Preface

The controlling element of Juniper Networks’ firewall/IP Security (IPSec) virtual private network (VPN) devices is the ScreenOS operating system, a real-time, security-specific operating system that provides everything you need to set up and manage these devices. The name comes from its original company, NetScreen, which Juniper Networks acquired in 2004.

ScreenOS includes a robust set of security and management applications, such as an ICSA-certified IPSec VPN gateway for interoperable secure communications, deep inspection capabilities for application-level attack protection, virtualization features for network segmentation, and internal and external management interfaces to facilitate deployment. At the time of this writing, ScreenOS was at version 6.0.

The real-time nature of the operating system, combined with purpose-built hardware platforms, means that ScreenOS does not suffer from connection table and processing limitations and that it eliminates the known security flaws found in general-purpose operating systems. An added benefit of the real-time nature of ScreenOS is that hackers cannot analyze it easily for vulnerabilities because the source code is not publicly available.

Here are some of the key features of ScreenOS:

Firewall

Stateful inspection of traffic between the protected LAN, intermediate networks, and the Internet

VPNs

Secure communication tunnels between sites for traffic passing through the Internet

Redundancy

A backup device that maintains the same configuration, real-time session synchronization, and many other objects as the primary device, so that it can take over from the primary if necessary (interfaces, routing paths, power supplies, and fans can also be redundant)

Traffic shaping

Efficient prioritization of traffic as it traverses the firewall

Integrated networking functions

Performs routing functions, and supports IP Multicast and IPv6 to interact with other routing devices in today’s complex environments

Dynamic routing

A routing table that automatically updates by communicating with dynamic routing peers

This book explains these and other features of ScreenOS, and provides a guide to managing the software’s capabilities to match your network needs. For those of you who are familiar with Cisco IOS and other general-purpose operating systems, you’ll find some things that are similar, but many that are unique and quite powerful.

Given the diversity of the ScreenOS features and the complexity of today’s network security needs, we assembled a team of six ScreenOS engineers so that each could provide recipes and discussion regarding their areas of expertise. As a reader, you’ll notice differences in writing style among the recipes because of this group authoring. We apologize in advance, but the value you’ll get from each chapter should far outweigh the slight changes in style. Also, some topics are more robust and complex than others and thus demand greater scrutiny and longer introductions and discussions in the recipes.

This book cannot cover the entire ScreenOS operating system. The product documentation does what this book could not even consider, and it is freely available on the Juniper Networks web site (http://www.juniper.net). In particular, the site’s suite of Concepts & Examples ScreenOS Reference Guides has been praised for its instructional clarity. Other resources abound, including J-Net Communities, a full Juniper Knowledge Base, and other Juniper Networks support, education programs, and services. Although there is no lack of information about ScreenOS, this cookbook gives you practical hands-on recipes and detailed discussion to set up, manage, and troubleshoot your security devices with all the authority of the 20+ person-years of experience of the authors of this book.

Audience

Although it would probably suffice to say that this book is for any person interested in learning about ScreenOS, the true audience consists of those who must manage, operate, and configure Juniper Networks’ ScreenOS security devices. If you’ve just opened the box of a ScreenOS device, you should examine the documentation first and save this book for later. The authors assume that their audience comprises skilled network administrators and engineers with medium-level knowledge of ScreenOS. They also assume that some portion of the audience comprises medium- to advanced-level network security administrators and engineers who are coming from another vendor’s product line. In reality, this cookbook will accept anyone who is a little rusty in either ScreenOS or another vendor’s operating system; it just may take you a little longer to get your ScreenOS legs.

Assumptions This Book Makes

The biggest assumption the authors have made is that you know the ScreenOS CLI and are somewhat nimble with it. The first two chapters cover the CLI, but only from the angle that you have already read the basic documentation and are familiar with the CLI. The authors also assume that you have set up the device properly; that you are familiar with firewalls, VPNs, and modern network security issues as well as Transmission Control Protocol/Internet Protocol (TCP/IP), routing basics, and routing protocols; and that you have set up and run ScreenOS security devices.

The ScreenOS Cookbook consists of 21 chapters. There are no parts or sections to this book, reinforcing the authors’ hope that readers will use it as a field guide and jump from recipe to recipe either as needed or as curiosity leads. You should attempt to read each chapter’s introduction, as it contains an overview and key information that we are assuming you are acquainted with as you browse that chapter’s recipes and discussions.

Conventions Used in This Book

The following typographical conventions are used in this book:

Italic

Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, and the output from commands

Constant width bold

Shows commands and other text that should be typed literally by the user

Constant width italic

Indicates the author’s emphasis within the output from commands

Tip

This icon signifies a tip, suggestion, or general note.

Warning

This icon indicates a warning or caution.

Using Code Examples

This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.

We appreciate, but do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “ScreenOS Cookbook by Stefan Brunner et al. Copyright 2008 O’Reilly Media, Inc., 978-0-596-51003-9.”

If you feel your use of code examples falls outside fair use or the permission given here, feel free to contact us at .

Safari® Books Online

When you see a Safari® Books Online icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.

Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
800-998-9938 (in the United States or Canada)
707-829-0515 (international or local)
707-829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/9780596510039

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:

http://www.oreilly.com

Acknowledgments

Writing a book such as the one you are holding is a group effort with a cast that sometimes resembles a Hollywood movie. As a group, the authors would like to acknowledge Juniper Networks for giving them the opportunity to put their work-day knowledge to paper. Keith Redfield supported this book and ran interference at the managerial level, and even tech-edited one of the chapters. Without Keith’s support, it is doubtful that this book would exist.

Also, as a group, the authors would like to thank Patrick Ames, the Juniper Networks editor-in-chief for retail books and retail book projects. He held us on schedule and drove the project over the long year and a half that it took from that initial meeting to the final printed pages. Our editor at O’Reilly, Mike Loukides, gave us both the support and the fine-tuning we needed to turn this into a quality O’Reilly Cookbook. Our developmental editor, Sara Kreisman, managed to smooth our rough language into presentable English, and many great editors, illustrators, and production artists on the O’Reilly staff helped also. Thank you.

As a group, we had many technical reviewers who read these pages and double-checked our recipes and discussions. They did all this while maintaining their day jobs with little expectation of reward or glory. As a group, we would like to gratefully acknowledge their extracurricular efforts and recognize their expertise in ScreenOS: Rob Cameron, Andy Clutton, Cesar Collantes, Rafael Gracioli, Anil Jethnani, Umesh Kondur, Kathy Laymon, Joseph Naughton, Barny Sanchez, Mike Swarm, Al Rodriquez, Adam Rypinski, JianYu Yang, Jerish Parapurath, and Yansong Yu.

We labored for many months on this book, sacrificing time with our families and friends, and working strange hours in the lab when others went home. Our individual acknowledgments follow.

Stefan Brunner would like to thank his wife, Natalija, for her patience and the mental support to become more efficient; their baby daughter, Saffron, for playing patiently in his office while Papa stared into the screen and hacked away on the keyboard; and their youngest family member, daughter Cinnamon, for being very patient with Papa while he used his paternity leave for reviewing the final edits for this book. He also would like to thank his manager, Dave Delcourt, and group director, Gary Richman, for providing encouragement and flexibility regarding client schedules, and many of the old NetScreen folks who gave valuable input; product managers Mike Kouri and Abby Hassle, who helped with researching old function specs; editor-in-chief Patrick Ames, who kept the authoring team on track; and Aviva Garrett and Jeff Doyle for their insight into becoming an author.

Vik Davar would like to thank his wife, Bharti, and children, Neal and Riya, for their encouragement and support throughout the long hours spent on writing; his parents for providing him inspiration; and the following people for their review and support: Patrick Ames, Umesh Kondur, Kathy Laymon, Stefan Brunner, Mike Swarm, Cesar Collantes, and the entire Juniper Networks team.

David Delcourt would like to thank his wife, Bonnie, for helping him stay focused by locking him in his office to complete the writing and testing; his daughter, April, for making cookies and bringing him coffee to help him stay energized; his trusty sidekick, Sadie; his managers and mentors, Brett Eldridge and Robert Schneider, for their inspiration and motivation; Adam Rypinski for his technical review and support; and the entire Juniper Networks team.

Ken Draper would like to thank his wife, Leslie, for sacrificing weekends not going to the lake house so that he could write his chapters and for encouraging him to stay at it so that he could complete them. Additional thanks go to Patrick Ames for cracking the whip and driving the schedule of this book, Joo Kim for his submission to Chapter 10, and Jerish Parapurath and Rob Cameron for their technical review of his chapters.

Joe Kelly would like to thank his wife, his anam cara, Jacqueline, for having the patience to deal with his late nights working and for giving him the love and support to see this thing through; their children, Hannah, Ben, and Tristan, for warming his heart when stress was high; his father, David Kelly, for giving him the hunger to learn; his supervisors, Vik Davar, Paul Gerry, and Pete Fitzgerald, for supporting this effort; his coworkers past and present, including Paul Levasseur, Gregory Lebovitz, Changming Liu, Mike Swarm, Brett Eldridge, Purvi Desai, Dave Klein, and Mike Kouri, whose creativity made this stuff work and whose tutelage helped him understand how; his teammates, Larry Karantzios, Keith Sober, Greg Olivieri, Brian O’Halloran, and Brian Pavane, who helped get these recipes written; the technical reviewers, Andy Clutton and Cesar Collantes; his friend and mentor, Jeremiah Kristal, for teaching him what a subnet mask was oh so many years ago; and his customers, whose problems were the genesis for so many of these recipes.

Sunil Wadhwa would like to thank his wife, Lavanya, for motivating and supporting him, having the patience to deal with his working late nights, and giving him all the love and support to see this thing through; his daughter, Sneha, for warming his heart when stress was high; and his mother, Jayanthi, for her motivation and support. He would also like to thank his supervisors, Raj Sabnani, Paul McNulty, Adam Rypinski, Steven Tufts, and Farhad Zaeni, for providing the opportunity to contribute to this book; and Umesh Kondur and Joseph Naughton, for providing technical help for writing some of the recipes. Finally, he would like to thank his coworkers in the Advanced Firewall/VPN JTAC and his team members for supporting this effort.
