Index
A note on the digital index
A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.
Symbols
- 10 gigabit ports, IOC modules
- 10 Gigabit Small Form-Factor Pluggable card, IOC modules
- 3DES (Triple Data Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
- 3G cards, on SRX210, SRX200 Series
- 41 gigabit SFP IOC card, IOC modules
A
- access control list (ACL), Configuring a stateless firewall filter to control traffic on fxp0
- in troubleshooting, VPN troubleshooting process
- access mode, in transparent mode, Interface Modes in Transparent Mode
- access port, Switching Configuration
- access-control system, role-based, Accounts for Administrative Users
- action criteria, in security policy, Action Criteria–Configuring a policy to restrict inbound or outbound management requests
- action profiles, in security policy, Security Policy Criteria and Precedence
- Active Directory
- mapping users based on group membership, Configuring realms, roles, and sign-in policies
- miscellaneous tasks, Miscellaneous Active Directory tasks
- SPNEGO and, UserFW
- active reconnaissance, Stages of a System Compromise
- active/active deployment
- for high availability clusters, Active/active
- for SRX3000 line products, Data Center Edge
- active/backup state, for control plane, The Control Plane
- active/passive mode, Sample Deployments–Summary
- for high availability clusters, Active/passive
- ActiveX, Shifting Threats
- address books, for security zones, Address books
- address objects
- mapping IP address to, Address objects
- in NAT ruleset, Best Practices
- in security policy, Security Policy Criteria and Precedence
- address persistence, in source NAT, Other SRX source NAT configuration options
- Address Resolution Protocol (ARP), with traceroute, MAC Address Learning
- address sets, Best Practices
- for security zones, Address sets
- address shifting, in source NAT, Other SRX source NAT configuration options
- administrative user accounts, Accounts for Administrative Users–Remote authentication
- ADSL cards, Interface modules for the SRX200 line
- ae interface, Aggregate Interfaces
- AES (Advanced Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
- aggregate interfaces, Aggregate Interfaces–LACP protocol
- Aggressive mode for IKE negotiations, Aggressive mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Aggressive mode
- vs. Main mode, Selecting the Appropriate VPN Configuration
- aggressive session aging, Aggressive session aging
- configuring flow option, Configuring the aggressive session ageout flow option
- AH (Authentication Header), Phase 2 IKE negotiation modes, IPsec VPN Protocol
- best practices, Best Practices
- vs. ESP, Selecting the Appropriate VPN Configuration
- alarm threshold, in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
- alarm-without-drop setting, in Screen profile, Configuring a Screen profile
- alarms, Informational panels
- ALGs (application layer gateways), Application Layer Gateways–Enabling an ALG example, Best Practices
- enabling example, Enabling an ALG example
- Anti-Replay detection for IPsec VPN, Anti-Replay Protection
- configuring, Configuring common IPsec VPN components
- anticipating needs, Welcome to the SRX
- antispam feature, Antispam
- deployment, Sample Deployments
- on SRX Series, Branch-Specific Features
- troubleshooting, Antispam
- antivirus software, IPS and UTM, Antivirus–Which AV to Choose?
- in branch SRX, Branch-Specific Features
- Express AV engine, Express AV–Which AV to Choose?
- default profile for configuring, Default Express AV profile
- focus of, Antivirus + URL Filtering + IPS?
- Kaspersky Full AV, Kaspersky Full AV–Express AV
- configuring scanning and fallback options, Configuring Kaspersky AV scanning and fallback options
- default profile for configuring, Configuring Kaspersky with the default profile
- selecting, Which AV to Choose?
- Sophos engine, Sophos AV
- default profile for configuring, Configuring Sophos with a default profile
- feature profiles, Sophos AV feature profiles
- SRX vs. desktop, I Have SRX Antivirus: Do I Need Desktop Antivirus?
- testing, Testing antivirus
- troubleshooting, Antivirus
- any role in SRX, Configuring the SRX for UserFW
- appliance-based firewall model, Evolving into the SRX
- application caching, controlling, Controlling application caching
- application contexts, Application contexts
- Application Denial of Service (AppDoS) prevention, Data Center Services Tier
- Application Firewall (AppFW), Flow Mode and Packet Mode, Application Firewall, What About Application Firewalling in NGFW?
- best practices, AppFW
- configuring and deploying, Configuring and Deploying Application Firewall–Configuring application redirect
- ruleset types, Three types of Application Firewall rulesets
- with encrypted applications, AppFW with encrypted applications
- operating, AppTrack, Operating Application Firewall
- application groups
- creating custom, Creating custom application groups
- enabling and disabling, Enabling and disabling applications and application groups
- Application Identification (AI), AI Processing Architecture–Application system cache
- best practices, Application Identification
- cache hits and misses, Checking AppID counters
- counters, Checking AppID counters
- downloading and installing sigpacks, Downloading and Installing Application Identification Sigpacks–Enabling application identification heuristics
- in IPS processing, Packet processing path
- object output, Signature-based pattern matching
- signature operations, AppID Signature Operations–Creating custom application groups
- troubleshooting, Operating Application Identification–Operating Application Firewall
- application layer gateways (ALGs), Application Layer Gateways, Best Practices
- enabling example, Enabling an ALG example
- application objects, Application objects–Configuring a policy to restrict inbound or outbound management requests
- creating custom, Enabling an ALG example
- IPS and, Application objects
- in security policy, Security Policy Criteria and Precedence
- Application Quality of Service (AppQoS), Application Quality of Service
- best practices, AppQoS
- configuring and deploying, Configuring and Deploying Application Quality of Service–Configuring an AppQoS example
- example, Configuring an AppQoS example–Configuring an AppQoS example
- operating, Operating Application QoS
- application redirect, configuring, Configuring application redirect
- application sets, Application sets, Best Practices
- application statistics, Checking application statistics–Checking application statistics
- application system cache, Application system cache
- Application-DDoS rulebase, Rulebases
- application.list file, Useful IPS files
- applications, enabling and disabling, Enabling and disabling applications and application groups
- apply-groups command, Node-Specific Information
- AppSecure, Data Center Services Tier, AppSecure Basics
- best practices, Best Practices–SSL FP
- components, Acknowledgments, AppSecure Component Overview–Application system cache
- (see also specific component names)
- Application Firewall (AppFW), Application Firewall
- Application Identification (AI), Application Identification, AI Processing Architecture–Application system cache
- Application Quality of Service (AppQoS), Application Quality of Service
- AppTrack, Application Tracking
- SSL Forward Proxy, SSL Forward Proxy
- User Role Firewalling, User Role Firewalling
- licensing, AppSecure Licensing
- sample deployment, Sample Deployments–Sample Deployments
- troubleshooting, Troubleshooting and Operation
- AppTrack, Application Tracking, Sample Deployments
- best practices, AppTrack
- configuring and deploying, Configuring and Deploying AppTrack–Configuring AppTrack options
- enabling, Enabling AppTrack
- Assured forwarding class, Forwarding class
- asymmetric traffic, through firewall, TCP SYN checks
- attack database, Attack database, Useful IPS files
- attack groups, custom, Custom Attack Groups
- attack objects
- downloading Juniper predefined, Getting Started with IPS on the SRX
- updates for, Attack object updates versus full updates, Best Practices
- viewing, Viewing IPS attack objects and group membership
- in Junos Space, Viewing IPS attack objects and group membership
- attack table, IPS Attack Table
- attack threshold, in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
- attack-group.list file, Useful IPS files
- attack.list file, Useful IPS files
- attacks
- object types, Attack Object Types–Signature performance impacts
- custom, Custom attack objects and groups
- predefined, Predefined attack objects and groups
- severity levels of, Severities
- shifted strategies, Shifting Threats
- stages of, Stages of a System Compromise
- viewing statistics, Viewing the Screen Attack Statistics
- Aurora Internet Explorer exploit, Security Packages
- authentication
- certificate, Certificate authentication
- configuring, Configuring Phase 1 proposals, Configuring IKEv1 Phase 2 proposals
- IKE, IKE Authentication
- in IPsec VPN, IPsec Authentication Algorithms
- for VPN, Selecting the Appropriate VPN Configuration
- Authentication Header (AH), Phase 2 IKE negotiation modes, IPsec VPN Protocol
- best practices, Best Practices
- vs. ESP, Selecting the Appropriate VPN Configuration
- authentication server, configuring, Configuring the authentication server
- AX411 Wireless LAN Access Point, AX411–CX111
- license for, Licensing
B
- Bad IP Option Screen, Bad IP Option Screen
- bandwidth limit, Rate limiter
- BPDUs (Bridge Protocol Data Units), Spanning Tree
- Best Effort forwarding class, Forwarding class, Configuring an AppQoS example
- best practices
- AppSecure, Best Practices
- DHCP (Dynamic Host Configuration Protocol), Best Practices
- intrusion prevention systems (IPS), Best Practices–Best Practices
- IPsec VPN (IP Security virtual private network), Best Practices–Best Practices
- Network Address Translation (NAT), Best Practices
- for number of monitored hosts, IP Monitoring
- Screens, Best Practices
- security policies, Best Practices–Best Practices
- for system services configuration, Best Practices
- Unified Threat Management (UTM), Best Practices
- bidirectional forwarding detection (BFD), Preserving the Control Plane
- bidirectional NAT, Junos NAT Types
- binary syslog, Configuring Stream mode logging on the data plane
- blacklist approach to firewall rules, Configuring a blacklist application ruleset–Configuring a whitelist application ruleset
- best practices, AppFW
- for Juniper Local filtering, URL Custom URLs, blacklists, whitelists, and categories
- when to use, When to use blacklist, whitelist, and hybrid rulesets
- blind switching, Branch-Specific Features, SRX100 Series
- Block Frag Screen, Block Frag Screen
- Border Gateway Protocol (BGP) route reflector, licensing, Licensing
- botnet attacks on data center, Data Center Edge
- branch firewall, Built for Services
- SRX Series products for, Deployment Solutions
- branch SRX Series, Branch SRX Series–Branch Summary
- and AX411 appliances, AX411
- features specific to, Branch-Specific Features–Branch-Specific Features
- hardware overview, Branch SRX Series Hardware Overview
- licensing, Licensing
- packet mode, Flow Mode and Packet Mode
- SRX100 series, SRX100 Series–SRX100 Series
- SRX200 Series, SRX200 Series–Interface modules for the SRX200 line
- interface modules for, Interface modules for the SRX200 line
- SRX500 Series, SRX500 Series
- SRX550, SRX500 Series
- capacities, SRX500 Series
- SRX600 Series, SRX600 Series–Interface modules for the SRX600 line
- interface modules for, Interface modules for the SRX600 line
- SRX650
- capacities, SRX600 Series
- summary, Branch Summary
- bridge domains, Routing Instance Types
- listing active, The show bridge domain Command
- in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode, Bridge Domains
- configuring, Sample Deployments
- bridge loop, transparent mode firewall for, Transparent Mode and Bridge Loops, Spanning Tree Protocol
- bridge MAC learning table, The show bridge mac-table Command
- Bridge Protocol Data Units (BPDUs), Spanning Tree
- bridge, for transparent mode interface, Transparent Interfaces
- bridging, configuring options, Configuring Bridging Options
- byte stream, measuring randomness of, Heuristic-based detection
C
- CA (certificate authority), Certificate authentication
- SSL FP support for installing certificate, Configuring SSL Forward Proxy on the SRX
- cable modem, Interface modules for the SRX200 line
- cache
- application system, Application system cache
- clearing files, Clearing the download and cache files on the SRX
- campus core firewalls, The Junos Enterprise Services Reference Network
- categories, for custom URL pattern, Custom URL category
- CBC (Cipher Block Chaining), Configuring Phase 1 proposals
- cellular Internet access, RF interference and, Branch-Specific Features
- central point (CP), SPU for, SPC
- centralized management, Centralized Management–Using NSM
- certificate revocation lists (CRLs), Certificate Validation
- certificates
- authentication, Certificate authentication
- best practices, SSL FP
- configuring, Configuration for Remote-Office1 proposal with certificates, Configuring IKEv1 Phase 1 policies
- configuring IKEv1 Phase 1 IKE policy, Configuring IKEv1 Phase 1 IKE policy with certificates
- importing external, Configuring SSL Forward Proxy on the SRX
- preconfiguration tasks, Certificate Preconfiguration Tasks
- validation for IPsec VPN, Certificate Validation
- chassis cluster, Medium Branch, Chassis Cluster, Getting Started with High Availability–Six pack
- deployment solutions, Deployment Concepts–Six pack
- high availability, node-specific information, Node-Specific Information–Node-Specific Information
- hold-down timer to prevent failover, Redundancy Groups
- integrating into network, Integrating the Cluster into Your Network–Configuring Interfaces
- managing members, Managing Cluster Members
- private mode, Differences from Standalone
- sample deployment, Sample Deployments–Summary
- status of, Activating Juniper Services Redundancy Protocol
- for transparent mode deployment, Sample Deployments
- Chassis Information view (J-Web), Chassis view
- Chassis Status panel, Informational panels
- chassisD daemon, System services that operate on the control plane, Hardware Monitoring
- child processes, Branch SRX Series Hardware Overview
- Cipher Block Chaining (CBC), Configuring Phase 1 proposals
- ciphers, defining for SRX/Servers, Configuring SSL Forward Proxy on the SRX
- Cisco Systems, GETVPN solution, Group VPN
- clear interface statistics command, Monitoring Interface Counters
- clear services application-identification application-system-cache command, Checking the AppID engine settings and cache
- clearing, cache files, Clearing the download and cache files on the SRX
- CLI (see command-line interface (CLI))
- Client-Outbound firewall rule, Sample Deployments
- client-side threats, Layer 7 protection against, Unified Threat Management
- client-to-server attacks, Direction-specific detection
- Close-Client IPS action, IPS actions
- Close-Client-and-Server IPS action, IPS actions
- Close-Server IPS action, IPS actions
- closing session, Application objects
- cloud networks, deployment, Cloud Networks–The Junos Enterprise Services Reference Network
- cluster ID, Cluster ID
- cluster-master mode, Managing Cluster Members
- clustering mode, requirements for running device, Chassis Cluster
- coldsync, The Dreaded Priority Zero
- command-line interface (CLI), How to Use This Book, Device management, SRX GUI Management
- for management services, Command-Line Interfaces–Configuring SSH access
- commands, running from configuration mode, Aggregate Interfaces
- compact flash port, SRX600 Series
- complex attack objects, Dynamic attack groups
- concurrent sessions, at data center core, Data Center Services Tier
- configuration
- committing, Committing the configuration
- J-Web tool for managing, Configuration management
- configuration mode in Junos CLI
- running commands from, Aggregate Interfaces
- congestion, and loss priority for dropped traffic, Loss priority
- connection-oriented communications, How to Use This Book
- connectionless paradigm, How to Use This Book
- connectivity
- maximum, example SRX5800 configuration for, SRX5000 Series
- security for, Preface
- console, Command-Line Interfaces
- configuring options, Configuring console options
- content filtering, Content Filtering, Content Filtering–Configuring syslog to send UTM to a remote server
- troubleshooting, Content Filtering
- contexts, in IPS processing, Packet processing path, Application contexts
- control link
- failure, Control link and data link failure
- monitoring, Control link
- control plane
- access, vs. data plane, Accessing System Services: Control Plane Versus Data Plane–Configuring a security policy to control data plane management traffic
- high availability and, The Control Plane
- logs
- configuring, Configuring control plane logging on the SRX–Configuring control plane logging on the SRX
- configuring Event mode, Configuring Event mode logging to the control plane
- vs. data plane logs, Control Plane Versus Data Plane Logs–JFlow on the SRX
- preserving, Preserving the Control Plane
- in redundancy group, Redundancy Groups
- states, Activating Juniper Services Redundancy Protocol
- system services and, System Services and the Control Plane–System services that operate on the control plane
- control ports, configuring, Configuring the Control Ports–Configuring the Control Ports
- core dump, Checking for Core Dumps
- troubleshooting, Core Dumps
- Count action, in security policy, Action Criteria
- counters
- for IPS troubleshooting, IPS Counters
- viewing on interface, Viewing the Services/Counters on the Interface–Viewing the Services/Counters on the Interface
- CPE (Customer Premises Equipment), SRX installed in, Configuring the SRX as a DHCP client
- CPS rate, Data Center SRX Series Hardware Overview
- craft port, in SRX5600, SRX5000 Series
- Critical severity level of attacks, Severities
- CRLs (certificate revocation lists), Certificate Validation, Best Practices
- custom spam profile, Configuring a custom spam profile and policy
- CX111 Cellular Broadband Data Bridge, CX111
- cyberthreats, IPS and UTM
D
- daemons
- restarting platform, Restarting Platform Daemons
- for system services, System Services and the Control Plane
- troubleshooting, Troubleshooting Individual Daemons
- dashboard
- for J-Web tool, Dashboard–Informational panels
- chassis view, Chassis view–Chassis view, Informational panels–Informational panels
- customizing, Informational panels
- for NSM, Using NSM
- Dashboard Preferences dialog box, Informational panels
- data center firewall, Built for Services
- deployment solutions, Data Center
- services tier, Data Center Services Tier
- edge of, Data Center Edge–Data Center Edge
- SRX Series products for, Deployment Solutions
- data center SRX Series, SRX Series Product Lines, Data Center SRX Series–IOC modules
- antivirus feature for, Branch-Specific Features
- features specific to, Data Center SRX-Specific Features
- hardware overview, Data Center SRX Series Hardware Overview
- session setup, Data Center SRX Series Session Setup–Data Center SRX Series Session Setup
- SRX1000 Series, Data Center SRX Series, SRX1000 Series
- SRX1400 Series
- capacities, SRX1000 Series
- SRX3000 Series, Data Center SRX Series, SRX3000 Series–IOC modules
- SRX3400, SRX3000 Series
- capacities, SRX3000 Series
- SRX3600, SRX3000 Series
- capacities, SRX3000 Series
- interface modules for, IOC modules
- SRX5000 Series, Data Center SRX Series, SRX5000 Series–IOC modules
- capacities, SRX5000 Series
- IOC modules, IOC modules
- upgrade for NG-SPC support, NG-SPC
- SRX5600, SRX5000 Series
- FPC numbers, SRX5000 Series
- SRX5800, SRX5000 Series, SRX5000 Series
- example line configurations, SRX5000 Series
- FPC numbers, SRX5000 Series
- Data Encryption Standard (DES), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
- Data Leak Protection (DLP), Content Filtering
- data links, The Data Plane
- configuring for transparent mode deployment, Sample Deployments
- failure, Control link and data link failure
- monitoring, Data link
- data path, The Data Plane
- data plane, System Services and the Control Plane
- access, vs. control plane, Accessing System Services: Control Plane Versus Data Plane–Configuring a security policy to control data plane management traffic
- default route in, Management Interfaces
- high availability and, The Data Plane
- logs, vs. control plane logs, Control Plane Versus Data Plane Logs
- security policy enforcement on, Packet Flow
- system services and, System Services and the Data Plane
- troubleshooting, Verifying the Data Plane–Verifying the Data Plane
- data, creation, Preface
- date and time, manually configuring, Manually configuring SRX time
- Day One Automation Series, Device management
- Dead Peer Detection (DPD), Power supplies, Dead Peer Detection
- debug output, for troubleshooting transparent mode, Transparent Mode Troubleshooting Steps
- debugging VPN, VPN Tracing and Debugging–Configuring and analyzing VPN tracing
- dedicated mode, for data center SRX Series, Data Center SRX-Specific Features
- deep packet inspection, Welcome to the SRX, ScreenOS to Junos
- default action, in security policy, Security Policy Precedence
- default profile for configuring antispam, Configuring antispam with the default profile
- default-policy action, Top to Bottom Policy Evaluation
- denial-of-service (DoS) attacks, A Brief Review of Denial-of-Service Attacks–DoS Versus DDoS
- on data center, Data Center Edge
- exploit-based, Exploit-Based DoS
- flood-based, Flood-Based DoS
- screen feature for, Service Provider
- vs. DDoS, DoS Versus DDoS
- with ICMP, DoS Attacks with ICMP–Configuring the ICMP Ping of Death Screen
- with IP protocols, DoS Attacks with IP Protocols–Configuring the Unknown IP Protocol Screen
- with TCP, DoS Attacks with TCP–Configuring the WinNuke Screen
- with UDP, DoS Attacks with UDP
- deny action, in security policy, Action Criteria
- DES (Data Encryption Standard), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
- desktop antivirus, need for, I Have SRX Antivirus: Do I Need Desktop Antivirus?
- destination address, in IPS policy, Match criteria
- destination MAC addresses, known vs. unknown, Slow-path SPU packet processing
- destination NAT, Junos NAT Types
- combining with source NAT, Combination Source and Destination NAT–Combination Source and Destination NAT
- examples, Destination NAT–Configuration destination NAT
- flow debugging, Source NAT
- no-NAT rules with, No-NAT with Source or Destination NAT–No-NAT with Source or Destination NAT
- pools, Destination NAT pools
- precedence for, NAT type precedence
- rulesets, Destination NAT rulesets
- destination objects, negated, for security zones, Negated source and destination objects
- destination zone, Security zones
- Destination-IP Session Limit screen, Session Limit Screens, Destination IP Session Limit Screen
- detail command, show security ike security-associations
- detail flag, for show route table command, Static Routing
- detector engines, in IPS process, Detector engines
- Deterministic Finite Automaton (DFA) technology, Signature-based pattern matching
- Device Management Interface (DMI), Space: The Final Frontier of Management
- DHCP (Dynamic Host Configuration Protocol), Dynamic Host Configuration Protocol–Configuring the SRX as a DHCP relay server
- best practices, Best Practices
- client configuration on SRX, Configuring the SRX as a DHCP client
- operational mode commands for troubleshooting, DHCP Operational Mode Commands
- relay server configuration on SRX, Configuring the SRX as a DHCP relay server
- server configuration on SRX, Configuring the SRX as a DHCP server
- Differentiated Services Code Point (DSCP), Differentiated Services Code Point
- Diffie-Hellman groups, Aggressive mode, Configuring Phase 1 proposals
- troubleshooting, VPN troubleshooting process
- Diffie-Hellman key exchange process, Main mode, Aggressive mode
- group number, Selecting the Appropriate VPN Configuration
- direction-specific detection, in IPS processing, Direction-specific detection
- Disable Session Resumption option, in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
- disabled control plane state, Activating Juniper Services Redundancy Protocol
- discard option, for static routing, Static Routing
- disk storage, on firewall, monitoring, Informational panels
- distinguished name (DN), as IKE identity, IKE Identities
- distributed denial-of-service (DDoS) attack
- on data center, Data Center Edge
- vs. DoS, DoS Versus DDoS
- DLP (Data Leak Protection), Content Filtering
- DMI (Device Management Interface), Space: The Final Frontier of Management
- DMZ
- IPS deployment, Sample Deployments
- SRX Series devices firewall deployment, The Junos Enterprise Services Reference Network
- DNS (Domain Name System), Domain Name System
- address objects, DNS address objects
- DOCSIS 3.0 card, Interface modules for the SRX200 line
- DoS attack (see denial-of-service (DoS) attacks)
- dotted decimal format, How to Use This Book
- downgrade process, for Junos, Software management
- downloading
- for Application Identification (AI) sigpacks, Downloading and Installing Application Identification Sigpacks–Enabling application identification heuristics
- Drop-Connection IPS action, IPS actions
- Drop-Packet IPS action, IPS actions
- DSCP (Differentiated Services Code Point), Differentiated Services Code Point
- field rewrite, DSCP rewrite
- dual control links, Configuring the Control Ports
- dual mastership, Configuring the Control Ports
- dynamic routing network protocols, Dynamic Routing Protocols
- dynamic attack groups, Custom attack objects and groups, Dynamic attack groups
- best practices, Best Practices
- configuring, Configuring static and dynamic attack groups
- dynamic gateways, configuring, Configuring dynamic gateways and remote access clients
- dynamic group objects, Sample Deployments
- Dynamic Host Configuration Protocol (DHCP) (see DHCP (Dynamic Host Configuration Protocol))
- dynamic IP address
- configuring IKE gateway with, Configuring an IKE gateway with a dynamic IP address
- configuring remote gateways with, Configuring IKEv1 Phase 1 gateways
- dynamic VPN, Dynamic VPN, Dynamic VPN–Best Practices
- interface for, Best Practices
- dynamic VPN client, Branch-Specific Features
- licensing, Licensing
E
- egress interface, Security zones, NAT Precedence in the Junos Event Chain
- egress traffic, NPUs for, Data Center SRX Series Session Setup, Data Center SRX Series Session Setup
- egress zone, Inherited ScreenOS features
- embryonic session, Data Center SRX Series Session Setup
- Encapsulating Security Payload (ESP), SRX100 Series, Phase 2 IKE negotiation modes, IPsec VPN Protocol
- best practices, Best Practices
- vs. AH, Selecting the Appropriate VPN Configuration
- encrypted applications, AppFW with, AppFW with encrypted applications
- encryption (see Internet Key Exchange (IKE); IPsec VPN (IP Security virtual private network))
- encryption algorithms
- End to End Data-path Debug, Performing a Packet Capture on the High-End SRX
- ending sessions, Data Center SRX Series Session Setup
- Engine-not-ready option, for Sophos engine, Sophos AV feature profiles
- Enhanced Websense Filtering, Antivirus + URL Filtering + IPS?
- enterprise management, Management Interfaces
- error statistics, Monitoring Interface Counters
- ESP (Encapsulating Security Payload), Phase 2 IKE negotiation modes, IPsec VPN Protocol
- best practices, Best Practices
- vs. AH, Selecting the Appropriate VPN Configuration
- Ethernet, How to Use This Book
- Ethernet ports
- on SRX100, SRX100 Series
- on SRX210, SRX200 Series
- ether-options hierarchy
- adding interfaces to aggregate device, Aggregate Interfaces
- for physical interfaces, Physical Interfaces
- event mode, vs. stream mode, for data plane logs, Data plane logs: Event versus Stream mode
- Exempt rulebase, Rulebases
- Expedited forwarding class, Forwarding class, Configuring an AppQoS example
- explicit drop rules, Best Practices
- exploit-based denial-of-service (DoS) attacks, Exploit-Based DoS
- exporting flow records, JFlow on the SRX
- ExpressCard slot, on SRX210, SRX200 Series
- Extensible Markup Language (XML) interface
- Junos CLI as, Device management
- external certificate, importing, Configuring SSL Forward Proxy on the SRX
- external interface, configuring for IPsec VPN, Configuring IKEv1 Phase 1 gateways
- extreme mode, in SRX3400, SRX3000 Series
F
- fab interface, Configuring the Fabric Links
- fabric chip, IOC modules
- fabric links, The Data Plane
- configuring, Configuring the Fabric Links–Configuring the Fabric Links
- redundant, Configuring the Fabric Links
- verifying, First Steps
- Facebook, rule blocking, Three types of Application Firewall rulesets
- failover, Fault Monitoring
- hold-down timer to prevent in chassis cluster, Redundancy Groups
- information to handle traffic, The Data Plane
- manual, Manual Failover–Manual Failover
- multiple interfaces in zone for, One interface per zone versus multiple interfaces per zone
- for service provider, Mobile Carriers
- fallback options
- for Kaspersky Full AV, Kaspersky Full AV
- for Sophos engine, Sophos AV feature profiles
- false positives and false negatives, in IPS, False Positives and False Negatives in IPS
- family (protocol), Logical Interfaces
- family bridge, in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode
- fast-path SPU processing, Fast-path SPU packet processing
- fault monitoring, Fault Monitoring–Preserving the Control Plane
- hardware monitoring, Hardware Monitoring–Power supplies
- interface monitoring, Interface Monitoring–Interface Monitoring
- IP monitoring, IP Monitoring
- File Transfer Protocol (FTP), Application Layer Gateways
- antivirus feature for, Branch-Specific Features
- File Usage panel, Informational panels
- file-based protection, IPS and UTM
- filesystem interfaces, on control plane, System services that operate on the control plane
- FIN-No-ACK Screen, FIN-No-ACK Screen
- financial network, data center SRX Series for, SRX5000 Series
- Firefox, J-Web: Your On-Box Assistant
- firewall filter, Flow Mode and Packet Mode
- firewall policies, Firewall policies
- Junos OS management, Firewall policy management
- lookup, Packet Flow
- rules defining objects to be excluded, Negated source and destination objects
- firewalls, Foreword
- importance of, Welcome to the SRX
- Flash, Shifting Threats
- Flex IOC card, IOC modules
- flexible PIC concentrator (FPC), Physical Interfaces, Chassis Cluster
- slots for, SRX3000 Series
- flood-based denial-of-service (DoS) attacks, Flood-Based DoS
- flood-based Screens, Best Practices
- flooding frame, MAC Address Learning
- flow
- and IPsec VPNs, Flow Processing and IPsec VPNs
- debugging, Flow Debugging with NAT–Static NAT
- in transparent mode, Transparent Mode Flow Process
- viewing exceptions, Viewing Flow Exceptions
- flow mode, Branch-Specific Features, Flow Mode and Packet Mode–Flow Mode and Packet Mode
- in branch SRX Series, Branch Summary
- flow options, SRX Flow Options–Configuring the TCP initial session timeout and TCP time wait timeout
- aggressive session aging, Aggressive session aging
- TCP sequence checks, TCP sequence checks, Configuring TCP sequence checks
- flow records, exporting, JFlow on the SRX
- flow trace, troubleshooting, Performing a Flow Trace–Performing a Flow Trace
- flowd daemon, The Data Plane
- IPS-bound traffic processed by, Packet processing path
- RE monitored by, Software Monitoring
- forwarding classes, Forwarding class
- FPC (flexible PIC concentrator), Physical Interfaces
- FQDN (fully qualified domain name)
- as IKE identity, IKE Identities
- in SSL certificate, AppFW with encrypted applications
- fragmentation
- configuring, Configuring common IPsec VPN components
- in IPS processing, Packet processing path
- in IPsec VPN, Fragmentation
- FreeBSD, ScreenOS to Junos
- from zone, Security zones, NAT Precedence in the Junos Event Chain
- in IPS policy, Match criteria
- FTP (File Transfer Protocol), Application Layer Gateways
- antivirus feature for, Branch-Specific Features
- fully qualified domain name (FQDN), as IKE identity, IKE Identities
- Fun WebProducts spyware, Exempt rulebase
- functional zones, Functional Zones–Functional Zones
- fxp0 interface, Routing Instances, Accessing System Services: Control Plane Versus Data Plane, Managing Cluster Members
- management port, Management Interfaces
G
- G-PIM slots, SRX600 Series, Interface modules for the SRX600 line
- G.SHDSL standard, Interface modules for the SRX200 line
- GARPs, Configuring Interfaces
- gateway configuration
- for IKEv1 Phase 1, Configuring IKEv1 Phase 1 gateways–Configuring IKEv1 Phase 1 gateways
- for IPsec VPN, Configuring common IPsec VPN components
- Generic Route Encapsulation (GRE), SRX100 Series
- global security policies, Security Policy Precedence
- Google Chrome, J-Web: Your On-Box Assistant
- granularity, of SRX IPS implementation, Packet processing path
- Gratuitous ARPs (GARPs), High Availability with Transparent Mode
- Group VPN, Group VPN
- groups in Junos, Node-Specific Information
- groups.xml file, Useful IPS files
- GUI management, Acknowledgments, SRX GUI Management
- (see also J-Web tool)
H
- hardware
- monitoring, Hardware Monitoring–Power supplies
- Screens in, Screens in Hardware and Software
- hashing, IPsec Authentication Algorithms
- heartbeat timers, configuring, Configuring Heartbeat Timers
- help command, for logs, Tips for Viewing Syslog Messages
- heuristic-based detection of applications, Heuristic-based detection, Enabling application identification heuristics
- High Availability (HA), Medium Branch
- basics, High Availability
- chassis clusters, Chassis Cluster, Getting Started with High Availability–Six pack
- deployment concepts, Deployment Concepts–Six pack
- node-specific information, Node-Specific Information–Node-Specific Information
- reth interface for, Aggregate Interfaces
- SNMP in, SNMP in High Availability Chassis Clusters
- control plane and, The Control Plane
- data plane and, The Data Plane
- fault monitoring, Fault Monitoring–Preserving the Control Plane
- hardware monitoring, Hardware Monitoring–Power supplies
- interface monitoring, Interface Monitoring–Interface Monitoring
- IP monitoring, IP Monitoring–IP Monitoring
- IPsec termination in, IPsec termination in HA
- preparing devices for deployment, Preparing Devices for Deployment–Redundancy Groups
- and source NAT with Port overloading, Other SRX source NAT configuration options
- troubleshooting, Troubleshooting and Operation–Manual Failover
- with transparent mode, High Availability with Transparent Mode
- hijacking attacks, preventing, TCP sequence checks
- Hit Count output, Security policy tools
- hold-down timer
- failover prevention in chassis cluster, Redundancy Groups
- manual failover and, Manual Failover
- honored sessions, Operating Application QoS
- host inbound traffic configuration, Functional Zones
- host security policies, Host security policies
- hostname
- defining, Task wizards
- as IKE identity, IKE Identities
- troubleshooting, VPN troubleshooting process
- Hostname attribute, Selecting the Appropriate VPN Configuration
- hub and spoke IPsec VPN, Hub and Spoke IPsec VPNs
- best practices, Best Practices
- hybrid approach to firewall rules, Three types of Application Firewall rulesets, Configuring a hybrid application ruleset
- best practices, AppFW
- when to use, When to use blacklist, whitelist, and hybrid rulesets
- HyperText Transfer Protocol (HTTP), antivirus feature for, Branch-Specific Features
- hypervisor, JunosV Firefly (Virtual Junos)
I
- IC enforcer, configuring SRX as, Configuring the SRX as an IC enforcer
- ICMP (Internet Control Message Protocol), How to Use This Book
- DoS attacks with, DoS Attacks with ICMP–Configuring the ICMP Ping of Death Screen
- fragment screen, ICMP Fragment Screen
- IP sweep screen, ICMP IP Sweep Screen
- large packet screen, ICMP Large Packet Screen
- ping of death screen, ICMP Ping of Death Screen
- for VPN monitoring, VPN Monitoring
- ICMP flood screen, ICMP Flood Screen
- ICMP reset, Action Criteria
- idle timeout, for application object, Application objects
- IDPD process, System Services and the Data Plane
- IFD, Physical Interfaces
- IFL, Physical Interfaces
- Ignore-Connection IPS action, IPS actions
- Ignore-Server-Auth-Failure option, in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
- IKE (Internet Key Exchange)
- AutoKey vs. manual keys, Selecting the Appropriate VPN Configuration
- best practices, Best Practices
- configuring connection sharing, Configuring dynamic gateways and remote access clients
- identities, IKE Identities
- negotiations, IKE Negotiations
- authentication, IKE Negotiations
- Phase 1 authentication, VPN troubleshooting process
- version 1, IKE Version 1 Overview–Proxy ID negotiation
- configuring gateway with static IP, Configuring an IKEv1 gateway with static IP address and DPD
- configuring gateways, Configuring IKEv1 Phase 1 gateways–Configuring IKEv1 Phase 1 gateways
- configuring with certificates, Configuring IKEv1 Phase 1 IKE policy with certificates
- configuring with preshared key, Aggressive mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Aggressive mode
- configuring with preshared key, Main mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
- key lifetimes, IKEv1 Key Lifetimes
- phase 1 configuration, Phase 1 IKE Configuration–Phase 2 IKE Configuration
- phase 1 negotiation modes, Phase 1 IKE negotiation modes
- phase 2 configuration, Phase 2 IKE Configuration–IKEv1 Versus IKEv2 Configuration
- phase 2 negotiations, Phase 2 IKE negotiation modes
- vs. version 2 configuration, IKEv1 Versus IKEv2 Configuration–IPsec and SRX HA
- version 2, IKE Version 2
- vs. version 1, IKEv1 versus IKEv2
- IKE identity, Selecting the Appropriate VPN Configuration
- IKE-ID, IKE Identities
- IMIX number, Data Center SRX Series Hardware Overview
- importing external certificate, Configuring SSL Forward Proxy on the SRX
- in-band management, Management Interfaces
- inactivity timeout, for application object, Application objects
- inbound management requests, policy to restrict, Configuring a policy to restrict inbound or outbound management requests
- ineligible control plane state, Activating Juniper Services Redundancy Protocol
- Inet, for transform definition, Static NAT transforms
- infection attempts, Stages of a System Compromise
- information availability, High Availability
- Information severity level of attacks, Severities
- information, expansion, Preface
- Infranet controller (IC)
- best practices, UserFW
- configuring, Configuring the IC–Configuring realms, roles, and sign-in policies
- firewall rules for clients to communicate with, Configuring the SRX for UserFW
- service account for, Operating UserFW
- troubleshooting facilities on, Operating UserFW
- ingress interface, Screen processing in, Screen Processing only happens on the ingress interface
- ingress point for data center, Data Center
- ingress traffic
- ingress zone, Inherited ScreenOS features
- inline tap mode, for data center SRX Series, Data Center SRX-Specific Features
- input/output cards (IOCs), Interface card
- installing
- for Application Identification (AI) sigpacks, Downloading and Installing Application Identification Sigpacks–Enabling application identification heuristics
- security packages, troubleshooting, Troubleshooting and Monitoring Security Package Installation–Checking Policy Compilation Status
- interface binding, configuring, Configuring route-based VPNs
- interface cards
- monitoring, Interface card
- for SRX1400, SRX1000 Series
- interface counters, monitoring, Monitoring Interface Counters–Performing a Flow Trace
- interface modes, in transparent mode, Interface Modes in Transparent Mode
- interface modules
- for SRX200 Series, Interface modules for the SRX200 line
- for SRX3600, IOC modules
- for SRX600 Series, Interface modules for the SRX600 line
- interface range command, Switching Configuration
- interfaces, Interfaces–Transparent Interfaces
- adding to routing interfaces, Configuring Routing Instances
- addressing in transparent mode, Interfaces, family bridge, and bridge domains in transparent mode
- aggregate, Aggregate Interfaces–LACP protocol
- configuring, Configuring Interfaces–Configuring Interfaces
- to allow IKE traffic, Configuring IKEv1 Phase 1 gateways
- displaying, Physical Interfaces
- IRB, IRB Interfaces
- J-Web for managing, Interfaces
- logical, Logical Interfaces–Logical Interfaces
- management, Management Interfaces–Management Interfaces
- as members of reth, Configuring Interfaces
- monitoring, Interface monitoring, Interface Monitoring–Interface Monitoring
- number per zone, One interface per zone versus multiple interfaces per zone
- numbering format, Chassis Cluster
- output of statistics, Viewing Flow Exceptions
- physical, Physical Interfaces–Physical Interfaces
- in redundancy group, Redundancy Groups
- in source NAT, Interfaces, Interfaces
- source NAT examples with, Source NAT with interfaces–Source NAT with interfaces
- statistics on, Checking interface statistics
- transparent, Transparent Interfaces
- troubleshooting, Checking Interfaces
- virtual, Virtual Interfaces
- for VPN, terminating, VPN troubleshooting process
- internal clients, IPS deployment, Sample Deployments
- internal servers, IPS deployment, Sample Deployments
- Internet Explorer, J-Web: Your On-Box Assistant
- Internet Key Exchange (IKE) (see IKE (Internet Key Exchange))
- Internet Message Access Protocol (IMAP), antivirus feature for, Branch-Specific Features
- interzone security policies, Security Policy Precedence
- intrazone security policies, Security Policy Precedence, Top to Bottom Policy Evaluation
- intrusion detection and prevention (IDP), Is It IDP or IPS?
- intrusion prevention systems (IPS), Preface
- actual deployment, Actual Deployment
- attack object types, Attack Object Types–Signature performance impacts
- best practices, Best Practices–Best Practices
- configuring, Configuring IPS Features on the SRX–Deploying and Tuning IPS
- automatic updates, Configuring automatic updates
- creating, activating and referencing, Creating, activating, and referencing IPS–Creating, activating, and referencing IPS
- example, Getting started example
- Exempt rulebase, Exempt rulebase
- GZIP/Deflate Decompression, Enabling GZIP/Deflate Decompression
- static and dynamic attack groups, Configuring static and dynamic attack groups
- data center SRX Series features for, Data Center SRX-Specific Features
- for data center servers, Branch-Specific Features
- day-to-day management, Day-to-Day IPS Management
- deploying and tuning, Deploying and Tuning IPS–Day-to-Day IPS Management
- deployments, Sample Deployments–Summary
- false positives and false negatives, False Positives and False Negatives in IPS
- firewall inspection of attack vs., How Does IPS Work?
- how it works, How Does IPS Work?–Dynamic attack groups
- Junos Space and IPS signature downloads, Configuring automatic updates
- licensing, Licensing
- management functionality on SRX, Management IPS Functionality on the SRX
- need for, The Need for IPS, Antivirus + URL Filtering+ IPS?
- packet processing, IPS Packet Processing on the SRX–SRX deployment options
- policy components, IPS Policy Components
- actions, Then actions–Targets and timeouts
- match criteria, Match criteria
- rulebases, Rulebases
- sensor attributes, Sensor Attributes
- SRX deployment options, SRX deployment options
- testing policy, Testing Your Policy–Leveraging sniffer mode for the deployment
- troubleshooting, Troubleshooting and Operation–IP Action Table
- attack table, IPS Attack Table
- checking policy compilation status, Checking Policy Compilation Status
- checking security package version, Checking Security Package Version
- checking status of, Checking IPS Status
- counters for, IPS Counters
- security package installation, Troubleshooting and Monitoring Security Package Installation–Checking Policy Compilation Status
- useful files, Useful IPS files
- and UTM, IPS and UTM
- viewing attack objects and group membership, Viewing IPS attack objects and group membership
- vs. deep inspection/IPS Lite, What Is the Difference Between Full IPS and Deep Inspection/IPS Lite?
- vs. UTM, Unified Threat Management
- IP action table, troubleshooting, IP Action Table
- IP actions, IP actions
- IP addresses, How to Use This Book
- on aggregate interface, Aggregate Interfaces
- configuration, Logical Interfaces
- displaying, Interfaces
- as IKE identity, IKE Identities
- mapping object to, Address objects
- reporting by geographic location, Reporting with STRM
- IP fragments, Block Frag Screen
- IP monitoring, IP Monitoring
- IP options field, Bad IP Option Screen
- IP prefix address objects, IP prefix address objects
- IP prefix, for transform definition, Static NAT transforms
- IP protocols, DoS attacks with, DoS Attacks with IP Protocols–Configuring the Unknown IP Protocol Screen
- IP range objects, IP range objects
- IP Security Option Screen, IP Security Option Screen
- IP Security virtual private network (IPsec VPN), IPsec VPN
- IP Session Limit Screens, Aggressive session aging
- IP Spoofing Screen, IP Spoofing Screen
- IP Stream Option Screen, IP Stream Option Screen
- IP Tear Drop Screen, IP Tear Drop Screen
- IP Timestamp Option Screen, IP Timestamp Option Screen
- IP-Block action, IP actions
- IP-Close action, IP actions
- IP-Notify action, IP actions
- IPS, Acknowledgments, Data Center Services Tier
- (see also intrusion prevention systems (IPS))
- IPS rulebase, creating, Creating, activating, and referencing IPS
- IPsec
- access to SRX Series firewalls, The Junos Enterprise Services Reference Network
- caveats on SRX, IPsec Caveats on SRX
- configuring Phase 2 policy, Configuring Phase 2 IPsec policy
- statistics on, show security ipsec statistics
- termination in HA, IPsec termination in HA
- IPsec VPN (IP Security virtual private network), IPsec VPN
- anti-replay protection for, Anti-Replay Protection
- architecture overview, VPN Architecture Overview–Remote Access VPNs
- authentication algorithms, IPsec Authentication Algorithms
- best practices, Best Practices–Best Practices
- certificate validation, Certificate Validation
- configuring, IPsec VPN Configuration
- certificate preconfiguration tasks, Certificate Preconfiguration Tasks
- NTP, Configuring NTP
- differentiated Services Code Point (DSCP), Differentiated Services Code Point
- encryption algorithms, IPsec Encryption Algorithms
- flow process and, Flow Processing and IPsec VPNs
- fragmentation, Fragmentation
- IKE version 1, IKE Version 1 Overview–Proxy ID negotiation
- manual keys, IPsec Manual Keys
- mode, IPsec VPN Mode
- Network Time Protocol (NTP) for, Network Time Protocol
- preshared key authentication, Preshared key authentication
- vs. certificate, Selecting the Appropriate VPN Configuration
- vs. SSL VPNs, Remote Access VPNs
- IPv4, Logical Interfaces
- IPv6
- enabling flow-based or packet-based processing, Flow Mode and Packet Mode
- encapsulation, Flow Mode and Packet Mode
- NAT automatic translation, Option 3: NAT 64 automatic translation
- NAT translation of IPv4 to, Option 2: NAT46 Static mapping
- packet fragments on, Block Frag Screen
- protocol versions for, Dynamic Routing Protocols
- route configuration, Static Routing
- Screens and, Screen Theory and Examples
- support for IPsec, IPv6 and IPsec on the SRX
- IRB (integrated routing and bridging) interfaces, IRB Interfaces
- IS-IS routing protocol, Dynamic Routing Protocols
- ISSU (unified in-service software upgrade), Configuring the Control Ports
- for VPN, ISSU for VPN
J
- J-Net community, When All Else Fails
- J-Web tool, Device management, SRX GUI Management, J-Web: Your On-Box Assistant–Network connectivity
- configuration management, Configuration management
- dashboard, Dashboard–Informational panels
- chassis view, Chassis view–Chassis view
- customizing, Informational panels
- informational panels, Informational panels–Informational panels
- device configuration, Device Configuration–Point and click CLI
- task wizards, Task wizards–Task wizards
- interface management, Interfaces
- monitoring with, Monitoring Your SRX
- operational tasks, Operational Tasks–Disk management
- Ping option, Network connectivity
- point and click CLI, Point and click CLI
- rebooting, Rebooting
- troubleshooting with, Troubleshooting from J-Web
- viewing security logs, Viewing Security Logs Locally
- Java, Shifting Threats
- JavaScript, Shifting Threats
- JFlow format, JFlow on the SRX
- best practices, Best Practices
- JFlow record export, SRX Logging and Flow Records
- jsrpd daemon, System services that operate on the control plane, The Control Plane, The Data Plane, Activating Juniper Services Redundancy Protocol
- heartbeat messages, Data link
- logging, The Dreaded Priority Zero
- JTAC, When All Else Fails
- jumbo frame, Data Center SRX Series Hardware Overview, Configuring the Fabric Links
- Juniper Day One Library, How to Use This Book
- Juniper Group VPN solution, Group VPN
- Juniper Knowledge Base, Transparent Mode Troubleshooting Steps
- Juniper Local URL filtering, pros and cons, Which URL filtering solution to choose?
- Juniper Networks, Preface
- AX411 Wireless LAN Access Point, Branch-Specific Features, AX411–CX111
- CX111 Cellular Broadband Data Bridge, Branch-Specific Features, CX111
- EX Series Ethernet Switches, Large Branch
- J Series Services Routers, Branch-Specific Features
- management paradigm, Cloud Networks
- MX960 3D Universal Edge Router, Service Provider
- resources for learning SRX, When All Else Fails
- SA Series SSL VPN Appliances, Branch-Specific Features
- Juniper Networks SRX Series products, Foreword, Acknowledgments, Acknowledgments, Welcome to the SRX
- (see also branch SRX series)
- (see also data center SRX Series)
- deployment solutions, Deployment Solutions–The Junos Enterprise Services Reference Network
- cloud networks, Cloud Networks–Cloud Networks
- data center, Data Center
- large branch, Large Branch–Large Branch
- medium branch, Medium Branch
- mobile carriers, Mobile Carriers–Mobile Carriers
- service provider, Service Provider–Service Provider
- small branch, Small Branch
- development, Preface
- hardware platform, The SRX Series Platform–Built for Services
- inherited ScreenOS features, Inherited ScreenOS features
- predecessors, Evolving into the SRX
- SRX100, Small Branch, The Junos Enterprise Services Reference Network, SRX100 Series–SRX100 Series
- capacities, SRX100 Series
- SRX110, SRX100 Series
- SRX1400, Data Center Edge
- SRX200 Series, SRX200 Series–Interface modules for the SRX200 line
- interface modules for, Interface modules for the SRX200 line
- SRX210, Small Branch
- capacities, SRX200 Series
- enhanced version, SRX200 Series
- SRX220, SRX200 Series
- capacities, SRX200 Series
- SRX240, Medium Branch, The Junos Enterprise Services Reference Network, SRX200 Series
- capacities, SRX200 Series
- SRX3000, Data Center Edge, Interface card
- SRX Clustering Module, Configuring the Control Ports
- SRX5000 Series, Preface, Interface card
- control ports, Configuring the Control Ports
- switch control board (SCB), Switch control board
- SRX550, Medium Branch, Large Branch
- SRX5800, Data Center Services Tier, The Junos Enterprise Services Reference Network
- for mobile carrier networks, Mobile Carriers
- PIC status, Verifying the Data Plane
- SRX5800 Services Gateway
- in cloud network, Cloud Networks
- SRX650, Large Branch, The Junos Enterprise Services Reference Network
- upgrade process, Software management
- VPN components, Other SRX VPN Components–Dynamic VPN
- VPN types, SRX VPN Types–Which should you use: Policy- or route-based VPN?
- policy-based, Policy-Based VPNs
- route-based, Route-Based VPNs
- Juniper Services Redundancy protocol, activating, Activating Juniper Services Redundancy Protocol
- Juniper Support
- Knowledge Base, Application contexts
- Technical Bulletins, Attack database
- juniper-nsp mailing list, When All Else Fails
- Junos Enterprise Services Reference Network, The Junos Enterprise Services Reference Network–The Junos Enterprise Services Reference Network
- Junos OS, Preface, Preface, ScreenOS to Junos
- common shared codebase, Built for Services
- control plane, System Services and the Control Plane
- device management, Device management–Device management
- downgrade process for, Software management
- modular architecture, ScreenOS to Junos
- SNMP MIB, Junos SNMP MIB
- Junos Script, Device management
- Junos Space, Device management, Centralized Management, Space: The Final Frontier of Management–Firewall policy management
- application dashboard, The Junos Space ecosphere
- firewall policy management, Firewall policy management
- and IPS signature downloads, Configuring automatic updates
- Security Director, Security Director
- viewing IPS attack objects in, Viewing IPS attack objects and group membership
- junos-host zone type, Host security policies
- Junos-Local Feature profile, Juniper Local feature profile options
- junos:web, vs. junos:HTTP, Configuring a whitelist application ruleset
- JunosV Firefly (virtual Junos), JunosV Firefly (Virtual Junos)
K
- Kaspersky Express AV engine, Express AV
- default profile for configuring, Default Express AV profile
- pros and cons, Which AV to Choose?
- Kaspersky Full AV, Kaspersky Full AV
- configuring scanning and fallback options, Configuring Kaspersky AV scanning and fallback options
- pros and cons, Which AV to Choose?
- Kerberos ticket, UserFW functionality overview, Miscellaneous Active Directory tasks, Operating UserFW
- key lifetimes, IKEv1 Key Lifetimes, Configuring Phase 1 proposals, Configuring IKEv1 Phase 2 proposals
- troubleshooting, VPN troubleshooting process
- ksyncd kernel, The Control Plane
- KTpass command, Miscellaneous Active Directory tasks
L
- LACP (Link Aggregate Control Protocol), LACP protocol
- LAND Attack Screen, LAND Attack Screen
- large branch deployment, Large Branch
- reference network, The Junos Enterprise Services Reference Network
- latency issues, VPN design and, Full Mesh VPNs
- Layer 2 active/active mode, High Availability with Transparent Mode
- Layer 2 domain, transparent mode for segmenting, Segmenting a Layer 2 domain
- Layer 2 loop, Spanning Tree
- Layer 2 security zone, Transparent Mode Zones
- Layer 2 switch, destination MAC addresses and, MAC Address Learning
- Layer 2, switching from Layer 3, Configuring Transparent Mode Basics
- Layer 3 mode, Transparent Interfaces
- Layer 3/Layer 4 applications, creating, Creating Layer 3/Layer 4 applications
- layered security, IPS and UTM
- least privilege concept
- for Screens, Best Practices
- for security policy, Best Practices
- licensing
- AppSecure, AppSecure Licensing
- for branch SRX series, Licensing
- intrusion prevention systems (IPS), Licensing, Getting Started with IPS on the SRX
- key, and SRX100 memory, SRX100 Series
- Unified Threat Management (UTM), UTM Licensing
- configuring, Configuring Licensing
- User Role Firewall, UserFW packaging and licensing
- UTM features, UTM Engine
- line rate switching, Branch-Specific Features
- Link Aggregate Control Protocol (LACP), LACP protocol
- load sharing, active/active deployment for, Active/active
- local interfaces, Interfaces, Mixed mode, Configuring Interfaces, Configuring Interfaces
- six pack deployment, Six pack
- Local URL filtering, URL filtering flavors, URL Filtering
- default profile, Default local URL filtering profile
- profile options, Juniper Local feature profile options
- local users, configuration, Configuring local users
- Log/Log-Create action, IP actions
- logging, SRX Logging and Flow Records–JFlow on the SRX
- AppQoS, Logging
- by AppTrack, Configuring and Deploying AppTrack
- best practices, Best Practices
- to control plane, configuring Event mode, Configuring Event mode logging to the control plane
- data plane vs. control plane, Control Plane Versus Data Plane Logs
- on firewall policies, Best Practices
- formats, Configuring Stream mode logging on the data plane–Syslog format types
- for IPS monitoring, Day-to-Day IPS Management
- packets in IPS, Packet logging
- sample firewall, Sample firewall logs
- sampling rates for, JFlow on the SRX
- in security policy, Action Criteria
- in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
- STRM for managing, Log Management with STRM
- UTM messages, Logging UTM Messages
- viewing with NAT, View Firewall Logs with NAT
- logical interfaces, Physical Interfaces, Logical Interfaces–Logical Interfaces, One interface per zone versus multiple interfaces per zone
- login
- to J-Web tool, J-Web: Your On-Box Assistant
- for local users, Configuring local users
- login class, creating, Creating a login class
- Login Sessions panel, Informational panels
- loop, in routed network, Spanning Tree
- Loose Source Route Option, Route Option Screens
- loss priority, Loss priority
M
- MAC (see media access control (MAC) addresses)
- MAG Pulse appliance, The Junos Enterprise Services Reference Network
- Main mode for IKE negotiation, Main mode, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
- vs. Aggressive mode, Selecting the Appropriate VPN Configuration
- Major severity level of attacks, Severities
- malware, IPS and UTM, Shifting Threats
- managed service provider (MSP) environment, Service Provider
- Management Daemon (MGD), System services that operate on the control plane
- management interface, Management Interfaces–Management Interfaces
- management paradigm, for Juniper Networks, Cloud Networks
- management services, Management Services–Junos SNMP MIB
- best practices, Best Practices
- command-line interface (CLI), Command-Line Interfaces–Configuring SSH access
- management zone, Functional Zones
- manual failover, Manual Failover–Manual Failover
- manual key exchange, IKE Version 1 Overview
- many-to-many mapping, static NAT, Static NAT many-to-many mapping–Option 3: NAT 64 automatic translation
- Mark-Diffserv IPS action, IPS actions
- master-only IP, Node-Specific Information
- match criteria, in security policy, Match Criteria–Configuring schedulers
- match policy, Security policy tools
- matched sessions, Operating SSL Forward Proxy
- maximum connectivity, example SRX5800 configuration for, SRX5000 Series
- maximum segment size (MSS), Fragmentation
- maximum transmission unit (MTU), Fragmentation
- MD5 (Message-Digest algorithm 5), IPsec Authentication Algorithms
- media access control (MAC) addresses, How to Use This Book
- learning, MAC Address Learning
- for reth, Interfaces
- troubleshooting, Transparent Mode Troubleshooting Steps
- unknown destination, Transparent Mode Specific Options
- medium branch location, deployment to, Medium Branch
- memory
- on SRX100, SRX100 Series
- Resource Utilization panel to display, Informational panels
- Message-Digest algorithm 5 (MD5), IPsec Authentication Algorithms
- metric options, for static routing, Static Routing
- MGD (Management Daemon), System services that operate on the control plane
- MIB (Management Information Base), monitoring, Junos SNMP MIB
- mini-PIMs, Interface modules for the SRX200 line
- Minor severity level of attacks, Severities
- mixed mode, for high availability clusters, Mixed mode
- mobile carriers
- data center SRX Series for, SRX5000 Series
- deployment of, Mobile Carriers–Mobile Carriers
- mobility, of computing devices, User Role Firewalling
- monitor flow, Performing a Flow Trace
- MPLS, Branch-Specific Features, Branch Summary
- MSP (managed service provider) environment, Service Provider
- MSS (maximum segment size), Fragmentation
- MTU (maximum transmission unit), Fragmentation
- Multiple Spanning Tree Protocol (MSTP), Spanning Tree, Spanning Tree Protocol in transparent mode Layer 2 deployments
- interfaces to enable, Spanning Tree
- Muuss, Mike, Network connectivity
N
- names
- for rib, Static Routing
- for routing instances, Configuring Routing Instances
- for zones, Sample Deployment
- NAT (see Network Address Translation (NAT))
- NAT scenarios, in session table, Viewing the Firewall Session Table
- National Institute of Standards and Technology (NIST), IPsec Encryption Algorithms
- negated objects, source and destination, for security zones, Negated source and destination objects
- nested application signatures, Nested application signatures
- NETCONF protocol, Device management
- NetConf protocol, Space: The Final Frontier of Management
- enabling over SSH, Enabling NetConf over SSH
- NetScreen Screen OS platforms, Preface
- NetScreen Security Manager (NSM), Legacy Security Management–Using NSM
- NetScreen Technologies, Evolving into the SRX
- Network Address Translation (NAT), Acknowledgments, Acknowledgments, Network Address Translation
- (see also source NAT)
- (see also static NAT)
- best practices, Best Practices
- Junos components, Junos NAT Components–When you don’t need Proxy-ARP/NDP
- Junos fundamentals, Junos NAT Fundamentals–NAT type precedence
- types, Junos NAT Types
- keepalives configuration, Configuring IKEv1 Phase 1 gateways
- need for, The Need for NAT
- in practice, Junos NAT in Practice
- precedence in Junos event chain, NAT Precedence in the Junos Event Chain–NAT type precedence
- rules, NAT Rules
- ScreenOS for, The SRX Series Platform
- security policies and, NAT and Security Policies
- troubleshooting, NAT Rule and Usage Counters
- flow debugging, Flow Debugging with NAT–Static NAT
- rule and usage counters, NAT Rule and Usage Counters–Viewing the Session Table
- session table, Viewing the Session Table–View NAT Errors
- viewing firewall logs, View Firewall Logs with NAT
- viewing errors, View NAT Errors–View Firewall Logs with NAT
- Network Address Translation Traversal (NAT-T)
- configuring, Configuring IKEv1 Phase 1 gateways
- VPN and, NAT Traversal
- Network and Security Manager (NSM), Device management, Centralized Management, Management IPS Functionality on the SRX
- Network Control forwarding class, Forwarding class
- network design, security policy enforcement and, Best Practices
- network processing card (NPC), monitoring, Network Processing Card
- Network Processing Units (NPUs), NPU–NPU
- for scaling, Data Center SRX Series Hardware Overview
- network protocols, Preface, SRX Networking Basics, Functional Zones, Basic Protocols–Spanning Tree
- decoding in IPS processing, Packet processing path
- dynamic routing, Dynamic Routing Protocols
- Network Time Protocol (NTP), Network Time Protocol–Configuring the SRX as an NTP server, Best Practices
- best practices, Best Practices
- for IPsec VPN, Network Time Protocol
- configuring, Configuring NTP
- SRX configuration as server, Configuring the SRX as an NTP server
- network-based threats, IPS and UTM
- networking
- attacker use of ICMP to map, ICMP IP Sweep Screen
- sample deployment, Sample Deployment–Sample Deployment
- troubleshooting
- connectivity, Network connectivity
- equipment, Transparent Mode Troubleshooting Steps
- networking services, Networking Services–Configuring the SRX as a DHCP relay server
- on control plane, System services that operate on the control plane
- DHCP (Dynamic Host Configuration Protocol), Dynamic Host Configuration Protocol
- DNS (Domain Name System), Domain Name System
- Next Generation Services Processing card, monitoring, Services Processing Card/Next Generation Services Processing Card
- next-hop keyword, Static Routing
- Next-Hop Tunnel Binding (NHTB), Special point-to-multipoint attributes
- NG-PSU (next-generation power supply units), SRX5000 Series
- NG-SPC (Next Generation SPC), NG-SPC
- NHTB (Next-Hop Tunnel Binding), Special point-to-multipoint attributes
- nine-tuple, Packet Flow
- NIST (National Institute of Standards and Technology), IPsec Encryption Algorithms
- No-Action IPS action, IPS actions
- best practices, Best Practices
- no-NAT rules, with source or destination NAT, No-NAT with Source or Destination NAT–No-NAT with Source or Destination NAT
- no-old-master-upgrade command, Configuring the Control Ports
- node ID, Node ID
- nonalphameric characters, in preshared keys, Preshared key authentication
- notification actions in IPS, Notification actions
- Notification options, in Sophos feature profile, Sophos AV feature profiles
- NPU (network processor), IOC modules
- bundling, NPU
- NSM (see Network and Security Manager (NSM))
- NSPC card, for SRX1400, SRX1000 Series
- NTP (see Network Time Protocol (NTP))
O
- objects, defining in global zone, Address books
- OCSP (Online Certificate Status Protocol), Certificate Validation, Certificate Validation
- Office documents, attacks using, Shifting Threats
- office environment, reference network, The Junos Enterprise Services Reference Network
- one-to-one mapping, static NAT, Static NAT one-to-one mapping–Static NAT one-to-one mapping
- OneSecure, Is It IDP or IPS?
- Online Certificate Status Protocol (OCSP), Certificate Validation, Certificate Validation
- OpenSSH, Configuring SSH access
- Optimized option, for SRX VPN monitoring, VPN Monitoring
- OSI (Open Systems Interconnection) model, How to Use This Book
- Out of resources option, for Sophos engine, Sophos AV feature profiles
- out-of-band attacks, listening for, SRX deployment options
- out-of-band network, for management, Management Interfaces
- outbound management requests, policy to restrict, Configuring a policy to restrict inbound or outbound management requests
- overflow pools in NAT, Pools
- best practices, Best Practices
P
- Packet Captures (PCAPs), Performing a Packet Capture on SRX Branch–Performing a Packet Capture on SRX Branch
- best practices, Best Practices
- on high-end SRX, Performing a Packet Capture on the High-End SRX–Performing a Packet Capture on the High-End SRX
- for troubleshooting, Packet capture
- packet filters, Preface
- packet flooding, Transparent Mode Specific Options
- packet flow, Packet Flow–Packet Flow
- NAT and, NAT Precedence in the Junos Event Chain
- Screens and, How Screens Fit into the Packet Flow
- Packet Forwarding Engine (PFE), Built for Services
- packet mode, Branch-Specific Features, Flow Mode and Packet Mode
- in branch SRX Series, Branch Summary
- packet rate, Data Center SRX Series Hardware Overview
- packet size, Data Center SRX Series Hardware Overview
- packet-based Screens, Packet versus threshold Screens
- packets
- fragmentation, Block Frag Screen
- in ICMP, ICMP Large Packet Screen
- processing for IPS, IPS Packet Processing on the SRX–SRX deployment options
- processing in IPS
- logging, Packet logging
- TCP fragmentation of, SYN-Frag Screen
- parallel processing, Branch SRX Series Hardware Overview–Branch SRX Series Hardware Overview
- partial mesh VPNs, Partial Mesh VPNs
- pathfinder tool, How to Use This Book
- PCAPs (see Packet Captures (PCAPs))
- PDF documents, attacks using, Shifting Threats
- Perfect Forward Secrecy (PFS), Perfect Forward Secrecy, Selecting the Appropriate VPN Configuration
- performance, Data Center SRX Series Hardware Overview–Data Center SRX Series Hardware Overview
- permissions, login classes to control, Creating a login class
- Permit action, in security policy, Action Criteria
- persistent NAT, Other SRX source NAT configuration options
- PFS (Perfect Forward Secrecy), Perfect Forward Secrecy, Selecting the Appropriate VPN Configuration
- phone-home traffic, Stages of a System Compromise
- PHY (physical chip), in SRX5000, IOC modules
- physical interface card (PIC), SRX3000 Series
- physical interfaces, Physical Interfaces–Physical Interfaces
- disabling, Physical Interfaces
- physical locations, multiple, for data center, Data Center
- PIM card, diagram for SRX650, Interface modules for the SRX600 line
- ping, Network connectivity, VPN troubleshooting process
- enabling, Sample Deployment
- for IP monitoring, IP Monitoring
- ping of death screen, ICMP Ping of Death Screen
- ping probe, IP Monitoring
- point-to-multipoint NHTB, Point-to-multipoint NHTB
- policy-based VPNs, Policy-Based VPNs
- configuring, Configuring policy-based VPNs
- troubleshooting, VPN troubleshooting process
- vs. route-based, Selecting the Appropriate VPN Configuration
- policy-driven management system, for large networks, Device management
- pools for source NAT, Pools
- port scans, detection, TCP Port Scan Screen
- ports, AppSecure Basics
- randomization in source NAT, Other SRX source NAT configuration options
- spanning-tree operational commands to identify status, Spanning Tree
- for Telnet/SSH, Configuring SSH access
- Post Office Protocol 3 (POP3), antivirus feature for, Branch-Specific Features
- Power over Ethernet (PoE)
- ports, SRX200 Series
- SRX550 support for, SRX500 Series
- power supplies, monitoring, Power supplies
- precedence
- NAT in Junos event chain, NAT Precedence in the Junos Event Chain
- NAT rulesets, NAT ruleset precedence
- predefined proposal set, vs. custom proposal sets, Selecting the Appropriate VPN Configuration
- predictive session identification, Predictive session identification
- preference options, for static routing, Static Routing
- Preferred Ciphers, for SRX/Servers, Configuring SSL Forward Proxy on the SRX
- prefix name, for transform definition, Static NAT transforms
- preshared key authentication
- configuring, Configuration for Remote-Office1 proposal with preshared keys, Configuring IKEv1 Phase 1 policies
- configuring IKEv1 Phase 1 IKE policy, Configuring IKEv1 Phase 1 IKE policy with preshared key, Main mode
- for VPN, Preshared key authentication
- vs. certificate, Selecting the Appropriate VPN Configuration
- primary actions, in security policy, Action Criteria
- priority zero, troubleshooting, The Dreaded Priority Zero
- private IP addresses, from NAT, The Need for NAT
- private mode, for chassis cluster, Differences from Standalone
- privilege escalation phase of attack, Stages of a System Compromise
- protocol anomaly attack objects, Attack Object Types
- protocols (see network protocols)
- proxy IDs
- configuring, Configuring route-based VPNs
- negotiation for VPN, Proxy ID negotiation
- for policy-based VPNs, Policy-Based VPNs
- for route-based VPNs, Route-Based VPNs
- troubleshooting, VPN troubleshooting process
- proxy server, SRX configuration as, Configuring the SRX as a proxy server
- proxy-ARP, Proxy-ARP and Proxy-NDP–When you don’t need Proxy-ARP/NDP
- configuring, Configuring Proxy-ARP/NDP
- proxy-based firewall, Preface
- proxy-NDP (Neighbor Discovery Protocol), Proxy-ARP and Proxy-NDP–When you don’t need Proxy-ARP/NDP
- configuring, Configuring Proxy-ARP/NDP
- when no need of, When you don’t need Proxy-ARP/NDP
- public IP addresses, The Need for NAT
- public network, access to, Mobile Carriers
- Putty, Configuring SSH access
Q
- quad-slot X-PIM card, Interface modules for the SRX600 line
- Quality of Service (QoS) in transparent mode, QoS in Transparent Mode
- Quick mode in phase 2 IKE, Phase 2 IKE negotiation modes, Quick mode
R
- radio frequency (RF) interference, Branch-Specific Features
- RADIUS, Remote authentication
- Rapid Spanning Tree Protocol (RSTP), Spanning Tree
- rate limiter, in AppQoS, Rate limiter, Configuring an AppQoS example
- real-time object (RTO), The Data Plane
- realms, configuring on IC, Configuring realms, roles, and sign-in policies
- reboot
- after software upgrade, Software management
- with J-Web tool, Rebooting
- Recommended IPS action, IPS actions
- Reconnaissance phase of attack, Stages of a System Compromise
- Record Route Option, Route Option Screens
- redirect rules, for unauthenticated users, Operating UserFW
- redundancy groups, Redundancy Groups, Redundancy Groups–Redundancy Groups
- global options for monitoring, IP Monitoring
- redundant fabric link, Configuring the Fabric Links
- redundant power supplies, Power supplies
- reference network, The Junos Enterprise Services Reference Network
- reject action
- for all traffic, rule for, Configuring a hybrid application ruleset
- in security policy, Action Criteria
- reject option, for static routing, Static Routing
- remote access clients
- configuring, Configuring dynamic gateways and remote access clients
- configuring IKEv1, Configuring an IKEv1 remote access client
- remote access VPN, Remote Access VPNs
- sample deployment, Remote Access VPN
- remote authentication, Remote authentication
- remote offices, IKEv1 Phase 2 proposal for, Configuring an IKEv1 Phase 2 proposal for remote offices and client connections
- Remote-Office-Cert proposal, configuring with certificates, Configuration for Remote-Office1 proposal with certificates
- Remote-Office-PSK proposal, configuring, Configuration for Remote-Office1 proposal with preshared keys
- Renegotiation option, SSL support for, Configuring SSL Forward Proxy on the SRX
- Request for Comments (RFC) 4741, on NetConf protocol, Space: The Final Frontier of Management
- request security idp security-package download status command, Troubleshooting and Monitoring Security Package Installation
- request security idp security-package install status command, Troubleshooting and Monitoring Security Package Installation
- request services application-identification command, Checking the AppID package
- request services application-identification install command, Checking the AppID package
- request services application-identification uninstall command, Checking the AppID package
- request support information command, When All Else Fails
- request system license add command, AppSecure Licensing, Getting Started with IPS on the SRX, Configuring Licensing
- Resource Utilization panel, Informational panels
- resource-manager qualifier, for sessions using ALGs, Application Layer Gateways
- REST (Representational State Transfer) protocol, Space: The Final Frontier of Management
- restart <service> command, Restarting Platform Daemons
- reth (redundant Ethernet interface), Aggregate Interfaces, Interfaces, Integrating the Cluster into Your Network
- checking status of, Checking Interfaces
- Reverse Proxy (SSL Inspection), SSL Inspection (Reverse Proxy)
- revoked certificates, list of, Certificate Validation
- rib (routing information base), Static Routing
- roles, configuring on IC, Configuring realms, roles, and sign-in policies
- root password on authentication, Task wizards
- route engine (RE)
- flowd daemon for monitoring, Software Monitoring
- monitoring, Route engine
- in SRX cluster, Chassis Cluster
- in SRX1000, SRX1000 Series
- in SRX3000, SRX3000 Series
- in SRX5000, SRX5000 Series
- route keyword, Static Routing
- route lookup, Static Routing
- Route Option Screens, Route Option Screens
- route-based VPNs, Route-Based VPNs
- best practices, Best Practices
- configuring, Configuring route-based VPNs
- troubleshooting, VPN troubleshooting process
- vs. policy-based, Selecting the Appropriate VPN Configuration
- routers, How to Use This Book
- virtual, Inherited ScreenOS features
- routing
- configuring, Configuring route-based VPNs
- protocol preferences, Static Routing
- static, Static Routing–Static Routing
- transparent mode for complex environments, Complex routing environments
- troubleshooting, Static Routing
- routing information base (rib), Static Routing
- routing instances, Routing Instances
- configuring, Configuring Routing Instances–Configuring Routing Instances
- types, Routing Instance Types
- routing mode, Transparent Interfaces
- Routing Protocol Daemon (RPD), System services that operate on the control plane
- routing table, statistics on, Static Routing
- routing-options hierarchy, static routes added to, Static Routing
- RST packets, TCP sequence check configuration for, Configuring TCP sequence checks for RST packets
- RSTP (Rapid Spanning Tree Protocol), Spanning Tree
- RT (real time), Sample firewall logs
- RTO (real-time object), The Data Plane
- rulebases, in IPS policy, Rulebases
- rulesets, in NAT, Rulesets–When you don’t need Proxy-ARP/NDP
- run command, Aggregate Interfaces
S
- sampling rates, for logs, JFlow on the SRX
- scalable services, Built for Services
- scaling
- by cloud network, Cloud Networks
- under load, Built for Services
- scan options
- for Kaspersky Full AV, Kaspersky Full AV
- in Sophos feature profile, Sophos AV feature profiles
- SCEP (Simple Certificate Enrollment Protocol), Simple Certificate Enrollment Protocol, Best Practices
- scheduler objects, in security policy, Security Policy Criteria and Precedence, Schedulers–Configuring schedulers
- screen feature, for DoS attack, Service Provider
- Screen profiles
- applying to zones, Applying Screen profiles to single and multiple zones
- configuring, Configuring a Screen profile
- ScreenOS operating system
- limitations, ScreenOS to Junos
- services provided, The SRX Series Platform
- ScreenOS platform, Evolving into the SRX
- inherited features from, Inherited ScreenOS features
- IP/MAC mapping in, Configuring Proxy-ARP/NDP
- NAT and, Junos NAT Fundamentals
- service objects in, Application objects
- Screens
- best practices, Best Practices
- defined, Screens and Flow Options
- in hardware and software, Screens in Hardware and Software
- packet flow and, How Screens Fit into the Packet Flow
- profiles, Screen Profiles
- deployment, Sample Deployment–Summary
- session limit, Session Limit Screens–Configuring the Destination IP Session Limit Screen
- theory and examples, Screen Theory and Examples–Configuring the TCP initial session timeout and TCP time wait timeout
- troubleshooting, Troubleshooting and Operation–Sample Deployment
- viewing attack statistics, Viewing the Screen Attack Statistics
- viewing profile settings, Viewing Screen Profile Settings
- secondary actions, in security policy, Action Criteria
- Secure Hash Algorithm 1 (SHA-1), IPsec Authentication Algorithms
- Secure Hash Algorithm 2 (SHA-2), IPsec Authentication Algorithms
- Secure Sockets Layer (SSL), SSL Forward Proxy
- SSL Forward Proxy, SSL Forward Proxy
- secure tunnel interface (st0 interface) (see st0 interfaces)
- SecureCRT, Configuring SSH access
- security, Preface
- legacy management, Legacy Security Management–Using NSM
- NAT and, NAT as a Security Component?
- zones for, Security Zones
- Security Design (SD) application, Device management, Viewing IPS attack objects and group membership
- security packages, Security Packages
- installation troubleshooting, Troubleshooting and Monitoring Security Package Installation–Checking Policy Compilation Status
- security policies, Security Policies
- best practices, Best Practices–Best Practices
- components, Security Policy Components in Depth–Enabling an ALG example
- action criteria, Action Criteria–Configuring a policy to restrict inbound or outbound management requests
- match criteria, Match Criteria–Configuring schedulers
- configuring, Configuring security policies–Host security policies
- configuring to control data plane management traffic, Configuring a security policy to control data plane management traffic
- criteria, Security Policy Criteria and Precedence
- deployment, Sample Deployment–Summary
- host, Host security policies
- NAT and, NAT and Security Policies
- permit options, Permit options
- precedence, Security Policy Precedence–Top to Bottom Policy Evaluation
- rule placement, Configuring security policies
- tools, Security policy tools
- in transparent mode, Transparent Mode Security Policy
- troubleshooting, Troubleshooting and Operation–Performing a Packet Capture on the High-End SRX
- viewing, Viewing Security Policies–Security policy tools
- security policy context, Security Policy Precedence
- Security Resources panel, Informational panels
- security services, Foreword
- security zones, Security Zones, Security Policy Criteria and Precedence, Security zones
- configuring, Sample Deployment, Configuring security zones
- in transparent mode, configuring, Configuring Transparent Mode Security Zones–Configuring Transparent Mode Security Policies, Sample Deployments
- security-related events, logs, Configuring control plane logging on the SRX
- self-signed CA certificate, creating, Configuring SSL Forward Proxy on the SRX
- separation of duties, transparent mode for, Separation of duties
- serial port connection, SRX200 line support, Interface modules for the SRX200 line
- serialization processing, in IPS processing, Packet processing path
- server load balancing, Data Center Services Tier
- server-to-client attacks, Direction-specific detection
- service objects, in ScreenOS, Application objects
- Service Processing Card (SPC), SPC
- service provider, deployment to, Service Provider–Service Provider
- services
- defined, The SRX Series Platform
- restarting, Restarting Platform Daemons
- viewing on interface, Viewing the Services/Counters on the Interface–Viewing the Services/Counters on the Interface
- Services and Routing Engine (SRE), SRX600 Series
- services gateway, Welcome to the SRX
- Services Processing card (SPC), monitoring, Services Processing Card/Next Generation Services Processing Card
- Services Processing Units (SPUs), SPC
- capacities, SPC
- for scaling, Data Center SRX Series Hardware Overview
- session ageout, Session teardown
- Session Close logs, Action Criteria
- session init logs, Action Criteria
- session keepalives, Configuring IKEv1 Phase 1 gateways
- session limit screens, Session Limit Screens–Configuring the Destination IP Session Limit Screen, Best Practices
- session resumption, Configuring SSL Forward Proxy on the SRX
- session table, SPC
- NAT scenarios in, Viewing the Firewall Session Table
- output of, Packet Flow
- troubleshooting, Viewing the Session Table–View NAT Errors
- viewing, Viewing the Firewall Session Table–Sample firewall logs
- session timeout, Session teardown
- sessions, SRX100 Series
- closing, Application objects
- defining number from individual source, Source IP Session Limit Screen
- synchronization, Configuring the Fabric Links
- terminating, Session teardown
- troubleshooting, Transparent Mode Troubleshooting Steps
- set apply-groups “${node}” command, Node-Specific Information
- set chassis cluster command, Activating Juniper Services Redundancy Protocol
- set commands
- for physical interfaces, Physical Interfaces
- set gratuitous-arp-count command, Configuring Interfaces
- set interfaces command, Configuring VLAN Rewriting
- set redundancy-group command, configuration options, IP Monitoring
- set security forwarding-options inet6 command, Static NAT one-to-one mapping
- set system name-server command, Antispam
- Setup wizard, in J-Web, Task wizards–Task wizards
- seven-tuple, Packet Flow
- severity levels, of attacks, Severities
- SHA-1 (Secure Hash Algorithm 1), IPsec Authentication Algorithms
- SHA-2 (Secure Hash Algorithm 2), IPsec Authentication Algorithms
- shared configuration, vs. standalone, Differences from Standalone
- shellcode, Stages of a System Compromise
- show bridge domain command, The show bridge domain Command, Transparent Mode Troubleshooting Steps
- show bridge mac-table command, The show bridge mac-table Command, Transparent Mode Troubleshooting Steps
- show chassis cluster control-plane statistics command, Configuring the Control Ports, First Steps, First Steps
- show chassis cluster interfaces command, Checking Interfaces
- show chassis cluster statistics command, Configuring the Control Ports
- show chassis cluster status command, Activating Juniper Services Redundancy Protocol, Configuring the Control Ports, First Steps, The Dreaded Priority Zero
- show chassis fpc pic-status command, Control link and data link failure, Verifying the Data Plane, Verifying the Data Plane
- show chassis hardware command, Physical Interfaces, Verifying the Data Plane
- show chassis routing-engine command, Best Practices
- show class-of-service application-traffic-control command, Operating Application QoS
- show class-of-service command, Operating Application QoS
- show groups junos-defaults command, Default profile configuration
- show interfaces extensive command, Monitoring Interface Counters
- show interfaces terse command, Physical Interfaces, Sample Deployment, Checking Interfaces
- show interfaces | display inheritance command, Sample Deployments
- show l2-learning global-information command, The show l2-learning global-information Command
- show l2-learning global-mac-count command, The show l2-learning global-mac-count Command
- show l2-learning interface command, The show l2-learning interface Command
- show log command, Configuring control plane logging on the SRX
- show log jsrpd command, The Dreaded Priority Zero
- show ntp associations command, Checking NTP Status
- show ntp status command, Checking NTP Status
- show route command, Static Routing
- show security anti-virus statistics command, Antivirus
- show security flow ip-action command, IP Action Table
- show security flow session <modifiers> command, Transparent Mode Troubleshooting Steps
- show security flow session ? command, Viewing the Firewall Session Table–Sample firewall logs
- show security idp attack detail command, Viewing IPS attack objects and group membership
- show security idp attack table command, IPS Attack Table
- show security idp policy-commit-status command, Checking Policy Compilation Status
- show security idp security-package-version command, Checking the AppID package, Checking Security Package Version
- show security idp status command, Creating, activating, and referencing IPS, Checking IPS Status
- show security ike security-associations command, show security ike security-associations
- show security ipsec inactive-tunnels command, show security ipsec inactive-tunnels
- show security ipsec security-associations command, show security ipsec security-associations
- show security ipsec statistics command, show security ipsec statistics
- show security match-policies command, Operating UserFW
- show security monitoring fpc <x> command, Best Practices
- show security nat destination pool command, NAT Rule and Usage Counters
- show security nat destination rule command, NAT Rule and Usage Counters
- show security nat destination summary command, NAT Rule and Usage Counters
- show security nat interface-nat-ports command, NAT Rule and Usage Counters
- show security nat source pool command, NAT Rule and Usage Counters
- show security nat source rule command, NAT Rule and Usage Counters
- show security nat source summary command, NAT Rule and Usage Counters
- show security nat static rule command, NAT Rule and Usage Counters
- show security policies command, Viewing Security Policies
- show security screen ids-option <Screen> command, Viewing Screen Profile Settings
- show security screen statistics interface|zone command, Viewing the Screen Attack Statistics
- show security utm <feature> statistics | status command, Best Practices
- show security utm anti-spam statistics command, Antispam
- show security utm anti-spam status command, Antispam
- show security utm anti-virus command, Antivirus
- show security utm web-filtering statistics command, URL Filtering
- show security utm web-filtering status command, URL Filtering
- show security zones command, Sample Deployment
- show services application-identification application-system-cache command, Checking the AppID engine settings and cache
- show services application-identification version command, Checking the AppID package
- show services ssl proxy statistics command, Operating SSL Forward Proxy
- show snmp mib walk command, Junos SNMP MIB, Checking SNMP Status
- show spanning-tree interface command, Transparent Mode Troubleshooting Steps
- show system connections command, Viewing the System Connection Table
- show system core-dumps command, Core Dumps
- show system license command, UTM Engine
- show system processes extensive | match IDPD command, Restarting Platform Daemons
- show system services dhcp command, DHCP Operational Mode Commands
- show | compare command, Aggregate Interfaces
- show | display inheritance command, Node-Specific Information
- sign-in policies, configuring on IC, Configuring realms, roles, and sign-in policies
- signature-based attack objects, Attack Object Types
- signature-based pattern matching, Signature-based pattern matching–Keeping honest applications honest, Enabling application identification heuristics
- signatures
- nested application, Nested application signatures
- performance impact in IPS, Signature performance impacts
- SignatureUpdate.xml file, Useful IPS files
- Simple Certificate Enrollment Protocol (SCEP), Simple Certificate Enrollment Protocol
- Simple Mail Transfer Protocol (SMTP), antivirus feature for, Branch-Specific Features
- Simple Network Management Protocol (SNMP)
- best practices, Best Practices
- configuring traps, Configuring SNMP Traps
- in high availability clusters, SNMP in High Availability Chassis Clusters
- management, SNMP Management–Junos SNMP MIB
- site-to-site IPsec VPN, Site-to-Site IPsec VPNs
- configuring component, Configuring a common site-to-site VPN component
- sample deployment, Site-to-Site VPN–Remote Access VPN
- six pack deployment, for high availability, Six pack
- Skype, SSL and, AppFW with encrypted applications
- slow-path packet processing, Slow-path SPU packet processing
- Slowloris attack, Session Limit Screens
- small branch location
- deployment to, Small Branch
- reference network with SRX100 device, The Junos Enterprise Services Reference Network
- Small Form-Factor Pluggable Interface Modules (SFP) mini-PIM ports, on SRX200, Interface modules for the SRX200 line
- smart phones, Preface
- sniffer mode, for IPS, SRX deployment options, Leveraging sniffer mode for the deployment
- SNMP (see Simple Network Management Protocol (SNMP))
- software
- J-Web for managing, Software management
- monitoring, Software Monitoring
- Screens in, Screens in Hardware and Software
- Sophos engine, Antivirus, Sophos AV
- default profile for configuring, Configuring Sophos with a default profile
- feature profile example, Configuring Sophos feature profile example
- feature profiles, Sophos AV feature profiles
- inspection diagram, Sophos AV
- pros and cons, Which AV to Choose?
- source address, in IPS policy, Match criteria
- source identity, Source-Identity
- source NAT, Junos NAT Types
- best practices, Best Practices
- combining with destination NAT, Combination Source and Destination NAT–Combination Source and Destination NAT
- examples, Source NAT–Destination NAT
- with interfaces, Source NAT with interfaces–Source NAT with interfaces
- with pools and interfaces, Source NAT with pools and interfaces–Source NAT with pools and interfaces
- flow debugging, Flow Debugging with NAT
- High Availability and, Other SRX source NAT configuration options
- no-NAT rules with, No-NAT with Source or Destination NAT–No-NAT with Source or Destination NAT
- precedence for, NAT type precedence
- rulesets, Source NAT rulesets
- transforms, Interfaces
- source objects, negated, for security zones, Negated source and destination objects
- Source Route Option, Route Option Screens
- source zone, Security zones
- Source-IP Session Limit screens, Session Limit Screens
- Space platform, for firewall policies management, Firewall policies
- spam, Branch-Specific Features
- filtering, Antispam
- Spanning Tree Protocol (STP), SRX100 Series, Spanning Tree–Spanning Tree, Transparent Mode and Bridge Loops, Spanning Tree Protocol
- in transparent mode Layer 2 deployments, Spanning Tree Protocol in transparent mode Layer 2 deployments
- troubleshooting, Transparent Mode Troubleshooting Steps
- split brain, Configuring the Control Ports, Control link, Control link and data link failure, First Steps
- SPNEGO, Operating UserFW
- Active Directory and, UserFW
- authentication session, UserFW functionality overview
- SRX Series products (see Juniper Networks SRX Series products)
- SSH, Command-Line Interfaces
- configuring options, Configuring SSH access
- enabling NetConf protocol over, Enabling NetConf over SSH
- SSL decryption, in IPS processing, Packet processing path
- SSL Forward Proxy
- best practices, SSL FP
- configuring, Configuring and Deploying SSL Forward Proxy–AppFW with encrypted applications
- troubleshooting, Operating SSL Forward Proxy
- SSL Inspection (Reverse Proxy), SSL Inspection (Reverse Proxy)
- SSL Reverse Proxy, SSL Forward Proxy, Configuring and Deploying SSL Forward Proxy
- SSL session, restarting, Configuring SSL Forward Proxy on the SRX
- SSL VPNs, vs. IPsec VPN, Remote Access VPNs
- st0 interfaces
- multipoint interface specified, Point-to-point versus point-to-multipoint VPNs
- numbered vs. unnumbered, Numbered versus unnumbered st0 interfaces
- state synchronization, data plane and, The Data Plane
- stateful firewall, Preface, Welcome to the SRX, Data Center Services Tier, Flow Mode and Packet Mode, The Need for IPS
- failover by, Preserving the Control Plane
- high availability and, High Availability
- IP spoofing and, IP Spoofing Screen
- policies, Firewall policies
- ScreenOS for, The SRX Series Platform
- stateful processing, Service Provider
- stateful signature detection, in IPS processing, Packet processing path
- stateless filters
- configuring for inbound management traffic, Configuring a stateless firewall filter to control all inbound management traffic
- for connections to control plane, Accessing System Services: Control Plane Versus Data Plane
- stateless inspection of traffic, Flow Mode and Packet Mode
- stateless packet processing, Service Provider, Service Provider
- static attack groups, Custom attack objects and groups, Static attack groups
- best practices, Best Practices
- configuring, Configuring static and dynamic attack groups
- static IP address, configuring remote gateways with, Configuring IKEv1 Phase 1 gateways
- static NAT, Junos NAT Types, NAT type precedence
- best practices, Best Practices
- flow debugging, Destination NAT–Static NAT
- many-to-many mapping, Static NAT many-to-many mapping–Option 3: NAT 64 automatic translation
- one-to-one mapping, Static NAT one-to-one mapping–Static NAT one-to-one mapping
- rulesets, Static NAT rulesets
- transforms, Static NAT transforms
- static routing, Static Routing–Static Routing
- configuration options, Static Routing
- Statistical Report Manager software (STRM), Centralized Management
- packet logging in, Configuring packet logging in the STRM
- statistics, on application usage, Application Tracking
- Storage Usage panel, Informational panels
- stream mode on data plane
- configuring, Configuring Stream mode logging on the data plane
- vs. event mode, Data plane logs: Event versus Stream mode
- Strict Source Route Option, Route Option Screens
- strict SYN checks, Strict SYN checks
- STRM (Statistical Report Manager software), Centralized Management
- for log management, Log Management with STRM
- reporting infrastructure, Reporting with STRM
- structured syslog, Sample firewall logs
- subnet mask, Wildcard address objects
- subnetting, How to Use This Book
- Surfcontrol URL filtering, URL filtering flavors
- Surfcontrol/Websense Integrated URL filtering, Surfcontrol/Websense Integrated URL filtering
- sustained CPS rate, Data Center SRX Series Hardware Overview
- switch control board (SCB), monitoring, Switch control board
- switch fabric board (SFB)
- failure impact, Switch fabric board
- in SRX3000, SRX3000 Series
- switch-packet counters, Data Center SRX Series Hardware Overview
- switches, How to Use This Book
- configuration, Switching Configuration–Switching Configuration
- switching fabric interface, configuring, Configuring the Switching Fabric Interface
- SYN checks
- strict, Strict SYN checks
- TCP, TCP SYN checks
- in tunnels, SYN checks in tunnels
- SYN Cookies, SYN Spoofing Protection Modes
- SYN flood/spoofing attacks, protection against, SYN flood/spoofing attacks
- SYN-ACK-ACK proxy screen, SYN-ACK-ACK Proxy Screen
- SYN-FIN screen, SYN-FIN Screen
- SYN-Frag Screen, SYN-Frag Screen
- syslog, Application Tracking, Logging UTM Messages
- formats, SRX Logging and Flow Records, Configuring Stream mode logging on the data plane
- tips for viewing messages, Tips for Viewing Syslog Messages
- syslogD, System services that operate on the control plane
- System Alarms panel, Informational panels
- system connection table, viewing, Viewing the System Connection Table
- system I/O (SYSIO), in SRX1000, SRX1000 Series
- System Identification panel (J-Web), Informational panels
- system services, System Services–Configuring system services and protocols per zone or interface
- best practices for configuring, Best Practices
- control plane access vs. data plane, Accessing System Services: Control Plane Versus Data Plane–Configuring a security policy to control data plane management traffic
- control plane and, System Services and the Control Plane–System services that operate on the control plane
- data plane and, System Services and the Data Plane
- traffic, Functional Zones
- troubleshooting, Troubleshooting and Operation–Troubleshooting Individual Daemons
- checking SNMP stats, Checking SNMP Status
- core dump, Checking for Core Dumps
- DHCP operational mode commands, DHCP Operational Mode Commands
- restarting platform daemons, Restarting Platform Daemons
- viewing security logs locally, Viewing Security Logs Locally
- viewing services/counters on interface, Viewing the Services/Counters on the Interface–Viewing the Services/Counters on the Interface
- viewing system connection table, Viewing the System Connection Table
- zone-based service control, Zone-Based Service Control–Configuring system services and protocols per zone or interface
T
- Tacacs+, Remote authentication
- targets, of IP actions, Targets and timeouts
- task wizards, in J-Web, Task wizards–Task wizards
- TCP (Transmission Control Protocol), How to Use This Book, SRX100 Series
- denial-of-service (DoS) attacks with, DoS Attacks with TCP–Configuring the WinNuke Screen
- performance definitions, Data Center SRX Series Hardware Overview
- TCP initial session timeout, Configuring the TCP initial session timeout and TCP time wait timeout
- TCP No Flags Screen, TCP No Flags Screen
- TCP Port Scan Screen, TCP Port Scan Screen
- TCP reset, Action Criteria
- TCP sequence checks, TCP sequence checks, Configuring TCP sequence checks
- configuring for RST packets, Configuring TCP sequence checks for RST packets
- TCP SockStress, Session Limit Screens
- TCP state timeouts, TCP state timeouts
- TCP Sweep Screen, TCP Sweep Screen
- TCP SYN checks, TCP SYN checks
- TCP wait state timeout, TCP state timeouts
- Telnet, Command-Line Interfaces
- configuring options, Configuring Telnet access
- ports for, Configuring SSH access
- templates
- downloading policy, Getting Started with IPS on the SRX
- for IPS process, Policy templates
- terminal match, for IP action, Terminal Match
- test security utm web-filtering profile <profile> test-string command, Websense site lookup tool
- testing
- antivirus software, Testing antivirus
- IPS policy, Testing Your Policy–Leveraging sniffer mode for the deployment
- threads of execution, Branch SRX Series Hardware Overview
- Threats Activity panel, Informational panels
- three-way handshake, Data Center SRX Series Session Setup, Strict SYN checks
- threshold, Best Practices
- for TCP Sweep Screen, Configuring the TCP Sweep Screen
- threshold-based Screens, Packet versus threshold Screens
- throughput of firewall, Data Center SRX Series Hardware Overview
- timekeeping
- best practices, Best Practices
- importance, Network Time Protocol
- synchronization, Best Practices
- timeout
- for IP action, Targets and timeouts
- in Sophos feature profile, Sophos AV feature profiles
- in SYN Cookie/SYN Proxy, SYN Spoofing Protection Modes
- to-zone, Security zones, Match criteria
- top-to-bottom evaluation, of security policy, Top to Bottom Policy Evaluation
- TOR, SSL and, AppFW with encrypted applications
- traceoptions, The Dreaded Priority Zero
- traceroute, VPN troubleshooting process
- tracing, for VPN troubleshooting, VPN Tracing and Debugging–Configuring and analyzing VPN tracing
- traffic reports, Traffic reports
- transparent interfaces, Transparent Interfaces
- transparent mode, Troubleshooting Individual Daemons, Transparent Mode
- components, Transparent Mode Components
- configuration, Configuring Transparent Mode
- deployment, The Junos Enterprise Services Reference Network, Sample Deployments–Summary
- flow process, Transparent Mode Flow Process–Session teardown
- high availability with, High Availability with Transparent Mode
- limitations, Transparent Mode Limitations
- Quality of Service (QoS), QoS in Transparent Mode
- configuration, Configuring Transparent Mode QoS–Configuring VLAN Rewriting
- security policies, Transparent Mode Security Policy
- security zones, configuring, Configuring Transparent Mode Security Zones–Configuring Transparent Mode Security Policies
- specific options, Transparent Mode Specific Options
- troubleshooting, Troubleshooting and Operation–Transparent Mode Troubleshooting Steps
- when to use, When to Use Transparent Mode
- zones, Transparent Mode Zones
- Transport mode for IPsec VPN, IPsec VPN Mode
- best practices, Best Practices
- Trapeze, Branch-Specific Features
- Triple Data Encryption Standard (3DES), IPsec Encryption Algorithms, Selecting the Appropriate VPN Configuration
- troubleshooting
- Application Identification (AI), Operating Application Identification
- AppSecure, Troubleshooting and Operation–Sample Deployments
- AppTrack, AppTrack
- core dump, Core Dumps
- daemons, Troubleshooting Individual Daemons
- data plane, Verifying the Data Plane–Verifying the Data Plane
- flow trace, Performing a Flow Trace–Performing a Flow Trace
- high availability, Troubleshooting and Operation–Manual Failover
- interfaces, Checking Interfaces
- intrusion prevention systems (IPS), Troubleshooting and Operation–IP Action Table
- attack table, IPS Attack Table
- checking policy compilation status, Checking Policy Compilation Status
- checking security package version, Checking Security Package Version
- checking status of, Checking IPS Status
- counters for, IPS Counters
- IP action table, IP Action Table
- security package installation, Troubleshooting and Monitoring Security Package Installation–Checking Policy Compilation Status
- with J-Web tool, Troubleshooting from J-Web
- Network Address Translation (NAT), NAT Rule and Usage Counters
- flow debugging, Flow Debugging with NAT–Static NAT
- session table, Viewing the Session Table–View NAT Errors
- viewing firewall logs, View Firewall Logs with NAT
- priority zero, The Dreaded Priority Zero
- routing, Static Routing
- Screens, Troubleshooting and Operation
- security policies, Troubleshooting and Operation
- SSL Forward Proxy, Operating SSL Forward Proxy
- system services, Troubleshooting and Operation–Troubleshooting Individual Daemons
- checking SNMP stats, Checking NTP Status
- core dump, Checking for Core Dumps
- DHCP operational mode commands, DHCP Operational Mode Commands
- restarting platform daemons, Restarting Platform Daemons
- viewing security logs locally, Viewing Security Logs Locally
- viewing services/counters on interface, Viewing the Services/Counters on the Interface–Viewing the Services/Counters on the Interface
- viewing system connection table, Troubleshooting and Operation
- transparent mode, Troubleshooting and Operation–Transparent Mode Troubleshooting Steps
- Unified Threat Management (UTM), Troubleshooting and Operation–Content Filtering
- antispam, Antispam
- antivirus software, Antivirus
- content filtering, Content Filtering
- URL filtering, URL Filtering
- VPN (virtual private networking), Troubleshooting and Operation–Configuring and analyzing VPN tracing
- commands for, Useful VPN Commands–Checking interface statistics
- tracing and debugging, VPN Tracing and Debugging–Configuring and analyzing VPN tracing
- trunk mode, in transparent mode, Interface Modes in Transparent Mode
- trunk port, Switching Configuration
- trust interface, Sample Deployment
- trust zone, configuring, Configuring system services and protocols per zone or interface
- Trusted-CA
- configuring, Configuring IKEv1 Phase 1 policies
- in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
- Tunnel mode for IPsec VPN, IPsec VPN Mode
- best practices, Best Practices
- tunnels
- SYN checks in, SYN checks in tunnels
- viewing inactive, show security ipsec inactive-tunnels
U
- UDP (User Datagram Protocol), How to Use This Book, SRX100 Series
- denial-of-service (DoS) attacks with, DoS Attacks with UDP
- for IKE negotiations, VPN troubleshooting process
- UFQDN (user FQDN), as IKE identity, IKE Identities
- Ultrasurf, SSL and, AppFW with encrypted applications
- unauthenticated role in SRX, Configuring the SRX for UserFW
- unauthenticated users, redirect rules for, Operating UserFW
- Unicast Reverse Path Forwarding (uRPF) lookup, IP Spoofing Screen
- unified in-service software upgrade (ISSU), Configuring the Control Ports
- Unified Threat Management (UTM)
- antispam feature, Antispam
- antivirus software, Antivirus, Antivirus–Which AV to Choose?
- Sophos engine, Sophos AV–Kaspersky Full AV
- basics, Unified Threat Management
- best practices, Best Practices
- components, UTM Components–Configuring syslog to send UTM to a remote server
- application proxy, Application Proxy
- custom objects, Custom Objects
- feature profiles, Feature Profiles
- policies, UTM Policies
- content filtering, Content Filtering–Configuring syslog to send UTM to a remote server
- deployments, Sample Deployments–Summary
- IPS and, IPS and UTM
- licensing, UTM Licensing
- configuring, Configuring Licensing
- logging messages, Logging UTM Messages
- shifting threats, Shifting Threats
- troubleshooting, Troubleshooting and Operation–Content Filtering
- antispam, Antispam
- antivirus software, Antivirus
- URL filtering, URL Filtering
- URL filtering, URL Filtering–Which URL filtering solution to choose?
- flavors, URL filtering flavors
- Websense Enhanced filtering, Websense Enhanced filtering
- unit, in interface configuration, Logical Interfaces
- universal resource locator (URL) filtering, Branch-Specific Features
- unknown control plane state, Activating Juniper Services Redundancy Protocol
- Unknown IP Protocol Screen, Unknown IP Protocol Screen
- unknown role in SRX, Configuring the SRX for UserFW
- untrust interface, Sample Deployment
- untrust zone, configuring, Configuring system services and protocols per zone or interface
- URL filtering, IPS and UTM, Unified Threat Management, URL Filtering, URL Filtering–Which URL filtering solution to choose?
- default local profile, Default local URL filtering profile
- deployment, Sample Deployments
- profiles, URL filtering profiles
- Surfcontrol/Websense Integrated, Surfcontrol/Websense Integrated URL filtering
- troubleshooting, URL Filtering
- Websense Enhanced filtering, Websense Enhanced filtering
- user authentication infrastructure, STRM and, Reporting with STRM
- user-based dynamic firewalling, Large Branch
- User Datagram Protocol (UDP), How to Use This Book
- denial-of-service (DoS) attacks with, DoS Attacks with UDP
- for IKE negotiations, VPN troubleshooting process
- user interfaces, on control plane, System services that operate on the control plane
- user objects, in security policy, Security Policy Criteria and Precedence
- User Role Firewall, User Role Firewalling
- best practices, UserFW
- configuring and deploying, Configuring and Deploying User Role Firewall–Miscellaneous Active Directory tasks
- functionality review, UserFW functionality overview–UserFW functionality overview
- operating, Operating UserFW
- packaging and licensing, UserFW packaging and licensing
- users, display of logged on, Informational panels
- UTM (see Unified Threat Management (UTM))
V
- validation, heartbeat messages for, Configuring Heartbeat Timers
- virtual interfaces, Virtual Interfaces
- virtual Junos, JunosV Firefly (Virtual Junos)
- virtual private networking (VPN) (see VPN (virtual private networking))
- virtual router (VR), Inherited ScreenOS features
- instances, Routing Instance Types
- virtual security device (VSD), Redundancy Groups
- viruses, Acknowledgments
- (see also antivirus software)
- identifying, IPS and UTM
- protection against, Unified Threat Management
- VLAN retagging, VLAN Rewriting
- VLAN trunking, transparent mode and, Spanning Tree Protocol in transparent mode Layer 2 deployments
- vlan-id-list command, Configuring VLAN Rewriting
- vlan-rewrite command, Configuring VLAN Rewriting
- VLANs
- in cloud environment, Cloud Networks
- configuration, Switching Configuration
- name for, Switching Configuration
- restricting BPDUs to, Restricting BPDUs to VLANs
- rewriting, VLAN Rewriting
- configuring, Configuring VLAN Rewriting–Configuring VLAN Rewriting
- terminating multiple, Interface Modes in Transparent Mode
- VMware, JunosV Firefly (Virtual Junos)
- VPLS, Branch Summary
- VPN (virtual private networking), Acknowledgments
- (see also IPsec VPN (IP Security virtual private network))
- architecture overview, VPN Architecture Overview–Remote Access VPNs
- full mesh, Full Mesh VPNs
- hub and spoke, Hub and Spoke IPsec VPNs
- site-to-site, Site-to-Site IPsec VPNs
- dynamic, Dynamic VPN–Best Practices
- encryption algorithms, Selecting the Appropriate VPN Configuration
- monitoring, VPN Monitoring
- configuring, Configuring common IPsec VPN components
- partial mesh, Partial Mesh VPNs
- point-to-point vs. point-to-multipoint, Point-to-point versus point-to-multipoint VPNs
- policy-based, vs. route-based, Selecting the Appropriate VPN Configuration
- remote access, Remote Access VPNs
- sample deployment, Sample Deployments–IPsec Caveats on SRX
- remote access VPN, Remote Access VPN
- site-to-site, Site-to-Site VPN–Remote Access VPN
- ScreenOS for, The SRX Series Platform
- selecting configuration, Selecting the Appropriate VPN Configuration–Selecting the Appropriate VPN Configuration
- troubleshooting, Troubleshooting and Operation–Configuring and analyzing VPN tracing
- commands for, Useful VPN Commands–Checking interface statistics
- tracing and debugging, VPN Tracing and Debugging–Configuring and analyzing VPN tracing
- VSD (virtual security device), Redundancy Groups
- vulnerability exploitation phase of attack, Stages of a System Compromise
W
- Warning severity level of attacks, Severities
- web management, Web Management on the SRX
- Web Trends Log Format (WELF), Configuring Stream mode logging on the data plane
- Websense Enhanced URL filtering, URL filtering flavors, Websense Enhanced filtering
- custom profile, Configuring a custom Websense Enhanced profile
- default profile, Configuring Websense Enhanced default profile
- pros and cons, Which URL filtering solution to choose?, Which URL filtering solution to choose?
- troubleshooting, URL Filtering
- Websense Redirect URL filtering, URL filtering flavors, Websense Redirect
- default profile for configuring, Default Websense Redirect profile
- pros and cons, Which URL filtering solution to choose?
- Websense site lookup tool, Websense site lookup tool
- Websense Threatseeker cloud, Websense Enhanced filtering
- Websense/Surfcontrol Integrated URL filtering, pros and cons, Which URL filtering solution to choose?
- Websense/Surfcontrol URL filtering, troubleshooting, URL Filtering
- weighted round-robin algorithm, Data Center SRX Series Session Setup
- WELF (Web Trends Log Format), Configuring Stream mode logging on the data plane
- well-known ports, AppSecure Basics
- whitelist approach to firewall rules, Three types of Application Firewall rulesets, Configuring a whitelist application ruleset
- best practices, AppFW
- for Juniper Local filtering, URL Custom URLs, blacklists, whitelists, and categories
- in SSL Proxy profile, Configuring SSL Forward Proxy on the SRX
- when to use, When to use blacklist, whitelist, and hybrid rulesets
- WiFi, RF interference and, Branch-Specific Features
- wildcard address objects, for IP prefix-based matches, Wildcard address objects
- wing table, NPU
- WinNuke Screen, WinNuke Screen
- wireless capabilities, of AX411, AX411
X
- X-PIM card, SRX600 Series, Interface modules for the SRX600 line
- X.509 certificate, authentication, Certificate Validation
- XAuth, XAuth, Configuring dynamic gateways and remote access clients
- troubleshooting, VPN troubleshooting process
Y
- YouTube, Preface
Z
- Z path forwarding, The Data Plane
- zero-day branch, SRX200 Series
- zone-based firewall, NAT Precedence in the Junos Event Chain
- zone-based service control, Zone-Based Service Control–Configuring system services and protocols per zone or interface
- zones, Acknowledgments, Inherited ScreenOS features, Zones–Functional Zones
- (see also security zones)
- applying Screen profiles to, Applying Screen profiles to single and multiple zones
- configuring to allow IKE traffic, Configuring IKEv1 Phase 1 gateways
- functional, Functional Zones–Functional Zones
- names for, Sample Deployment
- in transparent mode, Transparent Mode Zones