You are previewing Juniper SRX Series.
O'Reilly logo
Juniper SRX Series

Book Description

This complete field guide, authorized by Juniper Networks, is the perfect hands-on reference for deploying, configuring, and operating Juniper’s SRX Series networking device. Authors Brad Woodberg and Rob Cameron provide field-tested best practices for getting the most out of SRX deployments, based on their extensive field experience.

Table of Contents

  1. Special Upgrade Offer
  2. Foreword
  3. Preface
    1. How to Use This Book
    2. What’s in This Book?
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari® Books Online
    6. How to Contact Us
    7. Acknowledgments
  4. 1. Welcome to the SRX
    1. Evolving into the SRX
      1. ScreenOS to Junos
        1. Inherited ScreenOS features
        2. Device management
    2. The SRX Series Platform
      1. Built for Services
    3. Deployment Solutions
      1. Small Branch
      2. Medium Branch
      3. Large Branch
      4. Data Center
      5. Data Center Edge
      6. Data Center Services Tier
      7. Service Provider
      8. Mobile Carriers
      9. Cloud Networks
      10. The Junos Enterprise Services Reference Network
    4. Summary
    5. Study Questions
  5. 2. SRX Series Product Lines
    1. Branch SRX Series
      1. Branch-Specific Features
      2. SRX100 Series
      3. SRX200 Series
        1. Interface modules for the SRX200 line
      4. SRX500 Series
      5. SRX600 Series
        1. Interface modules for the SRX600 line
      6. JunosV Firefly (Virtual Junos)
      7. AX411
      8. CX111
      9. Branch SRX Series Hardware Overview
      10. Licensing
      11. Branch Summary
    2. Data Center SRX Series
      1. Data Center SRX-Specific Features
      2. SPC
      3. NPU
      4. Data Center SRX Series Session Setup
      5. Data Center SRX Series Hardware Overview
      6. SRX1000 Series
      7. SRX3000 Series
        1. IOC modules
      8. SRX5000 Series
        1. NG-SPC
        2. IOC modules
    3. Summary
    4. Study Questions
  6. 3. SRX GUI Management
    1. J-Web: Your On-Box Assistant
      1. Dashboard
        1. Chassis view
        2. Informational panels
      2. Device Configuration
        1. Task wizards
        2. Committing the configuration
        3. Interfaces
        4. Firewall policies
        5. Point and click CLI
      3. Monitoring Your SRX
        1. Interface monitoring
        2. Traffic reports
      4. Operational Tasks
        1. Software management
        2. Configuration management
        3. Rebooting
        4. Disk management
      5. Troubleshooting from J-Web
        1. Packet capture
        2. Network connectivity
    2. Centralized Management
      1. Space: The Final Frontier of Management
        1. The Junos Space ecosphere
        2. Security Director
        3. Firewall policy management
      2. Log Management with STRM
        1. Reporting with STRM
      3. Legacy Security Management
        1. Using NSM
    3. Summary
    4. Study Questions
  7. 4. SRX Networking Basics
    1. Interfaces
      1. Physical Interfaces
      2. Management Interfaces
      3. Virtual Interfaces
      4. Logical Interfaces
      5. Switching Configuration
      6. Aggregate Interfaces
        1. LACP protocol
      7. Transparent Interfaces
    2. Zones
      1. Security Zones
      2. Functional Zones
    3. Basic Protocols
      1. Static Routing
      2. Dynamic Routing Protocols
      3. Spanning Tree
    4. Routing Instances
      1. Routing Instance Types
      2. Configuring Routing Instances
    5. Flow Mode and Packet Mode
    6. Sample Deployment
    7. Summary
    8. Study Questions
  8. 5. System Services
    1. System Services Operation on the SRX
      1. System Services and the Control Plane
        1. System services that operate on the control plane
      2. System Services and the Data Plane
      3. Accounts for Administrative Users
        1. Configuring local users
        2. Creating a login class
        3. Remote authentication
      4. Accessing System Services: Control Plane Versus Data Plane
        1. Configuring a stateless firewall filter to control traffic on fxp0
        2. Configuring a stateless firewall filter to control all inbound management traffic
        3. Configuring a security policy to control data plane management traffic
      5. Zone-Based Service Control
        1. Configuring system services and protocols per zone or interface
    2. Management Services
      1. Command-Line Interfaces
        1. Configuring console options
        2. Configuring Telnet access
        3. Configuring SSH access
      2. Web Management on the SRX
      3. Enabling NetConf over SSH
    3. SNMP Management
      1. Configuring SNMP Management
      2. Configuring SNMP Traps
      3. SNMP in High Availability Chassis Clusters
      4. Junos SNMP MIB
    4. Networking Services
      1. Network Time Protocol
        1. Manually configuring SRX time
        2. Configuring the SRX as an NTP client
        3. Configuring the SRX as an NTP server
      2. Domain Name System
        1. Configuring the SRX as a DNS client
        2. Configuring the SRX as a proxy server
      3. Dynamic Host Configuration Protocol
        1. Configuring the SRX as a DHCP server
        2. Configuring the SRX as a DHCP client
        3. Configuring the SRX as a DHCP relay server
    5. SRX Logging and Flow Records
      1. Control Plane Versus Data Plane Logs
        1. Data plane logs: Event versus Stream mode
        2. Configuring control plane logging on the SRX
        3. Configuring Stream mode logging on the data plane
        4. Syslog format types
        5. Configuring Event mode logging to the control plane
      2. Tips for Viewing Syslog Messages
      3. JFlow on the SRX
    6. Best Practices
    7. Troubleshooting and Operation
      1. Viewing the System Connection Table
      2. Viewing the Services/Counters on the Interface
      3. Checking NTP Status
      4. Checking SNMP Status
      5. DHCP Operational Mode Commands
      6. Viewing Security Logs Locally
      7. Checking for Core Dumps
      8. Restarting Platform Daemons
      9. Troubleshooting Individual Daemons
    8. Summary
    9. Study Questions
  9. 6. Transparent Mode
    1. Transparent Mode Overview
      1. When to Use Transparent Mode
        1. Segmenting a Layer 2 domain
        2. Complex routing environments
        3. Separation of duties
        4. Existing transparent mode infrastructure
      2. MAC Address Learning
      3. Transparent Mode and Bridge Loops, Spanning Tree Protocol
      4. Transparent Mode Limitations
      5. Transparent Mode Components
        1. Interfaces, family bridge, and bridge domains in transparent mode
      6. Interface Modes in Transparent Mode
      7. Bridge Domains
      8. IRB Interfaces
      9. Transparent Mode Zones
      10. Transparent Mode Security Policy
      11. Transparent Mode Specific Options
      12. QoS in Transparent Mode
      13. VLAN Rewriting
      14. High Availability with Transparent Mode
        1. Spanning Tree Protocol in transparent mode Layer 2 deployments
      15. Transparent Mode Flow Process
        1. Slow-path SPU packet processing
        2. Fast-path SPU packet processing
        3. Session teardown
    2. Configuring Transparent Mode
      1. Configuring Transparent Mode Basics
      2. Traditional Switching
      3. Configuring Integrated Routing and Bridging
      4. Configuring Transparent Mode Security Zones
      5. Configuring Transparent Mode Security Policies
      6. Configuring Bridging Options
        1. Restricting BPDUs to VLANs
      7. Configuring Transparent Mode QoS
      8. Configuring VLAN Rewriting
    3. Troubleshooting and Operation
      1. The show bridge domain Command
      2. The show bridge mac-table Command
      3. The show l2-learning global-information Command
      4. The show l2-learning global-mac-count Command
      5. The show l2-learning interface Command
      6. Transparent Mode Troubleshooting Steps
    4. Sample Deployments
    5. Summary
    6. Study Questions
  10. 7. High Availability
    1. Understanding High Availability in the SRX
      1. Chassis Cluster
      2. The Control Plane
      3. The Data Plane
    2. Getting Started with High Availability
      1. Cluster ID
      2. Node ID
      3. Redundancy Groups
      4. Interfaces
    3. Deployment Concepts
      1. Active/passive
      2. Active/active
      3. Mixed mode
      4. Six pack
    4. Preparing Devices for Deployment
      1. Differences from Standalone
      2. Activating Juniper Services Redundancy Protocol
      3. Managing Cluster Members
      4. Configuring the Control Ports
      5. Configuring the Fabric Links
      6. Configuring the Switching Fabric Interface
      7. Node-Specific Information
      8. Configuring Heartbeat Timers
      9. Redundancy Groups
    5. Integrating the Cluster into Your Network
      1. Configuring Interfaces
    6. Fault Monitoring
      1. Interface Monitoring
      2. IP Monitoring
      3. Hardware Monitoring
        1. Route engine
        2. Switch control board
        3. Switch fabric board
        4. Services Processing Card/Next Generation Services Processing Card
        5. Network Processing Card
        6. Interface card
        7. Control link
        8. Data link
        9. Control link and data link failure
        10. Power supplies
      4. Software Monitoring
      5. Preserving the Control Plane
    7. Troubleshooting and Operation
      1. First Steps
      2. Checking Interfaces
      3. Verifying the Data Plane
      4. Core Dumps
      5. The Dreaded Priority Zero
      6. When All Else Fails
      7. Manual Failover
    8. Sample Deployments
    9. Summary
    10. Study Questions
  11. 8. Security Policies
    1. Packet Flow
    2. Security Policy Criteria and Precedence
    3. Security Policy Precedence
      1. Top to Bottom Policy Evaluation
    4. Security Policy Components in Depth
      1. Match Criteria
        1. Security zones
          1. One interface per zone versus multiple interfaces per zone
          2. Configuring security zones
        2. Address books
        3. Address objects
          1. IP prefix address objects
          2. Configuring IP prefix address objects
          3. DNS address objects
          4. Configuring DNS address objects
          5. IP range objects
          6. Configuring IP range objects
          7. Wildcard address objects
          8. Configuring wildcard address objects
          9. Address sets
          10. Configuring address sets
        4. Application objects
          1. Application sets
          2. Configuring applications and application sets
          3. Source-Identity
        5. Negated source and destination objects
        6. Schedulers
          1. Configuring schedulers
      2. Action Criteria
        1. Permit options
        2. Configuring security policies
        3. Host security policies
          1. Configuring a policy to restrict inbound or outbound management requests
      3. Application Layer Gateways
        1. Enabling an ALG example
    5. Best Practices
    6. Troubleshooting and Operation
      1. Viewing Security Policies
        1. Security policy tools
      2. Viewing the Firewall Session Table
        1. Sample firewall logs
      3. Monitoring Interface Counters
      4. Performing a Flow Trace
      5. Performing a Packet Capture on SRX Branch
      6. Performing a Packet Capture on the High-End SRX
    7. Sample Deployment
    8. Summary
    9. Study Questions
  12. 9. Network Address Translation
    1. The Need for NAT
      1. NAT as a Security Component?
    2. Junos NAT Fundamentals
      1. Junos NAT Types
      2. NAT Precedence in the Junos Event Chain
        1. NAT type precedence
    3. Junos NAT Components
      1. Rulesets
        1. Static NAT rulesets
        2. Destination NAT rulesets
        3. Source NAT rulesets
        4. NAT ruleset precedence
          1. NAT ruleset precedence example
      2. NAT Interfaces, Pools, and Mapping Objects
        1. Static NAT transforms
        2. Source NAT transforms
          1. Interfaces
          2. Pools
        3. Destination NAT pools
      3. NAT Rules
      4. NAT and Security Policies
      5. Proxy-ARP and Proxy-NDP
        1. Configuring Proxy-ARP/NDP
          1. When you don’t need Proxy-ARP/NDP
    4. Junos NAT in Practice
      1. Static NAT
        1. Static NAT one-to-one mapping
        2. Static NAT many-to-many mapping
          1. Option 1: NAT44/NAT66
          2. Option 2: NAT46 Static mapping
          3. Option 3: NAT 64 automatic translation
      2. Source NAT
        1. Source NAT with interfaces
        2. Source NAT with pools and interfaces
        3. Other SRX source NAT configuration options
      3. Destination NAT
        1. Configuration destination NAT
      4. Combination Source and Destination NAT
      5. No-NAT with Source or Destination NAT
    5. Best Practices
    6. Troubleshooting and Operation
      1. NAT Rule and Usage Counters
      2. Viewing the Session Table
      3. View NAT Errors
      4. View Firewall Logs with NAT
      5. Flow Debugging with NAT
        1. Source NAT
        2. Destination NAT
        3. Static NAT
    7. Sample Deployment
    8. Summary
    9. Study Questions
  13. 10. IPsec VPN
    1. VPN Architecture Overview
      1. Site-to-Site IPsec VPNs
      2. Hub and Spoke IPsec VPNs
      3. Full Mesh VPNs
      4. Partial Mesh VPNs
      5. Remote Access VPNs
    2. IPsec VPN Concepts Overview
      1. IPsec Encryption Algorithms
      2. IPsec Authentication Algorithms
      3. IKE Version 1 Overview
        1. Phase 1 IKE negotiation modes
          1. Main mode
          2. Aggressive mode
        2. Phase 2 IKE negotiation modes
          1. Perfect Forward Secrecy
          2. Quick mode
          3. Proxy ID negotiation
      4. IKE Version 2
        1. IKEv1 versus IKEv2
      5. IPsec VPN Protocol
      6. IPsec VPN Mode
      7. IPsec Manual Keys
      8. IPv6 and IPsec on the SRX
    3. IKE Negotiations
      1. IKE Authentication
        1. Preshared key authentication
        2. Certificate authentication
      2. IKE Identities
    4. Flow Processing and IPsec VPNs
    5. SRX VPN Types
      1. Policy-Based VPNs
      2. Route-Based VPNs
        1. Numbered versus unnumbered st0 interfaces
        2. Point-to-point versus point-to-multipoint VPNs
        3. Special point-to-multipoint attributes
        4. Point-to-multipoint NHTB
        5. Which should you use: Policy- or route-based VPN?
    6. Other SRX VPN Components
      1. Dead Peer Detection
      2. VPN Monitoring
      3. XAuth
      4. NAT Traversal
      5. Anti-Replay Protection
      6. Fragmentation
      7. Differentiated Services Code Point
      8. IKEv1 Key Lifetimes
      9. Network Time Protocol
      10. Certificate Validation
      11. Simple Certificate Enrollment Protocol
      12. Group VPN
      13. Dynamic VPN
    7. Selecting the Appropriate VPN Configuration
    8. IPsec VPN Configuration
      1. Configuring NTP
      2. Certificate Preconfiguration Tasks
      3. Phase 1 IKE Configuration
        1. Configuring Phase 1 proposals
          1. Configuration for Remote-Office1 proposal with preshared keys
          2. Configuration for Remote-Office1 proposal with certificates
        2. Configuring IKEv1 Phase 1 policies
          1. Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
          2. Configuring IKEv1 Phase 1 IKE policy with preshared key, Aggressive mode
          3. Configuring IKEv1 Phase 1 IKE policy with certificates
        3. Configuring IKEv1 Phase 1 gateways
          1. Configuring an IKEv1 gateway with static IP address and DPD
        4. Configuring dynamic gateways and remote access clients
          1. Configuring an IKE gateway with a dynamic IP address
          2. Configuring an IKEv1 remote access client
      4. Phase 2 IKE Configuration
        1. Configuring IKEv1 Phase 2 proposals
          1. Configuring an IKEv1 Phase 2 proposal for remote offices and client connections
        2. Configuring Phase 2 IPsec policy
          1. Configuring an IPsec policy defining the Phase 2 proposal
        3. Configuring common IPsec VPN components
          1. Configuring a common site-to-site VPN component
      5. IKEv1 Versus IKEv2 Configuration
        1. Configuring policy-based VPNs
          1. Configuring a policy-based VPN for the East Branch to the Central site VPN
        2. Configuring route-based VPNs
      6. IPsec and SRX HA
        1. IPsec termination in HA
        2. ISSU for VPN
      7. Dynamic VPN
    9. Best Practices
    10. Troubleshooting and Operation
      1. Useful VPN Commands
        1. show security ike security-associations
        2. show security ipsec security-associations
        3. show security ipsec inactive-tunnels
        4. show security ipsec statistics
        5. Checking interface statistics
      2. VPN Tracing and Debugging
        1. VPN troubleshooting process
        2. Configuring and analyzing VPN tracing
    11. Sample Deployments
      1. Site-to-Site VPN
      2. Remote Access VPN
      3. IPsec Caveats on SRX
    12. Summary
    13. Study Questions
  14. 11. Screens and Flow Options
    1. A Brief Review of Denial-of-Service Attacks
      1. Exploit-Based DoS
      2. Flood-Based DoS
      3. DoS Versus DDoS
    2. Screen Theory and Examples
      1. How Screens Fit into the Packet Flow
        1. Screen Processing only happens on the ingress interface
      2. Screens in Hardware and Software
      3. Screen Profiles
        1. Packet versus threshold Screens
        2. Applying Screen profiles to single and multiple zones
        3. Configuring a Screen profile
      4. DoS Attacks with IP Protocols
        1. Bad IP Option Screen
          1. Configuring Bad IP Option Screen
        2. Block Frag Screen
          1. Configuring Block Frag Screen
        3. Route Option Screens
          1. Configuring Route Option Screens
        4. IP Security Option Screen
          1. Configuring the IP Security Option Screen
        5. IP Spoofing Screen
          1. Configuring the IP Spoofing Screen
        6. IP Stream Option Screen
          1. Configuring the IP Stream Option Screen
        7. IP Tear Drop Screen
          1. Configuring the IP Tear Drop Screen
        8. IP Timestamp Option Screen
          1. Configuring the IP Timestamp Option Screen
        9. Unknown IP Protocol Screen
          1. Configuring the Unknown IP Protocol Screen
      5. DoS Attacks with ICMP
        1. ICMP Flood Screen
          1. Configuring the ICMP Flood Screen
        2. ICMP Fragment Screen
          1. Configuring the ICMP Fragment Screen
        3. ICMP IP Sweep Screen
          1. Configuring the ICMP IP Sweep Screen
        4. ICMP Large Packet Screen
          1. Configuring the ICMP Large Packet Screen
        5. ICMP Ping of Death Screen
          1. Configuring the ICMP Ping of Death Screen
      6. DoS Attacks with UDP
        1. UDP Flood Screen
          1. Configuring the UDP Flood Screen
        2. UDP Sweep Screen
          1. Configuring the UDP Sweep Screen
      7. DoS Attacks with TCP
        1. FIN-No-ACK Screen
          1. Configuring the FIN-No-ACK Screen
        2. LAND Attack Screen
          1. Configuring the LAND Attack Screen
        3. TCP Port Scan Screen
          1. Configuring the TCP Port Scan Screen
        4. SYN-ACK-ACK Proxy Screen
          1. Configuring the SYN-ACK-ACK-Proxy Screen
        5. SYN-FIN Screen
          1. Configuring the SYN-FIN Screen
        6. SYN flood/spoofing attacks
          1. SYN flood rate limiting
          2. Configuring SYN Flood Rate Limiting
          3. SYN Spoofing Protection Modes
          4. Configuring SYN Cookie/Proxy Protection
        7. SYN-Frag Screen
          1. Configuring the SYN-Frag Screen
        8. TCP No Flags Screen
          1. Configuring the TCP No Flags Screen
        9. TCP Sweep Screen
          1. Configuring the TCP Sweep Screen
        10. WinNuke Screen
          1. Configuring the WinNuke Screen
      8. Session Limit Screens
        1. Source IP Session Limit Screen
          1. Configuring the Source IP Session Limit Screen
        2. Destination IP Session Limit Screen
          1. Configuring the Destination IP Session Limit Screen
      9. SRX Flow Options
        1. Aggressive session aging
          1. Configuring the aggressive session ageout flow option
        2. TCP sequence checks
          1. Configuring TCP sequence checks
        3. Configuring TCP sequence checks for RST packets
        4. TCP SYN checks
          1. Strict SYN checks
          2. Configuring the strict SYN check
        5. SYN checks in tunnels
        6. TCP state timeouts
          1. Configuring the TCP initial session timeout and TCP time wait timeout
    3. Best Practices
    4. Troubleshooting and Operation
      1. Viewing Screen Profile Settings
      2. Viewing the Screen Attack Statistics
      3. Viewing Flow Exceptions
    5. Sample Deployment
      1. Configuration for Screen and Flow Option Sample Deployment
    6. Summary
    7. Study Questions
  15. 12. AppSecure Basics
    1. AppSecure Component Overview
      1. Application Identification
      2. Application Tracking
      3. Application Firewall
      4. Application Quality of Service
      5. User Role Firewalling
      6. SSL Forward Proxy
      7. AI Processing Architecture
        1. How Application Identification identifies applications
        2. Signature-based pattern matching
          1. Nested application signatures
          2. Keeping honest applications honest
        3. Heuristic-based detection
        4. Predictive session identification
        5. Application system cache
    2. Deploying AppSecure
      1. AppSecure Licensing
      2. Downloading and Installing Application Identification Sigpacks
        1. Controlling application caching
          1. Enabling application identification heuristics
      3. AppID Signature Operations
        1. Enabling and disabling applications and application groups
        2. Creating Layer 3/Layer 4 applications
        3. Creating custom application groups
      4. Configuring and Deploying AppTrack
        1. Enabling AppTrack
        2. Configuring AppTrack options
      5. Configuring and Deploying Application Firewall
        1. Three types of Application Firewall rulesets
          1. Configuring a blacklist application ruleset
          2. Configuring a whitelist application ruleset
          3. Configuring a hybrid application ruleset
          4. When to use blacklist, whitelist, and hybrid rulesets
          5. Configuring application redirect
      6. Configuring and Deploying Application Quality of Service
        1. DSCP rewrite
        2. Forwarding class
        3. Logging
        4. Loss priority
        5. Rate limiter
        6. Configuring an AppQoS example
      7. Configuring and Deploying User Role Firewall
        1. UserFW functionality overview
        2. UserFW packaging and licensing
        3. Deploying UserFW
        4. Configuring the SRX for UserFW
        5. Configuring the IC
          1. Configuring the SRX as an IC enforcer
          2. Configuring the authentication server
          3. Configuring realms, roles, and sign-in policies
        6. Miscellaneous Active Directory tasks
      8. Configuring and Deploying SSL Forward Proxy
        1. Configuring SSL Forward Proxy on the SRX
        2. AppFW with encrypted applications
    3. Best Practices
      1. Application Identification
      2. AppTrack
      3. AppFW
      4. AppQoS
      5. UserFW
      6. SSL FP
    4. Troubleshooting and Operation
      1. Operating Application Identification
        1. Checking the AppID package
        2. Checking the AppID engine settings and cache
        3. Checking AppID counters
        4. Checking application statistics
        5. AppTrack
      2. Operating Application Firewall
      3. Operating Application QoS
      4. Operating UserFW
      5. Operating SSL Forward Proxy
    5. Sample Deployments
    6. Summary
    7. Study Questions
  16. 13. Intrusion Prevention
    1. The Need for IPS
      1. What About Application Firewalling in NGFW?
    2. How Does IPS Work?
      1. Licensing
      2. IPS and UTM
      3. What Is the Difference Between Full IPS and Deep Inspection/IPS Lite?
      4. Is It IDP or IPS?
      5. False Positives and False Negatives in IPS
      6. Management IPS Functionality on the SRX
      7. Stages of a System Compromise
      8. IPS Packet Processing on the SRX
        1. Packet processing path
        2. Direction-specific detection
        3. SRX deployment options
      9. Attack Object Types
        1. Application contexts
        2. Predefined attack objects and groups
        3. Custom attack objects and groups
        4. Severities
        5. Signature performance impacts
      10. IPS Policy Components
        1. Rulebases
        2. Match criteria
        3. Then actions
          1. IPS actions
          2. Notification actions
          3. Packet logging
          4. Configuring packet logging in the STRM
          5. IP actions
          6. Targets and timeouts
        4. Terminal Match
      11. Security Packages
        1. Attack database
        2. Attack object updates versus full updates
        3. Application objects
        4. Detector engines
        5. Policy templates
        6. Scheduling updates
      12. Sensor Attributes
      13. SSL Inspection (Reverse Proxy)
      14. Custom Attack Groups
        1. Static attack groups
        2. Dynamic attack groups
    3. Configuring IPS Features on the SRX
      1. Getting Started with IPS on the SRX
        1. Getting started example
        2. Configuring automatic updates
        3. Useful IPS files
        4. Viewing IPS attack objects and group membership
        5. Configuring static and dynamic attack groups
        6. Creating, activating, and referencing IPS
        7. Exempt rulebase
          1. Enabling GZIP/Deflate Decompression
    4. Deploying and Tuning IPS
      1. First Steps to Deploying IPS
      2. Building the Policy
      3. Testing Your Policy
        1. Leveraging sniffer mode for the deployment
      4. Actual Deployment
      5. Day-to-Day IPS Management
    5. Best Practices
    6. Troubleshooting and Operation
      1. Checking IPS Status
      2. Checking Security Package Version
      3. Troubleshooting and Monitoring Security Package Installation
        1. Clearing the download and cache files on the SRX
      4. Checking Policy Compilation Status
      5. IPS Attack Table
      6. IPS Counters
      7. IP Action Table
    7. Sample Deployments
    8. Summary
    9. Study Questions
  17. 14. Unified Threat Management
    1. Shifting Threats
    2. UTM, IPS, or Both?
      1. Antivirus
      2. URL Filtering
      3. Antispam
      4. Content Filtering
      5. Antivirus + URL Filtering+ IPS?
      6. I Have SRX Antivirus: Do I Need Desktop Antivirus?
    3. UTM Licensing
      1. Configuring Licensing
    4. UTM Components
      1. Feature Profiles
      2. Custom Objects
      3. UTM Policies
      4. Application Proxy
      5. Networking Requirements for UTM Features
      6. Antivirus
        1. Antivirus flavors in the SRX
        2. Sophos AV
          1. Implementing Sophos AV
          2. Configuring Sophos with a default profile
          3. Default profile configuration
          4. Sophos AV feature profiles
          5. Configuring Sophos feature profile example
        3. Kaspersky Full AV
          1. Configuring Kaspersky with the default profile
          2. Default Kaspersky profile configuration
          3. Configuring Kaspersky AV scanning and fallback options
        4. Express AV
          1. Default Express AV profile
      7. Which AV to Choose?
      8. URL Filtering
        1. URL filtering flavors
          1. Configuring the URL filtering with default profiles
        2. Websense Enhanced filtering
          1. Configuring Websense Enhanced default profile
          2. Default Websense Enhanced profile
          3. Configuring a custom Websense Enhanced profile
        3. Surfcontrol/Websense Integrated URL filtering
          1. Configuring Surfcontrol Integrated with default profile
          2. Default Surfcontrol/Websense profile configuration
          3. Configuring Surfcontrol/Websense Integrated options
        4. Websense Redirect
          1. Configuring Websense Redirect
          2. Default Websense Redirect profile
          3. Default local URL filtering profile
        5. URL Custom URLs, blacklists, whitelists, and categories
          1. Custom URL patterns
          2. Custom URL category
        6. URL filtering profiles
          1. Juniper Local feature profile options
          2. Putting it all together for Juniper Local web filtering
        7. Which URL filtering solution to choose?
      9. Antispam
        1. Configuration options for antispam
        2. Configuring antispam with the default profile
        3. Configuring a custom spam profile and policy
      10. Content Filtering
        1. Configuring content filtering example
      11. Logging UTM Messages
        1. Configuring syslog to send UTM to a remote server
    5. Best Practices
    6. Troubleshooting and Operation
      1. UTM Engine
      2. Antivirus
        1. Testing antivirus
      3. URL Filtering
        1. Websense site lookup tool
      4. Antispam
      5. Content Filtering
    7. Sample Deployments
    8. Summary
    9. Study Questions
  18. Index
  19. About the Authors
  20. Colophon
  21. Special Upgrade Offer
  22. Copyright