Index

A note on the digital index

A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.

Symbols

10 gigabit ports, IOC modules
10 Gigabit Small Form-Factor Pluggable card, IOC modules
3DES (Triple Data Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
3G cards, on SRX210, SRX200 Series
41 gigabit SFP IOC card, IOC modules

A

access control list (ACL), Configuring a stateless firewall filter to control traffic on fxp0
in troubleshooting, VPN troubleshooting process
access mode, in transparent mode, Interface Modes in Transparent Mode
access port, Switching Configuration
access-control system, role-based, Accounts for Administrative Users
action criteria, in security policy, Action CriteriaConfiguring a policy to restrict inbound or outbound management requests
action profiles, in security policy, Security Policy Criteria and Precedence
Active Directory
mapping users based on group membership, Configuring realms, roles, and sign-in policies
miscellaneous tasks, Miscellaneous Active Directory tasks
SPNEGO and, UserFW
active reconnaissance, Stages of a System Compromise
active/active deployment
for high availability clusters, Active/active
for SRX3000 line products, Data Center Edge
active/backup state, for control plane, The Control Plane
active/passive mode, Sample DeploymentsSummary
for high availability clusters, Active/passive
ActiveX, Shifting Threats
address books, for security zones, Address books
address objects
mapping IP address to, Address objects
in NAT ruleset, Best Practices
in security policy, Security Policy Criteria and Precedence
address persistence, in source NAT, Other SRX source NAT configuration options
Address Resolution Protocol (ARP), with traceroute, MAC Address Learning
address sets, Best Practices
for security zones, Address sets
address shifting, in source NAT, Other SRX source NAT configuration options
administrative user accounts, Accounts for Administrative UsersRemote authentication
ADSL cards, Interface modules for the SRX200 line
ae interface, Aggregate Interfaces
AES (Advanced Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
aggregate interfaces, Aggregate InterfacesLACP protocol
Aggressive mode for IKE negotiations, Aggressive mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Aggressive mode
vs. Main mode, Selecting the Appropriate VPN Configuration
aggressive session aging, Aggressive session aging
configuring flow option, Configuring the aggressive session ageout flow option
AH (Authentication Header), Phase 2 IKE negotiation modes, IPsec VPN Protocol
best practices, Best Practices
vs. ESP, Selecting the Appropriate VPN Configuration
alarm threshold, in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
alarm-without-drop setting, in Screen profile, Configuring a Screen profile
alarms, Informational panels
ALGs (application layer gateways), Application Layer GatewaysEnabling an ALG example, Best Practices
enabling example, Enabling an ALG example
Anti-Replay detection for IPsec VPN, Anti-Replay Protection
configuring, Configuring common IPsec VPN components
anticipating needs, Welcome to the SRX
antispam feature, Antispam
deployment, Sample Deployments
on SRX Series, Branch-Specific Features
troubleshooting, Antispam
antivirus software, IPS and UTM, AntivirusWhich AV to Choose?
in branch SRX, Branch-Specific Features
Express AV engine, Express AVWhich AV to Choose?
default profile for configuring, Default Express AV profile
focus of, Antivirus + URL Filtering+ IPS?
Kaspersky Full AV, Kaspersky Full AVExpress AV
configuring scanning and fallback options, Configuring Kaspersky AV scanning and fallback options
default profile for configuring, Configuring Kaspersky with the default profile
selecting, Which AV to Choose?
Sophos engine, Sophos AV
default profile for configuring, Configuring Sophos with a default profile
feature profiles, Sophos AV feature profiles
SRX vs. desktop, I Have SRX Antivirus: Do I Need Desktop Antivirus?
testing, Testing antivirus
troubleshooting, Antivirus
any role in SRX, Configuring the SRX for UserFW
appliance-based firewall model, Evolving into the SRX
application caching, controlling, Controlling application caching
application contexts, Application contexts
Application Denial of Service (AppDoS) prevention, Data Center Services Tier
Application Firewall (AppFW), Flow Mode and Packet Mode, Application Firewall, What About Application Firewalling in NGFW?
best practices, AppFW
configuring and deploying, Configuring and Deploying Application FirewallConfiguring application redirect
ruleset types, Three types of Application Firewall rulesets
with encrypted applications, AppFW with encrypted applications
operating, AppTrack, Operating Application Firewall
application groups
creating custom, Creating custom application groups
enabling and disabling, Enabling and disabling applications and application groups
Application Identification (AI), AI Processing ArchitectureApplication system cache
best practices, Application Identification
cache hits and misses, Checking AppID counters
counters, Checking AppID counters
downloading and installing sigpacks, Downloading and Installing Application Identification SigpacksEnabling application identification heuristics
in IPS processing, Packet processing path
object output, Signature-based pattern matching
signature operations, AppID Signature OperationsCreating custom application groups
troubleshooting, Operating Application IdentificationOperating Application Firewall
application layer gateways (ALGs), Application Layer Gateways, Best Practices
enabling example, Enabling an ALG example
application objects, Application objectsConfiguring a policy to restrict inbound or outbound management requests
creating custom, Enabling an ALG example
IPS and, Application objects
in security policy, Security Policy Criteria and Precedence
Application Quality of Service (AppQoS), Application Quality of Service
best practices, AppQoS
configuring and deploying, Configuring and Deploying Application Quality of ServiceConfiguring an AppQoS example
example, Configuring an AppQoS exampleConfiguring an AppQoS example
operating, Operating Application QoS
application redirect, configuring, Configuring application redirect
application sets, Application sets, Best Practices
application statistics, Checking application statisticsChecking application statistics
application system cache, Application system cache
Application-DDoS rulebase, Rulebases
application.list file, Useful IPS files
applications, enabling and disabling, Enabling and disabling applications and application groups
apply-groups command, Node-Specific Information
AppSecure, Data Center Services Tier, AppSecure Basics
best practices, Best PracticesSSL FP
components, Acknowledgments, AppSecure Component OverviewApplication system cache
(see also specific component names)
Application Firewall (AppFW), Application Firewall
Application Identification (AI), Application Identification, AI Processing ArchitectureApplication system cache
Application Quality of Service (AppQoS), Application Quality of Service
AppTrack, Application Tracking
SSL Forward Proxy, SSL Forward Proxy
User Role Firewalling, User Role Firewalling
licensing, AppSecure Licensing
sample deployment, Sample DeploymentsSample Deployments
troubleshooting, Troubleshooting and Operation
AppTrack, Application Tracking, Sample Deployments
best practices, AppTrack
configuring and deploying, Configuring and Deploying AppTrackConfiguring AppTrack options
enabling, Enabling AppTrack
Assured forwarding class, Forwarding class
asymmetric traffic, through firewall, TCP SYN checks
attack database, Attack database, Useful IPS files
attack groups, custom, Custom Attack Groups
attack objects
downloading Juniper predefined, Getting Started with IPS on the SRX
updates for, Attack object updates versus full updates, Best Practices
viewing, Viewing IPS attack objects and group membership
in Junos Space, Viewing IPS attack objects and group membership
attack table, IPS Attack Table
attack threshold, in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
attack-group.list file, Useful IPS files
attack.list file, Useful IPS files
attacks
object types, Attack Object TypesSignature performance impacts
custom, Custom attack objects and groups
predefined, Predefined attack objects and groups
severity levels of, Severities
shifted strategies, Shifting Threats
stages of, Stages of a System Compromise
viewing statistics, Viewing the Screen Attack Statistics
Aurora Internet Explorer exploit, Security Packages
authentication
certificate, Certificate authentication
configuring, Configuring Phase 1 proposals, Configuring IKEv1 Phase 2 proposals
IKE, IKE Authentication
in IPsec VPN, IPsec Authentication Algorithms
for VPN, Selecting the Appropriate VPN Configuration
Authentication Header (AH), Phase 2 IKE negotiation modes, IPsec VPN Protocol
best practices, Best Practices
vs. ESP, Selecting the Appropriate VPN Configuration
authentication server, configuring, Configuring the authentication server
AX411 Wireless LAN Access Point, AX411CX111
license for, Licensing

B

Bad IP Option Screen, Bad IP Option Screen
bandwidth limit, Rate limiter
BDPUs (Bridge Protocol Data Units), Spanning Tree
Best Effort forwarding class, Forwarding class, Configuring an AppQoS example
best practices
AppSecure, Best Practices
DHCP (Dynamic Host Configuration Protocol), Best Practices
intrusion prevention systems (IPS), Best PracticesBest Practices
IPsec VPN (IP Security virtual private network), Best PracticesBest Practices
Network Address Translation (NAT), Best Practices
for number of monitored hosts, IP Monitoring
Screens, Best Practices
security policies, Best PracticesBest Practices
for system services configuration, Best Practices
Unified Threat Management (UTM), Best Practices
bidirectional forwarding detection (BFD), Preserving the Control Plane
bidirectional NAT, Junos NAT Types
binary syslog, Configuring Stream mode logging on the data plane
blacklist approach to firewall rules, Configuring a blacklist application rulesetConfiguring a whitelist application ruleset
best practices, AppFW
for Juniper Local filtering, URL Custom URLs, blacklists, whitelists, and categories
when to use, When to use blacklist, whitelist, and hybrid rulesets
blind switching, Branch-Specific Features, SRX100 Series
Block Frag Screen, Block Frag Screen
Border Gateway Protocol (BGP) route reflector, licensing, Licensing
botnet attacks on data center, Data Center Edge
branch firewall, Built for Services
SRX Series products for, Deployment Solutions
branch SRX Series, Branch SRX SeriesBranch Summary
and AX411 appliances, AX411
features specific to, Branch-Specific FeaturesBranch-Specific Features
hardware overview, Branch SRX Series Hardware Overview
licensing, Licensing
packet mode, Flow Mode and Packet Mode
SRX100 series, SRX100 SeriesSRX100 Series
SRX200 Series, SRX200 SeriesInterface modules for the SRX200 line
interface modules for, Interface modules for the SRX200 line
SRX500 Series, SRX500 Series
SRX550, SRX500 Series
capacities, SRX500 Series
SRX600 Series, SRX600 SeriesInterface modules for the SRX600 line
interface modules for, Interface modules for the SRX600 line
SRX650
capacities, SRX600 Series
summary, Branch Summary
bridge domains, Routing Instance Types
listing active, The show bridge domain Command
in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode, Bridge Domains
configuring, Sample Deployments
bridge loop, transparent mode firewall for, Transparent Mode and Bridge Loops, Spanning Tree Protocol
bridge MAC learning table, The show bridge mac-table Command
Bridge Protocol Data Units (BDPUs), Spanning Tree
bridge, for transparent mode interface, Transparent Interfaces
bridging, configuring options, Configuring Bridging Options
byte stream, measuring randomness of, Heuristic-based detection

C

CA (certificate authority), Certificate authentication
SSL FP support for installing certificate, Configuring SSL Forward Proxy on the SRX
cable modem, Interface modules for the SRX200 line
cache
application system, Application system cache
clearing files, Clearing the download and cache files on the SRX
campus core firewalls, The Junos Enterprise Services Reference Network
categories, for custom URL pattern, Custom URL category
CBC (Cipher Block Chaining), Configuring Phase 1 proposals
cellular Internet access, RF interference and, Branch-Specific Features
central point (CP), SPU for, SPC
centralized management, Centralized ManagementUsing NSM
certificate revocation lists (CRLs), Certificate Validation
certificates
authentication, Certificate authentication
best practices, SSL FP
configuring, Configuration for Remote-Office1 proposal with certificates, Configuring IKEv1 Phase 1 policies
configuring IKEv1 Phase 1 IKE policy, Configuring IKEv1 Phase 1 IKE policy with certificates
importing external, Configuring SSL Forward Proxy on the SRX
preconfiguration tasks, Certificate Preconfiguration Tasks
validation for IPsec VPN, Certificate Validation
chassis cluster, Medium Branch, Chassis Cluster, Getting Started with High AvailabilitySix pack
deployment solutions, Deployment ConceptsSix pack
high availability, node-specific information, Node-Specific InformationNode-Specific Information
hold-down timer to prevent failover, Redundancy Groups
integrating into network, Integrating the Cluster into Your NetworkConfiguring Interfaces
managing members, Managing Cluster Members
private mode, Differences from Standalone
sample deployment, Sample DeploymentsSummary
status of, Activating Juniper Services Redundancy Protocol
for transparent mode deployment, Sample Deployments
Chassis Information view (J-Web), Chassis view
Chassis Status panel, Informational panels
chassisD daemon, System services that operate on the control plane, Hardware Monitoring
child processes, Branch SRX Series Hardware Overview
Cipher Block Chaining (CBC), Configuring Phase 1 proposals
ciphers, defining for SRX/Servers, Configuring SSL Forward Proxy on the SRX
Cisco Systems, GETVPN solution, Group VPN
clear interface statistics command, Monitoring Interface Counters
clear services application-identification application-system-cache command, Checking the AppID engine settings and cache
clearing, cache files, Clearing the download and cache files on the SRX
CLI (see command-line interface (CLI))
Client-Outbound firewall rule, Sample Deployments
client-side threats, Layer 7 protection against, Unified Threat Management
client-to-server attacks, Direction-specific detection
Close-Client IPS action, IPS actions
Close-Client-and-Server IPS action, IPS actions
Close-Server IPS action, IPS actions
closing session, Application objects
cloud networks, deployment, Cloud NetworksThe Junos Enterprise Services Reference Network
cluster ID, Cluster ID
cluster-master mode, Managing Cluster Members
clustering mode, requirements for running device, Chassis Cluster
coldsync, The Dreaded Priority Zero
command-line interface (CLI), How to Use This Book, Device management, SRX GUI Management
for management services, Command-Line InterfacesConfiguring SSH access
commands, running from configuration mode, Aggregate Interfaces
compact flash port, SRX600 Series
complex attack objects, Dynamic attack groups
concurrent sessions, at data center core, Data Center Services Tier
configuration
committing, Committing the configuration
J-Web tool for managing, Configuration management
configuration mode in Junos CLI
running commands from, Aggregate Interfaces
congestion, and loss priority for dropped traffic, Loss priority
connection-oriented communications, How to Use This Book
connectionless paradigm, How to Use This Book
connectivity
maximum, example SRX5800 configuration for, SRX5000 Series
security for, Preface
console, Command-Line Interfaces
configuring options, Configuring console options
content filtering, Content Filtering, Content FilteringConfiguring syslog to send UTM to a remote server
troubleshooting, Content Filtering
contexts, in IPS processing, Packet processing path, Application contexts
control link
failure, Control link and data link failure
monitoring, Control link
control plane
access, vs. data plane, Accessing System Services: Control Plane Versus Data PlaneConfiguring a security policy to control data plane management traffic
high availability and, The Control Plane
logs
configuring, Configuring control plane logging on the SRXConfiguring control plane logging on the SRX
configuring Event mode, Configuring Event mode logging to the control plane
vs. data plane logs, Control Plane Versus Data Plane LogsJFlow on the SRX
preserving, Preserving the Control Plane
in redundancy group, Redundancy Groups
states, Activating Juniper Services Redundancy Protocol
system services and, System Services and the Control PlaneSystem services that operate on the control plane
control ports, configuring, Configuring the Control PortsConfiguring the Control Ports
core dump, Checking for Core Dumps
troubleshooting, Core Dumps
Count action, in security policy, Action Criteria
counters
for IPS troubleshooting, IPS Counters
viewing on interface, Viewing the Services/Counters on the InterfaceViewing the Services/Counters on the Interface
CPE (Customer Premise Equipment), SRX installed in, Configuring the SRX as a DHCP client
CPS rate, Data Center SRX Series Hardware Overview
craft port, in SRX5600, SRX5000 Series
Critical severity level of attacks, Severities
CRLs (certificate revocation lists), Certificate Validation, Best Practices
custom spam profile, Configuring a custom spam profile and policy
CX111 Cellular Broadband Data Bridge, CX111
cyberthreats, IPS and UTM

D

daemons
restarting platform, Restarting Platform Daemons
for system services, System Services and the Control Plane
troubleshooting, Troubleshooting Individual Daemons
dashboard
for J-Web tool, DashboardInformational panels
chassis view, Chassis viewChassis view, Informational panelsInformational panels
customizing, Informational panels
for NSM, Using NSM
Dashboard Preferences dialog box, Informational panels
data center firewall, Built for Services
deployment solutions, Data Center
services tier, Data Center Services Tier
edge of, Data Center EdgeData Center Edge
SRX Series products for, Deployment Solutions
data center SRX Series, SRX Series Product Lines, Data Center SRX SeriesIOC modules
antivirus feature for, Branch-Specific Features
features specific to, Data Center SRX-Specific Features
hardware overview, Data Center SRX Series Hardware Overview
session setup, Data Center SRX Series Session SetupData Center SRX Series Session Setup
SRX1000 Series, Data Center SRX Series, SRX1000 Series
SRX1400 Series
capacities, SRX1000 Series
SRX3000 Series, Data Center SRX Series, SRX3000 SeriesIOC modules
SRX3400, SRX3000 Series
capacities, SRX3000 Series
SRX3600, SRX3000 Series
capacities, SRX3000 Series
interface modules for, IOC modules
SRX5000 Series, Data Center SRX Series, SRX5000 SeriesIOC modules
capacities, SRX5000 Series
IOC modules, IOC modules
upgrade for NG-SPC support, NG-SPC
SRX5600, SRX5000 Series
FPC numbers, SRX5000 Series
SRX5800, SRX5000 Series, SRX5000 Series
example line configurations, SRX5000 Series
FPC numbers, SRX5000 Series
Data Encryption Standard (DES), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
Data Leak Protection (DLP), Content Filtering
data links, The Data Plane
configuring for transparent mode deployment, Sample Deployments
failure, Control link and data link failure
monitoring, Data link
data path, The Data Plane
data plane, System Services and the Control Plane
access, vs. control plane, Accessing System Services: Control Plane Versus Data PlaneConfiguring a security policy to control data plane management traffic
default route in, Management Interfaces
high availability and, The Data Plane
logs, vs. control plane logs, Control Plane Versus Data Plane Logs
security policy enforcement on, Packet Flow
system services and, System Services and the Data Plane
troubleshooting, Verifying the Data PlaneVerifying the Data Plane
data, creation, Preface
date and time, manually configuring, Manually configuring SRX time
Day One Automation Series, Device management
Dead Peer Detection (DPD), Power supplies, Dead Peer Detection
debug output, for troubleshooting transparent mode, Transparent Mode Troubleshooting Steps
debugging VPN, VPN Tracing and DebuggingConfiguring and analyzing VPN tracing
dedicated mode, for data center SRX Series, Data Center SRX-Specific Features
deep packet inspection, Welcome to the SRX, ScreenOS to Junos
default action, in security policy, Security Policy Precedence
default profile for configuring antispam, Configuring antispam with the default profile
default-policy action, Top to Bottom Policy Evaluation
denial-of-service (DoS) attacks, A Brief Review of Denial-of-Service AttacksDoS Versus DDoS
on data center, Data Center Edge
exploit-based, Exploit-Based DoS
flood-based, Flood-Based DoS
screen feature for, Service Provider
vs. DDoS, DoS Versus DDoS
with ICMP, DoS Attacks with ICMPConfiguring the ICMP Ping of Death Screen
with IP protocols, DoS Attacks with IP ProtocolsConfiguring the Unknown IP Protocol Screen
with TCP, DoS Attacks with TCPConfiguring the WinNuke Screen
with UDP, DoS Attacks with UDP
deny action, in security policy, Action Criteria
DES (Data Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
desktop antivirus, need for, I Have SRX Antivirus: Do I Need Desktop Antivirus?
destination address, in IPS policy, Match criteria
destination MAC addresses, known vs. unknown, Slow-path SPU packet processing
destination NAT, Junos NAT Types
combining with source NAT, Combination Source and Destination NATCombination Source and Destination NAT
examples, Destination NATConfiguration destination NAT
flow debugging, Source NAT
no-NAT rules with, No-NAT with Source or Destination NATNo-NAT with Source or Destination NAT
pools, Destination NAT pools
precedence for, NAT type precedence
rulesets, Destination NAT rulesets
destination objects, negated, for security zones, Negated source and destination objects
destination zone, Security zones
Destination-IP Session Limit screen, Session Limit Screens, Destination IP Session Limit Screen
detail command, show security ike security-associations
detail flag, for show route table command, Static Routing
detector engines, in IPS process, Detector engines
Deterministic Finite Automaton (DFA) technology, Signature-based pattern matching
Device Management Interface (DMI), Space: The Final Frontier of Management
DHCP (Dynamic Host Configuration Protocol), Dynamic Host Configuration ProtocolConfiguring the SRX as a DHCP relay server
best practices, Best Practices
client configuration on SRX, Configuring the SRX as a DHCP client
operational mode commands for troubleshooting, DHCP Operational Mode Commands
relay server configuration on SRX, Configuring the SRX as a DHCP relay server
server configuration on SRX, Configuring the SRX as a DHCP server
differentiated Services Code Point (DSCP), Differentiated Services Code Point
Diffie-Hellman groups, Aggressive mode, Configuring Phase 1 proposals
troubleshooting, VPN troubleshooting process
Diffie-Hellman key exchange process, Main mode, Aggressive mode
group number, Selecting the Appropriate VPN Configuration
direction-specific detection, in IPS processing, Direction-specific detection
Disable Session Resumption option, in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
disabled control plane state, Activating Juniper Services Redundancy Protocol
discard option, for static routing, Static Routing
disk storage, on firewall, monitoring, Informational panels
distinguished name (DN), as IKE identity, IKE Identities
distributed denial-of-service (DDoS) attack
on data center, Data Center Edge
vs. DoS, DoS Versus DDoS
DLP (Data Leak Protection), Content Filtering
DMI (Device Management Interface), Space: The Final Frontier of Management
DMZ
IPS deployment, Sample Deployments
SRX Series devices firewall deployment, The Junos Enterprise Services Reference Network
DNS (Domain Name System), Domain Name System
address objects, DNS address objects
DOCSIS 3.0 card, Interface modules for the SRX200 line
DoS attack (see denial-of-service (DoS) attacks)
dotted decimal format, How to Use This Book
downgrade process, for Junos, Software management
downloading
for Application Identification (AI) sigpacks, Downloading and Installing Application Identification SigpacksEnabling application identification heuristics
Drop-Connection IPS action, IPS actions
Drop-Packet IPS action, IPS actions
DSCP (differentiated Services Code Point), Differentiated Services Code Point
field rewrite, DSCP rewrite
dual control links, Configuring the Control Ports
dual mastership, Configuring the Control Ports
dyamic routing network protocols, Dynamic Routing Protocols
dynamic attack groups, Custom attack objects and groups, Dynamic attack groups
best practices, Best Practices
configuring, Configuring static and dynamic attack groups
dynamic gateways, configuring, Configuring dynamic gateways and remote access clients
dynamic group objects, Sample Deployments
Dynamic Host Configuration Protocol (DHCP) (see DHCP (Dynamic Host Configuration Protocol))
dynamic IP address
configuring IKE gateway with, Configuring an IKE gateway with a dynamic IP address
configuring remote gateways with, Configuring IKEv1 Phase 1 gateways
dynamic VPN, Dynamic VPN, Dynamic VPNBest Practices
interface for, Best Practices
dynamic VPN client, Branch-Specific Features
licensing, Licensing

E

egress interface, Security zones, NAT Precedence in the Junos Event Chain
egress traffic, NPUs for, Data Center SRX Series Session Setup, Data Center SRX Series Session Setup
egress zone, Inherited ScreenOS features
embryonic session, Data Center SRX Series Session Setup
Encapsulating Security Payload (ESP), SRX100 Series, Phase 2 IKE negotiation modes, IPsec VPN Protocol
best practices, Best Practices
vs. AH, Selecting the Appropriate VPN Configuration
encrypted applications, AppFW with, AppFW with encrypted applications
encryption (see Internet Key Exchange (IKE)) (see IPsec VPN (IP Security virtual private network))
encryption algorithms
configuring, Configuring Phase 1 proposals, Configuring IKEv1 Phase 2 proposals
in IPsec VPN, IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
End to End Data-path Debug, Performing a Packet Capture on the High-End SRX
ending sessions, Data Center SRX Series Session Setup
Engine-not-ready option, for Sophos engine, Sophos AV feature profiles
Enhanced Websense Filtering, Antivirus + URL Filtering+ IPS?
enterprise management, Management Interfaces
error statistics, Monitoring Interface Counters
ESP (Encapsulating Security Payload), Phase 2 IKE negotiation modes, IPsec VPN Protocol
best practices, Best Practices
vs. AH, Selecting the Appropriate VPN Configuration
Ethernet, How to Use This Book
Ethernet ports
on SRX100, SRX100 Series
on SRX210, SRX200 Series
etheroptions hierarchy
adding interfaces to aggregate device, Aggregate Interfaces
for physical interfaces, Physical Interfaces
event mode, vs. stream mode, for data plane logs, Data plane logs: Event versus Stream mode
Exempt rulebase, Rulebases
Expedited forwarding class, Forwarding class, Configuring an AppQoS example
explicit drop rules, Best Practices
exploit-based denial-of-service (DoS) attacks, Exploit-Based DoS
exporting flow records, JFlow on the SRX
ExpressCard slot, on SRX210, SRX200 Series
Extensible Markup Language (XML) interface
Junos CLI as, Device management
external certificate, importing, Configuring SSL Forward Proxy on the SRX
external interface, configuring for IPsec VPN, Configuring IKEv1 Phase 1 gateways
extreme mode, in SRX3400, SRX3000 Series

F

fab interface, Configuring the Fabric Links
fabric chip, IOC modules
fabric links, The Data Plane
configuring, Configuring the Fabric LinksConfiguring the Fabric Links
redundant, Configuring the Fabric Links
verifying, First Steps
Facebook, rule blocking, Three types of Application Firewall rulesets
failover, Fault Monitoring
hold-down timer to prevent in chassis cluster, Redundancy Groups
information to handle traffic, The Data Plane
manual, Manual FailoverManual Failover
multiple interfaces in zone for, One interface per zone versus multiple interfaces per zone
for service provider, Mobile Carriers
fallback options
for Kaspersky Full AV, Kaspersky Full AV
for Sophos engine, Sophos AV feature profiles
false positives and false positives, in IPS, False Positives and False Negatives in IPS
family (protocol), Logical Interfaces
family bridge, in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode
fast-path SPU processing, Fast-path SPU packet processing
fault monitoring, Fault MonitoringPreserving the Control Plane
hardware monitoring, Hardware MonitoringPower supplies
interface monitoring, Interface MonitoringInterface Monitoring
IP monitoring, IP Monitoring
File Transfer Protocol (FTP), Application Layer Gateways
antivirus feature for, Branch-Specific Features
File Usage panel, Informational panels
file-based protection, IPS and UTM
filesystem interfaces, on control plane, System services that operate on the control plane
FIN-No-ACK Screen, FIN-No-ACK Screen
financial network, data center SRX Series for, SRX5000 Series
Firefox, J-Web: Your On-Box Assistant
firewall filter, Flow Mode and Packet Mode
firewall policies, Firewall policies
Junos OS management, Firewall policy management
lookup, Packet Flow
rules defining objects to be excluded, Negated source and destination objects
firewalls, Foreword
importance of, Welcome to the SRX
Flash, Shifting Threats
Flex IOC card, IOC modules
flexible PIC concentrator (FPC), Physical Interfaces, Chassis Cluster
slots for, SRX3000 Series
flood-based denial-of-service (DoS) attacks, Flood-Based DoS
flood-based Screens, Best Practices
flooding frame, MAC Address Learning
flow
and IP VPNs, Flow Processing and IPsec VPNs
debugging, Flow Debugging with NATStatic NAT
in transparent mode, Transparent Mode Flow Process
viewing exceptions, Viewing Flow Exceptions
flow mode, Branch-Specific Features, Flow Mode and Packet ModeFlow Mode and Packet Mode
in branch SRX Series, Branch Summary
flow options, SRX Flow OptionsConfiguring the TCP initial session timeout and TCP time wait timeout
aggressive session aging, Aggressive session aging
TCP sequence checks, TCP sequence checks, Configuring TCP sequence checks
flow records, exporting, JFlow on the SRX
flow trace, troubleshooting, Performing a Flow TracePerforming a Flow Trace
flowd daemon, The Data Plane
IPS-bound traffic processed by, Packet processing path
RE monitored by, Software Monitoring
forwarding classes, Forwarding class
FPC (flexible PIC concentrator), Physical Interfaces
FQDN (fully qualified domain name)
as IKE identity, IKE Identities
in SSL certificate, AppFW with encrypted applications
fragmentation
configuring, Configuring common IPsec VPN components
in IPS processing, Packet processing path
in IPsec VPN, Fragmentation
FreeBSD, ScreenOS to Junos
from zone, Security zones, NAT Precedence in the Junos Event Chain
in IPS policy, Match criteria
FTP (File Transfer Protocol), Application Layer Gateways
antivirus feature for, Branch-Specific Features
fully qualified domain name (FQDN), as IKE identity, IKE Identities
Fun WebProducts spyware, Exempt rulebase
functional zones, Functional ZonesFunctional Zones
fxp0 interface, Routing Instances, Accessing System Services: Control Plane Versus Data Plane, Managing Cluster Members
management port, Management Interfaces

G

G-PIM slots, SRX600 Series, Interface modules for the SRX600 line
G.SHDSL standard, Interface modules for the SRX200 line
GARPs, Configuring Interfaces
gateway configuration
for IKEv1 Phase 1, Configuring IKEv1 Phase 1 gatewaysConfiguring IKEv1 Phase 1 gateways
for IPsec VPN, Configuring common IPsec VPN components
Generic Route Encapsulation (GRE), SRX100 Series
global security policies, Security Policy Precedence
Google Chrome, J-Web: Your On-Box Assistant
granularity, of SRX IPS implementation, Packet processing path
Gratuitous ARPs (GARPs), High Availability with Transparent Mode
Group VPN, Group VPN
groups in Junos, Node-Specific Information
groups.xml file, Useful IPS files
GUI management, Acknowledgments, SRX GUI Management
(see also J-Web tool)

H

hardware
monitoring, Hardware MonitoringPower supplies
Screens in, Screens in Hardware and Software
hashing, IPsec Authentication Algorithms
heartbeat timers, configuring, Configuring Heartbeat Timers
help command, for logs, Tips for Viewing Syslog Messages
heuristic-based detection of applications, Heuristic-based detection, Enabling application identification heuristics
High Availability (HA), Medium Branch
basics, High Availability
chassis clusters, Chassis Cluster, Getting Started with High AvailabilitySix pack
deployment concepts, Deployment ConceptsSix pack
node-specific information, Node-Specific InformationNode-Specific Information
reth interface for, Aggregate Interfaces
SNMP in, SNMP in High Availability Chassis Clusters
control plane and, The Control Plane
data plane and, The Data Plane
fault monitoring, Fault MonitoringPreserving the Control Plane
hardware monitoring, Hardware MonitoringPower supplies
interface monitoring, Interface MonitoringInterface Monitoring
IP monitoring, IP MonitoringIP Monitoring
IPsec termination in, IPsec termination in HA
preparing devices for deployment, Preparing Devices for DeploymentRedundancy Groups
and source NAT with Port overloading, Other SRX source NAT configuration options
troubleshooting, Troubleshooting and OperationManual Failover
with transparent mode, High Availability with Transparent Mode
hijacking attacks, preventing, TCP sequence checks
Hit Count output, Security policy tools
hold-down timer
failover prevention in chassis cluster, Redundancy Groups
manual failover and, Manual Failover
honored sessions, Operating Application QoS
host inbound traffic configuration, Functional Zones
host security policies, Host security policies
hostname
defining, Task wizards
as IKE identity, IKE Identities
troubleshooting, VPN troubleshooting process
Hostname attribute, Selecting the Appropriate VPN Configuration
hub and spoke IPsec VPN, Hub and Spoke IPsec VPNs
best practices, Best Practices
hybrid approach to firewall rules, Three types of Application Firewall rulesets, Configuring a hybrid application ruleset
best practices, AppFW
when to use, When to use blacklist, whitelist, and hybrid rulesets
HyperText Transfer Protocol (HTTP), antivirus feature for, Branch-Specific Features
hypervisor, JunosV Firefly (Virtual Junos)

I

IC enforcer, configuring SRX as, Configuring the SRX as an IC enforcer
ICMP (Internet Control Message Protocol), How to Use This Book
DoS attacks with, DoS Attacks with ICMPConfiguring the ICMP Ping of Death Screen
fragment screen, ICMP Fragment Screen
IP sweep screen, ICMP IP Sweep Screen
large packet screen, ICMP Large Packet Screen
ping of death screen, ICMP Ping of Death Screen
for VPN monitoring, VPN Monitoring
ICMP flood screen, ICMP Flood Screen
ICMP reset, Action Criteria
idle timeout, for application object, Application objects
IDPD process, System Services and the Data Plane
IFD, Physical Interfaces
IFL, Physical Interfaces
Ignore-Connection IPS action, IPS actions
Ignore-Server-Auth-Failure option, in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
IKE (Internet Key Exchange)
AutoKey vs. manual keys, Selecting the Appropriate VPN Configuration
best practices, Best Practices
configuring connection sharing, Configuring dynamic gateways and remote access clients
identities, IKE Identities
negotiations, IKE Negotiations
authentication, IKE Negotiations
Phase 1 authentication, VPN troubleshooting process
version 1, IKE Version 1 OverviewProxy ID negotiation
configuring gateway with static IP, Configuring an IKEv1 gateway with static IP address and DPD
configuring gateways, Configuring IKEv1 Phase 1 gatewaysConfiguring IKEv1 Phase 1 gateways
configuring with certificates, Configuring IKEv1 Phase 1 IKE policy with certificates
configuring with preshared key, Aggressive mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Aggressive mode
configuring with preshared key, Main mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
key lifetimes, IKEv1 Key Lifetimes
phase 1 configuration, Phase 1 IKE ConfigurationPhase 2 IKE Configuration
phase 1 negotiation modes, Phase 1 IKE negotiation modes
phase 2 configuration, Phase 2 IKE ConfigurationIKEv1 Versus IKEv2 Configuration
phase 2 negotiations, Phase 2 IKE negotiation modes
vs. version 2 configuration, IKEv1 Versus IKEv2 ConfigurationIPsec and SRX HA
version 2, IKE Version 2
vs. version 1, IKEv1 versus IKEv2
IKE identity, Selecting the Appropriate VPN Configuration
IKE-ID, IKE Identities
IMIX number, Data Center SRX Series Hardware Overview
importing external certificate, Configuring SSL Forward Proxy on the SRX
in-band management, Management Interfaces
inactivity timeout, for application object, Application objects
inbound management requests, policy to restrict, Configuring a policy to restrict inbound or outbound management requests
ineligible control plane state, Activating Juniper Services Redundancy Protocol
Inet, for transform definition, Static NAT transforms
infection attempts, Stages of a System Compromise
information availability, High Availability
Information severity level of attacks, Severities
information, expansion, Preface
Infranet controller (IC)
best practices, UserFW
configuring, Configuring the ICConfiguring realms, roles, and sign-in policies
firewall rules for clients to communicate with, Configuring the SRX for UserFW
service account for, Operating UserFW
troubleshooting facilities on, Operating UserFW
ingress interface, Screen processing in, Screen Processing only happens on the ingress interface
ingress point for data center, Data Center
ingress traffic
NPUs for, Data Center SRX Series Session Setup
policing, Configuring and Deploying Application Quality of Service
ingress zone, Inherited ScreenOS features
inline tap mode, for data center SRX Series, Data Center SRX-Specific Features
input/output cards (IOCs), Interface card
installing
for Application Identification (AI) sigpacks, Downloading and Installing Application Identification SigpacksEnabling application identification heuristics
security packages, troubleshooting,, Troubleshooting and Monitoring Security Package InstallationChecking Policy Compilation Status
interface binding, configuring, Configuring route-based VPNs
interface cards
monitoring, Interface card
for SRX1400, SRX1000 Series
interface counters, monitoring, Monitoring Interface CountersPerforming a Flow Trace
interface modes, in transparent mode, Interface Modes in Transparent Mode
interface modules
for SRX200 Series, Interface modules for the SRX200 line
for SRX3600, IOC modules
for SRX600 Series, Interface modules for the SRX600 line
interface range command, Switching Configuration
interfaces, InterfacesTransparent Interfaces
adding to routing interfaces, Configuring Routing Instances
addressing in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode
aggregate, Aggregate InterfacesLACP protocol
configuring, Configuring InterfacesConfiguring Interfaces
to allow IKE traffic, Configuring IKEv1 Phase 1 gateways
displaying, Physical Interfaces
IRB, IRB Interfaces
J-Web for managing, Interfaces
logical, Logical InterfacesLogical Interfaces
management, Management InterfacesManagement Interfaces
as members of reth, Configuring Interfaces
monitoring, Interface monitoring, Interface MonitoringInterface Monitoring
number per zone, One interface per zone versus multiple interfaces per zone
numbering format, Chassis Cluster
output of statistics, Viewing Flow Exceptions
physical, Physical InterfacesPhysical Interfaces
in redundancy group, Redundancy Groups
in source NAT, Interfaces, Interfaces
source NAT examples with, Source NAT with interfacesSource NAT with interfaces
statistics on, Checking interface statistics
transparent, Transparent Interfaces
troubleshooting, Checking Interfaces
virtual, Virtual Interfaces
for VPN, terminating, VPN troubleshooting process
internal clients, IPS deployment, Sample Deployments
internal servers, IPS deployment, Sample Deployments
Internet Explorer, J-Web: Your On-Box Assistant
Internet Key Exchange (IKE) (see IKE (Internet Key Exchange))
Internet Message Access Protocol (IMAP), antivirus feature for, Branch-Specific Features
interzone security policies, Security Policy Precedence
intrazone security policies, Security Policy Precedence, Top to Bottom Policy Evaluation
intrusion detection and prevention (IDP), Is It IDP or IPS?
intrusion prevention systems (IPS), Preface
actual deployment, Actual Deployment
attack object types, Attack Object TypesSignature performance impacts
best practices, Best PracticesBest Practices
configuring, Configuring IPS Features on the SRXDeploying and Tuning IPS
automatic updates, Configuring automatic updates
creating, activating and referencing, Creating, activating, and referencing IPSCreating, activating, and referencing IPS
example, Getting started example
Exempt rulebase, Exempt rulebase
GZIP/Deflate Decompression, Enabling GZIP/Deflate Decompression
static and dynamic attack groups, Configuring static and dynamic attack groups
data center SRX Series features for, Data Center SRX-Specific Features
for data center servers, Branch-Specific Features
day-to-day management, Day-to-Day IPS Management
deploying and tuning, Deploying and Tuning IPSDay-to-Day IPS Management
deployments, Sample DeploymentsSummary
false positives and false negatives, False Positives and False Negatives in IPS
firewall inspection of attack vs., How Does IPS Work?
how it works, How Does IPS Work?Dynamic attack groups
Junos Space and IPS signature downloads, Configuring automatic updates
licensing, Licensing
management functionality on SRX, Management IPS Functionality on the SRX
need for, The Need for IPS, Antivirus + URL Filtering+ IPS?
packet processing, IPS Packet Processing on the SRXSRX deployment options
policy components, IPS Policy Components
actions, Then actionsTargets and timeouts
match criteria, Match criteria
rulebases, Rulebases
sensor attributes, Sensor Attributes
SRX deployment options, SRX deployment options
testing policy, Testing Your PolicyLeveraging sniffer mode for the deployment
troubleshooting, Troubleshooting and OperationIP Action Table
attack table, IPS Attack Table
checking policy compilation status, Checking Policy Compilation Status
checking security package version, Checking Security Package Version
checking status of, Checking IPS Status
counters for, IPS Counters
security package installation, Troubleshooting and Monitoring Security Package InstallationChecking Policy Compilation Status
useful files, Useful IPS files
and UTM, IPS and UTM
viewing attack objects and group membership, Viewing IPS attack objects and group membership
vs. deep inspection/IPS Lite, What Is the Difference Between Full IPS and Deep Inspection/IPS Lite?
vs. UTM, Unified Threat Management
IP action table, troubleshooting, IP Action Table
IP actions, IP actions
IP addresses, How to Use This Book
on aggregate interface, Aggregate Interfaces
configuration, Logical Interfaces
displaying, Interfaces
as IKE identity, IKE Identities
mapping object to, Address objects
reporting by geographic location, Reporting with STRM
IP fragments, Block Frag Screen
IP monitoring, IP Monitoring
IP options field, Bad IP Option Screen
IP prefix address objects, IP prefix address objects
IP prefix, for transform definition, Static NAT transforms
IP protocols, DoS attacks with, DoS Attacks with IP ProtocolsConfiguring the Unknown IP Protocol Screen
IP range objects, IP range objects
IP Security Option Screen, IP Security Option Screen
IP Security virtual private network (IPsec VPN), IPsec VPN
IP Session Limit Screens, Aggressive session aging
IP Spoofing Screen, IP Spoofing Screen
IP Stream Option Screen, IP Stream Option Screen
IP Tear Drop Screen, IP Tear Drop Screen
IP Timestamp Option Screen, IP Timestamp Option Screen
IP-Block action, IP actions
IP-Close action, IP actions
IP-Notify action, IP actions
IPS, Acknowledgments, Data Center Services Tier
(see also intrusion prevention systems (IPS))
IPS rulebase, creating, Creating, activating, and referencing IPS
IPsec
access to SRX Series firewalls, The Junos Enterprise Services Reference Network
caveats on SRX, IPsec Caveats on SRX
configuring Phase 2 policy, Configuring Phase 2 IPsec policy
statistics on, show security ipsec statistics
termination in HA, IPsec termination in HA
IPsec VPN (IP Security virtual private network), IPsec VPN
anti-replay protection for, Anti-Replay Protection
architecture overview, VPN Architecture OverviewRemote Access VPNs
authentication algorithms, IPsec Authentication Algorithms
best practices, Best PracticesBest Practices
certificate validation, Certificate Validation
configuring, IPsec VPN Configuration
certificate preconfiguration tasks, Certificate Preconfiguration Tasks
NTP, Configuring NTP
differentiated Services Code Point (DSCP), Differentiated Services Code Point
encryption algorithms, IPsec Encryption Algorithms
flow process and, Flow Processing and IPsec VPNs
fragmentation, Fragmentation
IKE version 1, IKE Version 1 OverviewProxy ID negotiation
manual keys, IPsec Manual Keys
mode, IPsec VPN Mode
Network Time Protocol (NTP) for, Network Time Protocol
preshared key authentication, Preshared key authentication
vs. certificate, Selecting the Appropriate VPN Configuration
vs. SSL VPNs, Remote Access VPNs
IPv4, Logical Interfaces
IPv6
enabling flow-based or packet-based processing, Flow Mode and Packet Mode
encapsulation, Flow Mode and Packet Mode
NAT automatic translation, Option 3: NAT 64 automatic translation
NAT translation of IPv4 to, Option 2: NAT46 Static mapping
packet fragments on, Block Frag Screen
protocol versions for, Dynamic Routing Protocols
route configuration, Static Routing
Screens and, Screen Theory and Examples
support for IPsec, IPv6 and IPsec on the SRX
IRB (integrated routing and bridging) interfaces, IRB Interfaces
configuring, Configuring Integrated Routing and BridgingConfiguring Integrated Routing and Bridging, Sample Deployments
IS-IS routing protocol, Dynamic Routing Protocols
ISSU (unified in-service software upgrade), Configuring the Control Ports
for VPN, ISSU for VPN

J

J-Net community, When All Else Fails
J-Web tool, Device management, SRX GUI Management, J-Web: Your On-Box AssistantNetwork connectivity
configuration management, Configuration management
dashboard, DashboardInformational panels
chassis view, Chassis viewChassis view
customizing, Informational panels
informational panels, Informational panelsInformational panels
device configuration, Device ConfigurationPoint and click CLI
task wizards, Task wizardsTask wizards
interface management, Interfaces
monitoring with, Monitoring Your SRX
operational tasks, Operational TasksDisk management
Ping option, Network connectivity
point and click CLI, Point and click CLI
rebooting, Rebooting
troubleshooting with, Troubleshooting from J-Web
viewing security logs, Viewing Security Logs Locally
Java, Shifting Threats
JavaScript, Shifting Threats
JFlow format, JFlow on the SRX
best practices, Best Practices
JFlow record export, SRX Logging and Flow Records
jsrpd daemon, System services that operate on the control plane, The Control Plane, The Data Plane, Activating Juniper Services Redundancy Protocol
heartbeat messages, Data link
logging, The Dreaded Priority Zero
JTAC, When All Else Fails
jumbo frame, Data Center SRX Series Hardware Overview, Configuring the Fabric Links
Juniper Day One Library, How to Use This Book
Juniper Group VPN solution, Group VPN
Juniper Knowledge Base, Transparent Mode Troubleshooting Steps
Juniper Local URL filtering, pros and cons, Which URL filtering solution to choose?
Juniper Networks, Preface
AX411 Wireless LAN Access Point, Branch-Specific Features, AX411CX111
CX111 Cellular Broadband Data Bridge, Branch-Specific Features, CX111
EX Series Ethernet Switches, Large Branch
J Series Services Routers, Branch-Specific Features
management paradigm, Cloud Networks
MX960 3D Universal Edge Router, Service Provider
resources for learning SRX, When All Else Fails
SA Series SSL VPN Appliances, Branch-Specific Features
Juniper Networks SRX Series products, Foreword, Acknowledgments, Acknowledgments, Welcome to the SRX
(see also branch SRX series)
(see also data center SRX Series)
deployment solutions, Deployment SolutionsThe Junos Enterprise Services Reference Network
cloud networks, Cloud NetworksCloud Networks
data center, Data Center
large branch, Large BranchLarge Branch
medium branch, Medium Branch
mobile carriers, Mobile CarriersMobile Carriers
service provider, Service ProviderService Provider
small branch, Small Branch
development, Preface
hardware platform, The SRX Series PlatformBuilt for Services
inherited ScreenOS features, Inherited ScreenOS features
predecessors, Evolving into the SRX
SRX100, Small Branch, The Junos Enterprise Services Reference Network, SRX100 SeriesSRX100 Series
capacities, SRX100 Series
SRX110, SRX100 Series
SRX1400, Data Center Edge
SRX200 Series, SRX200 SeriesInterface modules for the SRX200 line
interface modules for, Interface modules for the SRX200 line
SRX210, Small Branch
capacities, SRX200 Series
enhanced version, SRX200 Series
SRX220, SRX200 Series
capacities, SRX200 Series
SRX240, Medium Branch, The Junos Enterprise Services Reference Network, SRX200 Series
capacities, SRX200 Series
SRX3000, Data Center Edge, Interface card
SRX Clustering Module, Configuring the Control Ports
SRX5000 Series, Preface, Interface card
control ports, Configuring the Control Ports
switch control board (SCB), Switch control board
SRX550, Medium Branch, Large Branch
SRX5800, Data Center Services Tier, The Junos Enterprise Services Reference Network
for mobile carrier networks, Mobile Carriers
PIC status, Verifying the Data Plane
SRX5800 Services Gateway
in cloud network, Cloud Networks
SRX650, Large Branch, The Junos Enterprise Services Reference Network
upgrade process, Software management
VPN components, Other SRX VPN ComponentsDynamic VPN
VPN types, SRX VPN TypesWhich should you use: Policy- or route-based VPN?
policy-based, Policy-Based VPNs
route-based, Route-Based VPNs
Juniper Services Redundancy protocol, activating, Activating Juniper Services Redundancy Protocol
Juniper Support
Knowledge Base, Application contexts
Technical Bulletins, Attack database
juniper-nsp mailing list, When All Else Fails
Junos Enterprise Services Reference Network, The Junos Enterprise Services Reference NetworkThe Junos Enterprise Services Reference Network
Junos OS, Preface, Preface, ScreenOS to Junos
common shared codebase, Built for Services
control plane, System Services and the Control Plane
device management, Device managementDevice management
downgrade process for, Software management
modular architecture, ScreenOS to Junos
SNMP MIB, Junos SNMP MIB
Junos Script, Device management
Junos Space, Device management, Centralized Management, Space: The Final Frontier of ManagementFirewall policy management
application dashboard, The Junos Space ecosphere
firewall policy management, Firewall policy management
and IPS signature downloads, Configuring automatic updates
Security Director, Security Director
viewing IPS attack objects in, Viewing IPS attack objects and group membership
junos-host zone type, Host security policies
Junos-Local Feature profile, Juniper Local feature profile options
junos:web, vs. junos:HTTP, Configuring a whitelist application ruleset
JunosV Firefly (virtual Junos), JunosV Firefly (Virtual Junos)

K

Kaspersky Express AV engine, Express AV
default profile for configuring, Default Express AV profile
pros and cons, Which AV to Choose?
Kaspersky Full AV, Kaspersky Full AV
configuring scanning and fallback options, Configuring Kaspersky AV scanning and fallback options
pros and cons, Which AV to Choose?
Kerberos ticket, UserFW functionality overview, Miscellaneous Active Directory tasks, Operating UserFW
key lifetimes, IKEv1 Key Lifetimes, Configuring Phase 1 proposals, Configuring IKEv1 Phase 2 proposals
troubleshooting, VPN troubleshooting process
ksyncd kernel, The Control Plane
KTpass command, Miscellaneous Active Directory tasks

L

LACP (Link Aggregate Control Protocol), LACP protocol
LAND Attack Screen, LAND Attack Screen
large branch deployment, Large Branch
reference network, The Junos Enterprise Services Reference Network
latency issues, VPN design and, Full Mesh VPNs
Layer 2 active/active mode, High Availability with Transparent Mode
Layer 2 domain, transparent mode for segmenting, Segmenting a Layer 2 domain
Layer 2 loop, Spanning Tree
Layer 2 security zone, Transparent Mode Zones
Layer 2 switch, destination MAC addresses and, MAC Address Learning
Layer 2, switching from Layer 3, Configuring Transparent Mode Basics
Layer 3 mode, Transparent Interfaces
Layer 3/Layer 4 applications, creating, Creating Layer 3/Layer 4 applications
layered security, IPS and UTM
least privilege concept
for Screens, Best Practices
for security policy, Best Practices
licensing
AppSecure, AppSecure Licensing
for branch SRX series, Licensing
intrusion prevention systems (IPS), Licensing, Getting Started with IPS on the SRX
key, and SRX100 memory, SRX100 Series
Unified Threat Management (UTM), UTM Licensing
configuring, Configuring Licensing
User Role Firewall, UserFW packaging and licensing
UTM features, UTM Engine
line rate switching, Branch-Specific Features
Link Aggregate Control Protocol (LACP), LACP protocol
load sharing, active/active deployment for, Active/active
local interfaces, Interfaces, Mixed mode, Configuring Interfaces, Configuring Interfaces
six pack deployment, Six pack
Local URL filtering, URL filtering flavors, URL Filtering
default profile, Default local URL filtering profile
profile options, Juniper Local feature profile options
local users, configuration, Configuring local users
Log/Log-Create action, IP actions
logging, SRX Logging and Flow RecordsJFlow on the SRX
AppQoS, Logging
by AppTrack, Configuring and Deploying AppTrack
best practices, Best Practices
to control plane, configuring Event mode, Configuring Event mode logging to the control plane
data plane vs. control plane, Control Plane Versus Data Plane Logs
on firewall policies, Best Practices
formats, Configuring Stream mode logging on the data planeSyslog format types
for IPS monitoring, Day-to-Day IPS Management
packets in IPS, Packet logging
sample firewall, Sample firewall logs
sampling rates for, JFlow on the SRX
in security policy, Action Criteria
in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
STRM for managing, Log Management with STRM
UTM messages, Logging UTM Messages
viewing with NAT, View Firewall Logs with NAT
logical interfaces, Physical Interfaces, Logical InterfacesLogical Interfaces, One interface per zone versus multiple interfaces per zone
login
to J-Web tool, J-Web: Your On-Box Assistant
for local users, Configuring local users
login class, creating, Creating a login class
Login Sessions panel, Informational panels
loop, in routed network, Spanning Tree
Loose Source Route Option, Route Option Screens
loss priority, Loss priority

M

MAC (see media access control (MAC) addresses)
MAG Pulse appliance, The Junos Enterprise Services Reference Network
Main mode for IKE negotiation, Main mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
vs. Aggressive mode, Selecting the Appropriate VPN Configuration
Major severity level of attacks, Severities
malware, IPS and UTM, Shifting Threats
managed service provider (MSP) environment, Service Provider
Management Daemon (MGD), System services that operate on the control plane
management interface, Management InterfacesManagement Interfaces
management paradigm, for Juniper Networks, Cloud Networks
management services, Management ServicesJunos SNMP MIB
best practices, Best Practices
command-line interface (CLI), Command-Line InterfacesConfiguring SSH access
management zone, Functional Zones
manual failover, Manual FailoverManual Failover
manual key exchange, IKE Version 1 Overview
many-to-many mapping, static NAT, Static NAT many-to-many mappingOption 3: NAT 64 automatic translation
Mark-Diffserv IPS action, IPS actions
master-only IP, Node-Specific Information
match criteria, in security policy, Match CriteriaConfiguring schedulers
match policy, Security policy tools
matched sessions, Operating SSL Forward Proxy
maximum connectivity, example SRX5800 configuration for, SRX5000 Series
maximum segment size (MSS), Fragmentation
maximum transmission unit (MTU), Fragmentation
MD5 (Message-Digest algorithm 5), IPsec Authentication Algorithms
media access control (MAC) addresses, How to Use This Book
learning, MAC Address Learning
for reth, Interfaces
troubleshooting, Transparent Mode Troubleshooting Steps
unknown destination, Transparent Mode Specific Options
medium branch location, deployment to, Medium Branch
memory
on SRX100, SRX100 Series
Resource Utilization panel to display, Informational panels
Message-Digest algorithm 5 (MD5), IPsec Authentication Algorithms
metric options, for static routing, Static Routing
MGD (Management Daemon), System services that operate on the control plane
MIB (Management Information Base), monitoring, Junos SNMP MIB
mini-PIMs, Interface modules for the SRX200 line
Minor severity level of attacks, Severities
mixed mode, for high availability clusters, Mixed mode
mobile carriers
data center SRX Series for, SRX5000 Series
deployment of, Mobile CarriersMobile Carriers
mobility, of computing devices, User Role Firewalling
monitor flow, Performing a Flow Trace
MPLS, Branch-Specific Features, Branch Summary
MSP (managed service provider) environment, Service Provider
MSS (maximum segment size), Fragmentation
MTU (maximum transmission unit), Fragmentation
Multiple Spanning Tree Protocol (MSTP), Spanning Tree, Spanning Tree Protocol in transparent mode Layer 2 deployments
interfaces to enable, Spanning Tree
Muus, Mike, Network connectivity

N

names
for rib, Static Routing
for routing instances, Configuring Routing Instances
for zones, Sample Deployment
NAT (see Network Address Translation (NAT))
NAT scenarios, in session table, Viewing the Firewall Session Table
National Institute of Standards and Technology (NIST), IPsec Encryption Algorithms
negated objects, source and destination, for security zones, Negated source and destination objects
nested application signatures, Nested application signatures
NETCONF protocol, Device management
NetConf protocol, Space: The Final Frontier of Management
enabling over SSH, Enabling NetConf over SSH
NetScreen Screen OS platforms, Preface
NetScreen Security Manager (NSM), Legacy Security ManagementUsing NSM
NetScreen Technologies, Evolving into the SRX
Network Address Translation (NAT), Acknowledgments, Acknowledgments, Network Address Translation
(see also source NAT)
(see also static NAT)
best practices, Best Practices
Junos components, Junos NAT ComponentsWhen you don’t need Proxy-ARP/NDP
Junos fundamentals, Junos NAT FundamentalsNAT type precedence
types, Junos NAT Types
keepalives configuration, Configuring IKEv1 Phase 1 gateways
need for, The Need for NAT
in practice, Junos NAT in Practice
precedence in Junos event chain, NAT Precedence in the Junos Event ChainNAT type precedence
rules, NAT Rules
ScreenOS for, The SRX Series Platform
security policies and, NAT and Security Policies
troubleshooting, NAT Rule and Usage Counters
flow debugging, Flow Debugging with NATStatic NAT
rule and usage counters, NAT Rule and Usage CountersViewing the Session Table
session table, Viewing the Session TableView NAT Errors
viewing firewall logs, View Firewall Logs with NAT
viewing errors, View NAT ErrorsView Firewall Logs with NAT
Network Address Translation Traversal (NAT-T)
configuring, Configuring IKEv1 Phase 1 gateways
VPN and, NAT Traversal
Network and Security Manager (NSM), Device management, Centralized Management, Management IPS Functionality on the SRX
Network Control forwarding class, Forwarding class
network design, security policy enforcement and, Best Practices
network processing card (NPC), monitoring, Network Processing Card
Network Processing Units (NPUs), NPUNPU
for scaling, Data Center SRX Series Hardware Overview
network protocols, Preface, SRX Networking Basics, Functional Zones, Basic ProtocolsSpanning Tree
decoding in IPS processing, Packet processing path
dynamic routing, Dynamic Routing Protocols
Network Time Protocol (NTP), Network Time ProtocolConfiguring the SRX as an NTP server, Best Practices
best practices, Best Practices
for IPsec VPN, Network Time Protocol
configuring, Configuring NTP
SRX configuration as server, Configuring the SRX as an NTP server
network-based threats, IPS and UTM
networking
attacker use of ICMP to map, ICMP IP Sweep Screen
sample deployment, Sample DeploymentSample Deployment
troubleshooting
connectivity, Network connectivity
equipment, Transparent Mode Troubleshooting Steps
networking services, Networking ServicesConfiguring the SRX as a DHCP relay server
on control plane, System services that operate on the control plane
DHCP (Dynamic Host Configuration Protocol), Dynamic Host Configuration Protocol
DNS (Domain Name System), Domain Name System
Next Generation Services Processing card, monitoring, Services Processing Card/Next Generation Services Processing Card
next-hop keyword, Static Routing
Next-Hop Tunnel Binding (NHTB), Special point-to-multipoint attributes
NG-PSU (next-generation power supply units), SRX5000 Series
NG-SPC (Next Generation SPC), NG-SPC
NHTB (Next-Hop Tunnel Binding), Special point-to-multipoint attributes
nine-tuple, Packet Flow
NIST (National Institute of Standards and Technology), IPsec Encryption Algorithms
No-Action IPS action, IPS actions
best practices, Best Practices
no-NAT rules, with source or destination NAT, No-NAT with Source or Destination NATNo-NAT with Source or Destination NAT
no-old-master-upgrade command, Configuring the Control Ports
node ID, Node ID
nonalphameric characters, in preshared keys, Preshared key authentication
notification actions in IPS, Notification actions
Notification options, in Sophos feature profile, Sophos AV feature profiles
NPU (network processor), IOC modules
bundling, NPU
NSM (see Network and Security Manager (NSM))
NSPC card, for SRX1400, SRX1000 Series
NTP (see Network Time Protocol (NTP))

O

objects, defining in global zone, Address books
OCSP (Online Certificate Status Protocol), Certificate Validation, Certificate Validation
Office documents, attacks using, Shifting Threats
office environment, reference network, The Junos Enterprise Services Reference Network
one-to-one mapping, static NAT, Static NAT one-to-one mappingStatic NAT one-to-one mapping
OneSecure, Is It IDP or IPS?
Online Certificate Status Protocol (OCSP), Certificate Validation, Certificate Validation
OpenSSH, Configuring SSH access
Optimized option, for SRX VPN monitoring, VPN Monitoring
OSI (Open Systems Interconnection) model, How to Use This Book
Out of resources option, for Sophos engine, Sophos AV feature profiles
out-of-band attacks, listening for, SRX deployment options
out-of-band network, for management, Management Interfaces
outbound management requests, policy to restrict, Configuring a policy to restrict inbound or outbound management requests
overflow pools in NAT, Pools
best practices, Best Practices

P

Packet Captures (PCAPs), Performing a Packet Capture on SRX BranchPerforming a Packet Capture on SRX Branch
best practices, Best Practices
on high-end SRX, Performing a Packet Capture on the High-End SRXPerforming a Packet Capture on the High-End SRX
for troubleshooting, Packet capture
packet filters, Preface
packet flooding, Transparent Mode Specific Options
packet flow, Packet FlowPacket Flow
NAT and, NAT Precedence in the Junos Event Chain
Screens and, How Screens Fit into the Packet Flow
Packet Forwarding Engine (PFE), Built for Services
packet mode, Branch-Specific Features, Flow Mode and Packet Mode
in branch SRX Series, Branch Summary
packet rate, Data Center SRX Series Hardware Overview
packet size, Data Center SRX Series Hardware Overview
packet-based Screens, Packet versus threshold Screens
packets
fragmentation, Block Frag Screen
in ICMP, ICMP Large Packet Screen
processing for IPS, IPS Packet Processing on the SRXSRX deployment options
processing in IPS
logging, Packet logging
TCP fragmentation of, SYN-Frag Screen
parallel processing, Branch SRX Series Hardware OverviewBranch SRX Series Hardware Overview
partial mesh VPNs, Partial Mesh VPNs
pathfinder tool, How to Use This Book
PCAPs (see Packet Captures (PCAPs))
PDF documents, attacks using, Shifting Threats
Perfect Forward Secrecy (PFS), Perfect Forward Secrecy, Selecting the Appropriate VPN Configuration
performance, Data Center SRX Series Hardware OverviewData Center SRX Series Hardware Overview
permissions, login classes to control, Creating a login class
Permit action, in security policy, Action Criteria
persistent NAT, Other SRX source NAT configuration options
PFS (Perfect Forward Secrecy), Perfect Forward Secrecy, Selecting the Appropriate VPN Configuration
phone-home traffic, Stages of a System Compromise
PHY (physical chip), in SRX5000, IOC modules
physical interface card (PIC), SRX3000 Series
physical interfaces, Physical InterfacesPhysical Interfaces
disabling, Physical Interfaces
physical locations, multiple, for data center, Data Center
PIM card, diagram for SRX650, Interface modules for the SRX600 line
ping, Network connectivity, VPN troubleshooting process
enabling, Sample Deployment
for IP monitoring, IP Monitoring
ping of death screen, ICMP Ping of Death Screen
ping probe, IP Monitoring
point-to-multipoint NHTB, Point-to-multipoint NHTB
policy-based VPNs, Policy-Based VPNs
configuring, Configuring policy-based VPNs
troubleshooting, VPN troubleshooting process
vs. route-based, Selecting the Appropriate VPN Configuration
policy-driven management system, for large networks, Device management
pools for source NAT, Pools
examples with, Source NAT with pools and interfacesSource NAT with pools and interfaces
port scans, detection, TCP Port Scan Screen
ports, AppSecure Basics
randomization in source NAT, Other SRX source NAT configuration options
spanning-tree operational commands to identify status, Spanning Tree
for Telnet/SSH, Configuring SSH access
Post Office Protocol 3 (POP3), antivirus feature for, Branch-Specific Features
Power over Ethernet (PoE)
ports, SRX200 Series
SRX550 support for, SRX500 Series
power supplies, monitoring, Power supplies
precedence
NAT in Junos event chain, NAT Precedence in the Junos Event Chain
NAT rulesets, NAT ruleset precedence
predefined proposal set, vs. custom proposal sets, Selecting the Appropriate VPN Configuration
predictive session identification, Predictive session identification
preference options, for static routing, Static Routing
Preferred Ciphers, for SRX/Servers, Configuring SSL Forward Proxy on the SRX
prefix name, for transform definition, Static NAT transforms
preshared key authentication
configuring, Configuration for Remote-Office1 proposal with preshared keys, Configuring IKEv1 Phase 1 policies
configuring IKEv1 Phase 1 IKE policy, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
for VPN, Preshared key authentication
vs. certificate, Selecting the Appropriate VPN Configuration
primary actions, in security policy, Action Criteria
priority zero, troubleshooting, The Dreaded Priority Zero
private IP addresses, from NAT, The Need for NAT
private mode, for chassis cluster, Differences from Standalone
privilege escalation phase of attack, Stages of a System Compromise
protocol anomaly attack objects, Attack Object Types
protocols (see network protocols)
proxy IDs
configuring, Configuring route-based VPNs
negotiation for VPN, Proxy ID negotiation
for policy-based VPNs, Policy-Based VPNs
for route-based VPNs, Route-Based VPNs
troubleshooting, VPN troubleshooting process
proxy server, SRX configuration as, Configuring the SRX as a proxy server
proxy-ARP, Proxy-ARP and Proxy-NDPWhen you don’t need Proxy-ARP/NDP
configuring, Configuring Proxy-ARP/NDP
proxy-based firewall, Preface
proxy-NDP (Neighbor Discovery Protocol), Proxy-ARP and Proxy-NDPWhen you don’t need Proxy-ARP/NDP
configuring, Configuring Proxy-ARP/NDP
when no need of, When you don’t need Proxy-ARP/NDP
public IP addresses, The Need for NAT
public network, access to, Mobile Carriers
Putty, Configuring SSH access

Q

quad-slot X-PIM card, Interface modules for the SRX600 line
Quality of Service (QoS) in transparent mode, QoS in Transparent Mode
configuring, Configuring Transparent Mode QoSConfiguring VLAN Rewriting
Quick mode in phase 2 IKE, Phase 2 IKE negotiation modes, Quick mode

R

radio frequency (RF) interference, Branch-Specific Features
RADIUS, Remote authentication
Rapid Spanning Tree Protocol (RSTP), Spanning Tree
rate limiter, in AppQoS, Rate limiter, Configuring an AppQoS example
real-time object (RTO), The Data Plane
realms, configuring on IC, Configuring realms, roles, and sign-in policies
reboot
after software upgrade, Software management
with J-Web tool, Rebooting
Recommended IPS action, IPS actions
Reconnaissance phase of attack, Stages of a System Compromise
Record Route Option, Route Option Screens
redirect rules, for unauthenticated users, Operating UserFW
redundancy groups, Redundancy Groups, Redundancy GroupsRedundancy Groups
global options for monitoring, IP Monitoring
redundant fabric link, Configuring the Fabric Links
redundant power supplies, Power supplies
reference network, The Junos Enterprise Services Reference Network
reject action
for all traffic, rule for, Configuring a hybrid application ruleset
in security policy, Action Criteria
reject option, for static routing, Static Routing
remote access clients
configuring, Configuring dynamic gateways and remote access clients
configuring IKEv1, Configuring an IKEv1 remote access client
remote access VPN, Remote Access VPNs
sample deployment, Remote Access VPN
remote authentication, Remote authentication
remote offices, IKEv1 Phase 2 proposal for, Configuring an IKEv1 Phase 2 proposal for remote offices and client connections
Remote-Office-Cert proposal, configuring with certificates, Configuration for Remote-Office1 proposal with certificates
Remote-Office-PSK proposal, configuring, Configuration for Remote-Office1 proposal with preshared keys
Renegotiation option, SSL support for, Configuring SSL Forward Proxy on the SRX
Request for Comments (RFC), 4741, on NetConf protocol, Space: The Final Frontier of Management
request security idp security-package download status command, Troubleshooting and Monitoring Security Package Installation
request security idp security-package install status command, Troubleshooting and Monitoring Security Package Installation
request services application-identification command, Checking the AppID package
request services application-identification install command, Checking the AppID package
request services application-identification uninstall command, Checking the AppID package
request support information command, When All Else Fails
request system license add command, AppSecure Licensing, Getting Started with IPS on the SRX, Configuring Licensing
Resource Utilization panel, Informational panels
resource-manager qualifier, for sessions using ALGs, Application Layer Gateways
REST (Representational State Transfer) protocol, Space: The Final Frontier of Management
restart <service> command, Restarting Platform Daemons
reth (redundant Ethernet interface), Aggregate Interfaces, Interfaces, Integrating the Cluster into Your Network
checking status of, Checking Interfaces
Reverse Proxy (SSL Inspection), SSL Inspection (Reverse Proxy)
revoked certificates, list of, Certificate Validation
rib (routing information base), Static Routing
roles, configuring on IC, Configuring realms, roles, and sign-in policies
root password on authentication, Task wizards
route engine (RE)
flowd daemon for monitoring, Software Monitoring
monitoring, Route engine
in SRX cluster, Chassis Cluster
in SRX1000, SRX1000 Series
in SRX3000, SRX3000 Series
in SRX5000, SRX5000 Series
route keyword, Static Routing
route lookup, Static Routing
Route Option Screens, Route Option Screens
route-based VPNs, Route-Based VPNs
best practices, Best Practices
configuring, Configuring route-based VPNs
troubleshooting, VPN troubleshooting process
vs. policy-based, Selecting the Appropriate VPN Configuration
routers, How to Use This Book
virtual, Inherited ScreenOS features
routing
configuring, Configuring route-based VPNs
protocol preferences, Static Routing
static, Static RoutingStatic Routing
transparent mode for complex environments, Complex routing environments
troubleshooting, Static Routing
routing information base (rib), Static Routing
routing instances, Routing Instances
configuring, Configuring Routing InstancesConfiguring Routing Instances
types, Routing Instance Types
routing mode, Transparent Interfaces
Routing Protocol Daemon (RPD), System services that operate on the control plane
routing table, statistics on, Static Routing
routing-options hierarchy, static routes added to, Static Routing
RST packets, TCP sequence check configuration for, Configuring TCP sequence checks for RST packets
RSTP (Rapid Spanning Tree Protocol), Spanning Tree
RT (real time), Sample firewall logs
RTO (real-time object), The Data Plane
rulebases, in IPS policy, Rulebases
rulesets, in NAT, RulesetsWhen you don’t need Proxy-ARP/NDP
run command, Aggregate Interfaces

S

sampling rates, for logs, JFlow on the SRX
scalable services, Built for Services
scaling
by cloud network, Cloud Networks
under load, Built for Services
scan options
for Kaspersky Full AV, Kaspersky Full AV
in Sophos feature profile, Sophos AV feature profiles
SCEP (Simple Certificate Enrollment Protocol), Simple Certificate Enrollment Protocol, Best Practices
scheduler objects, in security policy, Security Policy Criteria and Precedence, SchedulersConfiguring schedulers
screen feature, for DoS attack, Service Provider
Screen profiles
applying to zones, Applying Screen profiles to single and multiple zones
configuring, Configuring a Screen profile
ScreenOS operating system
limitations, ScreenOS to Junos
services provided, The SRX Series Platform
ScreenOS platform, Evolving into the SRX
inherited features from, Inherited ScreenOS features
IP/MAC mapping in, Configuring Proxy-ARP/NDP
NAT and, Junos NAT Fundamentals
service objects in, Application objects
Screens
best practices, Best Practices
defined, Screens and Flow Options
in hardware and software, Screens in Hardware and Software
packet flow and, How Screens Fit into the Packet Flow
profiles, Screen Profiles
deployment, Sample DeploymentSummary
session limit, Session Limit ScreensConfiguring the Destination IP Session Limit Screen
theory and examples, Screen Theory and ExamplesConfiguring the TCP initial session timeout and TCP time wait timeout
troubleshooting, Troubleshooting and OperationSample Deployment
viewing attack statistics, Viewing the Screen Attack Statistics
viewing profile settings, Viewing Screen Profile Settings
secondary actions, in security policy, Action Criteria
Secure Hash Algorithm 1 (SHA-1), IPsec Authentication Algorithms
Secure Hash Algorithm 2 (SHA-2), IPsec Authentication Algorithms
Secure Sockets Layer (SSL), SSL Forward Proxy
SSL Forward Proxy, SSL Forward Proxy
secure tunnel interface (st0 interface) (see st0 interfaces)
SecureCRT, Configuring SSH access
security, Preface
legacy management, Legacy Security ManagementUsing NSM
NAT and, NAT as a Security Component?
zones for, Security Zones
Security Design (SD) application, Device management, Viewing IPS attack objects and group membership
security packages, Security Packages
installation troubleshooting, Troubleshooting and Monitoring Security Package InstallationChecking Policy Compilation Status
security policies, Security Policies
best practices, Best PracticesBest Practices
components, Security Policy Components in DepthEnabling an ALG example
action criteria, Action CriteriaConfiguring a policy to restrict inbound or outbound management requests
match criteria, Match CriteriaConfiguring schedulers
configuring, Configuring security policiesHost security policies
configuring to control data plane management traffic, Configuring a security policy to control data plane management traffic
criteria, Security Policy Criteria and Precedence
deployment, Sample DeploymentSummary
host, Host security policies
NAT and, NAT and Security Policies
permit options, Permit options
precedence, Security Policy PrecedenceTop to Bottom Policy Evaluation
rule placement, Configuring security policies
tools, Security policy tools
in transparent mode, Transparent Mode Security Policy
configuring, Configuring Transparent Mode Security PoliciesConfiguring Bridging Options, Sample Deployments
troubleshooting, Troubleshooting and OperationPerforming a Packet Capture on the High-End SRX
viewing, Viewing Security PoliciesSecurity policy tools
security policy context, Security Policy Precedence
Security Resources panel, Informational panels
security services, Foreword
security zones, Security Zones, Security Policy Criteria and Precedence, Security zones
configuring, Sample Deployment, Configuring security zones
in transparent mode, configuring, Configuring Transparent Mode Security ZonesConfiguring Transparent Mode Security Policies, Sample Deployments
security-related events, logs, Configuring control plane logging on the SRX
self-signed CA certificate, creating, Configuring SSL Forward Proxy on the SRX
separation of duties, transparent mode for, Separation of duties
serial port connection, SRX200 line support, Interface modules for the SRX200 line
serialization processing, in IPS processing, Packet processing path
server load balancing, Data Center Services Tier
server-to-client attacks, Direction-specific detection
service objects, in ScreenOS, Application objects
Service Processing Card (SPC), SPC
service provider, deployment to, Service ProviderService Provider
services
defined, The SRX Series Platform
restarting, Restarting Platform Daemons
viewing on interface, Viewing the Services/Counters on the InterfaceViewing the Services/Counters on the Interface
Services and Routing Engine (SRE), SRX600 Series
services gateway, Welcome to the SRX
Services Processing card (SPC), monitoring, Services Processing Card/Next Generation Services Processing Card
Services Processing Units (SPUs), SPC
capacities, SPC
for scaling, Data Center SRX Series Hardware Overview
session ageout, Session teardown
Session Close logs, Action Criteria
session init logs, Action Criteria
session keepalives, Configuring IKEv1 Phase 1 gateways
session limit screens, Session Limit ScreensConfiguring the Destination IP Session Limit Screen, Best Practices
session resumption, Configuring SSL Forward Proxy on the SRX
session table, SPC
NAT scenarios in, Viewing the Firewall Session Table
output of, Packet Flow
troubleshooting, Viewing the Session TableView NAT Errors
viewing, Viewing the Firewall Session TableSample firewall logs
session timeout, Session teardown
sessions, SRX100 Series
closing, Application objects
defining number from individual source, Source IP Session Limit Screen
synchronization, Configuring the Fabric Links
terminating, Session teardown
troubleshooting, Transparent Mode Troubleshooting Steps
set apply-groups “${node}” command, Node-Specific Information
set chassis cluster command, Activating Juniper Services Redundancy Protocol
set commands
for physical interfaces, Physical Interfaces
set gratuitous-arp-count command, Configuring Interfaces
set interfaces command, Configuring VLAN Rewriting
set redundancy-group command, configuration options, IP Monitoring
set security forwarding-options inet6 command, Static NAT one-to-one mapping
set system name-server command, Antispam
Setup wizard, in J-Web, Task wizardsTask wizards
seven-tuple, Packet Flow
severity levels, of attacks, Severities
SHA-1 (Secure Hash Algorithm 1), IPsec Authentication Algorithms
SHA-2 (Secure Hash Algorithm 2), IPsec Authentication Algorithms
shared configuration, vs. standalone, Differences from Standalone
shellcode, Stages of a System Compromise
show bridge domain command, The show bridge domain Command, Transparent Mode Troubleshooting Steps
show bridge mac-table command, The show bridge mac-table Command, Transparent Mode Troubleshooting Steps
show chassis cluster control-plane statistics command, Configuring the Control Ports, First Steps, First Steps
show chassis cluster interfaces command, Checking Interfaces
show chassis cluster statistics command, Configuring the Control Ports
show chassis cluster status command, Activating Juniper Services Redundancy Protocol, Configuring the Control Ports, First Steps, The Dreaded Priority Zero
show chassis fpc pic-status command, Control link and data link failure, Verifying the Data Plane, Verifying the Data Plane
show chassis hardware command, Physical Interfaces, Verifying the Data Plane
show chassis routing-engine command, Best Practices
show class-of-service application-traffic-control command, Operating Application QoS
show class-of-service command, Operating Application QoS
show groups junos-defaults command, Default profile configuration
show interfaces extensive command, Monitoring Interface Counters
show interfaces terse command, Physical Interfaces, Sample Deployment, Checking Interfaces
show interfaces | display inheritance command, Sample Deployments
show l2-learning global-information command, The show l2-learning global-information Command
show l2-learning global-mac-count command, The show l2-learning global-mac-count Command
show l2-learning interface command, The show l2-learning interface Command
show log command, Configuring control plane logging on the SRX
show log jsrpd command, The Dreaded Priority Zero
show ntp associations command, Checking NTP Status
show ntp status command, Checking NTP Status
show route command, Static Routing
show security anti-virus statistics command, Antivirus
show security flow ip-action command, IP Action Table
show security flow session <modifiers> command, Transparent Mode Troubleshooting Steps
show security flow session ? command, Viewing the Firewall Session TableSample firewall logs
show security idp attack detail command, Viewing IPS attack objects and group membership
show security idp attack table command, IPS Attack Table
show security idp policy-commit-status command, Checking Policy Compilation Status
show security idp security-package-version command, Checking the AppID package, Checking Security Package Version
show security idp status command, Creating, activating, and referencing IPS, Checking IPS Status
show security ike security-associations command, show security ike security-associations
show security ipsec inactive-tunnels command, show security ipsec inactive-tunnels
show security ipsec security-associations command, show security ipsec security-associations
show security ipsec statistics command, show security ipsec statistics
show security match-policies command, Operating UserFW
show security monitoring fpc <x> command, Best Practices
show security nat destination pool command, NAT Rule and Usage Counters
show security nat destination rule command, NAT Rule and Usage Counters
show security nat destination summary command, NAT Rule and Usage Counters
show security nat interface-nat-ports command, NAT Rule and Usage Counters
show security nat source pool command, NAT Rule and Usage Counters
show security nat source rule command, NAT Rule and Usage Counters
show security nat source summary command, NAT Rule and Usage Counters
show security nat static rule command, NAT Rule and Usage Counters
show security policies command, Viewing Security Policies
show security screen ids-option <Screen> command, Viewing Screen Profile Settings
show security screen statistics interface|zone command, Viewing the Screen Attack Statistics
show security utm <feature> statistics | status, Best Practices
show security utm anti-spam statistics command, Antispam
show security utm anti-spam status command, Antispam
show security utm anti-virus command, Antivirus
show security utm web-filtering statistics command, URL Filtering
show security utm web-filtering status command, URL Filtering
show security zones command, Sample Deployment
show services application-identification application-system-cache command, Checking the AppID engine settings and cache
show services application-identification version command, Checking the AppID package
show services ssl proxy statistics command, Operating SSL Forward Proxy
show snmp mib walk command, Junos SNMP MIB, Checking SNMP Status
show spanning-tree interface command, Transparent Mode Troubleshooting Steps
show system connections command, Viewing the System Connection Table
show system core-dumps command, Core Dumps
show system license command, UTM Engine
show system processes extensive | match IDPD command, Restarting Platform Daemons
show system services dhcp command, DHCP Operational Mode Commands
show | compare command, Aggregate Interfaces
show | display inheritance command, Node-Specific Information
sign-in policies, configuring on IC, Configuring realms, roles, and sign-in policies
signature-based attack objects, Attack Object Types
signature-based pattern matching, Signature-based pattern matchingKeeping honest applications honest, Enabling application identification heuristics
signatures
nested application, Nested application signatures
performance impact in IPS, Signature performance impacts
SignatureUpdate.xml file, Useful IPS files
Simple Certificate Enrollment Protocol (SCEP), Simple Certificate Enrollment Protocol
Simple Mail Transfer Protocol (SMTP), antivirus feature for, Branch-Specific Features
Simple Network Management Protocol (SNMP)
best practices, Best Practices
configuring traps, Configuring SNMP Traps
in high availability clusters, SNMP in High Availability Chassis Clusters
management, SNMP ManagementJunos SNMP MIB
site-to-site IPsec VPN, Site-to-Site IPsec VPNs
configuring component, Configuring a common site-to-site VPN component
sample deployment, Site-to-Site VPNRemote Access VPN
six pack deployment, for high availability, Six pack
Skype, SSL and, AppFW with encrypted applications
slow-path packet processing, Slow-path SPU packet processing
Slowloris attack, Session Limit Screens
small branch location
deployment to, Small Branch
reference network with SRX100 device, The Junos Enterprise Services Reference Network
Small Form-Factor Pluggable Interface Modules (SFP) mini-PIM ports, on SRX200, Interface modules for the SRX200 line
smart phones, Preface
sniffer mode, for IPS, SRX deployment options, Leveraging sniffer mode for the deployment
SNMP (see Simple Network Management Protocol (SNMP))
software
J-Web for managing, Software management
monitoring, Software Monitoring
Screens in, Screens in Hardware and Software
Sophos engine, Antivirus, Sophos AV
default profile for configuring, Configuring Sophos with a default profile
feature profile example, Configuring Sophos feature profile example
feature profiles, Sophos AV feature profiles
inspection diagram, Sophos AV
pros and cons, Which AV to Choose?
source address, in IPS policy, Match criteria
source identity, Source-Identity
source NAT, Junos NAT Types
best practices, Best Practices
combining with destination NAT, Combination Source and Destination NATCombination Source and Destination NAT
examples, Source NATDestination NAT
with interfaces, Source NAT with interfacesSource NAT with interfaces
with pools and interfaces, Source NAT with pools and interfacesSource NAT with pools and interfaces
flow debugging, Flow Debugging with NAT
High Availability and, Other SRX source NAT configuration options
no-NAT rules with, No-NAT with Source or Destination NATNo-NAT with Source or Destination NAT
precedence for, NAT type precedence
rulesets, Source NAT rulesets
transforms, Interfaces
source objects, negated, for security zones, Negated source and destination objects
Source Route Option, Route Option Screens
source zone, Security zones
Source-IP Session Limit screens, Session Limit Screens
Space platform, for firewall policies management, Firewall policies
spam, Branch-Specific Features
filtering, Antispam
Spanning Tree Protocol (STP), SRX100 Series, Spanning TreeSpanning Tree, Transparent Mode and Bridge Loops, Spanning Tree Protocol
in transparent mode Layer 2 deployments, Spanning Tree Protocol in transparent mode Layer 2 deployments
troubleshooting, Transparent Mode Troubleshooting Steps
split brain, Configuring the Control Ports, Control link, Control link and data link failure, First Steps
SPNEGO, Operating UserFW
Active Directory and, UserFW
authentication session, UserFW functionality overview
SRX Series products (see Juniper Networks SRX Series products)
SSH, Command-Line Interfaces
configuring options, Configuring SSH access
enabling NetConf protocol over, Enabling NetConf over SSH
SSL decryption, in IPS processing, Packet processing path
SSL Forward Proxy
best practices, SSL FP
configuring, Configuring and Deploying SSL Forward ProxyAppFW with encrypted applications
troubleshooting, Operating SSL Forward Proxy
SSL Inspection (Reverse Proxy), SSL Inspection (Reverse Proxy)
SSL Reverse Proxy, SSL Forward Proxy, Configuring and Deploying SSL Forward Proxy
SSL session, restarting, Configuring SSL Forward Proxy on the SRX
SSL VPNs, vs. IPsec VPN, Remote Access VPNs
st0 interfaces
multipoint interface specified, Point-to-point versus point-to-multipoint VPNs
numbered vs. unnumbered, Numbered versus unnumbered st0 interfaces
state synchronization, data plane and, The Data Plane
stateful firewall, Preface, Welcome to the SRX, Data Center Services Tier, Flow Mode and Packet Mode, The Need for IPS
failover by, Preserving the Control Plane
high availability and, High Availability
IP spoofing and, IP Spoofing Screen
policies, Firewall policies
ScreenOS for, The SRX Series Platform
stateful processing, Service Provider
stateful signature detection, in IPS processing, Packet processing path
stateless filters
configuring for inbound management traffic, Configuring a stateless firewall filter to control all inbound management traffic
for connections to control plane, Accessing System Services: Control Plane Versus Data Plane
stateless inspection of traffic, Flow Mode and Packet Mode
stateless packet processing, Service Provider, Service Provider
static attack groups, Custom attack objects and groups, Static attack groups
best practices, Best Practices
configuring, Configuring static and dynamic attack groups
static IP address, configuring remote gateways with, Configuring IKEv1 Phase 1 gateways
static NAT, Junos NAT Types, NAT type precedence
best practices, Best Practices
flow debugging, Destination NATStatic NAT
many-to-many mapping, Static NAT many-to-many mappingOption 3: NAT 64 automatic translation
one-to-one mapping, Static NAT one-to-one mappingStatic NAT one-to-one mapping
rulesets, Static NAT rulesets
transforms, Static NAT transforms
static routing, Static RoutingStatic Routing
configuration options, Static Routing
Statistical Report Manager software (STRM), Centralized Management
packet logging in, Configuring packet logging in the STRM
statistics, on application usage, Application Tracking
Storage Usage panel, Informational panels
stream mode on data plane
configuring, Configuring Stream mode logging on the data plane
vs. event mode, Data plane logs: Event versus Stream mode
Strict Source Route Option, Route Option Screens
strict SYN checks, Strict SYN checks
STRM (Statistical Report Manager software), Centralized Management
for log management, Log Management with STRM
reporting infrastructure, Reporting with STRM
structured syslog, Sample firewall logs
format, Configuring Stream mode logging on the data plane
subnet mask, Wildcard address objects
subnetting, How to Use This Book
Surfcontrol URL filtering, URL filtering flavors
Surfcontrol/Websense Integrated URL filtering, Surfcontrol/Websense Integrated URL filtering
sustained CPS rate, Data Center SRX Series Hardware Overview
switch control board (SCB), monitoring, Switch control board
switch fabric board (SFB)
failure impact, Switch fabric board
in SRX3000, SRX3000 Series
switch-packet counters, Data Center SRX Series Hardware Overview
switches, How to Use This Book
configuration, Switching ConfigurationSwitching Configuration
switching fabric interface, configuring, Configuring the Switching Fabric Interface
SYN checks
strict, Strict SYN checks
TCP, TCP SYN checks
in tunnels, SYN checks in tunnels
SYN Cookies, SYN Spoofing Protection Modes
SYN flood/spoofing attacks, protection against, SYN flood/spoofing attacks
SYN-ACK-ACK proxy screen, SYN-ACK-ACK Proxy Screen
SYN-FIN screen, SYN-FIN Screen
SYN-Frag Screen, SYN-Frag Screen
syslog, Application Tracking, Logging UTM Messages
formats, SRX Logging and Flow Records, Configuring Stream mode logging on the data plane
tips for viewing messages, Tips for Viewing Syslog Messages
syslogD, System services that operate on the control plane
System Alarms panel, Informational panels
system connection table, viewing, Viewing the System Connection Table
system I/O (SYSIO), in SRX1000, SRX1000 Series
System Identification panel (J-Web), Informational panels
system services, System ServicesConfiguring system services and protocols per zone or interface
best practices for configuring, Best Practices
control plane access vs. data plane, Accessing System Services: Control Plane Versus Data PlaneConfiguring a security policy to control data plane management traffic
control plane and, System Services and the Control PlaneSystem services that operate on the control plane
data plane and, System Services and the Data Plane
traffic, Functional Zones
troubleshooting, Troubleshooting and OperationTroubleshooting Individual Daemons
checking SNMP stats, Checking SNMP Status
core dump, Checking for Core Dumps
DHCP operational mode commands, DHCP Operational Mode Commands
restarting platform daemons, Restarting Platform Daemons
viewing security logs locally, Viewing Security Logs Locally
viewing services/counters on interface, Viewing the Services/Counters on the InterfaceViewing the Services/Counters on the Interface
viewing system connection table, Viewing the System Connection Table
zone-based service control, Zone-Based Service ControlConfiguring system services and protocols per zone or interface

T

Tacacs+, Remote authentication
targets, of IP actions, Targets and timeouts
task wizards, in J-Web, Task wizardsTask wizards
TCP (Transmission Control Protocol), How to Use This Book, SRX100 Series
denial-of-service (DoS) attacks with, DoS Attacks with TCPConfiguring the WinNuke Screen
performance definitions, Data Center SRX Series Hardware Overview
TCP initial session timeout, Configuring the TCP initial session timeout and TCP time wait timeout
TCP No Flags Screen, TCP No Flags Screen
TCP Port Scan Screen, TCP Port Scan Screen
TCP reset, Action Criteria
TCP sequence checks, TCP sequence checks, Configuring TCP sequence checks
configuring for RST packets, Configuring TCP sequence checks for RST packets
TCP SockStress, Session Limit Screens
TCP state timeouts, TCP state timeouts
TCP Sweep Screen, TCP Sweep Screen
TCP SYN checks, TCP SYN checks
TCP wait state timeout, TCP state timeouts
Telnet, Command-Line Interfaces
configuring options, Configuring Telnet access
ports for, Configuring SSH access
templates
downloading policy, Getting Started with IPS on the SRX
for IPS process, Policy templates
terminal match, for IP action, Terminal Match
test security utm web-filtering profile <profile> test-string command, Websense site lookup tool
testing
antivirus software, Testing antivirus
IPS policy, Testing Your PolicyLeveraging sniffer mode for the deployment
threads of execution, Branch SRX Series Hardware Overview
Threats Activity panel, Informational panels
three-way handshake, Data Center SRX Series Session Setup, Strict SYN checks
threshold, Best Practices
for TCP Sweep Screen, Configuring the TCP Sweep Screen
threshold-based Screens, Packet versus threshold Screens
throughput of firewall, Data Center SRX Series Hardware Overview
testing, Data Center SRX Series Hardware Overview
timekeeping
best practices, Best Practices
importance, Network Time Protocol
synchronization, Best Practices
timeout
for IP action, Targets and timeouts
in Sophos feature profile, Sophos AV feature profiles
in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
to-zone, Security zones, Match criteria
top-to-bottom evaluation, of security policy, Top to Bottom Policy Evaluation
TOR, SSL and, AppFW with encrypted applications
traceoptions, The Dreaded Priority Zero
traceroute, VPN troubleshooting process
tracing, for VPN troubleshooting, VPN Tracing and DebuggingConfiguring and analyzing VPN tracing
traffic reports, Traffic reports
transparent interfaces, Transparent Interfaces
transparent mode, Troubleshooting Individual Daemons, Transparent Mode
components, Transparent Mode Components
configuration, Configuring Transparent Mode
deployment, The Junos Enterprise Services Reference Network, Sample DeploymentsSummary
flow process, Transparent Mode Flow ProcessSession teardown
high availability with, High Availability with Transparent Mode
limitations, Transparent Mode Limitations
Quality of Service (QoS), QoS in Transparent Mode
configuration, Configuring Transparent Mode QoSConfiguring VLAN Rewriting
security policies, Transparent Mode Security Policy
configuring, Configuring Transparent Mode Security PoliciesConfiguring Bridging Options
security zones, configuring, Configuring Transparent Mode Security ZonesConfiguring Transparent Mode Security Policies
specific options, Transparent Mode Specific Options
troubleshooting, Troubleshooting and OperationTransparent Mode Troubleshooting Steps
steps, Transparent Mode Troubleshooting StepsTransparent Mode Troubleshooting Steps
when to use, When to Use Transparent Mode
zones, Transparent Mode Zones
Transport mode for IPsec VPN, IPsec VPN Mode
best practices, Best Practices
Trapeze, Branch-Specific Features
Triple Data Encryption Standard (3DES), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
troubleshooting
Application Identification (AI), Operating Application Identification
AppSecure, Troubleshooting and OperationSample Deployments
AppTrack, AppTrack
core dump, Core Dumps
daemons, Troubleshooting Individual Daemons
data plane, Verifying the Data PlaneVerifying the Data Plane
flow trace, Performing a Flow TracePerforming a Flow Trace
high availability, Troubleshooting and OperationManual Failover
interfaces, Checking Interfaces
intrusion prevention systems (IPS), Troubleshooting and OperationIP Action Table
attack table, IPS Attack Table
checking policy compilation status, Checking Policy Compilation Status
checking security package version, Checking Security Package Version
checking status of, Checking IPS Status
counters for, IPS Counters
IP action table, IP Action Table
security package installation, Troubleshooting and Monitoring Security Package InstallationChecking Policy Compilation Status
with J-Web tool, Troubleshooting from J-Web
Network Address Translation (NAT), NAT Rule and Usage Counters
flow debugging, Flow Debugging with NATStatic NAT
session table, Viewing the Session TableView NAT Errors
viewing firewall logs, View Firewall Logs with NAT
priority zero, The Dreaded Priority Zero
routing, Static Routing
Screens, Troubleshooting and Operation
security policies, Troubleshooting and Operation
SSL Forward Proxy, Operating SSL Forward Proxy
system services, Troubleshooting and OperationTroubleshooting Individual Daemons
checking SNMP stats, Checking NTP Status
core dump, Checking for Core Dumps
DHCP operational mode commands, DHCP Operational Mode Commands
restarting platform daemons, Restarting Platform Daemons
viewing security logs locally, Viewing Security Logs Locally
viewing services/counters on interface, Viewing the Services/Counters on the InterfaceViewing the Services/Counters on the Interface
viewing system connection table, Troubleshooting and Operation
transparent mode, Troubleshooting and OperationTransparent Mode Troubleshooting Steps
steps, Transparent Mode Troubleshooting StepsTransparent Mode Troubleshooting Steps
Unified Threat Management (UTM), Troubleshooting and OperationContent Filtering
antispam, Antispam
antivirus software, Antivirus
content filtering, Content Filtering
URL filtering, URL Filtering
VPN (virtual private networking), Troubleshooting and OperationConfiguring and analyzing VPN tracing
commands for, Useful VPN CommandsChecking interface statistics
tracing and debugging, VPN Tracing and DebuggingConfiguring and analyzing VPN tracing
trunk mode, in transparent mode, Interface Modes in Transparent Mode
trunk port, Switching Configuration
trust interface, Sample Deployment
trust zone, configuring, Configuring system services and protocols per zone or interface
Trusted-CA
configuring, Configuring IKEv1 Phase 1 policies
in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
Tunnel mode for IPsec VPN, IPsec VPN Mode
best practices, Best Practices
tunnels
SYN checks in, SYN checks in tunnels
viewing inactive, show security ipsec inactive-tunnels

U

UDP (User Datagram Protocol), How to Use This Book, SRX100 Series
denial-of-service (DoS) attacks with, DoS Attacks with UDP
for IKE negotiations, VPN troubleshooting process
UFQDN (user FQDN), as IKE identity, IKE Identities
Ultrasurf, SSL and, AppFW with encrypted applications
unauthenticated role in SRX, Configuring the SRX for UserFW
unauthenticated users, redirect rules for, Operating UserFW
Unicast Reverse Path Forwarding (uRPF) lookup, IP Spoofing Screen
unified in-service software upgrade (ISSU), Configuring the Control Ports
Unified Threat Management (UTM)
antispam feature, Antispam
antivirus software, Antivirus, AntivirusWhich AV to Choose?
Sophos engine, Sophos AVKaspersky Full AV
basics, Unified Threat Management
best practices, Best Practices
components, UTM ComponentsConfiguring syslog to send UTM to a remote server
application proxy, Application Proxy
custom objects, Custom Objects
feature profiles, Feature Profiles
policies, UTM Policies
content filtering, Content FilteringConfiguring syslog to send UTM to a remote server
deployments, Sample DeploymentsSummary
IPS and, IPS and UTM
licensing, UTM Licensing
configuring, Configuring Licensing
logging messages, Logging UTM Messages
shifting threats, Shifting Threats
troubleshooting, Troubleshooting and OperationContent Filtering
antispam, Antispam
antivirus software, Antivirus
URL filtering, URL Filtering
URL filtering, URL FilteringWhich URL filtering solution to choose?
flavors, URL filtering flavors
Websense Enhanced filtering, Websense Enhanced filtering
unit, in interface configuration, Logical Interfaces
universal resource locator (URL) filtering, Branch-Specific Features
unknown control plane state, Activating Juniper Services Redundancy Protocol
Unknown IP Protocol Screen, Unknown IP Protocol Screen
unknown role in SRX, Configuring the SRX for UserFW
untrust interface, Sample Deployment
untrust zone, configuring, Configuring system services and protocols per zone or interface
URL filtering, IPS and UTM, Unified Threat Management, URL Filtering, URL FilteringWhich URL filtering solution to choose?
default local profile, Default local URL filtering profile
deployment, Sample Deployments
profiles, URL filtering profiles
Surfcontrol/Websense Integrated, Surfcontrol/Websense Integrated URL filtering
troubleshooting, URL Filtering
Websense Enhanced filtering, Websense Enhanced filtering
user authentication infrastructure, STRM and, Reporting with STRM
user base dynamic firewalling, Large Branch
User Datagram Protocol (UDP), How to Use This Book
denial-of-service (DoS) attacks with, DoS Attacks with UDP
for IKE negotiations, VPN troubleshooting process
user interfaces, on control plane, System services that operate on the control plane
user objects, in security policy, Security Policy Criteria and Precedence
User Role Firewall, User Role Firewalling
best practices, UserFW
configuring and deploying, Configuring and Deploying User Role FirewallMiscellaneous Active Directory tasks
functionality review, UserFW functionality overviewUserFW functionality overview
operating, Operating UserFW
packaging and licensing, UserFW packaging and licensing
users, display of logged on, Informational panels
UTM (see Unified Threat Management (UTM))

V

validation, heartbeat messages for, Configuring Heartbeat Timers
virtual interfaces, Virtual Interfaces
virtual Junos, JunosV Firefly (Virtual Junos)
virtual private networking (VPN) (see VPN (virtual private networking))
virtual router (VR), Inherited ScreenOS features
instances, Routing Instance Types
virtual security device (VSD), Redundancy Groups
viruses, Acknowledgments
(see also antivirus software)
identifying, IPS and UTM
protection against, Unified Threat Management
VLAN retagging, VLAN Rewriting
VLAN trunking, transparent mode and, Spanning Tree Protocol in transparent mode Layer 2 deployments
vlan-id-list command, Configuring VLAN Rewriting
vlan-rewrite command, Configuring VLAN Rewriting
VLANs
in cloud environment, Cloud Networks
configuration, Switching Configuration
name for, Switching Configuration
restricting BPDUs to, Restricting BPDUs to VLANs
rewriting, VLAN Rewriting
configuring, Configuring VLAN RewritingConfiguring VLAN Rewriting
terminating multiple, Interface Modes in Transparent Mode
VMware, JunosV Firefly (Virtual Junos)
VPLS, Branch Summary
VPN (virtual private networking), Acknowledgments
(see also IPsec VPN (IP Security virtual private network))
architecture overview, VPN Architecture OverviewRemote Access VPNs
full mesh, Full Mesh VPNs
hub and spoke, Hub and Spoke IPsec VPNs
site-to-site, Site-to-Site IPsec VPNs
dynamic, Dynamic VPNBest Practices
encryption algorithms, Selecting the Appropriate VPN Configuration
monitoring, VPN Monitoring
configuring, Configuring common IPsec VPN components
partial mesh, Partial Mesh VPNs
point-to-point vs. point-to-multipoint, Point-to-point versus point-to-multipoint VPNs
policy-based, vs. route-based, Selecting the Appropriate VPN Configuration
remote access, Remote Access VPNs
sample deployment, Sample DeploymentsIPsec Caveats on SRX
remote access VPN, Remote Access VPN
site-to-site, Site-to-Site VPNRemote Access VPN
ScreenOS for, The SRX Series Platform
selecting configuration, Selecting the Appropriate VPN ConfigurationSelecting the Appropriate VPN Configuration
troubleshooting, Troubleshooting and OperationConfiguring and analyzing VPN tracing
commands for, Useful VPN CommandsChecking interface statistics
tracing and debugging, VPN Tracing and DebuggingConfiguring and analyzing VPN tracing
VSD (virtual security device), Redundancy Groups
vulnerability exploitation phase of attack, Stages of a System Compromise

W

Warning severity level of attacks, Severities
web management, Web Management on the SRX
Web Trends Log Format (WELF), Configuring Stream mode logging on the data plane
Websense Enhanced URL filtering, URL filtering flavors, Websense Enhanced filtering
custom profile, Configuring a custom Websense Enhanced profile
default profile, Configuring Websense Enhanced default profile
pros and cons, Which URL filtering solution to choose?, Which URL filtering solution to choose?
troubleshooting, URL Filtering
Websense Redirect URL filtering, URL filtering flavors, Websense Redirect
default profile for configuring, Default Websense Redirect profile
pros and cons, Which URL filtering solution to choose?
Websense site lookup tool, Websense site lookup tool
Websense Threatseeker cloud, Websense Enhanced filtering
Websense/Surfcontrol Integrated URL filtering, pros and cons, Which URL filtering solution to choose?
Websense/Surfcontrol URL filtering, troubleshooting, URL Filtering
weighted round-robin algorithm, Data Center SRX Series Session Setup
WELF (Web Trends Log Format), Configuring Stream mode logging on the data plane
well-known ports, AppSecure Basics
whitelist approach to firewall rules, Three types of Application Firewall rulesets, Configuring a whitelist application ruleset
best practices, AppFW
for Juniper Local filtering, URL Custom URLs, blacklists, whitelists, and categories
in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
when to use, When to use blacklist, whitelist, and hybrid rulesets
WiFi, RF interference and, Branch-Specific Features
wildcard address objects, for IP prefix-based matches, Wildcard address objects
wing table, NPU
Winnuke Screen, WinNuke Screen
wireless capabilities, of AX411, AX411

X

X-PIM card, SRX600 Series, Interface modules for the SRX600 line
X.509 certificate, authentication, Certificate Validation
XAuth, XAuth, Configuring dynamic gateways and remote access clients
troubleshooting, VPN troubleshooting process

Y

YouTube, Preface

Z

Z path forwarding, The Data Plane
zero-day branch, SRX200 Series
zone-based firewall, NAT Precedence in the Junos Event Chain
zone-based service control, Zone-Based Service ControlConfiguring system services and protocols per zone or interface
zones, Acknowledgments, Inherited ScreenOS features, ZonesFunctional Zones
(see also security zones)
applying Screen profiles to, Applying Screen profiles to single and multiple zones
configuring to allow IKE traffic, Configuring IKEv1 Phase 1 gateways
functional, Functional ZonesFunctional Zones
names for, Sample Deployment
in transparent mode, Transparent Mode Zones

Get Juniper SRX Series now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial