ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa


ScreenOS Cookbook. Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, and Sunil Wadhwa. O'Reilly: Beijing, Cambridge, Farnham, Köln, Paris, Sebastopol, Taipei, Tokyo

Credits xiii
Preface xv

1. ScreenOS CLI, Architecture, and Troubleshooting 1
   1.1 ScreenOS Architecture 9
   1.2 Troubleshoot ScreenOS 24

2. Firewall Configuration and Management 36
   2.1 Use TFTP to Transfer Information to and from the Firewall 36
   2.2 Use SCP to Securely Transfer Information to and from the Firewall 38
   2.3 Use the Dedicated MGT Interface to Manage the Firewall 41
   2.4 Control Access to the Firewall 44
   2.5 Manage Multiple ScreenOS Images for Remotely Managed Firewalls 49
   2.6 Manage the USB Port on SSG 52

3. Wireless 54
   3.1 Use MAC Filtering 61
   3.2 Configure the WEP Shared Key 62
   3.3 Configure the WPA Preshared Key 65
   3.4 Configure WPA Using 802.1x with IAS and Microsoft Active Directory 68
   3.5 Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client 74
   3.6 Separate Wireless Access for Corporate and Guest Users 89
   3.7 Configure Bridge Groups for Wired and Wireless Networks 93

4. Route Mode and Static Routing 97
   4.1 View the Routing Table on the Firewall 102
   4.2 View Routes for a Particular Prefix 105
   4.3 View Routes in the Source-Based Routing Table 107
   4.4 View Routes in the Source Interface-Based Routing Table 109
   4.5 Create Blackhole Routes 111
   4.6 Create ECMP Routing 116
   4.7 Create Static Routes for Gateway Tracking 120
   4.8 Export Filtered Routes to Other Virtual Routers 122
   4.9 Change the Route Lookup Preference 124
   4.10 Create Permanent Static Routes 126

5. Transparent Mode 127
   5.1 Enable Transparent Mode with Two Interfaces 129
   5.2 Enable Transparent Mode with Multiple Interfaces 132
   5.3 Configure a VLAN Trunk 134
   5.4 Configure Retagging 137
   5.5 Configure Bridge Groups 140
   5.6 Manipulate the Layer 2 Forwarding Table 143
   5.7 Configure the Management Interface in Transparent Mode 144
   5.8 Configure the Spanning Tree Protocol (STP) 146
   5.9 Enable Compatibility with HSRP and VRRP Routers 147
   5.10 Configure VPNs in Transparent Mode 149
   5.11 Configure VSYS with Transparent Mode 152

6. Leveraging IP Services in ScreenOS 155
   6.1 Set the Time on the Firewall 156
   6.2 Set the Clock with NTP 157
   6.3 Check NTP Status 158
   6.4 Configure the Device's Name Service 160
   6.5 View DNS Entries on a Device 164
   6.6 Use Static DNS to Provide a Common Policy for Multiple Devices 166
   6.7 Configure the DNS Proxy for Split DNS 168
   6.8 Use DDNS on the Firewall for VPN Creation 172
   6.9 Configure the Firewall As a DHCP Client for Dynamic IP Environments 174
   6.10 Configure the Firewall to Act As a DHCP Server 175
   6.11 Automatically Learn DHCP Option Information 177
   6.12 Configure DHCP Relay 177
   6.13 DHCP Server Maintenance 179

7. Policies 181
   7.1 Configure an Inter-Zone Firewall Policy 184
   7.2 Log Hits on ScreenOS Policies 187
   7.3 Generate Log Entries at Session Initiation 189
   7.4 Configure a Syslog Server 190
   7.5 Configure an Explicit Deny Policy 192
   7.6 Configure a Reject Policy 194
   7.7 Schedule Policies to Run at a Specified Time 197
   7.8 Change the Order of ScreenOS Policies 198
   7.9 Disable a ScreenOS Policy 200
   7.10 Configure an Intra-Zone Firewall Policy 200
   7.11 Configure a Global Firewall Policy 203
   7.12 Configure Custom Services 206
   7.13 Configure Address and Service Groups 207
   7.14 Configure Service Timeouts 208
   7.15 View and Use Microsoft RPC Services 211
   7.16 View and Use Sun-RPC Services 214
   7.17 View the Session Table 216
   7.18 Troubleshoot Traffic Flows 219
   7.19 Configure a Packet Capture in ScreenOS 224
   7.20 Determine Platform Limits on Address/Service Book Entries and Policies 228

8. Network Address Translation 230
   8.1 Configure Hide NAT 235
   8.2 Configure Hide NAT with VoIP 236
   8.3 Configure Static Source NAT 237
   8.4 Configure Source NAT Pools 238
   8.5 Link Multiple DIPs to the Same Policy 240
   8.6 Configure Destination NAT 241
   8.7 Configure Destination PAT 243
   8.8 Configure Bidirectional NAT for DMZ Servers 245
   8.9 Configure Static Bidirectional NAT with Multiple VRs 246
   8.10 Configure Source Shift Translation 248
   8.11 Configure Destination Shift Translation 249
   8.12 Configure Bidirectional Network Shift Translation 250
   8.13 Configure Conditional NAT 252
   8.14 Configure NAT with Multiple Interfaces 254
   8.15 Design PAT for a Home or Branch Office 256
   8.16 A NAT Strategy for a Medium Office with DMZ 258
   8.17 Deploy a Large-Office Firewall with DMZ 261
   8.18 Create an Extranet with Mutual PAT 264
   8.19 Configure NAT with Policy-Based VPN 268
   8.20 Configure NAT with Route-Based VPN 275
   8.21 Troubleshoot NAT Mode 279
   8.22 Troubleshoot DIPs (Policy NAT-SRC) 282
   8.23 Troubleshoot Policy NAT-DST 285
   8.24 Troubleshoot VIPs 287
   8.25 Troubleshoot MIPs 291

9. Mitigating Attacks with Screens and Flow Settings 294
   9.1 Configure SYN Flood Protection 296
   9.2 Control UDP Floods 298
   9.3 Detect Scan Activity 299
   9.4 Avoid Session Table Depletion 301
   9.5 Baseline Traffic to Prepare for Screen Settings 302
   9.6 Use Flow Configuration for State Enforcement 306
   9.7 Detect and Drop Illegal Packets with Screens 309
   9.8 Prevent IP Spoofing 309
   9.9 Prevent DoS Attacks with Screens 312
   9.10 Use Screens to Control HTTP Content 313

10. IPSec VPN 315
   10.1 Create a Simple User-to-Site VPN 333
   10.2 Policy-Based IPSec Tunneling with Static Peers 346
   10.3 Route-Based IPSec Tunneling with Static Peers and Static Routes 349
   10.4 Route-Based VPN with Dynamic Peer and Static Routing 353
   10.5 Redundant VPN Gateways with Static Routes 357
   10.6 Dynamic Route-Based VPN with RIPv2 365
   10.7 Interoperability 372

11. Application Layer Gateways 379
   11.1 View the List of Available ALGs 380
   11.2 Globally Enable or Disable an ALG 383
   11.3 Disable an ALG in a Specific Policy 384
   11.4 View the Control and Data Sessions for an FTP Transfer 385
   11.5 Configure ALG Support When Running FTP on a Custom Port 391
   11.6 Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session 395
   11.7 View SIP Call and Session Counters 401
   11.8 View and Modify SIP ALG Settings 404
   11.9 View the Dynamic Port(s) Associated with a Microsoft RPC Session 406
   11.10 View the Dynamic Port(s) Associated with a Sun-RPC Session 410

12. Content Security 415
   12.1 Configure Internal Antivirus 417
   12.2 Configure External Antivirus with ICAP 421
   12.3 Configure External Antivirus via Redirection 422
   12.4 Configure Antispam 425
   12.5 Configure Antispam with Third Parties 426
   12.6 Configure Custom Blacklists and Whitelists for Antispam 427
   12.7 Configure Internal URL Filtering 427
   12.8 Configure External URL Filtering 429
   12.9 Configure Custom Blacklists and Whitelists with URL Filtering 430
   12.10 Configure Deep Inspection 432
   12.11 Download Deep Inspection Signatures Manually 434
   12.12 Develop Custom Signatures with Deep Inspection 435
   12.13 Configure Integrated IDP 437

13. User Authentication 439
   13.1 Create Local Administrative Users 452
   13.2 Create VSYS-Level Administrator Accounts 453
   13.3 Create User Groups for Authentication Policies 454
   13.4 Use Authentication Policies 455
   13.5 Use WebAuth with the Local Database 458
   13.6 Create VPN Users with the Local Database 460
   13.7 Use RADIUS for Admin Authentication 463
   13.8 Use LDAP for Policy-Based Authentication 465
   13.9 Use SecurID for Policy-Based Authentication 467

14. Traffic Shaping 469
   14.1 Configure Policy-Level Traffic Shaping 473
   14.2 Configure Low-Latency Queuing 476
   14.3 Configure Interface-Level Traffic Policing 479
   14.4 Configure Traffic Classification (Marking) 481
   14.5 Troubleshoot QoS 485

15. RIP 492
   15.1 Configure a RIP Instance on an Interface 494
   15.2 Advertise the Default Route via RIP 498
   15.3 Configure RIP Authentication 499
   15.4 Suppress RIP Route Advertisements with Passive Interfaces 500
   15.5 Adjust RIP Timers to Influence Route Convergence Duration 502
   15.6 Adjust RIP Interface Metrics to Influence Path Selection 508
   15.7 Redistribute Static Routes into RIP 509
   15.8 Redistribute Routes from OSPF into RIP 511
   15.9 Filter Inbound RIP Routes 513
   15.10 Configure Summary Routes in RIP 516
   15.11 Administer RIP Version 1 518
   15.12 Troubleshoot RIP 520

16. OSPF 523
   16.1 Configure OSPF on a ScreenOS Device 527
   16.2 View Routes Learned by OSPF 531
   16.3 View the OSPF Link-State Database 532
   16.4 Configure a Multiarea OSPF Network 537
   16.5 Set Up Stub Areas 541
   16.6 Create a Not-So-Stubby Area (NSSA) 545
   16.7 Control Route Propagation in OSPF 548
   16.8 Redistribute Routes into OSPF 550
   16.9 Make OSPF RFC 1583-Compatible 554
   16.10 Adjust OSPF Link Costs 556
   16.11 Configure OSPF on Point-to-Multipoint Links 557
   16.12 Configure Demand Circuits 561
   16.13 Configure Virtual Links 564
   16.14 Change OSPF Timers 567
   16.15 Secure OSPF 569
   16.16 Troubleshoot OSPF 571

17. BGP 575
   17.1 Configure BGP with an External Peer 580
   17.2 Configure BGP with an Internal Peer 585
   17.3 Configure BGP Peer Groups 589
   17.4 Configure BGP Neighbor Authentication 591
   17.5 Adjust BGP Keepalive and Hold Timers 593
   17.6 Statically Define Prefixes to Be Advertised to EBGP Peers 594
   17.7 Use Route Maps to Filter Prefixes Announced to BGP Peers 597
   17.8 Aggregate Route Announcements to BGP Peers 600
   17.9 Filter Route Announcements from BGP Peers 603
   17.10 Update the BGP Routing Table Without Resetting Neighbor Connections 607
   17.11 Use BGP LocalPref for Route Selection 608
   17.12 Configure Route Dampening 611
   17.13 Configure BGP Communities 613
   17.14 Configure BGP Route Reflectors 615
   17.15 Troubleshoot BGP 618

18. High Availability with NSRP 620
   18.1 Configure an Active-Passive NSRP Cluster in Route Mode 626
   18.2 View and Troubleshoot NSRP State 630
   18.3 Influence the NSRP Master 637
   18.4 Configure NSRP Monitors 639
   18.5 Configure NSRP in Transparent Mode 641
   18.6 Configure an Active-Active NSRP Cluster 644
   18.7 Configure NSRP with OSPF 649
   18.8 Provide Subsecond Failover with NSRP and BGP 652
   18.9 Synchronize Dynamic Routes in NSRP 658
   18.10 Create a Stateful Failover for an IPSec Tunnel 662
   18.11 Configure NAT in an Active-Active Cluster 664
   18.12 Configure NAT in a VSD-Less Cluster 667
   18.13 Configure NSRP Between Data Centers 673
   18.14 Maintain NSRP Clusters 675

19. Policy-Based Routing 677
   19.1 Traffic Load Balancing 678
   19.2 Verify That PBR Is Working for Traffic Load Balancing 681
   19.3 Prioritize Traffic Between IPSec Tunnels 682
   19.4 Redirect Traffic to Mitigate Threats 689
   19.5 Classify Traffic Using the ToS Bits 691
   19.6 Block Unwanted Traffic with a Blackhole 693
   19.7 View Your PBR Configuration 695

20. Multicast 697
   20.1 Allow Multicast Traffic Through a Transparent Mode Device 701
   20.2 Use Multicast Group Policies to Enforce Stateful Multicast Forwarding 703
   20.3 View mroute State 706
   20.4 Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM 709
   20.5 Connect Directly to Multicast Receivers 713
   20.6 Use IGMP Proxy Mode to Dynamically Join Groups 716
   20.7 Configure PIM on a Firewall 720
   20.8 Use BSR for RP Mapping 722
   20.9 Firewalling Between PIM Domains 725
   20.10 Connect Two PIM Domains with Proxy RP 727
   20.11 Manage RPF Information with Redundant Routers 733
   20.12 PIM and High Availability 735
   20.13 Provide Active-Active Multicast 739
   20.14 Scale Multicast Replication 742

21. Virtual Systems 748
   21.1 Create a Route Mode VSYS 751
   21.2 Create Multiple VSYS Configurations 754
   21.3 VSYS and High Availability 762
   21.4 Create a Transparent Mode VSYS 765
   21.5 Terminate IPSec Tunnels in the VSYS 768
   21.6 Configure VSYS Profiles 774

Glossary 781
Index 801