Configuring Juniper Networks NetScreen & SSG Firewalls

Book Description

Juniper Networks Secure Access SSL VPN appliances provide a complete range of remote access appliances for the smallest companies up to the largest service providers. This comprehensive configuration guide will enable system administrators and security professionals to configure these appliances to provide remote and mobile access for employees. If you manage and secure a larger enterprise, this book will help you to provide remote and/or extranet access for employees, partners, and customers from a single platform.

• Configure Juniper’s Instant Virtual Extranet (IVE)
Install and set up IVE through either the command line interface (CLI) or Web-based console.
• Master the “3 Rs”: Realms, Roles, and Resources
Realize the potential of the “3Rs” for endpoint security, sign-in policies, and authorization of servers.
• Get Inside Both the Windows and Java Versions of Secure Application Manager (SAM)
Learn to implement SAM, manage the end-user experience, and troubleshoot SAM in the field.
• Integrate IVE with Terminal Services and Citrix
Enable terminal services proxy and configure role options, configure Citrix using a custom ICA, configure terminal services resource policies and profiles, and configure terminal services and Citrix using a hosted Java applet.
• Ensure Endpoint Security
Use Host Checker, Cache Cleaner, Secure Virtual Workspace, and IVE/IDP integration to secure your network.
• Manage the Remote Access Needs of Your Organization
Configure Web access, file access and telnet/SSH access for remote users and offices.
• Configure Core Networking Components through the System Menu
Create clusters, manage virtual systems, and monitor logs, reports, and alerts.
• Create Bullet-Proof Sign-in Policies
Create standard and custom sign-in pages for both user and administrator access and Secure Meeting pages.
• Use the IVE for Log-Related Tasks
Perform log filtering, log management, syslog exporting, SNMP management, and system resource monitoring and reporting.

Table of Contents

  1. Copyright
  2. Lead Author and Technical Editor
  3. Contributing Authors
  4. Foreword
  5. 1. Networking, Security, and the Firewall
    1. Introduction
    2. Understanding Networking
      1. The OSI Model
        1. Layer 7: The Application Layer
        2. Layer 6: The Presentation Layer
        3. Layer 5: The Session Layer
        4. Layer 4: The Transport Layer
        5. Layer 3: The Network Layer
        6. Layer 2: The Data Link Layer
        7. Layer 1: The Physical Layer
      2. Moving Data along with TCP/IP
        1. Understanding IP
        2. IP Packets
        3. What Does an IP Address Look Like?
        4. IP Address Allocation
        5. NAT and Private IP Addresses
        6. TCP Communications
        7. UDP Communications
        8. What Is a Port?
        9. Data Link Layer Communication
    3. Understanding Security Basics
      1. The Need for Security
      2. Introducing Common Security Standards
      3. Common Information Security Concepts
      4. Defining Information Security
      5. Insecurity and the Internet
      6. Identifying Potential Threats
      7. Using VPNs in Today’s Enterprise
      8. The Battle for the Secure Enterprise
      9. Making Your Security Come Together
    4. Understanding Firewall Basics
      1. Types of Firewalls
        1. Packet Filters
        2. Application Proxy
        3. Stateful Inspection
        4. Firewall Incarnate
      2. Firewall Ideologies
      3. DMZ Concepts
      4. Traffic Flow Concepts
      5. Networks with and without DMZs
        1. The Pros and Cons of Basic DMZ Designs
      6. DMZ Design Fundamentals
        1. Why Design Is so Important
      7. Designing End-to-End Security for Data Transmission between Hosts on the Network
      8. Traffic Flow and Protocol Fundamentals
    5. Summary
    6. Solutions Fast Track
      1. Understanding Networking
      2. Understanding Security Basics
      3. Understanding Firewall Basics
    7. Frequently Asked Questions
  6. 2. Dissecting the Juniper Firewall
    1. Introduction
    2. The Juniper Security Product Offerings
      1. Juniper Firewalls
      2. SSL VPN
      3. Intrusion Detection and Prevention
      4. Unified Access Control (UAC)
    3. The Juniper Firewall Core Technologies
      1. Zones
      2. Virtual Routers
      3. Interface Modes
      4. Policies
      5. VPN
      6. Intrusion Prevention
      7. Device Architecture
    4. The NetScreen and SSG Firewall Product Line
      1. Product Line
        1. NetScreen-Remote Client
        2. Small Office/Home Office (SOHO)
        3. Midrange
        4. High End
        5. Enterprise Class
        6. Service Provider Class
        7. Enterprise Management
    5. Summary
    6. Solutions Fast Track
      1. The Juniper Product Offerings
      2. The Juniper Firewall Core Technologies
      3. The NetScreen and SSG Firewall Product Line
    7. Frequently Asked Questions
  7. 3. Deploying Juniper Firewalls
    1. Introduction
    2. Managing Your Juniper Firewall
      1. Juniper Management Options
        1. Serial Console
        2. Telnet
        3. Secure Shell
        4. WebUI
        5. The NetScreen Security Manager
      2. Administrative Users
      3. The Local File System and the Configuration File
      4. Using the Command Line Interface
      5. Using the Web User Interface
      6. Securing the Management Interface
      7. Updating ScreenOS
      8. System Recovery
      9. Configuring Your Firewall for the First Time
      10. Types of Zones
        1. Security Zones
        2. Tunnel Zones
        3. Function Zones
      11. Virtual Routers
      12. Types of Interfaces
        1. Security Zone Interfaces
          1. Physical Interfaces
          2. Subinterfaces
          3. Aggregate Interfaces
          4. Redundant Interfaces
          5. VLAN1 Interface
          6. Virtual Security Interfaces
        2. Function Zone Interfaces
          1. Management Interfaces
          2. HA Interfaces
        3. Tunnel Interfaces
        4. Loopback Interfaces
      13. Configuring Security Zones
    3. Configuring Your Firewall for the Network
      1. Binding an Interface to a Zone
      2. Setting Up IP Addressing
      3. Configuring the DHCP Client
      4. Using PPPoE
      5. Interface Speed Modes
      6. Port Mode Configuration
      7. Bridge Groups
        1. Bridge Group Caveats
      8. Configuring Basic Network Routing
    4. Configuring System Services
      1. Setting the Time
      2. DHCP Server
      3. DNS
      4. SNMP
      5. Syslog
      6. Web Trends
    5. Resources
    6. Summary
    7. Solutions Fast Track
      1. Managing the Juniper Firewall
      2. Configuring Your Firewall for the First Time
      3. Configuring System Services
    8. Frequently Asked Questions
  8. 4. Policy Configuration
    1. Introduction
    2. Firewall Policies
      1. Theory of Access Control
      2. Types of Juniper Policies
        1. Intrazone Policies
        2. Interzone Policies
        3. Global Policies
        4. Default Policy
      3. Policy Checking
      4. Getting Ready to Make a Policy
    3. Policy Components
      1. Zones
      2. Address Book Entries
        1. Creating Address Book Entries
        2. Modifying and Deleting Address Book Entries
        3. Address Groups
      3. Services
        1. Creating Custom Services
        2. Modifying and Deleting Services
        3. Service Groups
    4. Creating Policies
      1. Creating a Policy
        1. Creating a Policy via the WebUI
        2. Reordering Policies in the WebUI
        3. Other Policy Options in the WebUI
        4. Creating a Policy via the CLI
        5. Other Policy Options Available in the CLI
    5. Summary
    6. Solutions Fast Track
      1. Firewall Policies
      2. Policy Components
      3. Creating Policies
    7. Frequently Asked Questions
  9. 5. Advanced Policy Configuration
    1. Introduction
    2. Traffic-Shaping Fundamentals
      1. The Need for Traffic Shaping
        1. Different Traffic Types
      2. How Traffic Shaping Works
        1. Bandwidth-Based Traffic Shaping
          1. Guaranteed Bandwidth
          2. Maximum Bandwidth
        2. Priority–Based Traffic Shaping
      3. Choosing the Traffic-Shaping Type
    3. Deploying Traffic Shaping on Juniper Firewalls
      1. Methods to Enforce Traffic Shaping
        1. Interface Bandwidth Properties
        2. Virtual Interface Bandwidth Properties
        3. Policy-Based Properties
        4. DiffServ Properties
      2. Traffic-Shaping Mechanics
      3. Traffic-Shaping Examples
        1. Traffic-Shaping Example 1
        2. Traffic-Shaping Example 2
        3. Interface Bandwidth
        4. Policy Configuration
          1. Configuring Traffic Shaping on a VPN Policy
          2. Configure Traffic Shaping on a Route-Based VPN
          3. Enabling DSCP Class Mapping on the Firewall
          4. Configuring DSCP Marking in a Policy
    4. Advanced Policy Options
      1. Counting
        1. Configuring Counting
        2. Configuring Traffic Alarms
      2. Scheduling
        1. Scheduling Properties
        2. Configuring Scheduling
        3. Configuring Schedule and Traffic Shaping
    5. Summary
    6. Solutions Fast Track
      1. Traffic-Shaping Fundamentals
      2. Advanced Policy Options
    7. Frequently Asked Questions
  10. 6. User Authentication
    1. Introduction
    2. User Account Types
      1. Admin Account Types
      2. Local Admin Authentication
        1. Configuring Admin Users with Local Authentication
      3. External Authentication for Admin Accounts
        1. External Authentication Properties
        2. Configuring Admin Users with External Authentication
      4. Authentication Users
        1. Auth User Type
          1. Auth User Type Properties
          2. Configuring Auth Users and Groups
        2. The IKE User Type
          1. IKE User Properties
          2. Configuring IKE Users and Groups
        3. XAuth User Type
          1. XAuth User Type Properties
          2. Configuring XAuth Users and Groups
          3. Configuring Both IKE and XAuth for a Single User
        4. L2TP User Type
          1. L2TP User Properties
          2. Configuring L2TP Users and Groups
        5. 802.1x User Type
      5. Internal Authentication Server
        1. Local Authentication Support
      6. Configuring the Local Authentication Server
      7. External Authentication Servers
        1. General Properties for External Servers
        2. RADIUS Server
          1. RADIUS Server Properties
          2. RADIUS Authentication Capabilities
          3. Configuring RADIUS Servers
        3. SecurID Server
          1. SecurID Server Properties
          2. SecurID Authentication Capacities
          3. Configuring a SecurID Server
        4. LDAP Server
          1. LDAP Server Properties
          2. LDAP Authentication Capacities
          3. Configuring an LDAP Server
        5. Infranet Authentication
          1. UAC Product Overview
          2. IE Properties
          3. Configuring the IE for Infranet Authentication
    3. Policy-Based User Authentication
      1. Explanation of Policy-Based Authentication
        1. Authenticating with User Auth
      2. Configuring Policies with User Auth
        1. Authenticating with WebAuth
          1. WebAuth Settings and Details
          2. Configuring WebAuth
        2. Policy-Based Infranet Authentication
          1. Infranet Authentication Settings
          2. Configuring Policy-Based Infranet Authentication
    4. 802.1x Authentication
      1. Components of 802.1x
        1. Configuring 802.1x Authentication
          1. 802.1x Settings
          2. Configuring an 802.1x Authentication Server
          3. Configuring Ethernet Interfaces to Use 802.1x Authentication
          4. Configuring Wireless 802.1x Authentication
          5. Checking 802.1x Sessions and Statistics
    5. Enhancing Authentication
      1. Firewall Banner Messages
        1. Configurable Banners
          1. Configuring Firewall Banners
      2. Group Expressions
        1. Group Expression Properties
          1. Configuring Group Expressions
    6. Summary
    7. Solutions Fast Track
      1. User Account Types
      2. Local and External Authentication Servers
      3. Policy-Based User Authentication
      4. 802.1x Authentication
      5. Authentication Enhancements
    8. Frequently Asked Questions
  11. 7. Routing
    1. Introduction
    2. Virtual Routers
      1. Virtual Routers on Juniper Firewalls
        1. Different Route Types
        2. Different Routing Tables
          1. Destination-Based Routing Table
          2. Source-Based Routing Table
          3. Source Interface–Based Routing
          4. Multicast Routing Table
      2. Routing Selection Process
      3. Equal Cost Multiple Path
      4. Virtual Router Properties
        1. Configuring a Virtual Router
        2. Changing Default Route Preferences
        3. Using Destination-Based Forwarding
        4. A Source-Based Routing Example
        5. A Source Interface–Based Routing Example
      5. Route Maps and Access Lists
        1. Access Lists
          1. Access List Properties
          2. Configuring an Access List
        2. Route Maps
          1. Route Map Properties
          2. Route Map Example 1
      6. Route Redistribution
      7. Importing and Exporting Routes
        1. Export Properties
        2. Import Properties
          1. Configuring an Export and Import Rule
    3. Static Routing
      1. Using Static Routes on Juniper Firewalls
        1. Destination-Based Static Routes
          1. Configuring Destination-Based Static Routes on the Firewall
        2. Source-Based Static Routes
          1. Configuring Source-Based Static Routes on the Firewall
        3. Source Interface–Based Static Routes
          1. Configuring Source Interface–Based Static Routes
        4. Multicast Routing
          1. Configuring Static Multicast Routes on the Juniper Firewall
    4. Routing Information Protocol
      1. RIP Overview
        1. RIP Concepts
        2. RIP Properties in a VR
        3. RIP Settings Per Interface
          1. Enabling RIP within a VR
          2. Configuring RIP on the Interface
          3. Controlling What Routes RIP Learns and Advertises
      2. RIP Informational Commands
        1. Summarizing RIP Information
        2. Retrieving the RIP Config
        3. Displaying the RIP Interface State
        4. Displaying the RIP Neighbors
        5. Showing the RIP Routes and RIP Database
        6. Juniper Support for RIPng
    5. Open Shortest Path First
      1. Concepts and Terminology
        1. Autonomous System
        2. Areas
          1. Virtual Links
          2. Types of OSPF Areas
          3. Routers within Each Area
        3. OSPF Neighbor Relationships
          1. OSPF Network Types
          2. Establishing an OSPF Relationship
        4. Link State Advertisements
      2. Configuring OSPF
        1. OSPF Properties within a VR
          1. Configuring OSPF in a VR
        2. Area Properties
          1. Configurable Properties within an Area
          2. Configuring an OSPF Area and Creating a Summary Route
        3. Interface Properties
          1. Configuring OSPF on Interfaces
          2. Configuring OSPF to Work with Tunnel Interfaces
      3. OSPF Informational Commands
        1. Showing the Summarized OSPF Configuration
        2. Getting the OSPF Configuration
        3. Showing the OSPF Interface Status
        4. Showing OSPF Neighbors and the LSA Database
        5. Displaying the OSPF Routing Table
    6. Border Gateway Protocol
      1. Overview of BGP
        1. Autonomous Systems
        2. BGP Peers
        3. BGP Attributes
        4. BGP Messages
        5. IBGP
          1. Route Reflection
          2. Confederations
        6. Route Flapping
      2. Configuring BGP
        1. Configuration Properties
          1. VR Properties
          2. Configuring a BGP Instance in a VR
          3. Neighbor Properties
          4. Configuring a BGP Neighbor
          5. AS Paths
          6. Advertising BGP Routes
          7. Configuring a Route to Advertise via BGP
          8. Examples of an AS Path
          9. Communities
          10. Configuring a BGP Community
          11. Route Aggregation
          12. Configuring Route Aggregation
          13. Configuring Route Reflectors
          14. Configuring a Confederation
      3. BGP Informational Commands
        1. Summarizing BGP State
        2. Viewing the BGP Configuration
        3. Viewing BGP Neighbors
        4. Viewing BGP Flapping Information
        5. Displaying the BGP Routing Table
    7. Route Redistribution
      1. Redistributing Routes in the Juniper Firewall
        1. Important Points to Consider
      2. Redistributing Routes between Routing Protocols
        1. Redistributing Routes to RIP
          1. Redistributing Static Routes into RIP
          2. Redistributing Other Protocols into RIP
        2. Redistributing Routes into OSPF
          1. Redistributing RIP Routes into OSPF
      3. Redistributing Routes into BGP
        1. Redistributing OSPF into BGP
    8. Policy-Based Routing
      1. Components of PBR
        1. Extended Access Lists
          1. Extended Access List Properties
          2. Configuring an Extended Access List
        2. Match Groups
          1. Match Group Properties
          2. Configuring a Match Group
        3. Action Groups
          1. Action Group Properties
          2. Configuring an Action Group
        4. Policies
          1. Policy Properties
          2. Configuring a Policy
        5. Policy Binding
          1. Binding a Policy to a VR
          2. Binding a Policy to a Zone
          3. Binding a Policy to an Interface
    9. Summary
    10. Solutions Fast Track
      1. Virtual Routers
      2. Static Routing
      3. Routing Information Protocol
      4. Open Shortest Path First
      5. Border Gateway Protocol
      6. Route Redistribution
      7. Policy-Based Routing
    11. Frequently Asked Questions
  12. 8. Address Translation
    1. Introduction
    2. Overview of Address Translation
      1. Port Address Translation
      2. Advantages of Address Translation
      3. Disadvantages of Address Translation
    3. Juniper NAT Overview
    4. Juniper Packet Flow
    5. Source NAT
      1. Interface-Based Source Translation
        1. Interface-Based NAT Properties
          1. Example of Interface-Based NAT
      2. MIP
        1. MIP Properties
        2. MIP Limitations
        3. MIP Scenarios
          1. Scenario 1
          2. Scenario 2
          3. Scenario 3
      3. Policy-Based Source NAT
        1. DIP
          1. DIP Properties
          2. Configuring DIP on a Policy
          3. Sticky DIP
          4. DIP Shift
    6. Destination NAT
      1. VIP
      2. VIP Properties
      3. Policy-Based Destination NAT
        1. When to Use Policy-Based Destination NAT
        2. When Not to Use Policy-Based Destination NAT
        3. Policy-Based Destination NAT Properties
        4. Destination NAT Scenarios
          1. One-to-One Mapping
          2. Many-to-One Mapping
          3. Many-to-Many Mapping
        5. Destination PAT Scenario
        6. Source and Destination NAT Combined
    7. Summary
    8. Links to Sites
    9. Solutions Fast Track
      1. Overview of Address Translation
      2. Juniper Packet Flow
      3. Source NAT
      4. Destination NAT
    10. Frequently Asked Questions
  13. 9. Transparent Mode
    1. Introduction
    2. Interface Modes
      1. NAT Mode
      2. Route Mode
    3. Understanding How Transparent Mode Works
      1. How Transparent Mode Works
      2. Layer 2 Zones
      3. VLAN Zone
      4. Broadcast Methods
    4. Configuring a Device to Use Transparent Mode
      1. VLAN1 Interface
      2. Converting an Interface to Transparent Mode
      3. Creating a Custom Layer 2 Zone and Network Object
    5. Transparent Mode Deployment Options
      1. Network Segmentation
      2. VPNs with Transparent Mode
    6. Summary
    7. Solutions Fast Track
      1. Interface Modes
      2. Understanding How Transparent Mode Works
      3. Configuring a Device to Use Transparent Mode
      4. Transparent Mode Deployment Options
    8. Frequently Asked Questions
  14. 10. Attack Detection and Defense
    1. Introduction
    2. Understanding Attacks
      1. Brain Virus, 1986
      2. Morris Worm, 1988
      3. Panix SYN Flood, 1996
      4. Old Root Causes, New Attacks
      5. Unified Threat Management
      6. Vulnerability Databases
      7. Bug Databases
      8. Common Name Dictionary
      9. The Juniper Security Research Team
    3. Understanding the Anatomy of an Attack
      1. The Three Phases of a Hack
      2. Script Kiddies
      3. Black Hat Hackers
      4. Worms, Viruses, and Other Automated Malware
    4. Configuring Screen Settings
      1. TCP/IP Behavior Anomaly Detection
        1. Reconnaissance Detection
        2. Denial-of-Service Flood Protection
        3. IP Session Limiting
        4. ICMP Network Scan
        5. ICMP Rate Limiting
        6. TCP SYN Host Scan
        7. TCP SYN Rate Limiting
        8. UDP Data Rate Limiting
      2. TCP/IP Protocol Anomaly Detection
        1. IP Option Validation
        2. IP Fragmentation Validation, Attack Signatures
        3. ICMP Length Validation, Attack Signatures
        4. TCP Flag Validation
        5. TCP Attack Signatures
        6. L7 Protocol Attacks
    5. Applying Deep Inspection
      1. Deep Inspection Concepts
      2. Deep Inspection Planning
      3. Getting the Database
        1. Configuring the Firewall for Automatic DI Updates
        2. Loading the Database Manually
      4. Using Attack Objects
        1. Using Attack Groups
        2. Enabling Deep Inspection with a Policy Using the WebUI
        3. Enabling Deep Inspection with a Policy Using the CLI
        4. Explanation of Deep Inspection Contexts and Regular Expressions
        5. Creating Your Own Signatures
    6. Setting Up Content Filtering
      1. Web Filtering
        1. Web Filtering Concepts
        2. Web Filtering Planning
        3. Web Filtering Configuration
          1. WebSense Redirect Mode
          2. SurfControl Redirect Mode
          3. SurfControl Integrated Mode
        4. Web Filtering Rules
        5. Verify Web Filtering Protection
      2. Antivirus
        1. Network Antivirus Concepts
        2. Antivirus Planning
        3. Configuring Global Antivirus Parameters
        4. Configuring Scan Manager Settings
        5. Configuring Antivirus Profile Settings
      3. Antivirus Rules
        1. Verify Antivirus Protection
    7. Understanding Application Layer Gateways
    8. Applying Best Practices
      1. Defense-in-Depth
      2. Zone Isolation
      3. Egress Filtering
      4. Explicit Permits, Implicit Denies
      5. Retain Monitoring Data
      6. Keeping Systems Updated
    9. Summary
    10. Solutions Fast Track
      1. Understanding Attacks
      2. Understanding the Anatomy of an Attack
      3. Configuring SCREEN Settings
      4. Applying Deep Inspection
      5. Setting Up Content Filtering
      6. Understanding Application Layer Gateways
      7. Applying Best Practices
    11. Frequently Asked Questions
  15. 11. VPN Theory and Usage
    1. Introduction
    2. Understanding IPSec
      1. IPSec Modes
      2. Protocols
      3. Key Management
      4. Security Associations
    3. IPSec Tunnel Negotiations
      1. Phase 1
      2. Phase 2
    4. Public Key Cryptography
      1. PKI
      2. Certificates
      3. CRLs
    5. How to Use VPNs in NetScreen Appliances
      1. Site-to-Site VPNs
      2. Policy-Based VPNs
        1. Creating a Policy-Based Site-to-Site VPN
      3. Route-Based VPNs
      4. Dial-Up VPNs
        1. NetScreen Remote
      5. L2TP VPNs
    6. Advanced VPN Configurations
      1. VPN Monitoring
      2. Gateway Redundancy
      3. Back-to-Back VPNs
      4. Hub and Spoke VPNs
      5. Multitunnel Interfaces
    7. Summary
    8. Solutions Fast Track
      1. Understanding IPSec
      2. IPSec Tunnel Negotiations
      3. Public Key Cryptography
      4. How to Use VPNs in NetScreen Appliances
      5. Advanced VPN Configuration
    9. Links to Sites
    10. Mailing Lists
    11. Frequently Asked Questions
  16. 12. High Availability
    1. Introduction
    2. The Need for High Availability
    3. High-Availability Options
    4. Improving Availability Using NetScreen SOHO Appliances
      1. Failing Over between Interfaces
      2. Using Dual Untrust Interfaces to Provide Redundancy
        1. Example: Configuration for Dual ADSL Modems
        2. Example: Advanced Configuration for ADSL Modem Plus ADSL Router
      3. Falling Back to Dial-Up
        1. Example: A Simple Backup Dial-up Configuration
        2. Example: An Advanced Backup Dial-up Configuration
      4. Restricting Policies to a Subset When Using the Serial Interface
        1. Example: Marking FTP as Not Allowed When Using the Serial Interface
      5. Using IP Tracking to Determine Failover
        1. Example: Tracking the Default Gateway
        2. Example: A More Complex IP Tracking Scenario
      6. Monitoring VPNs to Determine Failover
        1. Example: Monitoring One VPN Tunnel, with Fall-Back to a Second Unmonitored Tunnel
    5. Introducing the NetScreen Redundancy Protocol
      1. Virtualizing the Firewall
      2. Understanding NSRP States
      3. The Value of Dual HA Links
    6. Building an NSRP Cluster
      1. Connecting the Firewalls Directly to the Routers
        1. Advantages
        2. Disadvantages
      2. Connecting the Firewalls to Routers via Switches
        1. Advantages
        2. Disadvantages
      3. Cabling for a Full-Mesh Configuration
        1. Advantages
        2. Disadvantages
        3. Using Directly Connected HA Links
        4. Advantages
        5. Disadvantages
      4. Connecting HA Links via Switches
        1. Advantages
        2. Disadvantages
      5. Adding a NetScreen to an NSRP Cluster
        1. Example: Setting the Cluster ID
          1. From the CLI:
          2. From the Web Interface:
        2. Example: Setting Both Cluster ID and Cluster Name
      6. Synchronizing the Configuration
        1. Initial Synchronization Procedure #1
        2. Initial Synchronization Procedure #2
    7. Determining When to Fail Over: The NSRP Ways
      1. Using NSRP Heartbeats
        1. Example: Configuring More Aggressive Heartbeats
      2. Using Optional NSRP Monitoring
        1. Example: Lowering the Failover Threshold
          1. Using the CLI:
          2. Using the Web Interface:
      3. Using NSRP Interface Monitoring
        1. Example: A Simple Interface Monitoring Setup
        2. Example: A More Complex Interface Monitoring Setup
      4. Using NSRP Zone Monitoring
        1. Example: Monitoring the Untrust Zone
        2. Example: Using Combined Interface and Zone Monitoring
      5. Using NSRP IP Tracking
        1. Example: Using IP Tracking to Determine VPN Availability
        2. Example: Combining Interface, Zone, and IP Tracking Monitoring
    8. Reading the Output from get nsrp
      1. Looking into an NSRP Cluster
        1. Example
    9. Using NSRP-Lite on Midrange Appliances
      1. Basic NSRP-Lite Usage
        1. Example: Providing HA Internet Access
      2. Working with Local Interfaces in an NSRP-Lite Setup
        1. Example: HA Internet via Dual Providers
    10. Creating Redundant Interfaces
      1. Grouping Physical Interfaces into a Redundant Interface
        1. Example: A Simple Redundant Interface Setup
        2. Example: Changing the Primary Interface of a Redundant Interface
    11. Taking Advantage of the Full NSRP
      1. Synchronizing State Using RTO Mirroring
        1. Example: Enabling RTO Mirroring in an NSRP Cluster
        2. Example: Preventing Certain Sessions from Being Backed Up
      2. Setting Up an Active/Active Cluster
        1. Example: A Typical Active/Active Setup
      3. Implementing a Full-Mesh Active/Active Setup
        1. Example: A Full-Mesh Active/Active Setup
    12. Failing Over
      1. Example: Adjusting the Number of ARP Packets Sent after Failover
      2. Failing Over Virtual Systems
        1. Example: Binding a VSYS to VSD Group 1
    13. Avoiding the Split-Brain Problem
      1. Example: Configuring a Secondary NSRP Path
    14. Avoiding the No-Brain Problem
    15. Configuring HA through NSM
      1. Creating a Cluster
      2. Adding Members to the Cluster
      3. Configuring NSRP Parameters
      4. Configuring VSD
    16. Summary
    17. Solutions Fast Track
      1. The Need for High Availability
      2. Improving Availability Using NetScreen SOHO Appliances
      3. Introducing the NetScreen Redundancy Protocol
      4. Building an NSRP Cluster
      5. Determining When to Fail Over: The NSRP Ways
      6. Reading the Output from get nsrp
      7. Using NSRP-Lite on Midrange Appliances
      8. Creating Redundant Interfaces
      9. Taking Advantage of the Full NSRP
      10. Failing Over
      11. Avoiding the Split-Brain Problem
      12. Avoiding the No-Brain Problem
    18. Frequently Asked Questions
  17. 13. Troubleshooting the Juniper Firewall
    1. Introduction
    2. Troubleshooting Methodology
      1. Step One: Describe the Problem
      2. Step Two: Describe the Environment
      3. Step Three: Determine the Location of the Problem
      4. Step Four: Identify the Cause of the Problem
      5. Step Five: Solve the Problem
      6. Step Six: Test the Solution
      7. Step Seven: Document the Changes
    3. Troubleshooting Tools
      1. Ping
        1. traceroute
      2. Get Session
      3. Get Policy
      4. Get Route
      5. Get Interface
      6. Get ARP
      7. Get System
      8. Debug
        1. Flow Filters
      9. Snoop
      10. Firewall Session Analyzer (FSA)
      11. Putting It All Together
    4. Network Troubleshooting
    5. Debugging the Juniper Firewall
      1. Tracing a Debug
    6. Debugging NAT
    7. Debugging VPNs
      1. Policy-Based VPNs
      2. Route-Based VPNs
    8. Debugging NSRP
    9. Debugging Traffic Shaping
    10. NetScreen Logging
      1. Traffic
      2. Self
      3. Event
    11. Summary
    12. Solutions Fast Track
      1. Troubleshooting Tools
      2. Network Troubleshooting
      3. Debugging the Juniper Firewall
      4. Debugging VPNs
      5. Debugging NSRP
      6. Debugging Traffic Shaping
      7. NetScreen Logging
    13. Frequently Asked Questions
  18. 14. Virtual Systems
    1. Introduction
    2. What Is a Virtual System?
      1. Virtual System Components
    3. How Virtual Systems Work
      1. Classifying Traffic
        1. VLAN-Based (Interface) Classification
        2. IP-Based Classification
      2. Virtual System Administration
    4. Configuring Virtual Systems
      1. Creating a Virtual System
      2. Network Interfaces
        1. Physical Interfaces
        2. Subinterfaces
        3. Shared Interface
          1. Traffic Classification
    5. Virtual System Profiles
    6. Summary
    7. Solutions Fast Track
      1. What Is a Virtual System?
      2. How Virtual Systems Work
      3. Configuring Virtual Systems
    8. Frequently Asked Questions