Documentation and Support ........................................................... ix
Chapter 1 GPRS 1
The Security Device as a GPRS Tunneling Protocol Firewall ..... 2
Gp and Gn Interfaces ..... 3
Gi Interface ..... 3
Operational Modes ..... 4
Virtual System Support ..... 5
Policy-Based GPRS Tunneling Protocol ..... 5
Example: Configuring Policies to Enable GTP Inspection ..... 6
GPRS Tunneling Protocol Inspection Object ..... 7
Example: Creating a GTP Inspection Object ..... 8
GTP Message Filtering ..... 8
Packet Sanity Check ..... 8
Message-Length Filtering ..... 9
Example: Setting GTP Message Lengths ..... 9
Message-Type Filtering ..... 10
Example: Permitting and Denying Message Types ..... 10
Supported Message Types ..... 10
Message-Rate Limiting ..... 12
Example: Setting a Rate Limit ..... 12
Sequence Number Validation ..... 13
Example: Enabling Sequence Number Validation ..... 13
IP Fragmentation ..... 13
GTP-in-GTP Packet Filtering ..... 13
Example: Enabling GTP-in-GTP Packet Filtering ..... 13
Deep Inspection ..... 14
Example: Enabling Deep Inspection on the TEID ..... 14
GTP Information Elements ..... 14
Access Point Name Filtering ..... 15
Example: Setting an APN and a Selection Mode ..... 16
IMSI Prefix Filtering ..... 16
Example: Setting a Combined IMSI Prefix and APN Filter ..... 17
Radio Access Technology ..... 17
Example: Setting an RAT and APN Filter ..... 17
Routing Area Identity and User Location Information ..... 18
Example: Setting an RAI and APN Filter ..... 18
Example: Setting a ULI and APN Filter ..... 18
APN Restriction ..... 18
IMEI-SV ..... 19
Example: Setting an IMEI-SV and APN Filter ..... 19
Protocol and Signaling Requirements ..... 19
Combination Support for IE Filtering ..... 20
Supported R6 Information Elements ..... 20
3GPP R6 IE Removal ..... 22
Example: R6 Removal ..... 23
GTP Tunnels ..... 23
GTP Tunnel Limiting ..... 23
Example: Setting GTP Tunnel Limits ..... 23
Stateful Inspection ..... 23
GTP Tunnel Establishment and Teardown ..... 24
Inter SGSN Routing Area Update ..... 24
Tunnel Failover for High Availability ..... 24
Hanging GTP Tunnel Cleanup ..... 25
Example: Setting the Timeout for GTP Tunnels ..... 25
SGSN and GGSN Redirection ..... 26
Overbilling-Attack Prevention ..... 26
Overbilling-Attack Description ..... 26
Overbilling-Attack Solution ..... 28
Example: Configuring the Overbilling Attack Prevention Feature ..... 29
GTP Traffic Monitoring ..... 31
Traffic Logging ..... 31
Example: Enabling GTP Packet Logging ..... 32
Traffic Counting ..... 33
Example: Enabling GTP Traffic Counting ..... 33
Lawful Interception ..... 34
Example: Enabling Lawful Interception ..... 34
Index..........................................................................................................................IX-I
Volume 14: Dual-Stack Architecture with IPv6
About This Volume vii
Document Audience ..... viii
Document Conventions ..... viii
Web User Interface Conventions ..... viii
Command Line Interface Conventions ..... viii
Naming Conventions and Character Types ..... ix
Illustration Conventions ..... x
Technical Documentation and Support ........................................................... xi
Chapter 1 Internet Protocol Version 6 Introduction 1
Overview ..... 2
IPv6 Addressing ..... 2
Notation ..... 2
Prefixes ..... 3
Address Types ..... 3
Unicast Addresses ..... 3
Anycast Addresses ..... 4
Multicast Addresses ..... 4
IPv6 Headers ..... 4
Basic Header ..... 4
Extension Headers ..... 5
IPv6 Packet Handling ..... 6
IPv6 Router and Host Modes ..... 7
IPv6 Tunneling Guidelines ..... 8
Chapter 2 IPv6 Configuration 9
Overview ..... 11
Address Autoconfiguration ..... 11
Extended Unique Identifier ..... 11
Router Advertisement Messages ..... 12
Router Solicitation Messages ..... 12
Prefix Lists ..... 12
Neighbor Discovery ..... 13
Neighbor Cache Table ..... 13
Neighbor Unreachability Detection ..... 13
Neighbor Entry Categories ..... 14
Neighbor Reachability States ..... 14
How Reachability State Transitions Occur ..... 15
Enabling an IPv6 Environment ..... 18
Enabling IPv6 at the Device Level ..... 18
Disabling IPv6 at the Device Level ..... 19
Configuring an IPv6 Host ..... 19
Binding the IPv6 Interface to a Zone ..... 20
Enabling IPv6 Host Mode ..... 20
Setting an Interface Identifier ..... 20
Configuring Address Autoconfiguration ..... 21
Configuring Neighbor Discovery ..... 21
Configuring an IPv6 Router ..... 22
Binding the IPv6 Interface to a Zone ..... 22
Enabling IPv6 Router Mode ..... 22
Setting an Interface Identifier ..... 23
Setting Address Autoconfiguration ..... 23
Outgoing Router Advertisements Flag ..... 23
Managed Configuration Flag ..... 24
Other Parameters Configuration Flag ..... 24
Disabling Address Autoconfiguration .......................................................24
Setting Advertising Time Intervals ..... 25
Advertised Reachable Time Interval ..... 25
Advertised Retransmit Time Interval ..... 26
Maximum Advertisement Interval ..... 26
Minimum Advertisement Interval ..... 26
Advertised Default Router Lifetime ..... 27
Advertising Packet Characteristics ..... 27
Link MTU Value ..... 27
Current Hop Limit ..... 28
Advertising Router Characteristics ..... 28
Link Layer Address Setting ..... 28
Advertised Router Preference ..... 28
Configuring Neighbor Discovery Parameters ..... 29
Neighbor Unreachability Detection ..... 29
MAC Session-Caching ..... 29
Static Neighbor Cache Entries ..... 30
Base Reachable Time ..... 30
Probe Time ..... 31
Retransmission Time ..... 31
Duplicate Address Detection Retry Count ..... 31
Viewing IPv6 Interface Parameters ..... 32
Viewing Neighbor Discovery Configurations ..... 32
Viewing the Current RA Configuration ..... 32
Configuration Examples ..... 33
IPv6 Router ..... 33
IPv6 Host ..... 33
Chapter 3 Connection and Network Services 35
Overview ..... 36
Dynamic Host Configuration Protocol Version 6 ..... 36
Device-Unique Identification ..... 36
Identity Association Prefix Delegation-Identification ..... 37
Prefix Features ..... 37
Server Preference ..... 38
Configuring a DHCPv6 Server ..... 38
Configuring a DHCPv6 Client ..... 40
Viewing DHCPv6 Settings ..... 41
Configuring Domain Name System Servers ..... 42
Requesting DNS and DNS Search List Information ..... 43
Setting Proxy DNS Address Splitting ..... 44
Configuring PPPoE ..... 46
Setting Fragmentation ..... 47
Chapter 4 Static and Dynamic Routing 49
Overview ..... 50
Dual Routing Tables ..... 50
Static and Dynamic Routing ..... 51
Upstream and Downstream Prefix Delegation ..... 51
Static Routing ..... 52
RIPng Configuration ..... 53
Creating and Deleting a RIPng Instance ..... 54
Creating a RIPng Instance ..... 54
Deleting a RIPng Instance ..... 54
Enabling and Disabling RIPng on Interfaces ..... 55
Enabling RIPng on an Interface ..... 55
Disabling RIPng on an Interface ..... 55
Global RIPng Parameters ..... 56
Advertising the Default Route ..... 56
Rejecting Default Routes ..... 57
Configuring Trusted Neighbors ..... 57
Redistributing Routes ..... 58
Protecting Against Flooding by Setting an Update Threshold ..... 59
RIPng Interface Parameters ..... 60
Route, Interface, and Offset Metrics ..... 60
Access Lists and Route Maps ..... 61
Static Route Redistribution ..... 61
Configuring Split Horizon with Poison Reverse ..... 64
Viewing Routing and RIPng Information ..... 64
Viewing the Routing Table ..... 65
Viewing the RIPng Database ..... 65
Viewing RIPng Details by Virtual Router ..... 66
Viewing RIPng Details by Interface ..... 67
Viewing RIPng Neighbor Information ..... 68
Configuration Examples ..... 69
Enabling RIPng on Tunnel Interfaces ..... 69
Avoiding Traffic Loops to an ISP Router ..... 71
Configuring the Customer Premises Equipment ..... 71
Configuring the Gateway ..... 75
Configuring the ISP Router ..... 78
Setting a Null Interface Redistribution to OSPF ..... 79
Redistributing Discovered Routes to OSPF ..... 80
Setting Up OSPF-Summary Import ..... 80
Chapter 5 Address Translation 81
Overview ..... 82
Translating Source IP Addresses ..... 83
DIP from IPv6 to IPv4 ..... 83
DIP from IPv4 to IPv6 ..... 83
Translating Destination IP Addresses ..... 84
MIP from IPv6 to IPv4 ..... 84
MIP from IPv4 to IPv6 ..... 85
Configuration Examples ..... 86
IPv6 Hosts to Multiple IPv4 Hosts ..... 86
IPv6 Hosts to a Single IPv4 Host ..... 88
IPv4 Hosts to Multiple IPv6 Hosts ..... 90
IPv4 Hosts to a Single IPv6 Host ..... 91
Translating Addresses for Domain Name System Servers ..... 93
Chapter 6 IPv6 in an IPv4 Environment 97
Overview ..... 98
Configuring Manual Tunneling ..... 99
Configuring 6to4 Tunneling ..... 102
6to4 Routers ..... 102
6to4 Relay Routers ..... 103
Tunnels to Remote Native Hosts ..... 104
Tunnels to Remote 6to4 Hosts ..... 107
Chapter 7 IPSec Tunneling 111
Overview ..... 112
IPSec 6in6 Tunneling ..... 112
IPSec 4in6 Tunneling ..... 115
IPSec 6in4 Tunneling ..... 120
Manual Tunneling with Fragmentation Enabled ..... 124
IPv6 to IPv6 Route-Based VPN Tunnel ..... 125
IPv4 to IPv6 Route-Based VPN Tunnel ..... 127
Chapter 8 IPv6 XAuth User Authentication 131
Overview ..... 132
RADIUSv6 ..... 132
Single Client, Single Server ..... 132
Multiple Clients, Single Server ..... 132
Single Client, Multiple Servers ..... 133
Multiple Hosts, Single Server ..... 133
IPSec Access Session Management ..... 134
IPSec Access Session ..... 134
Enabling and Disabling IAS Functionality ..... 136
Releasing an IAS Session ..... 136
Limiting IAS Settings ..... 136
Dead Peer Detection ..... 137
Configuration Examples ..... 138
XAuth with RADIUS ..... 138
RADIUS with XAuth Route-Based VPN ..... 139
RADIUS with XAuth and Domain Name Stripping ..... 143
IP Pool Range Assignment ..... 147
RADIUS Retries ..... 153
Calling-Station-Id ..... 153
IPSec Access Session ..... 154
Dead Peer Detection ..... 163
Appendix A Switching A-I
Index..........................................................................................................................IX-I
Concepts & Examples ScreenOS Reference Guide
About the Concepts & Examples ScreenOS Reference Guide
Juniper Networks security devices integrate the following firewall, virtual private network (VPN), and traffic-shaping features to provide flexible protection for security zones when connecting to the Internet:
Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network, such as the Internet.
Layered Security: The layered security solution is deployed at different locations to repel attacks. If one layer fails, the next one catches the attack. Some functions help protect remote locations with site-to-site VPNs. Devices deployed at the perimeter repel network-based attacks. Another layer, using Intrusion Detection Prevention (IDP) and Deep Inspection, automatically detects and prevents attacks from inflicting damages.
Network segmentation, the final security layer (also known as virtualization), divides the network up into secure domains to protect critical resources from unauthorized roaming users and network attacks.
Content Security: Protects users from malicious URLs and provides embedded antivirus scanning and web filtering. In addition, works with third-party products to provide external antivirus scanning, anti-spam, and web filtering.
VPN: A VPN provides a secure communications channel between two or more remote network appliances.
Integrated Networking Functions: Dynamic routing protocols learn reachability and advertise dynamically changing network topologies. In addition, traffic shaping functionality allows administrative monitoring and control of traffic passing across the Juniper Networks firewall to maintain a network’s quality-of-service (QoS) level.
Centralized Management: The NetScreen-Security Manager tool simplifies configuration, deployment, and management of security devices.
Redundancy: High availability of interfaces, routing paths, security devices, and—on high-end Juniper Networks devices—power supplies and fans, to avoid a single point of failure in any of these areas.
Figure 1: Key Features in ScreenOS
The ScreenOS system provides all the features needed to set up and manage any security appliance or system. This document is a reference guide for configuring and managing a Juniper Networks security device through ScreenOS.
NOTE: For information about Juniper Networks’ compliance with Federal Information Processing Standards (FIPS) and for instructions on setting a FIPS-compliant security device in FIPS mode, refer to the platform-specific Cryptographic Module Security Policy document on the documentation CD.
Figure 1 (diagram; only its labels survive extraction): a Juniper Networks security device and a Backup Device sit between a Trust Zone LAN and the Untrust Zone facing the Internet, with these callouts:
Redundancy: The backup device maintains identical configuration and sessions as those on the primary device to assume the place of the primary device if necessary. (Note: Interfaces, routing paths, power supplies, and fans can also be redundant.)
VPNs: Secure communication tunnels between sites for traffic passing through the Internet
Firewall: Screening traffic between the protected LAN and the Internet
Integrated Networking Functions: Performs routing functions and communicates and interacts with routing devices in the environment
Traffic Shaping: Efficient prioritization of traffic as it traverses the firewall
Dynamic Routing: The routing table automatically updates by communicating with dynamic routing peers.
Volume Organization
The Concepts & Examples ScreenOS Reference Guide is a multi-volume manual. The following information outlines and summarizes the material in each volume:
Volume 1: Overview
“Table of Contents” contains a master table of contents for all volumes in the manual.
“Master Index” is an index of all volumes in the manual.
Volume 2: Fundamentals
Chapter 1, “ScreenOS Architecture,” presents the fundamental elements of the architecture in ScreenOS and concludes with a four-part example illustrating an enterprise-based configuration incorporating most of those elements. In this and all subsequent chapters, each concept is accompanied by illustrative examples.
Chapter 2, “Zones,” explains security zones, tunnel zones, and function zones.
Chapter 3, “Interfaces,” describes the various physical, logical, and virtual interfaces on security devices.
Chapter 4, “Interface Modes,” explains the concepts behind Transparent, Network Address Translation (NAT), and Route interface operational modes.
Chapter 5, “Building Blocks for Policies,” discusses the elements used for creating policies and virtual private networks (VPNs): addresses (including VIP addresses), services, and DIP pools. It also presents several example configurations supporting the H.323 protocol.
Chapter 6, “Policies,” explores the components and functions of policies and offers guidance on their creation and application.
Chapter 7, “Traffic Shaping,” explains how you can manage bandwidth at the interface and policy levels and prioritize services.
Chapter 8, “System Parameters,” presents the concepts behind Domain Name System (DNS) addressing, using Dynamic Host Configuration Protocol (DHCP) to assign or relay TCP/IP settings, downloading and uploading system configurations and software, and setting the system clock.
Volume 3: Administration
Chapter 1, “Administration,” explains the different means available for managing a security device both locally and remotely. This chapter also explains the privileges pertaining to each of the four levels of network administrators that can be defined.
Chapter 2, “Monitoring Security Devices,” explains various monitoring methods and provides guidance in interpreting monitoring output.
Volume 4: Attack Detection and Defense Mechanisms
Chapter 1, “Protecting a Network,” outlines the basic stages of an attack and the firewall options available to combat the attacker at each stage.
Chapter 2, “Reconnaissance Deterrence,” describes the options available for blocking IP address sweeps, port scans, and attempts to discover the type of operating system (OS) of a targeted system.
Chapter 3, “Denial-of-Service Attack Defenses,” explains firewall, network, and OS-specific DoS attacks and how ScreenOS mitigates such attacks.
Chapter 4, “Content Monitoring and Filtering,” describes how to protect HyperText Transfer Protocol (HTTP) users from malicious uniform resource locators (URLs) and how to configure the security device to work with third party products to provide antivirus scanning and web filtering.
Chapter 5, “Deep Inspection,” describes how to configure the security device to obtain Deep Inspection (DI) attack object updates, how to create user-defined attack objects and attack object groups, and how to apply IDP at the policy level.
Chapter 6, “Intrusion Detection and Prevention,” describes Juniper Networks Intrusion Detection and Prevention (IDP) technology which can both detect and then stop attacks when deployed inline to your network. The chapter describes how to apply IDP at the policy level to drop malicious packets or connections before the attacks can enter your network.
Chapter 7, “Suspicious Packet Attributes,” explains a number of SCREEN options that block potentially dangerous packets.
Appendix A, “Contexts for User-Defined Signatures,” provides a list and descriptions of contexts that you can specify when defining a stateful signature attack object.
Volume 5: Virtual Private Networks
Chapter 1, “Internet Protocol Security,” provides background information about IPSec, presents a flow sequence for Phase 1 in IKE negotiations in Aggressive and Main modes, and concludes with information about IKE and IPSec packet encapsulation.
Chapter 2, “Public Key Cryptography,” provides information about how to obtain and load digital certificates and certificate revocation lists (CRLs).
Chapter 3, “Virtual Private Network Guidelines,” offers some useful information to help in the selection of the available VPN options. It also presents a packet flow chart to demystify VPN packet processing.
Chapter 4, “Site-to-Site Virtual Private Networks,” provides extensive examples of VPN configurations connecting two private networks.
Chapter 5, “Dialup Virtual Private Networks,” provides extensive examples of client-to-LAN communication using AutoKey IKE. It also details group IKE ID and shared IKE ID configurations.
Chapter 6, “Layer 2 Tunneling Protocol,” explains the Layer 2 Tunneling Protocol and its use alone and in conjunction with IPSec (L2TP-over-IPSec).
Chapter 7, “Advanced Virtual Private Network Features,” contains information and examples for the more advanced VPN configurations, such as NAT-Traversal, VPN monitoring, binding multiple tunnels to a single tunnel interface, and hub-and-spoke and back-to-back tunnel designs.
Chapter 8, “AutoConnect-Virtual Private Networks,” describes how ScreenOS uses Next Hop Resolution Protocol (NHRP) messages to enable security devices to set up AutoConnect VPNs as needed. The chapter provides an example of a typical scenario in which AC-VPN might be used.
Volume 6: Voice-over-Internet Protocol
Chapter 1, “H.323 Application Layer Gateway,” describes the H.323 protocol and provides examples of typical scenarios.
Chapter 2, “Session Initiation Protocol Application Layer Gateway,” describes the Session Initiation Protocol (SIP) and shows how the SIP ALG processes calls in Route and Network Address Translation (NAT) modes. Examples of typical scenarios follow a summary of the SIP architecture.
Chapter 3, “Media Gateway Control Protocol Application Layer Gateway,” presents an overview of the Media Gateway Control Protocol (MGCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the MGCP architecture.
Chapter 4, “Skinny Client Control Protocol Application Layer Gateway,” presents an overview of the Skinny Client Control Protocol (SCCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the SCCP architecture.
Volume 7: Routing
Chapter 1, “Static Routing,” describes the ScreenOS routing table, the basic routing process on the security device, and how to configure static routes on security devices.
Chapter 2, “Routing,” explains how to configure virtual routers on security devices and how to redistribute routing table entries between protocols or between virtual routers.
Chapter 3, “Open Shortest Path First,” describes how to configure the OSPF dynamic routing protocol on security devices.
Chapter 4, “Routing Information Protocol,” describes how to configure the RIP dynamic routing protocol on security devices.
Chapter 5, “Border Gateway Protocol,” describes how to configure the BGP dynamic routing protocol on security devices.
Chapter 6, “Policy-Based Routing,” explains how to force interesting traffic along a specific path in the network.
Chapter 7, “Multicast Routing,” introduces basic multicast routing concepts.
Chapter 8, “Internet Group Management Protocol,” describes how to configure the Internet Group Management Protocol (IGMP) on security devices.
Chapter 9, “Protocol Independent Multicast,” describes how to configure the Protocol Independent Multicast (PIM) routing protocol on security devices.
Chapter 10, “ICMP Router Discovery Protocol,” explains how to set up an Internet Control Message Protocol (ICMP) message exchange between a host and a router.
Volume 8: Address Translation
Chapter 1, “Address Translation,” gives an overview of the various translation options, which are covered in detail in subsequent chapters.
Chapter 2, “Source Network Address Translation,” describes NAT-src, the translation of the source IP address in a packet header, with and without Port Address Translation (PAT).
Chapter 3, “Destination Network Address Translation,” describes NAT-dst, the translation of the destination IP address in a packet header, with and without destination port address mapping. This section also includes information about the packet flow when doing NAT-src, routing considerations, and address shifting.
Chapter 4, “Mapped and Virtual Addresses,” describes the mapping of one destination IP address to another based on IP address alone (mapped IP) or based on destination IP address and destination port number (virtual IP).
Volume 9: User Authentication
Chapter 1, “Authentication,” details the various authentication methods and uses that ScreenOS supports.
Chapter 2, “Authentication Servers,” presents the options of using one of three possible types of external authentication server—RADIUS, SecurID, or LDAP—or the internal database and shows how to configure the security device to work with each type.
Chapter 3, “Infranet Authentication,” details how the security device is deployed in a unified access control (UAC) solution. Juniper Networks unified access control solution (UAC) secures and assures the delivery of applications and services across an enterprise infranet.
Chapter 4, “Authentication Users,” explains how to define profiles for authentication users and how to add them to user groups stored either locally or on an external RADIUS authentication server.
Chapter 5, “IKE, XAuth, and L2TP Users,” explains how to define IKE, XAuth, and L2TP users. Although the XAuth section focuses primarily on using the security device as an XAuth server, it also includes a subsection on configuring select security devices to act as an XAuth client.
Chapter 6, “Extensible Authentication for Wireless and Ethernet Interfaces,” explains the options available for and examples of how to use Extensible Authentication Protocol to provide authentication for Ethernet and wireless interfaces.
Volume 10: Virtual Systems
Chapter 1, “Virtual Systems,” discusses virtual systems, objects, and administrative tasks.
Chapter 2, “Traffic Sorting,” explains how ScreenOS sorts traffic.
Chapter 3, “VLAN-Based Traffic Classification,” describes VLAN-based traffic classification for virtual systems, and VLAN retagging.
Chapter 4, “IP-Based Traffic Classification,” explains IP-based traffic classification for virtual systems.
Volume 11: High Availability
Chapter 1, “NetScreen Redundancy Protocol,” explains how to cable, configure, and manage Juniper Networks security devices in a redundant group to provide high availability (HA) using the NetScreen Redundancy Protocol (NSRP).
Chapter 2, “Interface Redundancy and Failover,” describes the various ways in which Juniper Networks security devices provide interface redundancy.
Volume 12: WAN, DSL, Dial, and Wireless
Chapter 1, “Wide Area Networks,” describes how to configure a wide area network (WAN).
Chapter 2, “Digital Subscriber Line,” describes the Asymmetric Digital Subscriber Line (ADSL) interface on the security device. ADSL is a Digital Subscriber Line (DSL) technology that allows existing telephone lines to carry both voice telephone service and high-speed digital transmission.
Chapter 3, “ISP Failover and Dial Recovery,” describes how to set priority and define conditions for ISP failover and how to configure a dialup recovery solution.
Chapter 4, “Wireless Local Area Network,” describes the wireless interfaces on Juniper Networks wireless devices and provides example configurations.
Appendix A, “Wireless Information,” lists available channels, frequencies, and regulatory domains and lists the channels that are available on wireless devices for each country.
Volume 13: General Packet Radio Service
Chapter 1, “GPRS,” describes the GPRS Tunneling Protocol (GTP) features in ScreenOS and demonstrates how to configure GTP functionality on a Juniper Networks security device.
Volume 14: Dual-Stack Architecture with IPv6
Chapter 1, “Internet Protocol Version 6 Introduction,” explains IPv6 headers, concepts, and tunneling guidelines.
Chapter 2, “IPv6 Configuration,” explains how to configure an interface for operation as an IPv6 router or host.
Chapter 3, “Connection and Network Services,” explains how to configure Dynamic Host Configuration Protocol version 6 (DHCPv6), Domain Name Services (DNS), Point-to-Point Protocol over Ethernet (PPPoE), and fragmentation.
Chapter 4, “Static and Dynamic Routing,” explains how to set up static and dynamic routing. This chapter explains ScreenOS support for Routing Information Protocol-Next Generation (RIPng).
Chapter 5, “Address Translation,” explains how to use Network Address Translation (NAT) with dynamic IP (DIP) and mapped-IP (MIP) addresses to traverse IPv4/IPv6 boundaries.
Chapter 6, “IPv6 in an IPv4 Environment,” explains manual and dynamic tunneling.
Chapter 7, “IPSec Tunneling,” explains how to configure IPSec tunneling to connect dissimilar hosts.
Chapter 8, “IPv6 XAuth User Authentication,” explains how to configure Remote Authentication Dial In User Service (RADIUS) and IPSec Access Session (IAS) management.
Appendix A, “Switching,” lists options for using the security device as a switch to pass IPv6 traffic.
Document Conventions
This document uses the conventions described in the following sections:
“Web User Interface Conventions” on page liii
“Command Line Interface Conventions” on page liii
“Naming Conventions and Character Types” on page liv
“Illustration Conventions” on page lv
Web User Interface Conventions
In the Web user interface (WebUI), the set of instructions for each task is divided into navigational path and configuration settings. To open a WebUI page where you can enter configuration settings, you navigate to it by clicking on a menu item in the navigation tree on the left side of the screen, then on subsequent items. As you proceed, your navigation path appears at the top of the screen, each page separated by angle brackets.
The following shows the WebUI path and parameters for defining an address:
Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust
To open Online Help for configuration settings, click on the question mark (?) in the upper left of the screen.
The navigation tree also provides a Help > Config Guide configuration page to help you configure security policies and Internet Protocol Security (IPSec). Select an option from the dropdown menu and follow the instructions on the page. Click the ? character in the upper left for Online Help on the Config Guide.
Command Line Interface Conventions
The following conventions are used to present the syntax of command line interface (CLI) commands in examples and in text.
In examples:
Anything inside square brackets [ ] is optional.
Anything inside braces { } is required.
If there is more than one choice, each choice is separated by a pipe ( | ). For example:
set interface { ethernet1 | ethernet2 | ethernet3 } manage
Variables are in italic type:
set admin user name1 password xyz
In text, commands are in boldface type and variables are in italic type.
Naming Conventions and Character Types
ScreenOS employs the following conventions regarding the names of objects—such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones—defined in ScreenOS configurations:
If a name string includes one or more spaces, the entire string must be enclosed within double quotes; for example:
set address trust “local LAN” 10.1.1.0/24
Any leading spaces or trailing text within a set of double quotes are trimmed; for example, “ local LAN ” becomes “local LAN”.
Multiple consecutive spaces are treated as a single space.
Name strings are case-sensitive, although many CLI keywords are case-insensitive. For example, “local LAN” is different from “local lan”.
ScreenOS supports the following character types:
Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.
ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes ( “ ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.
NOTE: When entering a keyword, you only have to type enough letters to identify the word uniquely. Typing set adm u whee j12fmt54 will enter the command set admin user wheezer j12fmt54. However, all the commands documented here are presented in their entirety.
NOTE: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your browser supports.
Illustration Conventions
The following figure shows the basic set of images used in illustrations throughout this volume.
Figure 2: Images in Illustrations
Figure 2 legend (the images themselves do not survive extraction):
Autonomous System or Virtual Routing Domain
Security Zone Interfaces: White = Protected Zone Interface (example = Trust Zone); Black = Outside Zone Interface (example = Untrust Zone)
Juniper Networks Security Devices
Hub
Switch
Router
Server
VPN Tunnel
Generic Network Device
Dynamic IP (DIP) Pool
Internet
Local Area Network (LAN) with a Single Subnet or Security Zone
Tunnel Interface
Policy Engine
Technical Documentation and Support
To obtain technical documentation for any Juniper Networks product, visit www.juniper.net/techpubs/.
For technical support, open a support case using the Case Manager link at http://www.juniper.net/customers/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).
If you find any errors or omissions in this document, please contact Juniper Networks at [email protected].
Master Index
Numerics
3DES ..... 5-6
3DES encryption ..... 14-121
4in6 tunneling
    basic setup ..... 14-115
    definition ..... 14-115
6in4 tunneling ..... 14-111
    basic setup ..... 14-120
    over IPv4 WAN ..... 14-120
6over4 tunneling
    addresses, handling ..... 14-99
    definition ..... 14-98
    manual tunneling ..... 14-99
    types ..... 14-98
    when to use ..... 14-98
6to4
    addresses ..... 14-8, 14-102, 14-108
    hosts ..... 14-107
    relay routers ..... 14-102, 14-103
    routers ..... 14-102
    tunneling ..... 14-98, 14-102
    tunneling, description ..... 14-102
A
AAL5 encapsulations ..... 12-66
AAL5 multiplexing ..... 12-74
Access Concentrator (AC) ..... 14-46
access control list
    See ACL
access lists
    for routes ..... 7-40
    IGMP ..... 7-158
    multicast routing ..... 7-151
    PIM-SM ..... 7-199
Access Point Name
    See APN
access policies
    See policies
ACL ..... 12-132
ActiveX controls, blocking ..... 4-168
address books
    addresses
        adding ..... 2-104
        modifying ..... 2-105
        removing ..... 2-108
    entries ..... 2-104
    group entries, editing ..... 2-108
    groups ..... 2-105
    See also addresses
address groups ..... 2-105, 2-166
    creating ..... 2-107
    editing ..... 2-108
    entries, removing ..... 2-108
    options ..... 2-106
address negation ..... 2-186
address sweep ..... 4-8
address translation
    See NAT, NAT-dst, and NAT-src
addresses
    address book entries ..... 2-104 to 2-108
    autoconfiguration ..... 14-11
    defined ..... 2-166
    in policies ..... 2-166
    IP lifetime for XAuth users ..... 9-70
    IP, host and network IDs ..... 2-47
    L2TP assignments ..... 9-84
    link-local ..... 14-12
    MAC ..... 14-13, 14-21, 14-29
    private ..... 2-47
    public ..... 2-47
    splitting ..... 14-44
addresses, handling
    4in6 tunneling ..... 14-116
    6to4 tunneling ..... 14-104
    destination address translation ..... 14-84
    DIP from IPv4 to IPv6 ..... 14-84
    DIP from IPv6 to IPv4 ..... 14-83
    IPv4 hosts to a single IPv6 host ..... 14-113
    IPv6 hosts to multiple IPv4 hosts ..... 14-87
    manual tunneling ..... 14-99
addresses, overlapping ranges ..... 10-63, 10-72
addresses, XAuth
    assignments ..... 9-68
    authentication, and ..... 9-79
    timeout ..... 9-70
admin users ..... 9-2
    prioritizing authentication ..... 9-32
    privileges from RADIUS ..... 9-2
    server support ..... 9-14
    timeout ..... 9-18
administration
    CLI ..... 3-9
    restricting ..... 3-42
    WebUI ..... 3-2
administration, vsys ..... 10-7
administrative traffic ..... 3-29
admins ..... 10-2
    changing passwords ..... 10-4, 10-7
    types ..... 10-4
ADSL
    configuring interface ..... 12-73
    overview ..... 12-73
    VPN tunnel ..... 12-97
Advanced Encryption Standard (AES) ..... 5-6
AES ..... 5-6
AES128 encryption ..... 14-121
agents, zombie ..... 4-27, 4-29
aggregate interfaces ..... 2-37, 11-43
aggressive aging ..... 4-30 to 4-32
Aggressive mode ..... 5-10
AH ..... 5-3, 5-5
AIM ..... 4-130
alarms
    email alert ..... 3-68
    reporting to NetScreen-Security Manager ..... 3-25
    thresholds ..... 3-69
    traffic ..... 3-68 to 3-71
alarms, thresholds ..... 2-172
ALG ..... 4-55, 6-17
    SIP ..... 6-13
    SIP NAT ..... 6-23
ALGs
    for custom services ..... 2-167
    MS RPC ..... 2-129
    RTSP ..... 2-130
    Sun RPC ..... 2-127
America Online Instant Messaging
    See AIM
anti-replay checking ..... 5-52, 5-59
APN
    filtering ..... 13-15
    selection mode ..... 13-15
Application Layer Gateway
    See ALG
application option, in policies ..... 2-167
ARP ..... 2-82, 11-52
    broadcasts ..... 11-29
    lookup ..... 11-38
ARP, ingress IP address ..... 2-84
asset recovery log ..... 3-68
assigning priorities ..... 9-32
Asynchronous Transfer Mode
    See ATM
ATM ..... 12-67
ATM Adaptation Layer 5 ..... 12-74
attack actions ..... 4-138 to 4-146
    close ..... 4-138
    close client ..... 4-138
    close server ..... 4-138
    drop ..... 4-138
    drop packet ..... 4-138
    ignore ..... 4-138
    none ..... 4-139
attack database updates
    downloading ..... 4-230
    overview ..... 4-230
attack object database ..... 4-120 to 4-127
    auto notification and manual update ..... 4-124
    automatic update ..... 4-123
    changing the default URL ..... 4-126
    immediate update ..... 4-122
    manual update ..... 4-125, 4-126
attack object groups ..... 4-134
    applied in policies ..... 4-128
    changing severity ..... 4-134
    Help URLs ..... 4-131
    logging ..... 4-149
    severity levels ..... 4-134
attack objects ..... 4-117, 4-127 to 4-133
    brute force ..... 4-146
    custom ..... 4-212
    disabling ..... 4-137
    IDP ..... 4-184
    negation ..... 4-163
    overview ..... 4-209
    protocol anomalies ..... 4-133, 4-162
    protocol anomaly ..... 4-210
    re-enabling ..... 4-137
    signature ..... 4-210
    stateful signatures ..... 4-132
    stream signatures ..... 4-133
    TCP stream signatures ..... 4-160
attack protectionpolicy level ............................................................. 4-4security zone level ................................................ 4-4
attackscommon objectives............................................... 4-1detection and defense options ..................4-2 to 4-4DOS...........................................................4-27 to 4-51ICMP
floods............................................................... 4-46fragments...................................................... 4-236
IP packet fragments.......................................... 4-240Land ...................................................................... 4-48large ICMP packets............................................ 4-237Ping of Death....................................................... 4-49Replay................................................................... 5-12session table floods....................................4-17, 4-28
Master Index
    stages of ..... 4-2
    SYN floods ..... 4-34 to 4-39
    SYN fragments ..... 4-241
    Teardrop ..... 4-50
    UDP floods ..... 4-47
    unknown MAC addresses ..... 4-39
    unknown protocols ..... 4-239
    WinNuke ..... 4-51
attacks, Overbilling ..... 13-26 to 13-28
auth servers ..... 9-13 to 9-40
    addresses ..... 9-18
    authentication process ..... 9-17
    backup ..... 9-18
    default ..... 9-39, 9-40
    defining ..... 9-33 to 9-40
    external ..... 9-17
    ID number ..... 9-18
    idle timeout ..... 9-18
    LDAP ..... 9-29 to 9-30
    maximum number ..... 9-14
    SecurID ..... 9-27
    SecurID, defining ..... 9-35
    types ..... 9-18
    XAuth queries ..... 9-69
auth servers, objects
    names ..... 9-18
    properties ..... 9-18
auth servers, RADIUS ..... 9-19 to 9-22
    defining ..... 9-33
    user-type support ..... 9-20
auth servers, TACACS+
    defining ..... 9-38
auth table entry ..... 9-43
auth users ..... 9-45 to 9-64
    admin ..... 9-2
    groups ..... 9-45, 9-48
    IKE ..... 9-14, 9-65
    in policies ..... 9-46
    L2TP ..... 9-84
    local database ..... 9-15 to 9-16
    logins, with different ..... 9-5
    manual key ..... 9-14
    multiple-type ..... 9-4
    pre-policy auth ..... 2-171
    run-time auth process ..... 2-170
    run-time authentication ..... 2-170
    server support ..... 9-14
    timeout ..... 9-18
    types and applications ..... 9-1 to 9-5
    user types ..... 9-13
    WebAuth ..... 2-171, 9-14
    XAuth ..... 9-68
auth users, authentication
    auth servers, with ..... 9-14
    point of ..... 9-1
    pre-policy ..... 9-47
auth users, run-time
    auth process ..... 9-46
    authentication ..... 9-46
    user groups, external ..... 9-53
    user groups, local ..... 9-50
    users, external ..... 9-51
    users, local ..... 9-49
auth users, WebAuth ..... 9-47
    user groups, external ..... 9-59
    user groups, local ..... 9-58
    with SSL (user groups, external) ..... 9-61
authentication ..... 14-112, 14-115, 14-138
    algorithms ..... 5-6, 5-51, 5-54, 5-57, 5-61
    Allow Any ..... 2-171
    NSRP ..... 11-28
    NSRP-Lite ..... 11-15
    policies ..... 2-170
    prioritizing ..... 9-32
    users ..... 2-170
Authentication and Encryption
    Multiple WEP Keys ..... 12-123
    Wi-Fi Protected Access
        See WPA
    Wireless Equivalent Privacy
        See WEP
authentication and encryption, using RADIUS server ..... 12-123
Authentication Header (AH) ..... 5-5
authentication servers
    See auth servers
authentication users
    See auth users
autoconfiguration
    address autoconfiguration ..... 14-11
    router advertisement messages ..... 14-12
    stateless ..... 14-11
AutoKey IKE VPN ..... 3-43, 3-79, 5-7
    management ..... 5-7
Autonomous System (AS) numbers ..... 7-107
AV objects
    timeout ..... 4-88
AV scanning ..... 4-58 to 4-85
    AV resources per client ..... 4-81
    decompression ..... 4-89
    fail-mode ..... 4-81
    file extensions ..... 4-90
    FTP ..... 4-70
    HTTP ..... 4-71
    HTTP keep-alive ..... 4-83
    HTTP trickling ..... 4-84
    IMAP ..... 4-73
    MIME ..... 4-72
    POP3 ..... 4-73
    SMTP ..... 4-74
    subscription ..... 4-78

B
back store ..... 3-94
backdoor rulebase
    adding to Security Policy ..... 4-205
    overview ..... 4-205
backdoor rules ..... 4-205 to 4-209
    configuring actions ..... 4-207
    configuring Match columns ..... 4-206
    configuring operation ..... 4-207
    configuring services ..... 4-207
    configuring severity ..... 4-209
    configuring source and destination ..... 4-207
    configuring targets ..... 4-209
    configuring zones ..... 4-206
bandwidth ..... 2-173
    guaranteed ..... 2-173, 2-193, 2-199
    managing ..... 2-193
    maximum ..... 2-173, 2-193, 2-199
    maximum, unlimited ..... 2-194
    priority
        default ..... 2-198
        levels ..... 2-198
        queues ..... 2-198
banners ..... 9-10
BGP
    AS-path access list ..... 7-116
    communities ..... 7-124
    confederations ..... 7-122
    configurations, security ..... 7-113
    configurations, verifying ..... 7-112
    external ..... 7-105
    internal ..... 7-105
    load-balancing ..... 7-36
    message types ..... 7-104
    neighbors, authenticating ..... 7-113
    parameters ..... 7-115
    path attributes ..... 7-105
    protocol overview ..... 7-104
    regular expressions ..... 7-116
    virtual router, creating an instance in ..... 7-107
BGP routes
    adding ..... 7-117
    aggregation ..... 7-125
    attributes, setting ..... 7-119
    conditional advertisement ..... 7-118
    default, rejecting ..... 7-114
    redistributing ..... 7-116
    reflection ..... 7-120
    suppressing ..... 7-126
    weight, setting ..... 7-118
BGP routes, aggregate
    aggregation ..... 7-125
    AS-Path in ..... 7-127
    AS-Set in ..... 7-125
    attributes of ..... 7-128
BGP, configuring
    peer groups ..... 7-109
    peers ..... 7-109
    steps ..... 7-106
BGP, enabling
    in VR ..... 7-107
    on interface ..... 7-108
bit stream ..... 3-93
bridge groups
    logical interface ..... 2-37
    unbinding ..... 2-46
browser requirements ..... 3-2
brute force
    attack actions ..... 4-146
brute force attack objects ..... 4-146
bypass-auth ..... 9-69

C
CA certificates ..... 5-22, 5-25
cables, serial ..... 3-19
C-bit parity mode ..... 12-13
Certificate Revocation List ..... 5-23, 5-34
    loading ..... 5-23
certificates ..... 5-7
    CA ..... 5-22, 5-25
    loading ..... 5-28
    loading CRL ..... 5-23
    local ..... 5-25
    requesting ..... 5-26
    revocation ..... 5-25, 5-34
    via email ..... 5-25
Challenge Handshake Authentication Protocol
    See CHAP
channels, finding available ..... 12-131
CHAP ..... 5-208, 5-211, 9-79
Chargen ..... 4-129
CLI ..... 3-9, 14-30, 14-32
CLI, set arp always-on-dest ..... 2-74, 2-77
CLI, set vip multi-port ..... 8-82
clock, system
    See system clock
cluster names, NSRP ..... 11-11, 11-28
clusters ..... 11-11, 11-34
command line interface
    See CLI
common names ..... 9-30
CompactFlash ..... 3-56
compatibility-mode option
    T3 interfaces ..... 12-20
configuration
    ADSL 2/2+ PIM ..... 12-73
    virtual circuits ..... 12-71
    VPI/VCI pair ..... 12-71
configuration examples
    6to4 host, tunneling to a ..... 14-108
    access lists and route maps ..... 14-61
    DNS server information, requesting ..... 14-43
    IPv4 tunneling over IPv6 (autokey IKE) ..... 14-117
    IPv6 requests to multiple IPv4 hosts ..... 14-87
    IPv6 to an IPv4 network over IPv4 ..... 14-113
    IPv6 tunneling over IPv4 (autokey IKE) ..... 14-121
    manual tunneling ..... 14-100
    native host, tunneling to ..... 14-104
    PPPoE instance, configuring ..... 14-46
    prefixes, delegating ..... 14-38, 14-40
    static route redistribution ..... 14-61
configuration settings, browser requirements ..... 3-2
configurations
    full-mesh ..... 11-56
connection policy for Infranet Enforcer, configuring ..... 9-42
console ..... 3-56
containers ..... 5-186
content filtering ..... 4-53 to 4-114
control messages ..... 11-13
    HA ..... 11-7
    HA physical link heartbeats ..... 11-7
    RTO heartbeats ..... 11-7
cookies, SYN ..... 4-44
country codes and channels ..... 12-130
country codes and channels, regulatory domain for ..... 12-130
CRL
    See Certificate Revocation List
cryptographic options ..... 5-48 to 5-61
    anti-replay checking ..... 5-52, 5-59
    authentication algorithms ..... 5-51, 5-54, 5-57, 5-61
    authentication types ..... 5-50, 5-56
    certificate bit lengths ..... 5-50, 5-56
    dialup ..... 5-55 to 5-61
    dialup VPN recommendations ..... 5-61
    encryption algorithms ..... 5-51 to 5-57, 5-61
    ESP ..... 5-54, 5-60
    IKE ID ..... 5-51 to 5-52, 5-57 to 5-58
    IPSec protocols ..... 5-53, 5-60
    key methods ..... 5-49
    PFS ..... 5-53, 5-59
    Phase 1 modes ..... 5-49, 5-56
    site-to-site ..... 5-48 to 5-55
    site-to-site VPN recommendations ..... 5-55
    Transport mode ..... 5-60
    Tunnel mode ..... 5-60
CSU compatibility, T3 interfaces ..... 12-20
custom services ..... 2-121
custom services, in root and vsys ..... 2-122
Customer Premises Equipment (CPE) ..... 14-39, 14-134

D
Data Encryption Standard (DES) ..... 5-6
data messages ..... 11-7
databases, local ..... 9-15 to 9-16
DDoS ..... 4-27
decompression, AV scanning ..... 4-89
Deep Inspection (DI) ..... 4-134 to 4-160
    attack actions ..... 4-138 to 4-146
    attack object database ..... 4-120 to 4-127
    attack object groups ..... 4-134
    attack object negation ..... 4-163
    attack objects ..... 4-117
    changing severity ..... 4-134
    context ..... 4-I
    custom attack objects ..... 4-156
    custom services ..... 4-152 to 4-156
    custom signatures ..... 4-157 to 4-160
    disabling attack objects ..... 4-137
    license keys ..... 4-118
    logging attack object groups ..... 4-149
    overview ..... 4-116
    protocol anomalies ..... 4-133
    re-enabling attack objects ..... 4-137
    regular expressions ..... 4-157 to 4-158
    signature packs ..... 4-120
    stateful signatures ..... 4-132
    stream signatures ..... 4-133
demand circuits, RIP ..... 7-94
Denial-of-Service
    See DoS
DES ..... 5-6
destination gateway ..... 14-99
device failover ..... 11-57
devices, resetting to factory defaults ..... 3-41
Device-Unique Identification (DUID) ..... 14-36
DHCP ..... 2-96, 2-100, 2-243, 4-129
    client ..... 2-225
    HA ..... 2-231
    PXE scenario ..... 2-237
    relay agent ..... 2-225
    server ..... 2-225
DHCPv6
    client and server ..... 14-36
    delegated prefixes ..... 14-38
    purposes ..... 14-35
    TLA and SLA ..... 14-37
dictionary file, RADIUS ..... 9-2
Diffie-Hellman ..... 5-10
Diffie-Hellman groups ..... 14-121
DiffServ ..... 2-173, 2-200, 2-214
    See also DS Codepoint Marking
digital signature ..... 5-20
DIP ..... 2-98, 2-140 to 2-143, 3-95
    fix-port ..... 2-142
    groups ..... 2-153 to 2-155
    PAT ..... 2-141, 2-142
    pools ..... 2-169
    pools, modifying ..... 2-143
DIP pools
    address considerations ..... 8-14
    extended interfaces ..... 5-140
    NAT for VPNs ..... 5-140
    NAT-src ..... 8-1
    size ..... 8-14
Discard ..... 4-129
Discrete multitone
    See DMT
dissimilar IP stacks ..... 14-84, 14-86
distinguished name (DN) ..... 5-183
distinguished names ..... 9-30
DMT ..... 12-69, 12-70
DN ..... 5-183
DNS ..... 2-217, 4-129
    addresses, splitting ..... 2-223
    lookups ..... 2-218
    lookups, domain ..... 2-223
    servers ..... 2-244
    servers, tunneling to ..... 2-223
    status table ..... 2-219
DNS, L2TP settings ..... 5-211
Domain Name System
    See DNS
Domain Name System (DNS)
    DHCP client host ..... 14-43
    DHCPv6 search list ..... 14-36
    domain lookups ..... 14-44
    IPv4 or IPv6 addresses ..... 14-42
    partial domain names ..... 14-36
    proxy ..... 14-44
    refresh ..... 14-42
    search list ..... 14-43
    servers ..... 14-132
    servers, tunneling to ..... 14-44
Domain Name System (DNS) addresses
    splitting ..... 14-44, 14-45
    translating ..... 14-93
DoS
    firewall ..... 4-28 to 4-33
    network ..... 4-34 to 4-48
    OS-specific ..... 4-49 to 4-51
    session table floods ..... 4-17, 4-28
DoS attacks ..... 4-27 to 4-51
drop-no-rpf-route ..... 4-19
DS Codepoint Marking ..... 2-194, 2-200, 2-214
DSL ..... 2-239, 2-244
dual-stack architecture ..... 14-50
    networks, dissimilar ..... 14-50
    routing tables ..... 14-50
    WAN backbones, dissimilar ..... 14-50
Duplicate Address Detection (DAD)
    function ..... 14-31
    Retry Count ..... 14-31
Dynamic IP
    See DIP
dynamic IP ..... 14-82
Dynamic IP (DIP) pools ..... 2-143, 2-169
dynamic IP, from IPv6 to IPv4 ..... 14-83
dynamic packet filtering ..... 4-3

E
Echo ..... 4-129
ECMP ..... 7-36, 7-59
email alert notification ..... 3-71, 3-73
Encapsulating Security Payload
    See ESP
encapsulation ..... 14-103, 14-111, 14-117
encryption ..... 14-112, 14-115
    3DES ..... 14-121
    AES128 ..... 14-121
    algorithms ..... 5-6, 5-51, 5-54 to 5-61
    NSRP ..... 11-28
    NSRP-Lite ..... 11-15
encryption, SecurID ..... 9-28
endpoint host state mode
    Base Reachable Time ..... 14-30
    Duplicate Address Detection (DAD) ..... 14-31
    Probe Forever state ..... 14-31
    Probe Time ..... 14-31
    Reachable Time ..... 14-30
    Retransmission Time ..... 14-31
    Stale mode ..... 14-30
ESP ..... 5-3, 5-5, 5-6
    authenticate only ..... 5-54
    encrypt and authenticate ..... 5-54, 5-60
    encrypt only ..... 5-54
evasion ..... 4-15 to 4-25
event log ..... 3-56
exe files, blocking ..... 4-168
exempt rulebase
    adding to Security Policy ..... 4-201
    overview ..... 4-200
exempt rules ..... 4-200 to 4-204
    configuring ..... 4-201
    configuring attacks ..... 4-203
    configuring from the Log Viewer ..... 4-204
    configuring Match columns ..... 4-202
    configuring source and destination ..... 4-202
    configuring targets ..... 4-203
Master Index
Master Index
configuring zones.............................................. 4-202exploits
See attacksextended channels, setting for WLAN................. 12-130
Ffactory defaults, resetting devices to ....................... 3-41fail-mode..................................................................... 4-81failover
devices................................................................ 11-57dual Untrust interfaces ..........................11-44, 11-47object monitoring.............................................. 11-50virtual systems................................................... 11-56VSD groups ........................................................ 11-56
fallbackassigning priorities .............................................. 9-32
file extensions, AV scanning..................................... 4-90filter source route ...................................................... 3-96FIN scans .................................................................... 4-15FIN without ACK flag................................................. 4-13Finger........................................................................ 4-129floods
ICMP ..................................................................... 4-46session table ........................................................ 4-28SYN .................................................4-34 to 4-39, 4-44UDP....................................................................... 4-47
fragment reassembly ....................................4-54 to 4-57full-mesh configuration........................................... 11-56function zone interfaces ........................................... 2-38
HA ......................................................................... 2-38management........................................................ 2-38
G
gatekeeper devices ...................................................... 6-1
Generic Routing Encapsulation (GRE) ................... 7-151
Gi interface ................................................................. 13-2
global unicast addresses ..........................14-102, 14-120
global zones................................................................ 8-82
Gn interface................................................................ 13-2
Gopher ...................................................................... 4-129
Gp interface................................................................ 13-2
GPRS Tunneling Protocol (GTP)
See GTP
graphs, historical...................................................... 2-172
group expressions..............................................9-5 to 9-9
operators ................................................................ 9-5server support...................................................... 9-14users ....................................................................... 9-5
group IKE IDcertificates............................................5-183 to 5-192preshared keys ....................................5-192 to 5-198
groupsaddresses ........................................................... 2-105services............................................................... 2-138
GTPAccess Point Name (APN) filtering .................. 13-15GTP-in-GTP packet filtering .............................. 13-13IMSI prefix filtering ........................................... 13-16inspection objects................................... 13-5 to 13-7IP fragmentation................................................ 13-13packet sanity check............................................. 13-8policy-based ......................................................... 13-5protocol ................................................................ 13-2standards.............................................................. 13-9stateful inspection ............................................. 13-23tunnel timeout ................................................... 13-25
GTP messages........................................................... 13-10length, filtering by ............................................... 13-9rate, limiting by ................................................. 13-12type, filtering by ................................................ 13-10types ................................................................... 13-10versions 0 and 1 ................................................ 13-10
GTP trafficcounting.............................................................. 13-33logging ................................................................ 13-31
GTP tunnelsfailover................................................................ 13-24limiting................................................................ 13-23timeout ............................................................... 13-25
H
HA
DHCP .................................................................. 2-231
interfaces, virtual HA .......................................... 2-39
See high availability
See also NSRP
hanging GTP tunnel ................................................. 13-25hash-based message authentication code ................ 5-6hashing, Secure Hashing Algorithm (SHA) ......... 14-121heartbeats
HA physical link................................................... 11-7RTO....................................................................... 11-7
Help files ....................................................................... 3-2high availability
cabling ................................................. 11-25 to 11-28data link................................................................ 11-7IP tracking .......................................................... 11-52link probes ........................................................... 11-9messages .............................................................. 11-7virtual interfaces................................................ 11-27
high availability (HA) ..................................... 13-4, 13-24high availability failover
active/active ....................................................... 11-12active/passive..................................................... 11-11
high availability interfacesaggregate ............................................................ 11-43cabling network as HA links ............................ 11-27redundant........................................................... 11-42
high-watermark threshold ........................................ 4-30historical graphs ...................................................... 2-172HMAC............................................................................ 5-6Host mode...................................................14-46, 14-116HTTP
blocking components .........................4-167 to 4-169keep-alive ............................................................. 4-83session timeout ................................................... 4-31trickling ................................................................ 4-84
HTTP, session ID.......................................................... 3-4HyperText Transfer Protocol (HTTP), session ID ..... 3-4
I
ICMP ......................................................................... 4-129
fragments........................................................... 4-236large packets...................................................... 4-237
ICMP floods................................................................ 4-46ICMP services........................................................... 2-126
message codes .................................................. 2-126message types ................................................... 2-126
IDENT ....................................................................... 4-129
Identity Association Prefix Delegation Identification (IAPD-ID) ..................................... 14-37, 14-39
Ident-Reset ................................................................. 3-28
idle session timeout .................................................. 9-18
IDP
basic configuration ........................................... 4-174configuring device for standalone IDP ........... 4-227configuring inline or inline tap mode............. 4-186enabling in firewall rule.................................... 4-185
IDP attack objects.................................................... 4-184IDP engine
updating ............................................................. 4-231IDP modes................................................................ 4-186IDP rulebase
adding to Security Policy.................................. 4-188overview............................................................. 4-187
IDP rulebasesrole-based administration ................................ 4-184types ................................................................... 4-183
IDP rules ................................................................... 4-187configuring......................................................... 4-189configuring actions ........................................... 4-195configuring address objects ............................. 4-184configuring attack severity............................... 4-199configuring attacks............................................ 4-196configuring IDP attack objects......................... 4-184configuring IP actions....................................... 4-197configuring Match columns ............................. 4-189configuring notification .................................... 4-199configuring service objects .............................. 4-184configuring services .......................................... 4-190configuring source and destination ................ 4-189configuring targets ............................................ 4-200
configuring terminal rules................................ 4-193entering comments.................... 4-200, 4-204, 4-209
IDP-capable system................................................. 4-172IEEE 802.1Q VLAN standard.................................. 10-41IGMP
access lists, using .............................................. 7-158configuration, basic .......................................... 7-159configuration, verifying .................................... 7-161host messages ................................................... 7-156interfaces, enabling on ..................................... 7-157parameters..............................................7-161, 7-162policies, multicast.............................................. 7-168querier ................................................................ 7-157
IGMP proxies............................................................ 7-163on interfaces ...................................................... 7-166sender................................................................. 7-175
IKE.................................................. 5-7, 5-86, 5-95, 5-160group IKE ID user................................5-183 to 5-198group IKE ID, container.................................... 5-186group IKE ID, wildcards ................................... 5-186heartbeats .......................................................... 5-294hello messages .................................................. 5-294IKE ID ................................ 5-51 to 5-52, 5-57 to 5-58IKE ID recommendations................................... 5-70IKE ID, Windows 2000..........................5-219, 5-227local ID, ASN1-DN ............................................. 5-185Phase 1 proposals, predefined ............................ 5-9Phase 2 proposals, predefined .......................... 5-11proxy IDs.............................................................. 5-11redundant gateways ...........................5-291 to 5-304remote ID, ASN1-DN ........................................ 5-185shared IKE ID user ..............................5-198 to 5-204
IKE users............................................... 9-14, 9-65 to 9-68defining ................................................................ 9-66groups................................................................... 9-66groups, and .......................................................... 9-65groups, defining .................................................. 9-67IKE ID ..........................................................9-65, 9-79server support...................................................... 9-14with other user types ............................................ 9-4
IMSI prefix filtering.................................................. 13-16inactive SA.................................................................. 3-96Infranet authentication ............................................. 9-44Infranet Controller
actions .................................................................. 9-43overview............................................................... 9-42resource policies.................................................. 9-43
Infranet Enforcerconnection policy, configuring .......................... 9-42overview............................................................... 9-42
inline mode .............................................................. 4-186inline tap mode........................................................ 4-186in-short error .............................................................. 3-93inspections ................................................................... 4-3
Instant Messaging.................................................... 4-130AIM...................................................................... 4-130IRC ...................................................................... 4-130MSN Messenger................................................. 4-130Yahoo! Messenger ............................................. 4-130
interfaces
addressing............................................................ 2-46aggregate...................................................2-37, 11-43binding to zone ................................................... 2-44connections, monitoring .................................... 2-63dedicated.................................................10-37, 10-71default................................................................... 2-48DHCPv6.............................................................. 14-35DIP ...................................................................... 2-140down, logically..................................................... 2-61down, physically ................................................. 2-61dual routing tables ............................................ 14-50extended ............................................................ 5-140function zone....................................................... 2-38Gi ........................................................................... 13-2Gn.......................................................................... 13-2Gp.......................................................................... 13-2HA function zone ................................................ 2-38HA, dual................................................................ 11-8interface tables, viewing .................................... 2-43IP tracking (See IP tracking)
L3 security zones................................................. 2-46loopback............................................................... 2-58manageable ......................................................... 3-31management options.......................................... 3-28MGT....................................................................... 2-38MIP........................................................................ 8-64modifying............................................................. 2-48
monitoring ......................................................... 11-29ND....................................................................... 14-29NDP..................................................................... 14-30NUD .................................................................... 14-29null ........................................................................ 5-85physical in security zones .................................. 2-36physical, exporting from vsys ......................... 10-40physical, importing to vsys .............................. 10-39policy-based NAT tunnel .................................... 2-39PPPoE ................................................................. 14-46redundant..................................................2-37, 11-42secondary IP addresses ...................................... 2-50shared......................................................10-37, 10-71state changes ....................................................... 2-61tunnel..............................................2-39, 2-39 to 2-42up, logically .......................................................... 2-61up, physically....................................................... 2-61viewing interface table ....................................... 2-43VIP......................................................................... 8-80virtual HA ..................................................2-39, 11-27VLAN1................................................................... 2-81
VSI ......................................................................... 2-38VSIs ..................................................................... 11-24zones, unbinding from ....................................... 2-45
interfaces, enabling IGMP on ................................. 7-157interfaces, monitoring .................................. 2-68 to 2-73
loops ..................................................................... 2-69security zones ...................................................... 2-73
Interior Gateway Protocol (IGP).............................. 14-51internal flash storage................................................. 3-56Internet Group Management Protocol
See IGMP
Internet Key Exchange
See IKE
Internet Protocol (IP) addresses
See IP addresses
Internet Service Provider (ISP) .......2-223, 14-36, 14-44, 14-98
intrusion detection and prevention, defined........ 4-171
IP
packet fragments............................................... 4-240IP addresses
extended............................................................. 5-140host IDs................................................................. 2-47interfaces, tracking on ........................................ 2-63L3 security zones.................................... 2-46 to 2-47Manage ................................................................. 2-95manage IP ............................................................ 3-31NetScreen-Security Manager servers ................ 3-25network IDs.......................................................... 2-47ports, defining for each .................................... 2-104private................................................................... 2-46private address ranges........................................ 2-47public .................................................................... 2-46secondary................................................... 2-50, 2-51secondary, routing between .............................. 2-51
IP addresses, virtual................................................... 8-80IP options....................................................... 4-10 to 4-11
attributes ................................................. 4-10 to 4-11incorrectly formatted ........................................ 4-238loose source route .........................4-10, 4-23 to 4-25record route ......................................................... 4-11security ....................................................... 4-10, 4-11source route ......................................................... 4-23stream ID.............................................................. 4-11strict source route..........................4-11, 4-23 to 4-25timestamp ............................................................ 4-11
IP pools
See DIP pools
IP Security
See IPSec
IP spoofing..................................................... 4-18 to 4-23drop-no-rpf-route................................................. 4-19Layer 2........................................................ 4-19, 4-22Layer 3........................................................ 4-18, 4-20
IP tracking ...................................................11-52, 12-111dynamic option ................................................... 2-64interfaces, shared................................................ 2-64interfaces, supported.......................................... 2-63object failure threshold....................................... 2-65ping and ARP..................................................... 11-52rerouting traffic .......................................2-63 to 2-78vsys....................................................................... 2-64weights ................................................................. 2-65
IP tracking, failureegress interface, on ................................2-75 to 2-76ingress interface, on ...............................2-76 to 2-78tracked IP threshold............................................ 2-64
IP-based traffic classification ................................. 10-71IPSec
AH........................................................ 5-2, 5-53, 5-60digital signature................................................... 5-20ESP....................................................... 5-2, 5-53, 5-60L2TP-over-IPSec .................................................... 5-4SAs ......................................................... 5-2, 5-8, 5-11SPI........................................................................... 5-2Transport mode ..................5-4, 5-208, 5-213, 5-218tunnel ..................................................................... 5-2Tunnel mode ......................................................... 5-4tunnel negotiation................................................. 5-8
IPSec Access Session (IAS) ................................... 14-134IPv4
addresses, mapped................................14-82, 14-87WAN ................................................................. 14-112
IPv4 to IPv6host mapping..................................................... 14-91network mapping.............................................. 14-90
IPv4/IPv6 boundaries.................... 14-81 to 14-86, 14-90IPv6
addresses, SLA .................................................. 14-37addresses, TLA .................................................. 14-37backbone...............................................14-85, 14-115networks, island.............................................. 14-112
IPv6 to IPv4 host mapping..................................... 14-88IPv6/IPv4 boundaries................................14-82 to 14-88IRC............................................................................. 4-130ISP ............................................................................. 2-223
failover holddown timer................................. 12-110priority.............................................................. 12-109
ISP IP address and netmask................................... 12-72
J
Java applets, blocking ............................................. 4-168
K
keepalive
frequency, NAT-T .............................................. 5-237L2TP.................................................................... 5-216
keys
manual.....................................................5-118, 5-124preshared ........................................................... 5-160
keys, license ............................................................. 2-250keys, vsys.................................................................. 10-37
L
L2TP .................................................. 5-205 to 5-230, 13-3
access concentrator: See LACaddress assignments .......................................... 9-84bidirectional ....................................................... 5-208compulsory configuration ................................ 5-205decapsulation..................................................... 5-209default parameters............................................ 5-211encapsulation..................................................... 5-208external auth server............................................ 9-84hello signal ..............................................5-216, 5-221Keep Alive ...............................................5-216, 5-221L2TP-only on Windows 2000 .......................... 5-207local database ...................................................... 9-84network server: See LNSoperational mode.............................................. 5-208RADIUS server ................................................... 5-211ScreenOS support ............................................. 5-207SecurID server ................................................... 5-211tunnel.................................................................. 5-213user authentication ............................................. 9-84voluntary configuration .................................... 5-205Windows 2000 tunnel authentication .5-216, 5-221
L2TP policies ............................................................ 2-168L2TP users .................................................................. 9-84
server support...................................................... 9-14with XAuth ............................................................. 9-4
L2TP-over-IPSec .................................... 5-4, 5-213, 5-218bidirectional ....................................................... 5-208tunnel.................................................................. 5-213
LAC ............................................................................ 5-205NetScreen-Remote 5.0...................................... 5-205Windows 2000 .................................................. 5-205
Land attacks ............................................................... 4-48lawful interception................................................... 13-34Layer 2 Tunneling Protocol
See L2TP
LDAP ................................................... 4-129, 9-29 to 9-30
common name identifiers.................................. 9-30distinguished names ........................................... 9-30server ports .......................................................... 9-30structure ............................................................... 9-29user types supported .......................................... 9-30
license keys .............................................................. 2-250advanced mode................................................. 4-118attack pattern update ....................................... 4-118
Lightweight Directory Access Protocol
See LDAP
link-local addresses ......................................14-12, 14-14
Link-State Advertisement (LSA) suppression .......... 7-67LNS ............................................................................ 5-205load sharing.............................................................. 11-82load-balancing by path cost.............................7-36, 7-59local certificate........................................................... 5-25local database
IKE users .............................................................. 9-66timeout ................................................................. 9-16user types supported .......................................... 9-16
log entriesenabling in IDP rules ........................................ 4-233
Log Viewercreating an exempt rule ................................... 4-204
logging ................................................2-172, 3-55 to 3-68asset recovery log ............................................... 3-68attack object groups.......................................... 4-149CompactFlash (PCMCIA) .................................... 3-56console ................................................................. 3-56email ..................................................................... 3-56event log............................................................... 3-56internal ................................................................. 3-56NetScreen-Security Manager.............................. 3-25self log .................................................................. 3-66SNMP ...........................................................3-56, 3-73syslog...........................................................3-56, 3-72USB ....................................................................... 3-56WebTrends..................................................3-56, 3-73
logging, traffic ............................................................ 13-5loopback interfaces ................................................... 2-58loose source route IP option...............4-10, 4-23 to 4-25low-watermark threshold.......................................... 4-31LPR spooler .............................................................. 4-129
M
MAC addresses.................................. 14-13, 14-21, 14-29
Main mode ................................................................... 5-9
malicious URL protection .............................4-54 to 4-57
Manage IP................................................................... 2-95
manage IP .................................................................. 3-31
manage IP, VSD group 0 ........................................... 11-3
management client IP addresses............................. 3-42
Management information base II
See MIB II
management methods
CLI ........................................................................... 3-9console ................................................................. 3-19SSL .......................................................................... 3-5Telnet...................................................................... 3-9WebUI..................................................................... 3-2
management optionsinterfaces.............................................................. 3-28manageable ......................................................... 3-31MGT interface ...................................................... 3-29NetScreen-Security Manager.............................. 3-28
ping ....................................................................... 3-28SNMP .................................................................... 3-28SSH........................................................................ 3-28SSL......................................................................... 3-28Telnet .................................................................... 3-28Transparent mode............................................... 3-29VLAN1................................................................... 3-29WebUI................................................................... 3-28
manual 6over4 tunneling........................................ 14-98Manual Key
management.......................................................... 5-7manual keys ........................................5-118, 5-124, 9-14manual keys, VPNs .......................................... 3-43, 3-79manual tunneling..................................................... 14-99mapped IP
See MIP
mapped IP (MIP) .......................................... 14-82, 14-84
    IPv4 hosts to a single IPv6 host .... 14-91
    IPv4 hosts to multiple IPv6 hosts .... 14-90
    IPv6 hosts to a single IPv4 host .... 14-88
    IPv6 hosts to multiple IPv4 hosts .... 14-86
    IPv6-to-IPv4 network mapping .... 14-86
    MIP from IPv6 to IPv4 .... 14-84
mapping
    host, IPv4 to IPv6 .... 14-91
    host, IPv6 to IPv4 .... 14-88
    network, IPv4 to IPv6 .... 14-90
Maximum Transmission Unit (MTU) .... 14-12
MD5 .... 5-6
Message Digest version 5 (MD5) .... 5-6
messages
    alert .... 3-57
    control .... 11-13
    critical .... 3-57
    data .... 11-7
    debug .... 3-57
    emergency .... 3-56
    error .... 3-57
    HA .... 11-7
    info .... 3-57
    notification .... 3-57
    warning .... 3-57
    WebTrends .... 3-73
MGT interface .... 2-38
MGT interface, management options .... 3-29
MIB files, importing .... 5-252
MIB II .... 3-28, 3-74
Microsoft Network Instant Messenger
    See MSN Instant Messenger
Microsoft-Remote Procedure Call
    See MS-RPC
MIME, AV scanning .... 4-72
MIP .... 2-11, 8-63
    address ranges .... 8-66
Master Index IX-XI
    bidirectional translation .... 8-6
    definition .... 8-6
    global zone .... 8-64
    grouping, multi-cell policies .... 8-79
    reachable from other zones .... 8-67
    same-as-untrust interface .... 8-70 to 8-73
MIP, creating
    addresses .... 8-65
    on tunnel interface .... 8-70
    on zone interface .... 8-65
MIP, default
    netmasks .... 8-66
    virtual routers .... 8-66
MIP, to zone with interface-based NAT .... 2-94
MIP, virtual systems .... 10-31
MIP, VPNs .... 5-140
Mobile Station (MS) mode .... 13-15
mode config .... 9-69
mode, Transparent .... 10-42
modem ports .... 3-20, 3-22
modes
    Aggressive .... 5-10
    Host .... 14-46, 14-116
    L2TP operational .... 5-208
    Main .... 5-9
    NAT and Route .... 11-3
    NAT, traffic to Untrust zone .... 2-79
    Phase 1 cryptographic .... 5-49, 5-56
    preempt .... 11-21
    Router .... 14-52
    Stale .... 14-30
    Transparent .... 2-80
    Transport .... 5-4, 5-60, 5-208, 5-213, 5-218
    Tunnel .... 5-4, 5-60
modes, operational
    NAT .... 13-4
    Route .... 13-4
    Transparent .... 13-4
modes, selection
    APN .... 13-15
    Mobile Station (MS) .... 13-15
    Network .... 13-15
    Verified .... 13-15
modulus .... 5-10
MS RPC ALG, defined .... 2-129
MSN Messenger .... 4-130
MS-RPC .... 4-131
multicast
    addresses .... 7-148
    distribution trees .... 7-183
    policies .... 7-153
    policies for IGMP .... 7-168
    reverse path forwarding .... 7-148
    routing tables .... 7-149
    static routes .... 7-150
multicast routing
    IGMP .... 7-155
    PIM .... 7-181
multimedia sessions, SIP .... 6-13
multiplexing, configuring .... 12-71

N

NAT
    definition .... 8-1
    IPSec and NAT .... 5-232
    NAT servers .... 5-232
    NAT-src with NAT-dst .... 8-50 to 8-61
NAT mode .... 2-92 to 2-97, 11-3, 13-4
    interface settings .... 2-95
    traffic to Untrust zone .... 2-79, 2-94
NAT vector error .... 3-95
NAT-dst .... 8-28 to 8-61
    address shifting .... 8-5
    packet flow .... 8-29 to 8-31
    port mapping .... 8-4, 8-28, 8-47
    route considerations .... 8-29, 8-32 to 8-34
    unidirectional translation .... 8-6, 8-10
    VPNs .... 5-140
    with MIPs or VIPs .... 8-3
NAT-dst, addresses
    range to range .... 8-10, 8-44
    range to single IP .... 8-9, 8-41
    ranges .... 8-4
    shifting .... 8-28, 8-44
NAT-dst, single IP
    with port mapping .... 8-8
    without port mapping .... 8-9
NAT-dst, translation
    one-to-many .... 8-38
    one-to-one .... 8-35
native hosts .... 14-102, 14-104
NAT-PT .... 14-81
NAT-PT, IPSec, when to use .... 14-112
NAT-src .... 8-1, 8-13 to 8-25
    egress interface .... 8-8, 8-24 to 8-25
    fixed port .... 8-14, 8-18 to 8-19
    interface-based .... 8-2
    VPNs .... 5-142
NAT-src, addresses
    shifting .... 8-20 to 8-24
    shifting, range considerations .... 8-20
NAT-src, DIP pools .... 8-1
    fixed port .... 8-7
    with address shifting .... 8-8
    with PAT .... 8-7, 8-15 to 8-17
NAT-src, Route mode .... 2-98
NAT-src, translation
    port addresses .... 8-2
    unidirectional .... 8-6, 8-10
NAT-T .... 5-232 to 5-239
    enabling .... 5-239
    IKE packet .... 5-235
    initiator and responder .... 5-237
    IPSec packet .... 5-236
    keepalive frequency .... 5-237
    obstacles for VPNs .... 5-235
    probing for NAT .... 5-233 to 5-234
NAT-Traversal
    See NAT-T
negation, address .... 2-186
negation, Deep Inspection (DI) .... 4-163
Neighbor Advertisement (NA) .... 14-30
Neighbor Cache table .... 14-13, 14-15, 14-25, 14-30
Neighbor Cache table, neighbor entry categories .... 14-14
Neighbor Discovery (ND) .... 14-29
    Accept Incoming RAs .... 14-21
    age of neighbor entry .... 14-13
    bypassing MAC session-caching .... 14-29
    definition .... 14-13
    enabling .... 14-29
    Neighbor Cache table .... 14-13, 14-29
    neighbor reachability state .... 14-13
    neighbor reachability status .... 14-30
    packets currently queued for transmission .... 14-13
    reachability status .... 14-29
Neighbor Discovery (ND), displaying .... 14-32
Neighbor Discovery Parameter (NDP) .... 14-21, 14-30
Neighbor Solicitation (NS) .... 14-14, 14-31
    setting .... 14-30
Neighbor Unreachability Detection (NUD) .... 14-13
    Neighbor Cache table .... 14-25
Neighbor Unreachability Detection (NUD), Neighbor Cache table .... 14-13
NetBIOS .... 4-131
NetInfo .... 2-226
netmasks .... 2-47, 2-166
netmasks, MIP default .... 8-66
NetScreen Redundancy Protocol
    See NSRP
NetScreen Reliable Transport Protocol
    See NRTP
NetScreen-Remote
    AutoKey IKE VPN .... 5-160
    dynamic peer .... 5-166, 5-173
    NAT-T option .... 5-232
NetScreen-Security Manager
    definition .... 3-22
    enabling NSM Agent .... 3-24
    initial connectivity setup .... 3-23
    logging .... 3-25
    management options .... 3-28
    management system .... 3-22, 3-23, 3-25
    NSM Agent .... 3-22, 3-25
    reporting events .... 3-25, 3-26
    UI .... 3-22
Network Address Translation (NAT) .... 3-95
Network Address Translation-Port Translation
    DIP addresses, translating .... 14-84
    DIP from IPv6 to IPv4 .... 14-83
    dynamic IP (DIP) .... 14-82
    IPv4 hosts to a single IPv6 host .... 14-91
    IPv4 hosts to multiple IPv6 hosts .... 14-90
    IPv6 hosts to a single IPv4 host .... 14-88
    IPv6 hosts to multiple IPv4 hosts .... 14-86
    MIP .... 14-82
    MIP from IPv4 to IPv6 .... 14-85
    outgoing service requests .... 14-82, 14-86
    source address translation .... 14-83
    when to use .... 14-82
Network Address Translation-Port Translation (NAT-PT) .... 14-81
Network mode .... 13-15
network, bandwidth .... 2-193
next-hop gateway .... 14-31
NFS .... 4-129
NHTB table .... 5-254 to 5-258
    addressing scheme .... 5-256
    automatic entries .... 5-257
    manual entries .... 5-257
    mapping routes to tunnels .... 5-255
NNTP .... 4-129
NRTP .... 11-19
NSM Agent .... 3-22, 3-23
    enabling .... 3-24
    reporting events .... 3-25
NSRP .... 11-1
    ARP broadcasts .... 11-29
    ARP lookup .... 11-38
    backup .... 11-11
    cabling .... 11-25 to 11-28
    clear cluster command .... 11-10
    config sync .... 11-19
    control messages .... 11-7, 11-13
    debug cluster command .... 11-10
    default settings .... 11-6
    DHCP .... 2-231
    DIP groups .... 2-153 to 2-155
    full-mesh configuration .... 11-25, 11-56
    HA session backup .... 2-171
    hold-down time .... 11-35, 11-38
    interface monitoring .... 11-29
    load sharing .... 11-82
    manage IP .... 11-52
    master .... 11-11
    NAT and Route modes .... 11-3
    NTP synchronization .... 2-256, 11-20
    packet forwarding and dynamic routing .... 11-8
    preempt mode .... 11-21
    priority numbers .... 11-21
    redundant interfaces .... 2-37
    redundant ports .... 11-3
    RTOs .... 11-34
    secondary path .... 11-29
    secure communications .... 11-28
    virtual systems .... 11-56 to 11-86
    VSD groups .... 4-181, 11-21, 11-34
    VSIs .... 2-38, 11-2
    VSIs, static routes .... 11-24, 11-68
NSRP clusters .... 11-30, 11-34
    names .... 11-11, 11-28
NSRP data
    link .... 11-7
    messages .... 11-7
NSRP HA
    cabling, network interfaces .... 11-27
    interfaces .... 11-6
    ports, redundant interfaces .... 11-42
    session backup .... 11-16
NSRP ports
    failover .... 11-42
NSRP RTOs .... 11-16 to 11-17
    states .... 11-17
    sync .... 11-20
NSRP synchronization
    NTP, NSRP .... 11-20
    RTOs .... 11-20
NSRP-Lite .... 11-19
    clusters .... 11-11
    secure communications .... 11-15
NSRP-Lite synchronization
    disabling .... 11-19
NTP .... 2-255 to 2-257, 4-130
    authentication types .... 2-257
    maximum time adjustment .... 2-256
    multiple servers .... 2-255
    NSRP synchronization .... 2-256
    secure servers .... 2-257
    servers .... 2-255
NTP, NSRP synchronization .... 11-20
Null interface, defining routes with .... 7-11
null route .... 5-85

O

objects
    attack objects .... 4-209
    attack objects, creating custom .... 4-212
    attack objects, protocol anomaly .... 4-210
    attack objects, signature .... 4-210
objects, monitoring .... 11-50
OCSP (Online Certificate Status Protocol) .... 5-34
    client .... 5-34
    responder .... 5-34
Open Shortest Path First
    See OSPF
operating systems, probing hosts for .... 4-12 to 4-14
operational modes
    NAT .... 13-4
    Route .... 13-4
    Transparent .... 13-4
OSPF
    broadcast networks .... 7-48
    configuration steps .... 7-49
    ECMP support .... 7-59
    flooding, protecting against .... 7-66
    flooding, reduced LSA .... 7-67
    global parameters .... 7-58
    hello protocol .... 7-47
    interface parameters .... 7-62
    interfaces, assigning to areas .... 7-53
    interfaces, tunnel .... 7-68
    link-state advertisements .... 7-46
    link-type, setting .... 7-68
    load-balancing .... 7-36
    LSA suppression .... 7-67
    neighbors, authenticating .... 7-64
    neighbors, filtering .... 7-65
    not so stubby area .... 7-47
    point-to-multipoint .... 7-68
    point-to-point network .... 7-48
    security configuration .... 7-64
    stub area .... 7-47
    virtual links .... 7-59
OSPF areas .... 7-46
    defining .... 7-51
    interfaces, assigning to .... 7-53
OSPF routers
    adjacency .... 7-47
    backup designated .... 7-47
    creating OSPF instance in VR .... 7-50
    designated .... 7-47
    types .... 7-47
OSPF routes
    default, rejecting .... 7-66
    redistributed, summarizing .... 7-57
    redistributing .... 7-56
    route-deny restriction, disabling .... 7-69
Overbilling attacks
    description .... 13-26
    prevention .... 13-26 to 13-31
    prevention, configuring .... 13-29
    solutions .... 13-28

P

P2P .... 4-131
    BitTorrent .... 4-131
    DC .... 4-131
    eDonkey .... 4-131
    FastTrack .... 4-131
    Gnutella .... 4-131
    KaZaa .... 4-131
    MLdonkey .... 4-131
    Skype .... 4-131
    SMB .... 4-131
    WinMX .... 4-131
packet flow .... 2-10 to 2-12
    inbound VPN .... 5-66 to 5-68
    outbound VPN .... 5-66
    policy-based VPN .... 5-68 to 5-69
    route-based VPN .... 5-63 to 5-68
packet flow, NAT-dst .... 8-29 to 8-31
packets .... 3-96
    address spoofing attack .... 3-94
    collision .... 3-93, 3-94
    denied .... 3-95
    dropped .... 3-95, 3-96
    fragmented .... 3-96
    incoming .... 3-93
    Internet Control Message Protocol (ICMP) .... 3-92, 3-94
    IPSec .... 3-95
    land attack .... 3-95
    Network Address Translation (NAT) .... 3-95
    Point to Point Tunneling Protocol (PPTP) .... 3-94
    received .... 3-93, 3-94, 3-95
    transmitted underrun .... 3-93
    unreceivable .... 3-93, 3-94
    unroutable .... 3-95
PAP .... 5-208, 5-211
parent connection .... 3-95
Password Authentication Protocol
    See PAP
passwords
    forgetting .... 3-39
    root admin .... 3-41
passwords, changing admin's .... 10-4, 10-7
PAT .... 2-141, 8-14
PCMCIA .... 3-56
Peer-to-Peer
    See P2P
Perfect Forward Secrecy
    See PFS
PFS .... 5-11, 5-53, 5-59
Phase 1 .... 5-9
    proposals .... 5-9
    proposals, predefined .... 5-9
Phase 2 .... 5-11
    proposals .... 5-11
    proposals, predefined .... 5-11
physical interface
    logical interface .... 2-36
physical interfaces
    C-bit parity mode .... 12-13
    CSU compatibility .... 12-20
    exporting from vsys .... 10-40
    importing to vsys .... 10-39
PIM-SM .... 7-183
    configuration steps .... 7-187
    configuring rendezvous points .... 7-197
    designated router .... 7-184
    IGMPv3 .... 7-213
    instances, creating .... 7-188
    interface parameters .... 7-202
    proxy RP .... 7-204
    rendezvous points .... 7-184
    security configurations .... 7-199
    traffic, forwarding .... 7-185
PIM-SSM .... 7-187
ping management options .... 3-28
Ping of Death .... 4-49
pinholes .... 6-19
PKI .... 5-22
PKI keys .... 3-6
point-to-multipoint configuration
    OSPF .... 7-68
Point-to-Point Protocol
    See PPP
Point-to-Point Protocol (PPP) .... 14-46
Point-to-Point Protocol over ATM
    See PPPoA
Point-to-Point Protocol over Ethernet
    See PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) .... 14-46
Point-to-Point Tunneling Protocol (PPTP) .... 3-94
policies .... 2-3, 13-5
    actions .... 2-167
    address groups .... 2-166
    address negation .... 2-186
    addresses .... 2-166
    addresses in .... 2-166
    alarms .... 2-172
    application, linking service to explicitly .... 2-167
    authentication .... 2-170
    bidirectional VPNs .... 2-168, 5-125
    changing .... 2-189
    context .... 4-120
    core section .... 4-17, 4-118
    counting .... 2-172
    Deep Inspection (DI) .... 2-169
    deny .... 2-167
    DIP groups .... 2-154
    disabling .... 2-189
    editing .... 2-189
    enabling .... 2-189
    functions of .... 2-159
    global .... 2-162, 2-174, 2-184
    HA session backup .... 2-171
    ID .... 2-166
    internal rules .... 2-164
    interzone .... 2-161, 2-174, 2-175, 2-178
    intrazone .... 2-161, 2-174, 2-182
    L2TP .... 2-168
    L2TP tunnels .... 2-168
    lookup sequence .... 2-163
    management .... 2-174
    managing bandwidth .... 2-193
    maximum limit .... 2-107
    multicast .... 7-153
    multiple items per component .... 2-185
    name .... 2-168
    NAT-dst .... 2-169
    NAT-src .... 2-169
    order .... 2-190
    permit .... 2-167
    policy context .... 2-185
    policy set lists .... 2-163
    position at top .... 2-169, 2-190
    reject .... 2-167
    removing .... 2-191
    reordering .... 2-190
    required elements .... 2-160
    root system .... 2-164
    schedules .... 2-172
    security zones .... 2-166
    service book .... 2-109
    service groups .... 2-138
    services .... 2-166
    services in .... 2-109, 2-166
    shadowing .... 2-189, 2-190
    traffic logging .... 2-172
    traffic shaping .... 2-173
    tunnel .... 2-167
    types .... 2-161 to 2-162
    verifying .... 2-189
    virtual systems .... 2-164
    VPN dialup user groups .... 2-166
    VPNs .... 2-168
policies, configuring .... 13-6
policy-based NAT
    See NAT-dst and NAT-src
policy-based NAT, tunnel interfaces .... 2-39
policy-based VPNs .... 5-62
Port Address Translation
    See PAT
port scan .... 4-9
Portmapper .... 4-130
ports
    failover .... 11-42
    mapping .... 8-4, 8-28
    numbers .... 8-87
    primary trusted and untrusted .... 11-42
    redundant .... 11-3
    secondary trusted and untrusted .... 11-42
ports, modem .... 3-20, 3-22
ports, trunk .... 10-42
PPP .... 5-206, 12-66
PPPoA .... 12-66, 12-68, 12-74
PPPoE .... 12-66, 12-74
PPPoE - Point-to-Point Protocol over Ethernet .... 14-46
preempt mode .... 11-21
prefix lists .... 14-12
preshared key .... 5-7
preshared keys .... 5-160
priority queuing .... 2-198
private addresses .... 2-47
probe .... 14-31
Probe Time .... 14-31
probes
    network .... 4-8
    open ports .... 4-9
    operating systems .... 4-12, 4-14
proposals
    Phase 1 .... 5-9, 5-69
    Phase 2 .... 5-11, 5-69
protocol anomalies .... 4-133
    ALGs .... 4-131
    basic network protocols .... 4-129
    configuring parameters .... 4-162
    Instant Messaging applications .... 4-130
    P2P applications .... 4-131
    supported protocols .... 4-129 to 4-132
protocol distribution, reporting to NetScreen-Security Manager .... 3-25
Protocol Independent MulticastSee PIM
protocolsCHAP .................................................................. 5-208IGP ...................................................................... 14-51NRTP................................................................... 11-19NSRP..................................................................... 11-1PAP ..................................................................... 5-208PPP...........................................................5-206, 14-46PPPoE ................................................................. 14-46VRRP................................................................... 11-53
protocols, CHAP......................................................... 9-79proxy IDs .................................................................... 5-11
matching .....................................................5-63, 5-69VPNs and NAT .....................................5-140 to 5-141
public addresses ........................................................ 2-47Public key infrastructure
See PKI
Master Index
Public/private key pair ... 5-23
PXE ... 2-237
PXE server ... 2-237

Q

QoS ... 2-193

R

RA - Router Advertisement ... 14-12
RADIUS ... 3-39, 4-130, 9-19 to 9-22
    auth server objects ... 9-33
    dictionary file ... 9-2
    dictionary files ... 9-21
    L2TP ... 5-211
    object properties ... 9-20
    ports ... 9-20
    retry timeout ... 9-20
    shared secret ... 9-20
RADIUSv6 ... 14-132
rate limiting, GTP-C messages ... 13-12
reachability states ... 14-14
reachability states, transitions ... 14-15
reconnaissance ... 4-7 to 4-25
    address sweep ... 4-8
    FIN scans ... 4-15
    IP options ... 4-10
    port scan ... 4-9
    SYN and FIN flags set ... 4-12
    TCP packet without flags ... 4-14
record route IP option ... 4-11
redundant gateways ... 5-291 to 5-304
    recovery procedure ... 5-295
    TCP SYN flag checking ... 5-297
regular expressions ... 4-157 to 4-158
rekey option, VPN monitoring ... 5-242
Remote Authentication Dial-in User Service
    See RADIUS
remote termination point ... 14-104, 14-107
replay protection ... 5-12
request packets, outgoing from IPv6 to IPv4 ... 14-84
requirements, basic functional ... 10-4
Retransmission Time ... 14-31
rexec ... 4-130
RFC 1777, Lightweight Directory Access Protocol ... 9-29
RFCs
    0792, Internet Control Message Protocol ... 2-126
    1038, Revised IP Security Option ... 4-10
    1349, Type of Service in the Internet Protocol Suite ... 2-173
    1918, Address Allocation for Private Internets ... 2-47
    2132, DHCP Options and BOOTP Vendor Extensions ... 2-230
    2326, Real Time Streaming Protocol (RTSP) ... 2-130, 2-134
    2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers ... 2-173
    791, Internet Protocol ... 4-10
    793, Transmission Control Protocol ... 4-13
RIP
    authenticating neighbors ... 7-86
    configuration ... 14-53
    database ... 7-93
    demand circuit configuration ... 7-94
    filtering neighbors ... 7-87
    flooding, protecting against ... 7-88, 14-59
    global parameters ... 7-83, 14-56
    instances, creating in VR ... 7-76, 14-54
    interface parameters ... 7-85, 14-60
    interfaces, enabling on ... 7-77, 14-55
    load-balancing ... 7-36
    neighbors, filtering ... 14-57
    point-to-multipoint ... 7-97
    prefix summary ... 7-92
    versions ... 7-90
    versions, protocol ... 7-90
RIP routes
    alternate ... 7-93
    default, rejecting ... 14-57
    redistributing ... 7-77, 14-58
    rejecting default ... 7-88
    summary, configuring ... 7-92
RIP, configuring
    demand circuits ... 7-95
    security ... 7-86
    steps ... 7-75
RIP, viewing
    database ... 7-80, 14-66
    interface details ... 7-82
    neighbor information ... 7-81, 14-68
    protocol details ... 7-80, 14-66
RIPng ... 14-49, 14-51
    interface cost metric ... 14-60, 14-62
    metric calculation ... 14-62
    offset metric ... 14-60, 14-62
    route metric ... 14-60, 14-62
    route redistribution ... 14-51
rlogin ... 4-130
role-based administration
    configuring IDP-only administrator ... 4-228
    IDP rulebases ... 4-184
root admin, logging in ... 3-42
route lookup
    multiple VRs ... 7-34
    sequence ... 7-32
Route mode ... 2-98 to 2-101, 11-3, 13-4
    interface settings ... 2-99
    NAT-src ... 2-98
route tracking ... 12-111
Concepts & Examples ScreenOS Reference Guide
route-based VPNs ... 5-62 to 5-63
Router Advertisement (RA) ... 14-12
Router mode ... 14-52
Router Solicitation (RS) ... 14-12
routers
    upstream ... 14-38
    virtual ... 14-50, 14-102
routes
    exporting ... 7-42
    filtering ... 7-39
    importing ... 7-42
    maps ... 7-38
    metrics ... 7-31
    null ... 5-85
    preference ... 7-30
    redistributing ... 7-37
    selection ... 7-30
Routing Information Protocol
    See RIP
routing tables ... 7-15
    lookup ... 7-32
    lookup in multiple VRs ... 7-34
    multicast ... 7-149
    route selection ... 7-30
    types ... 7-15
routing, multicast ... 7-147
RSA authentication ... 14-121
rsh ... 4-130
RSH ALG ... 2-127
RTOs ... 11-16 to 11-17
    operational states ... 11-17
    peers ... 11-22
    synchronization ... 11-20
RTSP ... 4-130
RTSP ALG
    defined ... 2-130
    request methods ... 2-131
    server in private domain ... 2-134
    server in public domain ... 2-136
    status codes ... 2-133
rules, derived from policies ... 2-164
run-time authentication ... 2-170, 9-46
Run-Time Objects
    See RTOs

S

SA policy ... 3-96
SAs ... 5-8, 5-11
    check in packet flow ... 5-65
SCEP (Simple Certificate Enrollment Protocol) ... 5-30
schedules ... 2-156, 2-172
SCP
    enabling ... 3-18
    example client command ... 3-18
SCREEN
    address sweep ... 4-8
    bad IP options, drop ... 4-238
    drop unknown MAC addresses ... 4-39
    FIN with no ACK ... 4-15
    FIN without ACK flag, drop ... 4-13
    ICMP
        fragments, block ... 4-236
    ICMP floods ... 4-46
    IP options ... 4-10
    IP packet fragments, block ... 4-240
    IP spoofing ... 4-18 to 4-23
    Land attacks ... 4-48
    large ICMP packets, block ... 4-237
    loose source route IP option, detect ... 4-25
    Ping of Death ... 4-49
    port scan ... 4-9
    source route IP option, deny ... 4-25
    strict source route IP option, detect ... 4-25
    SYN and FIN flags set ... 4-12
    SYN floods ... 4-34 to 4-39
    SYN fragments, detect ... 4-241
    SYN-ACK-ACK proxy floods ... 4-32
    TCP packet without flags, detect ... 4-14
    Teardrop ... 4-50
    UDP floods ... 4-47
    unknown protocols, drop ... 4-239
    VLAN and MGT zones ... 4-2
    WinNuke attacks ... 4-51
SCREEN, MGT zone ... 2-28
ScreenOS
    function zones ... 2-33
    global zone ... 2-28
    overview ... 2-1
    packet flow ... 2-10 to 2-12
    policies ... 2-3
    RADIUS vendor IDs ... 9-22
    security zones ... 2-2, 2-28
    security zones, global ... 2-2
    security zones, predefined ... 2-2
    tunnel zones ... 2-29
    virtual systems ... 2-9
    VRs ... 10-6
    zones ... 2-25 to 2-33, 10-6
ScreenOS interfaces
    security zones ... 2-3
    subinterfaces ... 2-3
SDP ... 6-17 to 6-18
secondary IP addresses ... 2-51
secondary path ... 11-29
Secure Copy
    See SCP
Secure Hash Algorithm-1
    See SHA-1
Secure Shell
    See SSH
Secure Sockets Layer
    See SSL
SecurID ... 9-27
    ACE servers ... 9-28
    auth server object ... 9-35
    authentication port ... 9-28
    authenticator ... 9-27
    encryption types ... 9-28
    L2TP ... 5-211
    token codes ... 9-27
    Use Duress option ... 9-28
    user type support ... 9-28
SecurID clients
    retries ... 9-28
    timeout ... 9-28
security associations
    See SAs
Security Associations (SA) ... 3-95
security IP option ... 4-10, 4-11
Security Policies ... 4-182
security policies
    rulebase execution ... 4-185
    rulebases ... 4-182
    rules ... 4-182
    templates ... 4-185
security zones ... 2-2
    determination, destination zone ... 2-12
    determination, source zone ... 2-10
    global ... 2-2
    predefined ... 2-2
    See zones
security zones, interfaces ... 2-3
    physical ... 2-36
selection modes
    APN ... 13-15
    Mobile Station (MS) ... 13-15
    Network ... 13-15
    Verified ... 13-15
self log ... 3-66
sequence-number validation ... 13-13
serial cables ... 3-19
Server Message Block
    See SMB
servers, auth
    See auth servers
servers, SecurID ACE ... 9-28
service book
    entries, modifying (CLI) ... 2-123
    entries, removing (CLI) ... 2-123
service book, service groups (WebUI) ... 6-63
service book, services
    adding ... 2-122
    custom ... 2-109
    custom (CLI) ... 2-122
    preconfigured ... 2-109
service groups ... 2-138 to 2-140
    creating ... 2-138
    deleting ... 2-140
    modifying ... 2-139
service groups (WebUI) ... 2-138
service provider, information from ... 12-66
service requests, outgoing ... 14-86, 14-88
services ... 2-109
    custom ... 4-152
    defined ... 2-166
    dropdown list ... 2-109
    ICMP ... 2-126
    in policies ... 2-166
    timeout threshold ... 2-123
services, custom ... 2-121
    ALGs ... 2-167
    in vsys ... 2-122
session ID ... 3-4
session idle timeout ... 9-18
session limits ... 4-28 to 4-30
    destination-based ... 4-29, 4-30
    source-based ... 4-28, 4-29
session table floods ... 4-17, 4-28
session timeout
    HTTP ... 4-31
session timeouts
    TCP ... 4-31
    UDP ... 4-31
SHA-1 ... 5-6
shared VRs ... 10-37
shared zones ... 10-37
signature packs, DI ... 4-120
signatures
    stateful ... 4-132
SIP
    ALG ... 6-17, 6-20
    connection information ... 6-18
    defined ... 6-13
    media announcements ... 6-18
    messages ... 6-14
    multimedia sessions ... 6-13
    pinholes ... 6-17
    request methods ... 6-14
    response codes ... 6-16
    RTCP ... 6-18
    RTP ... 6-18
    SDP ... 6-17 to 6-18
    signaling ... 6-17
SIP NAT
    call setup ... 6-23, 6-28
    defined ... 6-23
    DIP pool, using a ... 6-35
    DIP, using incoming ... 6-31
    DIP, using interface ... 6-32
    incoming, with MIP ... 6-35, 6-37
    proxy in DMZ ... 6-44
    proxy in private zone ... 6-39, 6-86
    proxy in public zone ... 6-42
    trust intrazone ... 6-51
    untrust intrazone ... 6-47, 6-93
    VPN, using full-mesh ... 6-53, 6-99
SIP timeouts
    inactivity ... 6-20
    media inactivity ... 6-21, 6-22
    session inactivity ... 6-20
    signaling inactivity ... 6-21, 6-22
site survey ... 12-131
Site-Local Aggregator (SLA) ... 14-37, 14-39
SMB
    NetBIOS ... 4-131
SMTP server IP ... 3-71
SNMP ... 3-28, 3-73
    cold start trap ... 3-74
    configuration ... 3-77
    encryption ... 3-76, 3-78
    management options ... 3-28
    MIB files, importing ... 5-252
    VPN monitoring ... 5-252
SNMP community
    private ... 3-77
    public ... 3-77
SNMP traps
    100, hardware problems ... 3-74
    200, firewall problems ... 3-74
    300, software problems ... 3-74
    400, traffic problems ... 3-74
    500, VPN problems ... 3-74
    allow or deny ... 3-76
    system alarm ... 3-74
    traffic alarm ... 3-74
    types ... 3-74
SNMPTRAP ... 4-130
software keys ... 10-37
source address translation ... 14-83
source interface-based routing (SIBR) ... 7-19
source route ... 3-96
source-based routing (SBR) ... 7-17
SSH ... 3-11 to 3-16, 4-130
    authentication method priority ... 3-15
    automated logins ... 3-17
    connection procedure ... 3-12
    forcing PKA authentication only ... 3-16
    loading public keys, CLI ... 3-15
    loading public keys, TFTP ... 3-15, 3-17
    loading public keys, WebUI ... 3-15
    management options ... 3-28
    password authentication ... 3-14
    PKA ... 3-15
    PKA authentication ... 3-14
SSID
    binding to wireless interface ... 12-144
SSL ... 3-5, 4-130
SSL Handshake Protocol
    See SSLHP
SSL management options ... 3-28
SSL, with WebAuth ... 9-62
SSLHP ... 3-5
state transitions
    endpoint host ... 14-15
    next-hop gateway router ... 14-16
    static entry ... 14-18
    tunnel gateway ... 14-17
stateful ... 4-3
    inspection ... 4-3
    signatures ... 4-132
stateless address autoconfiguration ... 14-11
static IP address ... 12-74
static routing ... 7-2, 7-2 to 7-10
    configuring ... 7-5
    multicast ... 7-150
    Null interface, forwarding on ... 7-11
    using ... 7-3
statistics, reporting to NSM ... 3-26
stream ID IP option ... 4-11
stream signatures ... 4-133
strict source route IP option ... 4-11, 4-23 to 4-25
subinterfaces ... 2-3, 10-62
    configuring (vsys) ... 10-62
    creating (root system) ... 2-49
    creating (vsys) ... 10-62
    deleting ... 2-50
    multiple per vsys ... 10-62
subnets, overlapping ... 10-63
subrate option ... 12-20
subscriptions
    registration and activation ... 2-251 to 2-253
    temporary service ... 2-252
Sun RPC ALG
    call scenarios ... 2-127
    defined ... 2-127
Super G ... 12-133
SurfControl ... 4-98, 4-107
SYN and FIN flags set ... 4-12
SYN checking ... 4-15, 4-15 to 4-18
    asymmetric routing ... 4-16
    reconnaissance hole ... 4-17
    session interruption ... 4-17
    session table floods ... 4-17
SYN cookies ... 4-44
SYN floods .... 4-34 to 4-39
    alarm threshold .... 4-38
    attack threshold .... 4-37
    attacks .... 4-34
    destination threshold .... 4-38
    drop unknown MAC addresses .... 4-39
    queue size .... 4-39
    source threshold .... 4-38
    SYN cookies .... 4-44
    threshold .... 4-35
    timeout .... 4-39
SYN fragments .... 4-241
SYN-ACK-ACK proxy floods .... 4-32
synchronization
    configuration .... 11-19
    RTOs .... 11-20
syslog .... 3-56, 4-130
    encryption .... 3-78
    facility .... 3-72, 3-81, 3-88
    host .... 3-72
    host name .... 3-72, 3-73, 3-81, 3-88
    messages .... 3-71
    port .... 3-72, 3-81, 3-88
    security facility .... 3-72, 3-81, 3-88
system clock .... 2-253 to 2-257
    date & time .... 2-254
    sync with client .... 2-254
    time zone .... 2-254
system parameters .... 2-257

T

T3 interfaces
    C-bit parity mode .... 12-13
    CSU compatibility .... 12-20
TACACS+
    auth server objects .... 9-38
    clients retries .... 9-32
    clients timeout .... 9-32
    object properties .... 9-32
    ports .... 9-32
    retry timeout .... 9-32
    shared secret .... 9-32
tags, VLANs .... 2-3
TCP
    packet without flags .... 4-14
    session timeouts .... 4-31
    stream signatures .... 4-160
    SYN flag checking .... 5-297
TCP proxy .... 3-96
Teardrop attacks .... 4-50
Telnet .... 3-9, 4-130
Telnet management options .... 3-28
Telnet, logging in via .... 3-10
templates
    security policy .... 4-185
TFTP .... 4-130
three-way handshakes .... 4-34
threshold
    low-watermark .... 4-31
thresholds
    high-watermark .... 4-30
time zone .... 2-254
timeout .... 13-25
    admin users .... 9-18
    auth users .... 9-18
timestamp IP option .... 4-11
token codes .... 9-27
Top-Level Aggregator (TLA) .... 14-37
trace-route .... 2-85
traffic
    counting .... 2-172, 13-5
    IP-based .... 10-71
    logging .... 2-172, 13-5
    priority .... 2-173
    shaping .... 2-193
    sorting .... 10-31 to 10-39
    through traffic, vsys sorting .... 10-32 to 10-35
    VLAN-based .... 10-40, 10-41 to 10-68
traffic alarms .... 3-68 to 3-71
traffic shaping .... 2-193
    automatic .... 2-194
    service priorities .... 2-198
Transparent mode .... 2-80 to 2-92, 10-42, 10-43, 13-4
    ARP/trace-route .... 2-83
    blocking non-ARP traffic .... 2-81
    blocking non-IP traffic .... 2-81
    broadcast traffic .... 2-81
    drop unknown MAC addresses .... 4-39
    flood .... 2-83
    routes .... 2-82
    unicast options .... 2-83
Transparent mode, management options .... 3-29
Transport mode .... 5-4, 5-208, 5-213, 5-218
Triple DES
    See 3DES
trunk ports .... 10-42
trunk ports, Transparent mode .... 10-42
trustee administrator .... 12-109
tunnel interfaces .... 2-39
    definition .... 2-39
    policy-based NAT .... 2-39
Tunnel mode .... 5-4
tunnel termination points .... 14-102
tunnel tracking .... 12-111

U

UDP
    checksum .... 5-237
    NAT-T encapsulation .... 5-232
    session timeouts .... 4-31
unified access control solution
    overview of .... 1-li, 9-vii, 9-41
unknown protocols .... 4-239
unknown unicast options .... 2-82 to 2-87
    ARP .... 2-84 to 2-87
    flood .... 2-83 to 2-84
    trace-route .... 2-85
updating IDP engine .... 4-231
upstream routers .... 14-38
URL filtering
    See web filtering
USB .... 3-56
users
    admin .... 9-2
    admin, timeout .... 9-18
    group IKE ID .... 5-183 to 5-198
    groups, server support .... 9-14
    IKE
        See IKE users
    L2TP .... 9-84 to 9-87
    multiple-type .... 9-4
    shared IKE ID .... 5-198 to 5-204
    WebAuth .... 9-14
    XAuth .... 9-68 to 9-82
users, auth
    See auth users
users, IKE
    See IKE users
users, multiple administrative .... 3-33

V

VC .... 12-66
VCI .... 12-66
vendor IDs, VSA .... 9-22
vendor-specific attributes .... 9-21
Verified mode .... 13-15
Verisign .... 5-34
VIP .... 2-11
    configuring .... 8-82
    definition .... 8-6
    editing .... 8-84
    global zones .... 8-82
    reachable from other zones .... 8-82
    removing .... 8-84
    required information .... 8-81
VIP services
    custom and multi-port .... 8-85 to 8-88
    custom, low port numbers .... 8-82
VIP, to zone with interface-based NAT .... 2-94
virtual adapters .... 9-68
virtual channel identifier
    See VCI
virtual circuit
    See VC
virtual HA interfaces .... 2-39, 11-27
virtual IP
    See VIP
virtual path identifier
    See VPI
Virtual Path Identifier/Virtual Channel Identifier
    See VPI/VCI
virtual private networks
    See VPNs
virtual routers .... 14-50, 14-102
    See VRs
virtual routers, MIP default .... 8-66
virtual routers, RIP .... 14-53 to 14-70
virtual security device groups
    See VSD groups
virtual security interface
    See VSI
virtual system support .... 13-5
virtual systems .... 2-9
    admins .... 3-34
    failover .... 11-56
    load sharing .... 11-82
    manageability and security of .... 10-73
    NSRP .... 11-56
    read-only admins .... 3-34
    VIP .... 10-31
VLAN zone .... 2-81
VLAN1
    interface .... 2-81, 2-87
    zones .... 2-81
VLAN1, management options .... 3-29
VLAN-based traffic classification .... 10-40, 10-41 to 10-68
VLANs
    communicating with another VLAN .... 10-39, 10-65 to 10-68
    creating .... 10-43 to 10-64
    subinterfaces .... 10-62
    tag .... 10-43, 10-62
    Transparent mode .... 10-42, 10-43
    trunking .... 10-42
    VLAN-based traffic classification .... 10-40, 10-41 to 10-68
VLANs, tags .... 2-3
VNC .... 4-130
voice-over IP
    bandwidth management .... 6-62
VPI .... 12-66
VPI/VCI
    configuring .... 12-71
    values .... 12-74
VPN idletime .... 9-71
VPN monitoring .... 5-241 to 5-252, 12-111
    destination address .... 5-243 to 5-245
    destination address, XAuth .... 5-243
    ICMP echo requests .... 5-252
    outgoing interface .... 5-243 to 5-245
    policies .... 5-244
    rekey option .... 5-242, 5-258
    routing design .... 5-71
    SNMP .... 5-252
    status changes .... 5-241, 5-244
VPNs
    Aggressive mode .... 5-10
    AutoKey IKE .... 3-43, 3-79, 5-7
    configuration tips .... 5-69 to 5-71
    cryptographic options .... 5-48 to 5-61
    Diffie-Hellman exchange .... 5-10
    Diffie-Hellman groups .... 5-10
    for administrative traffic .... 3-78
    FQDN aliases .... 5-130
    FQDN for gateways .... 5-129 to 5-140
    Main mode .... 5-9
    manual key .... 3-79
    manual keys .... 3-43
    MIP .... 5-140
    multiple tunnels per tunnel interface .... 5-254 to 5-289
    NAT for overlapping addresses .... 5-140 to 5-151
    NAT-dst .... 5-140
    NAT-src .... 5-142
    packet flow .... 5-63 to 5-69
    Phase 1 .... 5-9
    Phase 2 .... 5-11
    policies .... 2-168
    policies for bidirectional .... 5-125
    proxy IDs, matching .... 5-69
    redundant gateways .... 5-291 to 5-304
    redundant groups, recovery procedure .... 5-295
    replay protection .... 5-12
    route- vs policy-based .... 5-62
    SAs .... 5-8
    to zone with interface-based NAT .... 2-94
    Transport mode .... 5-4
    tunnel always up .... 5-242
    tunnel zones .... 2-29
    VPN groups .... 5-292
    VPN monitoring and rekey .... 5-242
VRRP .... 11-53
VRs .... 7-37 to 7-42, 10-6
    access lists .... 7-40
    BGP .... 7-106 to 7-113
    ECMP .... 7-36
    forwarding traffic between .... 2-4
    introduction .... 2-4
    modifying .... 7-22
    on vsys .... 7-26
    OSPF .... 7-49 to 7-67
    RIP .... 7-75 to 7-90
    route metrics .... 7-31
    router IDs .... 7-22
    SBR .... 7-17
    shared .... 10-37
    shared, creating a .... 10-38
    SIBR .... 7-19
    using two .... 7-23
VRs, routes
    exporting .... 7-42
    filtering .... 7-39
    importing .... 7-42
    maps .... 7-38
    preference .... 7-30
    redistribution .... 7-37
    selection .... 7-30
VRs, routing tables
    lookup .... 7-32
    lookup in multiple VRs .... 7-34
    maximum entries .... 7-29
VSA attribute types .... 9-22
VSAs .... 9-21
VSD groups .... 4-181, 11-21
    failover .... 11-56
    heartbeats .... 11-23, 11-29
    hold-down time .... 11-35, 11-38
    member states .... 11-22 to 11-23
    priority numbers .... 11-21
VSIs .... 11-2, 11-21
    multiple VSIs per VSD group .... 11-56
    static routes .... 11-24
vsys
    admin .... 10-7
    keys .... 10-37
    objects, creating .... 10-4

W

web browser requirements .... 3-2
web filtering .... 2-172, 4-107 to 4-114
    applying profiles to policies .... 4-104
    blocked URL message .... 4-111
    blocked URL message type .... 4-111
    cache .... 4-99
    communication timeout .... 4-110
    integrated .... 4-98
    profiles .... 4-102
    redirect .... 4-107
    routing .... 4-112
    server status .... 4-112
    servers per vsys .... 4-108
    SurfControl CPA servers .... 4-98
    SurfControl SCFP .... 4-109
    SurfControl server name .... 4-110
    SurfControl server port .... 4-110
    SurfControl servers .... 4-99
    URL categories .... 4-101
    Websense server name .... 4-110
    Websense server port .... 4-110
Web user interface
    See WebUI
WebAuth .... 9-14, 9-47
    external user groups .... 9-59
    pre-policy auth process .... 9-47
    user groups, local .... 9-58
    with SSL (user groups, external) .... 9-61
WebAuth, pre-policy auth process .... 2-171
WebTrends .... 3-56, 3-73
    encryption .... 3-73, 3-78
    messages .... 3-73
WebUI .... 3-2, 14-32
    Help files .... 3-2
    management options .... 3-28
WebUI, on sample client, downstream router .... 14-40
WEP .... 12-122
Whois .... 4-130
wildcards .... 5-186, 13-15
WinNuke attacks .... 4-51
WINS
    L2TP settings .... 5-211
WINS server .... 14-132
Wired Equivalent Privacy
    See WEP
wireless bridge groups .... 12-145
wireless interface
    logical interface .... 2-36
wireless interfaces
    binding SSID to .... 12-144
    binding to radio .... 12-144
    configuring .... 12-144
    disabling .... 12-146
Wireless Local Area Network
    See WLAN
WLAN
    access control list .... 12-132
    advanced parameters .... 12-138
    aging interval .... 12-138
    authentication and encryption .... 12-122
    beacon interval .... 12-139
    bridge groups .... 12-145
    burst threshold .... 12-140
    Clear to Send mode .... 12-141
    Clear to Send rate .... 12-142
    Clear to Send type .... 12-142
    configurations, reactivating .... 12-133
    configuring Super G .... 12-133
    country codes and channels .... 12-130
    DTIM .... 12-140
    extended channels .... 12-130
    finding available channels .... 12-131
    fragment threshold .... 12-140
    preamble length .... 12-143
    Request to Send threshold .... 12-141
    site survey .... 12-131
    slot time .... 12-143
    viewing wireless configuration information .... 12-146
    WMM .... 12-134
    XR .... 12-133
WLAN WAP operation modes
    802.11b clients, configuring .... 12-119
    802.11g clients, configuring .... 12-119
WLAN, wireless interfaces
    binding .... 12-144
WMM
    access categories .... 12-135
    configuring quality of service .... 12-134
    default settings .... 12-135
    enabling .... 12-134

X

XAuth
    authentication .... 14-138
    bypass-auth .... 9-69
    client authentication .... 9-83
    defined .... 9-68
    query remote settings .... 9-69
    ScreenOS as client .... 9-83
    TCP/IP assignments .... 9-70
    virtual adapters .... 9-68
    VPN idletime .... 9-71
    VPN monitoring .... 5-243
    when to use .... 14-132
XAuth addresses
    assignments .... 9-68
    authentication, and .... 9-79
    IP address lifetime .... 9-70 to 9-71
    timeout .... 9-70
XAuth users .... 9-68 to 9-82
    authentication .... 9-68
    local authentication .... 9-71
    local group authentication .... 9-73
    server support .... 9-14
    with L2TP .... 9-4
XAuth, external
    auth server queries .... 9-69
    user authentication .... 9-74
    user group authentication .... 9-76
XR, configuring .... 12-133

Y

Yahoo! Messenger .... 4-130
Z

zip files, blocking .... 4-168
zombie agents .... 4-27, 4-29
zones .... 2-25 to 2-33, 10-6
    defining .... 2-30
    editing .... 2-31
    function .... 2-33
    function, MGT interface .... 2-38
    global .... 2-28
    global security .... 2-2
    Layer 2 .... 2-81
    shared .... 10-37
    tunnel .... 2-29
    VLAN .... 2-33, 2-81
    vsys .... 10-6
zones, global .... 8-82
zones, ScreenOS .... 2-25 to 2-33
    predefined .... 2-2
    security interfaces .... 2-3
zones, security .... 2-2, 2-28
    determination, destination zone .... 2-12
    determination, source zone .... 2-10
    global .... 2-2
    interfaces, monitoring .... 2-73
    interfaces, physical .... 2-36