Juniper Overview SSG500

Concepts & Examples
ScreenOS Reference Guide
Volume 1:
Overview
Release 6.0.0, Rev. 02
Juniper Networks, Inc.

1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-017767-01, Revision 02
Copyright Notice
Copyright 2007 Juniper Networks, Inc. All rights reserved.
Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other
trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective
owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for
any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication
without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency
energy. If it is not installed in accordance with Juniper Networks installation instructions, it may cause interference with radio and television reception.
This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC
rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no
guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user
is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED
WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED
WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
ii
Table of Contents
Volume 1:
Overview
About the Concepts & Examples ScreenOS Reference Guide
xlv
Volume Organization .................................................................................. xlvii

Document Conventions.................................................................................. liii
Web User Interface Conventions ............................................................. liii
Command Line Interface Conventions..................................................... liii
Naming Conventions and Character Types .............................................. liv
Illustration Conventions............................................................................ lv
Technical Documentation and Support .......................................................... lvi
Master Index...........................................................................................................IX-I
Volume 2:
Fundamentals
About This Volume
ix
Document Conventions.................................................................................... x
Web User Interface Conventions ............................................................... x
Command Line Interface Conventions....................................................... x
Naming Conventions and Character Types ............................................... xi
Illustration Conventions........................................................................... xii
Technical Documentation and Support ......................................................... xiii
Chapter 1
ScreenOS Architecture
Security Zones ................................................................................................. 2

Security Zone Interfaces................................................................................... 3
Physical Interfaces..................................................................................... 3
Subinterfaces............................................................................................. 3
Virtual Routers ................................................................................................. 4
Policies.............................................................................................................5
Virtual Private Networks .................................................................................. 6
Virtual Systems ................................................................................................9
Packet-Flow Sequence.................................................................................... 10
Jumbo Frames................................................................................................ 13
ScreenOS Architecture Example..................................................................... 14
Example: (Part 1) Enterprise with Six Zones............................................ 14
Example: (Part 2) Interfaces for Six Zones ............................................... 16
Example: (Part 3) Two Routing Domains ................................................. 18
Example: (Part 4) Policies ........................................................................ 20
Table of Contents
iii
Concepts & Examples ScreenOS Reference Guide
Chapter 2
Zones
25
Viewing Preconfigured Zones......................................................................... 26

Security Zones ............................................................................................... 28
Global Zone ............................................................................................. 28
SCREEN Options...................................................................................... 28
Binding a Tunnel Interface to a Tunnel Zone.................................................. 29
Configuring Security Zones and Tunnel Zones ............................................... 30
Creating a Zone ....................................................................................... 30
Modifying a Zone..................................................................................... 31
Deleting a Zone ....................................................................................... 32
Function Zones ..............................................................................................33
Chapter 3
Interfaces
35
Interface Types ..............................................................................................36

Logical Interfaces..................................................................................... 36
Physical Interfaces ............................................................................ 36
Wireless Interfaces............................................................................ 36
Bridge Group Interfaces..................................................................... 37
Subinterfaces .................................................................................... 37
Aggregate Interfaces ......................................................................... 37
Redundant Interfaces ........................................................................ 37
Virtual Security Interfaces .................................................................38
Function Zone Interfaces ......................................................................... 38
Management Interfaces..................................................................... 38
High Availability Interfaces................................................................ 38
Tunnel Interfaces..................................................................................... 39
Deleting Tunnel Interfaces ................................................................ 42
Viewing Interfaces ......................................................................................... 43
Configuring Security Zone Interfaces ............................................................. 44
Binding an Interface to a Security Zone ................................................... 44
Unbinding an Interface from a Security Zone .......................................... 45
Addressing an L3 Security Zone Interface................................................ 46
Public IP Addresses ........................................................................... 47
Private IP Addresses.......................................................................... 47
Addressing an Interface .................................................................... 48
Modifying Interface Settings .................................................................... 48
Creating a Subinterface in the Root System ............................................. 49
Deleting a Subinterface............................................................................ 50
Creating a Secondary IP Address ................................................................... 50
Backup System Interfaces .............................................................................. 51
Configuring a Backup Interface................................................................ 52
Configuring an IP Tracking Backup Interface..................................... 52
Configuring a Tunnel-if Backup Interface .......................................... 53
Configuring a Route Monitoring Backup Interface ............................. 57
Loopback Interfaces ....................................................................................... 58
Creating a Loopback Interface .................................................................59
Setting the Loopback Interface for Management...................................... 59
Setting BGP on a Loopback Interface ....................................................... 59
Setting VSIs on a Loopback Interface....................................................... 60
Setting the Loopback Interface as a Source Interface ............................... 60
Interface State Changes.................................................................................. 61
Physical Connection Monitoring .............................................................. 63
Tracking IP Addresses ............................................................................. 63
iv
Table of Contents
Table of Contents
Interface Monitoring ................................................................................ 68

Monitoring Two Interfaces ................................................................ 69
Monitoring an Interface Loop ............................................................ 70
Security Zone Monitoring ........................................................................ 73
Down Interfaces and Traffic Flow ............................................................ 74
Failure on the Egress Interface .......................................................... 75
Failure on the Ingress Interface ......................................................... 76
Chapter 4
Interface Modes
79
Transparent Mode.......................................................................................... 80
Zone Settings........................................................................................... 81
VLAN Zone........................................................................................ 81
Predefined Layer 2 Zones .................................................................81
Traffic Forwarding ................................................................................... 81
Unknown Unicast Options ....................................................................... 82
Flood Method.................................................................................... 83
ARP/Trace-Route Method .................................................................. 84
Configuring VLAN1 Interface for Management .................................. 87
Configuring Transparent Mode.......................................................... 89
NAT Mode...................................................................................................... 92
Inbound and Outbound NAT Traffic ........................................................ 94
Interface Settings..................................................................................... 95
Configuring NAT Mode ............................................................................ 95
Route Mode.................................................................................................... 98
Interface Settings..................................................................................... 99
Configuring Route Mode .......................................................................... 99
Chapter 5
Building Blocks for Policies
103
Addresses ....................................................................................................103
Address Entries .....................................................................................104
Adding an Address ..........................................................................104
Modifying an Address .....................................................................105
Deleting an Address ........................................................................105
Address Groups .....................................................................................105
Creating an Address Group .............................................................107
Editing an Address Group Entry ......................................................108
Removing a Member and a Group...................................................108
Services........................................................................................................109
Predefined Services ...............................................................................109
Internet Control Messaging Protocol ...............................................110
Handling ICMP Unreachable Errors .................................................113
Internet-Related Predefined Services...............................................114
Microsoft Remote Procedure Call Services ......................................115
Dynamic Routing Protocols.............................................................117
Streaming Video..............................................................................117
Sun Remote Procedure Call Services ...............................................118
Security and Tunnel Services ..........................................................118
IP-Related Services..........................................................................119
Instant Messaging Services..............................................................119
Management Services .....................................................................119
Mail Services ...................................................................................120
UNIX Services .................................................................................120
Miscellaneous Services ....................................................................121
Table of Contents
Custom Services ....................................................................................121

Adding a Custom Service ................................................................122
Modifying a Custom Service............................................................123
Removing a Custom Service............................................................123
Setting a Service Timeout ......................................................................123
Service Timeout Configuration and Lookup.....................................123
Contingencies .................................................................................124
Example..........................................................................................126
Defining a Custom Internet Control Message Protocol Service...............126
Remote Shell ALG ..................................................................................127
Sun Remote Procedure Call Application Layer Gateway.........................127
Typical RPC Call Scenario................................................................127
Customizing Sun RPC Services ........................................................128
Customizing Microsoft Remote Procedure Call ALG ...............................129
Real-Time Streaming Protocol Application Layer Gateway.....................130
RTSP Request Methods ...................................................................131
RTSP Status Codes ..........................................................................133
Configuring a Media Server in a Private Domain .............................134
Configuring a Media Server in a Public Domain ..............................136
Service Groups.......................................................................................138
Modifying a Service Group ..............................................................139
Removing a Service Group ..............................................................140
Dynamic IP Pools.........................................................................................140
Port Address Translation .......................................................................141
Creating a DIP Pool with PAT ................................................................142
Modifying a DIP Pool .............................................................................143
Sticky DIP Addresses .............................................................................143
Using DIP in a Different Subnet .............................................................144
Using a DIP on a Loopback Interface .....................................................149
Creating a DIP Group.............................................................................153
Setting a Recurring Schedule........................................................................156
Chapter 6
Policies
159
Basic Elements.............................................................................................160
Three Types of Policies ................................................................................161
Interzone Policies ..................................................................................161
Intrazone Policies ..................................................................................161
Global Policies .......................................................................................162
Policy Set Lists .............................................................................................163
Policies Defined ...........................................................................................164
Policies and Rules..................................................................................164
Anatomy of a Policy ..............................................................................165
ID....................................................................................................166
Zones ..............................................................................................166
Addresses .......................................................................................166
Services...........................................................................................166
Action .............................................................................................167
Application......................................................................................167
Name ..............................................................................................168
VPN Tunneling ................................................................................168
L2TP Tunneling ...............................................................................168
Deep Inspection ..............................................................................169
Placement at the Top of the Policy List ...........................................169
Source Address Translation.............................................................169
vi
Table of Contents
Table of Contents
Destination Address Translation......................................................169

User Authentication ........................................................................170
HA Session Backup .........................................................................171
Web Filtering ..................................................................................172
Logging ...........................................................................................172
Counting .........................................................................................172
Traffic Alarm Threshold ..................................................................172
Schedules........................................................................................172
Antivirus Scanning ..........................................................................173
Traffic Shaping................................................................................173
Policies Applied............................................................................................174
Viewing Policies.....................................................................................174
Creating Policies ....................................................................................174
Creating Interzone Policies Mail Service ..........................................175
Creating an Interzone Policy Set .....................................................178
Creating Intrazone Policies..............................................................182
Creating a Global Policy ..................................................................184
Entering a Policy Context ......................................................................185
Multiple Items per Policy Component....................................................185
Setting Address Negation.......................................................................186
Modifying and Disabling Policies ...........................................................189
Policy Verification..................................................................................189
Reordering Policies................................................................................190
Removing a Policy .................................................................................191
Chapter 7
Traffic Shaping
193
Managing Bandwidth at the Policy Level ......................................................193

Setting Traffic Shaping .................................................................................194
Setting Service Priorities ..............................................................................198
Setting Priority Queuing ...............................................................................199
Ingress Policing ............................................................................................203
Shaping Traffic on Virtual Interfaces ............................................................203
Interface-Level Traffic Shaping ..............................................................204
Policy-Level Traffic Shaping ...................................................................205
Packet Flow ...........................................................................................206
Example: Route-Based VPN with Ingress Policing ..................................206
Example: Policy-Based VPN with Ingress Policing..................................210
Traffic Shaping Using a Loopback Interface .................................................214
DSCP Marking and Shaping..........................................................................214
Chapter 8
System Parameters
217
Domain Name System Support ....................................................................217

DNS Lookup ..........................................................................................218
DNS Status Table ...................................................................................219
Setting the DNS Server and Refresh Schedule .................................219
Setting a DNS Refresh Interval ........................................................220
Dynamic Domain Name System............................................................220
Setting Up DDNS for a DynDNS Server ...........................................221
Setting Up DDNS for a DDO Server .................................................222
Proxy DNS Address Splitting..................................................................222
Dynamic Host Configuration Protocol ..........................................................225
Configuring a DHCP Server....................................................................226
Customizing DHCP Server Options .................................................230
Table of Contents
vii
Placing the DHCP Server in an NSRP Cluster...................................231

DHCP Server Detection ...................................................................231
Enabling DHCP Server Detection ....................................................232
Disabling DHCP Server Detection....................................................232
Assigning a Security Device as a DHCP Relay Agent ..............................233
Forwarding All DHCP Packets .........................................................237
Configuring Next-Server-IP..............................................................237
Using a Security Device as a DHCP Client..............................................238
Propagating TCP/IP Settings ..................................................................240
Configuring DHCP in Virtual Systems ....................................................242
Setting DHCP Message Relay in Virtual Systems ..........................................242
Point-to-Point Protocol over Ethernet ...........................................................243
Setting Up PPPoE ..................................................................................243
Configuring PPPoE on Primary and Backup Untrust Interfaces..............246
Configuring Multiple PPPoE Sessions over a Single Interface .................247
PPPoE and High Availability ..................................................................250
License Keys ................................................................................................250
Registration and Activation of Subscription Services ....................................251
Trial Service...........................................................................................252
Updating Subscription Keys...................................................................252
Adding Antivirus, Web Filtering, Anti-Spam, and Deep Inspection to an
Existing or a New Device ................................................................253
System Clock ...............................................................................................253
Date and Time.......................................................................................254
Daylight Saving Time.............................................................................254
Time Zone .............................................................................................254
Network Time Protocol..........................................................................255
Configuring Multiple NTP Servers....................................................255
Configuring a Backup NTP Server....................................................255
Maximum Time Adjustment............................................................256
NTP and NSRP ................................................................................256
Setting a Maximum Time Adjustment Value to an NTP Server ........257
Securing NTP Servers ......................................................................257
Index..........................................................................................................................IX-I
Volume 3:
Administration
About This Volume
vii
Document Conventions.................................................................................. vii

Web User Interface Conventions ............................................................. vii
Command Line Interface Conventions.................................................... viii
Naming Conventions and Character Types ............................................. viii
Illustration Conventions............................................................................. x
Technical Documentation and Support ........................................................... xi
Chapter 1
Administration
Management via the Web User Interface ......................................................... 2

WebUI Help ............................................................................................... 2
Copying the Help Files to a Local Drive ............................................... 3
Pointing the WebUI to the New Help Location .................................... 3
HyperText Transfer Protocol...................................................................... 4
viii
Table of Contents
Table of Contents
Session ID.................................................................................................. 4
Secure Sockets Layer ................................................................................. 5
SSL Configuration................................................................................ 7
Redirecting HTTP to SSL ..................................................................... 8
Management via the Command Line Interface................................................. 9
Telnet ........................................................................................................ 9
Securing Telnet Connections ................................................................... 10
Secure Shell ............................................................................................. 11
Client Requirements.......................................................................... 12
Basic SSH Configuration on the Device ............................................. 13
Authentication .................................................................................. 14
SSH and Vsys .................................................................................... 16
Host Key ........................................................................................... 16
Example: SSHv1 with PKA for Automated Logins ............................. 17
Secure Copy ............................................................................................ 18
Serial Console.......................................................................................... 19
Remote Console ...................................................................................... 20
Remote Console Using V.92 Modem Port.......................................... 20
Remote Console Using an AUX Port.................................................. 21
Modem Port ............................................................................................ 22
Management via NetScreen-Security Manager ............................................... 22
Initiating Connectivity Between NSM Agent and the MGT System ........... 23
Enabling, Disabling, and Unsetting NSM Agent........................................ 24
Setting the Primary Server IP Address of the Management System ......... 25
Setting Alarm and Statistics Reporting..................................................... 25
Configuration Synchronization ................................................................ 26
Example: Viewing the Configuration State ........................................ 27
Example: Retrieving the Configuration Hash..................................... 27
Retrieving the Configuration Timestamp ................................................. 27
Controlling Administrative Traffic .................................................................. 28
MGT and VLAN1 Interfaces...................................................................... 29
Example: Administration Through the MGT Interface .......................29
Example: Administration Through the VLAN1 Interface .................... 29
Setting Administrative Interface Options ................................................. 30
Setting Manage IPs for Multiple Interfaces ............................................... 31
Levels of Administration ................................................................................ 33
Root Administrator .................................................................................. 33
Read/Write Administrator........................................................................ 34
Read-Only Administrator......................................................................... 34
Virtual System Administrator................................................................... 34
Virtual System Read-Only Administrator ................................................. 35
Defining Admin Users .................................................................................... 35
Example: Adding a Read-Only Admin ..................................................... 35
Example: Modifying an Admin ................................................................ 35
Example: Deleting an Admin ................................................................... 36
Example: Configuring Admin Accounts for Dialup Connections............... 36
Example: Clearing an Admins Sessions .................................................. 37
Securing Administrative Traffic ...................................................................... 37
Changing the Port Number ...................................................................... 38
Changing the Admin Login Name and Password ..................................... 39
Example: Changing an Admin Users Login Name and Password ..... 40
Example: Changing Your Own Password .......................................... 40
Setting the Minimum Length of the Root Admin Password ............... 41
Resetting the Device to the Factory Default Settings................................ 41
Table of Contents
ix
Restricting Administrative Access ............................................................ 42

Example: Restricting Administration to a Single Workstation............ 42
Example: Restricting Administration to a Subnet .............................. 42
Restricting the Root Admin to Console Access .................................. 42
VPN Tunnels for Administrative Traffic....................................................43
Administration Through a Route-Based Manual Key VPN Tunnel ...... 44
Administration Through a Policy-Based Manual Key VPN Tunnel...... 47
Password Policy ............................................................................................. 51
Setting a Password Policy ........................................................................ 51
Removing a Password Policy ................................................................... 52
Viewing a Password Policy ...................................................................... 52
Recovering from a Rejected Default Admin Password ............................. 52
Creating a Login Banner................................................................................. 53
Chapter 2
Monitoring Security Devices
55
Storing Log Information ................................................................................. 55

Event Log ....................................................................................................... 56
Viewing the Event Log by Severity Level and Keyword............................ 57
Sorting and Filtering the Event Log.......................................................... 58
Downloading the Event Log..................................................................... 59
Example: Downloading the Entire Event Log .................................... 59
Example: Downloading the Event Log for Critical Events .................. 60
Traffic Log...................................................................................................... 60
Viewing the Traffic Log ............................................................................ 61
Example: Viewing Traffic Log Entries................................................ 61
Sorting and Filtering the Traffic Log .................................................. 63
Example: Sorting the Traffic Log by Time ......................................... 63
Downloading the Traffic Log.................................................................... 63
Removing the Reason for Close Field ...................................................... 64
Self Log .......................................................................................................... 66
Viewing the Self Log ................................................................................ 66
Sorting and Filtering the Self Log ...................................................... 66
Example: Filtering the Self Log by Time ............................................ 67
Downloading the Self Log ........................................................................ 67
Downloading the Asset Recovery Log ............................................................ 68
Traffic Alarms ................................................................................................ 68
Example: Policy-Based Intrusion Detection.............................................. 69
Example: Compromised System Notification........................................... 70
Example: Sending E-mail Alerts............................................................... 71
Syslog ............................................................................................................ 71
Example: Enabling Multiple Syslog Servers.............................................. 72
Enabling WebTrends for Notification Events ........................................... 73
Simple Network Management Protocol .......................................................... 73
Implementation Overview ....................................................................... 76
Defining a Read/Write SNMP Community ............................................... 77
VPN Tunnels for Self-Initiated Traffic ............................................................. 78
Example: Self-Generated Traffic Through a Route-Based Tunnel.............. 79
Example: Self-Generated Traffic Through a Policy-Based Tunnel ............. 86
Viewing Screen Counters ............................................................................... 92
Table of Contents
Table of Contents
Index..........................................................................................................................IX-I
Volume 4:
Attack Detection and Defense Mechanisms
About This Volume
ix
Chapter 1
Protecting a Network
Stages of an Attack........................................................................................... 2
Detection and Defense Mechanisms ................................................................ 2
Exploit Monitoring ........................................................................................... 5
Example: Monitoring Attacks from the Untrust Zone................................. 5
Chapter 2
Reconnaissance Deterrence
IP Address Sweep ............................................................................................ 8

Port Scanning................................................................................................... 9
Network Reconnaissance Using IP Options ....................................................10
Operating System Probes............................................................................... 12
SYN and FIN Flags Set ............................................................................. 12
FIN Flag Without ACK Flag ...................................................................... 13
TCP Header Without Flags Set .................................................................14
Evasion Techniques ....................................................................................... 15
FIN Scan .................................................................................................. 15
Non-SYN Flags......................................................................................... 15
IP Spoofing ..............................................................................................18
Example: L3 IP Spoof Protection ....................................................... 20
Example: L2 IP Spoof Protection ....................................................... 22
IP Source Route Options.......................................................................... 23
Chapter 3
Denial-of-Service Attack Defenses
27
Firewall DoS Attacks ...................................................................................... 28

Session Table Flood ................................................................................. 28
Source-Based and Destination-Based Session Limits ......................... 28
Example: Source-Based Session Limiting .......................................... 29
Example: Destination-Based Session Limiting ................................... 30
Aggressive Aging............................................................................... 30
Example: Aggressively Aging Out Sessions........................................ 32
SYN-ACK-ACK Proxy Flood ...................................................................... 32
Network DoS Attacks ..................................................................................... 34
SYN Flood................................................................................................ 34
Example: SYN Flood Protection ........................................................ 40
SYN Cookie..............................................................................................44
ICMP Flood ..............................................................................................46
UDP Flood ............................................................................................... 47
Land Attack ............................................................................................. 48
OS-Specific DoS Attacks ................................................................................. 49
Table of Contents
xi
Ping of Death........................................................................................... 49
Teardrop Attack....................................................................................... 50
WinNuke ................................................................................................. 51
Chapter 4
Content Monitoring and Filtering
53
Fragment Reassembly.................................................................................... 54
Malicious URL Protection......................................................................... 54
Application Layer Gateway ...................................................................... 55
Example: Blocking Malicious URLs in Packet Fragments ................... 56
Antivirus Scanning ......................................................................................... 58
External AV Scanning .............................................................................. 58
Scanning Modes................................................................................ 60
Load-Balancing ICAP Scan Servers ....................................................60
Internal AV Scanning ............................................................................... 61
AV Scanning of IM Traffic ........................................................................ 63
IM Clients.......................................................................................... 63
IM Server .......................................................................................... 64
IM Protocols ...................................................................................... 64
Instant Messaging Security Issues ..................................................... 65
IM Security Issues ............................................................................. 65
Scanning Chat Messages ................................................................... 65
Scanning File Transfers ..................................................................... 66
AV Scanning Results ................................................................................ 67
Policy-Based AV Scanning ....................................................................... 68
Scanning Application Protocols................................................................ 69
Scanning FTP Traffic ......................................................................... 70
Scanning HTTP Traffic ...................................................................... 71
Scanning IMAP and POP3 Traffic ...................................................... 73
Scanning SMTP Traffic ...................................................................... 74
Redirecting Traffic to ICAP AV Scan Servers...................................... 76
Updating the AV Pattern Files for the Embedded Scanner .......................78
Subscribing to the AV Signature Service ............................................ 78
Updating AV Patterns........................................................................ 79
AV Scanner Global Settings...................................................................... 80
AV Resource Allotment ..................................................................... 81
Fail-Mode Behavior ........................................................................... 81
Maximum Content Size and Maximum Messages (Internal AV Only) 82
HTTP Keep-Alive ............................................................................... 83
HTTP Trickling (Internal AV Only) ..................................................... 84
AV Profiles............................................................................................... 86
Assigning an AV Profile to a Firewall Policy....................................... 87
Initiating an AV Profile for Internal AV .............................................. 87
Example: (Internal AV) Scanning for All Traffic Types .......................88
Example: AV Scanning for SMTP and HTTP Traffic Only................... 88
AV Profile Settings............................................................................. 89
Anti-Spam Filtering ........................................................................................ 93
Black Lists and White Lists ...................................................................... 93
Basic Configuration.................................................................................. 94
Filtering Spam Traffic........................................................................ 94
Dropping Spam Messages .................................................................94
Defining a Black List ................................................................................ 95
Defining a White List ............................................................................... 95
Defining a Default Action......................................................................... 95
Enabling a Spam-Blocking List Server ...................................................... 96
xii
Table of Contents
Table of Contents
Testing Anti-Spam ................................................................................... 96

Web Filtering ................................................................................................. 97
Using the CLI to Initiate Web-Filtering Modes .......................................... 97
Integrated Web Filtering .......................................................................... 98
SurfControl Servers ........................................................................... 99
Web-Filtering Cache.......................................................................... 99
Configuring Integrated Web Filtering ..............................................100
Example: Integrated Web Filtering..................................................105
Redirect Web Filtering ...........................................................................107
Virtual System Support....................................................................108
Configuring Redirect Web Filtering .................................................109
Example: Redirect Web Filtering.....................................................112
Chapter 5
Deep Inspection
115
Overview .....................................................................................................116
Attack Object Database Server .....................................................................120
Predefined Signature Packs ...................................................................120
Updating Signature Packs ......................................................................121
Before You Start Updating Attack Objects .......................................122
Immediate Update ..........................................................................122
Automatic Update ...........................................................................123
Automatic Notification and Immediate Update ...............................124
Manual Update................................................................................125
Attack Objects and Groups ...........................................................................127
Supported Protocols ..............................................................................129
Stateful Signatures .................................................................................132
TCP Stream Signatures ..........................................................................133
Protocol Anomalies................................................................................133
Attack Object Groups.............................................................................134
Changing Severity Levels.................................................................134
Example: Deep Inspection for P2P..................................................135
Disabling Attack Objects........................................................................137
Attack Actions..............................................................................................138
Example: Attack ActionsClose Server, Close, Close Client ............139
Brute Force Attack Actions ....................................................................146
Brute Force Attack Objects..............................................................146
Brute Force Attack Target................................................................147
Brute Force Attack Timeout.............................................................147
Example 1.......................................................................................148
Example 2.......................................................................................148
Example 3.......................................................................................149
Attack Logging .............................................................................................149
Example: Disabling Logging per Attack Group.................................149
Mapping Custom Services to Applications ....................................................152
Example: Mapping an Application to a Custom Service...................153
Example: Application-to-Service Mapping for HTTP Attacks ............155
Customized Attack Objects and Groups........................................................156
User-Defined Stateful Signature Attack Objects......................................156
Regular Expressions........................................................................157
Example: User-Defined Stateful Signature Attack Objects ...............158
TCP Stream Signature Attack Objects ....................................................160
Example: User-Defined Stream Signature Attack Object..................161
Configurable Protocol Anomaly Parameters ..........................................162
Example: Modifying Parameters .....................................................162
Table of Contents
xiii
Negation ......................................................................................................163
Example: Attack Object Negation....................................................163
Granular Blocking of HTTP Components ......................................................167
ActiveX Controls....................................................................................168
Java Applets...........................................................................................168
EXE Files ...............................................................................................168
ZIP Files.................................................................................................168
Example: Blocking Java Applets and .exe Files................................169
Chapter 6
Intrusion Detection and Prevention
171
IDP-Capable Security Devices.......................................................................172

Traffic Flow in an IDP-capable Device..........................................................173
Configuring Intrusion Detection and Prevention ..........................................174
Preconfiguration Tasks ..........................................................................174
Example 1: Basic IDP Configuration ......................................................175
Example 2: Configuring IDP for ActivePassive Failover .......................177
Example 3: Configuring IDP for ActiveActive Failover .........................179
Configuring Security Policies ........................................................................182
About Security Policies ..........................................................................182
Managing Security Policies ....................................................................182
Installing Security Policies .....................................................................183
Using IDP Rulebases ....................................................................................183
Role-Based Administration of IDP Rulebases .........................................184
Configuring Objects for IDP Rules..........................................................184
Using Security Policy Templates ............................................................185
Enabling IDP in Firewall Rules .....................................................................185
Enabling IDP..........................................................................................186
Specifying Inline or Inline Tap Mode .....................................................186
Configuring IDP Rules ..................................................................................187
Adding the IDP Rulebase .......................................................................188
Matching Traffic ....................................................................................189
Source and Destination Zones.........................................................189
Source and Destination Address Objects .........................................189
Example: Setting Source and Destination........................................190
Example: Setting Multiple Sources and Destinations .......................190
Services...........................................................................................190
Example: Setting Default Services ...................................................191
Example: Setting Specific Services ..................................................191
Example: Setting Nonstandard Services ..........................................192
Terminal Rules ................................................................................193
Example: Setting Terminal Rules.....................................................193
Defining Actions ....................................................................................195
Setting Attack Objects............................................................................196
Adding Attack Objects Individually..................................................196
Adding Attack Objects by Category .................................................196
Example: Adding Attack Objects by Service ....................................196
Adding Attack Objects by Operating System ...................................196
Adding Attack Objects by Severity ..................................................197
Setting IP Action ....................................................................................197
Choosing an IP Action .....................................................................198
Choosing a Blocking Option ............................................................198
Setting Logging Options ..................................................................198
Setting Timeout Options .................................................................198
Setting Notification ................................................................................198
xiv
Table of Contents
Table of Contents
Setting Logging ...............................................................................199

Setting an Alert ...............................................................................199
Logging Packets ..............................................................................199
Setting Severity......................................................................................199
Setting Targets.......................................................................................200
Entering Comments...............................................................................200
Configuring Exempt Rules............................................................................200
Adding the Exempt Rulebase.................................................................201
Defining a Match ...................................................................................202
Example: Exempting a Source/Destination Pair ..............................203
Setting Attack Objects............................................................................203
Example: Exempting Specific Attack Objects ..................................203
Setting Targets.......................................................................................203
Creating an Exempt Rule from the Log Viewer ......................................204
Configuring Backdoor Rules .........................................................................205
Adding the Backdoor Rulebase ..............................................................205
Defining a Match ...................................................................................206
Services...........................................................................................207
Setting the Operation ............................................................................207
Setting Actions.......................................................................................207
Setting Notification ................................................................................208
Setting Logging ...............................................................................208
Setting an Alert ...............................................................................208
Logging Packets ..............................................................................208
Setting Severity......................................................................................209
Setting Targets.......................................................................................209
Configuring IDP Attack Objects ....................................................................209
About IDP Attack Object Types..............................................................209
Signature Attack Objects .................................................................210
Protocol Anomaly Attack Objects ....................................................210
Compound Attack Objects...............................................................210
Viewing Predefined IDP Attack Objects and Groups ..............................210
Viewing Predefined Attacks.............................................................211
Viewing Predefined Groups .............................................................211
Creating Custom IDP Attack Objects......................................................212
Creating a Signature Attack Object..................................................214
Creating a Protocol Anomaly Attack................................................219
Creating a Compound Attack ..........................................................220
Editing a Custom Attack Object.......................................................222
Deleting a Custom Attack Object.....................................................222
Creating Custom IDP Attack Groups ......................................................223
Configuring Static Groups................................................................223
Configuring Dynamic Groups ..........................................................224
Example: Creating a Dynamic Group ..............................................225
Updating Dynamic Groups ..............................................................226
Editing a Custom Attack Group .......................................................227
Deleting a Custom Attack Group .....................................................227
Configuring the Device as a Standalone IDP Device .....................................227
Table of Contents
xv
Enabling IDP..........................................................................................227
Example: Configuring a Firewall Rule for Standalone IDP ...............228
Configuring Role-Based Administration .................................................228
Example: Configuring an IDP-Only Administrator ...........................229
Managing IDP ..............................................................................................230
About Attack Database Updates.............................................................230
Downloading Attack Database Updates .................................................230
Using Updated Attack Objects .........................................................231
Updating the IDP Engine.................................................................231
Viewing IDP Logs...................................................................................233
Chapter 7
Suspicious Packet Attributes
235
ICMP Fragments ..........................................................................................236

Large ICMP Packets......................................................................................237
Bad IP Options .............................................................................................238
Unknown Protocols......................................................................................239
IP Packet Fragments ....................................................................................240
SYN Fragments ............................................................................................241
Appendix A
Contexts for User-Defined Signatures
A-I
Index..........................................................................................................................IX-I
Volume 5:
Virtual Private Networks
About This Volume
vii
Document Conventions................................................................................. viii

Web User Interface Conventions ............................................................ viii
Naming Conventions and Character Types ............................................... ix
Chapter 1
Internet Protocol Security
Introduction to Virtual Private Networks .......................................................... 2

IPSec Concepts ................................................................................................3
Modes........................................................................................................ 4
Transport Mode .................................................................................. 4
Tunnel Mode ....................................................................................... 4
Protocols ................................................................................................... 5
Authentication Header ........................................................................ 6
Encapsulating Security Payload........................................................... 6
Key Management ...................................................................................... 7
Manual Key ......................................................................................... 7
AutoKey IKE........................................................................................ 7
Security Associations ................................................................................. 8
Tunnel Negotiation........................................................................................... 8
Phase 1...................................................................................................... 9
Main and Aggressive Modes ................................................................ 9
Diffie-Hellman Exchange................................................................... 10
Phase 2.................................................................................................... 11
xvi
Table of Contents
Table of Contents
Perfect Forward Secrecy ................................................................... 11

Replay Protection.............................................................................. 12
IKE and IPSec Packets.................................................................................... 12
IKE Packets ............................................................................................. 12
IPSec Packets .......................................................................................... 15
Chapter 2
Public Key Cryptography
19
Introduction to Public Key Cryptography ....................................................... 20

Signing a Certificate................................................................................. 20
Verifying a Digital Signature .................................................................... 20
Public Key Infrastructure................................................................................ 22
Certificates and CRLs ..................................................................................... 24
Requesting a Certificate Manually............................................................ 26
Loading Certificates and Certificate Revocation Lists ............................... 28
Configuring CRL Settings ......................................................................... 29
Obtaining a Local Certificate Automatically ............................................. 30
Automatic Certificate Renewal.................................................................33
Key-Pair Generation................................................................................. 34
Online Certificate Status Protocol................................................................... 34
Specifying a Certificate Revocation Check Method .................................. 35
Viewing Status Check Attributes .............................................................. 36
Specifying an Online Certificate Status Protocol Responder URL ............. 36
Removing Status Check Attributes........................................................... 36
Self-Signed Certificates................................................................................... 37
Certificate Validation ............................................................................... 38
Manually Creating Self-Signed Certificates ............................................... 39
Setting an Admin-Defined Self-Signed Certificate .................................... 40
Certificate Auto-Generation...................................................................... 44
Deleting Self-Signed Certificates .............................................................. 45
Chapter 3
Virtual Private Network Guidelines
47
Cryptographic Options ................................................................................... 48

Site-to-Site Cryptographic Options ........................................................... 48
Dialup VPN Options................................................................................. 55
Route-Based and Policy-Based Tunnels .......................................................... 62
Packet Flow: Site-to-Site VPN ......................................................................... 63
Tunnel Configuration Guidelines .................................................................... 69
Route-Based Virtual Private Network Security Considerations ........................ 71
Null Route................................................................................................ 71
Dialup or Leased Line .............................................................................. 73
VPN Failover to Leased Line or Null Route............................................... 74
Decoy Tunnel Interface ........................................................................... 76
Virtual Router for Tunnel Interfaces......................................................... 77
Reroute to Another Tunnel ...................................................................... 77
Chapter 4
Site-to-Site Virtual Private Networks
79
Site-to-Site VPN Configurations ...................................................................... 80

Route-Based Site-to-Site VPN, AutoKey IKE ............................................. 86
Policy-Based Site-to-Site VPN, AutoKey IKE ............................................. 95
Route-Based Site-to-Site VPN, Dynamic Peer .........................................101
Policy-Based Site-to-Site VPN, Dynamic Peer.........................................109
Route-Based Site-to-Site VPN, Manual Key.............................................118
Policy-Based Site-to-Site VPN, Manual Key.............................................124
Table of Contents
xvii
Dynamic IKE Gateways Using FQDN ...........................................................129

Aliases ...................................................................................................130
Setting AutoKey IKE Peer with FQDN ....................................................131
VPN Sites with Overlapping Addresses.........................................................140
Transparent Mode VPN ................................................................................151
Chapter 5
Dialup Virtual Private Networks
159
Dialup ..........................................................................................................160
Policy-Based Dialup VPN, AutoKey IKE..................................................160
Route-Based Dialup VPN, Dynamic Peer................................................166
Policy-Based Dialup VPN, Dynamic Peer ...............................................173
Bidirectional Policies for Dialup VPN Users............................................178
Group IKE ID................................................................................................183
Group IKE ID with Certificates ...............................................................183
Wildcard and Container ASN1-DN IKE ID Types....................................185
Creating a Group IKE ID (Certificates) ....................................................187
Setting a Group IKE ID with Preshared Keys..........................................192
Shared IKE ID ..............................................................................................198
Chapter 6
Layer 2 Tunneling Protocol
205
Introduction to L2TP ....................................................................................205

Packet Encapsulation and Decapsulation .....................................................208
Encapsulation ........................................................................................208
Decapsulation........................................................................................209
Setting L2TP Parameters ..............................................................................211
L2TP and L2TP-over-IPSec ...........................................................................213
Configuring L2TP...................................................................................213
Configuring L2TP-over-IPSec .................................................................218
Bidirectional L2TP-over-IPSec ................................................................225
Chapter 7
Advanced Virtual Private Network Features
231
NAT-Traversal ..............................................................................................232
Probing for NAT.....................................................................................233
Traversing a NAT Device .......................................................................235
UDP Checksum......................................................................................237
Keepalive Packets..................................................................................237
Initiator/Responder Symmetry ..............................................................237
Enabling NAT-Traversal .........................................................................239
Using IKE IDs with NAT-Traversal..........................................................239
VPN Monitoring ...........................................................................................241
Rekey and Optimization Options...........................................................242
Source Interface and Destination Address .............................................243
Policy Considerations ............................................................................244
Configuring the VPN Monitoring Feature ...............................................244
SNMP VPN Monitoring Objects and Traps .............................................252
Multiple Tunnels per Tunnel Interface ..........................................................254
Route-to-Tunnel Mapping ......................................................................255
Remote Peers Addresses ......................................................................256
Manual and Automatic Table Entries .....................................................257
Manual Table Entries.......................................................................257
Automatic Table Entries ..................................................................257
Setting VPNs on a Tunnel Interface to Overlapping Subnets............259
Binding Automatic Route and NHTB Table Entries ..........................278
xviii
Table of Contents
Table of Contents
Using OSPF for Automatic Route Table Entries ...............................290

Redundant VPN Gateways............................................................................291
VPN Groups ...........................................................................................292
Monitoring Mechanisms ........................................................................293
IKE Heartbeats ................................................................................294
Dead Peer Detection .......................................................................294
IKE Recovery Procedure..................................................................295
TCP SYN-Flag Checking .........................................................................297
Creating Redundant VPN Gateways.................................................298
Creating Back-to-Back VPNs .........................................................................304
Creating Hub-and-Spoke VPNs .....................................................................311
Chapter 8
AutoConnect-Virtual Private Networks
321
Overview .....................................................................................................321
How It Works...............................................................................................321
NHRP Messages.....................................................................................322
AC-VPN Tunnel Initiation .......................................................................323
Configuring AC-VPN ..............................................................................324
Network Address Translation ..........................................................324
Configuration on the Hub................................................................324
Configuration on each Spoke ..........................................................325
Example ................................................................................................326
Index..........................................................................................................................IX-I
Volume 6:
Voice-over-Internet Protocol
About This Volume
Document Conventions................................................................................... vi
Web User Interface Conventions .............................................................. vi
Command Line Interface Conventions...................................................... vi
Naming Conventions and Character Types .............................................. vii
Illustration Conventions.......................................................................... viii
Technical Documentation and Support ........................................................... ix
Chapter 1
H.323 Application Layer Gateway
Overview ......................................................................................................... 1
Examples ......................................................................................................... 2
Example: Gatekeeper in the Trust Zone ..................................................... 2
Example: Gatekeeper in the Untrust Zone ................................................. 3
Example: Outgoing Calls with NAT ............................................................ 4
Example: Incoming Calls with NAT............................................................ 7
Example: Gatekeeper in the Untrust Zone with NAT................................ 10
Chapter 2
Session Initiation Protocol Application Layer Gateway
13
Overview ....................................................................................................... 13
SIP Request Methods ............................................................................... 14
Classes of SIP Responses ......................................................................... 16
SIP Application Layer Gateway ................................................................ 17
Session Description Protocol Sessions ..................................................... 18
Pinhole Creation ...................................................................................... 19
Table of Contents
xix
Session Inactivity Timeout....................................................................... 20

SIP Attack Protection ............................................................................... 21
Example: SIP Protect Deny ............................................................... 21
Example: Signaling-Inactivity and Media-Inactivity Timeouts ............ 22
Example: UDP Flooding Protection ................................................... 22
Example: SIP Connection Maximum ................................................. 23
SIP with Network Address Translation ........................................................... 23
Outgoing Calls ......................................................................................... 24
Incoming Calls......................................................................................... 24
Forwarded Calls....................................................................................... 25
Call Termination ...................................................................................... 25
Call Re-INVITE Messages ......................................................................... 25
Call Session Timers.................................................................................. 25
Call Cancellation ...................................................................................... 25
Forking .................................................................................................... 26
SIP Messages ........................................................................................... 26
SIP Headers ............................................................................................. 26
SIP Body.................................................................................................. 28
SIP NAT Scenario..................................................................................... 28
Examples ....................................................................................................... 30
Incoming SIP Call Support Using the SIP Registrar................................... 31
Example: Incoming Call (Interface DIP)............................................. 32
Example: Incoming Call (DIP Pool)....................................................35
Example: Incoming Call with MIP ..................................................... 37
Example: Proxy in the Private Zone .................................................. 39
Example: Proxy in the Public Zone ................................................... 42
Example: Three-Zone, Proxy in the DMZ .......................................... 44
Example: Untrust Intrazone .............................................................. 47
Example: Trust Intrazone.................................................................. 51
Example: Full-Mesh VPN for SIP........................................................ 53
Bandwidth Management for VoIP Services .............................................. 62
Chapter 3
Media Gateway Control Protocol Application Layer Gateway
65
Overview ....................................................................................................... 65
MGCP Security ............................................................................................... 66
About MGCP................................................................................................... 66
Entities in MGCP...................................................................................... 66
Endpoint ........................................................................................... 67
Connection ....................................................................................... 67
Call.................................................................................................... 67
Call Agent ......................................................................................... 67
Commands..............................................................................................68
Response Codes ...................................................................................... 70
Examples ....................................................................................................... 71
Media Gateway in Subscribers HomesCall Agent at the ISP ................. 71
ISP-Hosted Service................................................................................... 74
Chapter 4
Skinny Client Control Protocol Application Layer Gateway
79
Overview ....................................................................................................... 79
SCCP Security ................................................................................................ 80
About SCCP.................................................................................................... 81
SCCP Components................................................................................... 81
SCCP Client ....................................................................................... 81
xx
Table of Contents
Table of Contents
Call Manager ..................................................................................... 81

Cluster ..............................................................................................81
SCCP Transactions................................................................................... 82
Client Initialization ............................................................................ 82
Client Registration............................................................................. 82
Call Setup.......................................................................................... 83
Media Setup ...................................................................................... 83
SCCP Control Messages and RTP Flow..................................................... 84
SCCP Messages........................................................................................ 85
Examples ....................................................................................................... 85
Example: Call Manager/TFTP Server in the Trust Zone...................... 86
Example: Call Manager/TFTP Server in the Untrust Zone .................. 88
Example: Three-Zone, Call Manager/TFTP Server in the DMZ ........... 90
Example: Intrazone, Call Manager/TFTP Server in Trust Zone ........... 93
Example: Intrazone, Call Manager/TFTP Server in Untrust Zone ....... 97
Example: Full-Mesh VPN for SCCP ....................................................99
Index..........................................................................................................................IX-I
Volume 7:
Routing
About This Volume
ix
Chapter 1
Static Routing
Overview ......................................................................................................... 2
How Static Routing Works ......................................................................... 2
When to Configure Static Routes ............................................................... 3
Configuring Static Routes........................................................................... 5
Setting Static Routes ........................................................................... 5
Setting a Static Route for a Tunnel Interface ....................................... 9
Enabling Gateway Tracking ..................................................................... 10
Forwarding Traffic to the Null Interface ......................................................... 11
Preventing Route Lookup in Other Routing Tables .................................. 11
Preventing Tunnel Traffic from Being Sent on Non-Tunnel Interfaces...... 11
Preventing Loops Created by Summarized Routes................................... 11
Permanently Active Routes ............................................................................ 12
Changing Routing Preference with Equal Cost Multipath................................ 12
Chapter 2
Routing
13
Overview ....................................................................................................... 14
Virtual Router Routing Tables......................................................................... 15
Destination-Based Routing Table ............................................................. 16
Source-Based Routing Table .................................................................... 17
Source Interface-Based Routing Table...................................................... 19
Creating and Modifying Virtual Routers.......................................................... 21
Table of Contents
xxi
Modifying Virtual Routers ........................................................................ 21

Assigning a Virtual Router ID ................................................................... 22
Forwarding Traffic Between Virtual Routers ............................................ 23
Configuring Two Virtual Routers .............................................................. 23
Creating and Deleting Virtual Routers...................................................... 25
Creating a Custom Virtual Router ...................................................... 26
Deleting a Custom Virtual Router ...................................................... 26
Virtual Routers and Virtual Systems......................................................... 26
Creating a Virtual Router in a Vsys ....................................................27
Sharing Routes Between Virtual Routers ........................................... 28
Limiting the Number of Routing Table Entries ......................................... 29
Routing Features and Examples ..................................................................... 30
Route Selection........................................................................................ 30
Setting a Route Preference ................................................................ 30
Route Metrics .................................................................................... 31
Changing the Default Route Lookup Sequence .................................. 32
Route Lookup in Multiple Virtual Routers .......................................... 34
Configuring Equal Cost Multipath Routing ............................................... 35
Route Redistribution................................................................................ 37
Configuring a Route Map................................................................... 38
Route Filtering .................................................................................. 39
Configuring an Access List ................................................................ 40
Redistributing Routes into OSPF ....................................................... 40
Exporting and Importing Routes Between Virtual Routers .......................42
Configuring an Export Rule ............................................................... 42
Configuring Automatic Export........................................................... 43
Chapter 3
Open Shortest Path First
45
Overview ....................................................................................................... 46
Areas ....................................................................................................... 46
Router Classification ................................................................................ 47
Hello Protocol .......................................................................................... 47
Network Types ........................................................................................ 48
Broadcast Networks .......................................................................... 48
Point-to-Point Networks .................................................................... 48
Point-to-Multipoint Networks ............................................................ 48
Link-State Advertisements ....................................................................... 49
Basic OSPF Configuration .............................................................................. 49
Creating and Removing an OSPF Routing Instance ................................. 50
Creating an OSPF Instance................................................................ 50
Removing an OSPF Instance ............................................................. 51
Creating and Deleting an OSPF Area ....................................................... 51
Creating an OSPF Area...................................................................... 52
Deleting an OSPF Area...................................................................... 52
Assigning Interfaces to an OSPF Area ...................................................... 53
Assigning Interfaces to Areas ............................................................ 53
Configuring an Area Range ............................................................... 53
Enabling OSPF on Interfaces ................................................................... 54
Enabling OSPF on Interfaces............................................................. 54
Disabling OSPF on an Interface......................................................... 54
Verifying the Configuration...................................................................... 55
Redistributing Routes into Routing Protocols ................................................. 56
Summarizing Redistributed Routes ................................................................ 57
Summarizing Redistributed Routes.......................................................... 58
xxii
Table of Contents
Table of Contents
Global OSPF Parameters ................................................................................ 58

Advertising the Default Route .................................................................. 59
Virtual Links ............................................................................................ 59
Creating a Virtual Link....................................................................... 60
Creating an Automatic Virtual Link....................................................61
Setting OSPF Interface Parameters ................................................................ 62
Security Configuration.................................................................................... 64
Authenticating Neighbors ........................................................................ 64
Configuring a Clear-Text Password....................................................64
Configuring an MD5 Password .......................................................... 64
Configuring an OSPF Neighbor List.......................................................... 65
Rejecting Default Routes.......................................................................... 66
Protecting Against Flooding ..................................................................... 66
Configuring the Hello Threshold........................................................ 66
Configuring the LSA Threshold .......................................................... 67
Enabling Reduced Flooding............................................................... 67
Creating an OSPF Demand Circuit on a Tunnel Interface ............................... 67
Point-to-Multipoint Tunnel Interface............................................................... 68
Setting the OSPF Link-Type ..................................................................... 68
Disabling the Route-Deny Restriction ...................................................... 69
Creating a Point-to-Multipoint Network....................................................69
Chapter 4
Routing Information Protocol
73
Overview ....................................................................................................... 74
Basic RIP Configuration.................................................................................. 75
Creating and Deleting a RIP Instance....................................................... 76
Creating a RIP Instance ..................................................................... 76
Deleting a RIP Instance ..................................................................... 76
Enabling and Disabling RIP on Interfaces ................................................ 77
Enabling RIP on an Interface............................................................. 77
Disabling RIP on an Interface............................................................ 77
Redistributing Routes .............................................................................. 77
Viewing RIP Information................................................................................ 79
Viewing the RIP Database........................................................................ 79
Viewing RIP Details ................................................................................. 80
Viewing RIP Neighbor Information .......................................................... 81
Viewing RIP Details for a Specific Interface ............................................. 82
Global RIP Parameters ................................................................................... 83
Advertising the Default Route ........................................................................ 84
Configuring RIP Interface Parameters ............................................................ 85
Security Configuration.................................................................................... 86
Authenticating Neighbors by Setting a Password ..................................... 86
Configuring Trusted Neighbors ................................................................ 87
Protecting Against Flooding ..................................................................... 88
Configuring an Update Threshold...................................................... 89
Enabling RIP on Tunnel Interfaces ....................................................89
Optional RIP Configurations........................................................................... 90
Setting the RIP Version ............................................................................ 90
Enabling and Disabling a Prefix Summary............................................... 92
Enabling a Prefix Summary............................................................... 92
Disabling a Prefix Summary.............................................................. 93
Setting Alternate Routes .......................................................................... 93
Demand Circuits on Tunnel Interfaces..................................................... 94
Table of Contents
xxiii
Configuring a Static Neighbor .................................................................. 96

Configuring a Point-to-Multipoint Tunnel Interface......................................... 97
Chapter 5
Border Gateway Protocol
103
Overview .....................................................................................................104
Types of BGP Messages .........................................................................104
Path Attributes.......................................................................................105
External and Internal BGP .....................................................................105
Basic BGP Configuration...............................................................................106
Creating and Enabling a BGP Instance ...................................................107
Creating a BGP Routing Instance.....................................................107
Removing a BGP Instance ...............................................................108
Enabling and Disabling BGP on Interfaces .............................................108
Enabling BGP on Interfaces .............................................................108
Disabling BGP on Interfaces ............................................................108
Configuring BGP Peers and Peer Groups................................................109
Configuring a BGP Peer ...................................................................110
Configuring an IBGP Peer Group .....................................................110
Verifying the BGP Configuration ............................................................112
Security Configuration..................................................................................113
Authenticating BGP Neighbors ...............................................................113
Rejecting Default Routes........................................................................114
Optional BGP Configurations........................................................................115
Redistributing Routes into BGP ..............................................................116
Configuring an AS-Path Access List........................................................116
Adding Routes to BGP............................................................................117
Conditional Route Advertisement....................................................118
Setting the Route Weight.................................................................118
Setting Route Attributes ..................................................................119
Route-Refresh Capability .......................................................................119
Requesting an Inbound Routing Table Update ................................120
Requesting an Outbound Routing Table Update ..............................120
Configuring Route Reflection .................................................................120
Configuring a Confederation..................................................................122
BGP Communities .................................................................................124
Route Aggregation .................................................................................125
Aggregating Routes with Different AS-Paths ....................................125
Suppressing More-Specific Routes in Updates .................................126
Selecting Routes for Path Attribute..................................................127
Changing Attributes of an Aggregated Route ...................................128
Chapter 6
Policy-Based Routing
129
Policy-Based Routing Overview....................................................................130

Extended Access-Lists............................................................................130
Match Groups ........................................................................................130
Action Groups........................................................................................131
Route Lookup with Policy-Based Routing .....................................................132
Configuring Policy-Based Routing ................................................................132
Configuring an Extended Access List .....................................................133
Configuring a Match Group ....................................................................134
Configuring an Action Group .................................................................135
Configuring a PBR Policy .......................................................................136
Binding a Policy-Based Routing Policy ...................................................136
xxiv
Table of Contents
Table of Contents
Binding a Policy-Based Routing Policy to an Interface .....................136

Binding a Policy-Based Routing Policy to a Zone .............................136
Binding a Policy-Based Routing Policy to a Virtual Router ...............137
Viewing Policy-Based Routing Output ..........................................................137
Viewing an Extended Access List...........................................................137
Viewing a Match Group..........................................................................138
Viewing an Action Group .......................................................................138
Viewing a Policy-Based Routing Policy Configuration ............................139
Viewing a Complete Policy-Based Routing Configuration.......................139
Advanced PBR Example...............................................................................140
Routing..................................................................................................141
PBR Elements........................................................................................142
Extended Access Lists .....................................................................143
Match Groups..................................................................................143
Action Group...................................................................................143
PBR Policies ....................................................................................144
Interface Binding ...................................................................................144
Advanced PBR with High Availability and Scalability....................................145
Resilient PBR Solution ...........................................................................145
Scalable PBR Solution ............................................................................145
Chapter 7
Multicast Routing
147
Overview .....................................................................................................147
Multicast Addresses ...............................................................................148
Reverse Path Forwarding.......................................................................148
Multicast Routing on Security Devices..........................................................149
Multicast Routing Table .........................................................................149
Configuring a Static Multicast Route ......................................................150
Access Lists ...........................................................................................151
Configuring Generic Routing Encapsulation on Tunnel Interfaces ..........151
Multicast Policies..........................................................................................153
Chapter 8
Internet Group Management Protocol
155
Overview .....................................................................................................156
Hosts .....................................................................................................156
Multicast Routers ...................................................................................157
IGMP on Security Devices ............................................................................157
Enabling and Disabling IGMP on Interfaces ...........................................157
Enabling IGMP on an Interface........................................................158
Disabling IGMP on an Interface .......................................................158
Configuring an Access List for Accepted Groups ....................................158
Configuring IGMP ..................................................................................159
Verifying an IGMP Configuration ...........................................................161
IGMP Operational Parameters ...............................................................162
IGMP Proxy..................................................................................................163
Membership Reports Upstream to the Source........................................164
Multicast Data Downstream to Receivers...............................................165
Configuring IGMP Proxy ........................................................................166
Configuring IGMP Proxy on an Interface................................................166
Multicast Policies for IGMP and IGMP Proxy Configurations ..................168
Creating a Multicast Group Policy for IGMP .....................................168
Creating an IGMP Proxy Configuration............................................168
Setting Up an IGMP Sender Proxy .........................................................175
Table of Contents
xxv
Chapter 9
Protocol Independent Multicast
181
Overview .....................................................................................................182
PIM-SM ..................................................................................................183
Multicast Distribution Trees.............................................................183
Designated Router...........................................................................184
Mapping Rendezvous Points to Groups ...........................................184
Forwarding Traffic on the Distribution Tree ....................................185
PIM-SSM ................................................................................................187
Configuring PIM-SM on Security Devices......................................................187
Enabling and Deleting a PIM-SM Instance for a VR ................................188
Enabling PIM-SM Instance...............................................................188
Deleting a PIM-SM Instance.............................................................188
Enabling and Disabling PIM-SM on Interfaces........................................188
Enabling PIM-SM on an Interface ....................................................189
Disabling PIM-SM on an Interface ...................................................189
Multicast Group Policies.........................................................................189
Static-RP-BSR Messages ..................................................................189
Join-Prune Messages .......................................................................190
Defining a Multicast Group Policy for PIM-SM .................................190
Setting a Basic PIM-SM Configuration...........................................................191
Verifying the Configuration ..........................................................................195
Configuring Rendezvous Points....................................................................197
Configuring a Static Rendezvous Point ..................................................197
Configuring a Candidate Rendezvous Point ...........................................198
Security Considerations................................................................................199
Restricting Multicast Groups ..................................................................199
Restricting Multicast Sources .................................................................200
Restricting Rendezvous Points...............................................................201
PIM-SM Interface Parameters.......................................................................202
Defining a Neighbor Policy ....................................................................202
Defining a Bootstrap Border ..................................................................203
Configuring a Proxy Rendezvous Point ........................................................204
PIM-SM and IGMPv3 ....................................................................................213
Chapter 10
ICMP Router Discovery Protocol
215
Overview .....................................................................................................215
Configuring ICMP Router Discovery Protocol ...............................................216
Enabling ICMP Router Discovery Protocol .............................................216
Configuring ICMP Router Discovery Protocol from the WebUI...............216
Configuring ICMP Router Discovery Protocol from the CLI ....................217
Advertising an Interface ..................................................................217
Broadcasting the Address................................................................217
Setting a Maximum Advertisement Interval ....................................217
Setting a Minimum Advertisement Interval .....................................217
Setting an Advertisement Lifetime Value.........................................218
Setting a Response Delay ................................................................218
Setting an Initial Advertisement Interval .........................................218
Setting a Number of Initial Advertisement Packets..........................218
Disabling IRDP .............................................................................................219
Viewing IRDP Settings..................................................................................219
xxvi
Table of Contents
Table of Contents
Index..........................................................................................................................IX-I
Volume 8:
Address Translation
About This Volume
Chapter 1
Address Translation
Introduction to Address Translation ................................................................. 1

Source Network Address Translation ......................................................... 1
Destination Network Address Translation.................................................. 3
Policy-Based NAT-Dst.......................................................................... 4
Mapped IP........................................................................................... 6
Virtual IP ............................................................................................. 6
Policy-Based Translation Options ..................................................................... 7
Example: NAT-Src from a DIP Pool with PAT............................................. 7
Example: NAT-Src From a DIP Pool Without PAT ...................................... 7
Example: NAT-Src from a DIP Pool with Address Shifting.......................... 8
Example: NAT-Src from the Egress Interface IP Address............................ 8
Example: NAT-Dst to a Single IP Address with Port Mapping..................... 8
Example: NAT-Dst to a Single IP Address Without Port Mapping ............... 9
Example: NAT-Dst from an IP Address Range to a Single IP Address......... 9
Example: NAT-Dst Between IP Address Ranges ....................................... 10
Directional Nature of NAT-Src and NAT-Dst ................................................... 10
Chapter 2
Source Network Address Translation
13
Introduction to NAT-Src ................................................................................. 13

NAT-Src from a DIP Pool with PAT Enabled ................................................... 15
Example: NAT-Src with PAT Enabled....................................................... 15
NAT-Src from a DIP Pool with PAT Disabled .................................................. 18
Example: NAT-Src with PAT Disabled ...................................................... 18
NAT-Src from a DIP Pool with Address Shifting.............................................. 20
Example: NAT-Src with Address Shifting ................................................. 21
NAT-Src from the Egress Interface IP Address................................................ 24
Example: NAT-Src Without DIP ............................................................... 24
Chapter 3
Destination Network Address Translation
27
Introduction to NAT-Dst ................................................................................. 28

Packet Flow for NAT-Dst.......................................................................... 29
Routing for NAT-Dst ................................................................................ 32
Example: Addresses Connected to One Interface.............................. 33
Example: Addresses Connected to One Interface
But Separated by a Router .......................................................... 34
Example: Addresses Separated by an Interface................................. 34
NAT-DstOne-to-One Mapping ..................................................................... 35
Example: One-to-One Destination Translation......................................... 36
Table of Contents
xxvii
Translating from One Address to Multiple Addresses............................... 38

Example: One-to-Many Destination Translation ................................ 38
NAT-DstMany-to-One Mapping ................................................................... 41
Example: Many-to-One Destination Translation....................................... 41
NAT-DstMany-to-Many Mapping .................................................................44
Example: Many-to-Many Destination Translation .................................... 45
NAT-Dst with Port Mapping............................................................................ 47
Example: NAT-Dst with Port Mapping ..................................................... 47
NAT-Src and NAT-Dst in the Same Policy ....................................................... 50
Example: NAT-Src and NAT-Dst Combined.............................................. 50
Chapter 4
Mapped and Virtual Addresses
63
Mapped IP Addresses..................................................................................... 63
MIP and the Global Zone ......................................................................... 64
Example: MIP on an Untrust Zone Interface...................................... 65
Example: Reaching a MIP from Different Zones................................ 67
Example: Adding a MIP to a Tunnel Interface ................................... 70
MIP-Same-as-Untrust ............................................................................... 70
Example: MIP on the Untrust Interface ............................................. 71
MIP and the Loopback Interface .............................................................. 73
Example: MIP for Two Tunnel Interfaces .......................................... 74
MIP Grouping .......................................................................................... 79
Example: MIP Grouping with Multi-Cell Policy................................... 79
Virtual IP Addresses ....................................................................................... 80
VIP and the Global Zone .......................................................................... 82
Example: Configuring Virtual IP Servers............................................ 82
Example: Editing a VIP Configuration ............................................... 84
Example: Removing a VIP Configuration........................................... 84
Example: VIP with Custom and Multiple-Port Services ...................... 85
Index..........................................................................................................................IX-I
Volume 9:
User Authentication
About This Guide
vii

Chapter 1
Authentication
User Authentication Types ............................................................................... 1

Admin Users .................................................................................................... 2
Multiple-Type Users.......................................................................................... 4
Group Expressions ........................................................................................... 5
Example: Group Expressions (AND)........................................................... 6
Example: Group Expressions (OR) ............................................................. 8
Example: Group Expressions (NOT)........................................................... 9
Banner Customization.................................................................................... 10
xxviii
Table of Contents
Table of Contents
Example: Customizing a WebAuth Banner .............................................. 10

Login Banner.................................................................................................. 10
Example: Creating a Login Banner........................................................... 11
Chapter 2
Authentication Servers
13
Authentication Server Types .......................................................................... 13

Local Database............................................................................................... 15
Example: Local Database Timeout........................................................... 16
External Authentication Servers ..................................................................... 17
Auth Server Object Properties.................................................................. 18
Auth Server Types.......................................................................................... 19
Remote Authentication Dial-In User Service ............................................ 19
RADIUS Auth Server Object Properties.............................................. 20
Supported User Types and Features .................................................. 20
RADIUS Dictionary File ..................................................................... 21
RADIUS Access Challenge .................................................................22
Supported RADIUS Enhancements for Auth and XAuth Users ........... 24
SecurID.................................................................................................... 27
SecurID Auth Server Object Properties.............................................. 28
Lightweight Directory Access Protocol ..................................................... 29
LDAP Auth Server Object Properties ................................................. 30
Terminal Access Control Access Control System Plus (TACACS+)........... 30
TACACS+Server Object Properties ................................................... 32
Prioritizing Admin Authentication .................................................................. 32
Defining Auth Server Objects ......................................................................... 33
Example: RADIUS Auth Server ................................................................ 33
Example: SecurID Auth Server.................................................................35
Example: LDAP Auth Server .................................................................... 36
Example: TACACS+ Auth Server............................................................. 38
Defining Default Auth Servers ........................................................................ 39
Example: Changing Default Auth Servers ................................................ 39
Chapter 3
Infranet Authentication
41
Unified Access Control Solution ..................................................................... 42

How the Firewall Works with the Infranet Controller ..................................... 43
Configuring for Infranet Authentication.......................................................... 44
Chapter 4
Authentication Users
45
Referencing Auth Users in Policies .................................................................46

Run-Time Authentication......................................................................... 46
Pre-Policy Check Authentication (WebAuth) ............................................ 47
Referencing Auth User Groups in Policies ...................................................... 48
Example: Run-Time Authentication (Local User) ...................................... 49
Example: Run-Time Authentication (Local User Group) ........................... 50
Example: Run-Time Authentication (External User) ................................. 51
Example: Run-Time Authentication (External User Group) ...................... 53
Example: Local Auth User in Multiple Groups .......................................... 55
Example: WebAuth (Local User Group) ....................................................58
Example: WebAuth (External User Group) ............................................... 59
Example: WebAuth + SSL Only (External User Group) ........................... 61
Table of Contents
xxix
Chapter 5
IKE, XAuth, and L2TP Users
65
IKE Users and User Groups ............................................................................ 65

Example: Defining IKE Users................................................................... 66
Example: Creating an IKE User Group ..................................................... 67
Referencing IKE Users in Gateways ......................................................... 68
XAuth Users and User Groups ........................................................................ 68
Event Logging for IKE Mode .................................................................... 69
XAuth Users in IKE Negotiations.............................................................. 70
Example: XAuth Authentication (Local User) ..................................... 71
Example: XAuth Authentication (Local User Group) .......................... 73
Example: XAuth Authentication (External User) ................................ 74
Example: XAuth Authentication (External User Group)...................... 76
Example: XAuth Authentication and Address
Assignments (Local User Group) ................................................. 79
XAuth Client ............................................................................................ 83
Example: Security Device as an XAuth Client.................................... 83
L2TP Users and User Groups .......................................................................... 84
Example: Local and External L2TP Auth Servers...................................... 84
Chapter 6
Extensible Authentication for Wireless and Ethernet Interfaces
89
Overview ....................................................................................................... 90
Supported EAP Types..................................................................................... 90
Enabling and Disabling 802.1X Authentication .............................................. 91
Ethernet Interfaces .................................................................................. 91
Wireless Interfaces .................................................................................. 91
Configuring 802.1X Settings........................................................................... 92
Configuring 802.1X Port Control ............................................................. 92
Configuring 802.1X Control Mode ........................................................... 93
Setting the Maximum Number of Simultaneous Users............................. 93
Configuring the Reauthentication Period ................................................. 94
Enabling EAP Retransmissions ................................................................ 94
Configuring EAP Retransmission Count ................................................... 95
Configuring EAP Retransmission Period .................................................. 95
Configuring the Silent (Quiet) Period ....................................................... 95
Configuring Authentication Server Options ....................................................96
Specifying an Authentication Server ........................................................ 96
Ethernet Interfaces............................................................................ 96
Wireless Interfaces............................................................................ 97
Setting the Account Type......................................................................... 97
Enabling Zone Verification....................................................................... 98
Viewing 802.1X Information .......................................................................... 98
Viewing 802.1X Global Configuration Information .................................. 98
Viewing 802.1X Information for an Interface .......................................... 99
Viewing 802.1X Statistics ........................................................................ 99
Viewing 802.1X Session Statistics..........................................................100
Viewing 802.1X Session Details.............................................................100
Configuration Examples ...............................................................................101
Configuring the Security Device with a Directly Connected Client and
RADIUS Server ................................................................................101
Configuring a Security Device with a Hub Between a Client and the Security
Device.............................................................................................102
Configuring the Authentication Server with a Wireless Interface ...........104
xxx
Table of Contents
Table of Contents
Index..........................................................................................................................IX-I
Volume 10:
Virtual Systems
About This Volume
Document Conventions.................................................................................... v
Web User Interface Conventions ............................................................... v
Naming Conventions and Character Types ............................................... vi
Chapter 1
Virtual Systems
Overview ......................................................................................................... 2
Vsys Objects .................................................................................................... 4
Creating a Vsys Object and Admin ............................................................ 4
Setting a Default Virtual Router for a Vsys ................................................. 6
Binding Zones to a Shared Virtual Router .................................................. 6
Logging In as a Vsys Admin ............................................................................. 7
Virtual System Profiles ..................................................................................... 8
Vsys Session Counters ............................................................................... 9
Vsys Session Information .......................................................................... 9
Behavior in High-Availability Pairs ........................................................... 10
Creating a Vsys Profile............................................................................. 10
Setting Resource Limits ........................................................................... 10
Adding Session Limits Through Vsys Profile Assignment ......................... 12
Setting a Session Override ....................................................................... 13
Overriding a Session Limit Reached Alarm ....................................... 13
Deleting a Vsys Profile ............................................................................. 13
Viewing Vsys Settings .............................................................................. 14
Viewing Overrides............................................................................. 14
Viewing a Profile ............................................................................... 15
Viewing Session Statistics.................................................................. 16
Sharing and Partitioning CPU Resources ........................................................ 16
Configuring CPU Weight .......................................................................... 17
Fair Mode Packet Flow ............................................................................ 18
Returning from Fair Mode to Shared Mode.............................................. 19
Enabling the CPU Limit Feature ............................................................... 19
Measuring CPU Use ................................................................................. 20
Setting the Shared to Fair Mode CPU Utilization Threshold...................... 22
Configuring a Method to Return to Shared Mode ..................................... 25
Setting a Fixed Root Vsys CPU Weight..................................................... 26
Vsys and Virtual Private Networks .................................................................26
Viewing Security Associations.................................................................. 27
Viewing IKE Cookies................................................................................ 27
Policy Scheduler............................................................................................. 28
Creating a Policy Scheduler ..................................................................... 28
Binding a Policy Schedule to a Policy....................................................... 29
Viewing Policy Schedules......................................................................... 29
Deleting a Policy Schedule....................................................................... 30
Table of Contents
xxxi
Chapter 2
Traffic Sorting
31
Overview ....................................................................................................... 31
Sorting Traffic.......................................................................................... 31
Sorting Through Traffic............................................................................ 32
Dedicated and Shared Interfaces ............................................................. 37
Dedicated Interfaces ......................................................................... 37
Shared Interfaces .............................................................................. 37
Importing and Exporting Physical Interfaces.................................................. 39
Importing a Physical Interface to a Virtual System................................... 39
Exporting a Physical Interface from a Virtual System .............................. 40
Chapter 3
VLAN-Based Traffic Classification
41
Overview ....................................................................................................... 41
VLANs...................................................................................................... 42
VLANs with Vsys...................................................................................... 42
Configuring Layer 2 Virtual Systems .............................................................. 43
Example 1: Configuring a Single Port ................................................ 45
Example 2: Configuring Two 4-Port Aggregates with Separate Untrust
Zones ......................................................................................... 49
Example 3: Configuring Two 4-Port Aggregates that Share One
Untrusted Zone........................................................................... 55
Defining Subinterfaces and VLAN Tags .......................................................... 62
Communicating Between Virtual Systems...................................................... 65
VLAN Retagging ............................................................................................. 68
Example:........................................................................................... 69
Chapter 4
IP-Based Traffic Classification
71
Overview ....................................................................................................... 71
Designating an IP Range to the Root System ................................................. 72
Configuring IP-Based Traffic Classification ..................................................... 73
Index..........................................................................................................................IX-I
Volume 11:
High Availability
About This Volume
Chapter 1
NetScreen Redundancy Protocol
High Availability Overview ............................................................................... 1

NSRP Overview................................................................................................3
NSRP Default Settings................................................................................ 4
NSRP-Lite .................................................................................................. 4
NSRP-Lite Default Settings ......................................................................... 6
Basic NSRP Settings................................................................................... 6
xxxii
Table of Contents
Table of Contents
Control Link Messages ........................................................................ 6

Data Link Messages............................................................................. 7
Dynamic Routing Advisory.................................................................. 8
Dual Link Probes................................................................................. 8
NSRP Clusters ................................................................................................ 10
Cluster Names ......................................................................................... 11
Active/Passive Configuration ............................................................. 11
Active/Active Configuration ............................................................... 12
Active/Active Full-Mesh Configuration ............................................... 14
NSRP Cluster Authentication and Encryption........................................... 15
Run-Time Objects .................................................................................... 16
RTO Mirror Operational States ................................................................ 17
NSRP Cluster Synchronization .................................................................18
File Synchronization.......................................................................... 18
Configuration Synchronization .......................................................... 19
Route Synchronization ...................................................................... 19
Run-Time Object Synchronization..................................................... 20
System Clock Synchronization .......................................................... 20
VSD Groups.................................................................................................... 21
Preempt Option....................................................................................... 21
Member States ........................................................................................ 22
Heartbeat Message .................................................................................. 23
VSI and Static Routes............................................................................... 24
Configuration Examples ................................................................................. 25
Cabling Devices for Active/Active Full-Mesh NSRP ................................... 25
Creating an NSRP Cluster ........................................................................ 28
Configuring an Active/Passive NSRP Cluster ............................................ 30
Configuring an Active/Active NSRP Cluster .............................................. 34
Synchronizing RTOs Manually .................................................................39
Configuring Manual Link Probes .............................................................. 40
Configuring Automatic Link Probes ......................................................... 40
Chapter 2
Interface Redundancy and Failover
41
Redundant Interfaces and Zones.................................................................... 42

Holddown Time Settings.......................................................................... 42
Aggregate Interfaces ................................................................................ 43
Interface Failover ........................................................................................... 44
Backup Interface Traffic........................................................................... 44
Primary Interface Traffic ......................................................................... 45
Automatic Traffic Failover ....................................................................... 45
Serial Interfaces....................................................................................... 46
Default Route Deletion ...................................................................... 46
Default Route Addition...................................................................... 46
Policy Deactivation ........................................................................... 47
Monitoring Failover ................................................................................. 47
Interface Failover with IP Tracking .......................................................... 48
Active-to-Backup Tunnel Failover............................................................. 48
Interface Failover with VPN Tunnel Monitoring ....................................... 48
NSRP Object Monitoring to Trigger Failover ................................................... 50
Security Module....................................................................................... 51
Physical Interface .................................................................................... 51
Zone Objects ........................................................................................... 52
Tracked IP Objects................................................................................... 52
Track IP for Device Failover..................................................................... 54
Table of Contents
xxxiii
Virtual Security Device Group Failover ........................................................... 56

Virtual System Failover .................................................................................. 56
Device Failover ..............................................................................................57
Configuring Track IP for Device Failover.................................................. 59
Configuring a Redundant VPN Tunnel ..................................................... 61
Configuring Virtual Security Interfaces..................................................... 65
Configuring Dual Active Tunnels.............................................................. 68
Configuring Interface Failover Using Track IP .......................................... 72
Configuring Tunnel Failover Weights ....................................................... 76
Configuring Virtual System Failover......................................................... 82
Index..........................................................................................................................IX-I
Volume 12:
WAN, DSL, Dial, and Wireless
About This Volume
ix
Chapter 1
Wide Area Networks
WAN Overview ................................................................................................1

Serial ......................................................................................................... 2
T1.............................................................................................................. 3
E1.............................................................................................................. 3
T3.............................................................................................................. 4
E3.............................................................................................................. 4
ISDN.......................................................................................................... 5
WAN Interface Options .................................................................................... 7
Hold Time.................................................................................................. 8
Frame Checksum....................................................................................... 9
Idle-cycle Flag............................................................................................ 9
Start/End Flag ............................................................................................ 9
Line Encoding.......................................................................................... 10
Alternate Mark Inversion Encoding ................................................... 10
B8ZS and HDB3 Line Encoding ......................................................... 11
Byte Encoding................................................................................... 11
Line Buildout..................................................................................... 11
Framing Mode ......................................................................................... 12
Superframe for T1............................................................................. 12
Extended Superframe for T1 ............................................................. 12
C-Bit Parity Framing for T3 ............................................................... 13
Clocking .................................................................................................. 13
Clocking Mode .................................................................................. 13
Clocking Source ................................................................................ 14
Internal Clock Rate............................................................................ 14
Transmit Clock Inversion .................................................................. 16
Signal Handling ....................................................................................... 16
xxxiv
Table of Contents
Table of Contents
Loopback Signal ...................................................................................... 17

Remote and Local Loopback ............................................................. 17
Loopback Mode................................................................................. 18
CSU Compatibility Mode .................................................................. 20
Remote Loopback Response ............................................................. 21
FEAC Response ................................................................................. 21
Time Slots................................................................................................ 22
Fractional T1..................................................................................... 22
Fractional E1..................................................................................... 22
Bit Error Rate Testing .............................................................................. 23
ISDN Options........................................................................................... 24
Switch Type ...................................................................................... 24
SPID.................................................................................................. 24
TEI Negotiation ................................................................................. 25
Calling Number ................................................................................. 25
T310 Value........................................................................................ 25
Send Complete.................................................................................. 26
BRI Mode................................................................................................. 26
Leased-Line Mode ............................................................................. 26
Dialer Enable .................................................................................... 26
Dialer Options ......................................................................................... 27
Disabling a WAN Interface....................................................................... 28
WAN Interface Encapsulation......................................................................... 28
Point-to-Point Protocol............................................................................. 29
Frame Relay ............................................................................................ 29
Cisco-High-Level Data Link Control (Cisco-HDLC) .................................... 30
Basic Encapsulation Options.................................................................... 30
Unnumbered Interfaces .................................................................... 31
Protocol Maximum Transmission Unit Configuration ........................ 31
Static IP Address Configuration ......................................................... 31
Keepalives......................................................................................... 32
PPP Encapsulation Options...................................................................... 33
PPP Access Profile............................................................................. 33
PPP Authentication Method............................................................... 34
Password .......................................................................................... 35
PPP Authentication Protocols .................................................................. 35
Challenge Handshake Authentication Protocol .................................. 35
Password Authentication Protocol..................................................... 36
Local Database User.......................................................................... 36
Frame Relay Encapsulation Options ........................................................ 36
Keepalive Messages .......................................................................... 37
Frame Relay LMI Type ...................................................................... 37
Creating and Configuring PVCs ......................................................... 38
Inverse Address Resolution Protocol ................................................. 39
Multilink Encapsulation .................................................................................. 40
Overview ................................................................................................. 40
Basic Multilink Bundle Configuration ....................................................... 41
Bundle Identifier ............................................................................... 41
Drop Timeout.................................................................................... 41
Fragment Threshold.......................................................................... 42
Minimum Links ................................................................................. 43
Basic Configuration Steps.................................................................. 43
Maximum Received Reconstructed Unit............................................ 44
Sequence-Header Format.................................................................. 44
Table of Contents
xxxv
Multilink Frame Relay Configuration Options .......................................... 45

Basic Configuration Steps.................................................................. 45
Link Assignment for MLFR ................................................................ 46
Acknowledge Retries......................................................................... 46
Acknowledge Timer .......................................................................... 46
Hello Timer ....................................................................................... 47
WAN Interface Configuration Examples ......................................................... 47
Configuring a Serial Interface .................................................................. 47
Configuring a T1 Interface ....................................................................... 48
Configuring an E1 Interface ..................................................................... 49
Configuring a T3 Interface ....................................................................... 49
Configuring an E3 Interface ..................................................................... 50
Configuring a Device for ISDN Connectivity ............................................ 51
Step 1: Selecting the ISDN Switch Type ................................................... 51
Step 2: Configuring a PPP Profile............................................................. 51
Step 3: Setting Up the ISDN BRI Interface................................................ 52
Dialing Out to a Single Destination Only ........................................... 52
Dialing Out Using the Dialer Interface ............................................... 53
Using Leased-Line Mode.................................................................... 56
Step 4: Routing Traffic to the Destination ................................................ 56
Encapsulation Configuration Examples .......................................................... 58
Configuring PPP Encapsulation................................................................ 58
Configuring MLPPP Encapsulation ........................................................... 59
Configuring Frame Relay Encapsulation .................................................. 61
Configuring MLFR Encapsulation ............................................................. 61
Configuring Cisco HDLC Encapsulation....................................................63
Chapter 2
Digital Subscriber Line
65
Digital Subscriber Line Overview ................................................................... 65

Asynchronous Transfer Mode .................................................................. 66
ATM Quality of Service...................................................................... 67
Point-to-Point Protocol over ATM ...................................................... 68
Multilink Point-to-Point Protocol........................................................ 69
Discrete Multitone for DSL Interfaces ...................................................... 69
Annex Mode ............................................................................................ 70
Virtual Circuits ......................................................................................... 71
VPI/VCI and Multiplexing Method...................................................... 71
PPPoE or PPPoA ............................................................................... 72
Static IP Address and Netmask ................................................................ 72
ADSL Interface ............................................................................................... 73
G.SHDSL Interface.......................................................................................... 74
Loopback Mode ....................................................................................... 75
Operation, Administration, and Maintenance .......................................... 75
Signal-to-Noise Ratio................................................................................ 76
ADSL Configuration Examples ....................................................................... 77
Example 1: (Small Business/Home) PPPoA on ADSL Interface................. 78
Example 2: (Small Business/Home) 1483 Bridging on ADSL Interface ..... 80
Example 3: (Small Business) 1483 Routing on ADSL Interface................. 82
Example 4: (Small Business/Home) Dialup Backup .................................. 84
Example 5: (Small Business/Home) Ethernet Backup............................... 87
Example 6: (Small Business/Home) ADSL Backup.................................... 90
Example 7: (Small Business) MLPPP ADSL............................................... 93
Example 8: (Small Business) Allow Access to Local Servers ..................... 95
Example 9: (Branch Office) VPN Tunnel Through ADSL........................... 97
xxxvi
Table of Contents
Table of Contents
Example 10: (Branch Office) Secondary VPN Tunnel .............................101

Chapter 3
ISP Failover and Dial Recovery
109
Setting ISP Priority for Failover ....................................................................109

Defining Conditions for ISP Failover ............................................................110
Configuring a Dialup Recovery Solution .......................................................110
Chapter 4
Wireless Local Area Network
115
Overview .....................................................................................................116
Wireless Product Interface Naming Differences.....................................117
Basic Wireless Network Feature Configuration.............................................117
Creating a Service Set Identifier.............................................................117
Suppressing SSID Broadcast............................................................118
Isolating a Client .............................................................................118
Setting the Operation Mode for a 2.4 GHz Radio Transceiver ................119
Setting the Operation Mode for a 5GHz Radio Transceiver ....................119
Configuring Minimum Data Transmit Rate ............................................120
Configuring Transmit Power..................................................................121
Reactivating a WLAN Configuration.......................................................121
Configuring Authentication and Encryption for SSIDs ..................................122
Configuring Wired Equivalent Privacy ...................................................122
Multiple WEP Keys..........................................................................123
Configuring Open Authentication ....................................................124
Configuring WEP Shared-Key Authentication ..................................126
Configuring Wi-Fi Protected Access .......................................................127
Configuring 802.1X Authentication for WPA and WPA2 .................128
Configuring Preshared Key Authentication for WPA and WPA2 ......128
Specifying Antenna Use ...............................................................................129
Setting the Country Code, Channel, and Frequency .....................................130
Using Extended Channels ............................................................................130
Performing a Site Survey..............................................................................131
Locating Available Channels.........................................................................131
Setting an Access Control List Entry .............................................................132
Configuring Super G .....................................................................................133
Configuring Atheros XR (Extended Range) ...................................................133
Configuring Wi-Fi Multimedia Quality of Service ..........................................134
Enabling WMM ......................................................................................134
Configuring WMM Quality of Service .....................................................134
Access Categories............................................................................135
WMM Default Settings.....................................................................135
Example..........................................................................................137
Configuring Advanced Wireless Parameters.................................................138
Configuring Aging Interval .....................................................................138
Configuring Beacon Interval ..................................................................139
Configuring Delivery Traffic Indication Message Period .........................140
Configuring Burst Threshold ..................................................................140
Configuring Fragment Threshold ...........................................................140
Configuring Request to Send Threshold .................................................141
Configuring Clear to Send Mode ............................................................141
Configuring Clear to Send Rate ..............................................................142
Configuring Clear to Send Type .............................................................142
Configuring Slot Time ............................................................................143
Configuring Preamble Length ................................................................143
Table of Contents
xxxvii
Working with Wireless Interfaces.................................................................144

Binding an SSID to a Wireless Interface.................................................144
Binding a Wireless Interface to a Radio .................................................144
Creating Wireless Bridge Groups............................................................145
Disabling a Wireless Interface................................................................146
Viewing Wireless Configuration Information................................................146
Example 1: Open Authentication and WEP Encryption .........................147
Example 2: WPA-PSK Authentication with Passphrase and
Automatic Encryption .....................................................................147
Example 3: WLAN in Transparent Mode................................................148
Example 4: Multiple and Differentiated Profiles.....................................151
Appendix A
Wireless Information
A-I
802.11a Channel Numbers ...........................................................................A-I

802.11b and 802.11g Channels ................................................................. A-III
Turbo-Mode Channel Numbers .................................................................. A-IV
Index..........................................................................................................................IX-I
Volume 13:
General Packet Radio Service
About This Volume
Document Conventions.................................................................................... v
Web User Interface Conventions ............................................................... v
Naming Conventions and Character Types ............................................... vi
Chapter 1
GPRS
The Security Device as a GPRS Tunneling Protocol Firewall ............................. 2

Gp and Gn Interfaces ................................................................................. 3
Gi Interface................................................................................................3
Operational Modes .................................................................................... 4
Virtual System Support .............................................................................. 5
Policy-Based GPRS Tunneling Protocol............................................................. 5
Example: Configuring Policies to Enable GTP Inspection ........................... 6
GPRS Tunneling Protocol Inspection Object ..................................................... 7
Example: Creating a GTP Inspection Object............................................... 8
GTP Message Filtering ...................................................................................... 8
Packet Sanity Check .................................................................................. 8
Message-Length Filtering ........................................................................... 9
Example: Setting GTP Message Lengths .............................................. 9
Message-Type Filtering ............................................................................ 10
Example: Permitting and Denying Message Types ............................ 10
Supported Message Types .................................................................10
Message-Rate Limiting............................................................................. 12
Example: Setting a Rate Limit ........................................................... 12
Sequence Number Validation .................................................................. 13
Example: Enabling Sequence Number Validation.............................. 13
xxxviii
Table of Contents
Table of Contents
IP Fragmentation..................................................................................... 13
GTP-in-GTP Packet Filtering ..................................................................... 13
Example: Enabling GTP-in-GTP Packet Filtering ................................ 13
Deep Inspection ...................................................................................... 14
Example: Enabling Deep Inspection on the TEID .............................. 14
GTP Information Elements ............................................................................. 14
Access Point Name Filtering .................................................................... 15
Example: Setting an APN and a Selection Mode ................................ 16
IMSI Prefix Filtering ................................................................................. 16
Example: Setting a Combined IMSI Prefix and APN Filter ................. 17
Radio Access Technology ........................................................................ 17
Example: Setting an RAT and APN Filter........................................... 17
Routing Area Identity and User Location Information.............................. 18
Example: Setting an RAI and APN Filter............................................ 18
Example: Setting a ULI and APN Filter .............................................. 18
APN Restriction ....................................................................................... 18
IMEI-SV.................................................................................................... 19
Example: Setting an IMEI-SV and APN Filter ..................................... 19
Protocol and Signaling Requirements ...................................................... 19
Combination Support for IE Filtering ....................................................... 20
Supported R6 Information Elements ....................................................... 20
3GPP R6 IE Removal ............................................................................... 22
Example: R6 Removal....................................................................... 23
GTP Tunnels................................................................................................... 23
GTP Tunnel Limiting ................................................................................ 23
Example: Setting GTP Tunnel Limits ................................................. 23
Stateful Inspection ................................................................................... 23
GTP Tunnel Establishment and Teardown......................................... 24
Inter SGSN Routing Area Update ....................................................... 24
Tunnel Failover for High Availability........................................................ 24
Hanging GTP Tunnel Cleanup .................................................................. 25
Example: Setting the Timeout for GTP Tunnels ................................. 25
SGSN and GGSN Redirection .......................................................................... 26
Overbilling-Attack Prevention ........................................................................ 26
Overbilling-Attack Description .................................................................26
Overbilling-Attack Solution ...................................................................... 28
Example: Configuring the Overbilling Attack Prevention Feature ...... 29
GTP Traffic Monitoring ................................................................................... 31
Traffic Logging......................................................................................... 31
Example: Enabling GTP Packet Logging ............................................ 32
Traffic Counting....................................................................................... 33
Example: Enabling GTP Traffic Counting........................................... 33
Lawful Interception.................................................................................. 34
Example: Enabling Lawful Interception ............................................. 34
Index..........................................................................................................................IX-I
Volume 14:
Dual-Stack Architecture with IPv6
About This Volume
vii
Document Audience...................................................................................... viii

Table of Contents
xxxix

Chapter 1
Internet Protocol Version 6 Introduction
Overview ......................................................................................................... 2
IPv6 Addressing ............................................................................................... 2
Notation .................................................................................................... 2
Prefixes ..................................................................................................... 3
Address Types ........................................................................................... 3
Unicast Addresses ............................................................................... 3
Anycast Addresses .............................................................................. 4
Multicast Addresses............................................................................. 4
IPv6 Headers.................................................................................................... 4
Basic Header ............................................................................................. 4
Extension Headers..................................................................................... 5
IPv6 Packet Handling ....................................................................................... 6
IPv6 Router and Host Modes............................................................................ 7
IPv6 Tunneling Guidelines................................................................................ 8
Chapter 2
IPv6 Configuration
Overview ....................................................................................................... 11
Address Autoconfiguration ...................................................................... 11
Extended Unique Identifier ............................................................... 11
Router Advertisement Messages ....................................................... 12
Router Solicitation Messages ............................................................. 12
Prefix Lists ........................................................................................ 12
Neighbor Discovery ................................................................................. 13
Neighbor Cache Table ....................................................................... 13
Neighbor Unreachability Detection ................................................... 13
Neighbor Entry Categories ................................................................ 14
Neighbor Reachability States............................................................. 14
How Reachability State Transitions Occur......................................... 15
Enabling an IPv6 Environment ...................................................................... 18
Enabling IPv6 at the Device Level............................................................ 18
Disabling IPv6 at the Device Level ........................................................... 19
Configuring an IPv6 Host ............................................................................... 19
Binding the IPv6 Interface to a Zone........................................................ 20
Enabling IPv6 Host Mode ........................................................................ 20
Setting an Interface Identifier .................................................................. 20
Configuring Address Autoconfiguration ................................................... 21
Configuring Neighbor Discovery .............................................................. 21
Configuring an IPv6 Router ............................................................................ 22
Binding the IPv6 Interface to a Zone........................................................ 22
Enabling IPv6 Router Mode ..................................................................... 22
Setting an Interface Identifier .................................................................. 23
Setting Address Autoconfiguration........................................................... 23
Outgoing Router Advertisements Flag ............................................... 23
Managed Configuration Flag.............................................................. 24
Other Parameters Configuration Flag ................................................ 24
Disabling Address Autoconfiguration ....................................................... 24
xl
Table of Contents
Table of Contents
Setting Advertising Time Intervals ........................................................... 25

Advertised Reachable Time Interval .................................................. 25
Advertised Retransmit Time Interval................................................. 26
Maximum Advertisement Interval..................................................... 26
Minimum Advertisement Interval ..................................................... 26
Advertised Default Router Lifetime ................................................... 27
Advertising Packet Characteristics ........................................................... 27
Link MTU Value................................................................................. 27
Current Hop Limit ............................................................................. 28
Advertising Router Characteristics ........................................................... 28
Link Layer Address Setting................................................................ 28
Advertised Router Preference............................................................ 28
Configuring Neighbor Discovery Parameters ........................................... 29
Neighbor Unreachability Detection ................................................... 29
MAC Session-Caching........................................................................ 29
Static Neighbor Cache Entries ........................................................... 30
Base Reachable Time ........................................................................ 30
Probe Time ....................................................................................... 31
Retransmission Time ........................................................................ 31
Duplicate Address Detection Retry Count.......................................... 31
Viewing IPv6 Interface Parameters ................................................................ 32
Viewing Neighbor Discovery Configurations ............................................ 32
Viewing the Current RA Configuration ..................................................... 32
IPv6 Router ............................................................................................. 33
IPv6 Host................................................................................................. 33
Chapter 3
Connection and Network Services
35
Overview ....................................................................................................... 36
Dynamic Host Configuration Protocol Version 6 ............................................ 36
Device-Unique Identification.................................................................... 36
Identity Association Prefix Delegation-Identification................................ 37
Prefix Features ........................................................................................ 37
Server Preference .................................................................................... 38
Configuring a DHCPv6 Server.................................................................. 38
Configuring a DHCPv6 Client................................................................... 40
Viewing DHCPv6 Settings ........................................................................ 41
Configuring Domain Name System Servers....................................................42
Requesting DNS and DNS Search List Information .................................. 43
Setting Proxy DNS Address Splitting ........................................................ 44
Configuring PPPoE ......................................................................................... 46
Setting Fragmentation.................................................................................... 47
Chapter 4
Static and Dynamic Routing
49
Overview ....................................................................................................... 50
Dual Routing Tables................................................................................. 50
Static and Dynamic Routing .................................................................... 51
Upstream and Downstream Prefix Delegation......................................... 51
Static Routing................................................................................................. 52
RIPng Configuration....................................................................................... 53
Creating and Deleting a RIPng Instance................................................... 54
Creating a RIPng Instance .................................................................54
Deleting a RIPng Instance .................................................................54
Table of Contents
xli
Enabling and Disabling RIPng on Interfaces ............................................ 55

Enabling RIPng on an Interface......................................................... 55
Disabling RIPng on an Interface ........................................................ 55
Global RIPng Parameters ............................................................................... 56
Advertising the Default Route .................................................................. 56
Configuring Trusted Neighbors ................................................................ 57
Redistributing Routes .............................................................................. 58
Protecting Against Flooding by Setting an Update Threshold ................... 59
RIPng Interface Parameters ........................................................................... 60
Route, Interface, and Offset Metrics ........................................................ 60
Access Lists and Route Maps............................................................. 61
Static Route Redistribution................................................................ 61
Configuring Split Horizon with Poison Reverse ........................................ 64
Viewing Routing and RIPng Information ........................................................ 64
Viewing the Routing Table ....................................................................... 65
Viewing the RIPng Database.................................................................... 65
Viewing RIPng Details by Virtual Router .................................................. 66
Viewing RIPng Details by Interface.......................................................... 67
Viewing RIPng Neighbor Information ...................................................... 68
Enabling RIPng on Tunnel Interfaces ....................................................... 69
Avoiding Traffic Loops to an ISP Router................................................... 71
Configuring the Customer Premises Equipment ................................ 71
Configuring the Gateway................................................................... 75
Configuring the ISP Router................................................................ 78
Setting a Null Interface Redistribution to OSPF........................................ 79
Redistributing Discovered Routes to OSPF .............................................. 80
Setting Up OSPF-Summary Import .......................................................... 80
Chapter 5
Address Translation
81
Overview ....................................................................................................... 82
Translating Source IP Addresses .............................................................. 83
DIP from IPv6 to IPv4 ....................................................................... 83
DIP from IPv4 to IPv6 ....................................................................... 83
Translating Destination IP Addresses....................................................... 84
MIP from IPv6 to IPv4....................................................................... 84
MIP from IPv4 to IPv6....................................................................... 85
IPv6 Hosts to Multiple IPv4 Hosts ............................................................ 86
IPv6 Hosts to a Single IPv4 Host .............................................................. 88
IPv4 Hosts to Multiple IPv6 Hosts ............................................................ 90
IPv4 Hosts to a Single IPv6 Host .............................................................. 91
Translating Addresses for Domain Name System Servers........................ 93
Chapter 6
IPv6 in an IPv4 Environment
97
Overview ....................................................................................................... 98
Configuring Manual Tunneling ....................................................................... 99
Configuring 6to4 Tunneling..........................................................................102
6to4 Routers..........................................................................................102
6to4 Relay Routers ................................................................................103
Tunnels to Remote Native Hosts............................................................104
Tunnels to Remote 6to4 Hosts...............................................................107
xlii
Table of Contents
Table of Contents
Chapter 7
IPSec Tunneling
111
Overview .....................................................................................................112
IPSec 6in6 Tunneling ...................................................................................112
Manual Tunneling with Fragmentation Enabled ...........................................124
IPv6 to IPv6 Route-Based VPN Tunnel ...................................................125
IPv4 to IPv6 Route-Based VPN Tunnel ...................................................127
Chapter 8
IPv6 XAuth User Authentication
131
Overview .....................................................................................................132
RADIUSv6..............................................................................................132
Single Client, Single Server..............................................................132
Multiple Clients, Single Server .........................................................132
Single Client, Multiple Servers .........................................................133
Multiple Hosts, Single Server ...........................................................133
IPSec Access Session Management........................................................134
IPSec Access Session.......................................................................134
Enabling and Disabling IAS Functionality ........................................136
Releasing an IAS Session.................................................................136
Limiting IAS Settings .......................................................................136
Dead Peer Detection..............................................................................137
XAuth with RADIUS ...............................................................................138
RADIUS with XAuth Route-Based VPN...................................................139
RADIUS with XAuth and Domain Name Stripping .................................143
IP Pool Range Assignment.....................................................................147
RADIUS Retries......................................................................................153
Calling-Station-Id ...................................................................................153
IPSec Access Session .............................................................................154
Dead Peer Detection..............................................................................163
Appendix A
Switching
A-I
Index..........................................................................................................................IX-I
Table of Contents
xliii
xliv
Table of Contents
About the Concepts & Examples

ScreenOS Reference Guide
Juniper Networks security devices integrate the following firewall, virtual private
network (VPN), and traffic-shaping features to provide flexible protection for
security zones when connecting to the Internet:
Firewall: A firewall screens traffic crossing the boundary between a private

LAN and the public network, such as the Internet.
Layered Security: The layered security solution is deployed at different

locations to repel attacks. If one layer fails, the next one catches the attack.
Some functions help protect remote locations with site-to-site VPNs. Devices
deployed at the perimeter repel network-based attacks. Another layer, using
Intrusion Detection Prevention (IDP) and Deep Inspection, automatically
detects and prevents attacks from inflicting damages.
Network segmentation, the final security layer (also known as virtualization),
divides the network up into secure domains to protect critical resources from
unauthorized roaming users and network attacks.
Content Security: Protects users from malicious URLs and provides embedded
antivirus scanning and web filtering. In addition, works with third-party
products to provide external antivirus scanning, anti-spam, and web filtering.
VPN: A VPN provides a secure communications channel between two or more

remote network appliances.
Integrated Networking Functions: Dynamic routing protocols learn

reachability and advertise dynamically changing network topologies. In
addition, traffic shaping functionality allows administrative monitoring and
control of traffic passing across the Juniper Networks firewall to maintain a
networks quality-of-service (QoS) level.
Centralized Management: The Netscreen-Security Manager tool simplifies

configuration, deployment, and management of security devices.
Redundancy: High availability of interfaces, routing paths, security devices,

andon high-end Juniper Networks devicespower supplies and fans, to
avoid a single point of failure in any of these areas.
xlv
NOTE:
For information about Juniper Networks compliance with Federal Information

Processing Standards (FIPS) and for instructions on setting a FIPS-compliant
security device in FIPS mode, refer to the platform-specific Cryptographic Module
Security Policy document on the documentation CD.
Figure 1: Key Features in ScreenOS
Untrust Zone
LAN
LAN
Internet
Redundancy: The backup device
maintains identical configuration
and sessions as those on the
primary device to assume the place
of the primary device if necessary.
(Note: Interfaces, routing paths,
power supplies, and fans can also
be redundant.)
VPNs: Secure communication

tunnels between sites for traffic
passing through the Internet
Backup Device
Firewall: Screening traffic
between the protected LAN and
the Internet
Traffic Shaping: Efficient

prioritization of traffic as it
traverses the firewall
Integrated Networking Functions:

Performs routing functions and
communicates and interacts with
routing devices in the environment
LAN
Trust Zone
Dynamic Routing:
The routing table
automatically updates by
communicating with
dynamic routing peers.
Dst
Use
0.0.0.0/0
1.1.1.0/24
1.2.1.0/24
10.1.0.0/16
10.2.2.0/24
10.3.3.0/24
1.1.1.250
eth3
eth2
trust-vr
tunnel.1
tunnel.2
The ScreenOS system provides all the features needed to set up and manage any
security appliance or system. This document is a reference guide for configuring
and managing a Juniper Networks security device through ScreenOS.
xlvi
Volume Organization
The Concepts & Examples ScreenOS Reference Guide is a multi-volume manual. The
following information outlines and summarizes the material in each volume:
Volume 1: Overview
Table of Contents contains a master table of contents for all volumes in the
manual.
Master Index is an index of all volumes in the manual.
Volume 2: Fundamentals
Chapter 1, ScreenOS Architecture, presents the fundamental elements of the

architecture in ScreenOS and concludes with a four-part example illustrating an
enterprise-based configuration incorporating most of those elements. In this
and all subsequent chapters, each concept is accompanied by illustrative
examples.
Chapter 2, Zones, explains security zones, tunnel zones, and function zones.
Chapter 3, Interfaces, describes the various physical, logical, and virtual

interfaces on security devices.
Chapter 4, Interface Modes, explains the concepts behind Transparent,

Network Address Translation (NAT), and Route interface operational modes.
Chapter 5, Building Blocks for Policies, discusses the elements used for
creating policies and virtual private networks (VPNs): addresses (including VIP
addresses), services, and DIP pools. It also presents several example
configurations support for the H.323 protocol.
Chapter 6, Policies, explores the components and functions of policies and

offers guidance on their creation and application.
Chapter 7, Traffic Shaping, explains how you can manage bandwidth at the
interface and policy levels and prioritize services.
Chapter 8, System Parameters, presents the concepts behind Domain Name

System (DNS) addressing, using Dynamic Host Configuration Protocol (DHCP)
to assign or relay TCP/IP settings, downloading and uploading system
configurations and software, and setting the system clock.
Volume Organization
xlvii
Volume 3: Administration
Chapter 1, Administration, explains the different means available for

managing a security device both locally and remotely. This chapter also
explains the privileges pertaining to each of the four levels of network
administrators that can be defined.
Chapter 2, Monitoring Security Devices, explains various monitoring

methods and provides guidance in interpreting monitoring output.
Volume 4: Attack Detection and Defense Mechanisms
xlviii
Volume Organization
Chapter 1, Protecting a Network, outlines the basic stages of an attack and

the firewall options available to combat the attacker at each stage.
Chapter 2, Reconnaissance Deterrence, describes the options available for

blocking IP address sweeps, port scans, and attempts to discover the type of
operating system (OS) of a targeted system.
Chapter 3, Denial-of-Service Attack Defenses, explains firewall, network, and

OS-specific DoS attacks and how ScreenOS mitigates such attacks.
Chapter 4, Content Monitoring and Filtering, describes how to protect

HyperText Transfer Protocol (HTTP) users from malicious uniform resource
locators (URLs) and how to configure the security device to work with third
party products to provide antivirus scanning and web filtering.
Chapter 5, Deep Inspection, describes how to configure the security device to

obtain Deep Inspection (DI) attack object updates, how to create user-defined
attack objects and attack object groups, and how to apply IDP at the policy
level.
Chapter 6, Intrusion Detection and Prevention, describes Juniper Networks

Intrusion Detection and Prevention (IDP) technology which can both detect and
then stop attacks when deployed inline to your network. The chapter describes
how to apply IDP at the policy level to drop malicious packets or connections
before the attacks can enter your network.
Chapter 7, Suspicious Packet Attributes, explains a number of SCREEN

options that block potentially dangerous packets.
Appendix A, Contexts for User-Defined Signatures, provides a list and

descriptions of contexts that you can specify when defining a stateful signature
attack object.
Volume 5: Virtual Private Networks
Chapter 1, Internet Protocol Security, provides background information

about IPSec, presents a flow sequence for Phase 1 in IKE negotiations in
Aggressive and Main modes, and concludes with information about IKE and
IPSec packet encapsulation.
Chapter 2, Public Key Cryptography, provides information about how to

obtain and load digital certificates and certificate revocation lists (CRLs).
Chapter 3, Virtual Private Network Guidelines, offers some useful information

to help in the selection of the available VPN options. It also presents a packet
flow chart to demystify VPN packet processing.
Chapter 4, Site-to-Site Virtual Private Networks, provides extensive examples

VPN configurations connecting two private networks.
Chapter 5, Dialup Virtual Private Networks, provides extensive examples of

client-to-LAN communication using AutoKey IKE. It also details group IKE ID
and shared IKE ID configurations.
Chapter 6, Layer 2 Tunneling Protocol, explains the Layer 2 Tunneling

Protocol and its use alone and in conjunction with IPSec (L2TP-over-IPSec).
Chapter 7, Advanced Virtual Private Network Features, contains information

and examples for the more advanced VPN configurations, such as
NAT-Traversal, VPN monitoring, binding multiple tunnels to a single tunnel
interface, and hub-and-spoke and back-to-back tunnel designs.
Chapter 8, AutoConnect-Virtual Private Networks, describes how ScreenOS

uses Next Hop Resolution Protocol (NHRP) messages to enable security devices
to set up AutoConnect VPNs as needed. The chapter provides an example of a
typical scenario in which AC-VPN might be used.
Volume 6: Voice-over-Internet Protocol
Chapter 1, H.323 Application Layer Gateway, describes the H.323 protocol

and provides examples of typical scenarios.
Chapter 2, Session Initiation Protocol Application Layer Gateway, describes

the Session Initiation Protocol (SIP) and shows how the SIP ALG processes calls
in Route and Network Address Translation (NAT) modes. Examples of typical
scenarios follow a summary of the SIP architecture.
Chapter 3, Media Gateway Control Protocol Application Layer Gateway,

presents an overview of the Media Gateway Control Protocol (MGCP) ALG and
lists the firewall security features of the implementation. Examples of typical
scenarios follow a summary of the MGCP architecture.
Chapter 4, Skinny Client Control Protocol Application Layer Gateway,

presents an overview of the Skinny Client Control Protocol (SCCP) ALG and lists
the firewall security features of the implementation. Examples of typical
scenarios follow a summary of the SCCP architecture.
Volume Organization
xlix
Volume 7: Routing
Chapter 1, Static Routing, describes the ScreenOS routing table, the basic
routing process on the security device, and how to configure static routes on
security devices.
Chapter 2, Routing, explains how to configure virtual routers on security

devices and how to redistribute routing table entries between protocols or
between virtual routers.
Chapter 3, Open Shortest Path First, describes how to configure the OSPF
dynamic routing protocol on security devices.
Chapter 4, Routing Information Protocol, describes how to configure the RIP

Chapter 5, Border Gateway Protocol, describes how to configure the BGP

Chapter 6, Policy-Based Routing, explains how to force interesting traffic

along a specific path in the network.
Chapter 7, Multicast Routing, introduces basic multicast routing concepts.
Chapter 8, Internet Group Management Protocol, describes how to configure

the Internet Group Management Protocol (IGMP) on security devices.
Chapter 9, Protocol Independent Multicast, describes how to configure the

Protocol Independent Multicast (PIM) routing protocol on security devices.
Chapter 10, ICMP Router Discovery Protocol, explains how to set up an

Internet Control Messages Protocol (ICMP) message exchange between a host
and a router.
Volume 8: Address Translation
Volume Organization
Chapter 1, Address Translation, gives an overview of the various translation

options, which are covered in detail in subsequent chapters.
Chapter 2, Source Network Address Translation, describes NAT-src, the

translation of the source IP address in a packet header, with and without Port
Address Translation (PAT).
Chapter 3, Destination Network Address Translation, describes NAT-dst, the

translation of the destination IP address in a packet header, with and without
destination port address mapping. This section also includes information about
the packet flow when doing NAT-src, routing considerations, and address
shifting.
Chapter 4, Mapped and Virtual Addresses, describes the mapping of one

destination IP address to another based on IP address alone (mapped IP) or
based on destination IP address and destination port number (virtual IP).
Volume 9: User Authentication
Chapter 1, Authentication, details the various authentication methods and

uses that ScreenOS supports.
Chapter 2, Authentication Servers, presents the options of using one of three

possible types of external authentication serverRADIUS, SecurID, or
LDAPor the internal database and shows how to configure the security device
to work with each type.
Chapter 3, Infranet Authentication, details how the security device is

deployed in a unified access control (UAC) solution. Juniper Networks unified
access control solution (UAC) secures and assures the delivery of applications
and services across an enterprise infranet.
Chapter 4, Authentication Users, explains how to define profiles for

authentication users and how to add them to user groups stored either locally
or on an external RADIUS authentication server.
Chapter 5, IKE, XAuth, and L2TP Users, explains how to define IKE, XAuth,
and L2TP users. Although the XAuth section focusses primarily on using the
security device as an XAuth server, it also includes a subsection on configuring
select security devices to act as an XAuth client.
Chapter 6, Extensible Authentication for Wireless and Ethernet Interfaces,

explains the options available for and examples of how to use Extensible
Authentication Protocol to provide authentication for Ethernet and wireless
interfaces.
Volume 10: Virtual Systems
Chapter 1, Virtual Systems, discusses virtual systems, objects, and

administrative tasks.
Chapter 2, Traffic Sorting, explains how ScreenOS sorts traffic.
Chapter 3, VLAN-Based Traffic Classification, describes VLAN-based traffic

classification for virtual systems, and VLAN retagging.
Chapter 4, IP-Based Traffic Classification, explains IP-based traffic

classification for virtual systems.
Volume 11: High Availability
Chapter 1, NetScreen Redundancy Protocol, explains how to cable,

configure, and manage Juniper Networks security devices in a redundant group
to provide high availability (HA) using the NetScreen Redundancy Protocol
(NSRP).
Chapter 2, Interface Redundancy and Failover, describes the various ways in

which Juniper Networks security devices provide interface redundancy.
Volume Organization
li
Volume 12: WAN, DSL, Dial, and Wireless
Chapter 1, Wide Area Networks, describes how to configure a wide area

network (WAN).
Chapter 2, Digital Subscriber Line, describes the Asymmetric Digital

Subscriber Line (ADSL) interface on the security device. ADSL is a Digital
Subscriber Line (DSL) technology that allows existing telephone lines to carry
both voice telephone service and high-speed digital transmission.
Chapter 3, ISP Failover and Dial Recovery, describes how to set priority and
define conditions for ISP failover and how to configure a dialup recovery
solution.
Chapter 4, Wireless Local Area Network, describes the wireless interfaces on

Juniper Networks wireless devices and provides example configurations.
Appendix A, Wireless Information, lists available channels, frequencies, and

regulatory domains and lists the channels that are available on wireless devices
for each country.
Volume 13: General Packet Radio Service
Chapter 1, GPRS, describes the GPRS Tunneling Protocol (GTP) features in

ScreenOS and demonstrates how to configure GTP functionality on a Juniper
Networks security device.
Volume 14: Dual-Stack Architecture with IPv6
lii
Volume Organization
Chapter 1, Internet Protocol Version 6 Introduction, explains IPv6 headers,

concepts, and tunneling guidelines.
Chapter 2, IPv6 Configuration, explains how to configure an interface for

operation as an IPv6 router or host.
Chapter 3, Connection and Network Services, explains how to configure

Dynamic Host Configuration protocol version 6 (DHCPv6), Domain Name
Services (DNS), Point-to-Point Protocol over Ethernet (PPPoE), and
fragmentation.
Chapter 4, Static and Dynamic Routing, explains how to set up static and
dynamic routing. This chapter explains ScreenOS support for Routing
Information Protocol-Next Generation (RIPng).
Chapter 5, Address Translation, explains how to use Network Address

Translation (NAT) with dynamic IP (DIP) and mapped-IP (MIP) addresses to
traverse IPv4/IPv6 boundaries.
Chapter 6, IPv6 in an IPv4 Environment, explains manual and dynamic

tunneling.
Chapter 7, IPSec Tunneling, explains how to configure IPSec tunneling to

connect dissimilar hosts.
Chapter 8, IPv6 XAuth User Authentication, explains how to configure

Remote Authentication Dial In User Service (RADIUS) and IPSec Access Session
(IAS) management.
Appendix A, Switching, lists options for using the security device as a switch
to pass IPv6 traffic.
Document Conventions
This document uses the conventions described in the following sections:
Web User Interface Conventions on page liii
Command Line Interface Conventions on page liii
Naming Conventions and Character Types on page liv
Illustration Conventions on page lv
Web User Interface Conventions

In the Web user interface (WebUI), the set of instructions for each task is divided
into navigational path and configuration settings. To open a WebUI page where you
can enter configuration settings, you navigate to it by clicking on a menu item in
the navigation tree on the left side of the screen, then on subsequent items. As you
proceed, your navigation path appears at the top of the screen, each page
separated by angle brackets.
The following shows the WebUI path and parameters for defining an address:
Policy > Policy Elements > Addresses > List > New: Enter the following,
then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust
To open Online Help for configuration settings, click on the question mark (?) in the
upper left of the screen.
The navigation tree also provides a Help > Config Guide configuration page to help
you configure security policies and Internet Protocol Security (IPSec). Select an
option from the dropdown menu and follow the instructions on the page. Click
the ? character in the upper left for Online Help on the Config Guide.
Command Line Interface Conventions

The following conventions are used to present the syntax of command line
interface (CLI) commands in examples and in text.
In examples:
Anything inside square brackets [ ] is optional.
liii
Anything inside braces { } is required.
If there is more than one choice, each choice is separated by a pipe ( | ). For
example:
set interface { ethernet1 | ethernet2 | ethernet3 } manage
Variables are in italic type:

set admin user name1 password xyz
In text, commands are in boldface type and variables are in italic type.
NOTE:
When entering a keyword, you only have to type enough letters to identify the
word uniquely. Typing set adm u whee j12fmt54 will enter the command set
admin user wheezer j12fmt54. However, all the commands documented here
are presented in their entirety.
Naming Conventions and Character Types

ScreenOS employs the following conventions regarding the names of objectssuch
as addresses, admin users, auth servers, IKE gateways, virtual systems, VPN
tunnels, and zonesdefined in ScreenOS configurations:
If a name string includes one or more spaces, the entire string must be
enclosed within double quotes; for example:
set address trust local LAN 10.1.1.0/24
Any leading spaces or trailing text within a set of double quotes are trimmed;
for example, local LAN becomes local LAN.
Multiple consecutive spaces are treated as a single space.
Name strings are case-sensitive, although many CLI keywords are

case-insensitive. For example, local LAN is different from local lan.
ScreenOS supports the following character types:
NOTE:
liv
Single-byte character sets (SBCS) and multiple-byte character sets (MBCS).

Examples of SBCS are ASCII, European, and Hebrew. Examples of MBCSalso
referred to as double-byte character sets (DBCS)are Chinese, Korean, and
Japanese.
ASCII characters from 32 (0x20 in hexadecimals) to 255 (0xff), except double

quotes ( ), which have special significance as an indicator of the beginning or
end of a name string that includes spaces.
A console connection only supports SBCS. The WebUI supports both SBCS and
MBCS, depending on the character sets that your browser supports.
Illustration Conventions
The following figure shows the basic set of images used in illustrations throughout
this volume.
Figure 2: Images in Illustrations
Autonomous System
or
Virtual Routing Domain
Internet
Security Zone Interfaces:

White = Protected Zone Interface
(example = Trust Zone)
Black = Outside Zone Interface
(example = Untrust Zone)
Local Area Network (LAN)

with a Single Subnet
or
Security Zone
Dynamic IP (DIP) Pool
Policy Engine
Generic Network Device
Tunnel Interface
Server
VPN Tunnel
Router
Switch
Juniper Networks
Security Devices
Hub
lv
Technical Documentation and Support

To obtain technical documentation for any Juniper Networks product, visit
www.juniper.net/techpubs/.
For technical support, open a support case using the Case Manager link at
http://www.juniper.net/customers/support/ or call 1-888-314-JTAC (within the
United States) or 1-408-745-9500 (outside the United States).
If you find any errors or omissions in this document, please contact Juniper
Networks at techpubs-comments@juniper.net.
lvi
Technical Documentation and Support
Master Index
Numerics
3DES ............................................................................. 5-6
3DES encryption .................................................... 14-121
4in6 tunneling
basic setup ....................................................... 14-115
definition .......................................................... 14-115
6in4 tunneling ........................................................ 14-111
basic setup ....................................................... 14-120
over IPv4 WAN ................................................ 14-120
6over4 tunneling
addresses, handling .......................................... 14-99
definition ............................................................ 14-98
manual tunneling .............................................. 14-99
types ................................................................... 14-98
when to use ....................................................... 14-98
6to4
addresses .................................. 14-8, 14-102, 14-108
hosts ................................................................. 14-107
relay routers ........................................14-102, 14-103
routers .............................................................. 14-102
tunneling ...............................................14-98, 14-102
tunneling, description ..................................... 14-102
A
AAL5 encapsulations ............................................... 12-66
AAL5 multiplexing ................................................... 12-74
Access Concentrator (AC)........................................ 14-46
access control list
See ACL
access lists
for routes .............................................................. 7-40
IGMP ................................................................... 7-158
multicast routing ............................................... 7-151
PIM-SM ............................................................... 7-199
Access Point Name
See APN
access policies
See policies
ACL .......................................................................... 12-132
ActiveX controls, blocking ...................................... 4-168
address books
addresses
adding............................................................ 2-104
modifying ...................................................... 2-105
removing ....................................................... 2-108
entries ................................................................. 2-104

group entries, editing ........................................ 2-108
groups ................................................................. 2-105
See also addresses
address groups ............................................. 2-105, 2-166
creating ............................................................... 2-107
editing ................................................................. 2-108
entries, removing .............................................. 2-108
options ................................................................ 2-106
address negation ...................................................... 2-186
address sweep .............................................................. 4-8
address translation
See NAT, NAT-dst, and NAT-src
addresses
address book entries .......................... 2-104 to 2-108
autoconfiguration .............................................. 14-11
defined ................................................................ 2-166
in policies ........................................................... 2-166
IP lifetime for XAuth users ................................. 9-70
IP, host and network IDs .................................... 2-47
L2TP assignments ............................................... 9-84
link-local ............................................................. 14-12
MAC .............................................14-13, 14-21, 14-29
private ................................................................... 2-47
public .................................................................... 2-47
splitting ............................................................... 14-44
addresses, handling
4in6 tunneling ................................................. 14-116
6to4 tunneling ................................................. 14-104
destination address translation ....................... 14-84
DIP from IPv4 to IPv6 ....................................... 14-84
IPv4 hosts to a single IPv6 host ..................... 14-113
IPv6 hosts to multiple IPv4 hosts .................... 14-87
manual tunneling .............................................. 14-99
addresses, overlapping ranges ................... 10-63, 10-72
addresses, XAuth
assignments ......................................................... 9-68
authentication, and ............................................. 9-79
timeout ................................................................. 9-70
admin users .................................................................. 9-2
prioritizing authentication .................................. 9-32
privileges from RADIUS ........................................ 9-2
server support ...................................................... 9-14
timeout ................................................................. 9-18
Master Index
IX-I
administration
CLI ........................................................................... 3-9
restricting ............................................................. 3-42
WebUI .................................................................... 3-2
administration, vsys .................................................. 10-7
administrative traffic ................................................. 3-29
admins ........................................................................ 10-2
changing passwords ..................................10-4, 10-7
types ..................................................................... 10-4
ADSL
configuring interface ........................................ 12-73
overview ............................................................. 12-73
VPN tunnel ......................................................... 12-97
Advanced Encryption Standard (AES) ....................... 5-6
AES ................................................................................ 5-6
AES128 encryption ............................................... 14-121
agents, zombie ..................................................4-27, 4-29
aggregate interfaces .......................................2-37, 11-43
aggressive aging ............................................4-30 to 4-32
Aggressive mode ....................................................... 5-10
AH ..........................................................................5-3, 5-5
AIM ............................................................................ 4-130
alarms
email alert ............................................................ 3-68
reporting to NetScreen-Security Manager ........ 3-25
thresholds ............................................................ 3-69
traffic ........................................................3-68 to 3-71
alarms, thresholds ................................................... 2-172
ALG .....................................................................4-55, 6-17
SIP ......................................................................... 6-13
SIP NAT ................................................................ 6-23
ALGs
for custom services ........................................... 2-167
MS RPC ............................................................... 2-129
RTSP ................................................................... 2-130
Sun RPC ............................................................. 2-127
America Online Instant Messaging
See AIM
anti-replay checking .........................................5-52, 5-59
APN
filtering ............................................................... 13-15
selection mode .................................................. 13-15
Application Layer Gateway
See ALG
application option, in policies ................................ 2-167
ARP ..................................................................2-82, 11-52
broadcasts .......................................................... 11-29
lookup ................................................................. 11-38
ARP, ingress IP address............................................. 2-84
asset recovery log ...................................................... 3-68
assigning priorities .................................................... 9-32
Asynchronous Transfer Mode
See ATM
ATM ........................................................................... 12-67
IX-II
Master Index
ATM Adaptation Layer 5 .......................................... 12-74

attack actions .............................................4-138 to 4-146
close .................................................................... 4-138
close client ......................................................... 4-138
close server ........................................................ 4-138
drop .................................................................... 4-138
drop packet ........................................................ 4-138
ignore.................................................................. 4-138
none .................................................................... 4-139
attack database updates
downloading ...................................................... 4-230
overview ............................................................. 4-230
attack object database ..............................4-120 to 4-127
auto notification and manual update.............. 4-124
automatic update .............................................. 4-123
changing the default URL ................................. 4-126
immediate update ............................................. 4-122
manual update........................................4-125, 4-126
attack object groups ................................................ 4-134
applied in policies ............................................. 4-128
changing severity .............................................. 4-134
Help URLs .......................................................... 4-131
logging ................................................................ 4-149
severity levels .................................................... 4-134
attack objects ................................. 4-117, 4-127 to 4-133
brute force.......................................................... 4-146
custom ................................................................ 4-212
disabling ............................................................. 4-137
IDP ...................................................................... 4-184
negation ............................................................. 4-163
overview ............................................................. 4-209
protocol anomalies ................................4-133, 4-162
protocol anomaly .............................................. 4-210
re-enabling ......................................................... 4-137
signature............................................................. 4-210
stateful signatures ............................................. 4-132
stream signatures .............................................. 4-133
TCP stream signatures ...................................... 4-160
attack protection
policy level ............................................................. 4-4
security zone level ................................................ 4-4
attacks
common objectives ............................................... 4-1
detection and defense options ..................4-2 to 4-4
DOS ...........................................................4-27 to 4-51
ICMP
floods ............................................................... 4-46
fragments ...................................................... 4-236
IP packet fragments .......................................... 4-240
Land ...................................................................... 4-48
large ICMP packets............................................ 4-237
Ping of Death ....................................................... 4-49
Replay ................................................................... 5-12
session table floods ....................................4-17, 4-28
Master Index
stages of ................................................................. 4-2

SYN floods ................................................4-34 to 4-39
SYN fragments................................................... 4-241
Teardrop ............................................................... 4-50
UDP floods ........................................................... 4-47
unknown MAC addresses ................................... 4-39
unknown protocols ........................................... 4-239
WinNuke .............................................................. 4-51
attacks, Overbilling ....................................13-26 to 13-28
auth servers ....................................................9-13 to 9-40
addresses ............................................................. 9-18
authentication process ....................................... 9-17
backup .................................................................. 9-18
default ..........................................................9-39, 9-40
defining ....................................................9-33 to 9-40
external ................................................................ 9-17
ID number ............................................................ 9-18
idle timeout .......................................................... 9-18
LDAP .........................................................9-29 to 9-30
maximum number .............................................. 9-14
SecurID ................................................................. 9-27
SecurID, defining................................................. 9-35
types ..................................................................... 9-18
XAuth queries ...................................................... 9-69
auth servers, objects
names ................................................................... 9-18
properties ............................................................. 9-18
auth servers, RADIUS ....................................9-19 to 9-22
defining ................................................................ 9-33
user-type support ................................................ 9-20
auth servers, TACACS+
defining ................................................................ 9-38
auth table entry.......................................................... 9-43
auth users .......................................................9-45 to 9-64
admin ..................................................................... 9-2
groups ..........................................................9-45, 9-48
IKE ...............................................................9-14, 9-65
in policies ............................................................. 9-46
L2TP ...................................................................... 9-84
local database ..........................................9-15 to 9-16
logins, with different ............................................. 9-5
manual key .......................................................... 9-14
multiple-type .......................................................... 9-4
pre-policy auth ................................................... 2-171
run-time auth process ....................................... 2-170
run-time authentication .................................... 2-170
server support...................................................... 9-14
timeout ................................................................. 9-18
types and applications ................................9-1 to 9-5
user types ............................................................. 9-13
WebAuth ...................................................2-171, 9-14
XAuth .................................................................... 9-68
auth users, authentication
auth servers, with ................................................ 9-14
point of ................................................................... 9-1

pre-policy.............................................................. 9-47
auth users, run-time
auth process ......................................................... 9-46
authentication ...................................................... 9-46
user groups, external .......................................... 9-53
user groups, local ................................................ 9-50
users, external ..................................................... 9-51
users, local ........................................................... 9-49
auth users, WebAuth .................................................. 9-47
user groups, external .......................................... 9-59
with SSL (user groups, external) ........................ 9-61
authentication .............................14-112, 14-115, 14-138
algorithms ........................5-6, 5-51, 5-54, 5-57, 5-61
Allow Any ........................................................... 2-171
NSRP ................................................................... 11-28
NSRP-Lite ............................................................ 11-15
policies ................................................................ 2-170
prioritizing ............................................................ 9-32
users .................................................................... 2-170
Authentication and Encryption
Multiple WEP Keys .......................................... 12-123
Wi-Fi Protected Access
See WPA
Wireless Equivalent Privacy
See WEP
authentication and encryption, using RADIUS server ...
12-123
Authentication Header (AH) ....................................... 5-5

authentication servers
See auth servers
authentication users
See auth users
autoconfiguration
address autoconfiguration ................................ 14-11
router advertisement messages ...................... 14-12
stateless .............................................................. 14-11
AutoKey IKE VPN ......................................3-43, 3-79, 5-7
management .......................................................... 5-7
Autonomous System (AS) numbers ....................... 7-107
AV objects
timeout ................................................................. 4-88
AV scanning ................................................... 4-58 to 4-85
AV resources per client ....................................... 4-81
decompression .................................................... 4-89
fail-mode .............................................................. 4-81
file extensions ...................................................... 4-90
FTP ........................................................................ 4-70
HTTP ..................................................................... 4-71
HTTP keep-alive ................................................... 4-83
HTTP trickling ...................................................... 4-84
IMAP ..................................................................... 4-73
MIME ..................................................................... 4-72
Master Index
IX-III
POP3..................................................................... 4-73
SMTP .................................................................... 4-74
subscription ......................................................... 4-78
B
back store ................................................................... 3-94
backdoor rulebase
adding to Security Policy.................................. 4-205
overview ............................................................. 4-205
backdoor rules ...........................................4-205 to 4-209
configuring actions ........................................... 4-207
configuring Match columns ............................. 4-206
configuring operation ....................................... 4-207
configuring services .......................................... 4-207
configuring severity .......................................... 4-209
configuring source and destination ................ 4-207
configuring targets ............................................ 4-209
configuring zones .............................................. 4-206
bandwidth ................................................................ 2-173
guaranteed .................................. 2-173, 2-193, 2-199
managing ........................................................... 2-193
maximum ................................... 2-173, 2-193, 2-199
maximum, unlimited........................................ 2-194
priority
default ........................................................... 2-198
levels.............................................................. 2-198
queues ........................................................... 2-198
banners ....................................................................... 9-10
BGP
AS-path access list ............................................. 7-116
communities ...................................................... 7-124
confederations ................................................... 7-122
configurations, security .................................... 7-113
configurations, verifying .................................. 7-112
external .............................................................. 7-105
internal ............................................................... 7-105
load-balancing ..................................................... 7-36
message types ................................................... 7-104
neighbors, authenticating ................................ 7-113
parameters ......................................................... 7-115
path attributes ................................................... 7-105
protocol overview ............................................. 7-104
regular expressions ........................................... 7-116
virtual router, creating an instance in ............ 7-107
BGP routes
adding................................................................. 7-117
aggregation ........................................................ 7-125
attributes, setting .............................................. 7-119
conditional advertisement ............................... 7-118
default, rejecting ............................................... 7-114
redistributing ..................................................... 7-116
reflection ............................................................ 7-120
suppressing ........................................................ 7-126
weight, setting ................................................... 7-118
IX-IV
Master Index
BGP routes, aggregate

aggregation ........................................................ 7-125
AS-Path in........................................................... 7-127
AS-Set in ............................................................. 7-125
attributes of ........................................................ 7-128
BGP, configuring
peer groups ........................................................ 7-109
peers ................................................................... 7-109
steps .................................................................... 7-106
BGP, enabling
in VR ................................................................... 7-107
on interface ........................................................ 7-108
bit stream ................................................................... 3-93
bridge groups
logical interface ................................................... 2-37
unbinding ............................................................. 2-46
browser requirements ................................................. 3-2
brute force
attack actions ..................................................... 4-146
brute force attack objects ....................................... 4-146
bypass-auth ................................................................ 9-69
C
CA certificates ...................................................5-22, 5-25
cables, serial ............................................................... 3-19
C-bit parity mode..................................................... 12-13
Certificate Revocation List ...............................5-23, 5-34
loading .................................................................. 5-23
certificates .................................................................... 5-7
CA.................................................................5-22, 5-25
loading .................................................................. 5-28
loading CRL .......................................................... 5-23
local....................................................................... 5-25
requesting ............................................................ 5-26
revocation ...................................................5-25, 5-34
via email ............................................................... 5-25
Challenge Handshake Authentication Protocol
See CHAP
channels, finding available ................................... 12-131
CHAP .................................................... 5-208, 5-211, 9-79
Chargen .................................................................... 4-129
CLI .......................................................... 3-9, 14-30, 14-32
CLI, set arp always-on-dest ..............................2-74, 2-77
CLI, set vip multi -port .............................................. 8-82
clock, system
See system clock
cluster names, NSRP ....................................11-11, 11-28
clusters ...........................................................11-11, 11-34
command line interface
See CLI
common names......................................................... 9-30
CompactFlash ............................................................ 3-56
compatibility-mode option
T3 interfaces ...................................................... 12-20
Master Index
configuration
ADSL 2/2+ PIM ................................................. 12-73
virtual circuits .................................................... 12-71
VPI/VCI pair........................................................ 12-71
configuration examples
6to4 host, tunneling to a ................................ 14-108
access lists and route maps ............................. 14-61
DNS server information, requesting ............... 14-43
IPv4 tunneling over IPv6 (autokey IKE) ....... 14-117
IPv6 requests to multiple IPv4 hosts .............. 14-87
IPv6 to an IPv4 network over IPv4 ............... 14-113
IPv6 tunneling over IPv4 (autokey IKE) ....... 14-121
manual tunneling ............................................ 14-100
native host, tunneling to ................................ 14-104
PPPoE instance, configuring ............................ 14-46
prefixes, delegating ................................14-38, 14-40
static route redistribution ................................. 14-61
configuration settings, browser requirements.......... 3-2
configurations
full-mesh............................................................. 11-56
connection policy for Infranet Enforcer, configuring.....
9-42
console ........................................................................ 3-56

containers ................................................................. 5-186
content filtering ...........................................4-53 to 4-114
control messages ..................................................... 11-13
HA ......................................................................... 11-7
HA physical link heartbeats ............................... 11-7
RTO heartbeats.................................................... 11-7
cookies, SYN............................................................... 4-44
country codes and channels ................................ 12-130
country codes and channels, regulatory domain for .....
12-130
CRL
See Certificate Revocation List
cryptographic options ...................................5-48 to 5-61
anti-replay checking ...................................5-52, 5-59
authentication algorithms ..... 5-51, 5-54, 5-57, 5-61
authentication types ..................................5-50, 5-56
certificate bit lengths .................................5-50, 5-56
dialup ........................................................5-55 to 5-61
dialup VPN recommendations ........................... 5-61
encryption algorithms .................. 5-51 to 5-57, 5-61
ESP ...............................................................5-54, 5-60
IKE ID ................................ 5-51 to 5-52, 5-57 to 5-58
IPSec protocols ...........................................5-53, 5-60
key methods ........................................................ 5-49
PFS ...............................................................5-53, 5-59
Phase 1 modes ...........................................5-49, 5-56
site-to-site .................................................5-48 to 5-55
site-to-site VPN recommendations .................... 5-55
Transport mode ................................................... 5-60
Tunnel mode........................................................ 5-60
CSU compatibility, T3 interfaces ............................ 12-20
custom services........................................................ 2-121

custom services, in root and vsys .......................... 2-122
Customer Premises Equipment (CPE) ..... 14-39, 14-134
D
Data Encryption Standard (DES) ................................ 5-6
data messages ............................................................ 11-7
databases, local ............................................. 9-15 to 9-16
DDoS ........................................................................... 4-27
decompression, AV scanning ................................... 4-89
Deep Inspection (DI) ................................ 4-134 to 4-160
attack actions ...................................... 4-138 to 4-146
attack object database ....................... 4-120 to 4-127
attack object groups .......................................... 4-134
attack object negation....................................... 4-163
attack objects ..................................................... 4-117
changing severity .............................................. 4-134
context ..................................................................... 4-I
custom attack objects ....................................... 4-156
custom services .................................. 4-152 to 4-156
custom signatures .............................. 4-157 to 4-160
disabling attack objects .................................... 4-137
license keys ........................................................ 4-118
logging attack object groups ............................ 4-149
overview ............................................................. 4-116
protocol anomalies ............................................ 4-133
re-enabling attack objects ................................ 4-137
regular expressions ............................ 4-157 to 4-158
signature packs .................................................. 4-120
stateful signatures ............................................. 4-132
demand circuits, RIP ................................................. 7-94
Denial-of-Service
See DoS
DES ................................................................................ 5-6
destination gateway................................................. 14-99
device failover .......................................................... 11-57
devices, resetting to factory defaults ....................... 3-41
Device-Unique Identification (DUID) ..................... 14-36
DHCP ........................................ 2-96, 2-100, 2-243, 4-129
client ................................................................... 2-225
HA ....................................................................... 2-231
PXE scenario ...................................................... 2-237
relay agent ......................................................... 2-225
server .................................................................. 2-225
DHCPv6
client and server ................................................ 14-36
delegated prefixes ............................................. 14-38
purposes ............................................................. 14-35
TLA and SLA....................................................... 14-37
dictionary file, RADIUS ............................................... 9-2
Diffie-Hellman ............................................................ 5-10
Diffie-Hellman groups ........................................... 14-121
DiffServ ..............................................2-173, 2-200, 2-214
Master Index
IX-V
See also DS Codepoint Marking

digital signature ......................................................... 5-20
DIP ...........................................2-98, 2-140 to 2-143, 3-95
fix-port ................................................................ 2-142
groups ...................................................2-153 to 2-155
PAT ..........................................................2-141, 2-142
pools ................................................................... 2-169
pools, modifying ............................................... 2-143
DIP pools
address considerations ....................................... 8-14
extended interfaces .......................................... 5-140
NAT for VPNs..................................................... 5-140
NAT-src ................................................................... 8-1
size ........................................................................ 8-14
Discard ...................................................................... 4-129
Discrete multitone
See DMT
dissimilar IP stacks .......................................14-84, 14-86
distinguished name (DN) ........................................ 5-183
distinguished names ................................................. 9-30
DMT ...............................................................12-69, 12-70
DN ............................................................................. 5-183
DNS ................................................................2-217, 4-129
addresses, splitting ........................................... 2-223
lookups ............................................................... 2-218
lookups, domain ............................................... 2-223
servers ................................................................ 2-244
servers, tunneling to ......................................... 2-223
status table ......................................................... 2-219
DNS, L2TP settings .................................................. 5-211
Domain Name System
See DNS
Domain Name System (DNS)
DHCP client host ............................................... 14-43
DHCPv6 search list ........................................... 14-36
domain lookups................................................. 14-44
IPv4 or IPv6 addresses ..................................... 14-42
partial domain names ...................................... 14-36
proxy .................................................................. 14-44
refresh ................................................................ 14-42
search list ........................................................... 14-43
servers .............................................................. 14-132
servers, tunneling to ......................................... 14-44
Domain Name System (DNS) addresses
splitting....................................................14-44, 14-45
translating .......................................................... 14-93
DoS
firewall......................................................4-28 to 4-33
network ....................................................4-34 to 4-48
OS-specific ...............................................4-49 to 4-51
session table floods....................................4-17, 4-28
DoS attacks ....................................................4-27 to 4-51
drop-no-rpf-route ....................................................... 4-19
DS Codepoint Marking ..................... 2-194, 2-200, 2-214
IX-VI
Master Index
DSL .................................................................2-239, 2-244

dual-stack architecture ............................................ 14-50
networks, dissimilar.......................................... 14-50
routing tables ..................................................... 14-50
WAN backbones, dissimilar ............................. 14-50
Duplicate Address Detection (DAD)
function .............................................................. 14-31
Retry Count ........................................................ 14-31
Dynamic IP
See DIP
dynamic IP ............................................................... 14-82
Dynamic IP (DIP) pools................................2-143, 2-169
dynamic IP, from IPv6 to IPv4 ............................... 14-83
dynamic packet filtering ............................................. 4-3
E
Echo .......................................................................... 4-129
ECMP..................................................................7-36, 7-59
email alert notification .....................................3-71, 3-73
Encapsulating Security Payload
See ESP
encapsulation .............................. 14-103, 14-111, 14-117
encryption .................................................14-112, 14-115
3DES ................................................................. 14-121
AES128 ............................................................. 14-121
algorithms .............................. 5-6, 5-51, 5-54 to 5-61
NSRP ................................................................... 11-28
NSRP-Lite ........................................................... 11-15
encryption, SecurID .................................................. 9-28
endpoint host state mode
Base Reachable Time ........................................ 14-30
Duplicate Address Detection (DAD) ................ 14-31
Probe Forever state ........................................... 14-31
Probe Time ........................................................ 14-31
Reachable Time ................................................. 14-30
Retransmission Time ........................................ 14-31
Stale mode ......................................................... 14-30
ESP ................................................................. 5-3, 5-5, 5-6
authenticate only................................................. 5-54
encrypt and authenticate ..........................5-54, 5-60
encrypt only ......................................................... 5-54
evasion ............................................................4-15 to 4-25
event log ..................................................................... 3-56
exe files, blocking .................................................... 4-168
exempt rulebase
adding to Security Policy .................................. 4-201
overview ............................................................. 4-200
exempt rules ..............................................4-200 to 4-204
configuring ......................................................... 4-201
configuring attacks ............................................ 4-203
configuring from the Log Viewer .................... 4-204
Master Index
configuring zones .............................................. 4-202

exploits
See attacks
extended channels, setting for WLAN ................. 12-130
F
factory defaults, resetting devices to ....................... 3-41
fail-mode ..................................................................... 4-81
failover
devices ................................................................ 11-57
dual Untrust interfaces ..........................11-44, 11-47
object monitoring .............................................. 11-50
virtual systems................................................... 11-56
VSD groups ........................................................ 11-56
fallback
assigning priorities .............................................. 9-32
file extensions, AV scanning ..................................... 4-90
filter source route ...................................................... 3-96
FIN scans .................................................................... 4-15
FIN without ACK flag ................................................. 4-13
Finger ........................................................................ 4-129
floods
ICMP ..................................................................... 4-46
session table ........................................................ 4-28
SYN ................................................. 4-34 to 4-39, 4-44
UDP ....................................................................... 4-47
fragment reassembly ....................................4-54 to 4-57
full-mesh configuration ........................................... 11-56
function zone interfaces ........................................... 2-38
HA ......................................................................... 2-38
management........................................................ 2-38
G
gatekeeper devices ...................................................... 6-1
Generic Routing Encapsulation (GRE) ................... 7-151
Gi interface ................................................................. 13-2
global unicast addresses ..........................14-102, 14-120
global zones................................................................ 8-82
Gn interface ................................................................ 13-2
Gopher ...................................................................... 4-129
Gp interface ................................................................ 13-2
GPRS Tunneling Protocol (GTP)
See GTP
graphs, historical...................................................... 2-172
group expressions..............................................9-5 to 9-9
operators ................................................................ 9-5
server support...................................................... 9-14
users ....................................................................... 9-5
group IKE ID
certificates ............................................5-183 to 5-192
preshared keys ....................................5-192 to 5-198
groups
addresses ........................................................... 2-105
services ............................................................... 2-138
GTP
Access Point Name (APN) filtering .................. 13-15
GTP-in-GTP packet filtering .............................. 13-13
IMSI prefix filtering ........................................... 13-16
inspection objects................................... 13-5 to 13-7
IP fragmentation................................................ 13-13
packet sanity check ............................................. 13-8
policy-based ......................................................... 13-5
protocol ................................................................ 13-2
standards .............................................................. 13-9
stateful inspection ............................................. 13-23
tunnel timeout ................................................... 13-25
GTP messages........................................................... 13-10
length, filtering by ............................................... 13-9
rate, limiting by ................................................. 13-12
type, filtering by ................................................ 13-10
types ................................................................... 13-10
versions 0 and 1 ................................................ 13-10
GTP traffic
counting .............................................................. 13-33
logging ................................................................ 13-31
GTP tunnels
failover ................................................................ 13-24
limiting................................................................ 13-23
timeout ............................................................... 13-25
H
HA
DHCP .................................................................. 2-231
interfaces, virtual HA .......................................... 2-39
See high availability
See also NSRP
hanging GTP tunnel ................................................. 13-25
hash-based message authentication code ................ 5-6
hashing, Secure Hashing Algorithm (SHA) ......... 14-121
heartbeats
HA physical link ................................................... 11-7
RTO ....................................................................... 11-7
Help files ....................................................................... 3-2
high availability
cabling ................................................. 11-25 to 11-28
data link ................................................................ 11-7
IP tracking .......................................................... 11-52
link probes ........................................................... 11-9
messages .............................................................. 11-7
virtual interfaces ................................................ 11-27
high availability (HA) ..................................... 13-4, 13-24
high availability failover
active/active ....................................................... 11-12
active/passive ..................................................... 11-11
high availability interfaces
aggregate ............................................................ 11-43
cabling network as HA links ............................ 11-27
redundant ........................................................... 11-42
Master Index
IX-VII
high-watermark threshold ........................................ 4-30

historical graphs ...................................................... 2-172
HMAC ............................................................................ 5-6
Host mode ...................................................14-46, 14-116
HTTP
blocking components .........................4-167 to 4-169
keep-alive ............................................................. 4-83
session timeout ................................................... 4-31
trickling ................................................................ 4-84
HTTP, session ID .......................................................... 3-4
HyperText Transfer Protocol (HTTP), session ID ..... 3-4
I
ICMP ......................................................................... 4-129
fragments ........................................................... 4-236
large packets ...................................................... 4-237
ICMP floods ................................................................ 4-46
ICMP services ........................................................... 2-126
message codes .................................................. 2-126
message types ................................................... 2-126
IDENT ....................................................................... 4-129
Identity Association Prefix Delegation Identification
(IAPD-ID).....................................................14-37, 14-39
Ident-Reset ................................................................. 3-28
idle session timeout .................................................. 9-18
IDP
basic configuration ........................................... 4-174
configuring device for standalone IDP ........... 4-227
configuring inline or inline tap mode ............. 4-186
enabling in firewall rule.................................... 4-185
IDP attack objects.................................................... 4-184
IDP engine
updating ............................................................. 4-231
IDP modes ................................................................ 4-186
IDP rulebase
adding to Security Policy.................................. 4-188
overview ............................................................. 4-187
IDP rulebases
role-based administration ................................ 4-184
types ................................................................... 4-183
IDP rules ................................................................... 4-187
configuring ......................................................... 4-189
configuring actions ........................................... 4-195
configuring address objects ............................. 4-184
configuring attack severity............................... 4-199
configuring attacks............................................ 4-196
configuring IDP attack objects......................... 4-184
configuring IP actions ....................................... 4-197
configuring notification .................................... 4-199
configuring service objects .............................. 4-184
configuring services .......................................... 4-190
IX-VIII
Master Index
configuring terminal rules ................................ 4-193

entering comments .................... 4-200, 4-204, 4-209
IDP-capable system ................................................. 4-172
IEEE 802.1Q VLAN standard .................................. 10-41
IGMP
access lists, using .............................................. 7-158
configuration, basic .......................................... 7-159
configuration, verifying .................................... 7-161
host messages ................................................... 7-156
interfaces, enabling on ..................................... 7-157
parameters ..............................................7-161, 7-162
policies, multicast.............................................. 7-168
querier ................................................................ 7-157
IGMP proxies ............................................................ 7-163
on interfaces ...................................................... 7-166
sender ................................................................. 7-175
IKE .................................................. 5-7, 5-86, 5-95, 5-160
group IKE ID user ................................5-183 to 5-198
group IKE ID, container .................................... 5-186
group IKE ID, wildcards ................................... 5-186
heartbeats .......................................................... 5-294
hello messages .................................................. 5-294
IKE ID ................................ 5-51 to 5-52, 5-57 to 5-58
IKE ID recommendations ................................... 5-70
IKE ID, Windows 2000 ..........................5-219, 5-227
local ID, ASN1-DN ............................................. 5-185
Phase 1 proposals, predefined ............................ 5-9
Phase 2 proposals, predefined .......................... 5-11
proxy IDs.............................................................. 5-11
redundant gateways ...........................5-291 to 5-304
remote ID, ASN1-DN ........................................ 5-185
shared IKE ID user ..............................5-198 to 5-204
IKE users ............................................... 9-14, 9-65 to 9-68
defining ................................................................ 9-66
groups ................................................................... 9-66
groups, and .......................................................... 9-65
groups, defining .................................................. 9-67
IKE ID ..........................................................9-65, 9-79
server support...................................................... 9-14
with other user types ............................................ 9-4
IMSI prefix filtering.................................................. 13-16
inactive SA .................................................................. 3-96
Infranet authentication ............................................. 9-44
Infranet Controller
actions .................................................................. 9-43
overview ............................................................... 9-42
resource policies .................................................. 9-43
Infranet Enforcer
connection policy, configuring .......................... 9-42
overview ............................................................... 9-42
inline mode .............................................................. 4-186
inline tap mode ........................................................ 4-186
in-short error .............................................................. 3-93
inspections ................................................................... 4-3
Master Index
Instant Messaging .................................................... 4-130

AIM...................................................................... 4-130
IRC ...................................................................... 4-130
MSN Messenger ................................................. 4-130
Yahoo! Messenger ............................................. 4-130
interfaces
addressing ............................................................ 2-46
aggregate ...................................................2-37, 11-43
binding to zone ................................................... 2-44
connections, monitoring .................................... 2-63
dedicated .................................................10-37, 10-71
default ................................................................... 2-48
DHCPv6 .............................................................. 14-35
DIP ...................................................................... 2-140
down, logically ..................................................... 2-61
down, physically ................................................. 2-61
dual routing tables ............................................ 14-50
extended ............................................................ 5-140
function zone ....................................................... 2-38
Gi ........................................................................... 13-2
Gn .......................................................................... 13-2
Gp .......................................................................... 13-2
HA function zone ................................................ 2-38
HA, dual ................................................................ 11-8
interface tables, viewing .................................... 2-43
IP tracking (See IP tracking)
L3 security zones................................................. 2-46
loopback ............................................................... 2-58
manageable ......................................................... 3-31
management options .......................................... 3-28
MGT....................................................................... 2-38
MIP ........................................................................ 8-64
modifying ............................................................. 2-48
monitoring ......................................................... 11-29
ND ....................................................................... 14-29
NDP ..................................................................... 14-30
NUD .................................................................... 14-29
null ........................................................................ 5-85
physical in security zones .................................. 2-36
physical, exporting from vsys ......................... 10-40
physical, importing to vsys .............................. 10-39
policy-based NAT tunnel .................................... 2-39
PPPoE ................................................................. 14-46
redundant ..................................................2-37, 11-42
secondary IP addresses ...................................... 2-50
shared ......................................................10-37, 10-71
state changes ....................................................... 2-61
tunnel.............................................. 2-39, 2-39 to 2-42
up, logically .......................................................... 2-61
up, physically ....................................................... 2-61
viewing interface table ....................................... 2-43
VIP......................................................................... 8-80
virtual HA ..................................................2-39, 11-27
VLAN1................................................................... 2-81
VSI ......................................................................... 2-38

VSIs ..................................................................... 11-24
zones, unbinding from ....................................... 2-45
interfaces, enabling IGMP on ................................. 7-157
interfaces, monitoring .................................. 2-68 to 2-73
loops ..................................................................... 2-69
security zones ...................................................... 2-73
Interior Gateway Protocol (IGP) .............................. 14-51
internal flash storage ................................................. 3-56
Internet Group Management Protocol
See IGMP
Internet Key Exchange
See IKE
Internet Protocol (IP) addresses
See IP addresses
Internet Service Provider (ISP) .......2-223, 14-36, 14-44,
14-98
intrusion detection and prevention, defined ........ 4-171

IP
packet fragments............................................... 4-240
IP addresses
extended............................................................. 5-140
host IDs................................................................. 2-47
interfaces, tracking on ........................................ 2-63
L3 security zones .................................... 2-46 to 2-47
Manage ................................................................. 2-95
manage IP ............................................................ 3-31
NetScreen-Security Manager servers ................ 3-25
network IDs.......................................................... 2-47
ports, defining for each .................................... 2-104
private ................................................................... 2-46
private address ranges ........................................ 2-47
public .................................................................... 2-46
secondary ................................................... 2-50, 2-51
secondary, routing between .............................. 2-51
IP addresses, virtual................................................... 8-80
IP options ....................................................... 4-10 to 4-11
attributes ................................................. 4-10 to 4-11
incorrectly formatted ........................................ 4-238
loose source route .........................4-10, 4-23 to 4-25
record route ......................................................... 4-11
security ....................................................... 4-10, 4-11
source route ......................................................... 4-23
stream ID.............................................................. 4-11
strict source route..........................4-11, 4-23 to 4-25
timestamp ............................................................ 4-11
IP pools
See DIP pools
IP Security
See IPSec
IP spoofing..................................................... 4-18 to 4-23
drop-no-rpf-route ................................................. 4-19
Layer 2 ........................................................ 4-19, 4-22
Layer 3 ........................................................ 4-18, 4-20
Master Index
IX-IX
IP tracking ...................................................11-52, 12-111

dynamic option ................................................... 2-64
interfaces, shared................................................ 2-64
interfaces, supported .......................................... 2-63
object failure threshold....................................... 2-65
ping and ARP ..................................................... 11-52
rerouting traffic .......................................2-63 to 2-78
vsys ....................................................................... 2-64
weights ................................................................. 2-65
IP tracking, failure
egress interface, on ................................2-75 to 2-76
ingress interface, on ...............................2-76 to 2-78
tracked IP threshold............................................ 2-64
IP-based traffic classification ................................. 10-71
IPSec
AH ........................................................ 5-2, 5-53, 5-60
digital signature ................................................... 5-20
ESP ....................................................... 5-2, 5-53, 5-60
L2TP-over-IPSec .................................................... 5-4
SAs ......................................................... 5-2, 5-8, 5-11
SPI ........................................................................... 5-2
Transport mode ..................5-4, 5-208, 5-213, 5-218
tunnel ..................................................................... 5-2
Tunnel mode ......................................................... 5-4
tunnel negotiation ................................................. 5-8
IPSec Access Session (IAS) ................................... 14-134
IPv4
addresses, mapped ................................14-82, 14-87
WAN ................................................................. 14-112
IPv4 to IPv6
host mapping..................................................... 14-91
network mapping.............................................. 14-90
IPv4/IPv6 boundaries .................... 14-81 to 14-86, 14-90
IPv6
addresses, SLA .................................................. 14-37
addresses, TLA .................................................. 14-37
backbone...............................................14-85, 14-115
networks, island .............................................. 14-112
IPv6 to IPv4 host mapping ..................................... 14-88
IPv6/IPv4 boundaries ................................14-82 to 14-88
IRC............................................................................. 4-130
ISP ............................................................................. 2-223
failover holddown timer ................................. 12-110
priority.............................................................. 12-109
ISP IP address and netmask................................... 12-72
J
Java applets, blocking ............................................. 4-168
K
keepalive
frequency, NAT-T .............................................. 5-237
L2TP .................................................................... 5-216
keys
IX-X
Master Index
manual.....................................................5-118, 5-124
preshared ........................................................... 5-160
keys, license ............................................................. 2-250
keys, vsys .................................................................. 10-37
L
L2TP .................................................. 5-205 to 5-230, 13-3
access concentrator: See LAC
address assignments .......................................... 9-84
bidirectional ....................................................... 5-208
compulsory configuration ................................ 5-205
decapsulation ..................................................... 5-209
default parameters ............................................ 5-211
encapsulation..................................................... 5-208
external auth server ............................................ 9-84
hello signal ..............................................5-216, 5-221
Keep Alive ...............................................5-216, 5-221
L2TP-only on Windows 2000 .......................... 5-207
local database ...................................................... 9-84
network server: See LNS
operational mode .............................................. 5-208
RADIUS server ................................................... 5-211
ScreenOS support ............................................. 5-207
SecurID server ................................................... 5-211
tunnel.................................................................. 5-213
user authentication ............................................. 9-84
voluntary configuration .................................... 5-205
Windows 2000 tunnel authentication .5-216, 5-221
L2TP policies ............................................................ 2-168
L2TP users .................................................................. 9-84
server support...................................................... 9-14
with XAuth ............................................................. 9-4
L2TP-over-IPSec .................................... 5-4, 5-213, 5-218
bidirectional ....................................................... 5-208
tunnel.................................................................. 5-213
LAC ............................................................................ 5-205
NetScreen-Remote 5.0...................................... 5-205
Windows 2000 .................................................. 5-205
Land attacks ............................................................... 4-48
lawful interception ................................................... 13-34
Layer 2 Tunneling Protocol
See L2TP
LDAP ................................................... 4-129, 9-29 to 9-30
common name identifiers.................................. 9-30
distinguished names ........................................... 9-30
server ports .......................................................... 9-30
structure ............................................................... 9-29
user types supported .......................................... 9-30
license keys .............................................................. 2-250
advanced mode ................................................. 4-118
attack pattern update ....................................... 4-118
Lightweight Directory Access Protocol
See LDAP
link-local addresses ......................................14-12, 14-14
Master Index
Link-State Advertisement (LSA) suppression .......... 7-67

LNS ............................................................................ 5-205
load sharing .............................................................. 11-82
load-balancing by path cost.............................7-36, 7-59
local certificate ........................................................... 5-25
local database
IKE users .............................................................. 9-66
timeout ................................................................. 9-16
user types supported .......................................... 9-16
log entries
enabling in IDP rules ........................................ 4-233
Log Viewer
creating an exempt rule ................................... 4-204
logging ................................................ 2-172, 3-55 to 3-68
asset recovery log ............................................... 3-68
attack object groups .......................................... 4-149
CompactFlash (PCMCIA) .................................... 3-56
console ................................................................. 3-56
email ..................................................................... 3-56
event log ............................................................... 3-56
internal ................................................................. 3-56
NetScreen-Security Manager .............................. 3-25
self log .................................................................. 3-66
SNMP ...........................................................3-56, 3-73
syslog ...........................................................3-56, 3-72
USB ....................................................................... 3-56
WebTrends..................................................3-56, 3-73
logging, traffic ............................................................ 13-5
loopback interfaces ................................................... 2-58
loose source route IP option ............... 4-10, 4-23 to 4-25
low-watermark threshold .......................................... 4-31
LPR spooler .............................................................. 4-129
M
MAC addresses .................................. 14-13, 14-21, 14-29
Main mode ................................................................... 5-9
malicious URL protection .............................4-54 to 4-57
Manage IP ................................................................... 2-95
manage IP .................................................................. 3-31
manage IP, VSD group 0 ........................................... 11-3
management client IP addresses ............................. 3-42
Management information base II
See MIB II
management methods
CLI ........................................................................... 3-9
console ................................................................. 3-19
SSL .......................................................................... 3-5
Telnet ...................................................................... 3-9
WebUI ..................................................................... 3-2
management options
interfaces .............................................................. 3-28
manageable ......................................................... 3-31
MGT interface ...................................................... 3-29
NetScreen-Security Manager .............................. 3-28
ping ....................................................................... 3-28

SNMP .................................................................... 3-28
SSH ........................................................................ 3-28
SSL......................................................................... 3-28
Telnet .................................................................... 3-28
Transparent mode ............................................... 3-29
VLAN1 ................................................................... 3-29
WebUI ................................................................... 3-28
manual 6over4 tunneling ........................................ 14-98
Manual Key
management .......................................................... 5-7
manual keys ........................................5-118, 5-124, 9-14
manual keys, VPNs .......................................... 3-43, 3-79
manual tunneling ..................................................... 14-99
mapped IP
See MIP
mapped IP (MIP) .......................................... 14-82, 14-84
IPv4 hosts to a single IPv6 host ....................... 14-91
IPv6-to-IPv4 network mapping ........................ 14-86
MIP from IPv6 to IPv4 ...................................... 14-84
mapping
host, IPv4 to IPv6 .............................................. 14-91
host, IPv6 to IPv4 .............................................. 14-88
network, IPv4 to IPv6 ....................................... 14-90
Maximum Transmission Unit (MTU) ..................... 14-12
MD5 ............................................................................... 5-6
Message Digest version 5 (MD5) ................................ 5-6
messages
alert ....................................................................... 3-57
control................................................................. 11-13
critical ................................................................... 3-57
data ....................................................................... 11-7
debug .................................................................... 3-57
emergency ........................................................... 3-56
error ...................................................................... 3-57
HA ......................................................................... 11-7
info ........................................................................ 3-57
notification ........................................................... 3-57
warning................................................................. 3-57
WebTrends ........................................................... 3-73
MGT interface ............................................................. 2-38
MGT interface, management options ...................... 3-29
MIB files, importing ................................................. 5-252
MIB II ................................................................. 3-28, 3-74
Microsoft Network Instant Messenger
See MSN Instant Messenger
Microsoft-Remote Procedure Call
See MS-RPC
MIME, AV scanning .................................................... 4-72
MIP .................................................................... 2-11, 8-63
address ranges ..................................................... 8-66
Master Index
IX-XI
bidirectional translation ....................................... 8-6

definition ................................................................ 8-6
global zone ........................................................... 8-64
grouping, multi-cell policies ............................... 8-79
reachable from other zones ............................... 8-67
same-as-untrust interface.......................8-70 to 8-73
MIP, creating
addresses ............................................................. 8-65
on tunnel interface.............................................. 8-70
on zone interface ................................................ 8-65
MIP, default
netmasks .............................................................. 8-66
virtual routers ...................................................... 8-66
MIP, to zone with interface-based NAT ................... 2-94
MIP, virtual systems ................................................ 10-31
MIP, VPNs ................................................................. 5-140
Mobile Station (MS) mode ...................................... 13-15
mode config ............................................................... 9-69
mode, Transparent .................................................. 10-42
modem ports ....................................................3-20, 3-22
modes
Aggressive ............................................................ 5-10
Host .......................................................14-46, 14-116
L2TP operational ............................................... 5-208
Main ........................................................................ 5-9
NAT and Route .................................................... 11-3
NAT, traffic to Untrust zone ............................... 2-79
Phase 1 cryptographic ...............................5-49, 5-56
preempt.............................................................. 11-21
Router ................................................................. 14-52
Stale .................................................................... 14-30
Transparent ......................................................... 2-80
Transport.................... 5-4, 5-60, 5-208, 5-213, 5-218
Tunnel ...........................................................5-4, 5-60
modes, operational
NAT ....................................................................... 13-4
Route .................................................................... 13-4
Transparent ......................................................... 13-4
modes, selection
APN ..................................................................... 13-15
Mobile Station (MS) ........................................... 13-15
Network.............................................................. 13-15
Verified ............................................................... 13-15
modulus ...................................................................... 5-10
MS RPC ALG, defined .............................................. 2-129
MSN Messenger ....................................................... 4-130
MS-RPC ..................................................................... 4-131
multicast
addresses ........................................................... 7-148
distribution trees ............................................... 7-183
policies ............................................................... 7-153
policies for IGMP ............................................... 7-168
reverse path forwarding ................................... 7-148
routing tables ..................................................... 7-149
IX-XII
Master Index
static routes........................................................ 7-150

multicast routing
IGMP ................................................................... 7-155
PIM ...................................................................... 7-181
multimedia sessions, SIP .......................................... 6-13
multiplexing, configuring........................................ 12-71
N
NAT
definition ................................................................ 8-1
IPSec and NAT ................................................... 5-232
NAT servers........................................................ 5-232
NAT-src with NAT-dst .............................8-50 to 8-61
NAT mode ................................... 2-92 to 2-97, 11-3, 13-4
interface settings ................................................. 2-95
traffic to Untrust zone ...............................2-79, 2-94
NAT vector error......................................................... 3-95
NAT-dst ............................................................8-28 to 8-61
address shifting ..................................................... 8-5
packet flow...............................................8-29 to 8-31
port mapping ...................................... 8-4, 8-28, 8-47
route considerations ..................... 8-29, 8-32 to 8-34
unidirectional translation ............................8-6, 8-10
VPNs ................................................................... 5-140
with MIPs or VIPs .................................................. 8-3
NAT-dst, addresses
range to range ............................................8-10, 8-44
range to single IP .........................................8-9, 8-41
ranges ..................................................................... 8-4
shifting .........................................................8-28, 8-44
NAT-dst, single IP
with port mapping ................................................ 8-8
without port mapping ........................................... 8-9
NAT-dst, translation
one-to-many ........................................................ 8-38
one-to-one ............................................................ 8-35
native hosts ...............................................14-102, 14-104
NAT-PT ....................................................................... 14-81
NAT-PT, IPSec, when to use .................................. 14-112
NAT-src .................................................... 8-1, 8-13 to 8-25
egress interface ............................... 8-8, 8-24 to 8-25
fixed port........................................ 8-14, 8-18 to 8-19
interface-based ...................................................... 8-2
VPNs ................................................................... 5-142
NAT-src, addresses
shifting ......................................................8-20 to 8-24
shifting, range considerations ........................... 8-20
NAT-src, DIP pools ....................................................... 8-1
fixed port................................................................ 8-7
with address shifting............................................. 8-8
with PAT ........................................... 8-7, 8-15 to 8-17
NAT-src, Route mode ................................................. 2-98
NAT-src, translation
port addresses ....................................................... 8-2
Master Index
unidirectional ................................................8-6, 8-10

NAT-T ...........................................................5-232 to 5-239
enabling .............................................................. 5-239
IKE packet .......................................................... 5-235
initiator and responder ..................................... 5-237
IPSec packet....................................................... 5-236
keepalive frequency .......................................... 5-237
obstacles for VPNs ............................................ 5-235
probing for NAT...................................5-233 to 5-234
NAT-Traversal
See NAT-T
negation, address .................................................... 2-186
negation, Deep Inspection (DI) .............................. 4-163
Neighbor Advertisement (NA) ................................ 14-30
Neighbor Cache table ........... 14-13, 14-15, 14-25, 14-30
Neighbor Cache table, neighbor entry categories 14-14
Neighbor Discovery (ND) ........................................ 14-29
Accept Incoming RAs ....................................... 14-21
age of neighbor entry ....................................... 14-13
bypassing MAC session-caching ...................... 14-29
definition ............................................................ 14-13
enabling .............................................................. 14-29
Neighbor Cache table ............................14-13, 14-29
neighbor reachability state............................... 14-13
neighbor reachability status ............................. 14-30
packets currently queued for transmission.... 14-13
reachability status ............................................. 14-29
Neighbor Discovery (ND), displaying .................... 14-32
Neighbor Discovery Parameter (NDP) ........14-21, 14-30
Neighbor Solicitation (NS)............................14-14, 14-31
setting ................................................................. 14-30
Neighbor Unreachability Detection (NUD) ........... 14-13
Neighbor Cache table ....................................... 14-25
Neighbor Unreachability Detection (NUD), Neighbor
Cache table ............................................................ 14-13
NetBIOS .................................................................... 4-131
NetInfo ...................................................................... 2-226
netmasks .........................................................2-47, 2-166
netmasks, MIP default............................................... 8-66
NetScreen Redundancy Protocol
See NSRP
NetScreen Reliable Transport Protocol
See NRTP
NetScreen-Remote
AutoKey IKE VPN .............................................. 5-160
dynamic peer ..........................................5-166, 5-173
NAT-T option ..................................................... 5-232
NetScreen-Security Manager
definition .............................................................. 3-22
enabling NSM Agent ........................................... 3-24
initial connectivity setup .................................... 3-23
logging .................................................................. 3-25
management options .......................................... 3-28
management system ....................... 3-22, 3-23, 3-25
NSM Agent ................................................. 3-22, 3-25

reporting events ........................................ 3-25, 3-26
UI ........................................................................... 3-22
Network Address Translation (NAT) ......................... 3-95
Network Address Translation-Port Translation
DIP addresses, translating ................................ 14-84
dynamic IP (DIP) ............................................... 14-82
MIP ...................................................................... 14-82
MIP from IPv4 to IPv6 ...................................... 14-85
outgoing service requests ..................... 14-82, 14-86
source address translation ............................... 14-83
when to use ........................................................ 14-82
Network Address Translation-Port Translation
(NAT-PT).................................................................. 14-81
Network mode ......................................................... 13-15
network, bandwidth ................................................ 2-193
next-hop gateway .................................................... 14-31
NFS ............................................................................ 4-129
NHTB table ................................................ 5-254 to 5-258
addressing scheme............................................ 5-256
automatic entries............................................... 5-257
manual entries ................................................... 5-257
mapping routes to tunnels ............................... 5-255
NNTP ......................................................................... 4-129
NRTP ......................................................................... 11-19
NSM Agent ........................................................ 3-22, 3-23
enabling ................................................................ 3-24
reporting events .................................................. 3-25
NSRP ........................................................................... 11-1
ARP broadcasts .................................................. 11-29
ARP lookup......................................................... 11-38
backup ................................................................ 11-11
cabling ................................................. 11-25 to 11-28
clear cluster command ..................................... 11-10
config sync ......................................................... 11-19
control messages ..................................... 11-7, 11-13
debug cluster command ................................... 11-10
default settings .................................................... 11-6
DHCP .................................................................. 2-231
DIP groups........................................... 2-153 to 2-155
full-mesh configuration ......................... 11-25, 11-56
HA session backup ............................................ 2-171
hold-down time ..................................... 11-35, 11-38
interface monitoring ......................................... 11-29
load sharing ....................................................... 11-82
manage IP .......................................................... 11-52
master ................................................................. 11-11
NAT and Route modes ........................................ 11-3
NTP synchronization ............................. 2-256, 11-20
Master Index
IX-XIII
packet forwarding and dynamic routing.......... 11-8

preempt mode................................................... 11-21
priority numbers ............................................... 11-21
redundant interfaces .......................................... 2-37
redundant ports .................................................. 11-3
RTOs ................................................................... 11-34
secondary path .................................................. 11-29
secure communications ................................... 11-28
virtual systems ....................................11-56 to 11-86
VSD groups ................................. 4-181, 11-21, 11-34
VSIs ..............................................................2-38, 11-2
VSIs, static routes ...................................11-24, 11-68
NSRP clusters ................................................11-30, 11-34
names ......................................................11-11, 11-28
NSRP data
link ........................................................................ 11-7
messages .............................................................. 11-7
NSRP HA
cabling, network interfaces ............................. 11-27
interfaces ............................................................. 11-6
ports, redundant interfaces ............................. 11-42
session backup .................................................. 11-16
NSRP ports
failover ............................................................... 11-42
NSRP RTOs .................................................11-16 to 11-17
states .................................................................. 11-17
sync .................................................................... 11-20
NSRP synchronization
NTP, NSRP ......................................................... 11-20
RTOs ................................................................... 11-20
NSRP-Lite .................................................................. 11-19
clusters ............................................................... 11-11
secure communications ................................... 11-15
NSRP-Lite synchronization
disabling ............................................................. 11-19
NTP ................................................. 2-255 to 2-257, 4-130
authentication types ......................................... 2-257
maximum time adjustment ............................. 2-256
multiple servers ................................................. 2-255
NSRP synchronization ...................................... 2-256
secure servers .................................................... 2-257
servers ................................................................ 2-255
NTP, NSRP synchronization ................................... 11-20
Null interface, defining routes with ......................... 7-11
null route .................................................................... 5-85
O
objects
attack objects ..................................................... 4-209
attack objects, creating custom ....................... 4-212
attack objects, protocol anomaly .................... 4-210
attack objects, signature .................................. 4-210
objects, monitoring ................................................. 11-50
OCSP (Online Certificate Status Protocol) .............. 5-34
IX-XIV
Master Index
client ..................................................................... 5-34

responder ............................................................. 5-34
Open Shortest Path First
See OSPF
operating systems, probing hosts for ..........4-12 to 4-14
operational modes
NAT ....................................................................... 13-4
Route .................................................................... 13-4
Transparent.......................................................... 13-4
OSPF
broadcast networks ............................................ 7-48
configuration steps.............................................. 7-49
ECMP support ...................................................... 7-59
flooding, protecting against ............................... 7-66
flooding, reduced LSA......................................... 7-67
global parameters ............................................... 7-58
hello protocol ....................................................... 7-47
interface parameters .......................................... 7-62
interfaces, assigning to areas ............................ 7-53
interfaces, tunnel ................................................ 7-68
link-state advertisements ................................... 7-46
link-type, setting .................................................. 7-68
load-balancing ..................................................... 7-36
LSA suppression .................................................. 7-67
neighbors, authenticating .................................. 7-64
neighbors, filtering .............................................. 7-65
not so stubby area .............................................. 7-47
point-to-multipoint .............................................. 7-68
point-to-point network........................................ 7-48
security configuration ......................................... 7-64
stub area............................................................... 7-47
virtual links .......................................................... 7-59
OSPF areas ................................................................. 7-46
defining ................................................................ 7-51
interfaces, assigning to ....................................... 7-53
OSPF routers
adjacency ............................................................. 7-47
backup designated .............................................. 7-47
creating OSPF instance in VR ............................ 7-50
designated ............................................................ 7-47
types ..................................................................... 7-47
OSPF routes
default, rejecting.................................................. 7-66
redistributed, summarizing................................ 7-57
redistributing ....................................................... 7-56
route-deny restriction, disabling ....................... 7-69
Overbilling attacks
description ......................................................... 13-26
prevention ............................................13-26 to 13-31
prevention, configuring .................................... 13-29
solutions ............................................................. 13-28
P
P2P ............................................................................ 4-131
Master Index
BitTorrent ........................................................... 4-131

DC ....................................................................... 4-131
eDonkey ............................................................. 4-131
FastTrack ............................................................ 4-131
Gnutella .............................................................. 4-131
KaZaa .................................................................. 4-131
MLdonkey .......................................................... 4-131
Skype .................................................................. 4-131
SMB ..................................................................... 4-131
WinMX................................................................ 4-131
packet flow .....................................................2-10 to 2-12
inbound VPN............................................5-66 to 5-68
outbound VPN ..................................................... 5-66
policy-based VPN ....................................5-68 to 5-69
route-based VPN ......................................5-63 to 5-68
packet flow, NAT-dst ......................................8-29 to 8-31
packets ........................................................................ 3-96
address spoofing attack ...................................... 3-94
collision .......................................................3-93, 3-94
denied ................................................................... 3-95
dropped .......................................................3-95, 3-96
fragmented .......................................................... 3-96
incoming .............................................................. 3-93
Internet Control Message Protocol (ICMP) ...... 3-92,
3-94
IPSec ..................................................................... 3-95

land attack ........................................................... 3-95
Network Address Translation (NAT) ................. 3-95
Point to Point Tunneling Protocol (PPTP) ........ 3-94
received ............................................. 3-93, 3-94, 3-95
transmitted underrun ......................................... 3-93
unreceivable................................................3-93, 3-94
unroutable ............................................................ 3-95
PAP .................................................................5-208, 5-211
parent connection ..................................................... 3-95
Password Authentication Protocol
See PAP
passwords
forgetting .............................................................. 3-39
root admin ........................................................... 3-41
passwords, changing admins .........................10-4, 10-7
PAT ....................................................................2-141, 8-14
PCMCIA ....................................................................... 3-56
Peer-to-Peer
See P2P
Perfect Forward Secrecy
See PFS
PFS ........................................................... 5-11, 5-53, 5-59
Phase 1 ......................................................................... 5-9
proposals ................................................................ 5-9
proposals, predefined ........................................... 5-9
Phase 2 ....................................................................... 5-11
proposals .............................................................. 5-11
proposals, predefined ......................................... 5-11
physical interface
physical interfaces
C-bit parity mode .............................................. 12-13
CSU compatibility .............................................. 12-20
exporting from vsys .......................................... 10-40
importing to vsys............................................... 10-39
PIM-SM ...................................................................... 7-183
configuration steps ............................................ 7-187
configuring rendezvous points ........................ 7-197
designated router .............................................. 7-184
IGMPv3 ............................................................... 7-213
instances, creating ............................................ 7-188
interface parameters ......................................... 7-202
proxy RP ............................................................. 7-204
rendezvous points ............................................. 7-184
security configurations ..................................... 7-199
traffic, forwarding ............................................. 7-185
PIM-SSM .................................................................... 7-187
ping management options ....................................... 3-28
Ping of Death ............................................................. 4-49
pinholes ...................................................................... 6-19
PKI ............................................................................... 5-22
PKI keys ........................................................................ 3-6
point-to-multipoint configuration
OSPF ..................................................................... 7-68
Point-to-Point Protocol
See PPP
Point-to-Point Protocol (PPP) .................................. 14-46
Point-to-Point Protocol over ATM
See PPPoA
Point-to-Point Protocol over Ethernet
See PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) ..... 14-46
Point-to-Point Tunneling Protocol (PPTP) ................ 3-94
policies ................................................................ 2-3, 13-5
actions ................................................................ 2-167
address groups................................................... 2-166
address negation ............................................... 2-186
addresses ............................................................ 2-166
addresses in ....................................................... 2-166
alarms ................................................................. 2-172
application, linking service to explicitly ......... 2-167
authentication .................................................... 2-170
bidirectional VPNs ................................. 2-168, 5-125
changing ............................................................. 2-189
context ................................................................ 4-120
core section .............................................. 4-17, 4-118
counting .............................................................. 2-172
Deep Inspection (DI) ......................................... 2-169
deny .................................................................... 2-167
DIP groups.......................................................... 2-154
disabling ............................................................. 2-189
editing ................................................................. 2-189
Master Index
IX-XV
enabling.............................................................. 2-189
functions of ........................................................ 2-159
global ........................................... 2-162, 2-174, 2-184
HA session backup ............................................ 2-171
ID ........................................................................ 2-166
internal rules...................................................... 2-164
interzone ..........................2-161, 2-174, 2-175, 2-178
intrazone ..................................... 2-161, 2-174, 2-182
L2TP .................................................................... 2-168
L2TP tunnels ...................................................... 2-168
lookup sequence ............................................... 2-163
management ..................................................... 2-174
managing bandwidth........................................ 2-193
maximum limit ................................................. 2-107
multicast............................................................. 7-153
multiple items per component ........................ 2-185
name .................................................................. 2-168
NAT-dst............................................................... 2-169
NAT-src ............................................................... 2-169
order ................................................................... 2-190
permit ................................................................. 2-167
policy context .................................................... 2-185
policy set lists .................................................... 2-163
position at top ........................................2-169, 2-190
reject ................................................................... 2-167
removing ............................................................ 2-191
reordering .......................................................... 2-190
required elements ............................................. 2-160
root system ........................................................ 2-164
schedules............................................................ 2-172
security zones .................................................... 2-166
service book....................................................... 2-109
service groups ................................................... 2-138
services............................................................... 2-166
services in ...............................................2-109, 2-166
shadowing ...............................................2-189, 2-190
traffic logging ..................................................... 2-172
traffic shaping.................................................... 2-173
tunnel ................................................................. 2-167
types .....................................................2-161 to 2-162
verifying ............................................................. 2-189
virtual systems .................................................. 2-164
VPN dialup user groups .................................... 2-166
VPNs ................................................................... 2-168
policies, configuring .................................................. 13-6
policy-based NAT
See NAT-dst and NAT-src
policy-based NAT, tunnel interfaces......................... 2-39
policy-based VPNs ..................................................... 5-62
Port Address Translation
See PAT
port scan ....................................................................... 4-9
Portmapper .............................................................. 4-130
ports
IX-XVI
Master Index
failover................................................................ 11-42
mapping ........................................................8-4, 8-28
numbers ............................................................... 8-87
primary trusted and untrusted ........................ 11-42
redundant............................................................. 11-3
secondary trusted and untrusted .................... 11-42
ports, modem ...................................................3-20, 3-22
ports, trunk ............................................................... 10-42
PPP .................................................................5-206, 12-66
PPPoA................................................. 12-66, 12-68, 12-74
PPPoE .............................................................12-66, 12-74
PPPoE - Point-to-Point Protocol over Ethernet ..... 14-46
preempt mode ......................................................... 11-21
prefix lists ................................................................. 14-12
preshared key............................................................... 5-7
preshared keys ......................................................... 5-160
priority queuing ....................................................... 2-198
private addresses ....................................................... 2-47
probe ......................................................................... 14-31
Probe Time ............................................................... 14-31
probes
network .................................................................. 4-8
open ports .............................................................. 4-9
operating systems ......................................4-12, 4-14
proposals
Phase 1 ..........................................................5-9, 5-69
Phase 2 ........................................................5-11, 5-69
protocol anomalies .................................................. 4-133
ALGs .................................................................... 4-131
basic network protocols ................................... 4-129
configuring parameters .................................... 4-162
Instant Messaging applications........................ 4-130
P2P applications ................................................ 4-131
supported protocols ............................4-129 to 4-132
protocol distribution, reporting to NetScreen-Security
Manager ................................................................... 3-25
Protocol Independent Multicast
See PIM
protocols
CHAP .................................................................. 5-208
IGP ...................................................................... 14-51
NRTP ................................................................... 11-19
NSRP ..................................................................... 11-1
PAP ..................................................................... 5-208
PPP ...........................................................5-206, 14-46
PPPoE ................................................................. 14-46
VRRP ................................................................... 11-53
protocols, CHAP ......................................................... 9-79
proxy IDs .................................................................... 5-11
matching .....................................................5-63, 5-69
VPNs and NAT .....................................5-140 to 5-141
public addresses ........................................................ 2-47
Public key infrastructure
See PKI
Master Index
2474, Definition of the Differentiated Services Field

(DS Field) in the IPv4 and IPv6 Headers ....... 2-173
791, Internet Protocol..................................... 4-10
793, Transmission Control Protocol................. 4-13
Public/private key pair .............................................. 5-23

PXE ............................................................................ 2-237
PXE server ................................................................ 2-237
RIP
QoS ............................................................................ 2-193
authenticating neighbors .................................... 7-86

configuration ...................................................... 14-53
database ............................................................... 7-93
demand circuit configuration............................. 7-94
filtering neighbors ............................................... 7-87
flooding, protecting against ................... 7-88, 14-59
global parameters.................................... 7-83, 14-56
instances, creating in VR ........................ 7-76, 14-54
interface parameters ............................... 7-85, 14-60
interfaces, enabling on ........................... 7-77, 14-55
load-balancing...................................................... 7-36
neighbors, filtering ............................................ 14-57
point-to-multipoint .............................................. 7-97
prefix summary ................................................... 7-92
versions ................................................................ 7-90
versions, protocol ................................................ 7-90
RIP routes
alternate ............................................................... 7-93
default, rejecting ................................................ 14-57
redistributing............................................ 7-77, 14-58
rejecting default ................................................... 7-88
summary, configuring ........................................ 7-92
RIP, configuring
demand circuits ................................................... 7-95
security ................................................................. 7-86
steps ...................................................................... 7-75
RIP, viewing
database ................................................... 7-80, 14-66
interface details ................................................... 7-82
neighbor information .............................. 7-81, 14-68
protocol details ........................................ 7-80, 14-66
RIPng ............................................................. 14-49, 14-51
interface cost metric ............................. 14-60, 14-62
metric calculation .............................................. 14-62
offset metric ........................................... 14-60, 14-62
route metric ........................................... 14-60, 14-62
route redistribution ........................................... 14-51
rlogin ......................................................................... 4-130
role-based administration
configuring IDP-only administrator................. 4-228
IDP rulebases ..................................................... 4-184
root admin, logging in ............................................... 3-42
route lookup
multiple VRs ......................................................... 7-34
sequence .............................................................. 7-32
Route mode .............................. 2-98 to 2-101, 11-3, 13-4
interface settings ................................................. 2-99
NAT-src ................................................................. 2-98
route tracking ......................................................... 12-111
R
RA - Router Advertisement ..................................... 14-12
RADIUS ..................................... 3-39, 4-130, 9-19 to 9-22
auth server objects .............................................. 9-33
dictionary file ......................................................... 9-2
dictionary files ..................................................... 9-21
L2TP .................................................................... 5-211
object properties ................................................. 9-20
ports ...................................................................... 9-20
retry timeout ........................................................ 9-20
shared secret ....................................................... 9-20
RADIUSv6 ............................................................... 14-132
rate limiting, GTP-C messages................................ 13-12
reachability states .................................................... 14-14
reachability states, transitions ................................ 14-15
reconnaissance ................................................4-7 to 4-25
address sweep ....................................................... 4-8
FIN scans .............................................................. 4-15
IP options ............................................................. 4-10
port scan ................................................................ 4-9
SYN and FIN flags set ......................................... 4-12
TCP packet without flags .................................... 4-14
record route IP option ............................................... 4-11
redundant gateways ..................................5-291 to 5-304
recovery procedure ........................................... 5-295
TCP SYN flag checking ..................................... 5-297
regular expressions ...................................4-157 to 4-158
rekey option, VPN monitoring ............................... 5-242
Remote Authentication Dial-in User Service
See RADIUS
remote termination point ........................14-104, 14-107
replay protection........................................................ 5-12
request packets, outgoing from IPv6 to IPv4 ....... 14-84
requirements, basic functional................................. 10-4
Retransmission Time .............................................. 14-31
rexec .......................................................................... 4-130
RFC 1777, Lightweight Directory Access Protocol.. 9-29
RFCs
0792, Internet Control Message Protocol ....... 2-126
1038, Revised IP Security Option .................... 4-10
1349, Type of Service in the Internet Protocol Suite ..
2-173
1918, Address Allocation for Private Internets . 2-47
2132, DHCP Options and BOOTP Vendor Extensions
2-230
2326, Real Time Streaming Protocol (RTSP) . 2-130,
2-134
Master Index
IX-XVII
route-based VPNs ..........................................5-62 to 5-63

Router Advertisement (RA)..................................... 14-12
Router mode ............................................................ 14-52
Router Solicitation (RS) ........................................... 14-12
routers
upstream ............................................................ 14-38
virtual ....................................................14-50, 14-102
routes
exporting .............................................................. 7-42
filtering ................................................................. 7-39
importing ............................................................. 7-42
maps ..................................................................... 7-38
metrics ................................................................. 7-31
null ........................................................................ 5-85
preference ............................................................ 7-30
redistributing ....................................................... 7-37
selection ............................................................... 7-30
Routing Information Protocol
See RIP
routing tables ............................................................. 7-15
lookup ................................................................... 7-32
lookup in multiple VRs ....................................... 7-34
multicast............................................................. 7-149
route selection ..................................................... 7-30
types ..................................................................... 7-15
routing, multicast .................................................... 7-147
RSA authentication ................................................ 14-121
rsh ............................................................................. 4-130
RSH ALG ................................................................... 2-127
RTOs ............................................................11-16 to 11-17
operational states .............................................. 11-17
peers ................................................................... 11-22
synchronization ................................................. 11-20
RTSP .......................................................................... 4-130
RTSP ALG
defined ............................................................... 2-130
request methods ............................................... 2-131
server in private domain .................................. 2-134
server in public domain ................................... 2-136
status codes ....................................................... 2-133
rules, derived from policies .................................... 2-164
run-time authentication .................................2-170, 9-46
Run-Time Objects
See RTOs
S
SA policy ..................................................................... 3-96
SAs........................................................................5-8, 5-11
check in packet flow ........................................... 5-65
SCEP (Simple Certificate Enrollment Protocol) ...... 5-30
schedules .......................................................2-156, 2-172
SCP
enabling................................................................ 3-18
example client command .................................. 3-18
IX-XVIII
Master Index
SCREEN
address sweep ....................................................... 4-8
bad IP options, drop ......................................... 4-238
drop unknown MAC addresses.......................... 4-39
FIN with no ACK.................................................. 4-15
FIN without ACK flag, drop ................................ 4-13
ICMP
fragments, block .......................................... 4-236
ICMP floods .......................................................... 4-46
IP options ............................................................. 4-10
IP packet fragments, block .............................. 4-240
IP spoofing ...............................................4-18 to 4-23
Land attacks ......................................................... 4-48
large ICMP packets, block ................................ 4-237
loose source route IP option, detect ................. 4-25
Ping of Death ....................................................... 4-49
port scan ................................................................ 4-9
source route IP option, deny ............................. 4-25
strict source route IP option, detect .................. 4-25
SYN and FIN flags set ......................................... 4-12
SYN floods ................................................4-34 to 4-39
SYN fragments, detect ...................................... 4-241
SYN-ACK-ACK proxy floods ............................... 4-32
TCP packet without flags, detect ....................... 4-14
Teardrop ............................................................... 4-50
UDP floods ........................................................... 4-47
unknown protocols, drop ................................. 4-239
VLAN and MGT zones ........................................... 4-2
WinNuke attacks ................................................. 4-51
SCREEN, MGT zone ................................................... 2-28
ScreenOS
function zones ..................................................... 2-33
global zone ........................................................... 2-28
overview ................................................................. 2-1
packet flow...............................................2-10 to 2-12
policies.................................................................... 2-3
RADIUS vendor IDs ............................................. 9-22
security zones ...............................................2-2, 2-28
security zones, global ........................................... 2-2
security zones, predefined ................................... 2-2
tunnel zones ........................................................ 2-29
virtual systems ...................................................... 2-9
VRs ........................................................................ 10-6
zones .............................................. 2-25 to 2-33, 10-6
ScreenOS interfaces
security zones ........................................................ 2-3
subinterfaces.......................................................... 2-3
SDP ..................................................................6-17 to 6-18
secondary IP addresses ............................................ 2-51
secondary path ........................................................ 11-29
Secure Copy
See SCP
Secure Hash Algorithm-1
See SHA-1
Master Index
Secure Shell
See SSH
Secure Sockets Layer
See SSL
SecurID ....................................................................... 9-27
ACE servers .......................................................... 9-28
auth server object................................................ 9-35
authentication port ............................................. 9-28
authenticator........................................................ 9-27
encryption types ................................................. 9-28
L2TP .................................................................... 5-211
token codes .......................................................... 9-27
Use Duress option ............................................... 9-28
user type support ................................................ 9-28
SecurID clients
retries.................................................................... 9-28
timeout ................................................................. 9-28
security associations
See SAs
Security Associations (SA) ........................................ 3-95
security IP option .............................................4-10, 4-11
Security Policies ....................................................... 4-182
security policies
rulebase execution ............................................ 4-185
rulebases ............................................................ 4-182
rules .................................................................... 4-182
templates............................................................ 4-185
security zones .............................................................. 2-2
determination, destination zone ....................... 2-12
determination, source zone ............................... 2-10
global ...................................................................... 2-2
predefined .............................................................. 2-2
See zones
security zones, interfaces ........................................... 2-3
physical ................................................................ 2-36
selection modes
APN ..................................................................... 13-15
Mobile Station (MS) ........................................... 13-15
Network .............................................................. 13-15
Verified ............................................................... 13-15
self log ......................................................................... 3-66
sequence-number validation .................................. 13-13
serial cables ................................................................ 3-19
Server Message Block
See SMB
servers, auth
See auth servers
servers, SecurID ACE ................................................. 9-28
service book
entries, modifying (CLI) .................................... 2-123
entries, removing (CLI) ..................................... 2-123
service book, service groups (WebUI) ..................... 6-63
service book, services
adding ................................................................. 2-122
custom ................................................................ 2-109

custom (CLI) ....................................................... 2-122
preconfigured..................................................... 2-109
service groups ........................................... 2-138 to 2-140
creating ............................................................... 2-138
deleting ............................................................... 2-140
modifying ........................................................... 2-139
service groups (WebUI) ........................................... 2-138
service provider, information from ........................ 12-66
service requests, outgoing .......................... 14-86, 14-88
services ..................................................................... 2-109
custom ................................................................ 4-152
defined ................................................................ 2-166
dropdown list ..................................................... 2-109
ICMP.................................................................... 2-126
in policies ........................................................... 2-166
timeout threshold .............................................. 2-123
services, custom....................................................... 2-121
ALGs .................................................................... 2-167
in vsys ................................................................. 2-122
session ID ..................................................................... 3-4
session idle timeout................................................... 9-18
session limits ................................................. 4-28 to 4-30
destination-based ...................................... 4-29, 4-30
source-based .............................................. 4-28, 4-29
session table floods ......................................... 4-17, 4-28
session timeout
HTTP ..................................................................... 4-31
session timeouts
TCP ........................................................................ 4-31
UDP ....................................................................... 4-31
SHA-1 ............................................................................ 5-6
shared VRs ................................................................ 10-37
shared zones ............................................................ 10-37
signature packs, DI .................................................. 4-120
signatures
stateful ................................................................ 4-132
SIP
ALG .............................................................. 6-17, 6-20
connection information ...................................... 6-18
defined .................................................................. 6-13
media announcements ....................................... 6-18
messages .............................................................. 6-14
multimedia sessions ........................................... 6-13
pinholes ................................................................ 6-17
request methods.................................................. 6-14
response codes .................................................... 6-16
RTCP ..................................................................... 6-18
RTP ........................................................................ 6-18
SDP .......................................................... 6-17 to 6-18
signaling ............................................................... 6-17
SIP NAT
call setup .................................................... 6-23, 6-28
defined .................................................................. 6-23
Master Index
IX-XIX
DIP pool, using a ................................................. 6-35

DIP, using incoming ........................................... 6-31
DIP, using interface ............................................ 6-32
incoming, with MIP ...................................6-35, 6-37
proxy in DMZ ...................................................... 6-44
proxy in private zone ................................6-39, 6-86
proxy in public zone ........................................... 6-42
trust intrazone ..................................................... 6-51
untrust intrazone........................................6-47, 6-93
VPN, using full-mesh .................................6-53, 6-99
SIP timeouts
inactivity .............................................................. 6-20
media inactivity..........................................6-21, 6-22
session inactivity ................................................. 6-20
signaling inactivity .....................................6-21, 6-22
site survey .............................................................. 12-131
Site-Local Aggregator (SLA) .........................14-37, 14-39
SMB
NetBIOS .............................................................. 4-131
SMTP server IP........................................................... 3-71
SNMP .................................................................3-28, 3-73
cold start trap ...................................................... 3-74
configuration ....................................................... 3-77
encryption ...................................................3-76, 3-78
management options ......................................... 3-28
MIB files, importing .......................................... 5-252
VPN monitoring ................................................ 5-252
SNMP community
private .................................................................. 3-77
public .................................................................... 3-77
SNMP traps
100, hardware problems.................................... 3-74
200, firewall problems ....................................... 3-74
300, software problems ..................................... 3-74
400, traffic problems .......................................... 3-74
500, VPN problems............................................. 3-74
allow or deny ....................................................... 3-76
system alarm ....................................................... 3-74
traffic alarm ......................................................... 3-74
types ..................................................................... 3-74
SNMPTRAP ............................................................... 4-130
software keys ........................................................... 10-37
source address translation...................................... 14-83
source interface-based routing (SIBR) ..................... 7-19
source route ............................................................... 3-96
source-based routing (SBR) ...................................... 7-17
SSH ...................................................... 3-11 to 3-16, 4-130
authentication method priority ......................... 3-15
automated logins ................................................ 3-17
connection procedure ........................................ 3-12
forcing PKA authentication only ....................... 3-16
loading public keys, CLI ..................................... 3-15
loading public keys, TFTP .........................3-15, 3-17
loading public keys, WebUI ............................... 3-15
IX-XX
Master Index
management options.......................................... 3-28

password authentication .................................... 3-14
PKA ....................................................................... 3-15
PKA authentication ............................................. 3-14
SSID
binding to wireless interface.......................... 12-144
SSL ......................................................................3-5, 4-130
SSL Handshake Protocol
See SSLHP
SSL management options ......................................... 3-28
SSL, with WebAuth .................................................... 9-62
SSLHP............................................................................ 3-5
state transitions
endpoint host..................................................... 14-15
next-hop gateway router .................................. 14-16
static entry ......................................................... 14-18
tunnel gateway .................................................. 14-17
stateful .......................................................................... 4-3
inspection ............................................................... 4-3
signatures ........................................................... 4-132
stateless address autoconfiguration ...................... 14-11
static IP address ....................................................... 12-74
static routing ............................................ 7-2, 7-2 to 7-10
configuring ............................................................. 7-5
multicast ............................................................. 7-150
Null interface, forwarding on ............................. 7-11
using ....................................................................... 7-3
statistics, reporting to NSM....................................... 3-26
stream ID IP option ................................................... 4-11
stream signatures .................................................... 4-133
strict source route IP option ............... 4-11, 4-23 to 4-25
subinterfaces .....................................................2-3, 10-62
configuring (vsys) .............................................. 10-62
creating (root system) ......................................... 2-49
creating (vsys) .................................................... 10-62
deleting ................................................................. 2-50
multiple per vsys ............................................... 10-62
subnets, overlapping ............................................... 10-63
subrate option .......................................................... 12-20
subscriptions
registration and activation .................2-251 to 2-253
temporary service ............................................. 2-252
Sun RPC ALG
call scenarios ..................................................... 2-127
defined ............................................................... 2-127
Super G ................................................................... 12-133
SurfControl ......................................................4-98, 4-107
SYN and FIN flags set ................................................ 4-12
SYN checking ....................................... 4-15, 4-15 to 4-18
asymmetric routing ............................................ 4-16
reconnaissance hole ........................................... 4-17
session interruption ............................................ 4-17
session table floods ............................................. 4-17
SYN cookies................................................................ 4-44
Master Index
SYN floods ......................................................4-34 to 4-39

alarm threshold ................................................... 4-38
attack threshold ................................................... 4-37
attacks .................................................................. 4-34
destination threshold .......................................... 4-38
drop unknown MAC addresses.......................... 4-39
queue size ............................................................ 4-39
source threshold .................................................. 4-38
SYN cookies ......................................................... 4-44
threshold .............................................................. 4-35
timeout ................................................................. 4-39
SYN fragments ......................................................... 4-241
SYN-ACK-ACK proxy floods ...................................... 4-32
synchronization
configuration...................................................... 11-19
RTOs ................................................................... 11-20
syslog ...............................................................3-56, 4-130
encryption ............................................................ 3-78
facility ................................................ 3-72, 3-81, 3-88
host ....................................................................... 3-72
host name ............................... 3-72, 3-73, 3-81, 3-88
messages .............................................................. 3-71
port .................................................... 3-72, 3-81, 3-88
security facility ................................. 3-72, 3-81, 3-88
system clock ...............................................2-253 to 2-257
date & time ........................................................ 2-254
sync with client ................................................. 2-254
time zone ........................................................... 2-254
system parameters .................................................. 2-257
T
T3 interfaces
C-bit parity mode .............................................. 12-13
CSU compatibility.............................................. 12-20
TACACS+
auth server objects .............................................. 9-38
clients retries ....................................................... 9-32
clients timeout ..................................................... 9-32
object properties ................................................. 9-32
ports ...................................................................... 9-32
retry timeout ........................................................ 9-32
shared secret ....................................................... 9-32
tags, VLANs .................................................................. 2-3
TCP
packet without flags ............................................ 4-14
session timeouts .................................................. 4-31
SYN flag checking ............................................. 5-297
TCP proxy ................................................................... 3-96
Teardrop attacks ........................................................ 4-50
Telnet .................................................................3-9, 4-130
Telnet management options .................................... 3-28
Telnet, logging in via ................................................. 3-10
templates
security policy .................................................... 4-185

TFTP .......................................................................... 4-130
three-way handshakes............................................... 4-34
threshold
low-watermark..................................................... 4-31
thresholds
high-watermark ................................................... 4-30
time zone .................................................................. 2-254
timeout...................................................................... 13-25
admin users ......................................................... 9-18
auth users ............................................................. 9-18
timestamp IP option .................................................. 4-11
token codes ................................................................ 9-27
Top-Level Aggregator (TLA) ..................................... 14-37
trace-route .................................................................. 2-85
traffic
counting .................................................... 2-172, 13-5
IP-based .............................................................. 10-71
logging ...................................................... 2-172, 13-5
priority ................................................................ 2-173
shaping ............................................................... 2-193
sorting .................................................. 10-31 to 10-39
through traffic, vsys sorting .............. 10-32 to 10-35
VLAN-based ..............................10-40, 10-41 to 10-68
traffic alarms ................................................. 3-68 to 3-71
traffic shaping .......................................................... 2-193
automatic ........................................................... 2-194
service priorities ................................................ 2-198
Transparent mode ........2-80 to 2-92, 10-42, 10-43, 13-4
ARP/trace-route ................................................... 2-83
blocking non-ARP traffic..................................... 2-81
blocking non-IP traffic ........................................ 2-81
broadcast traffic................................................... 2-81
drop unknown MAC addresses .......................... 4-39
flood ...................................................................... 2-83
routes .................................................................... 2-82
unicast options .................................................... 2-83
Transparent mode, management options............... 3-29
Transport mode......................... 5-4, 5-208, 5-213, 5-218
Triple DES
See 3DES
trunk ports ................................................................ 10-42
trunk ports, Transparent mode .............................. 10-42
trustee administrator ............................................. 12-109
tunnel interfaces ........................................................ 2-39
definition .............................................................. 2-39
policy-based NAT................................................. 2-39
Tunnel mode ................................................................ 5-4
tunnel termination points ..................................... 14-102
tunnel tracking ....................................................... 12-111
U
UDP
checksum ........................................................... 5-237
Master Index
IX-XXI
NAT-T encapsulation ........................................ 5-232

session timeouts.................................................. 4-31
unified access control solution
overview of ..........................................1-li, 9-vii, 9-41
unknown protocols.................................................. 4-239
unknown unicast options .............................2-82 to 2-87
ARP ...........................................................2-84 to 2-87
flood..........................................................2-83 to 2-84
trace-route ............................................................ 2-85
updating IDP engine ............................................... 4-231
upstream routers ..................................................... 14-38
URL filtering
See web filtering
USB.............................................................................. 3-56
users
admin ..................................................................... 9-2
admin, timeout.................................................... 9-18
group IKE ID ........................................5-183 to 5-198
groups, server support ....................................... 9-14
IKE
See IKE users
L2TP ..........................................................9-84 to 9-87
multiple-type.......................................................... 9-4
shared IKE ID ......................................5-198 to 5-204
WebAuth .............................................................. 9-14
XAuth........................................................9-68 to 9-82
users, auth
See auth users
users, IKE
See IKE users
users, multiple administrative .................................. 3-33
V
VC .............................................................................. 12-66
VCI............................................................................. 12-66
vendor IDs, VSA ......................................................... 9-22
vendor-specific attributes ......................................... 9-21
Verified mode........................................................... 13-15
Verisign ....................................................................... 5-34
VIP ............................................................................... 2-11
configuring ........................................................... 8-82
definition ................................................................ 8-6
editing .................................................................. 8-84
global zones ......................................................... 8-82
reachable from other zones ............................... 8-82
removing .............................................................. 8-84
required information .......................................... 8-81
VIP services
custom and multi-port ............................8-85 to 8-88
custom, low port numbers................................. 8-82
VIP, to zone with interface-based NAT .................... 2-94
virtual adapters .......................................................... 9-68
virtual channel identifier
See VCI
IX-XXII
Master Index
virtual circuit
See VC
virtual HA interfaces .......................................2-39, 11-27
virtual IP
See VIP
virtual path identifier
See VPI
Virtual Path Identifier/Virtual Channel Identifier
See VPI/VCI
virtual private networks
See VPNs
virtual routers ..............................................14-50, 14-102
See VRs
virtual routers, MIP default ....................................... 8-66
virtual routers, RIP .....................................14-53 to 14-70
virtual security device groups
See VSD groups
virtual security interface
See VSI
virtual system support .............................................. 13-5
virtual systems ............................................................. 2-9
admins .................................................................. 3-34
failover................................................................ 11-56
load sharing ....................................................... 11-82
manageability and security of ......................... 10-73
NSRP ................................................................... 11-56
read-only admins ................................................ 3-34
VIP....................................................................... 10-31
VLAN zone .................................................................. 2-81
VLAN1
interface ......................................................2-81, 2-87
zones .................................................................... 2-81
VLAN1, management options .................................. 3-29
VLAN-based traffic classification . 10-40, 10-41 to 10-68
VLANs
communicating with another VLAN 10-39, 10-65 to
10-68
creating.................................................10-43 to 10-64
subinterfaces...................................................... 10-62
tag ............................................................10-43, 10-62
Transparent mode .................................10-42, 10-43
trunking .............................................................. 10-42
VLAN-based traffic classification ......10-40, 10-41 to
10-68
VLANs, tags .................................................................. 2-3

VNC ........................................................................... 4-130
voice-over IP
bandwidth management .................................... 6-62
VPI ............................................................................. 12-66
VPI/VCI
configuring ......................................................... 12-71
values .................................................................. 12-74
VPN idletime .............................................................. 9-71
VPN monitoring ........................... 5-241 to 5-252, 12-111
Master Index
destination address .............................5-243 to 5-245

destination address, XAuth .............................. 5-243
ICMP echo requests .......................................... 5-252
outgoing interface ...............................5-243 to 5-245
policies................................................................ 5-244
rekey option ............................................5-242, 5-258
routing design ...................................................... 5-71
SNMP .................................................................. 5-252
status changes ........................................5-241, 5-244
VPNs
Aggressive mode ................................................. 5-10
AutoKey IKE........................................ 3-43, 3-79, 5-7
configuration tips ....................................5-69 to 5-71
cryptographic options .............................5-48 to 5-61
Diffie-Hellman exchange .................................... 5-10
Diffie-Hellman groups......................................... 5-10
for administrative traffic .................................... 3-78
FQDN aliases ..................................................... 5-130
FQDN for gateways .............................5-129 to 5-140
Main mode ............................................................. 5-9
manual key .......................................................... 3-79
manual keys......................................................... 3-43
MIP ...................................................................... 5-140
multiple tunnels per tunnel interface5-254 to 5-289
NAT for overlapping addresses .........5-140 to 5-151
NAT-dst ............................................................... 5-140
NAT-src ............................................................... 5-142
packet flow ...............................................5-63 to 5-69
Phase 1 ................................................................... 5-9
Phase 2 ................................................................. 5-11
policies................................................................ 2-168
policies for bidirectional ................................... 5-125
proxy IDs, matching ........................................... 5-69
redundant gateways ...........................5-291 to 5-304
redundant groups, recovery procedure .......... 5-295
replay protection ................................................. 5-12
route- vs policy-based ......................................... 5-62
SAs .......................................................................... 5-8
to zone with interface-based NAT ..................... 2-94
Transport mode ..................................................... 5-4
tunnel always up ............................................... 5-242
tunnel zones ........................................................ 2-29
VPN groups ........................................................ 5-292
VPN monitoring and rekey .............................. 5-242
VRRP ......................................................................... 11-53
VRs ........................................................ 7-37 to 7-42, 10-6
access lists............................................................ 7-40
BGP .......................................................7-106 to 7-113
ECMP .................................................................... 7-36
forwarding traffic between .................................. 2-4
introduction ........................................................... 2-4
modifying ............................................................. 7-22
on vsys ................................................................. 7-26
OSPF .........................................................7-49 to 7-67
RIP ............................................................ 7-75 to 7-90

route metrics ........................................................ 7-31
router IDs ............................................................. 7-22
SBR ........................................................................ 7-17
shared ................................................................. 10-37
shared, creating a .............................................. 10-38
SIBR....................................................................... 7-19
using two .............................................................. 7-23
VRs, routes
exporting .............................................................. 7-42
filtering ................................................................. 7-39
importing .............................................................. 7-42
maps ..................................................................... 7-38
preference ............................................................ 7-30
redistribution ....................................................... 7-37
selection ............................................................... 7-30
VRs, routing tables
lookup ................................................................... 7-32
lookup in multiple VRs ....................................... 7-34
maximum entries ................................................ 7-29
VSA attribute types .................................................... 9-22
VSAs............................................................................. 9-21
VSD groups ................................................... 4-181, 11-21
failover ................................................................ 11-56
heartbeats............................................... 11-23, 11-29
hold-down time ..................................... 11-35, 11-38
member states .................................... 11-22 to 11-23
priority numbers ............................................... 11-21
VSIs .................................................................. 11-2, 11-21
multiple VSIs per VSD group ............................ 11-56
static routes ........................................................ 11-24
vsys
admin.................................................................... 10-7
keys ..................................................................... 10-37
objects, creating .................................................. 10-4
W
web browser requirements ......................................... 3-2
web filtering ...................................2-172, 4-107 to 4-114
applying profiles to policies ............................. 4-104
blocked URL message ....................................... 4-111
blocked URL message type .............................. 4-111
cache ..................................................................... 4-99
communication timeout ................................... 4-110
integrated ............................................................. 4-98
profiles ................................................................ 4-102
redirect ............................................................... 4-107
routing ................................................................ 4-112
server status ....................................................... 4-112
servers per vsys ................................................. 4-108
SurfControl CPA servers ..................................... 4-98
SurfControl SCFP ............................................... 4-109
SurfControl server name .................................. 4-110
SurfControl server port ..................................... 4-110
Master Index
IX-XXIII
SurfControl servers ............................................. 4-99

URL categories................................................... 4-101
Websense server name .................................... 4-110
Websense server port ....................................... 4-110
Web user interface
See WebUI
WebAuth ............................................................9-14, 9-47
external user groups ........................................... 9-59
pre-policy auth process ...................................... 9-47
with SSL (user groups, external)........................ 9-61
WebAuth, pre-policy auth process ......................... 2-171
WebTrends.........................................................3-56, 3-73
encryption ...................................................3-73, 3-78
messages .............................................................. 3-73
WebUI ................................................................3-2, 14-32
Help files ................................................................ 3-2
management options ......................................... 3-28
WebUI, on sample client, downstream router ..... 14-40
WEP ........................................................................ 12-122
Whois ........................................................................ 4-130
wildcards .......................................................5-186, 13-15
WinNuke attacks ....................................................... 4-51
WINS
L2TP settings ..................................................... 5-211
WINS server ........................................................... 14-132
Wired Equivalent Privacy
See WEP
wireless bridge groups .......................................... 12-145
wireless interface
wireless interfaces
binding SSID to ............................................... 12-144
binding to radio ............................................... 12-144
configuring ....................................................... 12-144
disabling ........................................................... 12-146
Wireless Local Area Network
See WLAN
WLAN
access control list ............................................ 12-132
advanced parameters ..................................... 12-138
aging interval ................................................... 12-138
authentication and encryption ...................... 12-122
beacon interval ................................................ 12-139
bridge groups................................................... 12-145
burst threshold ................................................ 12-140
Clear to Send mode ........................................ 12-141
Clear to Send rate ........................................... 12-142
Clear to Send type........................................... 12-142
configurations, reactivating ........................... 12-133
configuring Super G ........................................ 12-133
country codes and channels .......................... 12-130
DTIM ................................................................. 12-140
extended channels .......................................... 12-130
IX-XXIV
Master Index
finding available channels .............................. 12-131

fragment threshold ......................................... 12-140
preamble length .............................................. 12-143
Request to Send threshold ............................. 12-141
site survey ........................................................ 12-131
slot time ........................................................... 12-143
viewing wireless configuration information 12-146
WMM ................................................................ 12-134
XR ..................................................................... 12-133
WLAN WAP operation modes
802.11b clients, configuring .......................... 12-119
802.11g clients, configuring .......................... 12-119
WLAN, wireless interfaces
binding ............................................................. 12-144
WMM
access categories ............................................. 12-135
configuring quality of service ........................ 12-134
default settings ................................................ 12-135
enabling ............................................................ 12-134
X
XAuth
authentication .................................................. 14-138
bypass-auth .......................................................... 9-69
client authentication ........................................... 9-83
defined ................................................................. 9-68
query remote settings ......................................... 9-69
ScreenOS as client .............................................. 9-83
TCP/IP assignments ............................................ 9-70
virtual adapters.................................................... 9-68
VPN idletime ........................................................ 9-71
VPN monitoring ................................................. 5-243
when to use ..................................................... 14-132
XAuth addresses
assignments ......................................................... 9-68
authentication, and ............................................. 9-79
IP address lifetime ..................................9-70 to 9-71
timeout ................................................................. 9-70
XAuth users ....................................................9-68 to 9-82
authentication ...................................................... 9-68
local authentication ............................................. 9-71
local group authentication.................................. 9-73
server support...................................................... 9-14
with L2TP ............................................................... 9-4
XAuth, external
auth server queries ............................................. 9-69
user authentication ............................................. 9-74
user group authentication .................................. 9-76
XR, configuring ...................................................... 12-133
Y
Yahoo! Messenger.................................................... 4-130
Master Index
Z
zip files, blocking ..................................................... 4-168
zombie agents ...................................................4-27, 4-29
zones ..................................................... 2-25 to 2-33, 10-6
defining ................................................................ 2-30
editing ................................................................... 2-31
function ................................................................ 2-33
function, MGT interface ...................................... 2-38
global .................................................................... 2-28
global security........................................................ 2-2
Layer 2 .................................................................. 2-81
shared ................................................................. 10-37
tunnel.................................................................... 2-29
VLAN ............................................................2-33, 2-81
vsys ....................................................................... 10-6
zones, global............................................................... 8-82
zones, ScreenOS ............................................2-25 to 2-33
predefined .............................................................. 2-2
security interfaces ................................................. 2-3
zones, security ....................................................2-2, 2-28
determination, destination zone ....................... 2-12
determination, source zone ............................... 2-10
global ...................................................................... 2-2
interfaces, monitoring ........................................ 2-73
interfaces, physical ............................................. 2-36
Master Index
IX-XXV
IX-XXVI
Master Index

Juniper Overview SSG500

Uploaded by

Copyright:

Available Formats

Juniper Overview SSG500

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Juniper Overview SSG500

Uploaded by

Copyright:

Available Formats

Concepts & Examples

ScreenOS Reference Guide

Release 6.0.0, Rev. 02

Juniper Networks, Inc.

Reorient or relocate the receiving antenna.

Increase the separation between the equipment and receiver.

Consult the dealer or an experienced radio/TV technician for help.

Volume Organization .................................................................................. xlvii

Security Zones ................................................................................................. 2

Concepts & Examples ScreenOS Reference Guide

Viewing Preconfigured Zones......................................................................... 26

Interface Types ..............................................................................................36

Interface Monitoring ................................................................................ 68

Building Blocks for Policies

Concepts & Examples ScreenOS Reference Guide

Custom Services ....................................................................................121

Destination Address Translation......................................................169

Managing Bandwidth at the Policy Level ......................................................193

Domain Name System Support ....................................................................217

Concepts & Examples ScreenOS Reference Guide

Placing the DHCP Server in an NSRP Cluster...................................231

Document Conventions.................................................................................. vii

Management via the Web User Interface ......................................................... 2

Concepts & Examples ScreenOS Reference Guide

Restricting Administrative Access ............................................................ 42

Monitoring Security Devices

Storing Log Information ................................................................................. 55

IP Address Sweep ............................................................................................ 8

Denial-of-Service Attack Defenses

Firewall DoS Attacks ...................................................................................... 28

Concepts & Examples ScreenOS Reference Guide

Content Monitoring and Filtering

Testing Anti-Spam ................................................................................... 96

Concepts & Examples ScreenOS Reference Guide

Intrusion Detection and Prevention

IDP-Capable Security Devices.......................................................................172

Setting Logging ...............................................................................199

Concepts & Examples ScreenOS Reference Guide

Suspicious Packet Attributes

ICMP Fragments ..........................................................................................236

Contexts for User-Defined Signatures

Document Conventions................................................................................. viii

Internet Protocol Security

Introduction to Virtual Private Networks .......................................................... 2

Perfect Forward Secrecy ................................................................... 11

Public Key Cryptography

Introduction to Public Key Cryptography ....................................................... 20

Virtual Private Network Guidelines

Cryptographic Options ................................................................................... 48

Site-to-Site Virtual Private Networks

Site-to-Site VPN Configurations ...................................................................... 80

Concepts & Examples ScreenOS Reference Guide

Dynamic IKE Gateways Using FQDN ...........................................................129

Dialup Virtual Private Networks

Layer 2 Tunneling Protocol

Introduction to L2TP ....................................................................................205

Advanced Virtual Private Network Features

Using OSPF for Automatic Route Table Entries ...............................290

AutoConnect-Virtual Private Networks

H.323 Application Layer Gateway