ISG 2000 User's Guide
Contents
1. LED dashboard (continued)

   LED     Purpose                    Color            Meaning
   POWER   Power Supply               Green            Power supply is functioning correctly
                                      Off              System is not receiving power
                                      Red              There is a problem with the power
   ALARM   System Alarm               Blinking red     Continuous blinking indicates a self-test failure during the ScreenOS bootup; may also occur due to certain algorithm and ACL failures. Blinks once for each software attack.
                                      Amber            One of the following failures has occurred: power supply is turned off; hardware failure; error with software module
                                      Off              No alarm condition present
   TEMP    Temperature                Green            Temperature is within safety range
                                      Orange           Temperature is above normal alarm range
                                      Red              Temperature is above severe alarm range (> 150 F or 66 C)
   STATUS  System Status              Blinking green   The system is active
                                      Green            The system is booting
                                      Off              The system is off
   HA      High Availability Status   Green            Unit is master
                                      Amber            Unit is a backup
                                      Red              HA has been defined, but the unit is not the backup system
                                      Off              No HA activity defined
   FAN     Fan Status                 Green            All fans functioning properly
                                      Red              One or more fans failed, or the fan subsystem is not receiving power
   MOD1    Security Module            Green            Security module is installed
                                      Off              No card installed
   MOD2    Security Module            Green            Security module is installed
                                      Off              No card installed
   MOD3    Security Module            Green            Security module is installed
                                      Off              No card installed
   FLASH   Compact Flash Status       Blinking green   Read/write activity is detected
                                      Off              Compact flash sl
2. 1. Set the system clock with the following command:

       set clock dd/mm/yyyy hh:mm:ss

   where dd/mm/yyyy = day/month/year and hh:mm:ss = hour:minute:second; for example, 07 15 2005 16:40:55.

       save

   After you enter the save command, the ISG 2000 saves the current configuration to flash memory. If you reset the device without saving the latest configuration, the ISG 2000 loads the previously saved configuration.

   NOTE: To see other options for setting the system clock, refer to the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   2. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, enter the following:

       set console timeout number
       save

   where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0. This setting is convenient for performing an initial configuration, but Juniper Networks does not recommend permanently disabling the console timeout.

   Admin Name and Password

   Because all NetScreen products use the same admin name and password (netscreen), it is highly advisable to change your login information immediately. To change your login information, enter the following commands:

       set admin name name_str
       set admin password pswd_str
       save

   NOTE: For information on creating multiple administrators with different administrative levels
3. ISG 2000 User's Guide, ScreenOS 5.0.0-IDP1

   Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089 USA, 408-745-2000, www.juniper.net

   Part Number: 093-1524-000, Rev. A

   Copyright Notice

   Copyright 2005 Juniper Networks, Inc. All rights reserved.

   Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.

   The following are trademarks of Juniper Networks, Inc.: Deep Inspection, ERX, ESP, Instant Virtual Extranet, Internet Processor, J-Protect, JUNOS, JUNOScope, JUNOScript, JUNOSe, M5, M7i, M10, M10i, M20, M40, M40e, M160, M320, M-series, MMD, NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-IDP 1000, IDP 50, IDP 200, IDP 600, IDP 1100, ISG 1000, ISG 2000, NetScreen-Global Pro Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-SA 1000 Series, NetScreen-SA 3000 Series, NetScreen-SA 5000 Series, NetScreen-SA Central Manager, NetScreen Secure Access, NetScreen-SM 3000, NetScreen-Security Manager, GigaScreen ASIC, GigaScreen II ASIC, NMC-RX, SDX, Stateful Signature, T320, T640, and T-series.

   Information in this document is subject to chan
4. The following prompt appears:

       System reset, are you sure? y/[n]

   Press the Y key. The system reboots.

   If you lose your admin name or password, you can use the following procedure to reset the NetScreen device to its default settings. This destroys any existing configurations but restores access to the device. To perform this operation, you need to make a console connection, as described in "Console Connection and Login" on page 5.

   1. At the login prompt, type the serial number of the device.
   2. At the password prompt, type the serial number again. The following message appears:

       !!! Lost Password Reset !!!
       You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n]

   3. Press the Y key. The following message appears:

       !! Reconfirm Lost Password Reset !!
       If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/[n]

   4. Press the Y key to reset the device. You can now log in using netscreen as the default admin name and password.

   NOTE: By default, the device recovery feature is enabled. You can disab
5. This zone typically contains your protected internal resources.

   Note: This illustration shows the typical uses of each zone. However, this arrangement is not compulsory; you can customize their uses to best suit your network environment.

   You can define more security zones by using the following command:

       set zone name zone [ l2 id_num ]

   For information on creating zones, see the chapter on zones in the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   Binding Interfaces to Zones

   The ISG 2000 supports different types of interface modules in four interface module bays. The leftmost interface in the module in the upper left bay is ethernet1/1. The interface to the right of ethernet1/1 is ethernet1/2. If there are more interfaces in that module, they are numbered ethernet1/3, ethernet1/4, and so on. As you can see, the first number represents the position of the interface module in one of the four bays, and the second number represents the position of the interface in that module from left to right.

   Figure 8: Interface Numbers (interface module bays: e1/1, e1/2, e1/3, e1/4; e2/1, e2/2; e3/1, e3/2; e4/1, e4/2, e4/3, e4/4)

   As you can see in the output from the get interface command below, none of the interface module interfaces are prebound to a security zone; they are all in the Null zone.

       get interface
       A - Active, I - Inactive, U - Up, D - Dow
6. You can also open a support case by calling 1-888-314-JTAC within the United States or 1-408-745-9500 outside the United States.

   Chapter 1: Configuring

   This chapter describes how to make a console connection to the ISG 2000, log in, and perform a basic configuration.

   Table 1: Important Default Configuration Settings

       Default MGT IP address         192.168.1.1/24
       Default ethernet IP addresses  0.0.0.0/0
       Default username               netscreen
       Default password               netscreen

   NOTE: You must register your product at www.juniper.net/support so that you can activate specific services, such as Intrusion Detection and Prevention (IDP). After registering your product, purchase a license key from your value-added reseller (VAR) and then use NetScreen-Security Manager, the WebUI, or the CLI to load the key. For information about registering your product and obtaining and loading license keys, see the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide on the documentation CD that ships with the ISG 2000.

   This chapter includes the following main configuration sections:

       Before Beginning, on page 2
       Console Connection and Login, on page 5
       Basic Configuration, on page 4
       System Clock and Console Timeout, on page 5
       Admin Name and Password, on page 5
       Security Zones and Interfaces, on page 6
       DNS and Default Route, on page 12
       Policies, on page 15
       Intrusion Detectio
7. Contents (continued): Chapter 2 Installing (Connecting the Device to a Network; Equipment Rack Installation Guidelines; Equipment Rack Accessories and Required Tools; Rear and Front Mount; Mid Mount); Chapter 3 Hardware and Servicing (Replacing Interface Modules; Removing Interface Modules; Securing Interface Modules; Connecting and Disconnecting Gigabit Ethernet Cables; Replacing Power Supplies; Replacing AC Power Supplies; Replacing DC Power Supplies; Replacing the Fan Tray); Appendix A Specifications (Electrical Specifications; Environmental Specifications).

   About This Guide

   This guide describes how to install, configure, and service the ISG 2000. It presents an example of a basic
8. messages that appear in the event log, with their meanings and recommended actions.

   Getting Started Guides and User's Guides: Platform-specific guides for connecting a NetScreen device to a network and then configuring it.

   Other Resources: FIPS-certified and Common Criteria-certified images and documentation; Help files; SNMP MIB files; Dictionary file for external authentication servers; NetScreen device installation steps; More.

   You can also get documentation for the following Juniper Networks technologies and products by visiting www.juniper.net/techpubs: NetScreen-Security Manager; Security devices (ScreenOS); NetScreen-Remote VPN client; Intrusion Detection and Prevention (IDP).

   Another resource is the WebUI Help. When logged in to the ISG 2000 through the WebUI, click the Help button to learn more about ScreenOS features.

   Figure 3: WebUI Help (screenshot of the WebUI home page; Serial Number 0075112003120004, Firmware Version 5.0.0-IDP1)

   You can access context-sensitive Help by clicking the Help button in the upper right corner of the WebUI, or by selecting Help > Online Help from the menu column. The Help menu option also provides shortcuts to online product registration and the NetScreen knowledgebase.

   If you find any errors or omissions in this guide, please contact us at techpubs
9. 0.0.0.0/0 any

   5. Set a route to the remote peer's network through tunnel.1. Also set a null route to the peer's network with a less preferable metric. If the route through tunnel.1 becomes unavailable, the ISG 2000 then uses the null route, sending traffic for the remote peer to the null interface, which effectively drops it. If tunnel.1 goes down, the route associated with it becomes inactive. If there is no null route, the ISG 2000 might use the default route and send unprotected traffic out ethernet1/1. Creating a null route obviates such an unwanted occurrence.

       set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
       set vrouter trust-vr route 10.2.2.0/24 interface null metric 10

   6. Create a pair of policies permitting traffic to flow bidirectionally between the two sites.

       set policy id 8 top from untrust to trust peer1 local any permit
       set policy id 9 top from trust to untrust local peer1 any permit
       save

   Remote Peer

   After the administrator at the remote site sets up the NetScreen-5GT, he can then enter the following commands to configure that end of the VPN tunnel:

       set interface tunnel.1 zone untrust
       set interface tunnel.1 ip unnumbered interface untrust
       set address trust local 10.2.2.0/24
       set address untrust peer1 10.1.1.0/24
       set ike gateway gw1 address 1.1.1.1 aggressive local-id peer1@jnpr.net outgoing-interface untrust preshare Iwb715iSF sec-level compatible
       set vpn vpn1 gateway
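The step above argues that a null route with a worse metric prevents cleartext leakage when the tunnel route goes inactive. The following is an added example, not code from the guide or from Juniper: a small longest-prefix route lookup in Python over a constructed copy of the trust-vr routing table, showing the egress interface chosen for the peer network with and without the null route once tunnel.1 is down. Route entries, the "down interface" modelling and the leak check are all assumptions made for illustration.

```python
import ipaddress

# Constructed routing table modelled on the guide's trust-vr example:
# (destination prefix, egress interface, metric).
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1", 1),     # ISP default route
    ("10.2.2.0/24", "tunnel.1", 1),      # VPN route to the remote peer LAN
    ("10.2.2.0/24", "null", 10),         # backup null route, less preferred
]

# Same table with the null route omitted (the situation the guide warns about).
ROUTES_WITHOUT_NULL = [r for r in ROUTES if r[1] != "null"]

# Destinations that must only ever leave through the tunnel (assumption).
PROTECTED = [ipaddress.ip_network("10.2.2.0/24")]


def lookup(dst, routes, down_interfaces=frozenset()):
    """Return the egress interface for dst, or None if nothing matches.

    Routes bound to an interface in down_interfaces are treated as inactive,
    which is how the guide describes tunnel.1 going down. Among active
    matches, the longest prefix wins; on equal prefix length, lowest metric.
    """
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, metric in routes:
        if iface in down_interfaces:
            continue
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        rank = (net.prefixlen, -metric)
        if best is None or rank > best[0]:
            best = (rank, iface)
    return best[1] if best else None


def leaks_cleartext(dst, routes, down_interfaces=frozenset()):
    """True if traffic for a protected destination would egress a plain
    (non-tunnel, non-null) interface, i.e. leave the box unencrypted."""
    addr = ipaddress.ip_address(dst)
    if not any(addr in net for net in PROTECTED):
        return False
    egress = lookup(dst, routes, down_interfaces)
    return egress is not None and egress != "null" and not egress.startswith("tunnel.")


if __name__ == "__main__":
    print("tunnel up:", lookup("10.2.2.5", ROUTES))
    print("tunnel down, with null route:", lookup("10.2.2.5", ROUTES, {"tunnel.1"}))
    print("tunnel down, no null route:", lookup("10.2.2.5", ROUTES_WITHOUT_NULL, {"tunnel.1"}))
    print("leaks:", leaks_cleartext("10.2.2.5", ROUTES_WITHOUT_NULL, {"tunnel.1"}))
```

With tunnel.1 active the /24 route wins over the default route on prefix length; with it inactive, the null route (same prefix, higher metric) is the only remaining /24 match and absorbs the traffic, whereas without it the lookup falls through to 0.0.0.0/0 on ethernet1/1.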
10. Content Summary

   This guide contains the following chapters and appendix:

   Chapter 1, "Configuring," provides instructions for making a console connection to the ISG 2000, logging in, and performing a basic yet complete firewall and VPN configuration.

   Chapter 2, "Installing," provides instructions for cabling the ISG 2000 to the network, mounting the device in a rack, and connecting the power supplies.

   Chapter 3, "Hardware and Servicing," provides a detailed overview of the ISG 2000 and procedures for replacing interface modules, power supplies, and the fan tray.

   Appendix A, "Specifications," provides a list of physical specifications about the ISG 2000, its modules, and its power supplies.

   CLI Conventions

   The following conventions are used when presenting the syntax of a command line interface (CLI) command:

   Anything inside square brackets [ ] is optional.

   Anything inside braces { } is required.

   If there is more than one choice, each choice is separated by a pipe ( | ). For example,

       set interface { ethernet1/1 | ethernet1/2 | ethernet2/1 } manage

   means "set the management options for the ethernet1/1, ethernet1/2, or ethernet2/1 interface".

   Variables appear in italic. For example:

       set admin user name_str password pswd_str

   When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic). For example: "Use the get system command to display the serial n
11. Enter the get interface mgt command to review the MGT interface settings.

   DNS and Default Route

   When you enter the DNS server IP addresses that you receive from your ISP, the NetScreen device can resolve domain names that you use in your configuration, such as addresses in policies or IKE gateways. To enter addresses for the two DNS servers in our example, use the following commands:

       set dns host dns1 2.2.2.5
       set dns host dns1 2.2.2.6
       save

   When the ISG 2000 receives a static IP address, the ISP also provides the IP address of the default gateway, to which the ISG 2000 sends traffic destined for addresses for which there are no specific routes. It is important that the ISG 2000 has a default route pointing to this gateway. To enter the address of the default gateway in our example, use the following command:

       set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 1.1.1.2
       save

   NOTE: The ISG 2000 supports a large number of routing environments. For information about configuring routing on the device, refer to the Routing volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   Policies

   Addresses, Services

   By default, the ISG 2000 does not allow any traffic between zones. To permit traffic to cross the firewall, you must create a policy that specifically permits one or more services to pass from hosts in one zone to others in another zone. Because
13. (Figure labels: positive voltage wire, negative voltage wire)

   3. Fasten the screws over the connectors.
   4. Turn on the power switch.

   NOTE: If both power supplies are installed and either of them is off, the Alarm LED on the front panel glows red. This warning indicates that maximum system reliability requires all installed power supplies to be operational.

   To replace one of the DC power supplies:

   1. Loosen the retaining screws on the terminal block and remove the feed wires.
   2. Loosen the hex nut on the grounding screw and remove the grounding wire.

   Figure 33: Removing the Feed Wires and Grounding Wire (loosen retaining screws on the terminal block; terminal block, grounding wire, feed wires)

   3. Turn the thumbscrew counterclockwise to release the power supply.
   4. Lift the handle and, gripping the handle, pull the power supply straight out.
   5. Slide the new power supply into one of the power compartments in the back of the system.
   6. Fasten the power supply to the system by tightening the thumbscrews clockwise.
   7. If you want to install two power supplies, repeat steps 1 and 2 for the remaining power supply.

   Replacing the Fan Tray

   NOTE: During the one-year warranty period, you can obtain a replacement fan tray by contacting Juniper Networks Technical Support. After the warranty period, contact the Juniper Networks Sales department.

   You only need to replace the fan tray wh
14. as a firewall and VPN termination point for the network shown in Figure 5. By entering these commands, you can perform a basic configuration of the ISG 2000 so that it can perform firewall and VPN functions.

   Figure 5: Basic Firewall and VPN Configuration. The NetScreen ISG 2000 permits selected traffic between zones; a route-based VPN tunnel provides secure bidirectional traffic between the NetScreen ISG 2000 and a remote peer. (Labels: remote peer LAN 10.2.2.0/24; Internet; ISP default GW 1.1.1.2; DNS 1 2.2.2.5; DNS 2 2.2.2.6; ethernet1/1 in the Untrust zone; DMZ LAN 1.2.2.0/29 on ethernet1/2 1.2.2.1/29; MGT zone 10.2.2.0/28; HTTP server www.jnpr.net 1.2.2.2:80; mail relay server smtp.jnpr.net 1.2.2.3:25; ethernet2/1 10.1.1.1/24, NAT mode. Note: the rook icon represents a security zone interface.)

   Basic Configuration

   System Clock and Console Timeout

   You need to set the system clock so that the event log entries have the correct date/time stamps. Also, the correct date/time is essential if the device has to check the validity of digital certificates.

   You can also change the timeout value for an idle console connection. By default, the ISG 2000 automatically closes a console connection if it is idle for 10 minutes. You can change this to a higher or lower interval, or disable the timeout completely.
15. continues to run. Be sure that the fan tray is not empty for more than two minutes; otherwise, heat failure or permanent damage can occur.

   (Figure labels: MOD2, MOD3, FLASH)

   LED Dashboard

   The LED dashboard displays up-to-date information about critical ISG 2000 functions. For an explanation of what each LED means, see "LED Dashboard" on page 32.

   Interface Modules

   10/100: The 10/100 Mbps fast ethernet interface module is appropriate for a 10/100 Base-T LAN. Connect the ports using a twisted-pair cable with RJ-45 connectors. See "Connecting the Device to a Network" on page 24 for cabling guidelines. The ISG 2000 supports a maximum port count of 28. If there is an 8-port 10/100 interface module in each bay, then ports five through eight on the module in bay 4 are disabled. Under this circumstance, these ports are unavailable for firewall and

   Compact Flash Slot

   The compact flash slot is for downloading or uploading system software or configuration files, and for saving log files to a compact flash card. To download or upload, execute the CLI command:

       save { software | config } from { flash | slot1 } filename to { flash | slot1 } filename

   where flash refers to internal flash memory, slot1 refers to the compact flash slot, and filename is the name of the software or configuration file on the card. For example, the following command downloads the current device configuration to a file nam
16. enter just set interface interface manage, the command enables all the interface options except ident-reset. If you want to enable a subset of all the options, you can repeatedly enter the command, each time specifying a different management option.

   Untrust Zone Interface

   In our example, ethernet1/1 is bound to the Untrust zone. The ISP provided the address for this interface: 1.1.1.1/30. Because this interface is going to face unknown and potentially malicious entities in the public network, you do not enable any management options on this interface.

       set interface ethernet1/1 ip 1.1.1.1/30
       save

   To review the settings for ethernet1/1, enter the following command:

       get interface ethernet1/1

   This command produces the following output:

       Interface ethernet1/1:
         number 7, if_info 57400, if_index 0, mode route
         link up, phy-link up/full-duplex
         vsys Root, zone Untrust, vr trust-vr
         *ip 1.1.1.1/30   mac 0010.db58.bb87
         *manage ip 1.1.1.1, mac 0010.db58.bb87
         route-deny disable
         ping disabled, telnet disabled, SSH disabled, SNMP disabled
         web disabled, ident-reset disabled, SSL disabled
         webauth disabled, webauth-ip 0.0.0.0
         OSPF disabled  BGP disabled  RIP disabled
         bandwidth: physical 100Mbps, configured 0Mbps
         DHCP-Relay disabled

   DMZ Interface

   In our example, ethernet1/2 is bound to the DMZ. The ISP also provided you with a range of addresses to use with the jnpr.net domain. This interface leads to the public-facing w
17.    set vpn vpn1 gateway gw1 tunnel sec-level compatible
       set vpn vpn1 bind interface tunnel.1
       set vpn vpn1 proxy-id local-ip 10.2.2.0/24 remote-ip 10.1.1.0/24 any
       set vrouter trust-vr route 0.0.0.0/0 interface untrust
       set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
       set vrouter trust-vr route 10.2.2.0/24 interface null metric 10
       set policy id 1 top from untrust to trust peer1 local any permit
       set policy id 2 top from trust to untrust local peer1 any permit
       save

   Summary of CLI Commands

   The following sets of commands include all the CLI commands used in the example configuration featured in the previous sections in this chapter. The section in which each type of command is described is also provided.

   CLI Commands: Example Firewall Configuration

   Commands                                                                   Description
   set clock dd/mm/yyyy hh:mm:ss                                              System Clock and Console Timeout, on page 5
   set console timeout number
   set admin name name_str                                                    Admin Name and Password, on page 5
   set admin password pswd_str
   set interface ethernet1/1 zone untrust                                     Security Zones and Interfaces, on page 6
   set interface ethernet1/2 zone dmz
   set interface ethernet2/1 zone trust
   set interface ethernet1/1 ip 1.1.1.1/30
   set interface ethernet1/2 ip 1.2.2.1/29
   set interface ethernet2/1 ip 10.1.1.1/24
   set interface ethernet2/1 nat
   set interface mgt ip 1.2.2.1/28
   set dns host dns1 2.2.2.5                                                  DNS and Default Route, on page 12
   set dns host dns1 2.2.2.6
   set vrouter trust-vr rou
18. installation and configuration that secures resources in the Trust and DMZ security zones, sets up a MGT zone for device administrators, and defines a route-based VPN tunnel between the ISG 2000 and a remote peer (see Figure 1). You can use this example as a reference as you perform similar tasks.

   NOTE: Intrusion Detection and Prevention (IDP) requires the installation of at least one security module, an advanced license key, and an IDP license key. To configure IDP on the ISG 2000, you must use NetScreen-Security Manager.

   Figure 1: Example Configuration (Labels: Untrust Zone; remote peer LAN 10.2.2.0/24; Internet; ISP default GW 1.1.1.2; DNS 1 2.2.2.5; DNS 2 2.2.2.6; VPN tunnel; ethernet1/1; DMZ LAN 1.2.2.0/29 on ethernet1/2 1.2.2.1/29; MGT zone 10.2.2.0/28; HTTP server www.jnpr.net 1.2.2.2:80; mail relay server smtp.jnpr.net 1.2.2.3:25. Note: the rook icon represents a security zone interface.)

   This guide makes the following assumptions:

   You are adding the ISG 2000 to an existing network.

   You have an account with an Internet service provider (ISP) that has provided you with two sets of IP addresses: an outside address in the ISP's domain (1.1.1.1 in our example), and a range of addresses in your domain, such as 1.2.2.1 to 1.2.2.6.

   You have a registered domain name, such as jnpr.net.
19. mode. The NetScreen device forwards traffic arriving at an interface in Transparent mode essentially like a Layer 2 bridge; that is, the NetScreen device uses the MAC address in the Layer 2 header to forward traffic out onto another segment in the same broadcast domain.

   By default, no ISG 2000 security zone interfaces have IP addresses, and all are in the Null zone. The Null zone is a function zone that holds interfaces until you bind them to a security zone. To make a security zone interface operational, you must bind it to a security zone and, if it is a Layer 3 security zone, assign it an IP address.

   NOTE: For more information about interface modes, see the chapter on interface modes in the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   Configuring Interfaces

   After you bind an interface to a security zone, you can assign it an IP address and configure other settings for that interface. To assign an IP address to an interface, use the following command:

       set interface interface ip ip_addr/netmask

   where interface is the name of the interface and ip_addr/netmask is the IP address and netmask that you assign it.

   To set management options on an interface, use the following command:

       set interface interface manage [ ident-reset | ping | snmp | ssh | ssl | telnet | web ]

   in which you can specify one or none of the options following the keyword manage. If you
20. predefined service any to indicate any type of traffic. You can group services together to apply a policy to all the services in that group. Also, you can create custom services.

   To create a service group, use the following command, repeating it with the same group name and different service names:

       set group service name add service

   To create a custom service using the TCP or UDP protocols, use the following command:

       set service name protocol { tcp | udp } src-port number-number dst-port number-number timeout number

   NOTE: For information about creating and grouping services, see the section on services in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   In our example, you need to create the following addresses and policies:

       set address dmz web1 1.2.2.2/32
       set address dmz mail-relay 1.2.2.3/32
       set address trust mail1 10.1.1.4/32
       set policy id 1 from trust to dmz mail1 mail-relay mail permit log count
       set policy id 2 from trust to dmz any web1 http permit log count
       set policy id 3 from trust to untrust any any any permit log count
       set policy id 4 from dmz to trust mail-relay mail1 mail permit log count
       set policy id 5 from dmz to untrust mail-relay any mail permit log count
       set policy id 6 from untrust to dmz any web1 http permit log count
       set policy id 7 from untrust to dmz any mail-relay mail permit log count
       save

   The keyword log ins
21. refer to the Administration volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   If you want to return the ISG 2000 to its default configuration, including the default login name and password, see "Returning the Device to Factory Default Settings" on page 21.

   Security Zones and Interfaces

   A security zone is a collection of one or more network segments requiring the regulation of inbound and outbound traffic through policies. You use security zones to separate network segments of differing trust levels and control the flow of traffic between them by the policies that you set.

   Figure 6: Three Security Zones. Three security zones requiring interzone policies for traffic to flow from one zone to another. The security zones can be Layer 3 zones or Layer 2 zones.

   The ISG 2000 ships with seven predefined security zones, including the Global zone, which is used mainly for holding mapped IP (MIP) and virtual IP (VIP) addresses. For information on all zone types and their uses, see the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   To view all the predefined zones, enter the get zone command, as shown below:

       get zone
       Total 13 zones created in vsys Root - 7 are policy configurable.
       Total policy configurable zones for Roo
22. screw.

   Figure 28: DC Power Supply

   WARNING: You must shut off current to the DC feed wires before connecting the wires to the power supplies. Also make sure that the ON/OFF switch is in the off position.

   To connect a DC power supply to a grounding point at your site:

   1. Loosen or remove the hex nut from the grounding screw by rotating the hex nut counterclockwise.

   Figure 29: Loosening the Hex Nut (rotate the hex nut counterclockwise)

   2. Place the ground lug on the grounding screw and tighten the hex nut by rotating it clockwise until it holds firmly.

   Figure 30: Adding the Ground Lug

   3. Connect the other end of the grounding wire to a grounding point at your site.

   To connect DC power feed wires to the terminal block:

   1. To open the three connectors on the terminal block so that they can receive wire feeds, use a screwdriver to turn the retaining screws counterclockwise.

   Figure 31: Opening the Connectors (retaining screws at top; to open the connectors of the terminal block, turn the retaining screws, viewed from above, counterclockwise)

   2. Insert a 0V DC positive voltage (return) wire into the center (COM) connector and a 48V DC power feed wire into either the left or right connector.

   Figure 32: Wiring Power Feeds to the Terminal Block (terminal block, grounding screw, grounding wire)
23. the ISG 2000 performs stateful inspection, you do not need to define a policy to permit return traffic. The ISG 2000 maintains a session table that matches responses to requests and thereby determines which traffic arriving at a particular interface does or does not belong to an existing session.

   The command syntax for the core elements of a policy is as follows:

       set policy from src_zone to dst_zone src_addr dst_addr service { permit | deny | reject | tunnel }

   NOTE: For a complete explanation of all the elements that you can use when creating a policy, see the chapter on policies in the Fundamentals volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   You can use the predefined address any to indicate all hosts in a particular zone (either the source or destination zone). To use a more restrictive source or destination address, you must define one using the following command:

       set address zone name { ip_addr netmask | host domainname }

   For example:

       set address dmz web1 1.2.2.2/32

   or:

       set address dmz web1 www.jnpr.net

   You can also put a set of addresses together to form a group. Use the following command:

       set group address zone name add name_str

   NOTE: For information about creating and grouping addresses, see the section on addresses in the NetScreen Concepts & Examples ScreenOS Reference Guide.

   There are over 100 predefined services that you can use when creating policies. You can use the
24. 1/1, do the following:
- Cable the ISG 2000 to the network as described in "Connecting the Device to a Network" on page 24.
- Log in to the device and then enter the following commands:

set interface ethernet1/1 zone untrust
set interface ethernet1/1 ip 1.1.1.1/30
set vrouter trust-vr route 0.0.0.0/0 interface ethernet1/1 gateway 1.1.1.2
set nsm enable
save

You can now connect to the ISG 2000 through ethernet1/1 from NetScreen Security Manager and continue configuring the device.

IPSec VPN

This section presents a configuration for a route-based VPN tunnel between the ISG 2000 and a remote peer with a dynamically assigned IP address. The NetScreen device at the remote peer site is a NetScreen-5GT in Trust-Untrust mode. Because it receives its address dynamically through PPPoE or DHCP, Phase 1 negotiations must be in aggressive mode. The tunnel configuration uses the following elements:
- Tunnel interface: tunnel.1 in the Untrust zone
- Outgoing interface: ISG 2000, ethernet1/1; NetScreen-5GT, Untrust
- Phase 1 exchange mode: Aggressive
- Phase 1 and Phase 2 proposal security levels: Compatible
- Proxy IDs: local 0.0.0.0/0, remote 0.0.0.0/0, service ANY
- Preshared key: Iwb715iSF
- IKE ID for remote peer: peer.jnpr.net

(Figure labels: VPN Tunnel vpn1; Untrust Zone; Aggressive Mode; Security Level for P1 and P2: Compatible; IKE ID for NetScreen-5GT: peer1.jnpr.net; Pres
26. 42 pounds (19 kilograms).

Electrical Specifications
- AC voltage: 100-240 VAC, ±10%
- DC voltage: 56 to 60 VDC
- AC power: 250
- DC power: 250
- AC input frequency: 47-63 Hz
- Fuse rating: DC PS 12 amps, 250 volts; AC PS 6.3 amps, 250 volts

Environmental Specifications

The following table provides the environmental specifications.
- Temperature (operating, normal altitude): 32-113 °F (0-45 °C)
- Humidity: 10-90% RH, non-condensing
- The maximum normal altitude is 12,000 feet (5,660 meters)

NEBS Certifications: Level 3 (NS-ISG 2000 with DC power supply); GR-63-Core, NEBS Environmental Testing; GR-1089-Core, EMC and Electrical Safety for Network Telecommunications Equipment.

Safety Certifications: CD, CoA, CUL, UL.

EMI Certifications: FCC class A, BSMI, CE class A, C-Tick, VCCI class A.

Connectors

The following table lists the RJ-45 connector pinout for both the console and modem ports.

Table 2: Console and Modem Port Pinouts

Pin | Signal              | Abbreviation | DCE
1   | Request to Send     | RTS          | IN
2   | Data Terminal Ready | DTR          | IN
3   | Transmitted Data    | TX           | IN
4   | Signal Ground       | SGDN         | N/A
5   | Open                |              |
6   | Received Data       | RX           | OUT
7   | Data Set Ready      | DSR          | OUT
8   | Clear to Send       | CTS          | OUT

The mini gigabit transceivers are compatible with the I
27. EEE 802.3z Gigabit Ethernet standard. The following table lists media types and distances for the different types of interfaces used in the NetScreen ISG 2000.

Table 3: Interface Media Types and Maximum Distances

Standard    | Media Type                                      | Maximum Distance
1000Base-SX | 50/125 µm multimode fiber                       | 500 meters
            | 50/125 µm multimode fiber                       | 550 meters
            | 62.5/125 µm multimode fiber                     | 220 meters
            | 62.5/125 µm multimode fiber                     | 275 meters
1000Base-LX | 50/125 µm multimode fiber                       | 550 meters
            | 62.5/125 µm multimode fiber                     | 550 meters
            | 9/125 µm single-mode fiber                      | 10,000 meters
100Base-TX  | Category 5 and higher unshielded twisted pair (UTP) cable | 100 meters
29. ach side of the interface module by turning them counterclockwise.
2. With your thumbs, pull the blue locking levers out (Figure 17: Releasing an Interface Module; swivel the levers outward).
3. Grip the levers, then gently slide the card straight out (Figure 18: Removing an Interface Module; grip the levers and slide out the module).

Inserting Interface Modules

To insert an interface module into a module bay, perform the following steps.

WARNING: When inserting or removing interface modules, be sure that the power is off. Interface modules are not hot-swappable.

1. Align the side edges of the interface module card with the grooves in the side walls of the bay (Figure 19: Aligning the Interface Module with the Positioning Grooves; align the side edges of the card with the positioning grooves and then slide it into position).
2. Push the interface module completely into the bay.

WARNING: When inserting and removing interface modules in bays 2 and 4, take care that the electromagnetic interference (EMI) fingers along the top edge of the front wall of the interface modules do not catch on the lower edge of the modules above them in bays 1 and 3.

3. With your thumbs, push in the locking levers to secure the module (Figure 20: Locking the Interface Modu
30. chanism for filtering the traffic permitted by firewall policies. IDP uses a variety of techniques, such as examining Layer 3 and 4 packet headers and Layer 7 application content and protocol characteristics, in an effort to detect and prevent any attacks or anomalous behavior that might be present in permitted traffic.

NOTE: For more information about IDP, see the ISG 2000 Getting Started with IDP Guide.

You can use NetScreen Security Manager, the WebUI, or the CLI to install an IDP license key, but to configure IDP for the ISG 2000 you must use NetScreen Security Manager.

NOTE: When you install an IDP license key, the ISG 2000 automatically disables Deep Inspection (DI).

Minimum Configuration for a NetScreen Security Manager Connection

Before you can manage the ISG 2000 with NetScreen Security Manager, you need to set up the ISG 2000 on the network so that NetScreen Security Manager can connect to it. At a minimum, you need to configure the following on the ISG 2000:
- Set an IP address for the interface through which NetScreen Security Manager can connect to the ISG 2000.
- If there is a network forwarding device between the ISG 2000 and the NetScreen Security Manager server, set a route through that device to the server.
- Enable the ISG 2000 for management from NetScreen Security Manager. This is enabled by default.

For example, to set up the ISG 2000 for NetScreen Security Manager to connect to it through ethernet
31. e FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.

Table of Contents

Chapter 1: About This Guide (page v)
32. eb server and mail relay server, so you do not enable any management options on this interface either:

set interface ethernet1/2 ip 1.2.2.1/29
save

In the same way that you reviewed the settings for ethernet1/1, you can use the get interface ethernet1/2 command to review these settings also.

Trust Zone Interface

In our example, ethernet2/1 is bound to the Trust zone. The Trust zone uses private IP addresses. These addresses cannot be used on a public network such as the Internet. Therefore, when hosts in this zone initiate traffic to a public network, the ISG 2000 uses network address translation (NAT) to translate their private addresses to a public address in the IP packet header. In our example, the ISG 2000 translates the private addresses to the address of the Untrust zone interface. Use the following commands:

set interface ethernet2/1 ip 10.1.1.1/24
set interface ethernet2/1 nat
save

NOTE: ScreenOS offers several approaches to address translation. To learn about the available options, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide.

You can enter get interface ethernet2/1 to review the Trust zone interface settings.

MGT Interface

The MGT interface is prebound to the MGT zone. This zone is a function zone, different from a security zone. The MGT interface receives management traffic exclusively, unlike a security zone interface that can receive management traffic while receiving and forwarding ne
33. ed ns2000.config on a card in the compact flash slot:

save config from flash to slot1 ns2000.config

Management Interfaces

The following table shows the three management interfaces that the ISG 2000 offers.

Port | Description
Console | This RJ-45 serial port is for local configuration and administration using the CLI. Connect the console port to your workstation using an RJ-45 female to DB-9 male straight-through serial cable.
Modem | This RJ-45 serial port is for connecting to a modem, allowing you to establish a remote console session using a dialup connection through a 9600 bps modem. The terminal type for dialup sessions must be vt100. For security reasons, it is advisable to use a modem only for troubleshooting or for a one-time configuration, not for regular remote administration.
10/100 MGT | This management port has a fixed 10/100Base-T interface and provides a dedicated out-of-band connection for management traffic. It has a separate IP address and netmask, configurable with the CLI or WebUI. The MGT port is not capable of routing traffic to other interfaces. This port is only to be used for management purposes. The default IP address for the MGT port is 192.168.1.1.

LED Dashboard

The LED dashboard displays up-to-date information about critical ISG 2000 functions. The following table shows the LEDs in the dashboard.
34. en a failure occurs. When this happens, the Fan LED glows red and the device generates an event alarm and an SNMP trap (Figure 34: Fan Tray; labels: fan tray, release lever).

To remove the fan tray:
1. Turn the lock clockwise to the Unlock position and then pull the release lever until it is fully extended.
2. Gripping the sides of the front panel, slide the fan tray straight out (Figure 35: Removing the Fan Tray; grip the front panel and slide the fan tray straight out).

WARNING: Do not remove the fan tray while the fans are still spinning. Also, do not insert anything into the spinning fan blades.

3. Insert the new fan tray in the fan bay and then push it straight in.
4. Secure the fan tray in place by pushing the release lever flat against the front panel and turning the lock counterclockwise to the Lock position.

Replacing the Fan Tray Filter

Before you replace the fan tray filter, make sure you have the following tools:
- Flashlight or other light source
- 18-inch wooden ruler

To replace the fan tray filter:
1. Remove the fan tray. See "Replacing the Fan Tray" on page 44.
2. Pull the front edge of the filter from the Velcro backing.
3. Insert a wooden ruler between the filter and the chassis wall (Figure 36: Detaching the Fan Tray Filter; to detach the fan tray filter, slide the ruler between the filter and the chassis wall). Push the w
35. es" on page 39
- "Replacing DC Power Supplies" on page 41
- "Replacing the Fan Tray" on page 44
- "Replacing the Fan Tray Filter" on page 45

NOTE: For safety warnings and instructions, refer to the NetScreen Safety Guide on the documentation CD. The NetScreen Safety Guide warns of situations that can cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.

The Front Panel

The front panel of the ISG 2000 has the following components.

Interface Modules: The front of the ISG 2000 has four interface module bays. Each interface module has two, four, or eight ports, and each port has a pair of LEDs.

WARNING: Interface modules are not hot-swappable. You must turn off the power to the ISG 2000 before adding or removing an interface card.

Mini-GBIC: The mini-GBIC interface module provides connectivity to fiber-based gigabit ethernet LANs. Connect the module using an optical single-mode or multi-mode cable. You can use both 10/100 and GBIC cards simultaneously in the same ISG 2000; there are no combination restrictions. However, the cards are not hot-swappable.

Fan Tray: The ISG 2000 has a three-fan tray, which you can access on the left front side of the chassis.

WARNING: If a fan stops operating due to failure or removal, the system
36. et1/1 zone untrust
set interface ethernet1/2 zone dmz
set interface ethernet2/1 zone trust
save

(Figure 9: Interfaces Bound to Security Zones; Untrust Zone: ethernet1/1; DMZ Zone: ethernet1/2; Trust Zone: ethernet2/1. Note: the rook icon represents a security zone interface.)

Interface Modes

An ISG 2000 security zone interface can operate in one of three modes: NAT mode, Route mode, or Transparent mode. NAT mode and Route mode operate at the Network Layer (Layer 3) in the OSI Model. Transparent mode operates at the Data Link Layer (Layer 2). Although some interfaces can function in NAT mode while others concurrently function in Route mode (both modes operating at Layer 3), the ISG 2000 does not support different interfaces operating concurrently at Layer 3 and Layer 2.

Layer 3 (Route mode and NAT mode): When you bind an interface to a Layer 3 security zone and give it an IP address, it can operate in either NAT or Route mode. When an interface is in NAT mode, the NetScreen device translates the source IP address and source port number on all packets arriving at that interface. When an interface is in Route mode, the NetScreen device performs Layer 3 routing operations without modifying the source IP address or port number.

When you bind an interface to a Layer 2 security zone, it does not have an IP address and operates in Transparent
37. ge: a predefined security zone for protected network resources, to which you typically do not allow access from unknown hosts.
Tunnel interface: a logical interface that you bind to a route-based VPN tunnel.
Untrust zone: a predefined security zone for unknown network hosts, typically in a WAN such as the Internet.
Web user interface (WebUI): a graphical user interface for configuring ScreenOS through a Web browser.

IDP Requirements and Documentation

You can upgrade the ISG 2000 to support Intrusion Detection and Prevention (IDP) and then use NetScreen Security Manager to configure IDP on the device.

ISG 2000 Upgrade

To run IDP on the ISG 2000, you must set up the device as follows:
- Upgrade the OS loader to v1.1.5 or later.
- Load the following license keys and firmware: Advanced license key; IDP license key; ScreenOS 5.0.0-IDP1.
- Install at least one security module.

To obtain the upgrade kit and security modules, contact your value-added reseller (VAR). For information about upgrading the ISG 2000 to support IDP, refer to the ISG 2000 Field Upgrade Guide, which is included in the ISG 2000 upgrade kit.

IDP Configuration through NetScreen Security Manager

To configure IDP on the ISG 2000, you must use NetScreen Security Manager 2004 FP3r3 or later.

NOTE: NetScreen Security Manager 2004 FP3r3 can operate on Solaris 9, Red Hat Linux 9.0, and Red Hat Enterprise Linux 3.0 operating systems. For information
38. ge without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from Juniper Networks, Inc., ATTN: General Counsel, 1194 N. Mathilda Ave., Sunnyvale, CA 94089.

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of th
40. hared Key: Iwb715iSF.)

(Figure 10: IPSec VPN Tunnel. Labels: NetScreen ISG 2000, ethernet1/1 1.1.1.1/30, ethernet2/1, tunnel interface tunnel.1 (unnumbered), Trust zone; Juniper NetScreen-5GT, Untrust interface with dynamically assigned IP address, tunnel interface 10.2.2.1/24, Untrust zone.)

NOTE: NetScreen ScreenOS offers a rich variety of options for IPSec VPN tunnels. For information about the many available options, refer to the VPNs volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

The VPN tunnel configuration for the NetScreen devices at both ends is provided.

ISG 2000

1. Create a tunnel interface and bind it to the Untrust zone. It is unnecessary for the tunnel interface to have a unique IP address, so you define it as unnumbered and borrow the IP address from ethernet1/1:

set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet1/1

2. Create addresses for the local and remote networks for later use in policies:

set address trust local 10.1.1.0/24
set address untrust peer1 10.2.2.0/24

3. Define the following settings for dynamic IKE gateway gw1:
- Define the peer's IKE ID. This is a string that the peer sends during Phase 1 negotiations to identify itself.
- Define the preshared key that both IKE peers use when generating keying material.
- Specify the o
41. he MGT interface on the ISG 2000. Their workstations are in the 10.2.2.0/28 subnet, completely separate from the rest of the network.
3. Obtain the IP addresses of the default gateway and external Domain Name System (DNS) servers from the ISP. This guide uses the following addresses:
- Default gateway: 1.1.1.2
- Primary DNS server: 2.2.2.5
- Secondary DNS server: 2.2.2.6
4. Communicate the IP addresses and host domain names of the mail and web servers to your ISP. After an ISP administrator adds this information to its DNS servers, they can then answer DNS queries for them.
5. Ensure that the hosts in the Trust zone use 10.1.1.1 as their default gateway and that the servers in the DMZ use 1.2.2.1.
6. This guide assumes you configure the ISG 2000 through a console connection from the serial port on your workstation to the console port on the ISG 2000. You need the following:
- VT100 terminal emulator, such as Hilgraeve HyperTerminal, installed on your workstation. HyperTerminal is provided on all Windows operating systems.
- The RJ-45 straight-through ethernet cable and DB9 adapter that ship with the ISG 2000.
- Documentation CD that ships with the ISG 2000.

For other device configuration methods, see the Administration volume in the NetScreen Concepts & Examples ScreenOS Reference Guide.

NOTE: You must use NetScreen Security Manager to configure Intrusion Detection and Prevention (IDP) on the ISG 2000. See "Minimum Configura
42. ifferent power source if possible. If one power source fails, the other source might still be operative.
4. Connect an RJ-45 or gigabit ethernet cable from the ethernet1/1 interface to an external router (possibly a DSL or cable modem) in the Untrust zone.
5. Connect an RJ-45 or gigabit ethernet cable from the ethernet1/2 port to a hub or Layer 2 switch in the DMZ.
6. Connect an RJ-45 or gigabit ethernet cable from the ethernet2/1 port to a hub or Layer 2 switch in the Trust zone.
7. Connect an RJ-45 ethernet cable from the MGT interface on the ISG 2000 to a hub or Layer 2 switch that leads to the administrators' workstations.

NOTE: Check your router, hub, switch, or computer documentation to see if these devices require any further configuration. In addition, see if it is necessary to switch off the power to any new device you add to the LAN.

8. Press the ON/OFF switches on the dual power supplies to the ON position.
9. After the ISG 2000 boots up, check that the Power, Status, and Link LEDs light up as follows:
- The Power LED for each deployed power supply glows green.
- The Status LED blinks green.
- The top Link Status LED for each interface glows or blinks green.

For more details about interpreting the Link Status LEDs, see "LED Dashboard" on page 32.

Equipment Rack Mounting

The ISG 2000 comes with accessories for mounting the device in a standard 19-
43. inch equipment rack.

Equipment Rack Installation Guidelines

The location of the chassis, the layout of the equipment rack, and the security of your wiring room are crucial for proper system operation. Use the following guidelines while configuring your equipment rack:
- Enclosed racks must have adequate ventilation. Such ventilation requires louvered sides and a fan to provide cooling air. When mounting a chassis in an open rack, be sure that the rack frame does not block the intake or exhaust ports. If you install the chassis on slides, check the position of the chassis when it is seated all the way into the rack.
- In an enclosed rack with a ventilation fan in the top, equipment higher in the rack can draw heat from the lower devices. Always provide adequate ventilation for equipment at the bottom of the rack.
- Baffles can isolate exhaust air from intake air. The best placement of the baffles depends on the airflow patterns in the rack.

Equipment Rack Accessories and Required Tools

Rack mounting requires the following accessories and tools:
- 1 Phillips-head screwdriver (not provided)
- 4 screws to match the rack, if the thread size of the screws provided in the ISG 2000 product package does not fit the thread size of the rack
- The included rear slide mount kit for the rear-and-front mount method (Figure 12: Rack Mount Kit)

There are two ways to rack-mount the ISG 2000:
- Rear and front mount
- Mid-mount
44. lacing DC Power Supplies" on page 41.

1. Turn off the power supply.
2. Unplug the cord from the power supply.
3. Turn the thumbscrews on the sides of the power supply counterclockwise to release it.
4. Lift the handle and pull the power supply straight out (Figure 27: Removing an AC Power Supply).
5. Slide the power supply into one of the power supply compartments in the back of the ISG 2000.
6. Fasten the power supply to the system by tightening the thumbscrews.
7. Connect the female end of a standard power cord to the male connector on the back of each power supply.
8. Connect the power cord to a standard 100-240 volt power outlet.

NOTE: Whenever you deploy two power supplies to an ISG 2000, connect each to a different power source. Each power supply is intended to receive power from separate feeds.

9. Turn on the power switch.

NOTE: If both power supplies are installed and either of them is off, the Alarm LED on the front panel glows red. This warning indicates that maximum system reliability requires all installed power supplies to be operational.

Replacing DC Power Supplies

A DC power supply weighs about three pounds. The faceplate contains a power LED, a power switch, a cooling fan vent, a DC power terminal block with three connectors, a handle, two thumbscrews, and a grounding
45. le in Place; swivel the levers inward).

CAUTION: If you push in the levers before they contact the ridge on the bay wall, the locking tabs click into place prematurely, so that you cannot seat the interface module properly.

4. Tighten the thumbscrews on each side of the interface module by turning them clockwise.

Connecting and Disconnecting Gigabit Ethernet Cables

To connect a gigabit ethernet cable to a mini-GBIC transceiver port:
1. If you have not already done so, remove the two plastic fiber protection caps from the ends of the cable.
2. Hold the cable connector between your thumb and forefinger, with your thumb on top and your forefinger underneath. Do not press the release on top of the connector.
3. Slide the connector into the transceiver port until it clicks into place. Because the fit is close, you might have to apply some force to insert the connector. To avoid damaging the connector, apply force evenly and gently (Figure 21: Sliding the Connector into the Transceiver Port; slide the connector into the transceiver port until it clicks into position).

To remove the cable from the transceiver port:
1. Make sure the transceiver latch is in a secured, locked position (the latch is flat against the front of the transceiver). Otherwise, when you attempt to remove the cable, the transceiver might come out with the cab
46. le it by entering the following CLI command:

unset admin device-reset

Chapter 2: Installing

This chapter describes how to cable the ISG 2000 to the network and install it in an equipment rack. Topics in this chapter include:
- "Connecting the Device to a Network" on page 24
- "Equipment Rack Mounting" on page 26
  - "Equipment Rack Installation Guidelines" on page 26
  - "Equipment Rack Accessories and Required Tools" on page 26
  - "Rear and Front Mount" on page 27
  - "Mid Mount" on page 28

Observing the following precautions can prevent injuries, equipment failures, and shutdowns:
- Never assume that the power supply is disconnected from a power source. Always check first.
- Room temperature might not be sufficient to keep equipment at acceptable temperatures without an additional circulation system. Ensure that the room in which you operate the device has adequate air circulation.
- Do not work alone if potentially hazardous conditions exist, especially when mounting the device in a rack.
- Do not lift the ISG 2000 by the power supply handles.
- Look carefully for possible hazards in your work area, such as moist floors, ungrounded power extension cables, frayed power cords, and missing safety grounds.
- Although you can place the device on a desktop for operation, it is not advisable t
47. le still attached (Figure 22: Checking that the Transceiver Latch is Locked; view of transceiver from below: front edge; locked position, latch is fully extended; unlocked position, latch is pressed in).
2. Hold the connector between your thumb and forefinger, with your thumb on top and your forefinger underneath.
3. Using your thumb, press the connector release down, then forward. This action loosens the connector from the transceiver port (Figure 23: Ejecting the Cable).
4. Gently but firmly pull the clip from the transceiver port.

Replacing a Mini-GBIC Transceiver

To remove a mini-GBIC transceiver from an interface module:
1. Push in the transceiver release latch, located on the underside of the transceiver, until it locks into place, disengaging the transceiver (Figure 24: Disengaging the Transceiver; labels: transceiver, release latch; push in the release latch to disengage the transceiver).
2. Grasp the transceiver at both sides and pull the transceiver toward you to remove it from the interface module.

To install a mini-GBIC transceiver into an interface module:
1. Holding the transceiver with the label face up, insert it into the transceiver slot (Figure 25: Inserting the Transceiver; label is face up; slide the transceiver into the transceiver s
48. lot 2 Check that the release latch extends fully at the front of the latch slot 38 m Replacing a Mini GBIC Transceiver Chapter 3 Hardware and Servicing Replacing Power Supplies The ISG 2000 supports two redundant fault tolerant and auto switching power supplies The power supplies are hot swappable so you can remove or replace one power supply without interrupting device operation You can order the ISG 2000 with one or two power supplies DC and AC Although the ISG 2000 can run with one power supply it is advisable to install two This practice minimizes the chance of system failure due to an individual power supply failure A WARNING Do not mix the power supply types because it could seriously damage the device When the ISG 2000 contains two power supplies they share the power load equally If one power supply fails the other assumes the full load automatically and the device sends a system alarm The Power LED only displays two colors green indicating that the power supply is functioning correctly and red which indicates that the power supply has failed Replacing AC Power Supplies The AC power supply weighs about three pounds The faceplate contains a power LED a power switch a cooling fan vent a male power outlet a handle and two thumbscrews Figure 26 AC Power Supply To install and connect the AC power supply perform the following tasks If you need to replace an DC power supply see Rep
n R Ready

Interfaces in vsys Root:

    Name    IP Address       Zone   MAC             VLAN  State  VSD
    mgt     192.168.1.1/24   MGT    0010.db58.bb80        D
    eth1/1  0.0.0.0/0        Null   0010.db58.bb87        D
    eth1/2  0.0.0.0/0        Null   0010.db58.bb88        D
    eth1/3  0.0.0.0/0        Null   0010.db58.bb89        D
    eth1/4  0.0.0.0/0        Null   0010.db58.bb8a        D
    eth2/1  0.0.0.0/0        Null   0010.db58.bb9d        D
    eth2/2  0.0.0.0/0        Null   0010.db58.bb9e        D
    eth3/1  0.0.0.0/0        Null   0010.db58.bb8d        D
    eth3/2  0.0.0.0/0        Null   0010.db58.bb8e        D
    eth4/1  0.0.0.0/0        Null   0010.db58.bb81        D
    eth4/2  0.0.0.0/0        Null   0010.db58.bb82        D
    eth4/3  0.0.0.0/0        Null   0010.db58.bb83        D
    eth4/4  0.0.0.0/0        Null   0010.db58.bb84        D
    vlan1   0.0.0.0/0        VLAN   0010.db58.bb8f  1     D

NOTE: The interface names that appear in the get interface output depend on the type of interface modules installed in the ISG 2000. Most likely, the output you see differs from that shown here.

Before you can make use of an interface, you must bind it to a security zone. The interface then becomes a point of ingress and egress for traffic to and from that zone. You can bind a single interface to only one security zone, although that one zone can support multiple different interfaces. To bind an interface to a zone, use the following command:

    set interface interface zone zone

in which interface and zone are the names of the objects you want to bind together. For example:

    set interface ethern
n and Protection on page 15
- IPSec VPN on page 16
- Summary of CLI Commands on page 19
- Returning the Device to Factory Default Settings on page 21

NOTE: For information on different configuration options, such as virtual systems and high availability, see the NetScreen Concepts & Examples ScreenOS Reference Guide.

Before Beginning

Before setting up the ISG 2000, you must make a few preparations.

1. Consider the network topology and the resources that you want to protect, so that you can decide where to put the ISG 2000. You want to make sure that all traffic on which you want to enforce policies flows through the device. A typical network topology showing where to put the ISG 2000 is shown in Figure 1 on page v and in Figure 5 on page 4.

2. Plan out the IP addresses and, where applicable, host domain names that you want each host to use. The devices in this guide use the following addresses:

   - ISG 2000:
     - Untrust zone interface: ethernet1/1, 1.1.1.1/30
     - DMZ zone interface: ethernet1/2, 1.2.2.1/29
     - Trust zone interface: ethernet2/1, 10.1.1.1/24
     - MGT zone interface: MGT, 10.2.2.1/28
   - HTTP server: 1.2.2.2 (www.jnpr.net)
   - Mail relay server: 1.2.2.3 (smtp.jnpr.net, pop3.jnpr.net)
   - Trust zone hosts dynamically receive their addresses and DNS settings from a stand-alone DHCP server. Their default gateway is 10.1.1.1.
   - Network security administrators make an out-of-band connection to t
nd Prevention): a technology for performing deep packet inspection and taking preventive action

IKE (Internet Key Exchange): a protocol for securely yet publicly negotiating keys to authenticate and encrypt/decrypt traffic

IPSec (Internet Protocol Security): a suite of related protocols for cryptographically securing communications at the IP packet layer

license key: a key in the form of an alphanumeric string that unlocks features or capacities within ScreenOS

MGT zone: a function zone from which administrators can connect to the ISG 2000 exclusively for management purposes

mini-GBIC: a gigabit interface converter that fits in a removable transceiver

NAT mode: an operational mode for Layer 3 interfaces that translates the source IP address of packets

NetScreen Security Manager: a management application that configures and monitors multiple devices over a local or wide area network (LAN or WAN) environment

Null zone: a virtual storage space for interfaces not bound to a zone

policy: a rule that permits, denies, rejects, or tunnels specified types of traffic unidirectionally between two points

route-based VPN tunnel: a VPN tunnel bound to a tunnel interface to which a route points

Route mode: an operational mode for Layer 3 interfaces that routes IP packets through the ISG 2000 without modifying the packet header content

security zone: a collection of one or more network segments requiring the regulation of interzone and intrazone traffic through policies

ScreenOS: the operating system of the ISG 2000

Transparent mode: an operational mode for Layer 2 interfaces that forwards traffic like a switch or brid
nts@juniper.net, or complete and submit the documentation feedback form at www.juniper.net/techpubs/docbug/docbugreport.html.

Technical Support

If you need any technical support, you can visit the Juniper Networks Customer Support Center (CSC). There are many useful resources at the CSC, such as:

- A searchable knowledgebase containing solutions to over 2000 customer questions
- The latest ScreenOS firmware downloads

NOTE: Release Notes are part of a firmware download.

To have access to CSC resources, you must first create a customer account and register your NetScreen product. To set up such an account, go to www.juniper.net/entitlement/setupAccountInfo.do and follow the online instructions.

NOTE: You need the serial number of the ISG 2000 to complete the account setup and device registration.

After you have a customer account, you can create and submit technical support cases for any product under warranty or with a valid support contract. To open a support case, do the following:

1. Visit www.juniper.net/support.
2. In the Login to Support Center area, enter the user name and password that you created while setting up your customer account.
3. Open a support case by clicking Case Management and then filling in the online form. Include the output from the get tech and get license commands. Also, if the network is complex, include a network diagram. Note that the get tech output includes the device configuration, so review it for addresses, keys, and other details you do not want to disclose before attaching it to a case.
deploy an ISG 2000 in this manner. The best deployment technique is to mount the device in an equipment rack, as described in Equipment Rack Mounting on page 26.
- To prevent abuse and intrusion by unauthorized personnel, install the ISG 2000 in a locked room environment.

NOTE: For further safety warnings and instructions, please refer to the NetScreen Safety Guide on the documentation CD. The instructions in this guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.

Connecting the Device to a Network

The ISG 2000 has four interface module bays, which can contain the following types of modules:

- 10/100 Mbps interface module for 10/100Base-T connections (4 and 8 ports)
- 10/100/1000 Mbps interface module for 10/100/1000Base-T connections (2 ports)
- Mini-GBIC interface module for fiber-optic connections (2 ports)

The type of network used by your organization determines the kind of interface needed to connect the ISG 2000. For more information on interface modules, see The Front Panel on page 30.

NOTE: Because of the wide variety of available routers, hubs, and switches, the cabling configuration presented here might not satisfy your network connection requirements. If the cabling suggested in this guide does not work,
on configuring IDP on the ISG 2000 through NetScreen Security Manager, refer to the following documentation:

- NetScreen Security Manager 2004 FP3-IDPr1 Installer's Guide: Instructions on installing NetScreen Security Manager.
- ISG 2000 Getting Started with IDP Guide: General instructions to help you get started configuring IDP with NetScreen Security Manager.
- IDP Deployment Strategies: Advanced IDP implementation scenarios.
- NetScreen Security Manager 2004 FP3-IDPr1 Administrator's Guide: Complete reference guide for NetScreen Security Manager.
- NetScreen Security Manager Online Help: Step-by-step configuration details complementing the information in the administrator's guide.

The NetScreen Security Manager documentation is available on the Juniper Networks Web site: www.juniper.net/techpubs.

NetScreen Product Documentation Guide

To obtain technical documentation for Juniper Networks NetScreen products, see the product documentation CD-ROM that ships with the ISG 2000.

Figure 2: NetScreen Product Documentation CD-ROM

- NetScreen Concepts & Examples ScreenOS Reference Guide: Extensive coverage of all major ScreenOS features, with both conceptual background information and configuration examples.
- NetScreen CLI Reference Guide: Compendium of all command-line interface (CLI) commands, with command syntax and explanations of all keywords.
- NetScreen Messages Reference Guide: Collection of the
ooden ruler toward the back of the chassis, gently lifting the filter.
5. After you separate the filter from the Velcro backing, use your fingers to pull the filter out of the fan tray bay.

Figure 37: Removing the Fan Tray Filter

6. Carefully insert a new filter into the chassis. Use the wooden ruler as an aid to guide the back edge of the filter to reach the end of the Velcro wall.
7. After you completely insert the filter, push the wooden ruler against the surface of the filter several times to ensure that it is secure against the chassis wall.

NOTE: Make sure that the filter is secure against the Velcro wall; otherwise the filter will tear when you reinstall the fan.

8. Replace the fan tray as explained in Replacing the Fan Tray on page 44.

Appendix A: Specifications

This appendix provides general system specifications for the NetScreen ISG 2000. It contains the following sections:

- ISG 2000 Attributes on page 47
- Electrical Specifications on page 47
- Environmental Specifications on page 48
- NEBS Certifications on page 48
- Safety Certifications on page 48
- EMI Certifications on page 48
- Connectors on page 49

ISG 2000 Attributes

    Height  5.25 inches (13 centimeters)
    Depth   23.25 inches (59 centimeters)
    Width   17.5 inches (44.5 centimeters)
    Weight
ot is empty

When you turn on the ISG 2000, the Status LED changes from off to blinking green. Startup takes around 90 seconds to complete. If you want to restart the ISG 2000, wait a few seconds between shutting it down and powering it back up.

The Rear Panel

The rear panel of the ISG 2000 contains dual power supplies. These can be AC or DC power supplies.

Figure 15: Dual AC Power Supplies in Rear Panel

Replacing Interface Modules

The ISG 2000 has four interface module bays. The supplied modules are pre-installed, although they are removable and replaceable. There are four types of interface modules:

- 10/100Base-T module, eight ports
- 10/100Base-T module, four ports
- Mini-GBIC interface connector module, two ports
- 10/100/1000Base-T module, two ports

Figure 16: Interface Module Types (10/100Base-T module, 8 ports; 10/100Base-T module, 4 ports; mini-GBIC interface connector module, 2 ports; 10/100/1000Base-T module, 2 ports)

You can use these interface modules in whatever combination and arrangement suits the needs of your network infrastructure.

Removing Interface Modules

To remove an interface module from a bay:

WARNING: When inserting or removing interface modules, be sure that the power is off. Interface modules are not hot-swappable.

1. Loosen the thumbscrews on e
ount.

NOTE: Juniper Networks recommends using the rear and front rack mount when the equipment rack supports it. Do not attempt to front-mount the ISG 2000.

Rear and Front Mount

To mount the ISG 2000 with support from the rear and front, use the rear slide mount kit.

1. Screw the left and right brackets to the front of each side of the ISG 2000 chassis.
2. Screw the rear mount sleeves to the left and right rear posts of the rack.
3. With the indented groove that runs the length of each slide facing outward, screw the slides to the middle of each side of the ISG 2000 chassis.

NOTE: Depending on the depth of your equipment rack, you can attach the slides along the length of the sides or extend them over the rear of the chassis.

4. Slip the slides into the rear mount sleeves.
5. Push the ISG 2000 forward until the left and right brackets contact the front rack posts.
6. Screw the front left and right brackets to the front posts of the rack.

Figure 13: Rear and Front Mounted ISG 2000

Mid Mount

To mid-mount the ISG 2000:

1. Screw the left and right brackets to the middle of each side of the ISG 2000 chassis.
2. Position the ISG 2000 in the rack and screw the left and right brackets to the left and right rack posts.

Figure 14: Mid-Mo
t is 7

    ID  Name         Type     Attr    VR          Default-IF  VSYS
    0   Null         Null     Shared  untrust-vr  hidden      Root
    1   Untrust      Sec(L3)  Shared  trust-vr    null        Root
    2   Trust        Sec(L3)          trust-vr    null        Root
    3   DMZ          Sec(L3)          trust-vr    null        Root
    4   Self         Func             trust-vr    self        Root
    5   MGT          Func             trust-vr    mgt         Root
    6   HA           Func             trust-vr    null        Root
    7   Global       Sec(L3)          trust-vr    null        Root
    11  V1-Untrust   Sec(L2)          trust-vr    v1-untrust  Root
    12  V1-Trust     Sec(L2)          trust-vr    v1-trust    Root
    13  V1-DMZ       Sec(L2)          trust-vr    v1-dmz      Root
    14  VLAN         Func             trust-vr    vlan1       Root
    16  Untrust-Tun  Tun              trust-vr    hidden.1    Root

There are three predefined security zones for interfaces operating at the Network Layer (Layer 3 in the Open Systems Interconnection (OSI) Model) and three predefined security zones for interfaces operating at the Data Link Layer (Layer 2):

- Predefined Layer 3 security zones: Untrust, Trust, and DMZ
- Predefined Layer 2 security zones: V1-Untrust, V1-Trust, and V1-DMZ

The example in this guide uses the three predefined Layer 3 security zones.

Figure 7: Untrust, DMZ, and Trust Security Zones

Untrust Zone: This zone typically contains the public network that the NetScreen ISG 2000 protects against.
DMZ Zone: This zone typically contains your public-facing resources, such as web servers.
Trust Zone
t local peer1 any permit
    save

Remote Peer Commands (see Remote Peer on page 18):

    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip unnumbered interface untrust
    set address trust local 10.2.2.0/24
    set address untrust peer1 10.1.1.0/24
    set ike gateway gw1 address 1.1.1.1 aggressive local-id peer1@jnpr.net outgoing-interface untrust preshare Iwb715iSF proposal pre-g2-3des-sha
    set vpn vpn1 gateway gw1 tunnel sec-level compatible
    set vpn vpn1 bind interface tunnel.1
    set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
    set vrouter trust-vr route 0.0.0.0/0 interface untrust
    set vrouter trust-vr route 10.1.1.0/24 interface tunnel.1
    set vrouter trust-vr route 10.1.1.0/24 interface null metric 10
    set policy id 1 top from untrust to trust peer1 local any permit
    set policy id 2 top from trust to untrust local peer1 any permit
    save

(The two routes on the remote peer point at the ISG 2000's network, 10.1.1.0/24, which is the address named peer1 on that side; the peer's own network, 10.2.2.0/24, is the address named local and needs no tunnel route.)

Returning the Device to Factory Default Settings

If you want to return the ISG 2000 to its default settings, you can do either of the following, depending on whether or not you are logged in:

- If you are logged in, enter the following sequence of commands:

      unset all

  The following prompt appears:

      Erase all system config, are you sure? y/n

  Press the Y key. The system configuration is returned to the factory default settings. This also restores the default admin name and password (netscreen) and the default MGT interface address (192.168.1.1/24), so change them again before you reconnect the device to a network.

      reset

  The following prompt appears:

      Configuration modified, save? y/n

  Press the N key.
te 0.0.0.0/0 interface ethernet1/1 gateway 1.1.1.2

Addresses (see Addresses on page 13):

    set address dmz web1 1.2.2.2/32
    set address dmz mail-relay 1.2.2.3/32
    set address trust mail1 10.1.1.4/32

Policies (see Policies on page 13):

    set policy id 1 from trust to dmz mail1 mail-relay mail permit log count
    set policy id 2 from trust to dmz any web1 http permit log count
    set policy id 3 from trust to untrust any any any permit log count
    set policy id 4 from dmz to trust mail-relay mail1 mail permit log count
    set policy id 5 from dmz to untrust mail-relay any mail permit log count
    save

CLI Commands: Example Route-Based VPN Configuration

ISG 2000 Commands (see ISG 2000 on page 17):

    set interface tunnel.1 zone untrust
    set interface tunnel.1 ip unnumbered interface ethernet1/1
    set address trust local 10.1.1.0/24
    set address untrust peer1 10.2.2.0/24
    set ike gateway peer1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 preshare Iwb715iSF proposal pre-g2-3des-sha
    set vpn vpn1 gateway peer1 tunnel sec-level compatible
    set vpn vpn1 bind interface tunnel.1
    set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip 0.0.0.0/0 any
    set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
    set vrouter trust-vr route 10.2.2.0/24 interface null metric 10
    set policy id 8 top from untrust to trust peer1 local any permit
    set policy id 9 top from trust to untrus
tion for a NetScreen Security Manager Connection on page 15

Console Connection and Login

To begin configuring the ISG 2000, make a console connection between your workstation and the ISG 2000 and run a VT100 terminal emulator program.

1. Connect the power cable to the ISG 2000 and turn on the power.
2. Connect the female end of the supplied DB-9 adapter to the serial port (COM port) of your workstation.
3. Connect one end of the RJ-45 ethernet cable into the console port of the ISG 2000 and the other end of the cable to the DB-9 adapter.

Figure 4: Console Connection (rear of workstation: plug the DB-9 adapter into the serial port, then connect the ethernet cable to the adapter; connect the RJ-45 ethernet cable to the console port)

4. Start a serial terminal emulation session. Use the following settings:
   - Baud rate: 9600
   - Parity: No
   - Data bits: 8
   - Stop bit: 1
   - Flow control: none
5. Press the Enter key to see the login prompt.
6. At the login prompt, enter netscreen.
7. At the password prompt, enter netscreen.

NOTE: The login admin name and password are both case-sensitive. To change the login name and password, see Admin Name and Password on page 5.

Basic Configuration

The following sections contain the CLI commands for setting up the ISG 2000
tructs the ISG 2000 to create entries in its traffic log for all traffic to which the policy applies. The keyword count instructs the ISG 2000 to keep a running tally of the number of bytes to which the policy applies. Both of these options provide useful tools when analyzing traffic patterns and diagnosing problems.

To view the policies that you have created, use the get policy command:

    get policy
    Total regular policies 7, Default deny.
        ID From     To       Src-address  Dst-address  Service  Action  State    ASTLCB
         1 Trust    DMZ      mail1        mail-relay   MAIL     Permit  enabled  XXX
         2 Trust    DMZ      Any          web1         HTTP     Permit  enabled  XXX
         3 Trust    Untrust  Any          Any          ANY      Permit  enabled  XXX
         4 DMZ      Trust    mail-relay   mail1        MAIL     Permit  enabled  XXX
         5 DMZ      Untrust  mail-relay   Any          MAIL     Permit  enabled  XXX
         6 Untrust  DMZ      Any          web1         HTTP     Permit  enabled  XXX
         7 Untrust  DMZ      Any          mail-relay   MAIL     Permit  enabled  XXX

The order of policies in the list determines the order in which the ISG 2000 applies them. The ISG 2000 first notes the five-part tuple of source and destination zone, source and destination address, and service in a packet arriving at one of its interfaces. It then searches for a policy whose components match all five parts of the tuple by starting at the top of the list and continuing down until it finds a match. If it does not find a match, it drops the packet.

Intrusion Detection and Protection

Intrusion Detection and Protection (IDP) is a me
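The first-match lookup described above, as an added example that is not code from this guide or from ScreenOS: the zone names, address-book entries and the seven policies are the ones in the get policy listing, while the sample packets and the deny policy placed with the top keyword are constructed here to show why list order matters and what the implicit default deny does.

```python
"""First-match policy lookup as the text above describes it.

Added example (not code from the ISG 2000 guide or from ScreenOS): the zone
names, address-book entries and the seven policies are taken from the guide's
own listing; the packet samples and the deny policy added in demo() are
constructed for this demonstration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address book from the guide: (zone, name) -> network. "Any" is a wildcard.
ADDRESS_BOOK = {
    ("trust", "mail1"): ip_network("10.1.1.4/32"),
    ("dmz", "web1"): ip_network("1.2.2.2/32"),
    ("dmz", "mail-relay"): ip_network("1.2.2.3/32"),
}


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    service: str
    action: str


def build_policies():
    """The seven policies shown by 'get policy', in list order."""
    return [
        Policy(1, "trust", "dmz", "mail1", "mail-relay", "MAIL", "permit"),
        Policy(2, "trust", "dmz", "Any", "web1", "HTTP", "permit"),
        Policy(3, "trust", "untrust", "Any", "Any", "ANY", "permit"),
        Policy(4, "dmz", "trust", "mail-relay", "mail1", "MAIL", "permit"),
        Policy(5, "dmz", "untrust", "mail-relay", "Any", "MAIL", "permit"),
        Policy(6, "untrust", "dmz", "Any", "web1", "HTTP", "permit"),
        Policy(7, "untrust", "dmz", "Any", "mail-relay", "MAIL", "permit"),
    ]


def _addr_matches(zone, name, ip):
    if name == "Any":
        return True
    net = ADDRESS_BOOK.get((zone, name))
    return net is not None and ip in net


def lookup(policies, src_zone, dst_zone, src_ip, dst_ip, service):
    """Walk the list top-down and return (policy id, action) of the first
    policy matching all five tuple parts. (None, "deny") is the implicit
    default deny that applies when nothing matches."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and _addr_matches(p.src_zone, p.src_addr, src)
                and _addr_matches(p.dst_zone, p.dst_addr, dst)
                and p.service in ("ANY", service)):
            return p.pid, p.action
    return None, "deny"


def add_policy(policies, policy, top=False):
    """'set policy id N top ...' inserts at the head of the list, so the new
    policy is consulted before every existing one; without 'top' it is
    appended and consulted last."""
    if top:
        policies.insert(0, policy)
    else:
        policies.append(policy)


def demo():
    """Constructed packets run through the guide's policy list."""
    pol = build_policies()
    results = {
        # mail1 -> mail-relay over MAIL: policy 1
        "mail_ok": lookup(pol, "trust", "dmz", "10.1.1.4", "1.2.2.3", "MAIL"),
        # another Trust host tries MAIL to the relay: nothing matches, default deny
        "mail_other_host": lookup(pol, "trust", "dmz", "10.1.1.9", "1.2.2.3", "MAIL"),
        # Internet client to the web server: policy 6
        "web_from_untrust": lookup(pol, "untrust", "dmz", "1.1.1.2", "1.2.2.2", "HTTP"),
        # Trust host to an arbitrary Untrust address: Any/Any/ANY in policy 3
        "trust_out": lookup(pol, "trust", "untrust", "10.1.1.50", "198.51.100.7", "HTTP"),
    }
    # A deny placed with 'top' shadows policy 1 for the same traffic.
    add_policy(pol, Policy(10, "trust", "dmz", "Any", "Any", "ANY", "deny"), top=True)
    results["mail_after_top_deny"] = lookup(pol, "trust", "dmz", "10.1.1.4", "1.2.2.3", "MAIL")
    # The same deny appended instead of placed on top is never reached for that traffic.
    pol2 = build_policies()
    add_policy(pol2, Policy(10, "trust", "dmz", "Any", "Any", "ANY", "deny"))
    results["mail_after_bottom_deny"] = lookup(pol2, "trust", "dmz", "10.1.1.4", "1.2.2.3", "MAIL")
    return results


if __name__ == "__main__":
    for name, (pid, action) in demo().items():
        print(f"{name:24s} -> policy {pid}, {action}")
```

The two deny cases at the end are the practical point of the ordering rule: a policy added with top overrides everything below it, while the same policy appended to the bottom is shadowed by any earlier permit, which is why a reordered or carelessly placed rule changes what the device allows without any policy being wrong on its own.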
try other cable configurations until a link light indicates an active link.

The following figure shows typical cabling for 10/100Base-T networks. It uses the interfaces configured in Chapter 1, Configuring. For fiber-optic networks, use optical cables for all network connections.

Figure 11: Cabling the ISG 2000 to the Network (Untrust zone: external router, DSL modem, or cable modem on ethernet1/1; ethernet1/2; LAN)

NOTE: The cabling instructions given below reproduce the configuration shown here and assume that all the interfaces are still set as described in the example configuration presented in Chapter 1. However, this is not the only possible configuration. If you have changed the interface configurations, use the instructions below as a reference and make adjustments as necessary.

To connect the ISG 2000 to the network, do the following:

1. (Optional) Install the ISG 2000 in an equipment rack; see Equipment Rack Mounting on page 26.
2. Make sure that the ISG 2000 ON/OFF switches on the dual power supplies are in the OFF position.
3. Connect the power cables included in the product package to the ISG 2000 power supplies and to a power source.

NOTE: Whenever you deploy both power supplies in an ISG 2000, connect each power supply to a d
twork user traffic. Because the MGT interface is completely separate from network user traffic, it is more secure and reliable. Even during times when network user traffic is heavy, you can maintain connectivity for your management traffic by keeping it completely separate, or out of band.

To use the MGT interface, connect an ethernet cable from the MGT interface to a switch or router that leads to an exclusive segment of the network containing only the ISG 2000 administrators' workstations. Then give the MGT interface an address that is reachable from that network segment. The default IP address and netmask for the MGT interface is 192.168.1.1/24. Because this address has been widely published, Juniper Networks strongly recommends that you change it. In our example, you assign the MGT interface the IP address 10.2.2.1/28, the MGT zone address planned in Before Beginning. Use the following command:

    set interface mgt ip 10.2.2.1/28

The network security administrators in our example are going to access the ISG 2000 from workstations in the MGT zone. You want them to be able to use Telnet, SSH, and HTTP only. You also want them to be able to ping the MGT interface. By default, all options except ident-reset are enabled on the MGT interface. Therefore, use the following commands to disable the management options that you do not want the administrators to use:

    unset interface mgt manage snmp
    unset interface mgt manage ssl
    save

Note that Telnet and HTTP carry the admin name and password in cleartext. Leaving them enabled is tolerable only because the MGT segment is dedicated to administrators; on any segment you do not fully control, keep SSH (and SSL for the WebUI) and disable telnet and web instead.
umber of a NetScreen device.

NOTE: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe p j12fmt54 is enough to enter the command set admin user joe password j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.

Terminology

The following list contains acronyms and terminology used throughout this guide: CLI, DMZ, function zone, Global zone, hot-swappable, IDP, IKE, IPSec, license key, MGT zone, mini-GBIC, NAT mode, NetScreen Security Manager, Null zone, policy, route-based VPN tunnel, Route mode, security zone, ScreenOS, Transparent mode, Trust zone, tunnel interface, Untrust zone, WebUI.

CLI (command-line interface): a tool for configuring ScreenOS through a console, Telnet, or secure shell (SSH) connection

DMZ (demilitarized zone): a predefined security zone for resources, such as Web servers, to which you allow access from unknown hosts

function zone: a conceptual location for interfaces providing specific functionality, such as device management access or high availability (HA) links

Global zone: a security zone without an interface that acts as a virtual storage space for mapped IP (MIP) and virtual IP (VIP) addresses

hot-swappable: able to be recognized by a system when connected and disconnected without having to turn the system off and on

IDP (Intrusion Detection a
unted ISG 2000

Chapter 3: Hardware and Servicing

The ISG 2000 is a purpose-built, high-performance security system designed to provide a flexible solution to medium and large enterprise central sites and service providers. The ISG 2000 security system integrates firewall, VPN, and Intrusion Detection and Prevention (IDP) functionality in a low-profile, modular chassis.

NOTE: IDP requires the installation of at least one security module, an advanced license key, and an IDP license key. To configure IDP on the ISG 2000, you must use NetScreen Security Manager.

The ISG 2000 is built around a custom, fourth-generation, purpose-built GigaScreen ASIC, which provides accelerated encryption algorithms. The ISG 2000 supports a flexible interface configuration with 4-port and 8-port 10/100 fast ethernet, 2-port 10/100/1000 ethernet, and 2-port gigabit interface modules.

This chapter describes service and maintenance procedures for your ISG 2000. Topics in this chapter include:

- The Front Panel on page 30
  - LED Dashboard on page 32
- The Rear Panel on page 33
- Replacing Interface Modules on page 33
  - Removing Interface Modules on page 34
  - Inserting Interface Modules on page 35
- Connecting and Disconnecting Gigabit Ethernet Cables on page 36
- Replacing a Mini-GBIC Transceiver on page 38
- Replacing Power Supplies on page 39
  - Replacing AC Power Suppli
utgoing interface from which the ISG 2000 sends IKE traffic when performing Phase 1 and 2 negotiations. Define the security level for Phase 1 proposals as Compatible. This set includes the following four Phase 1 proposals, each of which has a lifetime of 28,800 seconds (8 hours). When the lifetime expires, the ISG 2000 renegotiates Phase 1 with its peer.

   - pre-g2-3des-sha
   - pre-g2-3des-md5
   - pre-g2-des-sha
   - pre-g2-des-md5

       set ike gateway peer1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 preshare Iwb715iSF sec-level compatible

   Note that the Compatible set also accepts single DES and MD5, both weak by current standards, and that aggressive mode sends the Phase 1 identities unprotected. Where the peer supports it, name an explicit proposal such as pre-g2-3des-sha instead of sec-level compatible, as the summary tables in this guide do for the gateway.

4. Define the following settings for IPSec VPN tunnel vpn1:

   Define the security level for Phase 2 negotiations as Compatible. This set includes the following four Phase 2 proposals, each of which has a lifetime of 3600 seconds (1 hour). When the lifetime expires, the ISG 2000 renegotiates Phase 2 (and possibly Phase 1 also) with its peer.

   - nopfs-esp-3des-sha
   - nopfs-esp-3des-md5
   - nopfs-esp-des-sha
   - nopfs-esp-des-md5

       set vpn vpn1 gateway peer1 tunnel sec-level compatible

   Bind the VPN tunnel vpn1 to the tunnel interface tunnel.1:

       set vpn vpn1 bind interface tunnel.1

   Set the proxy ID, which specifies the local and remote IP addresses and the service that you want to pass through the tunnel. Setting the proxy ID as 0.0.0.0/0, 0.0.0.0/0, ANY imposes no restrictions, allowing you to control the traffic flow at the policy level.

       set vpn vpn1 proxy-id local-ip 0.0.0.0/0 remote-ip
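A check over the IKE and VPN commands in this section and in the route-based VPN summary tables, as an added example that is not code from this guide or from ScreenOS: it expands sec-level compatible into exactly the Phase 1 and Phase 2 proposal sets listed above and reports which of the resulting proposals use single DES, MD5 or no PFS, and which gateways use aggressive mode or carry a pre-shared key on the command line. The weakness labels and the sample configuration lines are constructed for this demonstration; the lines are modelled on the guide's VPN example, with a fourth line added to show an explicit Phase 2 proposal.

```python
"""Expand ScreenOS 'sec-level compatible' into the proposals the guide lists
and flag the weak choices.

Added example (not code from the ISG 2000 guide or from ScreenOS). The two
proposal sets are the ones the text above lists for sec-level compatible;
the weakness labels and the sample configuration lines are constructed for
this demonstration.
"""

# Phase 1 and Phase 2 proposal sets the guide gives for "sec-level compatible".
PHASE1_COMPATIBLE = ["pre-g2-3des-sha", "pre-g2-3des-md5",
                     "pre-g2-des-sha", "pre-g2-des-md5"]
PHASE2_COMPATIBLE = ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                     "nopfs-esp-des-sha", "nopfs-esp-des-md5"]

# Constructed sample: modelled on the guide's route-based VPN example, plus a
# fourth line (vpn2) with an explicit Phase 2 proposal for contrast.
SAMPLE_CONFIG = """\
set ike gateway peer1 dynamic peer1@jnpr.net aggressive outgoing-interface ethernet1/1 preshare Iwb715iSF sec-level compatible
set vpn vpn1 gateway peer1 tunnel sec-level compatible
set ike gateway gw1 address 1.1.1.1 aggressive local-id peer1@jnpr.net outgoing-interface untrust preshare Iwb715iSF proposal pre-g2-3des-sha
set vpn vpn2 gateway gw1 tunnel proposal nopfs-esp-3des-sha
"""


def proposal_issues(proposal):
    """Weaknesses in one ScreenOS proposal name, e.g. 'nopfs-esp-des-md5'."""
    parts = proposal.split("-")
    issues = []
    if "des" in parts:          # single DES; '3des' is a different token
        issues.append("single-des")
    if "md5" in parts:
        issues.append("md5")
    if "nopfs" in parts:        # no Perfect Forward Secrecy for Phase 2 keys
        issues.append("no-pfs")
    return issues


def _value_after(tokens, key):
    """Token following `key`, or None if `key` is absent or last."""
    if key in tokens:
        i = tokens.index(key)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _proposals(tokens, compatible_set):
    """Proposals a 'set ike gateway' or 'set vpn' line actually enables."""
    if _value_after(tokens, "sec-level") == "compatible":
        return compatible_set
    if "proposal" in tokens:
        return tokens[tokens.index("proposal") + 1:]
    return []


def audit(config_text):
    """Return (object name, issue, detail) triples for each weak setting."""
    findings = []
    for line in config_text.splitlines():
        t = line.split()
        if t[:3] == ["set", "ike", "gateway"]:
            name = t[3]
            if "aggressive" in t:
                findings.append((name, "aggressive-mode",
                                 "Phase 1 identities sent unprotected; prefer main mode"))
            if "preshare" in t:
                findings.append((name, "preshared-key",
                                 "key appears in cleartext on the command line"))
            for prop in _proposals(t, PHASE1_COMPATIBLE):
                for issue in proposal_issues(prop):
                    findings.append((name, issue, prop))
        elif t[:2] == ["set", "vpn"] and "gateway" in t:
            name = t[2]
            for prop in _proposals(t, PHASE2_COMPATIBLE):
                for issue in proposal_issues(prop):
                    findings.append((name, issue, prop))
    return findings


if __name__ == "__main__":
    for obj, issue, detail in audit(SAMPLE_CONFIG):
        print(f"{obj:6s} {issue:16s} {detail}")
```

Run against the sample, the check shows the asymmetry in the guide's own example: the gateway gw1 with an explicit pre-g2-3des-sha proposal gets no algorithm findings, while every object configured with sec-level compatible is reported for single DES and MD5 (and, for Phase 2, no PFS), because a peer offering the weakest entry in that set would be accepted.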