ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa

Transcription

1 ScreenOS Cookbook Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa O'REILLY 8 Beijing Cambridge Farnham Kbln Paris Sebastopol Taipei Tokyo

2 Credits Preface xiii xv 1. ScreenOS CLI, Architecture, and Troubleshooting ScreenOS Architecture Troubleshoot ScreenOS Firewall Configuration and Management Use TFTP to Transfer Information to and from the Firewall Use SCP to Securely Transfer Information to and from the Firewall Use the Dedicated MGT Interface to Manage the Firewall Control Access to the Firewall Manage Multiple ScreenOS Images for Remotely Managed Firewalls Manage the USB Port on SSG Wireless Use MAC Filtering Configure the WEP Shared Key Configure the WPA Preshared Key Configure WPA Using 802. lx with IAS and Microsoft Active Directory Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client Separate Wireless Access for Corporate and Guest Users Configure Bridge Groups for Wired and Wireless Networks 93

3 4. Route Mode and Static Routing View the Routing Table on the Firewall View Routes for a Particular Prefix View Routes in the Source-Based Routing Table View Routes in the Source Interface-Based Routing Table Create Blackhole Routes Create ECMP Routing Create Static Routes for Gateway Tracking Export Filtered Routes to Other Virtual Routers Change the Route Lookup Preference Create Permanent Static Routes Transparent Mode Enable Transparent Mode with Two Interfaces Enable Transparent Mode with Multiple Interfaces Configure a VLAN Trunk Configure Retagging Configure Bridge Groups Manipulate the Layer 2 Forwarding Table Configure the Management Interface in Transparent Mode Configure the Spanning Tree Protocol (STP) Enable Compatibility with HSRP and VRRP Routers Configure VPNs in Transparent Mode Configure VSYS with Transparent Mode Leveraging IP Services in ScreenOS Set the Time on the Firewall Set the Clock with NTP > Check NTP Status Configure the Device's Name Service View DNS Entries on a Device Use Static DNS to Provide a Common Policy for Multiple Devices Configure the DNS Proxy for Split DNS Use DDNS on the Firewall for VPN Creation Configure the Firewall As a DHCP Client for Dynamic IP Environments Configure the Firewall to Act As a DHCP Server Automatically Learn DHCP Option Information Configure DHCP Relay DHCP Server Maintenance 179 I

4 7. Policies Configure an Inter-Zone Firewall Policy Log Hits on ScreenOS Policies Generate Log Entries at Session Initiation Configure a Syslog Server Configure an Explicit Deny Policy Configure a Reject Policy Schedule Policies to Run at a Specified Time Change the Order of ScreenOS Policies Disable a ScreenOS Policy Configure an Intra-Zone Firewall Policy Configure a Global Firewall Policy Configure Custom Services Configure Address and Service Groups Configure Service Timeouts View and Use Microsoft RPC Services View and Use Sun-RPC Services View the Session Table Troubleshoot Traffic Flows Configure a Packet Capture in ScreenOS Determine Platform Limits on Address/Service Book Entries and Policies Network Address Translation Configure Hide NAT Configure Hide NAT with VoIP Configure Static Source NAT Configure Source NAT Pools Link Multiple DIPs to the Same Policy Configure Destination NAT Configure Destination PAT Configure Bidirectional NAT for DMZ Servers Configure Static Bidirectional NAT with Multiple VRs Configure Source Shift Translation Configure Destination Shift Translation Configure Bidirectional Network Shift Translation Configure Conditional NAT Configure NAT with Multiple Interfaces Design PAT for a Home or Branch Office 256 I vii

5 8.16 A NAT Strategy for a Medium Office with DMZ Deploy a Large-Office Firewall with DMZ Create an Extranet with Mutual PAT Configure NAT with Policy-Based VPN Configure NAT with Route-Based VPN Troubleshoot NAT Mode Troubleshoot DIPs (Policy NAT-SRC) Troubleshoot Policy NAT-DST Troubleshoot VIPs Troubleshoot MIPs Mitigating Attacks with Screens and Flow Settings Configure SYN Flood Protection Control UDP Floods Detect Scan Activity Avoid Session Table Depletion Baseline Traffic to Prepare for Screen Settings Use Flow Configuration for State Enforcement Detect and Drop Illegal Packets with Screens Prevent IP Spoofing Prevent DoS Attacks with Screens Use Screens to Control HTTP Content IPSecVPN Create a Simple User-to-Site VPN Policy-Based IPSec Tunneling with Static Peers Route-Based IPSec Tunneling with Static Peers and Static Routes Route-Based VPN with Dynamic Peer and Static Routing Redundant VPN Gateways with Static Routes Dynamic Route-Based VPN with RIPv Interoperability Application Layer Gateways View the List of Available ALGs Globally Enable or Disable an ALG Disable an ALG in a Specific Policy View the Control and Data Sessions for an FTP Transfer Configure ALG Support When Running FTP on a Custom Port Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session 395 viii I

6 11.7 View SIP Call and Session Counters View and Modify SIP ALG Settings View the Dynamic Port(s) Associated with a Microsoft RPC Session View the Dynamic Port(s) Associated with a Sun-RPC Session Content Security Configure Internal Antivirus Configure External Antivirus with ICAP Configure External Antivirus via Redirection Configure Antispam Configure Antispam with Third Parties Configure Custom Blacklists and Whitelists for Antispam Configure Internal URL Filtering Configure External URL Filtering Configure Custom Blacklists and Whitelists with URL Filtering Configure Deep Inspection Download Deep Inspection Signatures Manually Develop Custom Signatures with Deep Inspection Configure Integrated IDP User Authentication Create Local Administrative Users Create VSYS-Level Administrator Accounts Create User Groups for Authentication Policies Use Authentication Policies Use WebAuth with the Local Database Create VPN Users with the Local Database Use RADIUS for Admin Authentication Use LDAP for Policy-Based Authentication Use SecurlD for Policy-Based Authentication Traffic Shaping Configure Policy-Level Traffic Shaping Configure Low-Latency Queuing Configure Interface-Level Traffic Policing Configure Traffic Classification (Marking) Troubleshoot QoS 485

7 15. RIP Configure a RIP Instance on an Interface Advertise the Default Route via RIP Configure RIP Authentication Suppress RIP Route Advertisements with Passive Interfaces Adjust RIP Timers to Influence Route Convergence Duration Adjust RIP Interface Metrics to Influence Path Selection, Redistribute Static Routes into RIP Redistribute Routes from OSPF into RIP Filter Inbound RIP Routes Configure Summary Routes in RIP Administer RIP Version Troubleshoot RIP OSPF : Configure OSPF on a ScreenOS Device View Routes Learned by OSPF View the OSPF Link-State Database Configure a Multiarea OSPF Network Set Up Stub Areas Create a Not-So-Stubby Area (NSSA) Control Route Propagation in OSPF Redistribute Routes into OSPF Make OSPF RFC 1583-Compatible Adjust OSPF Link Costs Configure OSPF on Point-to-Multipoint Links Configure Demand Circuits Configure Virtual Links Change OSPF Timers Secure OSPF Troubleshoot OSPF BGP Configure BGP with an External Peer, Configure BGP with an Internal Peer ' Configure BGP Peer Groups Configure BGP Neighbor Authentication 591 x

8 17.5 Adjust BGP Keepalive and Hold Timers Statically Define Prefixes to Be Advertised to EBGP Peers Use Route Maps to Filter Prefixes Announced to BGP Peers Aggregate Route Announcements to BGP Peers Filter Route Announcements from BGP Peers Update the BGP Routing Table Without Resetting Neighbor Connections Use BGP LocaLPref for Route Selection Configure Route Dampening Configure BGP Communities Configure BGP Route Reflectors Troubleshoot BGP High Availability with NSRP Configure an Active-Passive NSRP Cluster in Route Mode View and Troubleshoot NSRP State Influence the NSRP Master Configure NSRP Monitors Configure NSRP in Transparent Mode Configure an Active-Active NSRP Cluster Configure NSRP with OSPF Provide Subsecond Failover with NSRP and BGP Synchronize Dynamic Routes in NSRP Create a Stateful Failover for an IPSec Tunnel Configure NAT in an Active-Active Cluster v Configure NAT in a VSD-Less Cluster Configure NSRP Between Data Centers Maintain NSRP Clusters Policy-Based Routing Traffic Load Balancing Verify That PBR Is Working for Traffic Load Balancing Prioritize Traffic Between IPSec Tunnels Redirect Traffic to Mitigate Threats Classify Traffic Using the ToS Bits Block Unwanted Traffic with a Blackhole View Your PBR Configuration 695

9 20. Multicast Allow Multicast Traffic Through a Transparent Mode Device Use Multicast Group Policies to Enforce Stateful Multicast Forwarding View mroute State Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM Connect Directly to Multicast Receivers Use IGMP Proxy Mode to Dynamically Join Groups Configure PIM on a Firewall Use BSR for RP Mapping Firewalling Between PIM Domains Connect Two PIM Domains with Proxy RP Manage RPF Information with Redundant Routers PIM and High Availability Provide Active-Active Multicast Scale Multicast Replication Virtual Systems Create a Route Mode VSYS Create Multiple VSYS Configurations VSYS and High Availability Create a Transparent Mode VSYS Terminate IPSec Tunnels in the VSYS Configure VSYS Profiles 774 Glossary 781 Index 801 xii I