
Concepts & Examples ScreenOS Reference Guide

Volume 1: Overview

Release 6.0.0, Rev. 02

Juniper Networks, Inc.

1194 North Mathilda Avenue

Sunnyvale, CA 94089

USA

408-745-2000

www.juniper.net

Part Number: 530-017767-01, Revision 02


Copyright Notice

Copyright © 2007 Juniper Networks, Inc. All rights reserved.

Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with Juniper Networks’ installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and receiver.

Consult the dealer or an experienced radio/TV technician for help.

Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.


Table of Contents

Volume 1: Overview

About the Concepts & Examples ScreenOS Reference Guide xlv

Volume Organization .......... xlvii
Document Conventions .......... liii

Web User Interface Conventions .......... liii
Command Line Interface Conventions .......... liii
Naming Conventions and Character Types .......... liv
Illustration Conventions .......... lv

Technical Documentation and Support .......... lvi

Master Index .......... IX-I

Volume 2: Fundamentals

About This Volume ix

Document Conventions .......... x
Web User Interface Conventions .......... x
Command Line Interface Conventions .......... x
Naming Conventions and Character Types .......... xi
Illustration Conventions .......... xii

Technical Documentation and Support .......... xiii

Chapter 1 ScreenOS Architecture 1

Security Zones .......... 2
Security Zone Interfaces .......... 3

Physical Interfaces .......... 3
Subinterfaces .......... 3

Virtual Routers .......... 4
Policies .......... 5
Virtual Private Networks .......... 6
Virtual Systems .......... 9
Packet-Flow Sequence .......... 10
Jumbo Frames .......... 13
ScreenOS Architecture Example .......... 14

Example: (Part 1) Enterprise with Six Zones .......... 14
Example: (Part 2) Interfaces for Six Zones .......... 16
Example: (Part 3) Two Routing Domains .......... 18
Example: (Part 4) Policies .......... 20


Chapter 2 Zones 25

Viewing Preconfigured Zones .......... 26
Security Zones .......... 28

Global Zone .......... 28
SCREEN Options .......... 28

Binding a Tunnel Interface to a Tunnel Zone .......... 29
Configuring Security Zones and Tunnel Zones .......... 30

Creating a Zone .......... 30
Modifying a Zone .......... 31
Deleting a Zone .......... 32

Function Zones .......... 33

Chapter 3 Interfaces 35

Interface Types .......... 36
Logical Interfaces .......... 36

Physical Interfaces .......... 36
Wireless Interfaces .......... 36
Bridge Group Interfaces .......... 37
Subinterfaces .......... 37
Aggregate Interfaces .......... 37
Redundant Interfaces .......... 37
Virtual Security Interfaces .......... 38

Function Zone Interfaces .......... 38
Management Interfaces .......... 38
High Availability Interfaces .......... 38

Tunnel Interfaces .......... 39
Deleting Tunnel Interfaces .......... 42

Viewing Interfaces .......... 43
Configuring Security Zone Interfaces .......... 44

Binding an Interface to a Security Zone .......... 44
Unbinding an Interface from a Security Zone .......... 45
Addressing an L3 Security Zone Interface .......... 46

Public IP Addresses .......... 47
Private IP Addresses .......... 47
Addressing an Interface .......... 48

Modifying Interface Settings .......... 48
Creating a Subinterface in the Root System .......... 49
Deleting a Subinterface .......... 50

Creating a Secondary IP Address .......... 50
Backup System Interfaces .......... 51

Configuring a Backup Interface .......... 52
Configuring an IP Tracking Backup Interface .......... 52
Configuring a Tunnel-if Backup Interface .......... 53
Configuring a Route Monitoring Backup Interface .......... 57

Loopback Interfaces .......... 58
Creating a Loopback Interface .......... 59
Setting the Loopback Interface for Management .......... 59
Setting BGP on a Loopback Interface .......... 59
Setting VSIs on a Loopback Interface .......... 60
Setting the Loopback Interface as a Source Interface .......... 60

Interface State Changes .......... 61
Physical Connection Monitoring .......... 63
Tracking IP Addresses .......... 63


Interface Monitoring .......... 68
Monitoring Two Interfaces .......... 69
Monitoring an Interface Loop .......... 70

Security Zone Monitoring .......... 73
Down Interfaces and Traffic Flow .......... 74

Failure on the Egress Interface .......... 75
Failure on the Ingress Interface .......... 76

Chapter 4 Interface Modes 79

Transparent Mode .......... 80
Zone Settings .......... 81

VLAN Zone .......... 81
Predefined Layer 2 Zones .......... 81

Traffic Forwarding .......... 81
Unknown Unicast Options .......... 82

Flood Method .......... 83
ARP/Trace-Route Method .......... 84
Configuring VLAN1 Interface for Management .......... 87
Configuring Transparent Mode .......... 89

NAT Mode .......... 92
Inbound and Outbound NAT Traffic .......... 94
Interface Settings .......... 95
Configuring NAT Mode .......... 95

Route Mode .......... 98
Interface Settings .......... 99
Configuring Route Mode .......... 99

Chapter 5 Building Blocks for Policies 103

Addresses .......... 103
Address Entries .......... 104

Adding an Address .......... 104
Modifying an Address .......... 105
Deleting an Address .......... 105

Address Groups .......... 105
Creating an Address Group .......... 107
Editing an Address Group Entry .......... 108
Removing a Member and a Group .......... 108

Services .......... 109
Predefined Services .......... 109

Internet Control Messaging Protocol .......... 110
Handling ICMP Unreachable Errors .......... 113
Internet-Related Predefined Services .......... 114
Microsoft Remote Procedure Call Services .......... 115
Dynamic Routing Protocols .......... 117
Streaming Video .......... 117
Sun Remote Procedure Call Services .......... 118
Security and Tunnel Services .......... 118
IP-Related Services .......... 119
Instant Messaging Services .......... 119
Management Services .......... 119
Mail Services .......... 120
UNIX Services .......... 120
Miscellaneous Services .......... 121


Custom Services .......... 121
Adding a Custom Service .......... 122
Modifying a Custom Service .......... 123
Removing a Custom Service .......... 123

Setting a Service Timeout .......... 123
Service Timeout Configuration and Lookup .......... 123
Contingencies .......... 124
Example .......... 126

Defining a Custom Internet Control Message Protocol Service .......... 126
Remote Shell ALG .......... 127
Sun Remote Procedure Call Application Layer Gateway .......... 127

Typical RPC Call Scenario .......... 127
Customizing Sun RPC Services .......... 128

Customizing Microsoft Remote Procedure Call ALG .......... 129
Real-Time Streaming Protocol Application Layer Gateway .......... 130

RTSP Request Methods .......... 131
RTSP Status Codes .......... 133
Configuring a Media Server in a Private Domain .......... 134
Configuring a Media Server in a Public Domain .......... 136

Service Groups .......... 138
Modifying a Service Group .......... 139
Removing a Service Group .......... 140

Dynamic IP Pools .......... 140
Port Address Translation .......... 141
Creating a DIP Pool with PAT .......... 142
Modifying a DIP Pool .......... 143
Sticky DIP Addresses .......... 143
Using DIP in a Different Subnet .......... 144
Using a DIP on a Loopback Interface .......... 149
Creating a DIP Group .......... 153

Setting a Recurring Schedule .......... 156

Chapter 6 Policies 159

Basic Elements .......... 160
Three Types of Policies .......... 161

Interzone Policies .......... 161
Intrazone Policies .......... 161
Global Policies .......... 162

Policy Set Lists .......... 163
Policies Defined .......... 164

Policies and Rules .......... 164
Anatomy of a Policy .......... 165

ID .......... 166
Zones .......... 166
Addresses .......... 166
Services .......... 166
Action .......... 167
Application .......... 167
Name .......... 168
VPN Tunneling .......... 168
L2TP Tunneling .......... 168
Deep Inspection .......... 169
Placement at the Top of the Policy List .......... 169
Source Address Translation .......... 169


Destination Address Translation .......... 169
User Authentication .......... 170
HA Session Backup .......... 171
Web Filtering .......... 172
Logging .......... 172
Counting .......... 172
Traffic Alarm Threshold .......... 172
Schedules .......... 172
Antivirus Scanning .......... 173
Traffic Shaping .......... 173

Policies Applied .......... 174
Viewing Policies .......... 174
Creating Policies .......... 174

Creating Interzone Policies Mail Service .......... 175
Creating an Interzone Policy Set .......... 178
Creating Intrazone Policies .......... 182
Creating a Global Policy .......... 184

Entering a Policy Context .......... 185
Multiple Items per Policy Component .......... 185
Setting Address Negation .......... 186
Modifying and Disabling Policies .......... 189
Policy Verification .......... 189
Reordering Policies .......... 190
Removing a Policy .......... 191

Chapter 7 Traffic Shaping 193

Managing Bandwidth at the Policy Level .......... 193
Setting Traffic Shaping .......... 194
Setting Service Priorities .......... 198
Setting Priority Queuing .......... 199
Ingress Policing .......... 203
Shaping Traffic on Virtual Interfaces .......... 203

Interface-Level Traffic Shaping .......... 204
Policy-Level Traffic Shaping .......... 205
Packet Flow .......... 206
Example: Route-Based VPN with Ingress Policing .......... 206
Example: Policy-Based VPN with Ingress Policing .......... 210

Traffic Shaping Using a Loopback Interface .......... 214
DSCP Marking and Shaping .......... 214

Chapter 8 System Parameters 217

Domain Name System Support .......... 217
DNS Lookup .......... 218
DNS Status Table .......... 219

Setting the DNS Server and Refresh Schedule .......... 219
Setting a DNS Refresh Interval .......... 220

Dynamic Domain Name System .......... 220
Setting Up DDNS for a DynDNS Server .......... 221
Setting Up DDNS for a DDO Server .......... 222

Proxy DNS Address Splitting .......... 222
Dynamic Host Configuration Protocol .......... 225

Configuring a DHCP Server .......... 226
Customizing DHCP Server Options .......... 230


Placing the DHCP Server in an NSRP Cluster .......... 231
DHCP Server Detection .......... 231
Enabling DHCP Server Detection .......... 232
Disabling DHCP Server Detection .......... 232

Assigning a Security Device as a DHCP Relay Agent .......... 233
Forwarding All DHCP Packets .......... 237
Configuring Next-Server-IP .......... 237

Using a Security Device as a DHCP Client .......... 238
Propagating TCP/IP Settings .......... 240
Configuring DHCP in Virtual Systems .......... 242

Setting DHCP Message Relay in Virtual Systems .......... 242
Point-to-Point Protocol over Ethernet .......... 243

Setting Up PPPoE .......... 243
Configuring PPPoE on Primary and Backup Untrust Interfaces .......... 246
Configuring Multiple PPPoE Sessions over a Single Interface .......... 247
PPPoE and High Availability .......... 250

License Keys .......... 250
Registration and Activation of Subscription Services .......... 251

Trial Service .......... 252
Updating Subscription Keys .......... 252
Adding Antivirus, Web Filtering, Anti-Spam, and Deep Inspection to an Existing or a New Device .......... 253
System Clock .......... 253

Date and Time .......... 254
Daylight Saving Time .......... 254
Time Zone .......... 254
Network Time Protocol .......... 255

Configuring Multiple NTP Servers .......... 255
Configuring a Backup NTP Server .......... 255
Maximum Time Adjustment .......... 256
NTP and NSRP .......... 256
Setting a Maximum Time Adjustment Value to an NTP Server .......... 257
Securing NTP Servers .......... 257

Index .......... IX-I

Volume 3: Administration

About This Volume vii

Document Conventions .......... vii
Web User Interface Conventions .......... vii
Command Line Interface Conventions .......... viii
Naming Conventions and Character Types .......... viii
Illustration Conventions .......... x

Technical Documentation and Support .......... xi

Chapter 1 Administration 1

Management via the Web User Interface .......... 2
WebUI Help .......... 2

Copying the Help Files to a Local Drive .......... 3
Pointing the WebUI to the New Help Location .......... 3

HyperText Transfer Protocol .......... 4


Session ID .......... 4
Secure Sockets Layer .......... 5

SSL Configuration .......... 7
Redirecting HTTP to SSL .......... 8

Management via the Command Line Interface .......... 9
Telnet .......... 9
Securing Telnet Connections .......... 10
Secure Shell .......... 11

        Client Requirements ..... 12
        Basic SSH Configuration on the Device ..... 13
        Authentication ..... 14
        SSH and Vsys ..... 16
        Host Key ..... 16
        Example: SSHv1 with PKA for Automated Logins ..... 17

    Secure Copy ..... 18
    Serial Console ..... 19
    Remote Console ..... 20

        Remote Console Using V.92 Modem Port ..... 20
        Remote Console Using an AUX Port ..... 21

    Modem Port ..... 22
Management via NetScreen-Security Manager ..... 22

    Initiating Connectivity Between NSM Agent and the MGT System ..... 23
    Enabling, Disabling, and Unsetting NSM Agent ..... 24
    Setting the Primary Server IP Address of the Management System ..... 25
    Setting Alarm and Statistics Reporting ..... 25
    Configuration Synchronization ..... 26

        Example: Viewing the Configuration State ..... 27
        Example: Retrieving the Configuration Hash ..... 27

    Retrieving the Configuration Timestamp ..... 27
Controlling Administrative Traffic ..... 28

    MGT and VLAN1 Interfaces ..... 29
        Example: Administration Through the MGT Interface ..... 29
        Example: Administration Through the VLAN1 Interface ..... 29

    Setting Administrative Interface Options ..... 30
    Setting Manage IPs for Multiple Interfaces ..... 31

Levels of Administration ..... 33
    Root Administrator ..... 33
    Read/Write Administrator ..... 34
    Read-Only Administrator ..... 34
    Virtual System Administrator ..... 34
    Virtual System Read-Only Administrator ..... 35

Defining Admin Users ..... 35
    Example: Adding a Read-Only Admin ..... 35
    Example: Modifying an Admin ..... 35
    Example: Deleting an Admin ..... 36
    Example: Configuring Admin Accounts for Dialup Connections ..... 36
    Example: Clearing an Admin's Sessions ..... 37

Securing Administrative Traffic ..... 37
    Changing the Port Number ..... 38
    Changing the Admin Login Name and Password ..... 39

        Example: Changing an Admin User's Login Name and Password ..... 40
        Example: Changing Your Own Password ..... 40
        Setting the Minimum Length of the Root Admin Password ..... 41

    Resetting the Device to the Factory Default Settings ..... 41


Concepts & Examples ScreenOS Reference Guide

    Restricting Administrative Access ..... 42
        Example: Restricting Administration to a Single Workstation ..... 42
        Example: Restricting Administration to a Subnet ..... 42
        Restricting the Root Admin to Console Access ..... 42

    VPN Tunnels for Administrative Traffic ..... 43
        Administration Through a Route-Based Manual Key VPN Tunnel ..... 44
        Administration Through a Policy-Based Manual Key VPN Tunnel ..... 47

Password Policy ..... 51
    Setting a Password Policy ..... 51
    Removing a Password Policy ..... 52
    Viewing a Password Policy ..... 52
    Recovering from a Rejected Default Admin Password ..... 52

Creating a Login Banner ..... 53

Chapter 2 Monitoring Security Devices 55

Storing Log Information ..... 55
Event Log ..... 56

    Viewing the Event Log by Severity Level and Keyword ..... 57
    Sorting and Filtering the Event Log ..... 58
    Downloading the Event Log ..... 59

        Example: Downloading the Entire Event Log ..... 59
        Example: Downloading the Event Log for Critical Events ..... 60

Traffic Log ..... 60
    Viewing the Traffic Log ..... 61

        Example: Viewing Traffic Log Entries ..... 61
        Sorting and Filtering the Traffic Log ..... 63
        Example: Sorting the Traffic Log by Time ..... 63

    Downloading the Traffic Log ..... 63
    Removing the Reason for Close Field ..... 64

Self Log ..... 66
    Viewing the Self Log ..... 66

        Sorting and Filtering the Self Log ..... 66
        Example: Filtering the Self Log by Time ..... 67

    Downloading the Self Log ..... 67
Downloading the Asset Recovery Log ..... 68
Traffic Alarms ..... 68

    Example: Policy-Based Intrusion Detection ..... 69
    Example: Compromised System Notification ..... 70
    Example: Sending E-mail Alerts ..... 71

Syslog ..... 71
    Example: Enabling Multiple Syslog Servers ..... 72
    Enabling WebTrends for Notification Events ..... 73

Simple Network Management Protocol ..... 73
    Implementation Overview ..... 76
    Defining a Read/Write SNMP Community ..... 77

VPN Tunnels for Self-Initiated Traffic ..... 78
    Example: Self-Generated Traffic Through a Route-Based Tunnel ..... 79
    Example: Self-Generated Traffic Through a Policy-Based Tunnel ..... 86

Viewing Screen Counters ..... 92


Index ..... IX-I

Volume 4: Attack Detection and Defense Mechanisms

About This Volume ix

Document Conventions ..... x
    Web User Interface Conventions ..... x
    Command Line Interface Conventions ..... x
    Naming Conventions and Character Types ..... xi
    Illustration Conventions ..... xii

Technical Documentation and Support ..... xiii

Chapter 1 Protecting a Network 1

Stages of an Attack ..... 2
Detection and Defense Mechanisms ..... 2
Exploit Monitoring ..... 5

    Example: Monitoring Attacks from the Untrust Zone ..... 5

Chapter 2 Reconnaissance Deterrence 7

IP Address Sweep ..... 8
Port Scanning ..... 9
Network Reconnaissance Using IP Options ..... 10
Operating System Probes ..... 12

    SYN and FIN Flags Set ..... 12
    FIN Flag Without ACK Flag ..... 13
    TCP Header Without Flags Set ..... 14

Evasion Techniques ..... 15
    FIN Scan ..... 15
    Non-SYN Flags ..... 15
    IP Spoofing ..... 18

        Example: L3 IP Spoof Protection ..... 20
        Example: L2 IP Spoof Protection ..... 22

    IP Source Route Options ..... 23

Chapter 3 Denial-of-Service Attack Defenses 27

Firewall DoS Attacks ..... 28
    Session Table Flood ..... 28

        Source-Based and Destination-Based Session Limits ..... 28
        Example: Source-Based Session Limiting ..... 29
        Example: Destination-Based Session Limiting ..... 30
        Aggressive Aging ..... 30
        Example: Aggressively Aging Out Sessions ..... 32

    SYN-ACK-ACK Proxy Flood ..... 32
Network DoS Attacks ..... 34

    SYN Flood ..... 34
        Example: SYN Flood Protection ..... 40

    SYN Cookie ..... 44
    ICMP Flood ..... 46
    UDP Flood ..... 47
    Land Attack ..... 48

OS-Specific DoS Attacks ..... 49


    Ping of Death ..... 49
    Teardrop Attack ..... 50
    WinNuke ..... 51

Chapter 4 Content Monitoring and Filtering 53

Fragment Reassembly ..... 54
    Malicious URL Protection ..... 54
    Application Layer Gateway ..... 55

        Example: Blocking Malicious URLs in Packet Fragments ..... 56
Antivirus Scanning ..... 58

    External AV Scanning ..... 58
        Scanning Modes ..... 60
        Load-Balancing ICAP Scan Servers ..... 60

    Internal AV Scanning ..... 61
    AV Scanning of IM Traffic ..... 63

        IM Clients ..... 63
        IM Server ..... 64
        IM Protocols ..... 64
        Instant Messaging Security Issues ..... 65
        IM Security Issues ..... 65
        Scanning Chat Messages ..... 65
        Scanning File Transfers ..... 66

    AV Scanning Results ..... 67
    Policy-Based AV Scanning ..... 68
    Scanning Application Protocols ..... 69

        Scanning FTP Traffic ..... 70
        Scanning HTTP Traffic ..... 71
        Scanning IMAP and POP3 Traffic ..... 73
        Scanning SMTP Traffic ..... 74
        Redirecting Traffic to ICAP AV Scan Servers ..... 76

    Updating the AV Pattern Files for the Embedded Scanner ..... 78
        Subscribing to the AV Signature Service ..... 78
        Updating AV Patterns ..... 79

    AV Scanner Global Settings ..... 80
        AV Resource Allotment ..... 81
        Fail-Mode Behavior ..... 81
        Maximum Content Size and Maximum Messages (Internal AV Only) ..... 82
        HTTP Keep-Alive ..... 83
        HTTP Trickling (Internal AV Only) ..... 84

    AV Profiles ..... 86
        Assigning an AV Profile to a Firewall Policy ..... 87
        Initiating an AV Profile for Internal AV ..... 87
        Example: (Internal AV) Scanning for All Traffic Types ..... 88
        Example: AV Scanning for SMTP and HTTP Traffic Only ..... 88
        AV Profile Settings ..... 89

Anti-Spam Filtering ..... 93
    Black Lists and White Lists ..... 93
    Basic Configuration ..... 94

        Filtering Spam Traffic ..... 94
        Dropping Spam Messages ..... 94

    Defining a Black List ..... 95
    Defining a White List ..... 95
    Defining a Default Action ..... 95
    Enabling a Spam-Blocking List Server ..... 96


    Testing Anti-Spam ..... 96
Web Filtering ..... 97

    Using the CLI to Initiate Web-Filtering Modes ..... 97
    Integrated Web Filtering ..... 98

        SurfControl Servers ..... 99
        Web-Filtering Cache ..... 99
        Configuring Integrated Web Filtering ..... 100
        Example: Integrated Web Filtering ..... 105

    Redirect Web Filtering ..... 107
        Virtual System Support ..... 108
        Configuring Redirect Web Filtering ..... 109
        Example: Redirect Web Filtering ..... 112

Chapter 5 Deep Inspection 115

Overview ..... 116
Attack Object Database Server ..... 120

    Predefined Signature Packs ..... 120
    Updating Signature Packs ..... 121

        Before You Start Updating Attack Objects ..... 122
        Immediate Update ..... 122
        Automatic Update ..... 123
        Automatic Notification and Immediate Update ..... 124
        Manual Update ..... 125

Attack Objects and Groups ..... 127
    Supported Protocols ..... 129
    Stateful Signatures ..... 132
    TCP Stream Signatures ..... 133
    Protocol Anomalies ..... 133
    Attack Object Groups ..... 134

        Changing Severity Levels ..... 134
        Example: Deep Inspection for P2P ..... 135

    Disabling Attack Objects ..... 137
Attack Actions ..... 138

    Example: Attack Actions—Close Server, Close, Close Client ..... 139
    Brute Force Attack Actions ..... 146

        Brute Force Attack Objects ..... 146
        Brute Force Attack Target ..... 147
        Brute Force Attack Timeout ..... 147
        Example 1 ..... 148
        Example 2 ..... 148
        Example 3 ..... 149

Attack Logging ..... 149
    Example: Disabling Logging per Attack Group ..... 149

Mapping Custom Services to Applications ..... 152
    Example: Mapping an Application to a Custom Service ..... 153
    Example: Application-to-Service Mapping for HTTP Attacks ..... 155

Customized Attack Objects and Groups ..... 156
    User-Defined Stateful Signature Attack Objects ..... 156

        Regular Expressions ..... 157
        Example: User-Defined Stateful Signature Attack Objects ..... 158

    TCP Stream Signature Attack Objects ..... 160
        Example: User-Defined Stream Signature Attack Object ..... 161

    Configurable Protocol Anomaly Parameters ..... 162
        Example: Modifying Parameters ..... 162


Negation ..... 163
    Example: Attack Object Negation ..... 163

Granular Blocking of HTTP Components ..... 167
    ActiveX Controls ..... 168
    Java Applets ..... 168
    EXE Files ..... 168
    ZIP Files ..... 168

        Example: Blocking Java Applets and .exe Files ..... 169

Chapter 6 Intrusion Detection and Prevention 171

IDP-Capable Security Devices ..... 172
Traffic Flow in an IDP-capable Device ..... 173
Configuring Intrusion Detection and Prevention ..... 174

    Preconfiguration Tasks ..... 174
    Example 1: Basic IDP Configuration ..... 175
    Example 2: Configuring IDP for Active–Passive Failover ..... 177
    Example 3: Configuring IDP for Active–Active Failover ..... 179

Configuring Security Policies ..... 182
    About Security Policies ..... 182
    Managing Security Policies ..... 182
    Installing Security Policies ..... 183

Using IDP Rulebases ..... 183
    Role-Based Administration of IDP Rulebases ..... 184
    Configuring Objects for IDP Rules ..... 184
    Using Security Policy Templates ..... 185

Enabling IDP in Firewall Rules ..... 185
    Enabling IDP ..... 186
    Specifying Inline or Inline Tap Mode ..... 186

Configuring IDP Rules ..... 187
    Adding the IDP Rulebase ..... 188
    Matching Traffic ..... 189

        Source and Destination Zones ..... 189
        Source and Destination Address Objects ..... 189
        Example: Setting Source and Destination ..... 190
        Example: Setting Multiple Sources and Destinations ..... 190
        Services ..... 190
        Example: Setting Default Services ..... 191
        Example: Setting Specific Services ..... 191
        Example: Setting Nonstandard Services ..... 192
        Terminal Rules ..... 193
        Example: Setting Terminal Rules ..... 193

    Defining Actions ..... 195
    Setting Attack Objects ..... 196

        Adding Attack Objects Individually ..... 196
        Adding Attack Objects by Category ..... 196
        Example: Adding Attack Objects by Service ..... 196
        Adding Attack Objects by Operating System ..... 196
        Adding Attack Objects by Severity ..... 197

    Setting IP Action ..... 197
        Choosing an IP Action ..... 198
        Choosing a Blocking Option ..... 198
        Setting Logging Options ..... 198
        Setting Timeout Options ..... 198

    Setting Notification ..... 198


        Setting Logging ..... 199
        Setting an Alert ..... 199
        Logging Packets ..... 199

    Setting Severity ..... 199
    Setting Targets ..... 200
    Entering Comments ..... 200

Configuring Exempt Rules ..... 200
    Adding the Exempt Rulebase ..... 201
    Defining a Match ..... 202

        Source and Destination Zones ..... 202
        Source and Destination Address Objects ..... 202
        Example: Exempting a Source/Destination Pair ..... 203

    Setting Attack Objects ..... 203
        Example: Exempting Specific Attack Objects ..... 203

    Setting Targets ..... 203
    Entering Comments ..... 204
    Creating an Exempt Rule from the Log Viewer ..... 204

Configuring Backdoor Rules ..... 205
    Adding the Backdoor Rulebase ..... 205
    Defining a Match ..... 206

        Source and Destination Zones ..... 206
        Source and Destination Address Objects ..... 207
        Services ..... 207

    Setting the Operation ..... 207
    Setting Actions ..... 207
    Setting Notification ..... 208

        Setting Logging ..... 208
        Setting an Alert ..... 208
        Logging Packets ..... 208

    Setting Severity ..... 209
    Setting Targets ..... 209
    Entering Comments ..... 209

Configuring IDP Attack Objects ..... 209
    About IDP Attack Object Types ..... 209

        Signature Attack Objects ..... 210
        Protocol Anomaly Attack Objects ..... 210
        Compound Attack Objects ..... 210

Viewing Predefined IDP Attack Objects and Groups ..............................210Viewing Predefined Attacks.............................................................211Viewing Predefined Groups .............................................................211

Creating Custom IDP Attack Objects......................................................212Creating a Signature Attack Object..................................................214Creating a Protocol Anomaly Attack................................................219Creating a Compound Attack ..........................................................220Editing a Custom Attack Object.......................................................222Deleting a Custom Attack Object.....................................................222

Creating Custom IDP Attack Groups ......................................................223Configuring Static Groups................................................................223Configuring Dynamic Groups ..........................................................224Example: Creating a Dynamic Group ..............................................225Updating Dynamic Groups ..............................................................226Editing a Custom Attack Group .......................................................227Deleting a Custom Attack Group .....................................................227

Configuring the Device as a Standalone IDP Device .....................................227

Enabling IDP ... 227
Example: Configuring a Firewall Rule for Standalone IDP ... 228

Configuring Role-Based Administration ... 228
Example: Configuring an IDP-Only Administrator ... 229

Managing IDP ... 230
About Attack Database Updates ... 230
Downloading Attack Database Updates ... 230

Using Updated Attack Objects ... 231
Updating the IDP Engine ... 231

Viewing IDP Logs ... 233

Chapter 7 Suspicious Packet Attributes 235

ICMP Fragments ... 236
Large ICMP Packets ... 237
Bad IP Options ... 238
Unknown Protocols ... 239
IP Packet Fragments ... 240
SYN Fragments ... 241

Appendix A Contexts for User-Defined Signatures A-I

Index ... IX-I

Volume 5: Virtual Private Networks

About This Volume vii

Document Conventions ... viii
Web User Interface Conventions ... viii
Command Line Interface Conventions ... viii
Naming Conventions and Character Types ... ix
Illustration Conventions ... x

Technical Documentation and Support ... xi

Chapter 1 Internet Protocol Security 1

Introduction to Virtual Private Networks ... 2
IPSec Concepts ... 3

Modes ... 4
Transport Mode ... 4
Tunnel Mode ... 4

Protocols ... 5
Authentication Header ... 6
Encapsulating Security Payload ... 6

Key Management ... 7
Manual Key ... 7
AutoKey IKE ... 7

Security Associations ... 8
Tunnel Negotiation ... 8

Phase 1 ... 9
Main and Aggressive Modes ... 9
Diffie-Hellman Exchange ... 10

Phase 2 ... 11

Perfect Forward Secrecy ... 11
Replay Protection ... 12

IKE and IPSec Packets ... 12
IKE Packets ... 12
IPSec Packets ... 15

Chapter 2 Public Key Cryptography 19

Introduction to Public Key Cryptography ... 20
Signing a Certificate ... 20
Verifying a Digital Signature ... 20

Public Key Infrastructure ... 22
Certificates and CRLs ... 24

Requesting a Certificate Manually ... 26
Loading Certificates and Certificate Revocation Lists ... 28
Configuring CRL Settings ... 29
Obtaining a Local Certificate Automatically ... 30
Automatic Certificate Renewal ... 33
Key-Pair Generation ... 34

Online Certificate Status Protocol ... 34
Specifying a Certificate Revocation Check Method ... 35
Viewing Status Check Attributes ... 36
Specifying an Online Certificate Status Protocol Responder URL ... 36
Removing Status Check Attributes ... 36

Self-Signed Certificates ... 37
Certificate Validation ... 38
Manually Creating Self-Signed Certificates ... 39
Setting an Admin-Defined Self-Signed Certificate ... 40
Certificate Auto-Generation ... 44
Deleting Self-Signed Certificates ... 45

Chapter 3 Virtual Private Network Guidelines 47

Cryptographic Options ... 48
Site-to-Site Cryptographic Options ... 48
Dialup VPN Options ... 55

Route-Based and Policy-Based Tunnels ... 62
Packet Flow: Site-to-Site VPN ... 63
Tunnel Configuration Guidelines ... 69
Route-Based Virtual Private Network Security Considerations ... 71

Null Route ... 71
Dialup or Leased Line ... 73
VPN Failover to Leased Line or Null Route ... 74
Decoy Tunnel Interface ... 76
Virtual Router for Tunnel Interfaces ... 77
Reroute to Another Tunnel ... 77

Chapter 4 Site-to-Site Virtual Private Networks 79

Site-to-Site VPN Configurations ... 80
Route-Based Site-to-Site VPN, AutoKey IKE ... 86
Policy-Based Site-to-Site VPN, AutoKey IKE ... 95
Route-Based Site-to-Site VPN, Dynamic Peer ... 101
Policy-Based Site-to-Site VPN, Dynamic Peer ... 109
Route-Based Site-to-Site VPN, Manual Key ... 118
Policy-Based Site-to-Site VPN, Manual Key ... 124

Dynamic IKE Gateways Using FQDN ... 129
Aliases ... 130
Setting AutoKey IKE Peer with FQDN ... 131

VPN Sites with Overlapping Addresses ... 140
Transparent Mode VPN ... 151

Chapter 5 Dialup Virtual Private Networks 159

Dialup ... 160
Policy-Based Dialup VPN, AutoKey IKE ... 160
Route-Based Dialup VPN, Dynamic Peer ... 166
Policy-Based Dialup VPN, Dynamic Peer ... 173
Bidirectional Policies for Dialup VPN Users ... 178

Group IKE ID ... 183
Group IKE ID with Certificates ... 183
Wildcard and Container ASN1-DN IKE ID Types ... 185
Creating a Group IKE ID (Certificates) ... 187
Setting a Group IKE ID with Preshared Keys ... 192

Shared IKE ID ... 198

Chapter 6 Layer 2 Tunneling Protocol 205

Introduction to L2TP ... 205
Packet Encapsulation and Decapsulation ... 208

Encapsulation ... 208
Decapsulation ... 209

Setting L2TP Parameters ... 211
L2TP and L2TP-over-IPSec ... 213

Configuring L2TP ... 213
Configuring L2TP-over-IPSec ... 218
Bidirectional L2TP-over-IPSec ... 225

Chapter 7 Advanced Virtual Private Network Features 231

NAT-Traversal ... 232
Probing for NAT ... 233
Traversing a NAT Device ... 235
UDP Checksum ... 237
Keepalive Packets ... 237
Initiator/Responder Symmetry ... 237
Enabling NAT-Traversal ... 239
Using IKE IDs with NAT-Traversal ... 239

VPN Monitoring ... 241
Rekey and Optimization Options ... 242
Source Interface and Destination Address ... 243
Policy Considerations ... 244
Configuring the VPN Monitoring Feature ... 244
SNMP VPN Monitoring Objects and Traps ... 252

Multiple Tunnels per Tunnel Interface ... 254
Route-to-Tunnel Mapping ... 255
Remote Peers’ Addresses ... 256
Manual and Automatic Table Entries ... 257

Manual Table Entries ... 257
Automatic Table Entries ... 257
Setting VPNs on a Tunnel Interface to Overlapping Subnets ... 259
Binding Automatic Route and NHTB Table Entries ... 278

Using OSPF for Automatic Route Table Entries ... 290
Redundant VPN Gateways ... 291

VPN Groups ... 292
Monitoring Mechanisms ... 293

IKE Heartbeats ... 294
Dead Peer Detection ... 294
IKE Recovery Procedure ... 295

TCP SYN-Flag Checking ... 297
Creating Redundant VPN Gateways ... 298

Creating Back-to-Back VPNs ... 304
Creating Hub-and-Spoke VPNs ... 311

Chapter 8 AutoConnect-Virtual Private Networks 321

Overview ... 321
How It Works ... 321

NHRP Messages ... 322
AC-VPN Tunnel Initiation ... 323
Configuring AC-VPN ... 324

Network Address Translation ... 324
Configuration on the Hub ... 324
Configuration on each Spoke ... 325

Example ... 326

Index ... IX-I

Volume 6: Voice-over-Internet Protocol

About This Volume v

Document Conventions ... vi
Web User Interface Conventions ... vi
Command Line Interface Conventions ... vi
Naming Conventions and Character Types ... vii
Illustration Conventions ... viii

Technical Documentation and Support ... ix

Chapter 1 H.323 Application Layer Gateway 1

Overview ... 1
Examples ... 2

Example: Gatekeeper in the Trust Zone ... 2
Example: Gatekeeper in the Untrust Zone ... 3
Example: Outgoing Calls with NAT ... 4
Example: Incoming Calls with NAT ... 7
Example: Gatekeeper in the Untrust Zone with NAT ... 10

Chapter 2 Session Initiation Protocol Application Layer Gateway 13

Overview ... 13
SIP Request Methods ... 14
Classes of SIP Responses ... 16
SIP Application Layer Gateway ... 17
Session Description Protocol Sessions ... 18
Pinhole Creation ... 19

Session Inactivity Timeout ... 20
SIP Attack Protection ... 21

Example: SIP Protect Deny ... 21
Example: Signaling-Inactivity and Media-Inactivity Timeouts ... 22
Example: UDP Flooding Protection ... 22
Example: SIP Connection Maximum ... 23

SIP with Network Address Translation ... 23
Outgoing Calls ... 24
Incoming Calls ... 24
Forwarded Calls ... 25
Call Termination ... 25
Call Re-INVITE Messages ... 25
Call Session Timers ... 25
Call Cancellation ... 25
Forking ... 26
SIP Messages ... 26
SIP Headers ... 26
SIP Body ... 28
SIP NAT Scenario ... 28

Examples ... 30
Incoming SIP Call Support Using the SIP Registrar ... 31

Example: Incoming Call (Interface DIP) ... 32
Example: Incoming Call (DIP Pool) ... 35
Example: Incoming Call with MIP ... 37
Example: Proxy in the Private Zone ... 39
Example: Proxy in the Public Zone ... 42
Example: Three-Zone, Proxy in the DMZ ... 44
Example: Untrust Intrazone ... 47
Example: Trust Intrazone ... 51
Example: Full-Mesh VPN for SIP ... 53

Bandwidth Management for VoIP Services ... 62

Chapter 3 Media Gateway Control Protocol Application Layer Gateway 65

Overview ... 65
MGCP Security ... 66
About MGCP ... 66

Entities in MGCP ... 66
Endpoint ... 67
Connection ... 67
Call ... 67
Call Agent ... 67

Commands ... 68
Response Codes ... 70

Examples ... 71
Media Gateway in Subscribers’ Homes—Call Agent at the ISP ... 71
ISP-Hosted Service ... 74

Chapter 4 Skinny Client Control Protocol Application Layer Gateway 79

Overview ... 79
SCCP Security ... 80
About SCCP ... 81

SCCP Components ... 81
SCCP Client ... 81

Call Manager ... 81
Cluster ... 81

SCCP Transactions ... 82
Client Initialization ... 82
Client Registration ... 82
Call Setup ... 83
Media Setup ... 83

SCCP Control Messages and RTP Flow ... 84
SCCP Messages ... 85

Examples ... 85
Example: Call Manager/TFTP Server in the Trust Zone ... 86
Example: Call Manager/TFTP Server in the Untrust Zone ... 88
Example: Three-Zone, Call Manager/TFTP Server in the DMZ ... 90
Example: Intrazone, Call Manager/TFTP Server in Trust Zone ... 93
Example: Intrazone, Call Manager/TFTP Server in Untrust Zone ... 97
Example: Full-Mesh VPN for SCCP ... 99

Index ... IX-I

Volume 7: Routing

About This Volume ix

Document Conventions ... x
Web User Interface Conventions ... x
Command Line Interface Conventions ... x
Naming Conventions and Character Types ... xi
Illustration Conventions ... xii

Technical Documentation and Support ... xiii

Chapter 1 Static Routing 1

Overview ... 2
How Static Routing Works ... 2
When to Configure Static Routes ... 3
Configuring Static Routes ... 5

Setting Static Routes ... 5
Setting a Static Route for a Tunnel Interface ... 9

Enabling Gateway Tracking ... 10
Forwarding Traffic to the Null Interface ... 11

Preventing Route Lookup in Other Routing Tables ... 11
Preventing Tunnel Traffic from Being Sent on Non-Tunnel Interfaces ... 11
Preventing Loops Created by Summarized Routes ... 11

Permanently Active Routes ... 12
Changing Routing Preference with Equal Cost Multipath ... 12

Chapter 2 Routing 13

Overview ... 14
Virtual Router Routing Tables ... 15

Destination-Based Routing Table ... 16
Source-Based Routing Table ... 17
Source Interface-Based Routing Table ... 19

Creating and Modifying Virtual Routers ... 21

Modifying Virtual Routers ... 21
Assigning a Virtual Router ID ... 22
Forwarding Traffic Between Virtual Routers ... 23
Configuring Two Virtual Routers ... 23
Creating and Deleting Virtual Routers ... 25

Creating a Custom Virtual Router ... 26
Deleting a Custom Virtual Router ... 26

Virtual Routers and Virtual Systems ... 26
Creating a Virtual Router in a Vsys ... 27
Sharing Routes Between Virtual Routers ... 28

Limiting the Number of Routing Table Entries ... 29
Routing Features and Examples ... 30

Route Selection ... 30
Setting a Route Preference ... 30
Route Metrics ... 31
Changing the Default Route Lookup Sequence ... 32
Route Lookup in Multiple Virtual Routers ... 34

Configuring Equal Cost Multipath Routing ... 35
Route Redistribution ... 37

Configuring a Route Map ... 38
Route Filtering ... 39
Configuring an Access List ... 40
Redistributing Routes into OSPF ... 40

Exporting and Importing Routes Between Virtual Routers ... 42
Configuring an Export Rule ... 42
Configuring Automatic Export ... 43

Chapter 3 Open Shortest Path First 45

Overview ... 46
Areas ... 46
Router Classification ... 47
Hello Protocol ... 47
Network Types ... 48

Broadcast Networks ... 48
Point-to-Point Networks ... 48
Point-to-Multipoint Networks ... 48

Link-State Advertisements ... 49
Basic OSPF Configuration ... 49

Creating and Removing an OSPF Routing Instance ... 50
Creating an OSPF Instance ... 50
Removing an OSPF Instance ... 51

Creating and Deleting an OSPF Area ... 51
Creating an OSPF Area ... 52
Deleting an OSPF Area ... 52

Assigning Interfaces to an OSPF Area ... 53
Assigning Interfaces to Areas ... 53
Configuring an Area Range ... 53

Enabling OSPF on Interfaces ... 54
Enabling OSPF on Interfaces ... 54
Disabling OSPF on an Interface ... 54

Verifying the Configuration ... 55
Redistributing Routes into Routing Protocols ... 56
Summarizing Redistributed Routes ... 57

Summarizing Redistributed Routes ... 58


Global OSPF Parameters ... 58
  Advertising the Default Route ... 59
  Virtual Links ... 59
    Creating a Virtual Link ... 60
    Creating an Automatic Virtual Link ... 61
Setting OSPF Interface Parameters ... 62
Security Configuration ... 64
  Authenticating Neighbors ... 64
    Configuring a Clear-Text Password ... 64
    Configuring an MD5 Password ... 64
  Configuring an OSPF Neighbor List ... 65
  Rejecting Default Routes ... 66
  Protecting Against Flooding ... 66
    Configuring the Hello Threshold ... 66
    Configuring the LSA Threshold ... 67
    Enabling Reduced Flooding ... 67
Creating an OSPF Demand Circuit on a Tunnel Interface ... 67
Point-to-Multipoint Tunnel Interface ... 68
  Setting the OSPF Link-Type ... 68
  Disabling the Route-Deny Restriction ... 69
  Creating a Point-to-Multipoint Network ... 69

Chapter 4  Routing Information Protocol ... 73

Overview ... 74
Basic RIP Configuration ... 75
  Creating and Deleting a RIP Instance ... 76
    Creating a RIP Instance ... 76
    Deleting a RIP Instance ... 76
  Enabling and Disabling RIP on Interfaces ... 77
    Enabling RIP on an Interface ... 77
    Disabling RIP on an Interface ... 77
  Redistributing Routes ... 77
Viewing RIP Information ... 79
  Viewing the RIP Database ... 79
  Viewing RIP Details ... 80
  Viewing RIP Neighbor Information ... 81
  Viewing RIP Details for a Specific Interface ... 82
Global RIP Parameters ... 83
Advertising the Default Route ... 84
Configuring RIP Interface Parameters ... 85
Security Configuration ... 86
  Authenticating Neighbors by Setting a Password ... 86
  Configuring Trusted Neighbors ... 87
  Rejecting Default Routes ... 88
  Protecting Against Flooding ... 88
    Configuring an Update Threshold ... 89
    Enabling RIP on Tunnel Interfaces ... 89
Optional RIP Configurations ... 90
  Setting the RIP Version ... 90
  Enabling and Disabling a Prefix Summary ... 92
    Enabling a Prefix Summary ... 92
    Disabling a Prefix Summary ... 93
  Setting Alternate Routes ... 93
  Demand Circuits on Tunnel Interfaces ... 94


    Configuring a Static Neighbor ... 96
  Configuring a Point-to-Multipoint Tunnel Interface ... 97

Chapter 5  Border Gateway Protocol ... 103

Overview ... 104
  Types of BGP Messages ... 104
  Path Attributes ... 105
  External and Internal BGP ... 105
Basic BGP Configuration ... 106
  Creating and Enabling a BGP Instance ... 107
    Creating a BGP Routing Instance ... 107
    Removing a BGP Instance ... 108
  Enabling and Disabling BGP on Interfaces ... 108
    Enabling BGP on Interfaces ... 108
    Disabling BGP on Interfaces ... 108
  Configuring BGP Peers and Peer Groups ... 109
    Configuring a BGP Peer ... 110
    Configuring an IBGP Peer Group ... 110
  Verifying the BGP Configuration ... 112
Security Configuration ... 113
  Authenticating BGP Neighbors ... 113
  Rejecting Default Routes ... 114
Optional BGP Configurations ... 115
  Redistributing Routes into BGP ... 116
  Configuring an AS-Path Access List ... 116
  Adding Routes to BGP ... 117
    Conditional Route Advertisement ... 118
    Setting the Route Weight ... 118
    Setting Route Attributes ... 119
  Route-Refresh Capability ... 119
    Requesting an Inbound Routing Table Update ... 120
    Requesting an Outbound Routing Table Update ... 120
  Configuring Route Reflection ... 120
  Configuring a Confederation ... 122
  BGP Communities ... 124
  Route Aggregation ... 125
    Aggregating Routes with Different AS-Paths ... 125
    Suppressing More-Specific Routes in Updates ... 126
    Selecting Routes for Path Attribute ... 127
    Changing Attributes of an Aggregated Route ... 128

Chapter 6  Policy-Based Routing ... 129

Policy-Based Routing Overview ... 130
  Extended Access-Lists ... 130
  Match Groups ... 130
  Action Groups ... 131
Route Lookup with Policy-Based Routing ... 132
Configuring Policy-Based Routing ... 132
  Configuring an Extended Access List ... 133
  Configuring a Match Group ... 134
  Configuring an Action Group ... 135
  Configuring a PBR Policy ... 136
  Binding a Policy-Based Routing Policy ... 136


    Binding a Policy-Based Routing Policy to an Interface ... 136
    Binding a Policy-Based Routing Policy to a Zone ... 136
    Binding a Policy-Based Routing Policy to a Virtual Router ... 137
Viewing Policy-Based Routing Output ... 137
  Viewing an Extended Access List ... 137
  Viewing a Match Group ... 138
  Viewing an Action Group ... 138
  Viewing a Policy-Based Routing Policy Configuration ... 139
  Viewing a Complete Policy-Based Routing Configuration ... 139
Advanced PBR Example ... 140
  Routing ... 141
  PBR Elements ... 142
    Extended Access Lists ... 143
    Match Groups ... 143
    Action Group ... 143
    PBR Policies ... 144
  Interface Binding ... 144
Advanced PBR with High Availability and Scalability ... 145
  Resilient PBR Solution ... 145
  Scalable PBR Solution ... 145

Chapter 7  Multicast Routing ... 147

Overview ... 147
  Multicast Addresses ... 148
  Reverse Path Forwarding ... 148
Multicast Routing on Security Devices ... 149
  Multicast Routing Table ... 149
  Configuring a Static Multicast Route ... 150
  Access Lists ... 151
  Configuring Generic Routing Encapsulation on Tunnel Interfaces ... 151
Multicast Policies ... 153

Chapter 8  Internet Group Management Protocol ... 155

Overview ... 156
  Hosts ... 156
  Multicast Routers ... 157
IGMP on Security Devices ... 157
  Enabling and Disabling IGMP on Interfaces ... 157
    Enabling IGMP on an Interface ... 158
    Disabling IGMP on an Interface ... 158
  Configuring an Access List for Accepted Groups ... 158
  Configuring IGMP ... 159
  Verifying an IGMP Configuration ... 161
  IGMP Operational Parameters ... 162
IGMP Proxy ... 163
  Membership Reports Upstream to the Source ... 164
  Multicast Data Downstream to Receivers ... 165
  Configuring IGMP Proxy ... 166
  Configuring IGMP Proxy on an Interface ... 166
  Multicast Policies for IGMP and IGMP Proxy Configurations ... 168
    Creating a Multicast Group Policy for IGMP ... 168
    Creating an IGMP Proxy Configuration ... 168
  Setting Up an IGMP Sender Proxy ... 175


Chapter 9  Protocol Independent Multicast ... 181

Overview ... 182
  PIM-SM ... 183
    Multicast Distribution Trees ... 183
    Designated Router ... 184
    Mapping Rendezvous Points to Groups ... 184
    Forwarding Traffic on the Distribution Tree ... 185
  PIM-SSM ... 187
Configuring PIM-SM on Security Devices ... 187
  Enabling and Deleting a PIM-SM Instance for a VR ... 188
    Enabling PIM-SM Instance ... 188
    Deleting a PIM-SM Instance ... 188
  Enabling and Disabling PIM-SM on Interfaces ... 188
    Enabling PIM-SM on an Interface ... 189
    Disabling PIM-SM on an Interface ... 189
  Multicast Group Policies ... 189
    Static-RP-BSR Messages ... 189
    Join-Prune Messages ... 190
    Defining a Multicast Group Policy for PIM-SM ... 190
Setting a Basic PIM-SM Configuration ... 191
Verifying the Configuration ... 195
Configuring Rendezvous Points ... 197
  Configuring a Static Rendezvous Point ... 197
  Configuring a Candidate Rendezvous Point ... 198
Security Considerations ... 199
  Restricting Multicast Groups ... 199
  Restricting Multicast Sources ... 200
  Restricting Rendezvous Points ... 201
PIM-SM Interface Parameters ... 202
  Defining a Neighbor Policy ... 202
  Defining a Bootstrap Border ... 203
Configuring a Proxy Rendezvous Point ... 204
PIM-SM and IGMPv3 ... 213

Chapter 10  ICMP Router Discovery Protocol ... 215

Overview ... 215
Configuring ICMP Router Discovery Protocol ... 216
  Enabling ICMP Router Discovery Protocol ... 216
  Configuring ICMP Router Discovery Protocol from the WebUI ... 216
  Configuring ICMP Router Discovery Protocol from the CLI ... 217
    Advertising an Interface ... 217
    Broadcasting the Address ... 217
    Setting a Maximum Advertisement Interval ... 217
    Setting a Minimum Advertisement Interval ... 217
    Setting an Advertisement Lifetime Value ... 218
    Setting a Response Delay ... 218
    Setting an Initial Advertisement Interval ... 218
    Setting a Number of Initial Advertisement Packets ... 218
Disabling IRDP ... 219
Viewing IRDP Settings ... 219


Index ... IX-I

Volume 8: Address Translation

About This Volume ... v

Document Conventions ... vi
  Web User Interface Conventions ... vi
  Command Line Interface Conventions ... vi
  Naming Conventions and Character Types ... vii
  Illustration Conventions ... viii
Technical Documentation and Support ... ix

Chapter 1  Address Translation ... 1

Introduction to Address Translation ... 1
  Source Network Address Translation ... 1
  Destination Network Address Translation ... 3
    Policy-Based NAT-Dst ... 4
    Mapped IP ... 6
    Virtual IP ... 6
Policy-Based Translation Options ... 7
  Example: NAT-Src from a DIP Pool with PAT ... 7
  Example: NAT-Src From a DIP Pool Without PAT ... 7
  Example: NAT-Src from a DIP Pool with Address Shifting ... 8
  Example: NAT-Src from the Egress Interface IP Address ... 8
  Example: NAT-Dst to a Single IP Address with Port Mapping ... 8
  Example: NAT-Dst to a Single IP Address Without Port Mapping ... 9
  Example: NAT-Dst from an IP Address Range to a Single IP Address ... 9
  Example: NAT-Dst Between IP Address Ranges ... 10
Directional Nature of NAT-Src and NAT-Dst ... 10

Chapter 2  Source Network Address Translation ... 13

Introduction to NAT-Src ... 13
NAT-Src from a DIP Pool with PAT Enabled ... 15
  Example: NAT-Src with PAT Enabled ... 15
NAT-Src from a DIP Pool with PAT Disabled ... 18
  Example: NAT-Src with PAT Disabled ... 18
NAT-Src from a DIP Pool with Address Shifting ... 20
  Example: NAT-Src with Address Shifting ... 21
NAT-Src from the Egress Interface IP Address ... 24
  Example: NAT-Src Without DIP ... 24

Chapter 3  Destination Network Address Translation ... 27

Introduction to NAT-Dst ... 28
  Packet Flow for NAT-Dst ... 29
  Routing for NAT-Dst ... 32
    Example: Addresses Connected to One Interface ... 33
    Example: Addresses Connected to One Interface But Separated by a Router ... 34
    Example: Addresses Separated by an Interface ... 34
NAT-Dst—One-to-One Mapping ... 35
  Example: One-to-One Destination Translation ... 36


  Translating from One Address to Multiple Addresses ... 38
    Example: One-to-Many Destination Translation ... 38
NAT-Dst—Many-to-One Mapping ... 41
  Example: Many-to-One Destination Translation ... 41
NAT-Dst—Many-to-Many Mapping ... 44
  Example: Many-to-Many Destination Translation ... 45
NAT-Dst with Port Mapping ... 47
  Example: NAT-Dst with Port Mapping ... 47
NAT-Src and NAT-Dst in the Same Policy ... 50
  Example: NAT-Src and NAT-Dst Combined ... 50

Chapter 4  Mapped and Virtual Addresses ... 63

Mapped IP Addresses ... 63
  MIP and the Global Zone ... 64
    Example: MIP on an Untrust Zone Interface ... 65
    Example: Reaching a MIP from Different Zones ... 67
    Example: Adding a MIP to a Tunnel Interface ... 70
  MIP-Same-as-Untrust ... 70
    Example: MIP on the Untrust Interface ... 71
  MIP and the Loopback Interface ... 73
    Example: MIP for Two Tunnel Interfaces ... 74
  MIP Grouping ... 79
    Example: MIP Grouping with Multi-Cell Policy ... 79
Virtual IP Addresses ... 80
  VIP and the Global Zone ... 82
    Example: Configuring Virtual IP Servers ... 82
    Example: Editing a VIP Configuration ... 84
    Example: Removing a VIP Configuration ... 84
    Example: VIP with Custom and Multiple-Port Services ... 85

Index ... IX-I

Volume 9: User Authentication

About This Guide ... vii

Document Conventions ... viii
  Web User Interface Conventions ... viii
  Command Line Interface Conventions ... viii
  Naming Conventions and Character Types ... ix
  Illustration Conventions ... x
Technical Documentation and Support ... xi

Chapter 1  Authentication ... 1

User Authentication Types ... 1
Admin Users ... 2
Multiple-Type Users ... 4
Group Expressions ... 5
  Example: Group Expressions (AND) ... 6
  Example: Group Expressions (OR) ... 8
  Example: Group Expressions (NOT) ... 9
Banner Customization ... 10


Example: Customizing a WebAuth Banner ..............................................10Login Banner..................................................................................................10

Example: Creating a Login Banner...........................................................11

Chapter 2 Authentication Servers 13

Authentication Server Types ..........................................................................13Local Database...............................................................................................15

Example: Local Database Timeout...........................................................16External Authentication Servers .....................................................................17

Auth Server Object Properties..................................................................18Auth Server Types..........................................................................................19

Remote Authentication Dial-In User Service ............................................19RADIUS Auth Server Object Properties..............................................20Supported User Types and Features ..................................................20RADIUS Dictionary File .....................................................................21RADIUS Access Challenge .................................................................22Supported RADIUS Enhancements for Auth and XAuth Users...........24

SecurID....................................................................................................27SecurID Auth Server Object Properties..............................................28Supported User Types and Features ..................................................28

Lightweight Directory Access Protocol .....................................................29LDAP Auth Server Object Properties .................................................30Supported User Types and Features ..................................................30

Terminal Access Control Access Control System Plus (TACACS+)...........30TACACS+Server Object Properties ...................................................32

Prioritizing Admin Authentication ........................ 32
Defining Auth Server Objects ........................ 33

Example: RADIUS Auth Server ........................ 33
Example: SecurID Auth Server ........................ 35
Example: LDAP Auth Server ........................ 36
Example: TACACS+ Auth Server ........................ 38

Defining Default Auth Servers ........................ 39
Example: Changing Default Auth Servers ........................ 39

Chapter 3 Infranet Authentication 41

Unified Access Control Solution ........................ 42
How the Firewall Works with the Infranet Controller ........................ 43
Configuring for Infranet Authentication ........................ 44

Chapter 4 Authentication Users 45

Referencing Auth Users in Policies ........................ 46
Run-Time Authentication ........................ 46
Pre-Policy Check Authentication (WebAuth) ........................ 47

Referencing Auth User Groups in Policies ........................ 48
Example: Run-Time Authentication (Local User) ........................ 49
Example: Run-Time Authentication (Local User Group) ........................ 50
Example: Run-Time Authentication (External User) ........................ 51
Example: Run-Time Authentication (External User Group) ........................ 53
Example: Local Auth User in Multiple Groups ........................ 55
Example: WebAuth (Local User Group) ........................ 58
Example: WebAuth (External User Group) ........................ 59
Example: WebAuth + SSL Only (External User Group) ........................ 61


Chapter 5 IKE, XAuth, and L2TP Users 65

IKE Users and User Groups ........................ 65
Example: Defining IKE Users ........................ 66
Example: Creating an IKE User Group ........................ 67
Referencing IKE Users in Gateways ........................ 68

XAuth Users and User Groups ........................ 68
Event Logging for IKE Mode ........................ 69
XAuth Users in IKE Negotiations ........................ 70

Example: XAuth Authentication (Local User) ........................ 71
Example: XAuth Authentication (Local User Group) ........................ 73
Example: XAuth Authentication (External User) ........................ 74
Example: XAuth Authentication (External User Group) ........................ 76
Example: XAuth Authentication and Address Assignments (Local User Group) ........................ 79
XAuth Client ........................ 83

Example: Security Device as an XAuth Client ........................ 83
L2TP Users and User Groups ........................ 84

Example: Local and External L2TP Auth Servers......................................84

Chapter 6 Extensible Authentication for Wireless and Ethernet Interfaces 89

Overview ........................ 90
Supported EAP Types ........................ 90
Enabling and Disabling 802.1X Authentication ........................ 91

Ethernet Interfaces ........................ 91
Wireless Interfaces ........................ 91

Configuring 802.1X Settings ........................ 92
Configuring 802.1X Port Control ........................ 92
Configuring 802.1X Control Mode ........................ 93
Setting the Maximum Number of Simultaneous Users ........................ 93
Configuring the Reauthentication Period ........................ 94
Enabling EAP Retransmissions ........................ 94
Configuring EAP Retransmission Count ........................ 95
Configuring EAP Retransmission Period ........................ 95
Configuring the Silent (Quiet) Period ........................ 95

Configuring Authentication Server Options ........................ 96
Specifying an Authentication Server ........................ 96

Ethernet Interfaces ........................ 96
Wireless Interfaces ........................ 97

Setting the Account Type ........................ 97
Enabling Zone Verification ........................ 98

Viewing 802.1X Information ........................ 98
Viewing 802.1X Global Configuration Information ........................ 98
Viewing 802.1X Information for an Interface ........................ 99
Viewing 802.1X Statistics ........................ 99
Viewing 802.1X Session Statistics ........................ 100
Viewing 802.1X Session Details ........................ 100

Configuration Examples ........................ 101
Configuring the Security Device with a Directly Connected Client and RADIUS Server ........................ 101
Configuring a Security Device with a Hub Between a Client and the Security Device ........................ 102
Configuring the Authentication Server with a Wireless Interface ........................ 104


Index..........................................................................................................................IX-I

Volume 10: Virtual Systems

About This Volume v

Document Conventions ........................ v
Web User Interface Conventions ........................ v
Command Line Interface Conventions ........................ vi
Naming Conventions and Character Types ........................ vi
Illustration Conventions ........................ viii

Technical Documentation and Support ........................................................... ix

Chapter 1 Virtual Systems 1

Overview ........................ 2
Vsys Objects ........................ 4

Creating a Vsys Object and Admin ........................ 4
Setting a Default Virtual Router for a Vsys ........................ 6
Binding Zones to a Shared Virtual Router ........................ 6

Logging In as a Vsys Admin ........................ 7
Virtual System Profiles ........................ 8

Vsys Session Counters ........................ 9
Vsys Session Information ........................ 9
Behavior in High-Availability Pairs ........................ 10
Creating a Vsys Profile ........................ 10
Setting Resource Limits ........................ 10
Adding Session Limits Through Vsys Profile Assignment ........................ 12
Setting a Session Override ........................ 13

Overriding a Session Limit Reached Alarm ........................ 13
Deleting a Vsys Profile ........................ 13
Viewing Vsys Settings ........................ 14

Viewing Overrides ........................ 14
Viewing a Profile ........................ 15
Viewing Session Statistics ........................ 16

Sharing and Partitioning CPU Resources ........................ 16
Configuring CPU Weight ........................ 17
Fair Mode Packet Flow ........................ 18
Returning from Fair Mode to Shared Mode ........................ 19
Enabling the CPU Limit Feature ........................ 19
Measuring CPU Use ........................ 20
Setting the Shared to Fair Mode CPU Utilization Threshold ........................ 22
Configuring a Method to Return to Shared Mode ........................ 25
Setting a Fixed Root Vsys CPU Weight ........................ 26

Vsys and Virtual Private Networks ........................ 26
Viewing Security Associations ........................ 27
Viewing IKE Cookies ........................ 27

Policy Scheduler ........................ 28
Creating a Policy Scheduler ........................ 28
Binding a Policy Schedule to a Policy ........................ 29
Viewing Policy Schedules ........................ 29
Deleting a Policy Schedule ........................ 30


Chapter 2 Traffic Sorting 31

Overview ........................ 31
Sorting Traffic ........................ 31
Sorting Through Traffic ........................ 32
Dedicated and Shared Interfaces ........................ 37

Dedicated Interfaces ........................ 37
Shared Interfaces ........................ 37

Importing and Exporting Physical Interfaces ........................ 39
Importing a Physical Interface to a Virtual System ........................ 39
Exporting a Physical Interface from a Virtual System ........................ 40

Chapter 3 VLAN-Based Traffic Classification 41

Overview ........................ 41
VLANs ........................ 42
VLANs with Vsys ........................ 42

Configuring Layer 2 Virtual Systems ........................ 43
Example 1: Configuring a Single Port ........................ 45
Example 2: Configuring Two 4-Port Aggregates with Separate Untrust Zones ........................ 49
Example 3: Configuring Two 4-Port Aggregates that Share One Untrusted Zone ........................ 55
Defining Subinterfaces and VLAN Tags ........................ 62
Communicating Between Virtual Systems ........................ 65
VLAN Retagging ........................ 68

Example:...........................................................................................69

Chapter 4 IP-Based Traffic Classification 71

Overview ........................ 71
Designating an IP Range to the Root System ........................ 72
Configuring IP-Based Traffic Classification ........................ 73

Index..........................................................................................................................IX-I

Volume 11: High Availability

About This Volume v

Document Conventions ........................ vi
Web User Interface Conventions ........................ vi
Command Line Interface Conventions ........................ vi
Naming Conventions and Character Types ........................ vii
Illustration Conventions ........................ viii

Technical Documentation and Support ........................................................... ix

Chapter 1 NetScreen Redundancy Protocol 1

High Availability Overview ........................ 1
NSRP Overview ........................ 3

NSRP Default Settings ........................ 4
NSRP-Lite ........................ 4
NSRP-Lite Default Settings ........................ 6
Basic NSRP Settings ........................ 6


Control Link Messages ........................ 6
Data Link Messages ........................ 7
Dynamic Routing Advisory ........................ 8
Dual Link Probes ........................ 8

NSRP Clusters ........................ 10
Cluster Names ........................ 11

Active/Passive Configuration ........................ 11
Active/Active Configuration ........................ 12
Active/Active Full-Mesh Configuration ........................ 14

NSRP Cluster Authentication and Encryption ........................ 15
Run-Time Objects ........................ 16
RTO Mirror Operational States ........................ 17
NSRP Cluster Synchronization ........................ 18

File Synchronization ........................ 18
Configuration Synchronization ........................ 19
Route Synchronization ........................ 19
Run-Time Object Synchronization ........................ 20
System Clock Synchronization ........................ 20

VSD Groups ........................ 21
Preempt Option ........................ 21
Member States ........................ 22
Heartbeat Message ........................ 23
VSI and Static Routes ........................ 24

Configuration Examples ........................ 25
Cabling Devices for Active/Active Full-Mesh NSRP ........................ 25
Creating an NSRP Cluster ........................ 28
Configuring an Active/Passive NSRP Cluster ........................ 30
Configuring an Active/Active NSRP Cluster ........................ 34
Synchronizing RTOs Manually ........................ 39
Configuring Manual Link Probes ........................ 40
Configuring Automatic Link Probes ........................ 40

Chapter 2 Interface Redundancy and Failover 41

Redundant Interfaces and Zones ........................ 42
Holddown Time Settings ........................ 42
Aggregate Interfaces ........................ 43

Interface Failover ........................ 44
Backup Interface Traffic ........................ 44
Primary Interface Traffic ........................ 45
Automatic Traffic Failover ........................ 45
Serial Interfaces ........................ 46

Default Route Deletion ........................ 46
Default Route Addition ........................ 46
Policy Deactivation ........................ 47

Monitoring Failover ........................ 47
Interface Failover with IP Tracking ........................ 48
Active-to-Backup Tunnel Failover ........................ 48
Interface Failover with VPN Tunnel Monitoring ........................ 48

NSRP Object Monitoring to Trigger Failover ........................ 50
Security Module ........................ 51
Physical Interface ........................ 51
Zone Objects ........................ 52
Tracked IP Objects ........................ 52
Track IP for Device Failover ........................ 54


Virtual Security Device Group Failover ........................ 56
Virtual System Failover ........................ 56
Device Failover ........................ 57
Configuration Examples ........................ 58

Configuring Track IP for Device Failover ........................ 59
Configuring a Redundant VPN Tunnel ........................ 61
Configuring Virtual Security Interfaces ........................ 65
Configuring Dual Active Tunnels ........................ 68
Configuring Interface Failover Using Track IP ........................ 72
Configuring Tunnel Failover Weights ........................ 76
Configuring Virtual System Failover ........................ 82

Index..........................................................................................................................IX-I

Volume 12: WAN, DSL, Dial, and Wireless

About This Volume ix

Document Conventions ........................ x
Web User Interface Conventions ........................ x
Command Line Interface Conventions ........................ x
Naming Conventions and Character Types ........................ xi
Illustration Conventions ........................ xii

Technical Documentation and Support ......................................................... xiii

Chapter 1 Wide Area Networks 1

WAN Overview ........................ 1
Serial ........................ 2
T1 ........................ 3
E1 ........................ 3
T3 ........................ 4
E3 ........................ 4
ISDN ........................ 5

WAN Interface Options ........................ 7
Hold Time ........................ 8
Frame Checksum ........................ 9
Idle-cycle Flag ........................ 9
Start/End Flag ........................ 9
Line Encoding ........................ 10

Alternate Mark Inversion Encoding ........................ 10
B8ZS and HDB3 Line Encoding ........................ 11
Byte Encoding ........................ 11
Line Buildout ........................ 11

Framing Mode ........................ 12
Superframe for T1 ........................ 12
Extended Superframe for T1 ........................ 12
C-Bit Parity Framing for T3 ........................ 13

Clocking ........................ 13
Clocking Mode ........................ 13
Clocking Source ........................ 14
Internal Clock Rate ........................ 14
Transmit Clock Inversion ........................ 16

Signal Handling .......................................................................................16


Loopback Signal ........................ 17
Remote and Local Loopback ........................ 17
Loopback Mode ........................ 18
CSU Compatibility Mode ........................ 20
Remote Loopback Response ........................ 21
FEAC Response ........................ 21

Time Slots ........................ 22
Fractional T1 ........................ 22
Fractional E1 ........................ 22

Bit Error Rate Testing ........................ 23
ISDN Options ........................ 24

Switch Type ........................ 24
SPID ........................ 24
TEI Negotiation ........................ 25
Calling Number ........................ 25
T310 Value ........................ 25
Send Complete ........................ 26

BRI Mode ........................ 26
Leased-Line Mode ........................ 26
Dialer Enable ........................ 26

Dialer Options ........................ 27
Disabling a WAN Interface ........................ 28

WAN Interface Encapsulation ........................ 28
Point-to-Point Protocol ........................ 29
Frame Relay ........................ 29
Cisco-High-Level Data Link Control (Cisco-HDLC) ........................ 30
Basic Encapsulation Options ........................ 30

Unnumbered Interfaces ........................ 31
Protocol Maximum Transmission Unit Configuration ........................ 31
Static IP Address Configuration ........................ 31
Keepalives ........................ 32

PPP Encapsulation Options ........................ 33
PPP Access Profile ........................ 33
PPP Authentication Method ........................ 34
Password ........................ 35

PPP Authentication Protocols ........................ 35
Challenge Handshake Authentication Protocol ........................ 35
Password Authentication Protocol ........................ 36
Local Database User ........................ 36

Frame Relay Encapsulation Options ........................ 36
Keepalive Messages ........................ 37
Frame Relay LMI Type ........................ 37
Creating and Configuring PVCs ........................ 38
Inverse Address Resolution Protocol ........................ 39

Multilink Encapsulation ........................ 40
Overview ........................ 40
Basic Multilink Bundle Configuration ........................ 41

Bundle Identifier ........................ 41
Drop Timeout ........................ 41
Fragment Threshold ........................ 42
Minimum Links ........................ 43
Basic Configuration Steps ........................ 43
Maximum Received Reconstructed Unit ........................ 44
Sequence-Header Format ........................ 44


Multilink Frame Relay Configuration Options ........................ 45
Basic Configuration Steps ........................ 45
Link Assignment for MLFR ........................ 46
Acknowledge Retries ........................ 46
Acknowledge Timer ........................ 46
Hello Timer ........................ 47

WAN Interface Configuration Examples ........................ 47
Configuring a Serial Interface ........................ 47
Configuring a T1 Interface ........................ 48
Configuring an E1 Interface ........................ 49
Configuring a T3 Interface ........................ 49
Configuring an E3 Interface ........................ 50
Configuring a Device for ISDN Connectivity ........................ 51
Step 1: Selecting the ISDN Switch Type ........................ 51
Step 2: Configuring a PPP Profile ........................ 51
Step 3: Setting Up the ISDN BRI Interface ........................ 52

Dialing Out to a Single Destination Only ...........................................52Dialing Out Using the Dialer Interface ...............................................53Using Leased-Line Mode....................................................................56

Step 4: Routing Traffic to the Destination ................................................56Encapsulation Configuration Examples ..........................................................58

Configuring PPP Encapsulation................................................................58Configuring MLPPP Encapsulation ...........................................................59Configuring Frame Relay Encapsulation ..................................................61Configuring MLFR Encapsulation .............................................................61Configuring Cisco HDLC Encapsulation....................................................63

Chapter 2 Digital Subscriber Line 65

Digital Subscriber Line Overview ...................................................................65Asynchronous Transfer Mode ..................................................................66

ATM Quality of Service......................................................................67Point-to-Point Protocol over ATM ......................................................68Multilink Point-to-Point Protocol........................................................69

Discrete Multitone for DSL Interfaces ......................................................69Annex Mode ............................................................................................70Virtual Circuits .........................................................................................71

VPI/VCI and Multiplexing Method......................................................71PPPoE or PPPoA ...............................................................................72

Static IP Address and Netmask ................................................................72ADSL Interface ...............................................................................................73G.SHDSL Interface..........................................................................................74

Loopback Mode .......................................................................................75Operation, Administration, and Maintenance ..........................................75Signal-to-Noise Ratio................................................................................76

ADSL Configuration Examples .......................................................................77Example 1: (Small Business/Home) PPPoA on ADSL Interface.................78Example 2: (Small Business/Home) 1483 Bridging on ADSL Interface .....80Example 3: (Small Business) 1483 Routing on ADSL Interface.................82Example 4: (Small Business/Home) Dialup Backup ..................................84Example 5: (Small Business/Home) Ethernet Backup...............................87Example 6: (Small Business/Home) ADSL Backup....................................90Example 7: (Small Business) MLPPP ADSL...............................................93Example 8: (Small Business) Allow Access to Local Servers .....................95Example 9: (Branch Office) VPN Tunnel Through ADSL...........................97

Example 10: (Branch Office) Secondary VPN Tunnel ..... 101

Chapter 3 ISP Failover and Dial Recovery 109

Setting ISP Priority for Failover ..... 109
Defining Conditions for ISP Failover ..... 110
Configuring a Dialup Recovery Solution ..... 110

Chapter 4 Wireless Local Area Network 115

Overview ..... 116
Wireless Product Interface Naming Differences ..... 117
Basic Wireless Network Feature Configuration ..... 117
Creating a Service Set Identifier ..... 117
Suppressing SSID Broadcast ..... 118
Isolating a Client ..... 118
Setting the Operation Mode for a 2.4 GHz Radio Transceiver ..... 119
Setting the Operation Mode for a 5GHz Radio Transceiver ..... 119
Configuring Minimum Data Transmit Rate ..... 120
Configuring Transmit Power ..... 121
Reactivating a WLAN Configuration ..... 121
Configuring Authentication and Encryption for SSIDs ..... 122
Configuring Wired Equivalent Privacy ..... 122
Multiple WEP Keys ..... 123
Configuring Open Authentication ..... 124
Configuring WEP Shared-Key Authentication ..... 126
Configuring Wi-Fi Protected Access ..... 127
Configuring 802.1X Authentication for WPA and WPA2 ..... 128
Configuring Preshared Key Authentication for WPA and WPA2 ..... 128
Specifying Antenna Use ..... 129
Setting the Country Code, Channel, and Frequency ..... 130
Using Extended Channels ..... 130
Performing a Site Survey ..... 131
Locating Available Channels ..... 131
Setting an Access Control List Entry ..... 132
Configuring Super G ..... 133
Configuring Atheros XR (Extended Range) ..... 133
Configuring Wi-Fi Multimedia Quality of Service ..... 134
Enabling WMM ..... 134
Configuring WMM Quality of Service ..... 134
Access Categories ..... 135
WMM Default Settings ..... 135
Example ..... 137
Configuring Advanced Wireless Parameters ..... 138
Configuring Aging Interval ..... 138
Configuring Beacon Interval ..... 139
Configuring Delivery Traffic Indication Message Period ..... 140
Configuring Burst Threshold ..... 140
Configuring Fragment Threshold ..... 140
Configuring Request to Send Threshold ..... 141
Configuring Clear to Send Mode ..... 141
Configuring Clear to Send Rate ..... 142
Configuring Clear to Send Type ..... 142
Configuring Slot Time ..... 143
Configuring Preamble Length ..... 143

Working with Wireless Interfaces ..... 144
Binding an SSID to a Wireless Interface ..... 144
Binding a Wireless Interface to a Radio ..... 144
Creating Wireless Bridge Groups ..... 145
Disabling a Wireless Interface ..... 146
Viewing Wireless Configuration Information ..... 146
Configuration Examples ..... 147
Example 1: Open Authentication and WEP Encryption ..... 147
Example 2: WPA-PSK Authentication with Passphrase and Automatic Encryption ..... 147
Example 3: WLAN in Transparent Mode ..... 148
Example 4: Multiple and Differentiated Profiles ..... 151

Appendix A Wireless Information A-I

802.11a Channel Numbers ..... A-I
802.11b and 802.11g Channels ..... A-III
Turbo-Mode Channel Numbers ..... A-IV

Index ..... IX-I

Volume 13: General Packet Radio Service

About This Volume v

Document Conventions ..... v
Web User Interface Conventions ..... v
Command Line Interface Conventions ..... vi
Naming Conventions and Character Types ..... vi
Illustration Conventions ..... viii
Technical Documentation and Support ..... ix

Chapter 1 GPRS 1

The Security Device as a GPRS Tunneling Protocol Firewall ..... 2
Gp and Gn Interfaces ..... 3
Gi Interface ..... 3
Operational Modes ..... 4
Virtual System Support ..... 5
Policy-Based GPRS Tunneling Protocol ..... 5
Example: Configuring Policies to Enable GTP Inspection ..... 6
GPRS Tunneling Protocol Inspection Object ..... 7
Example: Creating a GTP Inspection Object ..... 8
GTP Message Filtering ..... 8
Packet Sanity Check ..... 8
Message-Length Filtering ..... 9
Example: Setting GTP Message Lengths ..... 9
Message-Type Filtering ..... 10
Example: Permitting and Denying Message Types ..... 10
Supported Message Types ..... 10
Message-Rate Limiting ..... 12
Example: Setting a Rate Limit ..... 12
Sequence Number Validation ..... 13
Example: Enabling Sequence Number Validation ..... 13

IP Fragmentation ..... 13
GTP-in-GTP Packet Filtering ..... 13
Example: Enabling GTP-in-GTP Packet Filtering ..... 13
Deep Inspection ..... 14
Example: Enabling Deep Inspection on the TEID ..... 14
GTP Information Elements ..... 14
Access Point Name Filtering ..... 15
Example: Setting an APN and a Selection Mode ..... 16
IMSI Prefix Filtering ..... 16
Example: Setting a Combined IMSI Prefix and APN Filter ..... 17
Radio Access Technology ..... 17
Example: Setting an RAT and APN Filter ..... 17
Routing Area Identity and User Location Information ..... 18
Example: Setting an RAI and APN Filter ..... 18
Example: Setting a ULI and APN Filter ..... 18
APN Restriction ..... 18
IMEI-SV ..... 19
Example: Setting an IMEI-SV and APN Filter ..... 19
Protocol and Signaling Requirements ..... 19
Combination Support for IE Filtering ..... 20
Supported R6 Information Elements ..... 20
3GPP R6 IE Removal ..... 22
Example: R6 Removal ..... 23
GTP Tunnels ..... 23
GTP Tunnel Limiting ..... 23
Example: Setting GTP Tunnel Limits ..... 23
Stateful Inspection ..... 23
GTP Tunnel Establishment and Teardown ..... 24
Inter SGSN Routing Area Update ..... 24
Tunnel Failover for High Availability ..... 24
Hanging GTP Tunnel Cleanup ..... 25
Example: Setting the Timeout for GTP Tunnels ..... 25
SGSN and GGSN Redirection ..... 26
Overbilling-Attack Prevention ..... 26
Overbilling-Attack Description ..... 26
Overbilling-Attack Solution ..... 28
Example: Configuring the Overbilling Attack Prevention Feature ..... 29
GTP Traffic Monitoring ..... 31
Traffic Logging ..... 31
Example: Enabling GTP Packet Logging ..... 32
Traffic Counting ..... 33
Example: Enabling GTP Traffic Counting ..... 33
Lawful Interception ..... 34
Example: Enabling Lawful Interception ..... 34

Index ..... IX-I

Volume 14: Dual-Stack Architecture with IPv6

About This Volume vii

Document Audience ..... viii
Document Conventions ..... viii

Web User Interface Conventions ..... viii
Command Line Interface Conventions ..... viii
Naming Conventions and Character Types ..... ix
Illustration Conventions ..... x
Technical Documentation and Support ..... xi

Chapter 1 Internet Protocol Version 6 Introduction 1

Overview ..... 2
IPv6 Addressing ..... 2
Notation ..... 2
Prefixes ..... 3
Address Types ..... 3
Unicast Addresses ..... 3
Anycast Addresses ..... 4
Multicast Addresses ..... 4
IPv6 Headers ..... 4
Basic Header ..... 4
Extension Headers ..... 5
IPv6 Packet Handling ..... 6
IPv6 Router and Host Modes ..... 7
IPv6 Tunneling Guidelines ..... 8

Chapter 2 IPv6 Configuration 9

Overview ..... 11
Address Autoconfiguration ..... 11
Extended Unique Identifier ..... 11
Router Advertisement Messages ..... 12
Router Solicitation Messages ..... 12
Prefix Lists ..... 12
Neighbor Discovery ..... 13
Neighbor Cache Table ..... 13
Neighbor Unreachability Detection ..... 13
Neighbor Entry Categories ..... 14
Neighbor Reachability States ..... 14
How Reachability State Transitions Occur ..... 15
Enabling an IPv6 Environment ..... 18
Enabling IPv6 at the Device Level ..... 18
Disabling IPv6 at the Device Level ..... 19
Configuring an IPv6 Host ..... 19
Binding the IPv6 Interface to a Zone ..... 20
Enabling IPv6 Host Mode ..... 20
Setting an Interface Identifier ..... 20
Configuring Address Autoconfiguration ..... 21
Configuring Neighbor Discovery ..... 21
Configuring an IPv6 Router ..... 22
Binding the IPv6 Interface to a Zone ..... 22
Enabling IPv6 Router Mode ..... 22
Setting an Interface Identifier ..... 23
Setting Address Autoconfiguration ..... 23
Outgoing Router Advertisements Flag ..... 23
Managed Configuration Flag ..... 24
Other Parameters Configuration Flag ..... 24
Disabling Address Autoconfiguration ..... 24

Setting Advertising Time Intervals ..... 25
Advertised Reachable Time Interval ..... 25
Advertised Retransmit Time Interval ..... 26
Maximum Advertisement Interval ..... 26
Minimum Advertisement Interval ..... 26
Advertised Default Router Lifetime ..... 27
Advertising Packet Characteristics ..... 27
Link MTU Value ..... 27
Current Hop Limit ..... 28
Advertising Router Characteristics ..... 28
Link Layer Address Setting ..... 28
Advertised Router Preference ..... 28
Configuring Neighbor Discovery Parameters ..... 29
Neighbor Unreachability Detection ..... 29
MAC Session-Caching ..... 29
Static Neighbor Cache Entries ..... 30
Base Reachable Time ..... 30
Probe Time ..... 31
Retransmission Time ..... 31
Duplicate Address Detection Retry Count ..... 31
Viewing IPv6 Interface Parameters ..... 32
Viewing Neighbor Discovery Configurations ..... 32
Viewing the Current RA Configuration ..... 32
Configuration Examples ..... 33
IPv6 Router ..... 33
IPv6 Host ..... 33

Chapter 3 Connection and Network Services 35

Overview ..... 36
Dynamic Host Configuration Protocol Version 6 ..... 36
Device-Unique Identification ..... 36
Identity Association Prefix Delegation-Identification ..... 37
Prefix Features ..... 37
Server Preference ..... 38
Configuring a DHCPv6 Server ..... 38
Configuring a DHCPv6 Client ..... 40
Viewing DHCPv6 Settings ..... 41
Configuring Domain Name System Servers ..... 42
Requesting DNS and DNS Search List Information ..... 43
Setting Proxy DNS Address Splitting ..... 44
Configuring PPPoE ..... 46
Setting Fragmentation ..... 47

Chapter 4 Static and Dynamic Routing 49

Overview ..... 50
Dual Routing Tables ..... 50
Static and Dynamic Routing ..... 51
Upstream and Downstream Prefix Delegation ..... 51
Static Routing ..... 52
RIPng Configuration ..... 53
Creating and Deleting a RIPng Instance ..... 54
Creating a RIPng Instance ..... 54
Deleting a RIPng Instance ..... 54

Enabling and Disabling RIPng on Interfaces ..... 55
Enabling RIPng on an Interface ..... 55
Disabling RIPng on an Interface ..... 55
Global RIPng Parameters ..... 56
Advertising the Default Route ..... 56
Rejecting Default Routes ..... 57
Configuring Trusted Neighbors ..... 57
Redistributing Routes ..... 58
Protecting Against Flooding by Setting an Update Threshold ..... 59
RIPng Interface Parameters ..... 60
Route, Interface, and Offset Metrics ..... 60
Access Lists and Route Maps ..... 61
Static Route Redistribution ..... 61
Configuring Split Horizon with Poison Reverse ..... 64
Viewing Routing and RIPng Information ..... 64
Viewing the Routing Table ..... 65
Viewing the RIPng Database ..... 65
Viewing RIPng Details by Virtual Router ..... 66
Viewing RIPng Details by Interface ..... 67
Viewing RIPng Neighbor Information ..... 68
Configuration Examples ..... 69
Enabling RIPng on Tunnel Interfaces ..... 69
Avoiding Traffic Loops to an ISP Router ..... 71
Configuring the Customer Premises Equipment ..... 71
Configuring the Gateway ..... 75
Configuring the ISP Router ..... 78
Setting a Null Interface Redistribution to OSPF ..... 79
Redistributing Discovered Routes to OSPF ..... 80
Setting Up OSPF-Summary Import ..... 80

Chapter 5 Address Translation 81

Overview ..... 82
Translating Source IP Addresses ..... 83
DIP from IPv6 to IPv4 ..... 83
DIP from IPv4 to IPv6 ..... 83
Translating Destination IP Addresses ..... 84
MIP from IPv6 to IPv4 ..... 84
MIP from IPv4 to IPv6 ..... 85
Configuration Examples ..... 86
IPv6 Hosts to Multiple IPv4 Hosts ..... 86
IPv6 Hosts to a Single IPv4 Host ..... 88
IPv4 Hosts to Multiple IPv6 Hosts ..... 90
IPv4 Hosts to a Single IPv6 Host ..... 91
Translating Addresses for Domain Name System Servers ..... 93

Chapter 6 IPv6 in an IPv4 Environment 97

Overview ..... 98
Configuring Manual Tunneling ..... 99
Configuring 6to4 Tunneling ..... 102
6to4 Routers ..... 102
6to4 Relay Routers ..... 103
Tunnels to Remote Native Hosts ..... 104
Tunnels to Remote 6to4 Hosts ..... 107

Chapter 7 IPSec Tunneling 111

Overview ..... 112
IPSec 6in6 Tunneling ..... 112
IPSec 4in6 Tunneling ..... 115
IPSec 6in4 Tunneling ..... 120
Manual Tunneling with Fragmentation Enabled ..... 124
  IPv6 to IPv6 Route-Based VPN Tunnel ..... 125
  IPv4 to IPv6 Route-Based VPN Tunnel ..... 127

Chapter 8 IPv6 XAuth User Authentication 131

Overview ..... 132
  RADIUSv6 ..... 132
    Single Client, Single Server ..... 132
    Multiple Clients, Single Server ..... 132
    Single Client, Multiple Servers ..... 133
    Multiple Hosts, Single Server ..... 133
  IPSec Access Session Management ..... 134
    IPSec Access Session ..... 134
    Enabling and Disabling IAS Functionality ..... 136
    Releasing an IAS Session ..... 136
    Limiting IAS Settings ..... 136
  Dead Peer Detection ..... 137
Configuration Examples ..... 138
  XAuth with RADIUS ..... 138
  RADIUS with XAuth Route-Based VPN ..... 139
  RADIUS with XAuth and Domain Name Stripping ..... 143
  IP Pool Range Assignment ..... 147
  RADIUS Retries ..... 153
  Calling-Station-Id ..... 153
  IPSec Access Session ..... 154
  Dead Peer Detection ..... 163

Appendix A Switching A-I

Index..........................................................................................................................IX-I


About the Concepts & Examples ScreenOS Reference Guide

Juniper Networks security devices integrate the following firewall, virtual private network (VPN), and traffic-shaping features to provide flexible protection for security zones when connecting to the Internet:

Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network, such as the Internet.

Layered Security: The layered security solution is deployed at different locations to repel attacks. If one layer fails, the next one catches the attack. Some functions help protect remote locations with site-to-site VPNs. Devices deployed at the perimeter repel network-based attacks. Another layer, using Intrusion Detection and Prevention (IDP) and Deep Inspection, automatically detects attacks and prevents them from inflicting damage.

Network segmentation, the final security layer (also known as virtualization), divides the network up into secure domains to protect critical resources from unauthorized roaming users and network attacks.

Content Security: Protects users from malicious URLs and provides embedded antivirus scanning and web filtering. In addition, it works with third-party products to provide external antivirus scanning, anti-spam, and web filtering.

VPN: A VPN provides a secure communications channel between two or more remote network appliances.

Integrated Networking Functions: Dynamic routing protocols learn reachability and advertise dynamically changing network topologies. In addition, traffic shaping functionality allows administrative monitoring and control of traffic passing across the Juniper Networks firewall to maintain a network’s quality-of-service (QoS) level.

Centralized Management: The NetScreen-Security Manager tool simplifies configuration, deployment, and management of security devices.

Redundancy: High availability of interfaces, routing paths, security devices, and—on high-end Juniper Networks devices—power supplies and fans, to avoid a single point of failure in any of these areas.


Figure 1: Key Features in ScreenOS

The ScreenOS system provides all the features needed to set up and manage any security appliance or system. This document is a reference guide for configuring and managing a Juniper Networks security device through ScreenOS.

NOTE: For information about Juniper Networks’ compliance with Federal Information Processing Standards (FIPS) and for instructions on setting a FIPS-compliant security device in FIPS mode, refer to the platform-specific Cryptographic Module Security Policy document on the documentation CD.

Figure 1 (Key Features in ScreenOS) shows a security device between an Untrust Zone (Internet) and a Trust Zone (LAN), with a Backup Device alongside it. The callouts recovered from the figure are:

Routing table shown in the figure (Dst / Use):
  0.0.0.0/0     1.1.1.250
  1.1.1.0/24    eth3
  1.2.1.0/24    eth2
  10.1.0.0/16   trust-vr
  10.2.2.0/24   tunnel.1
  10.3.3.0/24   tunnel.2

Redundancy: The backup device maintains identical configuration and sessions as those on the primary device to assume the place of the primary device if necessary. (Note: Interfaces, routing paths, power supplies, and fans can also be redundant.)

VPNs: Secure communication tunnels between sites for traffic passing through the Internet.

Firewall: Screening traffic between the protected LAN and the Internet.

Integrated Networking Functions: Performs routing functions and communicates and interacts with routing devices in the environment.

Traffic Shaping: Efficient prioritization of traffic as it traverses the firewall.

Dynamic Routing: The routing table automatically updates by communicating with dynamic routing peers.


Volume Organization

The Concepts & Examples ScreenOS Reference Guide is a multi-volume manual. The following information outlines and summarizes the material in each volume:

Volume 1: Overview

“Table of Contents” contains a master table of contents for all volumes in the manual.

“Master Index” is an index of all volumes in the manual.

Volume 2: Fundamentals

Chapter 1, “ScreenOS Architecture,” presents the fundamental elements of the architecture in ScreenOS and concludes with a four-part example illustrating an enterprise-based configuration incorporating most of those elements. In this and all subsequent chapters, each concept is accompanied by illustrative examples.

Chapter 2, “Zones,” explains security zones, tunnel zones, and function zones.

Chapter 3, “Interfaces,” describes the various physical, logical, and virtual interfaces on security devices.

Chapter 4, “Interface Modes,” explains the concepts behind Transparent, Network Address Translation (NAT), and Route interface operational modes.

Chapter 5, “Building Blocks for Policies,” discusses the elements used for creating policies and virtual private networks (VPNs): addresses (including VIP addresses), services, and DIP pools. It also presents several example configurations that support the H.323 protocol.

Chapter 6, “Policies,” explores the components and functions of policies and offers guidance on their creation and application.

Chapter 7, “Traffic Shaping,” explains how you can manage bandwidth at the interface and policy levels and prioritize services.

Chapter 8, “System Parameters,” presents the concepts behind Domain Name System (DNS) addressing, using Dynamic Host Configuration Protocol (DHCP) to assign or relay TCP/IP settings, downloading and uploading system configurations and software, and setting the system clock.


Volume 3: Administration

Chapter 1, “Administration,” explains the different means available for managing a security device both locally and remotely. This chapter also explains the privileges pertaining to each of the four levels of network administrators that can be defined.

Chapter 2, “Monitoring Security Devices,” explains various monitoring methods and provides guidance in interpreting monitoring output.

Volume 4: Attack Detection and Defense Mechanisms

Chapter 1, “Protecting a Network,” outlines the basic stages of an attack and the firewall options available to combat the attacker at each stage.

Chapter 2, “Reconnaissance Deterrence,” describes the options available for blocking IP address sweeps, port scans, and attempts to discover the type of operating system (OS) of a targeted system.

Chapter 3, “Denial-of-Service Attack Defenses,” explains firewall, network, and OS-specific DoS attacks and how ScreenOS mitigates such attacks.

Chapter 4, “Content Monitoring and Filtering,” describes how to protect HyperText Transfer Protocol (HTTP) users from malicious uniform resource locators (URLs) and how to configure the security device to work with third-party products to provide antivirus scanning and web filtering.

Chapter 5, “Deep Inspection,” describes how to configure the security device to obtain Deep Inspection (DI) attack object updates, how to create user-defined attack objects and attack object groups, and how to apply IDP at the policy level.

Chapter 6, “Intrusion Detection and Prevention,” describes Juniper Networks Intrusion Detection and Prevention (IDP) technology, which can both detect and then stop attacks when deployed inline in your network. The chapter describes how to apply IDP at the policy level to drop malicious packets or connections before the attacks can enter your network.

Chapter 7, “Suspicious Packet Attributes,” explains a number of SCREEN options that block potentially dangerous packets.

Appendix A, “Contexts for User-Defined Signatures,” provides a list and descriptions of contexts that you can specify when defining a stateful signature attack object.


Volume 5: Virtual Private Networks

Chapter 1, “Internet Protocol Security,” provides background information about IPSec, presents a flow sequence for Phase 1 in IKE negotiations in Aggressive and Main modes, and concludes with information about IKE and IPSec packet encapsulation.

Chapter 2, “Public Key Cryptography,” provides information about how to obtain and load digital certificates and certificate revocation lists (CRLs).

Chapter 3, “Virtual Private Network Guidelines,” offers some useful information to help in the selection of the available VPN options. It also presents a packet flow chart to demystify VPN packet processing.

Chapter 4, “Site-to-Site Virtual Private Networks,” provides extensive examples of VPN configurations connecting two private networks.

Chapter 5, “Dialup Virtual Private Networks,” provides extensive examples of client-to-LAN communication using AutoKey IKE. It also details group IKE ID and shared IKE ID configurations.

Chapter 6, “Layer 2 Tunneling Protocol,” explains the Layer 2 Tunneling Protocol and its use alone and in conjunction with IPSec (L2TP-over-IPSec).

Chapter 7, “Advanced Virtual Private Network Features,” contains information and examples for the more advanced VPN configurations, such as NAT-Traversal, VPN monitoring, binding multiple tunnels to a single tunnel interface, and hub-and-spoke and back-to-back tunnel designs.

Chapter 8, “AutoConnect-Virtual Private Networks,” describes how ScreenOS uses Next Hop Resolution Protocol (NHRP) messages to enable security devices to set up AutoConnect VPNs as needed. The chapter provides an example of a typical scenario in which AC-VPN might be used.

Volume 6: Voice-over-Internet Protocol

Chapter 1, “H.323 Application Layer Gateway,” describes the H.323 protocol and provides examples of typical scenarios.

Chapter 2, “Session Initiation Protocol Application Layer Gateway,” describes the Session Initiation Protocol (SIP) and shows how the SIP ALG processes calls in Route and Network Address Translation (NAT) modes. Examples of typical scenarios follow a summary of the SIP architecture.

Chapter 3, “Media Gateway Control Protocol Application Layer Gateway,” presents an overview of the Media Gateway Control Protocol (MGCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the MGCP architecture.

Chapter 4, “Skinny Client Control Protocol Application Layer Gateway,” presents an overview of the Skinny Client Control Protocol (SCCP) ALG and lists the firewall security features of the implementation. Examples of typical scenarios follow a summary of the SCCP architecture.


Volume 7: Routing

Chapter 1, “Static Routing,” describes the ScreenOS routing table, the basic routing process on the security device, and how to configure static routes on security devices.

Chapter 2, “Routing,” explains how to configure virtual routers on security devices and how to redistribute routing table entries between protocols or between virtual routers.

Chapter 3, “Open Shortest Path First,” describes how to configure the OSPF dynamic routing protocol on security devices.

Chapter 4, “Routing Information Protocol,” describes how to configure the RIP dynamic routing protocol on security devices.

Chapter 5, “Border Gateway Protocol,” describes how to configure the BGP dynamic routing protocol on security devices.

Chapter 6, “Policy-Based Routing,” explains how to force interesting traffic along a specific path in the network.

Chapter 7, “Multicast Routing,” introduces basic multicast routing concepts.

Chapter 8, “Internet Group Management Protocol,” describes how to configure the Internet Group Management Protocol (IGMP) on security devices.

Chapter 9, “Protocol Independent Multicast,” describes how to configure the Protocol Independent Multicast (PIM) routing protocol on security devices.

Chapter 10, “ICMP Router Discovery Protocol,” explains how to set up an Internet Control Message Protocol (ICMP) message exchange between a host and a router.

Volume 8: Address Translation

Chapter 1, “Address Translation,” gives an overview of the various translation options, which are covered in detail in subsequent chapters.

Chapter 2, “Source Network Address Translation,” describes NAT-src, the translation of the source IP address in a packet header, with and without Port Address Translation (PAT).

Chapter 3, “Destination Network Address Translation,” describes NAT-dst, the translation of the destination IP address in a packet header, with and without destination port address mapping. This section also includes information about the packet flow when doing NAT-src, routing considerations, and address shifting.

Chapter 4, “Mapped and Virtual Addresses,” describes the mapping of one destination IP address to another based on IP address alone (mapped IP) or based on destination IP address and destination port number (virtual IP).


Volume 9: User Authentication

Chapter 1, “Authentication,” details the various authentication methods and uses that ScreenOS supports.

Chapter 2, “Authentication Servers,” presents the options of using one of three possible types of external authentication server—RADIUS, SecurID, or LDAP—or the internal database and shows how to configure the security device to work with each type.

Chapter 3, “Infranet Authentication,” details how the security device is deployed in a unified access control (UAC) solution. The Juniper Networks unified access control (UAC) solution secures and assures the delivery of applications and services across an enterprise infranet.

Chapter 4, “Authentication Users,” explains how to define profiles for authentication users and how to add them to user groups stored either locally or on an external RADIUS authentication server.

Chapter 5, “IKE, XAuth, and L2TP Users,” explains how to define IKE, XAuth, and L2TP users. Although the XAuth section focuses primarily on using the security device as an XAuth server, it also includes a subsection on configuring select security devices to act as an XAuth client.

Chapter 6, “Extensible Authentication for Wireless and Ethernet Interfaces,” explains the options available for and examples of how to use Extensible Authentication Protocol to provide authentication for Ethernet and wireless interfaces.

Volume 10: Virtual Systems

Chapter 1, “Virtual Systems,” discusses virtual systems, objects, and administrative tasks.

Chapter 2, “Traffic Sorting,” explains how ScreenOS sorts traffic.

Chapter 3, “VLAN-Based Traffic Classification,” describes VLAN-based traffic classification for virtual systems, and VLAN retagging.

Chapter 4, “IP-Based Traffic Classification,” explains IP-based traffic classification for virtual systems.

Volume 11: High Availability

Chapter 1, “NetScreen Redundancy Protocol,” explains how to cable, configure, and manage Juniper Networks security devices in a redundant group to provide high availability (HA) using the NetScreen Redundancy Protocol (NSRP).

Chapter 2, “Interface Redundancy and Failover,” describes the various ways in which Juniper Networks security devices provide interface redundancy.


Volume 12: WAN, DSL, Dial, and Wireless

Chapter 1, “Wide Area Networks,” describes how to configure a wide area network (WAN).

Chapter 2, “Digital Subscriber Line,” describes the Asymmetric Digital Subscriber Line (ADSL) interface on the security device. ADSL is a Digital Subscriber Line (DSL) technology that allows existing telephone lines to carry both voice telephone service and high-speed digital transmission.

Chapter 3, “ISP Failover and Dial Recovery,” describes how to set priority and define conditions for ISP failover and how to configure a dialup recovery solution.

Chapter 4, “Wireless Local Area Network,” describes the wireless interfaces on Juniper Networks wireless devices and provides example configurations.

Appendix A, “Wireless Information,” lists available channels, frequencies, and regulatory domains and lists the channels that are available on wireless devices for each country.

Volume 13: General Packet Radio Service

Chapter 1, “GPRS,” describes the GPRS Tunneling Protocol (GTP) features in ScreenOS and demonstrates how to configure GTP functionality on a Juniper Networks security device.

Volume 14: Dual-Stack Architecture with IPv6

Chapter 1, “Internet Protocol Version 6 Introduction,” explains IPv6 headers, concepts, and tunneling guidelines.

Chapter 2, “IPv6 Configuration,” explains how to configure an interface for operation as an IPv6 router or host.

Chapter 3, “Connection and Network Services,” explains how to configure Dynamic Host Configuration protocol version 6 (DHCPv6), Domain Name Services (DNS), Point-to-Point Protocol over Ethernet (PPPoE), and fragmentation.

Chapter 4, “Static and Dynamic Routing,” explains how to set up static and dynamic routing. This chapter explains ScreenOS support for Routing Information Protocol-Next Generation (RIPng).

Chapter 5, “Address Translation,” explains how to use Network Address Translation (NAT) with dynamic IP (DIP) and mapped-IP (MIP) addresses to traverse IPv4/IPv6 boundaries.

Chapter 6, “IPv6 in an IPv4 Environment,” explains manual and dynamic tunneling.

Chapter 7, “IPSec Tunneling,” explains how to configure IPSec tunneling to connect dissimilar hosts.


Chapter 8, “IPv6 XAuth User Authentication,” explains how to configure Remote Authentication Dial In User Service (RADIUS) and IPSec Access Session (IAS) management.

Appendix A, “Switching,” lists options for using the security device as a switch to pass IPv6 traffic.

Document Conventions

This document uses the conventions described in the following sections:

“Web User Interface Conventions” on page liii

“Command Line Interface Conventions” on page liii

“Naming Conventions and Character Types” on page liv

“Illustration Conventions” on page lv

Web User Interface Conventions

In the Web user interface (WebUI), the set of instructions for each task is divided into navigational path and configuration settings. To open a WebUI page where you can enter configuration settings, you navigate to it by clicking on a menu item in the navigation tree on the left side of the screen, then on subsequent items. As you proceed, your navigation path appears at the top of the screen, each page separated by angle brackets.

The following shows the WebUI path and parameters for defining an address:

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust

To open Online Help for configuration settings, click on the question mark (?) in the upper left of the screen.

The navigation tree also provides a Help > Config Guide configuration page to help you configure security policies and Internet Protocol Security (IPSec). Select an option from the dropdown menu and follow the instructions on the page. Click the ? character in the upper left for Online Help on the Config Guide.

Command Line Interface Conventions

The following conventions are used to present the syntax of command line interface (CLI) commands in examples and in text.

In examples:

Anything inside square brackets [ ] is optional.


Anything inside braces { } is required.

If there is more than one choice, each choice is separated by a pipe ( | ). For example:

set interface { ethernet1 | ethernet2 | ethernet3 } manage

Variables are in italic type:

set admin user name1 password xyz

In text, commands are in boldface type and variables are in italic type.

Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objects—such as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and zones—defined in ScreenOS configurations:

If a name string includes one or more spaces, the entire string must be enclosed within double quotes; for example:

set address trust "local LAN" 10.1.1.0/24

Any leading or trailing spaces within a set of double quotes are trimmed; for example, “ local LAN ” becomes “local LAN”.

Multiple consecutive spaces are treated as a single space.

Name strings are case-sensitive, although many CLI keywords are case-insensitive. For example, “local LAN” is different from “local lan”.

ScreenOS supports the following character types:

Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCS—also referred to as double-byte character sets (DBCS)—are Chinese, Korean, and Japanese.

ASCII characters from 32 (0x20 in hexadecimal) to 255 (0xff), except double quotes ( " ), which have special significance as an indicator of the beginning or end of a name string that includes spaces.

NOTE: When entering a keyword, you only have to type enough letters to identify the word uniquely. Typing set adm u whee j12fmt54 will enter the command set admin user wheezer j12fmt54. However, all the commands documented here are presented in their entirety.

NOTE: A console connection only supports SBCS. The WebUI supports both SBCS and MBCS, depending on the character sets that your browser supports.
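The name-string rules and the keyword-abbreviation note above matter when scripting against the CLI or comparing configuration dumps: a name typed with two spaces is stored with one, and an abbreviation that matches two keywords is rejected rather than guessed. The following Python model is an added example, not part of this guide or of ScreenOS: it tokenizes a CLI line, applies the trimming and collapsing rules to quoted names, and expands abbreviated keywords by unique prefix. The command tree is a constructed subset of keyword names for illustration only, and the exact-match-wins rule and case-insensitive keyword matching are assumptions of this model, not documented ScreenOS behaviour.

```python
"""Toy model of two ScreenOS CLI conventions: name-string normalisation and
unique-prefix keyword abbreviation. Added example; the command tree is a
constructed subset, not the real ScreenOS grammar."""

import re
from typing import Iterable

# A token is a double-quoted run (spaces allowed inside) or a run of non-spaces.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Constructed subset of a command tree: keyword -> child keywords. An empty
# dict means no further keywords are expected; remaining tokens are arguments.
COMMAND_TREE = {
    "set": {
        "address": {},
        "admin": {"name": {}, "password": {}, "user": {}},
        "auth-server": {},
        "interface": {},
    },
    "get": {"address": {}, "admin": {}, "interface": {}},
    "unset": {"address": {}, "admin": {"user": {}}},
}


def tokenize(line: str) -> list[str]:
    """Split a CLI line into tokens, keeping a double-quoted name string as
    one token (quotes removed, inner spaces preserved for normalisation)."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(line)]


def normalize_name(token: str) -> str:
    """Apply the name-string rules: trim leading and trailing spaces and
    collapse runs of spaces to one. Case is preserved (names are case-sensitive)."""
    name = " ".join(token.split())
    if not name:
        raise ValueError("empty name string")
    return name


def names_equal(a: str, b: str) -> bool:
    """Compare two names as they would be stored (case-sensitive)."""
    return normalize_name(a) == normalize_name(b)


def keyword_matches(prefix: str, candidates: Iterable[str]) -> list[str]:
    """All candidate keywords that start with the typed prefix, sorted.
    Keyword matching is case-insensitive here (assumption of this model)."""
    p = prefix.lower()
    return sorted(c for c in candidates if c.lower().startswith(p))


def resolve_keyword(prefix: str, candidates: Iterable[str]) -> str:
    """Expand an abbreviation: an exact match wins (assumption, so a keyword
    that is a prefix of another keyword stays reachable); otherwise the prefix
    must identify exactly one candidate, or the command is rejected."""
    cands = list(candidates)
    exact = [c for c in cands if c.lower() == prefix.lower()]
    if exact:
        return exact[0]
    matches = keyword_matches(prefix, cands)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise ValueError(f"unknown keyword {prefix!r}")
    raise ValueError(f"ambiguous keyword {prefix!r}: could be {matches}")


def expand_command(line: str) -> list[str]:
    """Expand abbreviated keywords along the command tree, then pass the
    remaining tokens through as arguments with name-string trimming applied
    (a no-op for bare tokens such as IP prefixes)."""
    tokens = tokenize(line)
    node = COMMAND_TREE
    expanded: list[str] = []
    for i, tok in enumerate(tokens):
        if not node:  # keywords exhausted: the rest are arguments
            expanded.extend(normalize_name(t) for t in tokens[i:])
            break
        full = resolve_keyword(tok, node)
        expanded.append(full)
        node = node[full]
    return expanded


if __name__ == "__main__":
    print(expand_command("set adm u wheezer j12fmt54"))
    print(expand_command('set address trust "  local   LAN " 10.1.1.0/24'))
    print(names_equal("local LAN", "local lan"))
```

`expand_command("set adm u wheezer j12fmt54")` yields the fully spelled `set admin user ...` form, while `set ad user x` raises because `ad` matches both `address` and `admin`; a configuration-auditing script should treat that rejection, not a silent guess, as the expected outcome.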


Illustration Conventions

The following figure shows the basic set of images used in illustrations throughout this volume.

Figure 2: Images in Illustrations

Figure 2 legend (images used in illustrations):

Autonomous System or Virtual Routing Domain
Security Zone Interfaces: white = protected zone interface (example: Trust Zone); black = outside zone interface (example: Untrust Zone)
Juniper Networks Security Devices
Hub
Switch
Router
Server
VPN Tunnel
Generic Network Device
Dynamic IP (DIP) Pool
Internet
Local Area Network (LAN) with a Single Subnet, or Security Zone
Tunnel Interface
Policy Engine


Technical Documentation and Support

To obtain technical documentation for any Juniper Networks product, visit www.juniper.net/techpubs/.

For technical support, open a support case using the Case Manager link at http://www.juniper.net/customers/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).

If you find any errors or omissions in this document, please contact Juniper Networks at [email protected].


Master Index

Numerics
3DES ..... 5-6
3DES encryption ..... 14-121
4in6 tunneling
  basic setup ..... 14-115
  definition ..... 14-115
6in4 tunneling ..... 14-111
  basic setup ..... 14-120
  over IPv4 WAN ..... 14-120
6over4 tunneling
  addresses, handling ..... 14-99
  definition ..... 14-98
  manual tunneling ..... 14-99
  types ..... 14-98
  when to use ..... 14-98
6to4
  addresses ..... 14-8, 14-102, 14-108
  hosts ..... 14-107
  relay routers ..... 14-102, 14-103
  routers ..... 14-102
  tunneling ..... 14-98, 14-102
  tunneling, description ..... 14-102

A
AAL5 encapsulations ..... 12-66
AAL5 multiplexing ..... 12-74
Access Concentrator (AC) ..... 14-46
access control list
  See ACL
access lists
  for routes ..... 7-40
  IGMP ..... 7-158
  multicast routing ..... 7-151
  PIM-SM ..... 7-199
Access Point Name
  See APN
access policies
  See policies
ACL ..... 12-132
ActiveX controls, blocking ..... 4-168
address books
  addresses
    adding ..... 2-104
    modifying ..... 2-105
    removing ..... 2-108
  entries ..... 2-104
  group entries, editing ..... 2-108
  groups ..... 2-105
  See also addresses
address groups ..... 2-105, 2-166
  creating ..... 2-107
  editing ..... 2-108
  entries, removing ..... 2-108
  options ..... 2-106
address negation ..... 2-186
address sweep ..... 4-8
address translation
  See NAT, NAT-dst, and NAT-src
addresses
  address book entries ..... 2-104 to 2-108
  autoconfiguration ..... 14-11
  defined ..... 2-166
  in policies ..... 2-166
  IP lifetime for XAuth users ..... 9-70
  IP, host and network IDs ..... 2-47
  L2TP assignments ..... 9-84
  link-local ..... 14-12
  MAC ..... 14-13, 14-21, 14-29
  private ..... 2-47
  public ..... 2-47
  splitting ..... 14-44
addresses, handling
  4in6 tunneling ..... 14-116
  6to4 tunneling ..... 14-104
  destination address translation ..... 14-84
  DIP from IPv4 to IPv6 ..... 14-84
  DIP from IPv6 to IPv4 ..... 14-83
  IPv4 hosts to a single IPv6 host ..... 14-113
  IPv6 hosts to multiple IPv4 hosts ..... 14-87
  manual tunneling ..... 14-99
addresses, overlapping ranges ..... 10-63, 10-72
addresses, XAuth
  assignments ..... 9-68
  authentication, and ..... 9-79
  timeout ..... 9-70
admin users ..... 9-2
  prioritizing authentication ..... 9-32
  privileges from RADIUS ..... 9-2
  server support ..... 9-14
  timeout ..... 9-18


administration
    CLI, 3-9
    restricting, 3-42
    WebUI, 3-2
administration, vsys, 10-7
administrative traffic, 3-29
admins, 10-2
    changing passwords, 10-4, 10-7
    types, 10-4
ADSL
    configuring interface, 12-73
    overview, 12-73
    VPN tunnel, 12-97
Advanced Encryption Standard (AES), 5-6
AES, 5-6
AES128 encryption, 14-121
agents, zombie, 4-27, 4-29
aggregate interfaces, 2-37, 11-43
aggressive aging, 4-30 to 4-32
Aggressive mode, 5-10
AH, 5-3, 5-5
AIM, 4-130
alarms
    email alert, 3-68
    reporting to NetScreen-Security Manager, 3-25
    thresholds, 3-69
    traffic, 3-68 to 3-71
alarms, thresholds, 2-172
ALG, 4-55, 6-17
    SIP, 6-13
    SIP NAT, 6-23
ALGs
    for custom services, 2-167
    MS RPC, 2-129
    RTSP, 2-130
    Sun RPC, 2-127
America Online Instant Messaging
    See AIM
anti-replay checking, 5-52, 5-59
APN
    filtering, 13-15
    selection mode, 13-15
Application Layer Gateway
    See ALG
application option, in policies, 2-167
ARP, 2-82, 11-52
    broadcasts, 11-29
    lookup, 11-38
ARP, ingress IP address, 2-84
asset recovery log, 3-68
assigning priorities, 9-32
Asynchronous Transfer Mode
    See ATM
ATM, 12-67
ATM Adaptation Layer 5, 12-74
attack actions, 4-138 to 4-146
    close, 4-138
    close client, 4-138
    close server, 4-138
    drop, 4-138
    drop packet, 4-138
    ignore, 4-138
    none, 4-139
attack database updates
    downloading, 4-230
    overview, 4-230
attack object database, 4-120 to 4-127
    auto notification and manual update, 4-124
    automatic update, 4-123
    changing the default URL, 4-126
    immediate update, 4-122
    manual update, 4-125, 4-126
attack object groups, 4-134
    applied in policies, 4-128
    changing severity, 4-134
    Help URLs, 4-131
    logging, 4-149
    severity levels, 4-134
attack objects, 4-117, 4-127 to 4-133
    brute force, 4-146
    custom, 4-212
    disabling, 4-137
    IDP, 4-184
    negation, 4-163
    overview, 4-209
    protocol anomalies, 4-133, 4-162
    protocol anomaly, 4-210
    re-enabling, 4-137
    signature, 4-210
    stateful signatures, 4-132
    stream signatures, 4-133
    TCP stream signatures, 4-160
attack protection
    policy level, 4-4
    security zone level, 4-4
attacks
    common objectives, 4-1
    detection and defense options, 4-2 to 4-4
    DOS, 4-27 to 4-51
    ICMP
        floods, 4-46
        fragments, 4-236
    IP packet fragments, 4-240
    Land, 4-48
    large ICMP packets, 4-237
    Ping of Death, 4-49
    Replay, 5-12
    session table floods, 4-17, 4-28
    stages of, 4-2
    SYN floods, 4-34 to 4-39
    SYN fragments, 4-241
    Teardrop, 4-50
    UDP floods, 4-47
    unknown MAC addresses, 4-39
    unknown protocols, 4-239
    WinNuke, 4-51

attacks, Overbilling, 13-26 to 13-28
auth servers, 9-13 to 9-40
    addresses, 9-18
    authentication process, 9-17
    backup, 9-18
    default, 9-39, 9-40
    defining, 9-33 to 9-40
    external, 9-17
    ID number, 9-18
    idle timeout, 9-18
    LDAP, 9-29 to 9-30
    maximum number, 9-14
    SecurID, 9-27
    SecurID, defining, 9-35
    types, 9-18
    XAuth queries, 9-69
auth servers, objects
    names, 9-18
    properties, 9-18
auth servers, RADIUS, 9-19 to 9-22
    defining, 9-33
    user-type support, 9-20
auth servers, TACACS+
    defining, 9-38
auth table entry, 9-43
auth users, 9-45 to 9-64
    admin, 9-2
    groups, 9-45, 9-48
    IKE, 9-14, 9-65
    in policies, 9-46
    L2TP, 9-84
    local database, 9-15 to 9-16
    logins, with different, 9-5
    manual key, 9-14
    multiple-type, 9-4
    pre-policy auth, 2-171
    run-time auth process, 2-170
    run-time authentication, 2-170
    server support, 9-14
    timeout, 9-18
    types and applications, 9-1 to 9-5
    user types, 9-13
    WebAuth, 2-171, 9-14
    XAuth, 9-68
auth users, authentication
    auth servers, with, 9-14
    point of, 9-1
    pre-policy, 9-47
auth users, run-time
    auth process, 9-46
    authentication, 9-46
    user groups, external, 9-53
    user groups, local, 9-50
    users, external, 9-51
    users, local, 9-49
auth users, WebAuth, 9-47
    user groups, external, 9-59
    user groups, local, 9-58
    with SSL (user groups, external), 9-61
authentication, 14-112, 14-115, 14-138
    algorithms, 5-6, 5-51, 5-54, 5-57, 5-61
    Allow Any, 2-171
    NSRP, 11-28
    NSRP-Lite, 11-15
    policies, 2-170
    prioritizing, 9-32
    users, 2-170
Authentication and Encryption
    Multiple WEP Keys, 12-123
    Wi-Fi Protected Access
        See WPA
    Wireless Equivalent Privacy
        See WEP
authentication and encryption, using RADIUS server, 12-123
Authentication Header (AH), 5-5
authentication servers
    See auth servers
authentication users
    See auth users
autoconfiguration
    address autoconfiguration, 14-11
    router advertisement messages, 14-12
    stateless, 14-11
AutoKey IKE VPN, 3-43, 3-79, 5-7
    management, 5-7
Autonomous System (AS) numbers, 7-107
AV objects
    timeout, 4-88
AV scanning, 4-58 to 4-85
    AV resources per client, 4-81
    decompression, 4-89
    fail-mode, 4-81
    file extensions, 4-90
    FTP, 4-70
    HTTP, 4-71
    HTTP keep-alive, 4-83
    HTTP trickling, 4-84
    IMAP, 4-73
    MIME, 4-72
    POP3, 4-73
    SMTP, 4-74
    subscription, 4-78

B
back store, 3-94
backdoor rulebase
    adding to Security Policy, 4-205
    overview, 4-205
backdoor rules, 4-205 to 4-209
    configuring actions, 4-207
    configuring Match columns, 4-206
    configuring operation, 4-207
    configuring services, 4-207
    configuring severity, 4-209
    configuring source and destination, 4-207
    configuring targets, 4-209
    configuring zones, 4-206
bandwidth, 2-173
    guaranteed, 2-173, 2-193, 2-199
    managing, 2-193
    maximum, 2-173, 2-193, 2-199
    maximum, unlimited, 2-194
    priority
        default, 2-198
        levels, 2-198
        queues, 2-198
banners, 9-10
BGP
    AS-path access list, 7-116
    communities, 7-124
    confederations, 7-122
    configurations, security, 7-113
    configurations, verifying, 7-112
    external, 7-105
    internal, 7-105
    load-balancing, 7-36
    message types, 7-104
    neighbors, authenticating, 7-113
    parameters, 7-115
    path attributes, 7-105
    protocol overview, 7-104
    regular expressions, 7-116
    virtual router, creating an instance in, 7-107
BGP routes
    adding, 7-117
    aggregation, 7-125
    attributes, setting, 7-119
    conditional advertisement, 7-118
    default, rejecting, 7-114
    redistributing, 7-116
    reflection, 7-120
    suppressing, 7-126
    weight, setting, 7-118
BGP routes, aggregate
    aggregation, 7-125
    AS-Path in, 7-127
    AS-Set in, 7-125
    attributes of, 7-128
BGP, configuring
    peer groups, 7-109
    peers, 7-109
    steps, 7-106
BGP, enabling
    in VR, 7-107
    on interface, 7-108
bit stream, 3-93
bridge groups
    logical interface, 2-37
    unbinding, 2-46
browser requirements, 3-2
brute force
    attack actions, 4-146
brute force attack objects, 4-146
bypass-auth, 9-69

C
CA certificates, 5-22, 5-25
cables, serial, 3-19
C-bit parity mode, 12-13
Certificate Revocation List, 5-23, 5-34
    loading, 5-23
certificates, 5-7
    CA, 5-22, 5-25
    loading, 5-28
    loading CRL, 5-23
    local, 5-25
    requesting, 5-26
    revocation, 5-25, 5-34
    via email, 5-25
Challenge Handshake Authentication Protocol
    See CHAP
channels, finding available, 12-131
CHAP, 5-208, 5-211, 9-79
Chargen, 4-129
CLI, 3-9, 14-30, 14-32
CLI, set arp always-on-dest, 2-74, 2-77
CLI, set vip multi-port, 8-82
clock, system
    See system clock
cluster names, NSRP, 11-11, 11-28
clusters, 11-11, 11-34
command line interface
    See CLI
common names, 9-30
CompactFlash, 3-56
compatibility-mode option
    T3 interfaces, 12-20

configuration
    ADSL 2/2+ PIM, 12-73
    virtual circuits, 12-71
    VPI/VCI pair, 12-71
configuration examples
    6to4 host, tunneling to a, 14-108
    access lists and route maps, 14-61
    DNS server information, requesting, 14-43
    IPv4 tunneling over IPv6 (autokey IKE), 14-117
    IPv6 requests to multiple IPv4 hosts, 14-87
    IPv6 to an IPv4 network over IPv4, 14-113
    IPv6 tunneling over IPv4 (autokey IKE), 14-121
    manual tunneling, 14-100
    native host, tunneling to, 14-104
    PPPoE instance, configuring, 14-46
    prefixes, delegating, 14-38, 14-40
    static route redistribution, 14-61
configuration settings, browser requirements, 3-2
configurations
    full-mesh, 11-56
connection policy for Infranet Enforcer, configuring, 9-42
console, 3-56
containers, 5-186
content filtering, 4-53 to 4-114
control messages, 11-13
    HA, 11-7
    HA physical link heartbeats, 11-7
    RTO heartbeats, 11-7
cookies, SYN, 4-44
country codes and channels, 12-130
country codes and channels, regulatory domain for, 12-130
CRL
    See Certificate Revocation List
cryptographic options, 5-48 to 5-61
    anti-replay checking, 5-52, 5-59
    authentication algorithms, 5-51, 5-54, 5-57, 5-61
    authentication types, 5-50, 5-56
    certificate bit lengths, 5-50, 5-56
    dialup, 5-55 to 5-61
    dialup VPN recommendations, 5-61
    encryption algorithms, 5-51 to 5-57, 5-61
    ESP, 5-54, 5-60
    IKE ID, 5-51 to 5-52, 5-57 to 5-58
    IPSec protocols, 5-53, 5-60
    key methods, 5-49
    PFS, 5-53, 5-59
    Phase 1 modes, 5-49, 5-56
    site-to-site, 5-48 to 5-55
    site-to-site VPN recommendations, 5-55
    Transport mode, 5-60
    Tunnel mode, 5-60
CSU compatibility, T3 interfaces, 12-20
custom services, 2-121
custom services, in root and vsys, 2-122
Customer Premises Equipment (CPE), 14-39, 14-134

D
Data Encryption Standard (DES), 5-6
data messages, 11-7
databases, local, 9-15 to 9-16
DDoS, 4-27
decompression, AV scanning, 4-89
Deep Inspection (DI), 4-134 to 4-160
    attack actions, 4-138 to 4-146
    attack object database, 4-120 to 4-127
    attack object groups, 4-134
    attack object negation, 4-163
    attack objects, 4-117
    changing severity, 4-134
    context, 4-I
    custom attack objects, 4-156
    custom services, 4-152 to 4-156
    custom signatures, 4-157 to 4-160
    disabling attack objects, 4-137
    license keys, 4-118
    logging attack object groups, 4-149
    overview, 4-116
    protocol anomalies, 4-133
    re-enabling attack objects, 4-137
    regular expressions, 4-157 to 4-158
    signature packs, 4-120
    stateful signatures, 4-132
    stream signatures, 4-133
demand circuits, RIP, 7-94
Denial-of-Service
    See DoS
DES, 5-6
destination gateway, 14-99
device failover, 11-57
devices, resetting to factory defaults, 3-41
Device-Unique Identification (DUID), 14-36
DHCP, 2-96, 2-100, 2-243, 4-129
    client, 2-225
    HA, 2-231
    PXE scenario, 2-237
    relay agent, 2-225
    server, 2-225
DHCPv6
    client and server, 14-36
    delegated prefixes, 14-38
    purposes, 14-35
    TLA and SLA, 14-37
dictionary file, RADIUS, 9-2
Diffie-Hellman, 5-10
Diffie-Hellman groups, 14-121
DiffServ, 2-173, 2-200, 2-214
    See also DS Codepoint Marking
digital signature, 5-20
DIP, 2-98, 2-140 to 2-143, 3-95

fix-port................................................................ 2-142groups...................................................2-153 to 2-155PAT ..........................................................2-141, 2-142pools ................................................................... 2-169pools, modifying ............................................... 2-143

DIP poolsaddress considerations....................................... 8-14extended interfaces .......................................... 5-140NAT for VPNs..................................................... 5-140NAT-src................................................................... 8-1size........................................................................ 8-14

Discard...................................................................... 4-129Discrete multitone

See DMTdissimilar IP stacks.......................................14-84, 14-86distinguished name (DN)........................................ 5-183distinguished names ................................................. 9-30DMT ...............................................................12-69, 12-70DN ............................................................................. 5-183DNS ................................................................2-217, 4-129

addresses, splitting ........................................... 2-223lookups ............................................................... 2-218lookups, domain ............................................... 2-223servers ................................................................ 2-244servers, tunneling to ......................................... 2-223status table......................................................... 2-219

DNS, L2TP settings.................................................. 5-211Domain Name System

See DNSDomain Name System (DNS)

DHCP client host ............................................... 14-43DHCPv6 search list ........................................... 14-36domain lookups................................................. 14-44IPv4 or IPv6 addresses ..................................... 14-42partial domain names ...................................... 14-36proxy .................................................................. 14-44refresh ................................................................ 14-42search list ........................................................... 14-43servers .............................................................. 14-132servers, tunneling to ......................................... 14-44

Domain Name System (DNS) addressessplitting....................................................14-44, 14-45translating .......................................................... 14-93

DoSfirewall......................................................4-28 to 4-33network ....................................................4-34 to 4-48OS-specific ...............................................4-49 to 4-51session table floods....................................4-17, 4-28

DoS attacks ....................................................4-27 to 4-51drop-no-rpf-route ....................................................... 4-19DS Codepoint Marking..................... 2-194, 2-200, 2-214

DSL.................................................................2-239, 2-244dual-stack architecture ............................................ 14-50

networks, dissimilar.......................................... 14-50routing tables..................................................... 14-50WAN backbones, dissimilar............................. 14-50

Duplicate Address Detection (DAD)function .............................................................. 14-31Retry Count........................................................ 14-31

Dynamic IPSee DIP

dynamic IP ............................................................... 14-82Dynamic IP (DIP) pools................................2-143, 2-169dynamic IP, from IPv6 to IPv4 ............................... 14-83dynamic packet filtering............................................. 4-3

EEcho .......................................................................... 4-129ECMP..................................................................7-36, 7-59email alert notification.....................................3-71, 3-73Encapsulating Security Payload

See ESPencapsulation.............................. 14-103, 14-111, 14-117encryption .................................................14-112, 14-115

3DES ................................................................. 14-121AES128............................................................. 14-121algorithms .............................. 5-6, 5-51, 5-54 to 5-61NSRP................................................................... 11-28NSRP-Lite ........................................................... 11-15

encryption, SecurID  9-28
endpoint host state mode
    Base Reachable Time  14-30
    Duplicate Address Detection (DAD)  14-31
    Probe Forever state  14-31
    Probe Time  14-31
    Reachable Time  14-30
    Retransmission Time  14-31
    Stale mode  14-30
ESP  5-3, 5-5, 5-6
    authenticate only  5-54
    encrypt and authenticate  5-54, 5-60
    encrypt only  5-54

evasion  4-15 to 4-25
event log  3-56
exe files, blocking  4-168
exempt rulebase
    adding to Security Policy  4-201
    overview  4-200
exempt rules  4-200 to 4-204
    configuring  4-201
    configuring attacks  4-203
    configuring from the Log Viewer  4-204
    configuring Match columns  4-202
    configuring source and destination  4-202
    configuring targets  4-203

    configuring zones  4-202
exploits
    See attacks
extended channels, setting for WLAN  12-130

F
factory defaults, resetting devices to  3-41
fail-mode  4-81
failover
    devices  11-57
    dual Untrust interfaces  11-44, 11-47
    object monitoring  11-50
    virtual systems  11-56
    VSD groups  11-56
fallback
    assigning priorities  9-32

file extensions, AV scanning  4-90
filter source route  3-96
FIN scans  4-15
FIN without ACK flag  4-13
Finger  4-129
floods
    ICMP  4-46
    session table  4-28
    SYN  4-34 to 4-39, 4-44
    UDP  4-47
fragment reassembly  4-54 to 4-57
full-mesh configuration  11-56
function zone interfaces  2-38
    HA  2-38
    management  2-38

G
gatekeeper devices  6-1
Generic Routing Encapsulation (GRE)  7-151
Gi interface  13-2
global unicast addresses  14-102, 14-120
global zones  8-82
Gn interface  13-2
Gopher  4-129
Gp interface  13-2
GPRS Tunneling Protocol (GTP)
    See GTP
graphs, historical  2-172
group expressions  9-5 to 9-9
    operators  9-5
    server support  9-14
    users  9-5
group IKE ID
    certificates  5-183 to 5-192
    preshared keys  5-192 to 5-198
groups
    addresses  2-105
    services  2-138
GTP
    Access Point Name (APN) filtering  13-15
    GTP-in-GTP packet filtering  13-13
    IMSI prefix filtering  13-16
    inspection objects  13-5 to 13-7
    IP fragmentation  13-13
    packet sanity check  13-8
    policy-based  13-5
    protocol  13-2
    standards  13-9
    stateful inspection  13-23
    tunnel timeout  13-25
GTP messages  13-10
    length, filtering by  13-9
    rate, limiting by  13-12
    type, filtering by  13-10
    types  13-10
    versions 0 and 1  13-10
GTP traffic
    counting  13-33
    logging  13-31
GTP tunnels
    failover  13-24
    limiting  13-23
    timeout  13-25

H
HA
    DHCP  2-231
    interfaces, virtual HA  2-39
    See high availability
    See also NSRP
hanging GTP tunnel  13-25
hash-based message authentication code  5-6
hashing, Secure Hashing Algorithm (SHA)  14-121
heartbeats
    HA physical link  11-7
    RTO  11-7
Help files  3-2
high availability
    cabling  11-25 to 11-28
    data link  11-7
    IP tracking  11-52
    link probes  11-9
    messages  11-7
    virtual interfaces  11-27
high availability (HA)  13-4, 13-24
high availability failover
    active/active  11-12
    active/passive  11-11
high availability interfaces
    aggregate  11-43
    cabling network as HA links  11-27
    redundant  11-42

high-watermark threshold  4-30
historical graphs  2-172
HMAC  5-6
Host mode  14-46, 14-116
HTTP
    blocking components  4-167 to 4-169
    keep-alive  4-83
    session timeout  4-31
    trickling  4-84
HTTP, session ID  3-4
HyperText Transfer Protocol (HTTP), session ID  3-4

I
ICMP  4-129
    fragments  4-236
    large packets  4-237
ICMP floods  4-46
ICMP services  2-126
    message codes  2-126
    message types  2-126
IDENT  4-129
Identity Association Prefix Delegation Identification (IAPD-ID)  14-37, 14-39
Ident-Reset  3-28
idle session timeout  9-18
IDP
    basic configuration  4-174
    configuring device for standalone IDP  4-227
    configuring inline or inline tap mode  4-186
    enabling in firewall rule  4-185
IDP attack objects  4-184
IDP engine
    updating  4-231
IDP modes  4-186
IDP rulebase
    adding to Security Policy  4-188
    overview  4-187
IDP rulebases
    role-based administration  4-184
    types  4-183
IDP rules  4-187
    configuring  4-189
    configuring actions  4-195
    configuring address objects  4-184
    configuring attack severity  4-199
    configuring attacks  4-196
    configuring IDP attack objects  4-184
    configuring IP actions  4-197
    configuring Match columns  4-189
    configuring notification  4-199
    configuring service objects  4-184
    configuring services  4-190
    configuring source and destination  4-189
    configuring targets  4-200
    configuring terminal rules  4-193
    entering comments  4-200, 4-204, 4-209

IDP-capable system  4-172
IEEE 802.1Q VLAN standard  10-41
IGMP
    access lists, using  7-158
    configuration, basic  7-159
    configuration, verifying  7-161
    host messages  7-156
    interfaces, enabling on  7-157
    parameters  7-161, 7-162
    policies, multicast  7-168
    querier  7-157
IGMP proxies  7-163
    on interfaces  7-166
    sender  7-175
IKE  5-7, 5-86, 5-95, 5-160
    group IKE ID user  5-183 to 5-198
    group IKE ID, container  5-186
    group IKE ID, wildcards  5-186
    heartbeats  5-294
    hello messages  5-294
    IKE ID  5-51 to 5-52, 5-57 to 5-58
    IKE ID recommendations  5-70
    IKE ID, Windows 2000  5-219, 5-227
    local ID, ASN1-DN  5-185
    Phase 1 proposals, predefined  5-9
    Phase 2 proposals, predefined  5-11
    proxy IDs  5-11
    redundant gateways  5-291 to 5-304
    remote ID, ASN1-DN  5-185
    shared IKE ID user  5-198 to 5-204
IKE users  9-14, 9-65 to 9-68
    defining  9-66
    groups  9-66
    groups, and  9-65
    groups, defining  9-67
    IKE ID  9-65, 9-79
    server support  9-14
    with other user types  9-4
IMSI prefix filtering  13-16
inactive SA  3-96
Infranet authentication  9-44
Infranet Controller
    actions  9-43
    overview  9-42
    resource policies  9-43
Infranet Enforcer
    connection policy, configuring  9-42
    overview  9-42
inline mode  4-186
inline tap mode  4-186
in-short error  3-93
inspections  4-3

Instant Messaging  4-130
    AIM  4-130
    IRC  4-130
    MSN Messenger  4-130
    Yahoo! Messenger  4-130
interfaces
    addressing  2-46
    aggregate  2-37, 11-43
    binding to zone  2-44
    connections, monitoring  2-63
    dedicated  10-37, 10-71
    default  2-48
    DHCPv6  14-35
    DIP  2-140
    down, logically  2-61
    down, physically  2-61
    dual routing tables  14-50
    extended  5-140
    function zone  2-38
    Gi  13-2
    Gn  13-2
    Gp  13-2
    HA function zone  2-38
    HA, dual  11-8
    interface tables, viewing  2-43
    IP tracking (See IP tracking)
    L3 security zones  2-46
    loopback  2-58
    manageable  3-31
    management options  3-28
    MGT  2-38
    MIP  8-64
    modifying  2-48
    monitoring  11-29
    ND  14-29
    NDP  14-30
    NUD  14-29
    null  5-85
    physical in security zones  2-36
    physical, exporting from vsys  10-40
    physical, importing to vsys  10-39
    policy-based NAT tunnel  2-39
    PPPoE  14-46
    redundant  2-37, 11-42
    secondary IP addresses  2-50
    shared  10-37, 10-71
    state changes  2-61
    tunnel  2-39, 2-39 to 2-42
    up, logically  2-61
    up, physically  2-61
    viewing interface table  2-43
    VIP  8-80
    virtual HA  2-39, 11-27
    VLAN1  2-81
    VSI  2-38
    VSIs  11-24
    zones, unbinding from  2-45
interfaces, enabling IGMP on  7-157
interfaces, monitoring  2-68 to 2-73
    loops  2-69
    security zones  2-73

Interior Gateway Protocol (IGP)  14-51
internal flash storage  3-56
Internet Group Management Protocol
    See IGMP
Internet Key Exchange
    See IKE
Internet Protocol (IP) addresses
    See IP addresses
Internet Service Provider (ISP)  2-223, 14-36, 14-44, 14-98
intrusion detection and prevention, defined  4-171
IP
    packet fragments  4-240
IP addresses
    extended  5-140
    host IDs  2-47
    interfaces, tracking on  2-63
    L3 security zones  2-46 to 2-47
    Manage  2-95
    manage IP  3-31
    NetScreen-Security Manager servers  3-25
    network IDs  2-47
    ports, defining for each  2-104
    private  2-46
    private address ranges  2-47
    public  2-46
    secondary  2-50, 2-51
    secondary, routing between  2-51
IP addresses, virtual  8-80
IP options  4-10 to 4-11
    attributes  4-10 to 4-11
    incorrectly formatted  4-238
    loose source route  4-10, 4-23 to 4-25
    record route  4-11
    security  4-10, 4-11
    source route  4-23
    stream ID  4-11
    strict source route  4-11, 4-23 to 4-25
    timestamp  4-11
IP pools
    See DIP pools
IP Security
    See IPSec
IP spoofing  4-18 to 4-23
    drop-no-rpf-route  4-19
    Layer 2  4-19, 4-22
    Layer 3  4-18, 4-20

IP tracking  11-52, 12-111
    dynamic option  2-64
    interfaces, shared  2-64
    interfaces, supported  2-63
    object failure threshold  2-65
    ping and ARP  11-52
    rerouting traffic  2-63 to 2-78
    vsys  2-64
    weights  2-65
IP tracking, failure
    egress interface, on  2-75 to 2-76
    ingress interface, on  2-76 to 2-78
    tracked IP threshold  2-64
IP-based traffic classification  10-71
IPSec
    AH  5-2, 5-53, 5-60
    digital signature  5-20
    ESP  5-2, 5-53, 5-60
    L2TP-over-IPSec  5-4
    SAs  5-2, 5-8, 5-11
    SPI  5-2
    Transport mode  5-4, 5-208, 5-213, 5-218
    tunnel  5-2
    Tunnel mode  5-4
    tunnel negotiation  5-8
IPSec Access Session (IAS)  14-134
IPv4
    addresses, mapped  14-82, 14-87
    WAN  14-112
IPv4 to IPv6
    host mapping  14-91
    network mapping  14-90
IPv4/IPv6 boundaries  14-81 to 14-86, 14-90
IPv6
    addresses, SLA  14-37
    addresses, TLA  14-37
    backbone  14-85, 14-115
    networks, island  14-112
IPv6 to IPv4 host mapping  14-88
IPv6/IPv4 boundaries  14-82 to 14-88
IRC  4-130
ISP  2-223
    failover holddown timer  12-110
    priority  12-109
ISP IP address and netmask  12-72

J
Java applets, blocking  4-168

K
keepalive
    frequency, NAT-T  5-237
    L2TP  5-216
keys
    manual  5-118, 5-124
    preshared  5-160
keys, license  2-250
keys, vsys  10-37

L
L2TP  5-205 to 5-230, 13-3
    access concentrator: See LAC
    address assignments  9-84
    bidirectional  5-208
    compulsory configuration  5-205
    decapsulation  5-209
    default parameters  5-211
    encapsulation  5-208
    external auth server  9-84
    hello signal  5-216, 5-221
    Keep Alive  5-216, 5-221
    L2TP-only on Windows 2000  5-207
    local database  9-84
    network server: See LNS
    operational mode  5-208
    RADIUS server  5-211
    ScreenOS support  5-207
    SecurID server  5-211
    tunnel  5-213
    user authentication  9-84
    voluntary configuration  5-205
    Windows 2000 tunnel authentication  5-216, 5-221
L2TP policies  2-168
L2TP users  9-84
    server support  9-14
    with XAuth  9-4
L2TP-over-IPSec  5-4, 5-213, 5-218
    bidirectional  5-208
    tunnel  5-213
LAC  5-205
    NetScreen-Remote 5.0  5-205
    Windows 2000  5-205
Land attacks  4-48
lawful interception  13-34
Layer 2 Tunneling Protocol
    See L2TP
LDAP  4-129, 9-29 to 9-30
    common name identifiers  9-30
    distinguished names  9-30
    server ports  9-30
    structure  9-29
    user types supported  9-30
license keys  2-250
    advanced mode  4-118
    attack pattern update  4-118
Lightweight Directory Access Protocol
    See LDAP
link-local addresses  14-12, 14-14

Link-State Advertisement (LSA) suppression  7-67
LNS  5-205
load sharing  11-82
load-balancing by path cost  7-36, 7-59
local certificate  5-25
local database
    IKE users  9-66
    timeout  9-16
    user types supported  9-16
log entries
    enabling in IDP rules  4-233
Log Viewer
    creating an exempt rule  4-204
logging  2-172, 3-55 to 3-68
    asset recovery log  3-68
    attack object groups  4-149
    CompactFlash (PCMCIA)  3-56
    console  3-56
    email  3-56
    event log  3-56
    internal  3-56
    NetScreen-Security Manager  3-25
    self log  3-66
    SNMP  3-56, 3-73
    syslog  3-56, 3-72
    USB  3-56
    WebTrends  3-56, 3-73
logging, traffic  13-5
loopback interfaces  2-58
loose source route IP option  4-10, 4-23 to 4-25
low-watermark threshold  4-31
LPR spooler  4-129

MMAC addresses.................................. 14-13, 14-21, 14-29Main mode ................................................................... 5-9malicious URL protection .............................4-54 to 4-57Manage IP................................................................... 2-95manage IP .................................................................. 3-31manage IP, VSD group 0 ........................................... 11-3management client IP addresses............................. 3-42Management information base II

See MIB IImanagement methods

CLI ........................................................................... 3-9console ................................................................. 3-19SSL .......................................................................... 3-5Telnet...................................................................... 3-9WebUI..................................................................... 3-2

management optionsinterfaces.............................................................. 3-28manageable ......................................................... 3-31MGT interface ...................................................... 3-29NetScreen-Security Manager.............................. 3-28

    ping .... 3-28
    SNMP .... 3-28
    SSH .... 3-28
    SSL .... 3-28
    Telnet .... 3-28
    Transparent mode .... 3-29
    VLAN1 .... 3-29
    WebUI .... 3-28

manual 6over4 tunneling .... 14-98
Manual Key

    management .... 5-7
manual keys .... 5-118, 5-124, 9-14
manual keys, VPNs .... 3-43, 3-79
manual tunneling .... 14-99
mapped IP

    See MIP
mapped IP (MIP) .... 14-82, 14-84

    IPv4 hosts to a single IPv6 host .... 14-91
    IPv4 hosts to multiple IPv6 hosts .... 14-90
    IPv6 hosts to a single IPv4 host .... 14-88
    IPv6 hosts to multiple IPv4 hosts .... 14-86
    IPv6-to-IPv4 network mapping .... 14-86
    MIP from IPv6 to IPv4 .... 14-84

mapping
    host, IPv4 to IPv6 .... 14-91
    host, IPv6 to IPv4 .... 14-88
    network, IPv4 to IPv6 .... 14-90

Maximum Transmission Unit (MTU) .... 14-12
MD5 .... 5-6
Message Digest version 5 (MD5) .... 5-6
messages

    alert .... 3-57
    control .... 11-13
    critical .... 3-57
    data .... 11-7
    debug .... 3-57
    emergency .... 3-56
    error .... 3-57
    HA .... 11-7
    info .... 3-57
    notification .... 3-57
    warning .... 3-57
    WebTrends .... 3-73

MGT interface .... 2-38
MGT interface, management options .... 3-29
MIB files, importing .... 5-252
MIB II .... 3-28, 3-74
Microsoft Network Instant Messenger

    See MSN Instant Messenger
Microsoft-Remote Procedure Call

    See MS-RPC
MIME, AV scanning .... 4-72
MIP .... 2-11, 8-63

    address ranges .... 8-66

Master Index IX-XI

    bidirectional translation .... 8-6
    definition .... 8-6
    global zone .... 8-64
    grouping, multi-cell policies .... 8-79
    reachable from other zones .... 8-67
    same-as-untrust interface .... 8-70 to 8-73

MIP, creating
    addresses .... 8-65
    on tunnel interface .... 8-70
    on zone interface .... 8-65

MIP, default
    netmasks .... 8-66
    virtual routers .... 8-66

MIP, to zone with interface-based NAT .... 2-94
MIP, virtual systems .... 10-31
MIP, VPNs .... 5-140
Mobile Station (MS) mode .... 13-15
mode config .... 9-69
mode, Transparent .... 10-42
modem ports .... 3-20, 3-22
modes

    Aggressive .... 5-10
    Host .... 14-46, 14-116
    L2TP operational .... 5-208
    Main .... 5-9
    NAT and Route .... 11-3
    NAT, traffic to Untrust zone .... 2-79
    Phase 1 cryptographic .... 5-49, 5-56
    preempt .... 11-21
    Router .... 14-52
    Stale .... 14-30
    Transparent .... 2-80
    Transport .... 5-4, 5-60, 5-208, 5-213, 5-218
    Tunnel .... 5-4, 5-60

modes, operational
    NAT .... 13-4
    Route .... 13-4
    Transparent .... 13-4

modes, selection
    APN .... 13-15
    Mobile Station (MS) .... 13-15
    Network .... 13-15
    Verified .... 13-15

modulus .... 5-10
MS RPC ALG, defined .... 2-129
MSN Messenger .... 4-130
MS-RPC .... 4-131
multicast

    addresses .... 7-148
    distribution trees .... 7-183
    policies .... 7-153
    policies for IGMP .... 7-168
    reverse path forwarding .... 7-148
    routing tables .... 7-149

    static routes .... 7-150
multicast routing

    IGMP .... 7-155
    PIM .... 7-181

multimedia sessions, SIP .... 6-13
multiplexing, configuring .... 12-71

N

NAT

    definition .... 8-1
    IPSec and NAT .... 5-232
    NAT servers .... 5-232
    NAT-src with NAT-dst .... 8-50 to 8-61

NAT mode .... 2-92 to 2-97, 11-3, 13-4
    interface settings .... 2-95
    traffic to Untrust zone .... 2-79, 2-94

NAT vector error .... 3-95
NAT-dst .... 8-28 to 8-61

    address shifting .... 8-5
    packet flow .... 8-29 to 8-31
    port mapping .... 8-4, 8-28, 8-47
    route considerations .... 8-29, 8-32 to 8-34
    unidirectional translation .... 8-6, 8-10
    VPNs .... 5-140
    with MIPs or VIPs .... 8-3

NAT-dst, addresses
    range to range .... 8-10, 8-44
    range to single IP .... 8-9, 8-41
    ranges .... 8-4
    shifting .... 8-28, 8-44

NAT-dst, single IP
    with port mapping .... 8-8
    without port mapping .... 8-9

NAT-dst, translation
    one-to-many .... 8-38
    one-to-one .... 8-35

native hosts .... 14-102, 14-104
NAT-PT .... 14-81
NAT-PT, IPSec, when to use .... 14-112
NAT-src .... 8-1, 8-13 to 8-25

    egress interface .... 8-8, 8-24 to 8-25
    fixed port .... 8-14, 8-18 to 8-19
    interface-based .... 8-2
    VPNs .... 5-142

NAT-src, addresses
    shifting .... 8-20 to 8-24
    shifting, range considerations .... 8-20

NAT-src, DIP pools .... 8-1
    fixed port .... 8-7
    with address shifting .... 8-8
    with PAT .... 8-7, 8-15 to 8-17

NAT-src, Route mode .... 2-98
NAT-src, translation

    port addresses .... 8-2

    unidirectional .... 8-6, 8-10
NAT-T .... 5-232 to 5-239

    enabling .... 5-239
    IKE packet .... 5-235
    initiator and responder .... 5-237
    IPSec packet .... 5-236
    keepalive frequency .... 5-237
    obstacles for VPNs .... 5-235
    probing for NAT .... 5-233 to 5-234

NAT-Traversal
    See NAT-T

negation, address .... 2-186
negation, Deep Inspection (DI) .... 4-163
Neighbor Advertisement (NA) .... 14-30
Neighbor Cache table .... 14-13, 14-15, 14-25, 14-30
Neighbor Cache table, neighbor entry categories .... 14-14
Neighbor Discovery (ND) .... 14-29

    Accept Incoming RAs .... 14-21
    age of neighbor entry .... 14-13
    bypassing MAC session-caching .... 14-29
    definition .... 14-13
    enabling .... 14-29
    Neighbor Cache table .... 14-13, 14-29
    neighbor reachability state .... 14-13
    neighbor reachability status .... 14-30
    packets currently queued for transmission .... 14-13
    reachability status .... 14-29

Neighbor Discovery (ND), displaying .... 14-32
Neighbor Discovery Parameter (NDP) .... 14-21, 14-30
Neighbor Solicitation (NS) .... 14-14, 14-31

    setting .... 14-30
Neighbor Unreachability Detection (NUD) .... 14-13

    Neighbor Cache table .... 14-25
Neighbor Unreachability Detection (NUD), Neighbor Cache table .... 14-13
NetBIOS .... 4-131
NetInfo .... 2-226
netmasks .... 2-47, 2-166
netmasks, MIP default .... 8-66
NetScreen Redundancy Protocol

    See NSRP
NetScreen Reliable Transport Protocol

    See NRTP
NetScreen-Remote

    AutoKey IKE VPN .... 5-160
    dynamic peer .... 5-166, 5-173
    NAT-T option .... 5-232

NetScreen-Security Manager
    definition .... 3-22
    enabling NSM Agent .... 3-24
    initial connectivity setup .... 3-23
    logging .... 3-25
    management options .... 3-28
    management system .... 3-22, 3-23, 3-25

    NSM Agent .... 3-22, 3-25
    reporting events .... 3-25, 3-26
    UI .... 3-22

Network Address Translation (NAT) .... 3-95
Network Address Translation-Port Translation

    DIP addresses, translating .... 14-84
    DIP from IPv6 to IPv4 .... 14-83
    dynamic IP (DIP) .... 14-82
    IPv4 hosts to a single IPv6 host .... 14-91
    IPv4 hosts to multiple IPv6 hosts .... 14-90
    IPv6 hosts to a single IPv4 host .... 14-88
    IPv6 hosts to multiple IPv4 hosts .... 14-86
    MIP .... 14-82
    MIP from IPv4 to IPv6 .... 14-85
    outgoing service requests .... 14-82, 14-86
    source address translation .... 14-83
    when to use .... 14-82

Network Address Translation-Port Translation (NAT-PT) .... 14-81

Network mode .... 13-15
network, bandwidth .... 2-193
next-hop gateway .... 14-31
NFS .... 4-129
NHTB table .... 5-254 to 5-258

    addressing scheme .... 5-256
    automatic entries .... 5-257
    manual entries .... 5-257
    mapping routes to tunnels .... 5-255

NNTP .... 4-129
NRTP .... 11-19
NSM Agent .... 3-22, 3-23

    enabling .... 3-24
    reporting events .... 3-25

NSRP .... 11-1
    ARP broadcasts .... 11-29
    ARP lookup .... 11-38
    backup .... 11-11
    cabling .... 11-25 to 11-28
    clear cluster command .... 11-10
    config sync .... 11-19
    control messages .... 11-7, 11-13
    debug cluster command .... 11-10
    default settings .... 11-6
    DHCP .... 2-231
    DIP groups .... 2-153 to 2-155
    full-mesh configuration .... 11-25, 11-56
    HA session backup .... 2-171
    hold-down time .... 11-35, 11-38
    interface monitoring .... 11-29
    load sharing .... 11-82
    manage IP .... 11-52
    master .... 11-11
    NAT and Route modes .... 11-3
    NTP synchronization .... 2-256, 11-20

    packet forwarding and dynamic routing .... 11-8
    preempt mode .... 11-21
    priority numbers .... 11-21
    redundant interfaces .... 2-37
    redundant ports .... 11-3
    RTOs .... 11-34
    secondary path .... 11-29
    secure communications .... 11-28
    virtual systems .... 11-56 to 11-86
    VSD groups .... 4-181, 11-21, 11-34
    VSIs .... 2-38, 11-2
    VSIs, static routes .... 11-24, 11-68

NSRP clusters .... 11-30, 11-34
    names .... 11-11, 11-28

NSRP data
    link .... 11-7
    messages .... 11-7

NSRP HA
    cabling, network interfaces .... 11-27
    interfaces .... 11-6
    ports, redundant interfaces .... 11-42
    session backup .... 11-16

NSRP ports
    failover .... 11-42

NSRP RTOs .... 11-16 to 11-17
    states .... 11-17
    sync .... 11-20

NSRP synchronization
    NTP, NSRP .... 11-20
    RTOs .... 11-20

NSRP-Lite .... 11-19
    clusters .... 11-11
    secure communications .... 11-15

NSRP-Lite synchronization
    disabling .... 11-19

NTP .... 2-255 to 2-257, 4-130
    authentication types .... 2-257
    maximum time adjustment .... 2-256
    multiple servers .... 2-255
    NSRP synchronization .... 2-256
    secure servers .... 2-257
    servers .... 2-255

NTP, NSRP synchronization .... 11-20
Null interface, defining routes with .... 7-11
null route .... 5-85

O

objects

    attack objects .... 4-209
    attack objects, creating custom .... 4-212
    attack objects, protocol anomaly .... 4-210
    attack objects, signature .... 4-210

objects, monitoring .... 11-50
OCSP (Online Certificate Status Protocol) .... 5-34

    client .... 5-34
    responder .... 5-34

Open Shortest Path First
    See OSPF

operating systems, probing hosts for .... 4-12 to 4-14
operational modes

    NAT .... 13-4
    Route .... 13-4
    Transparent .... 13-4

OSPF
    broadcast networks .... 7-48
    configuration steps .... 7-49
    ECMP support .... 7-59
    flooding, protecting against .... 7-66
    flooding, reduced LSA .... 7-67
    global parameters .... 7-58
    hello protocol .... 7-47
    interface parameters .... 7-62
    interfaces, assigning to areas .... 7-53
    interfaces, tunnel .... 7-68
    link-state advertisements .... 7-46
    link-type, setting .... 7-68
    load-balancing .... 7-36
    LSA suppression .... 7-67
    neighbors, authenticating .... 7-64
    neighbors, filtering .... 7-65
    not so stubby area .... 7-47
    point-to-multipoint .... 7-68
    point-to-point network .... 7-48
    security configuration .... 7-64
    stub area .... 7-47
    virtual links .... 7-59

OSPF areas .... 7-46
    defining .... 7-51
    interfaces, assigning to .... 7-53

OSPF routers
    adjacency .... 7-47
    backup designated .... 7-47
    creating OSPF instance in VR .... 7-50
    designated .... 7-47
    types .... 7-47

OSPF routes
    default, rejecting .... 7-66
    redistributed, summarizing .... 7-57
    redistributing .... 7-56
    route-deny restriction, disabling .... 7-69

Overbilling attacks
    description .... 13-26
    prevention .... 13-26 to 13-31
    prevention, configuring .... 13-29
    solutions .... 13-28

P

P2P .... 4-131

    BitTorrent .... 4-131
    DC .... 4-131
    eDonkey .... 4-131
    FastTrack .... 4-131
    Gnutella .... 4-131
    KaZaa .... 4-131
    MLdonkey .... 4-131
    Skype .... 4-131
    SMB .... 4-131
    WinMX .... 4-131

packet flow .... 2-10 to 2-12
    inbound VPN .... 5-66 to 5-68
    outbound VPN .... 5-66
    policy-based VPN .... 5-68 to 5-69
    route-based VPN .... 5-63 to 5-68

packet flow, NAT-dst .... 8-29 to 8-31
packets .... 3-96

    address spoofing attack .... 3-94
    collision .... 3-93, 3-94
    denied .... 3-95
    dropped .... 3-95, 3-96
    fragmented .... 3-96
    incoming .... 3-93
    Internet Control Message Protocol (ICMP) .... 3-92, 3-94
    IPSec .... 3-95
    land attack .... 3-95
    Network Address Translation (NAT) .... 3-95
    Point to Point Tunneling Protocol (PPTP) .... 3-94
    received .... 3-93, 3-94, 3-95
    transmitted underrun .... 3-93
    unreceivable .... 3-93, 3-94
    unroutable .... 3-95

PAP .... 5-208, 5-211
parent connection .... 3-95
Password Authentication Protocol

    See PAP
passwords

    forgetting .... 3-39
    root admin .... 3-41

passwords, changing admin's .... 10-4, 10-7
PAT .... 2-141, 8-14
PCMCIA .... 3-56
Peer-to-Peer

    See P2P
Perfect Forward Secrecy

    See PFS
PFS .... 5-11, 5-53, 5-59
Phase 1 .... 5-9

    proposals .... 5-9
    proposals, predefined .... 5-9

Phase 2 .... 5-11
    proposals .... 5-11
    proposals, predefined .... 5-11

physical interface
    logical interface .... 2-36

physical interfaces
    C-bit parity mode .... 12-13
    CSU compatibility .... 12-20
    exporting from vsys .... 10-40
    importing to vsys .... 10-39

PIM-SM .... 7-183
    configuration steps .... 7-187
    configuring rendezvous points .... 7-197
    designated router .... 7-184
    IGMPv3 .... 7-213
    instances, creating .... 7-188
    interface parameters .... 7-202
    proxy RP .... 7-204
    rendezvous points .... 7-184
    security configurations .... 7-199
    traffic, forwarding .... 7-185

PIM-SSM .... 7-187
ping management options .... 3-28
Ping of Death .... 4-49
pinholes .... 6-19
PKI .... 5-22
PKI keys .... 3-6
point-to-multipoint configuration

    OSPF .... 7-68
Point-to-Point Protocol

    See PPP
Point-to-Point Protocol (PPP) .... 14-46
Point-to-Point Protocol over ATM

    See PPPoA
Point-to-Point Protocol over Ethernet

    See PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) .... 14-46
Point-to-Point Tunneling Protocol (PPTP) .... 3-94
policies .... 2-3, 13-5

    actions .... 2-167
    address groups .... 2-166
    address negation .... 2-186
    addresses .... 2-166
    addresses in .... 2-166
    alarms .... 2-172
    application, linking service to explicitly .... 2-167
    authentication .... 2-170
    bidirectional VPNs .... 2-168, 5-125
    changing .... 2-189
    context .... 4-120
    core section .... 4-17, 4-118
    counting .... 2-172
    Deep Inspection (DI) .... 2-169
    deny .... 2-167
    DIP groups .... 2-154
    disabling .... 2-189
    editing .... 2-189

    enabling .... 2-189
    functions of .... 2-159
    global .... 2-162, 2-174, 2-184
    HA session backup .... 2-171
    ID .... 2-166
    internal rules .... 2-164
    interzone .... 2-161, 2-174, 2-175, 2-178
    intrazone .... 2-161, 2-174, 2-182
    L2TP .... 2-168
    L2TP tunnels .... 2-168
    lookup sequence .... 2-163
    management .... 2-174
    managing bandwidth .... 2-193
    maximum limit .... 2-107
    multicast .... 7-153
    multiple items per component .... 2-185
    name .... 2-168
    NAT-dst .... 2-169
    NAT-src .... 2-169
    order .... 2-190
    permit .... 2-167
    policy context .... 2-185
    policy set lists .... 2-163
    position at top .... 2-169, 2-190
    reject .... 2-167
    removing .... 2-191
    reordering .... 2-190
    required elements .... 2-160
    root system .... 2-164
    schedules .... 2-172
    security zones .... 2-166
    service book .... 2-109
    service groups .... 2-138
    services .... 2-166
    services in .... 2-109, 2-166
    shadowing .... 2-189, 2-190
    traffic logging .... 2-172
    traffic shaping .... 2-173
    tunnel .... 2-167
    types .... 2-161 to 2-162
    verifying .... 2-189
    virtual systems .... 2-164
    VPN dialup user groups .... 2-166
    VPNs .... 2-168

policies, configuring ..... 13-6
policy-based NAT
    See NAT-dst and NAT-src
policy-based NAT, tunnel interfaces ..... 2-39
policy-based VPNs ..... 5-62
Port Address Translation
    See PAT
port scan ..... 4-9
Portmapper ..... 4-130
ports
    failover ..... 11-42
    mapping ..... 8-4, 8-28
    numbers ..... 8-87
    primary trusted and untrusted ..... 11-42
    redundant ..... 11-3
    secondary trusted and untrusted ..... 11-42
ports, modem ..... 3-20, 3-22
ports, trunk ..... 10-42
PPP ..... 5-206, 12-66
PPPoA ..... 12-66, 12-68, 12-74
PPPoE ..... 12-66, 12-74
PPPoE - Point-to-Point Protocol over Ethernet ..... 14-46
preempt mode ..... 11-21
prefix lists ..... 14-12
preshared key ..... 5-7
preshared keys ..... 5-160
priority queuing ..... 2-198
private addresses ..... 2-47
probe ..... 14-31
Probe Time ..... 14-31
probes
    network ..... 4-8
    open ports ..... 4-9
    operating systems ..... 4-12, 4-14
proposals
    Phase 1 ..... 5-9, 5-69
    Phase 2 ..... 5-11, 5-69
protocol anomalies ..... 4-133
    ALGs ..... 4-131
    basic network protocols ..... 4-129
    configuring parameters ..... 4-162
    Instant Messaging applications ..... 4-130
    P2P applications ..... 4-131
    supported protocols ..... 4-129 to 4-132
protocol distribution, reporting to NetScreen-Security Manager ..... 3-25
Protocol Independent Multicast
    See PIM
protocols
    CHAP ..... 5-208
    IGP ..... 14-51
    NRTP ..... 11-19
    NSRP ..... 11-1
    PAP ..... 5-208
    PPP ..... 5-206, 14-46
    PPPoE ..... 14-46
    VRRP ..... 11-53
protocols, CHAP ..... 9-79
proxy IDs ..... 5-11
    matching ..... 5-63, 5-69
    VPNs and NAT ..... 5-140 to 5-141
public addresses ..... 2-47
Public key infrastructure
    See PKI

Master Index


Public/private key pair ..... 5-23
PXE ..... 2-237
PXE server ..... 2-237

Q

QoS ..... 2-193

R

RA - Router Advertisement ..... 14-12
RADIUS ..... 3-39, 4-130, 9-19 to 9-22
    auth server objects ..... 9-33
    dictionary file ..... 9-2
    dictionary files ..... 9-21
    L2TP ..... 5-211
    object properties ..... 9-20
    ports ..... 9-20
    retry timeout ..... 9-20
    shared secret ..... 9-20
RADIUSv6 ..... 14-132
rate limiting, GTP-C messages ..... 13-12
reachability states ..... 14-14
reachability states, transitions ..... 14-15
reconnaissance ..... 4-7 to 4-25
    address sweep ..... 4-8
    FIN scans ..... 4-15
    IP options ..... 4-10
    port scan ..... 4-9
    SYN and FIN flags set ..... 4-12
    TCP packet without flags ..... 4-14
record route IP option ..... 4-11
redundant gateways ..... 5-291 to 5-304
    recovery procedure ..... 5-295
    TCP SYN flag checking ..... 5-297
regular expressions ..... 4-157 to 4-158
rekey option, VPN monitoring ..... 5-242
Remote Authentication Dial-in User Service
    See RADIUS
remote termination point ..... 14-104, 14-107
replay protection ..... 5-12
request packets, outgoing from IPv6 to IPv4 ..... 14-84
requirements, basic functional ..... 10-4
Retransmission Time ..... 14-31
rexec ..... 4-130
RFC 1777, Lightweight Directory Access Protocol ..... 9-29
RFCs
    0792, Internet Control Message Protocol ..... 2-126
    1038, Revised IP Security Option ..... 4-10
    1349, Type of Service in the Internet Protocol Suite ..... 2-173
    1918, Address Allocation for Private Internets ..... 2-47
    2132, DHCP Options and BOOTP Vendor Extensions ..... 2-230
    2326, Real Time Streaming Protocol (RTSP) ..... 2-130, 2-134
    2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers ..... 2-173
    791, Internet Protocol ..... 4-10
    793, Transmission Control Protocol ..... 4-13
RIP
    authenticating neighbors ..... 7-86
    configuration ..... 14-53
    database ..... 7-93
    demand circuit configuration ..... 7-94
    filtering neighbors ..... 7-87
    flooding, protecting against ..... 7-88, 14-59
    global parameters ..... 7-83, 14-56
    instances, creating in VR ..... 7-76, 14-54
    interface parameters ..... 7-85, 14-60
    interfaces, enabling on ..... 7-77, 14-55
    load-balancing ..... 7-36
    neighbors, filtering ..... 14-57
    point-to-multipoint ..... 7-97
    prefix summary ..... 7-92
    versions ..... 7-90
    versions, protocol ..... 7-90
RIP routes
    alternate ..... 7-93
    default, rejecting ..... 14-57
    redistributing ..... 7-77, 14-58
    rejecting default ..... 7-88
    summary, configuring ..... 7-92
RIP, configuring
    demand circuits ..... 7-95
    security ..... 7-86
    steps ..... 7-75
RIP, viewing
    database ..... 7-80, 14-66
    interface details ..... 7-82
    neighbor information ..... 7-81, 14-68
    protocol details ..... 7-80, 14-66
RIPng ..... 14-49, 14-51
    interface cost metric ..... 14-60, 14-62
    metric calculation ..... 14-62
    offset metric ..... 14-60, 14-62
    route metric ..... 14-60, 14-62
    route redistribution ..... 14-51
rlogin ..... 4-130
role-based administration
    configuring IDP-only administrator ..... 4-228
    IDP rulebases ..... 4-184
root admin, logging in ..... 3-42
route lookup
    multiple VRs ..... 7-34
    sequence ..... 7-32
Route mode ..... 2-98 to 2-101, 11-3, 13-4
    interface settings ..... 2-99
    NAT-src ..... 2-98
route tracking ..... 12-111


route-based VPNs ..... 5-62 to 5-63
Router Advertisement (RA) ..... 14-12
Router mode ..... 14-52
Router Solicitation (RS) ..... 14-12
routers
    upstream ..... 14-38
    virtual ..... 14-50, 14-102
routes
    exporting ..... 7-42
    filtering ..... 7-39
    importing ..... 7-42
    maps ..... 7-38
    metrics ..... 7-31
    null ..... 5-85
    preference ..... 7-30
    redistributing ..... 7-37
    selection ..... 7-30
Routing Information Protocol
    See RIP
routing tables ..... 7-15
    lookup ..... 7-32
    lookup in multiple VRs ..... 7-34
    multicast ..... 7-149
    route selection ..... 7-30
    types ..... 7-15
routing, multicast ..... 7-147
RSA authentication ..... 14-121
rsh ..... 4-130
RSH ALG ..... 2-127
RTOs ..... 11-16 to 11-17
    operational states ..... 11-17
    peers ..... 11-22
    synchronization ..... 11-20
RTSP ..... 4-130
RTSP ALG
    defined ..... 2-130
    request methods ..... 2-131
    server in private domain ..... 2-134
    server in public domain ..... 2-136
    status codes ..... 2-133
rules, derived from policies ..... 2-164
run-time authentication ..... 2-170, 9-46
Run-Time Objects
    See RTOs

S

SA policy ..... 3-96
SAs ..... 5-8, 5-11
    check in packet flow ..... 5-65
SCEP (Simple Certificate Enrollment Protocol) ..... 5-30
schedules ..... 2-156, 2-172
SCP
    enabling ..... 3-18
    example client command ..... 3-18
SCREEN
    address sweep ..... 4-8
    bad IP options, drop ..... 4-238
    drop unknown MAC addresses ..... 4-39
    FIN with no ACK ..... 4-15
    FIN without ACK flag, drop ..... 4-13
    ICMP
        fragments, block ..... 4-236
    ICMP floods ..... 4-46
    IP options ..... 4-10
    IP packet fragments, block ..... 4-240
    IP spoofing ..... 4-18 to 4-23
    Land attacks ..... 4-48
    large ICMP packets, block ..... 4-237
    loose source route IP option, detect ..... 4-25
    Ping of Death ..... 4-49
    port scan ..... 4-9
    source route IP option, deny ..... 4-25
    strict source route IP option, detect ..... 4-25
    SYN and FIN flags set ..... 4-12
    SYN floods ..... 4-34 to 4-39
    SYN fragments, detect ..... 4-241
    SYN-ACK-ACK proxy floods ..... 4-32
    TCP packet without flags, detect ..... 4-14
    Teardrop ..... 4-50
    UDP floods ..... 4-47
    unknown protocols, drop ..... 4-239
    VLAN and MGT zones ..... 4-2
    WinNuke attacks ..... 4-51
SCREEN, MGT zone ..... 2-28
ScreenOS
    function zones ..... 2-33
    global zone ..... 2-28
    overview ..... 2-1
    packet flow ..... 2-10 to 2-12
    policies ..... 2-3
    RADIUS vendor IDs ..... 9-22
    security zones ..... 2-2, 2-28
    security zones, global ..... 2-2
    security zones, predefined ..... 2-2
    tunnel zones ..... 2-29
    virtual systems ..... 2-9
    VRs ..... 10-6
    zones ..... 2-25 to 2-33, 10-6
ScreenOS interfaces
    security zones ..... 2-3
    subinterfaces ..... 2-3
SDP ..... 6-17 to 6-18
secondary IP addresses ..... 2-51
secondary path ..... 11-29
Secure Copy
    See SCP
Secure Hash Algorithm-1
    See SHA-1


Secure Shell
    See SSH
Secure Sockets Layer
    See SSL
SecurID ..... 9-27
    ACE servers ..... 9-28
    auth server object ..... 9-35
    authentication port ..... 9-28
    authenticator ..... 9-27
    encryption types ..... 9-28
    L2TP ..... 5-211
    token codes ..... 9-27
    Use Duress option ..... 9-28
    user type support ..... 9-28
SecurID clients
    retries ..... 9-28
    timeout ..... 9-28
security associations
    See SAs
Security Associations (SA) ..... 3-95
security IP option ..... 4-10, 4-11
Security Policies ..... 4-182
security policies
    rulebase execution ..... 4-185
    rulebases ..... 4-182
    rules ..... 4-182
    templates ..... 4-185
security zones ..... 2-2
    determination, destination zone ..... 2-12
    determination, source zone ..... 2-10
    global ..... 2-2
    predefined ..... 2-2
    See zones
security zones, interfaces ..... 2-3
    physical ..... 2-36
selection modes
    APN ..... 13-15
    Mobile Station (MS) ..... 13-15
    Network ..... 13-15
    Verified ..... 13-15
self log ..... 3-66
sequence-number validation ..... 13-13
serial cables ..... 3-19
Server Message Block
    See SMB
servers, auth
    See auth servers
servers, SecurID ACE ..... 9-28
service book
    entries, modifying (CLI) ..... 2-123
    entries, removing (CLI) ..... 2-123
service book, service groups (WebUI) ..... 6-63
service book, services
    adding ..... 2-122
    custom ..... 2-109
    custom (CLI) ..... 2-122
    preconfigured ..... 2-109
service groups ..... 2-138 to 2-140
    creating ..... 2-138
    deleting ..... 2-140
    modifying ..... 2-139
service groups (WebUI) ..... 2-138
service provider, information from ..... 12-66
service requests, outgoing ..... 14-86, 14-88
services ..... 2-109
    custom ..... 4-152
    defined ..... 2-166
    dropdown list ..... 2-109
    ICMP ..... 2-126
    in policies ..... 2-166
    timeout threshold ..... 2-123
services, custom ..... 2-121
    ALGs ..... 2-167
    in vsys ..... 2-122
session ID ..... 3-4
session idle timeout ..... 9-18
session limits ..... 4-28 to 4-30
    destination-based ..... 4-29, 4-30
    source-based ..... 4-28, 4-29
session table floods ..... 4-17, 4-28
session timeout
    HTTP ..... 4-31
session timeouts
    TCP ..... 4-31
    UDP ..... 4-31
SHA-1 ..... 5-6
shared VRs ..... 10-37
shared zones ..... 10-37
signature packs, DI ..... 4-120
signatures
    stateful ..... 4-132
SIP
    ALG ..... 6-17, 6-20
    connection information ..... 6-18
    defined ..... 6-13
    media announcements ..... 6-18
    messages ..... 6-14
    multimedia sessions ..... 6-13
    pinholes ..... 6-17
    request methods ..... 6-14
    response codes ..... 6-16
    RTCP ..... 6-18
    RTP ..... 6-18
    SDP ..... 6-17 to 6-18
    signaling ..... 6-17
SIP NAT
    call setup ..... 6-23, 6-28
    defined ..... 6-23


DIP pool, using a ................................................. 6-35DIP, using incoming ........................................... 6-31DIP, using interface ............................................ 6-32incoming, with MIP ...................................6-35, 6-37proxy in DMZ ...................................................... 6-44proxy in private zone ................................6-39, 6-86proxy in public zone........................................... 6-42trust intrazone ..................................................... 6-51untrust intrazone........................................6-47, 6-93VPN, using full-mesh .................................6-53, 6-99

SIP timeoutsinactivity .............................................................. 6-20media inactivity..........................................6-21, 6-22session inactivity................................................. 6-20signaling inactivity .....................................6-21, 6-22

site survey .............................................................. 12-131Site-Local Aggregator (SLA) .........................14-37, 14-39SMB

NetBIOS.............................................................. 4-131SMTP server IP........................................................... 3-71SNMP .................................................................3-28, 3-73

cold start trap ...................................................... 3-74configuration ....................................................... 3-77encryption...................................................3-76, 3-78management options ......................................... 3-28MIB files, importing .......................................... 5-252VPN monitoring ................................................ 5-252

SNMP communityprivate .................................................................. 3-77public .................................................................... 3-77

SNMP traps100, hardware problems.................................... 3-74200, firewall problems ....................................... 3-74300, software problems ..................................... 3-74400, traffic problems.......................................... 3-74500, VPN problems............................................. 3-74allow or deny....................................................... 3-76system alarm....................................................... 3-74traffic alarm ......................................................... 3-74types ..................................................................... 3-74

SNMPTRAP............................................................... 4-130software keys ........................................................... 10-37source address translation...................................... 14-83source interface-based routing (SIBR) ..................... 7-19source route ............................................................... 3-96source-based routing (SBR) ...................................... 7-17SSH...................................................... 3-11 to 3-16, 4-130

authentication method priority ......................... 3-15automated logins ................................................ 3-17connection procedure ........................................ 3-12forcing PKA authentication only ....................... 3-16loading public keys, CLI ..................................... 3-15loading public keys, TFTP .........................3-15, 3-17loading public keys, WebUI ............................... 3-15

management options.......................................... 3-28password authentication .................................... 3-14PKA ....................................................................... 3-15PKA authentication ............................................. 3-14

SSIDbinding to wireless interface.......................... 12-144

SSL......................................................................3-5, 4-130SSL Handshake Protocol

See SSLHPSSL management options......................................... 3-28SSL, with WebAuth .................................................... 9-62SSLHP............................................................................ 3-5state transitions

endpoint host..................................................... 14-15next-hop gateway router .................................. 14-16static entry ......................................................... 14-18tunnel gateway .................................................. 14-17

stateful .......................................................................... 4-3inspection............................................................... 4-3signatures........................................................... 4-132

stateless address autoconfiguration ...................... 14-11static IP address....................................................... 12-74static routing ............................................7-2, 7-2 to 7-10

configuring ............................................................. 7-5multicast............................................................. 7-150Null interface, forwarding on............................. 7-11using ....................................................................... 7-3

statistics, reporting to NSM....................................... 3-26stream ID IP option ................................................... 4-11stream signatures .................................................... 4-133strict source route IP option ............... 4-11, 4-23 to 4-25subinterfaces .....................................................2-3, 10-62

configuring (vsys) .............................................. 10-62creating (root system)......................................... 2-49creating (vsys).................................................... 10-62deleting................................................................. 2-50multiple per vsys ............................................... 10-62

subnets, overlapping .... 10-63
subrate option .... 12-20
subscriptions
    registration and activation .... 2-251 to 2-253
    temporary service .... 2-252

Sun RPC ALG
    call scenarios .... 2-127
    defined .... 2-127

Super G .... 12-133
SurfControl .... 4-98, 4-107
SYN and FIN flags set .... 4-12
SYN checking .... 4-15, 4-15 to 4-18
    asymmetric routing .... 4-16
    reconnaissance hole .... 4-17
    session interruption .... 4-17
    session table floods .... 4-17

SYN cookies................................................................ 4-44

Master Index


SYN floods .... 4-34 to 4-39
    alarm threshold .... 4-38
    attack threshold .... 4-37
    attacks .... 4-34
    destination threshold .... 4-38
    drop unknown MAC addresses .... 4-39
    queue size .... 4-39
    source threshold .... 4-38
    SYN cookies .... 4-44
    threshold .... 4-35
    timeout .... 4-39

SYN fragments .... 4-241
SYN-ACK-ACK proxy floods .... 4-32
synchronization
    configuration .... 11-19
    RTOs .... 11-20

syslog .... 3-56, 4-130
    encryption .... 3-78
    facility .... 3-72, 3-81, 3-88
    host .... 3-72
    host name .... 3-72, 3-73, 3-81, 3-88
    messages .... 3-71
    port .... 3-72, 3-81, 3-88
    security facility .... 3-72, 3-81, 3-88

system clock .... 2-253 to 2-257
    date & time .... 2-254
    sync with client .... 2-254
    time zone .... 2-254

system parameters .................................................. 2-257

T

T3 interfaces
    C-bit parity mode .... 12-13
    CSU compatibility .... 12-20

TACACS+
    auth server objects .... 9-38
    clients retries .... 9-32
    clients timeout .... 9-32
    object properties .... 9-32
    ports .... 9-32
    retry timeout .... 9-32
    shared secret .... 9-32

tags, VLANs .... 2-3
TCP
    packet without flags .... 4-14
    session timeouts .... 4-31
    stream signatures .... 4-160
    SYN flag checking .... 5-297

TCP proxy .... 3-96
Teardrop attacks .... 4-50
Telnet .... 3-9, 4-130
Telnet management options .... 3-28
Telnet, logging in via .... 3-10
templates
    security policy .... 4-185
TFTP .... 4-130
three-way handshakes .... 4-34
threshold
    low-watermark .... 4-31
thresholds
    high-watermark .... 4-30
time zone .... 2-254
timeout .... 13-25
    admin users .... 9-18
    auth users .... 9-18

timestamp IP option .... 4-11
token codes .... 9-27
Top-Level Aggregator (TLA) .... 14-37
trace-route .... 2-85
traffic
    counting .... 2-172, 13-5
    IP-based .... 10-71
    logging .... 2-172, 13-5
    priority .... 2-173
    shaping .... 2-193
    sorting .... 10-31 to 10-39
    through traffic, vsys sorting .... 10-32 to 10-35
    VLAN-based .... 10-40, 10-41 to 10-68

traffic alarms .... 3-68 to 3-71
traffic shaping .... 2-193
    automatic .... 2-194
    service priorities .... 2-198

Transparent mode .... 2-80 to 2-92, 10-42, 10-43, 13-4
    ARP/trace-route .... 2-83
    blocking non-ARP traffic .... 2-81
    blocking non-IP traffic .... 2-81
    broadcast traffic .... 2-81
    drop unknown MAC addresses .... 4-39
    flood .... 2-83
    routes .... 2-82
    unicast options .... 2-83

Transparent mode, management options .... 3-29
Transport mode .... 5-4, 5-208, 5-213, 5-218
Triple DES
    See 3DES
trunk ports .... 10-42
trunk ports, Transparent mode .... 10-42
trustee administrator .... 12-109
tunnel interfaces .... 2-39
    definition .... 2-39
    policy-based NAT .... 2-39

Tunnel mode .... 5-4
tunnel termination points .... 14-102
tunnel tracking .... 12-111

U

UDP
    checksum .... 5-237


    NAT-T encapsulation .... 5-232
    session timeouts .... 4-31

unified access control solution
    overview of .... 1-li, 9-vii, 9-41

unknown protocols .... 4-239
unknown unicast options .... 2-82 to 2-87
    ARP .... 2-84 to 2-87
    flood .... 2-83 to 2-84
    trace-route .... 2-85

updating IDP engine .... 4-231
upstream routers .... 14-38
URL filtering
    See web filtering
USB .... 3-56
users
    admin .... 9-2
    admin, timeout .... 9-18
    group IKE ID .... 5-183 to 5-198
    groups, server support .... 9-14
    IKE
        See IKE users
    L2TP .... 9-84 to 9-87
    multiple-type .... 9-4
    shared IKE ID .... 5-198 to 5-204
    WebAuth .... 9-14
    XAuth .... 9-68 to 9-82

users, auth
    See auth users
users, IKE
    See IKE users

users, multiple administrative.................................. 3-33

V

VC .... 12-66
VCI .... 12-66
vendor IDs, VSA .... 9-22
vendor-specific attributes .... 9-21
Verified mode .... 13-15
Verisign .... 5-34
VIP .... 2-11
    configuring .... 8-82
    definition .... 8-6
    editing .... 8-84
    global zones .... 8-82
    reachable from other zones .... 8-82
    removing .... 8-84
    required information .... 8-81

VIP services
    custom and multi-port .... 8-85 to 8-88
    custom, low port numbers .... 8-82
VIP, to zone with interface-based NAT .... 2-94
virtual adapters .... 9-68
virtual channel identifier
    See VCI
virtual circuit
    See VC
virtual HA interfaces .... 2-39, 11-27
virtual IP
    See VIP
virtual path identifier
    See VPI
Virtual Path Identifier/Virtual Channel Identifier
    See VPI/VCI
virtual private networks
    See VPNs
virtual routers .... 14-50, 14-102
    See VRs
virtual routers, MIP default .... 8-66
virtual routers, RIP .... 14-53 to 14-70
virtual security device groups
    See VSD groups
virtual security interface
    See VSI
virtual system support .... 13-5
virtual systems .... 2-9
    admins .... 3-34
    failover .... 11-56
    load sharing .... 11-82
    manageability and security of .... 10-73
    NSRP .... 11-56
    read-only admins .... 3-34
    VIP .... 10-31

VLAN zone .... 2-81
VLAN1
    interface .... 2-81, 2-87
    zones .... 2-81
VLAN1, management options .... 3-29
VLAN-based traffic classification .... 10-40, 10-41 to 10-68
VLANs
    communicating with another VLAN .... 10-39, 10-65 to 10-68
    creating .... 10-43 to 10-64
    subinterfaces .... 10-62
    tag .... 10-43, 10-62
    Transparent mode .... 10-42, 10-43
    trunking .... 10-42
    VLAN-based traffic classification .... 10-40, 10-41 to 10-68
VLANs, tags .... 2-3
VNC .... 4-130
voice-over IP
    bandwidth management .... 6-62
VPI .... 12-66
VPI/VCI
    configuring .... 12-71
    values .... 12-74
VPN idletime .... 9-71
VPN monitoring .... 5-241 to 5-252, 12-111


    destination address .... 5-243 to 5-245
    destination address, XAuth .... 5-243
    ICMP echo requests .... 5-252
    outgoing interface .... 5-243 to 5-245
    policies .... 5-244
    rekey option .... 5-242, 5-258
    routing design .... 5-71
    SNMP .... 5-252
    status changes .... 5-241, 5-244

VPNs
    Aggressive mode .... 5-10
    AutoKey IKE .... 3-43, 3-79, 5-7
    configuration tips .... 5-69 to 5-71
    cryptographic options .... 5-48 to 5-61
    Diffie-Hellman exchange .... 5-10
    Diffie-Hellman groups .... 5-10
    for administrative traffic .... 3-78
    FQDN aliases .... 5-130
    FQDN for gateways .... 5-129 to 5-140
    Main mode .... 5-9
    manual key .... 3-79
    manual keys .... 3-43
    MIP .... 5-140
    multiple tunnels per tunnel interface .... 5-254 to 5-289
    NAT for overlapping addresses .... 5-140 to 5-151
    NAT-dst .... 5-140
    NAT-src .... 5-142
    packet flow .... 5-63 to 5-69
    Phase 1 .... 5-9
    Phase 2 .... 5-11
    policies .... 2-168
    policies for bidirectional .... 5-125
    proxy IDs, matching .... 5-69
    redundant gateways .... 5-291 to 5-304
    redundant groups, recovery procedure .... 5-295
    replay protection .... 5-12
    route- vs policy-based .... 5-62
    SAs .... 5-8
    to zone with interface-based NAT .... 2-94
    Transport mode .... 5-4
    tunnel always up .... 5-242
    tunnel zones .... 2-29
    VPN groups .... 5-292
    VPN monitoring and rekey .... 5-242

VRRP .... 11-53
VRs .... 7-37 to 7-42, 10-6
    access lists .... 7-40
    BGP .... 7-106 to 7-113
    ECMP .... 7-36
    forwarding traffic between .... 2-4
    introduction .... 2-4
    modifying .... 7-22
    on vsys .... 7-26
    OSPF .... 7-49 to 7-67
    RIP .... 7-75 to 7-90
    route metrics .... 7-31
    router IDs .... 7-22
    SBR .... 7-17
    shared .... 10-37
    shared, creating a .... 10-38
    SIBR .... 7-19
    using two .... 7-23

VRs, routes
    exporting .... 7-42
    filtering .... 7-39
    importing .... 7-42
    maps .... 7-38
    preference .... 7-30
    redistribution .... 7-37
    selection .... 7-30
VRs, routing tables
    lookup .... 7-32
    lookup in multiple VRs .... 7-34
    maximum entries .... 7-29
VSA attribute types .... 9-22
VSAs .... 9-21
VSD groups .... 4-181, 11-21
    failover .... 11-56
    heartbeats .... 11-23, 11-29
    hold-down time .... 11-35, 11-38
    member states .... 11-22 to 11-23
    priority numbers .... 11-21
VSIs .... 11-2, 11-21
    multiple VSIs per VSD group .... 11-56
    static routes .... 11-24
vsys
    admin .... 10-7
    keys .... 10-37
    objects, creating .... 10-4

W

web browser requirements .... 3-2
web filtering .... 2-172, 4-107 to 4-114
    applying profiles to policies .... 4-104
    blocked URL message .... 4-111
    blocked URL message type .... 4-111
    cache .... 4-99
    communication timeout .... 4-110
    integrated .... 4-98
    profiles .... 4-102
    redirect .... 4-107
    routing .... 4-112
    server status .... 4-112
    servers per vsys .... 4-108
    SurfControl CPA servers .... 4-98
    SurfControl SCFP .... 4-109
    SurfControl server name .... 4-110
    SurfControl server port .... 4-110


    SurfControl servers .... 4-99
    URL categories .... 4-101
    Websense server name .... 4-110
    Websense server port .... 4-110

Web user interface
    See WebUI
WebAuth .... 9-14, 9-47
    external user groups .... 9-59
    pre-policy auth process .... 9-47
    user groups, local .... 9-58
    with SSL (user groups, external) .... 9-61
WebAuth, pre-policy auth process .... 2-171
WebTrends .... 3-56, 3-73
    encryption .... 3-73, 3-78
    messages .... 3-73
WebUI .... 3-2, 14-32
    Help files .... 3-2
    management options .... 3-28
WebUI, on sample client, downstream router .... 14-40
WEP .... 12-122
Whois .... 4-130
wildcards .... 5-186, 13-15
WinNuke attacks .... 4-51
WINS
    L2TP settings .... 5-211
WINS server .... 14-132
Wired Equivalent Privacy
    See WEP
wireless bridge groups .... 12-145
wireless interface
    logical interface .... 2-36
wireless interfaces
    binding SSID to .... 12-144
    binding to radio .... 12-144
    configuring .... 12-144
    disabling .... 12-146
Wireless Local Area Network
    See WLAN
WLAN
    access control list .... 12-132
    advanced parameters .... 12-138
    aging interval .... 12-138
    authentication and encryption .... 12-122
    beacon interval .... 12-139
    bridge groups .... 12-145
    burst threshold .... 12-140
    Clear to Send mode .... 12-141
    Clear to Send rate .... 12-142
    Clear to Send type .... 12-142
    configurations, reactivating .... 12-133
    configuring Super G .... 12-133
    country codes and channels .... 12-130
    DTIM .... 12-140
    extended channels .... 12-130
    finding available channels .... 12-131
    fragment threshold .... 12-140
    preamble length .... 12-143
    Request to Send threshold .... 12-141
    site survey .... 12-131
    slot time .... 12-143
    viewing wireless configuration information .... 12-146
    WMM .... 12-134
    XR .... 12-133
WLAN WAP operation modes
    802.11b clients, configuring .... 12-119
    802.11g clients, configuring .... 12-119
WLAN, wireless interfaces
    binding .... 12-144
WMM
    access categories .... 12-135
    configuring quality of service .... 12-134
    default settings .... 12-135
    enabling .... 12-134

X

XAuth
    authentication .... 14-138
    bypass-auth .... 9-69
    client authentication .... 9-83
    defined .... 9-68
    query remote settings .... 9-69
    ScreenOS as client .... 9-83
    TCP/IP assignments .... 9-70
    virtual adapters .... 9-68
    VPN idletime .... 9-71
    VPN monitoring .... 5-243
    when to use .... 14-132
XAuth addresses
    assignments .... 9-68
    authentication, and .... 9-79
    IP address lifetime .... 9-70 to 9-71
    timeout .... 9-70
XAuth users .... 9-68 to 9-82
    authentication .... 9-68
    local authentication .... 9-71
    local group authentication .... 9-73
    server support .... 9-14
    with L2TP .... 9-4
XAuth, external
    auth server queries .... 9-69
    user authentication .... 9-74
    user group authentication .... 9-76

XR, configuring ...................................................... 12-133

Y

Yahoo! Messenger .... 4-130


Z

zip files, blocking .... 4-168
zombie agents .... 4-27, 4-29
zones .... 2-25 to 2-33, 10-6
    defining .... 2-30
    editing .... 2-31
    function .... 2-33
    function, MGT interface .... 2-38
    global .... 2-28
    global security .... 2-2
    Layer 2 .... 2-81
    shared .... 10-37
    tunnel .... 2-29
    VLAN .... 2-33, 2-81
    vsys .... 10-6
zones, global .... 8-82
zones, ScreenOS .... 2-25 to 2-33
    predefined .... 2-2
    security interfaces .... 2-3
zones, security .... 2-2, 2-28
    determination, destination zone .... 2-12
    determination, source zone .... 2-10
    global .... 2-2
    interfaces, monitoring .... 2-73
    interfaces, physical .... 2-36
