book

ScreenOS Cookbook

Name: ScreenOS Cookbook
ISBN: 9780596510039

by Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, Sunil Wadhwa

February 2008

Intermediate to advanced

838 pages

23h 24m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Credits
Glossary
Preface
AudienceAssumptions This Book MakesConventions Used in This BookUsing Code ExamplesSafari® Books OnlineComments and QuestionsAcknowledgments
1. ScreenOS CLI, Architecture, and Troubleshooting
1.0. Introduction1.1. ScreenOS Architecture1.2. Troubleshoot ScreenOS
2. Firewall Configuration and Management
2.0. Introduction2.1. Use TFTP to Transfer Information to and from the Firewall2.2. Use SCP to Securely Transfer Information to and from the Firewall2.3. Use the Dedicated MGT Interface to Manage the Firewall2.4. Control Access to the Firewall2.5. Manage Multiple ScreenOS Images for Remotely Managed Firewalls2.6. Manage the USB Port on SSG
3. Wireless
3.0. Introduction3.1. Use MAC Filtering3.2. Configure the WEP Shared Key3.3. Configure the WPA Preshared Key3.4. Configure WPA Using 802.1x with IAS and Microsoft Active Directory3.5. Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client3.6. Separate Wireless Access for Corporate and Guest Users3.7. Configure Bridge Groups for Wired and Wireless Networks
4. Route Mode and Static Routing
4.0. Introduction4.1. View the Routing Table on the Firewall4.2. View Routes for a Particular Prefix4.3. View Routes in the Source-Based Routing Table4.4. View Routes in the Source Interface-Based Routing Table4.5. Create Blackhole Routes4.6. Create ECMP Routing4.7. Create Static Routes for Gateway Tracking4.8. Export Filtered Routes to Other Virtual Routers4.9. Change the Route Lookup Preference4.10. Create Permanent Static Routes
5. Transparent Mode
5.0. Introduction5.1. Enable Transparent Mode with Two Interfaces5.2. Enable Transparent Mode with Multiple Interfaces5.3. Configure a VLAN Trunk5.4. Configure Retagging5.5. Configure Bridge Groups5.6. Manipulate the Layer 2 Forwarding Table5.7. Configure the Management Interface in Transparent Mode5.8. Configure the Spanning Tree Protocol (STP)5.9. Enable Compatibility with HSRP and VRRP Routers5.10. Configure VPNs in Transparent Mode5.11. Configure VSYS with Transparent Mode
6. Leveraging IP Services in ScreenOS
6.0. Introduction6.1. Set the Time on the Firewall6.2. Set the Clock with NTP6.3. Check NTP Status6.4. Configure the Device’s Name Service6.5. View DNS Entries on a Device6.6. Use Static DNS to Provide a Common Policy for Multiple Devices6.7. Configure the DNS Proxy for Split DNS6.8. Use DDNS on the Firewall for VPN Creation6.9. Configure the Firewall As a DHCP Client for Dynamic IP Environments6.10. Configure the Firewall to Act As a DHCP Server6.11. Automatically Learn DHCP Option Information6.12. Configure DHCP Relay6.13. DHCP Server Maintenance
7. Policies
7.0. Introduction7.1. Configure an Inter-Zone Firewall Policy7.2. Log Hits on ScreenOS Policies7.3. Generate Log Entries at Session Initiation7.4. Configure a Syslog Server7.5. Configure an Explicit Deny Policy7.6. Configure a Reject Policy7.7. Schedule Policies to Run at a Specified Time7.8. Change the Order of ScreenOS Policies7.9. Disable a ScreenOS Policy7.10. Configure an Intra-Zone Firewall Policy7.11. Configure a Global Firewall Policy7.12. Configure Custom Services7.13. Configure Address and Service Groups7.14. Configure Service Timeouts7.15. View and Use Microsoft RPC Services7.16. View and Use Sun-RPC Services7.17. View the Session Table7.18. Troubleshoot Traffic Flows7.19. Configure a Packet Capture in ScreenOS7.20. Determine Platform Limits on Address/Service Book Entries and Policies

8. Network Address Translation
8.0. Introduction8.1. Configure Hide NAT8.2. Configure Hide NAT with VoIP8.3. Configure Static Source NAT8.4. Configure Source NAT Pools8.5. Link Multiple DIPs to the Same Policy8.6. Configure Destination NAT8.7. Configure Destination PAT8.8. Configure Bidirectional NAT for DMZ Servers8.9. Configure Static Bidirectional NAT with Multiple VRs8.10. Configure Source Shift Translation8.11. Configure Destination Shift Translation8.12. Configure Bidirectional Network Shift Translation8.13. Configure Conditional NAT8.14. Configure NAT with Multiple Interfaces8.15. Design PAT for a Home or Branch Office8.16. A NAT Strategy for a Medium Office with DMZ8.17. Deploy a Large-Office Firewall with DMZ8.18. Create an Extranet with Mutual PAT8.19. Configure NAT with Policy-Based VPN8.20. Configure NAT with Route-Based VPN8.21. Troubleshoot NAT Mode8.22. Troubleshoot DIPs (Policy NAT-SRC)8.23. Troubleshoot Policy NAT-DST8.24. Troubleshoot VIPs8.25. Troubleshoot MIPs
9. Mitigating Attacks with Screens and Flow Settings
9.0. Introduction9.1. Configure SYN Flood Protection9.2. Control UDP Floods9.3. Detect Scan Activity9.4. Avoid Session Table Depletion9.5. Baseline Traffic to Prepare for Screen Settings9.6. Use Flow Configuration for State Enforcement9.7. Detect and Drop Illegal Packets with Screens9.8. Prevent IP Spoofing9.9. Prevent DoS Attacks with Screens9.10. Use Screens to Control HTTP Content
10. IPSec VPN
10.0. Introduction10.1. Create a Simple User-to-Site VPN10.2. Policy-Based IPSec Tunneling with Static Peers10.3. Route-Based IPSec Tunneling with Static Peers and Static Routes10.4. Route-Based VPN with Dynamic Peer and Static Routing10.5. Redundant VPN Gateways with Static Routes10.6. Dynamic Route-Based VPN with RIPv210.7. Interoperability
11. Application Layer Gateways
11.0. Introduction11.1. View the List of Available ALGs11.2. Globally Enable or Disable an ALG11.3. Disable an ALG in a Specific Policy11.4. View the Control and Data Sessions for an FTP Transfer11.5. Configure ALG Support When Running FTP on a Custom Port11.6. Configure and View ALG Inspection of a SIP-Based IP Telephony Call Session11.7. View SIP Call and Session Counters11.8. View and Modify SIP ALG Settings11.9. View the Dynamic Port(s) Associated with a Microsoft RPC Session11.10. View the Dynamic Port(s) Associated with a Sun-RPC Session
12. Content Security
12.0. Introduction12.1. Configure Internal Antivirus12.2. Configure External Antivirus with ICAP12.3. Configure External Antivirus via Redirection12.4. Configure Antispam12.5. Configure Antispam with Third Parties12.6. Configure Custom Blacklists and Whitelists for Antispam12.7. Configure Internal URL Filtering12.8. Configure External URL Filtering12.9. Configure Custom Blacklists and Whitelists with URL Filtering12.10. Configre Deep Inspection12.11. Download Deep Inspection Signatures Manually12.12. Develop Custom Signatures with Deep Inspection12.13. Configure Integrated IDP
13. User Authentication
13.0. Introduction13.1. Create Local Administrative Users13.2. Create VSYS-Level Administrator Accounts13.3. Create User Groups for Authentication Policies13.4. Use Authentication Policies13.5. Use WebAuth with the Local Database13.6. Create VPN Users with the Local Database13.7. Use RADIUS for Admin Authentication13.8. Use LDAP for Policy-Based Authentication13.9. Use SecurID for Policy-Based Authentication
14. Traffic Shaping
14.0. Introduction14.1. Configure Policy-Level Traffic Shaping14.2. Configure Low-Latency Queuing14.3. Configure Interface-Level Traffic Policing14.4. Configure Traffic Classification (Marking)14.5. Troubleshoot QoS
15. RIP
15.0. Introduction15.1. Configure a RIP Instance on an Interface15.2. Advertise the Default Route via RIP15.3. Configure RIP Authentication15.4. Suppress RIP Route Advertisements with Passive Interfaces15.5. Adjust RIP Timers to Influence Route Convergence Duration15.6. Adjust RIP Interface Metrics to Influence Path Selection15.7. Redistribute Static Routes into RIP15.8. Redistribute Routes from OSPF into RIP15.9. Filter Inbound RIP Routes15.10. Configure Summary Routes in RIP15.11. Administer RIP Version 115.12. Troubleshoot RIP
16. OSPF
16.0. Introduction16.1. Configure OSPF on a ScreenOS Device16.2. View Routes Learned by OSPF16.3. View the OSPF Link-State Database16.4. Configure a Multiarea OSPF Network16.5. Set Up Stub Areas16.6. Create a Not-So-Stubby Area (NSSA)16.7. Control Route Propagation in OSPF16.8. Redistribute Routes into OSPF16.9. Make OSPF RFC 1583-Compatible Problem16.10. Adjust OSPF Link Costs16.11. Configure OSPF on Point-to-Multipoint Links16.12. Configure Demand Circuits16.13. Configure Virtual Links16.14. Change OSPF Timers16.15. Secure OSPF16.16. Troubleshoot OSPF
17. BGP
17.0. Introduction17.1. Configure BGP with an External Peer17.2. Configure BGP with an Internal Peer17.3. Configure BGP Peer Groups17.4. Configure BGP Neighbor Authentication17.5. Adjust BGP Keepalive and Hold Timers17.6. Statically Define Prefixes to Be Advertised to EBGP Peers17.7. Use Route Maps to Filter Prefixes Announced to BGP Peers17.8. Aggregate Route Announcements to BGP Peers17.9. Filter Route Announcements from BGP Peers17.10. Update the BGP Routing Table Without Resetting Neighbor Connections17.11. Use BGP Local_Pref for Route Selection17.12. Configure Route Dampening17.13. Configure BGP Communities17.14. Configure BGP Route Reflectors17.15. Troubleshoot BGP
18. High Availability with NSRP
18.0. Introduction18.1. Configure an Active-Passive NSRP Cluster in Route Mode18.2. View and Troubleshoot NSRP State18.3. Influence the NSRP Master18.4. Configure NSRP Monitors18.5. Configure NSRP in Transparent Mode18.6. Configure an Active-Active NSRP Cluster18.7. Configure NSRP with OSPF18.8. Provide Subsecond Failover with NSRP and BGP18.9. Synchronize Dynamic Routes in NSRP18.10. Create a Stateful Failover for an IPSec Tunnel18.11. Configure NAT in an Active-Active Cluster18.12. Configure NAT in a VSD-Less Cluster18.13. Configure NSRP Between Data Centers18.14. Maintain NSRP Clusters
19. Policy-Based Routing
19.0. Introduction19.1. Traffic Load Balancing19.2. Verify That PBR Is Working for Traffic Load Balancing19.3. Prioritize Traffic Between IPSec Tunnels19.4. Redirect Traffic to Mitigate Threats19.5. Classify Traffic Using the ToS Bits19.6. Block Unwanted Traffic with a Blackhole19.7. View Your PBR Configuration
20. Multicast
20.0. Introduction20.1. Allow Multicast Traffic Through a Transparent Mode Device20.2. Use Multicast Group Policies to Enforce Stateful Multicast Forwarding20.3. View mroute State20.4. Use Static mroutes to Allow Multicast Through a Firewall Without Using PIM20.5. Connect Directly to Multicast Receivers20.6. Use IGMP Proxy Mode to Dynamically Join Groups20.7. Configure PIM on a Firewall20.8. Use BSR for RP Mapping20.9. Firewalling Between PIM Domains20.10. Connect Two PIM Domains with Proxy RP20.11. Manage RPF Information with Redundant Routers20.12. PIM and High Availability20.13. Provide Active-Active Multicast20.14. Scale Multicast Replication
21. Virtual Systems
21.0. Introduction21.1. Create a Route Mode VSYS21.2. Create Multiple VSYS Configurations21.3. VSYS and High Availability21.4. Create a Transparent Mode VSYS21.5. Terminate IPSec Tunnels in the VSYS21.6. Configure VSYS Profiles
About the Authors
Colophon
Copyright

Content preview from ScreenOS Cookbook

Chapter 18. High Availability with NSRP

18.0. Introduction

The NetScreen Redundancy Protocol (NSRP) is a proprietary protocol originally developed by NetScreen Technologies Inc. The goal of NSRP is to ensure that the firewall and virtual private network (VPN) services are available at all times. There are three primary components of NSRP: gateway failover, session synchronization, and failure detection. The first component is relatively straightforward. Much like the Internet Engineering Task Force (IETF) standard protocol, the Virtual Router Redundancy Protocol (VRRP), NSRP provides a virtual Media Access Control (MAC) address and IP address to the network so that hosts and routers can point statically to a gateway IP. In NSRP terms, a virtual interface is known as a Virtual Security Interface (VSI). When a failure condition is detected, the MAC/IP pair for each interface is “migrated” from one device to the other via the use of gratuitous Address Resolution Protocol (ARP) messages. These ARP messages update the switch’s forwarding database so that traffic destined to the virtual MAC is forwarded to the port to which the new “master” is connected. From the network’s point of view, VRRP and NSRP in most cases use identical mechanisms to signal failover to the rest of the network. At this point, the similarities between the two protocols disappear.

Some of the key differentiators between VRRP and NSRP include the following:

NSRP typically utilizes dedicated links for heartbeat traffic, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Special Edition Using® Crystal Reports® 10

Publisher Resources

ISBN: 9780596510039Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

ScreenOS Cookbook

by Stefan Brunner, Vik Davar, David Delcourt, Ken Draper, Joe Kelly, Sunil Wadhwa

Chapter 18. High Availability with NSRP

18.0. Introduction

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.