ScreenOS Cookbook

Book Description

Written by key members of Juniper Networks' ScreenOS development team, this one-of-a-kind Cookbook helps you troubleshoot secure networks that run ScreenOS firewall appliances. Scores of recipes address a wide range of security issues, provide step-by-step solutions, and include discussions of why the recipes work, so you can easily set up and keep ScreenOS systems on track. ScreenOS Cookbook gives you real-world fixes, techniques, and configurations that save time -- not hypothetical situations out of a textbook. The book comes directly from the experience of engineers who have seen and fixed every conceivable ScreenOS network topology, from small branch office firewalls to appliances for large core enterprise and government, to the heavy-duty, protocol-driven service provider network. Its easy-to-follow format enables you to find the topic and specific recipe you need right away and match it to your network and security issue. Topics include:

  • Configuring and managing ScreenOS firewalls

  • NTP (Network Time Protocol)

  • Interfaces, Zones, and Virtual Routers

  • Mitigating Denial of Service Attacks

  • DDNS, DNS, and DHCP

  • IP Routing

  • Policy-Based Routing

  • Elements of Policies

  • Authentication

  • Application Layer Gateway (SIP, H323, RPC, RTSP, etc.)

  • Content Security

  • Managing Firewall Policies

  • IPSEC VPN

  • RIP, OSPF, BGP, and NSRP

  • Multicast -- IGMP, PIM, Static Mroutes

  • Wireless

Along with the usage and troubleshooting recipes, you will also find plenty of tricks, special considerations, ramifications, and general discussions of interesting tangents and network extrapolation. For the accurate, hard-nosed information you require to get your ScreenOS firewall network secure and operating smoothly, no book matches ScreenOS Cookbook.

Table of Contents

  1. ScreenOS Cookbook
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Credits
    3. Glossary
    4. Preface
      1. Audience
      2. Assumptions This Book Makes
      3. Conventions Used in This Book
      4. Using Code Examples
      5. Safari® Books Online
      6. Comments and Questions
      7. Acknowledgments
    5. 1. ScreenOS CLI, Architecture, and Troubleshooting
      1. 1.0. Introduction
        1. get
        2. set/unset
        3. save
        4. clear
        5. exec
        6. delete
        7. Filtering the Output
      2. 1.1. ScreenOS Architecture
        1. Virtual Router
        2. Zones
          1. Security zone
          2. Functional zones
        3. Interfaces
          1. Redundant
          2. Aggregate
          3. Bridge Groups
          4. Loopback
          5. VLAN
          6. Tunnel
          7. Summary
      3. 1.2. Troubleshoot ScreenOS
        1. Debug
        2. Flow Filter
        3. Debug Buffer
        4. Snoop
    6. 2. Firewall Configuration and Management
      1. 2.0. Introduction
      2. 2.1. Use TFTP to Transfer Information to and from the Firewall
        1. Problem
        2. Solution
        3. Discussion
      3. 2.2. Use SCP to Securely Transfer Information to and from the Firewall
        1. Problem
        2. Solution
        3. Discussion
      4. 2.3. Use the Dedicated MGT Interface to Manage the Firewall
        1. Problem
        2. Solution
        3. Discussion
      5. 2.4. Control Access to the Firewall
        1. Problem
        2. Solution
        3. Discussion
      6. 2.5. Manage Multiple ScreenOS Images for Remotely Managed Firewalls
        1. Problem
        2. Solution
        3. Discussion
      7. 2.6. Manage the USB Port on SSG
        1. Problem
        2. Solution
        3. Discussion
    7. 3. Wireless
      1. 3.0. Introduction
        1. The 802.11 Standards
        2. The Point-to-Point Protocol
      2. 3.1. Use MAC Filtering
        1. Problem
        2. Solution
        3. Discussion
      3. 3.2. Configure the WEP Shared Key
        1. Problem
        2. Solution
        3. Discussion
      4. 3.3. Configure the WPA Preshared Key
        1. Problem
        2. Solution
        3. Discussion
      5. 3.4. Configure WPA Using 802.1x with IAS and Microsoft Active Directory
        1. Problem
        2. Solution
        3. Discussion
      6. 3.5. Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client
        1. Problem
        2. Solution
        3. Discussion
          1. Installing the Steel-Belted Radius server
          2. Installing the Odyssey Access Client on the PC
      7. 3.6. Separate Wireless Access for Corporate and Guest Users
        1. Problem
        2. Solution
        3. Discussion
      8. 3.7. Configure Bridge Groups for Wired and Wireless Networks
        1. Problem
        2. Solution
        3. Discussion
    8. 4. Route Mode and Static Routing
      1. 4.0. Introduction
      2. 4.1. View the Routing Table on the Firewall
        1. Problem
        2. Solution
        3. Discussion
      3. 4.2. View Routes for a Particular Prefix
        1. Problem
        2. Solution
        3. Discussion
      4. 4.3. View Routes in the Source-Based Routing Table
        1. Problem
        2. Solution
        3. Discussion
      5. 4.4. View Routes in the Source Interface-Based Routing Table
        1. Problem
        2. Solution
        3. Discussion
      6. 4.5. Create Blackhole Routes
        1. Problem
        2. Solution
        3. Discussion
      7. 4.6. Create ECMP Routing
        1. Problem
        2. Solution
        3. Discussion
      8. 4.7. Create Static Routes for Gateway Tracking
        1. Problem
        2. Solution
        3. Discussion
      9. 4.8. Export Filtered Routes to Other Virtual Routers
        1. Problem
        2. Solution
        3. Discussion
      10. 4.9. Change the Route Lookup Preference
        1. Problem
        2. Solution
        3. Discussion
      11. 4.10. Create Permanent Static Routes
        1. Problem
        2. Solution
        3. Discussion
    9. 5. Transparent Mode
      1. 5.0. Introduction
      2. 5.1. Enable Transparent Mode with Two Interfaces
        1. Problem
        2. Solution
        3. Discussion
      3. 5.2. Enable Transparent Mode with Multiple Interfaces
        1. Problem
        2. Solution
        3. Discussion
      4. 5.3. Configure a VLAN Trunk
        1. Problem
        2. Solution
        3. Discussion
      5. 5.4. Configure Retagging
        1. Problem
        2. Solution
        3. Discussion
      6. 5.5. Configure Bridge Groups
        1. Problem
        2. Solution
        3. Discussion
      7. 5.6. Manipulate the Layer 2 Forwarding Table
        1. Problem
        2. Solution
        3. Discussion
      8. 5.7. Configure the Management Interface in Transparent Mode
        1. Problem
        2. Solution
        3. Discussion
      9. 5.8. Configure the Spanning Tree Protocol (STP)
        1. Problem
        2. Solution
        3. Discussion
      10. 5.9. Enable Compatibility with HSRP and VRRP Routers
        1. Problem
        2. Solution
        3. Discussion
      11. 5.10. Configure VPNs in Transparent Mode
        1. Problem
        2. Solution
        3. Discussion
      12. 5.11. Configure VSYS with Transparent Mode
        1. Problem
        2. Solution
        3. Discussion
    10. 6. Leveraging IP Services in ScreenOS
      1. 6.0. Introduction
      2. 6.1. Set the Time on the Firewall
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 6.2. Set the Clock with NTP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 6.3. Check NTP Status
        1. Problem
        2. Solution
        3. Discussion
      5. 6.4. Configure the Device's Name Service
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 6.5. View DNS Entries on a Device
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 6.6. Use Static DNS to Provide a Common Policy for Multiple Devices
        1. Problem
        2. Solution
        3. Discussion
      8. 6.7. Configure the DNS Proxy for Split DNS
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 6.8. Use DDNS on the Firewall for VPN Creation
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 6.9. Configure the Firewall As a DHCP Client for Dynamic IP Environments
        1. Problem
        2. Solution
        3. Discussion
      11. 6.10. Configure the Firewall to Act As a DHCP Server
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 6.11. Automatically Learn DHCP Option Information
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 6.12. Configure DHCP Relay
        1. Problem
        2. Solution
        3. Discussion
      14. 6.13. DHCP Server Maintenance
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    11. 7. Policies
      1. 7.0. Introduction
        1. Address Objects
        2. Service Objects
        3. Intra-Zone, Inter-Zone, and Global Policies
        4. ACL Rules
        5. Default Policies
      2. 7.1. Configure an Inter-Zone Firewall Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 7.2. Log Hits on ScreenOS Policies
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 7.3. Generate Log Entries at Session Initiation
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 7.4. Configure a Syslog Server
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 7.5. Configure an Explicit Deny Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 7.6. Configure a Reject Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 7.7. Schedule Policies to Run at a Specified Time
        1. Problem
        2. Solution
        3. Discussion
      9. 7.8. Change the Order of ScreenOS Policies
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 7.9. Disable a ScreenOS Policy
        1. Problem
        2. Solution
        3. Discussion
      11. 7.10. Configure an Intra-Zone Firewall Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 7.11. Configure a Global Firewall Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 7.12. Configure Custom Services
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 7.13. Configure Address and Service Groups
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 7.14. Configure Service Timeouts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 7.15. View and Use Microsoft RPC Services
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      17. 7.16. View and Use Sun-RPC Services
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      18. 7.17. View the Session Table
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      19. 7.18. Troubleshoot Traffic Flows
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      20. 7.19. Configure a Packet Capture in ScreenOS
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      21. 7.20. Determine Platform Limits on Address/Service Book Entries and Policies
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    12. 8. Network Address Translation
      1. 8.0. Introduction
        1. NAT Elements in ScreenOS
        2. Intelligent Translation
        3. Integration of the Rule Base and NAT
      2. 8.1. Configure Hide NAT
        1. Problem
        2. Solution
        3. Discussion
      3. 8.2. Configure Hide NAT with VoIP
        1. Problem
        2. Solution
        3. Discussion
      4. 8.3. Configure Static Source NAT
        1. Problem
        2. Solution
        3. Discussion
      5. 8.4. Configure Source NAT Pools
        1. Problem
        2. Solution
        3. Discussion
      6. 8.5. Link Multiple DIPs to the Same Policy
        1. Problem
        2. Solution
        3. Discussion
      7. 8.6. Configure Destination NAT
        1. Problem
        2. Solution
        3. Discussion
      8. 8.7. Configure Destination PAT
        1. Problem
        2. Solution
        3. Discussion
      9. 8.8. Configure Bidirectional NAT for DMZ Servers
        1. Problem
        2. Solution
        3. Discussion
      10. 8.9. Configure Static Bidirectional NAT with Multiple VRs
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 8.10. Configure Source Shift Translation
        1. Problem
        2. Solution
        3. Discussion
      12. 8.11. Configure Destination Shift Translation
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 8.12. Configure Bidirectional Network Shift Translation
        1. Problem
        2. Solution
        3. Discussion
      14. 8.13. Configure Conditional NAT
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 8.14. Configure NAT with Multiple Interfaces
        1. Problem
        2. Solution
        3. Discussion
      16. 8.15. Design PAT for a Home or Branch Office
        1. Problem
        2. Solution
        3. Discussion
      17. 8.16. A NAT Strategy for a Medium Office with DMZ
        1. Problem
        2. Solution
        3. Discussion
      18. 8.17. Deploy a Large-Office Firewall with DMZ
        1. Problem
        2. Solution
        3. Discussion
      19. 8.18. Create an Extranet with Mutual PAT
        1. Problem
        2. Solution
        3. Discussion
      20. 8.19. Configure NAT with Policy-Based VPN
        1. Problem
        2. Solution
        3. Discussion
      21. 8.20. Configure NAT with Route-Based VPN
        1. Problem
        2. Solution
        3. Discussion
      22. 8.21. Troubleshoot NAT Mode
        1. Problem
        2. Solution
        3. Discussion
      23. 8.22. Troubleshoot DIPs (Policy NAT-SRC)
        1. Problem
        2. Solution
        3. Discussion
      24. 8.23. Troubleshoot Policy NAT-DST
        1. Problem
        2. Solution
        3. Discussion
      25. 8.24. Troubleshoot VIPs
        1. Problem
        2. Solution
        3. Discussion
      26. 8.25. Troubleshoot MIPs
        1. Problem
        2. Solution
        3. Discussion
    13. 9. Mitigating Attacks with Screens and Flow Settings
      1. 9.0. Introduction
      2. 9.1. Configure SYN Flood Protection
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 9.2. Control UDP Floods
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 9.3. Detect Scan Activity
        1. Problem
        2. Solution
        3. Discussion
      5. 9.4. Avoid Session Table Depletion
        1. Problem
        2. Solution
        3. Discussion
      6. 9.5. Baseline Traffic to Prepare for Screen Settings
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 9.6. Use Flow Configuration for State Enforcement
        1. Problem
        2. Solution
        3. Discussion
      8. 9.7. Detect and Drop Illegal Packets with Screens
        1. Problem
        2. Solution
        3. Discussion
      9. 9.8. Prevent IP Spoofing
        1. Problem
        2. Solution
        3. Discussion
      10. 9.9. Prevent DoS Attacks with Screens
        1. Problem
        2. Solution
        3. Discussion
      11. 9.10. Use Screens to Control HTTP Content
        1. Problem
        2. Solution
        3. Discussion
    14. 10. IPSec VPN
      1. 10.0. Introduction
        1. IPSec Tutorial
          1. Modes
          2. Protocols
          3. Security Associations
          4. IKE and IPSec packets
        2. Using IPSec in ScreenOS
          1. Route-based versus policy-based tunneling
          2. Tunnel interfaces and VPN routing
          3. NHTB
        3. Creating VPN Tunnels
          1. Configuring an IKE gateway
          2. Main and Aggressive modes
          3. Diffie-Hellman exchange
          4. Configuring a Main mode gateway
          5. Configuring an Aggressive mode gateway
          6. Configuring a Phase-2 VPN
          7. VPN monitor
          8. Finishing the tunnel configuration
      2. 10.1. Create a Simple User-to-Site VPN
        1. Problem
        2. Solution
        3. Discussion
          1. ScreenOS configuration
          2. NetScreen-Remote configuration
          3. Troubleshooting client connectivity
      3. 10.2. Policy-Based IPSec Tunneling with Static Peers
        1. Problem
        2. Solution
          1. Hub site configuration
          2. Remote site configuration
        3. Discussion
      4. 10.3. Route-Based IPSec Tunneling with Static Peers and Static Routes
        1. Problem
        2. Solution
          1. Hub site configuration
          2. Remote site configuration
        3. Discussion
      5. 10.4. Route-Based VPN with Dynamic Peer and Static Routing
        1. Problem
        2. Solution
          1. Hub site configuration
          2. Remote site configuration
        3. Discussion
      6. 10.5. Redundant VPN Gateways with Static Routes
        1. Problem
        2. Solution
          1. Primary hub site configuration
          2. Backup hub site configuration
          3. Remote site configuration
        3. Discussion
      7. 10.6. Dynamic Route-Based VPN with RIPv2
        1. Problem
        2. Solution
          1. Primary hub site configuration
          2. Backup hub site configuration
          3. Remote site configuration
        3. Discussion
      8. 10.7. Interoperability
        1. Problem
        2. Solution
          1. ScreenOS configuration
          2. Cisco configuration
        3. Discussion
    15. 11. Application Layer Gateways
      1. 11.0. Introduction
        1. Differences Between ALGs and Deep Inspection
      2. 11.1. View the List of Available ALGs
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 11.2. Globally Enable or Disable an ALG
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 11.3. Disable an ALG in a Specific Policy
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 11.4. View the Control and Data Sessions for an FTP Transfer
        1. Problem
        2. Solution
        3. Discussion
          1. Active FTP
          2. Passive FTP
        4. See Also
      6. 11.5. Configure ALG Support When Running FTP on a Custom Port
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 11.6. Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 11.7. View SIP Call and Session Counters
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 11.8. View and Modify SIP ALG Settings
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 11.9. View the Dynamic Port(s) Associated with a Microsoft RPC Session
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 11.10. View the Dynamic Port(s) Associated with a Sun-RPC Session
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    16. 12. Content Security
      1. 12.0. Introduction
      2. 12.1. Configure Internal Antivirus
        1. Problem
        2. Solution
        3. Discussion
      3. 12.2. Configure External Antivirus with ICAP
        1. Problem
        2. Solution
        3. Discussion
      4. 12.3. Configure External Antivirus via Redirection
        1. Problem
        2. Solution
        3. Discussion
      5. 12.4. Configure Antispam
        1. Problem
        2. Solution
        3. Discussion
      6. 12.5. Configure Antispam with Third Parties
        1. Problem
        2. Solution
        3. Discussion
      7. 12.6. Configure Custom Blacklists and Whitelists for Antispam
        1. Problem
        2. Solution
        3. Discussion
      8. 12.7. Configure Internal URL Filtering
        1. Problem
        2. Solution
        3. Discussion
      9. 12.8. Configure External URL Filtering
        1. Problem
        2. Solution
        3. Discussion
      10. 12.9. Configure Custom Blacklists and Whitelists with URL Filtering
        1. Problem
        2. Solution
        3. Discussion
      11. 12.10. Configure Deep Inspection
        1. Problem
        2. Solution
        3. Discussion
      12. 12.11. Download Deep Inspection Signatures Manually
        1. Problem
        2. Solution
        3. Discussion
      13. 12.12. Develop Custom Signatures with Deep Inspection
        1. Problem
        2. Solution
        3. Discussion
      14. 12.13. Configure Integrated IDP
        1. Problem
        2. Solution
        3. Discussion
    17. 13. User Authentication
      1. 13.0. Introduction
        1. Authentication and Authorization
        2. User Profiles
        3. External Authentication Servers
          1. RADIUS
          2. LDAP
          3. SecurID
        4. ScreenOS User Types
        5. Administrative Users
        6. Auth Users
        7. IKE, Xauth, and L2TP Users
        8. Multiple-Type Users
        9. Group Expressions
        10. Login Banners
      2. 13.1. Create Local Administrative Users
        1. Problem
        2. Solution
        3. Discussion
      3. 13.2. Create VSYS-Level Administrator Accounts
        1. Problem
        2. Solution
        3. Discussion
      4. 13.3. Create User Groups for Authentication Policies
        1. Problem
        2. Solution
        3. Discussion
      5. 13.4. Use Authentication Policies
        1. Problem
        2. Solution
        3. Discussion
      6. 13.5. Use WebAuth with the Local Database
        1. Problem
        2. Solution
        3. Discussion
      7. 13.6. Create VPN Users with the Local Database
        1. Problem
        2. Solution
        3. Discussion
      8. 13.7. Use RADIUS for Admin Authentication
        1. Problem
        2. Solution
        3. Discussion
      9. 13.8. Use LDAP for Policy-Based Authentication
        1. Problem
        2. Solution
        3. Discussion
      10. 13.9. Use SecurID for Policy-Based Authentication
        1. Problem
        2. Solution
        3. Discussion
    18. 14. Traffic Shaping
      1. 14.0. Introduction
      2. 14.1. Configure Policy-Level Traffic Shaping
        1. Problem
        2. Solution
        3. Discussion
      3. 14.2. Configure Low-Latency Queuing
        1. Problem
        2. Solution
        3. Discussion
      4. 14.3. Configure Interface-Level Traffic Policing
        1. Problem
        2. Solution
        3. Discussion
      5. 14.4. Configure Traffic Classification (Marking)
        1. Problem
        2. Solution
        3. Discussion
      6. 14.5. Troubleshoot QoS
        1. Problem
        2. Solution
        3. Discussion
    19. 15. RIP
      1. 15.0. Introduction
        1. RIP Version 1
        2. RIP Version 2
        3. Routing Loops in RIP
        4. The ScreenOS RIP Implementation
      2. 15.1. Configure a RIP Instance on an Interface
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 15.2. Advertise the Default Route via RIP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 15.3. Configure RIP Authentication
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 15.4. Suppress RIP Route Advertisements with Passive Interfaces
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 15.5. Adjust RIP Timers to Influence Route Convergence Duration
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 15.6. Adjust RIP Interface Metrics to Influence Path Selection
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 15.7. Redistribute Static Routes into RIP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 15.8. Redistribute Routes from OSPF into RIP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 15.9. Filter Inbound RIP Routes
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 15.10. Configure Summary Routes in RIP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 15.11. Administer RIP Version 1
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 15.12. Troubleshoot RIP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    20. 16. OSPF
      1. 16.0. Introduction
      2. 16.1. Configure OSPF on a ScreenOS Device
        1. Problem
        2. Solution
        3. Discussion
      3. 16.2. View Routes Learned by OSPF
        1. Problem
        2. Solution
        3. Discussion
      4. 16.3. View the OSPF Link-State Database
        1. Problem
        2. Solution
        3. Discussion
      5. 16.4. Configure a Multiarea OSPF Network
        1. Problem
        2. Solution
        3. Discussion
      6. 16.5. Set Up Stub Areas
        1. Problem
        2. Solution
        3. Discussion
      7. 16.6. Create a Not-So-Stubby Area (NSSA)
        1. Problem
        2. Solution
        3. Discussion
      8. 16.7. Control Route Propagation in OSPF
        1. Problem
        2. Solution
        3. Discussion
      9. 16.8. Redistribute Routes into OSPF
        1. Problem
        2. Solution
        3. Discussion
      10. 16.9. Make OSPF RFC 1583-Compatible
        1. Problem
        2. Solution
        3. Discussion
      11. 16.10. Adjust OSPF Link Costs
        1. Problem
        2. Solution
        3. Discussion
      12. 16.11. Configure OSPF on Point-to-Multipoint Links
        1. Problem
        2. Solution
        3. Discussion
      13. 16.12. Configure Demand Circuits
        1. Problem
        2. Solution
        3. Discussion
      14. 16.13. Configure Virtual Links
        1. Problem
        2. Solution
        3. Discussion
      15. 16.14. Change OSPF Timers
        1. Problem
        2. Solution
        3. Discussion
      16. 16.15. Secure OSPF
        1. Problem
        2. Solution
        3. Discussion
      17. 16.16. Troubleshoot OSPF
        1. Problem
        2. Solution
        3. Discussion
    21. 17. BGP
      1. 17.0. Introduction
        1. BGP Messages
        2. BGP Attribute Types
        3. BGP Attributes
        4. The ScreenOS BGP Implementation
      2. 17.1. Configure BGP with an External Peer
        1. Problem
        2. Solution
          1. Configuring EBGP with a peer that is not directly connected
        3. Discussion
        4. See Also
      3. 17.2. Configure BGP with an Internal Peer
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 17.3. Configure BGP Peer Groups
        1. Problem
        2. Solution
        3. Discussion
      5. 17.4. Configure BGP Neighbor Authentication
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 17.5. Adjust BGP Keepalive and Hold Timers
        1. Problem
        2. Solution
        3. Discussion
      7. 17.6. Statically Define Prefixes to Be Advertised to EBGP Peers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 17.7. Use Route Maps to Filter Prefixes Announced to BGP Peers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 17.8. Aggregate Route Announcements to BGP Peers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 17.9. Filter Route Announcements from BGP Peers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 17.10. Update the BGP Routing Table Without Resetting Neighbor Connections
        1. Problem
        2. Solution
        3. Discussion
      12. 17.11. Use BGP Local_Pref for Route Selection
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 17.12. Configure Route Dampening
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 17.13. Configure BGP Communities
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 17.14. Configure BGP Route Reflectors
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 17.15. Troubleshoot BGP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    22. 18. High Availability with NSRP
      1. 18.0. Introduction
        1. See Also
      2. 18.1. Configure an Active-Passive NSRP Cluster in Route Mode
        1. Problem
        2. Solution
        3. Discussion
      3. 18.2. View and Troubleshoot NSRP State
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 18.3. Influence the NSRP Master
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 18.4. Configure NSRP Monitors
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 18.5. Configure NSRP in Transparent Mode
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 18.6. Configure an Active-Active NSRP Cluster
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 18.7. Configure NSRP with OSPF
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 18.8. Provide Subsecond Failover with NSRP and BGP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 18.9. Synchronize Dynamic Routes in NSRP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 18.10. Create a Stateful Failover for an IPSec Tunnel
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 18.11. Configure NAT in an Active-Active Cluster
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 18.12. Configure NAT in a VSD-Less Cluster
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 18.13. Configure NSRP Between Data Centers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 18.14. Maintain NSRP Clusters
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    23. 19. Policy-Based Routing
      1. 19.0. Introduction
      2. 19.1. Traffic Load Balancing
        1. Problem
        2. Solution
        3. Discussion
      3. 19.2. Verify That PBR Is Working for Traffic Load Balancing
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 19.3. Prioritize Traffic Between IPSec Tunnels
        1. Problem
        2. Solution
        3. Discussion
      5. 19.4. Redirect Traffic to Mitigate Threats
        1. Problem
        2. Solution
        3. Discussion
      6. 19.5. Classify Traffic Using the ToS Bits
        1. Problem
        2. Solution
        3. Discussion
      7. 19.6. Block Unwanted Traffic with a Blackhole
        1. Problem
        2. Solution
        3. Discussion
      8. 19.7. View Your PBR Configuration
        1. Problem
        2. Solution
        3. Discussion
    24. 20. Multicast
      1. 20.0. Introduction
        1. Multicast Applications
      2. 20.1. Allow Multicast Traffic Through a Transparent Mode Device
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 20.2. Use Multicast Group Policies to Enforce Stateful Multicast Forwarding
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 20.3. View mroute State
        1. Problem
        2. Solution
        3. Discussion
      5. 20.4. Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 20.5. Connect Directly to Multicast Receivers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 20.6. Use IGMP Proxy Mode to Dynamically Join Groups
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 20.7. Configure PIM on a Firewall
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 20.8. Use BSR for RP Mapping
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 20.9. Firewalling Between PIM Domains
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 20.10. Connect Two PIM Domains with Proxy RP
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 20.11. Manage RPF Information with Redundant Routers
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 20.12. PIM and High Availability
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 20.13. Provide Active-Active Multicast
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 20.14. Scale Multicast Replication
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    25. 21. Virtual Systems
      1. 21.0. Introduction
        1. VSYS and VSYS Administrators
          1. VSYS components
          2. Types of VSYS
      2. 21.1. Create a Route Mode VSYS
        1. Problem
        2. Solution
        3. Discussion
          1. Shared VRs, zones, and interfaces
          2. Routing and policies
      3. 21.2. Create Multiple VSYS Configurations
        1. Problem
        2. Solution
        3. Discussion
          1. Root system
          2. VSYS configuration
      4. 21.3. VSYS and High Availability
        1. Problem
        2. Solution
        3. Discussion
      5. 21.4. Create a Transparent Mode VSYS
        1. Problem
        2. Solution
        3. Discussion
          1. Creating a Layer 2 VSYS
          2. Policies
      6. 21.5. Terminate IPSec Tunnels in the VSYS
        1. Problem
        2. Solution
        3. Discussion
          1. Tunnel configuration
      7. 21.6. Configure VSYS Profiles
        1. Problem
        2. Solution
        3. Discussion
          1. Profiles
          2. Limits
          3. Example profile
          4. CPU limiting
          5. Command overrides
    26. About the Authors
    27. Colophon
    28. SPECIAL OFFER: Upgrade this ebook with O’Reilly