manualshive.com logo in svg

Juniper NETWORK AND SECURITY MANAGER 2010.3, Administration Manual

The Juniper NETWORK AND SECURITY MANAGER 2010.3 is a comprehensive software solution for managing network and security devices. Ensure smooth operations by referring to the detailed Administration Manual available for free download on manualshive.com. Stay up to date with the latest features and enhancements with this essential manual.

Share
Download
background image

Table 124: Deep Inspection Alarm Log Entries

(continued)

Versions

Severity

Attack Description

Attack Name

sos5.1.0

info

This signature detects attempts to login to the MSN network
using an MSN Messenger client.

CHAT:MSN:LOGIN-ATTEMPT

sos5.1.0

high

This signature detects buffer overflow attempts against the
SQLXML-ASAPI Extension in Microsoft SQL Server 2000.
The SQLXML-ASAPI extension handles data queries over
HTTP (SQLXML HTTP); attackers may connect to the target
host and submit maliciously crafted data to create a buffer
overflow.

DB:MS-SQL:SQLXML-ISAPI-OF

sos5.1.0

info

This protocol anomaly is a DNS request/reply in which the
question/resource address class is not IN (Internet Address).
Although allowed by the RFC, this should happen only in
rare circumstances and may indicate an exploit attempt.

DNS:AUDIT:CLASS-NON-IN

sos5.1.0

info

This protocol anomaly is a DNS reply with a resource
specifying a CLASS ID reserved for queries only (QCLASS).
This may indicate an exploit attempt.

DNS:AUDIT:QCLASS-UNEXP

sos5.1.0

info

This protocol anomaly is a DNS reply with a resource
specifying a TYPE ID reserved for queries only (QTYPE). This
may indicate an exploit attempt.

DNS:AUDIT:REP-QTYPE-UNEXPECTED

sos5.1.0

info

This protocol anomaly is a DNS reply with a query/reply bit
(QR) that is unset (indicating a query). This may indicate an
exploit attempt.

DNS:AUDIT:REP-S2C-QUERY

sos5.1.0

info

This protocol anomaly is a DNS request with a query/reply
bit (QR) set (indicating a reply). This may indicate an exploit
attempt.

DNS:AUDIT:REQ-C2S-RESPONSE

sos5.1.0

info

This protocol anomaly is a client-to-server DNS message
with the recursion-available bit (RA) set. This may indicate
an exploit attempt.

DNS:AUDIT:REQ-INVALID-HDR-RA

sos5.1.0

info

This protocol anomaly is a DNS request with request type
set to "ANY".

DNS:AUDIT:TYPE-ANY

sos5.0.0,
sos5.1.0

high

This protocol anomaly is an empty DNS UDP message. This
may indicate an exploit attempt.

DNS:EXPLOIT:EMPTY-UDP-MSG

sos5.0.0,
sos5.1.0

high

This protocol anomaly is an rdataset parameter to the
dns_message_findtype() function in message.c that is not
NULL. In BIND 9 (up to 9.2.0), attackers may cause a
shutdown on an assertion failure. Note: Common queries in
routine operations (such as SMTP queries) may trigger this
anomaly.

DNS:EXPLOIT:EXPLOIT-BIND9-RT

sos5.0.0,
sos5.1.0

high

This protocol anomaly is a DNS message with a set of DNS
pointers that form a loop. This may indicate a
denial-of-service (DoS) attempt.

DNS:EXPLOIT:POINTER-LOOP

Copyright © 2010, Juniper Networks, Inc.

866

Network and Security Manager Administration Guide

Summary of Contents for NETWORK AND SECURITY MANAGER 2010.3

Page 1: ...Juniper Networks Network and Security Manager Administration Guide Release 2010 3 Published 2010 08 17 Revision 1 Copyright 2010 Juniper Networks Inc...

Page 2: ...f the University of California All rights reserved Portions of the GateD software copyright 1991 D L S Associates This product includes software developed by Maker Communications Inc copyright 1996 19...

Page 3: ...re physically contained on a single chassis c Product purchase documents paper or electronic user documentation and or the particular licenses purchased by Customer may specify limits to Customer s us...

Page 4: ...ATE WITHOUT ERROR OR INTERRUPTION OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK In no event shall Juniper s or its suppliers or licensors liability to Customer whether in contract tort inclu...

Page 5: ...ree years from the date of distribution Such request can be made in writing to Juniper Networks Inc 1194 N Mathilda Ave Sunnyvale CA 94089 ATTN General Counsel You may obtain a copy of the GPL at http...

Page 6: ...Copyright 2010 Juniper Networks Inc vi...

Page 7: ...Device Configuration 5 Device Management 6 Importing Devices 6 Device Modeling 6 Rapid Deployment 6 Policy Based Management 6 Error Prevention Recovery and Auditing 7 Device Configuration Validation...

Page 8: ...n and Data Origination Icons 32 Working with Other NSM Administrators 33 Searching in the User Interface 33 Contains String C Search Mode 34 Starts With S Search Mode 34 Regular Expression R Search Mo...

Page 9: ...ation Banner 60 Chapter 3 Configuring Role Based Administration 61 Role Based Administration 61 Domains 61 About Roles 62 Using Role Based Administration Effectively 63 Enterprise Organizations 63 Geo...

Page 10: ...iple Devices 103 Specifying the OS and Version 104 Determining Port Mode ScreenOS Devices Only 104 Trust Untrust Port Mode 105 Home Work Port Mode 105 Dual Untrust Port Mode 106 Combined Port Mode 106...

Page 11: ...lects Two Devices to Update with the Delta Option But Has no Admin Privileges 146 Adding Vsys Devices 146 Placing the Root Device in a Global Domain or a Subdomain 147 Importing Vsys Devices 147 Model...

Page 12: ...id Deployment 177 Modeling and Activating Many Devices with Configlets 178 Activating Many Devices with Configlets 179 Adding Device Groups 179 Example Creating a Device Group 180 Setting Up NSM to Wo...

Page 13: ...211 Identifying Ordered List Entries That Do Not Match the Template or Configuration Group Order 214 Using the Template Operations Directive 215 Select OS Name Section 216 Select Devices Section 216...

Page 14: ...Configuration File 238 Automatic Import of Configuration Files 238 Chapter 6 Updating Devices 239 About Updating 239 How the Update Process Works 240 About Atomic Configuration ScreenOS Devices 241 Ab...

Page 15: ...Page Shared Object 275 Importing Antivirus Live Update Settings 275 Uploading Live Update Settings 275 275 Linking to a Live Update File Shared Object 276 Importing Endpoint Security Assessment Plug i...

Page 16: ...292 Scheduling Security Updates 292 Example Update Attack Objects and Push to Connected Devices 294 Scheduling the Update 294 Example Using Crontab to Schedule Attack Updates 295 Viewing Scheduled Sec...

Page 17: ...dress Object 324 Editing and Deleting Address Objects 325 Replacing Address Objects 325 Adding an Address Object Group 325 Adding a Multicast Group Address Object 326 Adding Static DNS Host Addresses...

Page 18: ...354 Configuring Compound Attack Members 355 Configuring the Direction Filter 357 Creating Custom DI Attack Groups 357 Creating Custom IDP Attack Groups 357 Creating Static Attack Groups 358 Creating D...

Page 19: ...ervice Objects 382 Viewing Predefined Services 382 Creating Custom Services 384 Service Object Groups 385 Example Creating a Custom Service and Group 386 Example Creating a Custom Sun RPC Service 387...

Page 20: ...418 Configuring CRLs 419 Configuring Extranet Policies 419 Configuring Binary Data Objects 420 Adding Binary Data Objects 420 Viewing Editing and Deleting Binary Data Objects 421 Configuring Protecte...

Page 21: ...and Destination Addresses for Firewall Rules 444 Support for Any IPv6 as a Source Address 445 Configuring Services for Firewall Rules 446 Defining Actions for Firewall Rules 446 Selecting Devices for...

Page 22: ...Rules 474 Entering Comments for IDP Rules 474 Configuring multiple IDP policies for an MX Series Router 475 Configuring Application Policy Enforcement APE Rules 476 Adding the APE Rulebase Using the...

Page 23: ...tting an Alert 490 Logging Packets 490 Setting Severity 490 Specifying VLANs 490 Setting Target Devices 490 Entering Comments 491 Configuring SYN Protector Rules 491 The TCP Handshake 491 SYN Floods 4...

Page 24: ...e Options 500 Setting Notification 500 Setting Logging 500 Setting an Alert 500 Logging Packets 500 Setting Severity 501 Specifying VLANs 501 Setting Target Devices 501 Entering Comments 501 Installin...

Page 25: ...prerules and postrules 521 Managing prerules and postrules 521 Add prerules and postrules 521 Push prerules and postrules to Regional Server 521 Modify prerules and postrules 522 Delete prerules and p...

Page 26: ...Protecting Data in the VPN 548 Using IPSec 548 Using L2TP 550 Choosing a VPN Tunnel Type 550 About Policy Based VPNs 550 About Route Based VPNs 551 VPN Checklist 551 Define Members and Topology 551 D...

Page 27: ...ing Users 577 Editing the VPN Configuration 577 Editing VPN Overrides 577 VPN Manager Examples 577 Example Configuring an Autokey IKE Policy Based Site to Site VPN 578 Example Configuring an Autokey I...

Page 28: ...t Mode 621 Using Central Manager 621 Adding a Regional Server Object 621 Deleting a Regional Server Object 622 Logging into a Regional Server 622 Installing Global Policy to a Regional Server 622 Prer...

Page 29: ...figuration Conflicts with the Infranet Controller in the UAC Manager 643 Enabling 802 1X on Enforcement Point Ports in the UAC Manager 644 Disabling 802 1X on Enforcement Point Ports in the UAC Manage...

Page 30: ...ng Server Status 690 Viewing Additional Server Status Details 692 Viewing Process Status 693 Using Management System Utilities 695 Using Schema Information 696 Viewing Device Schema 697 Chapter 18 Ana...

Page 31: ...able Components 718 Stopping Worms and Trojans 719 Example SQL Worm 719 Example Blaster Worm 720 Accessing Data in the Profiler Database 720 About Security Explorer 721 Security Explorer Main Graph 72...

Page 32: ...rends Server 743 Managing Packet Data in Logs 743 Using the Log Viewer 746 Using Log Views 747 About Predefined Log Views 747 Creating Custom Views and Folders 749 Creating Per Session Views 750 Log V...

Page 33: ...it Log Table 779 Managing the Audit Log Table 780 Target View and Device View 782 Setting a Start Time for Audit Log Entries 782 Managing Log Volume 782 Automatic Device Log Cleanup 783 Archiving Logs...

Page 34: ...IDP Reports 802 Screen Reports 803 Administrative Reports 804 UAC Reports 804 Profiler Reports 805 AVT Reports 805 SSL VPN Reports 805 EX Series Switches Report 806 My Reports 806 Shared Reports 806...

Page 35: ...ttack Trends 818 Example Using DI Reports to Detect Application Attacks 819 Using the Watch List 819 Part 5 Appendixes Appendix A Glossary 823 Network and Security Manager NSM Term Definitions 823 App...

Page 36: ...Copyright 2010 Juniper Networks Inc xxxvi Network and Security Manager Administration Guide...

Page 37: ...gure 15 User in Domain global with a Predefined Role 71 Figure 16 User in Domain global with Custom Role r1 71 Figure 17 User in Subdomain d1 With a Predefined Role 72 Figure 18 User in Subdomain d1 W...

Page 38: ...IP Based Session Limit 207 Figure 53 View DoS Value for SYN ACK ACK Proxy Protection Setting 207 Figure 54 View Default SYN ACK ACK Proxy Protection Setting 207 Figure 55 Up and Down Arrows for Chang...

Page 39: ...for AutoKey IKE VPN 581 Figure 91 Add Chicago Protected Resource for AutoKey IKE RAS VPN 583 Figure 92 Add New Local User for AutoKey IKE RAS VPN 583 Figure 93 Configure Security for AutoKey IKE RAS...

Page 40: ...vestigator Results 775 Figure 114 Audit Log Viewer UI Overview 779 Chapter 20 Reporting 799 Figure 115 Generating A Quick Report 815 Figure 116 Logs by User Set Flag Report 816 Figure 117 Top FW VPN R...

Page 41: ...ts 21 Table 13 Validation Status for Devices 31 Table 14 Validation Icons 32 Chapter 3 Configuring Role Based Administration 61 Table 15 How to Authenticate Users 68 Table 16 Predefined NSM Administra...

Page 42: ...ce NAT Configuration Options 412 Table 42 Destination NAT Configuration Options 415 Chapter 9 Configuring Security Policies 429 Table 43 IDP Rule Actions 467 Table 44 Severity Levels Recommended Actio...

Page 43: ...ata 707 Table 86 Network Profiler Data 708 Table 87 Applciation Profiler Data 711 Table 88 Detailed Network Information Data 715 Table 89 Transitional Graphs 726 Chapter 19 Logging 729 Table 90 Event...

Page 44: ...ppendix A Glossary 823 Table 119 CIDR Translation 827 Appendix B Unmanaged ScreenOS Commands 849 Table 120 Unmanaged Commands for Firewall VPN Devices 849 Appendix C SurfControl Web Categories 851 Tab...

Page 45: ...s a technical overview of the management system architecture It also explains how to configure basic and advanced NSM functionality including adding new devices deploying new device configurations upd...

Page 46: ...rts you to the risk of personal injury from a laser Laser warning Table 2 on page xlvi defines text conventions used in this guide Table 2 Text Conventions Examples Description Convention Issue the cl...

Page 47: ...tional or required Words separated by the pipe symbol internal external Represent optional keywords or variables Words enclosed in brackets level 1 level 2 11 Represent optional keywords or variables...

Page 48: ...Devices Guide Provides procedures for basic tasks in the NSM user interface It also includes a brief overview of the NSM system and a description of the GUI elements Network and Security Manager Onlin...

Page 49: ...al pdf resource guides 7100059 en pdf Product warranties For product warranty information visit http www juniper net support warranty JTAC Hours of Operation The JTAC centers have resources available...

Page 50: ...AC on the Web or by telephone Use the Case Management tool in the CSC at http www juniper net cm Call 1 888 314 JTAC 1 888 314 5822 toll free in the USA Canada and Mexico For international or direct d...

Page 51: ...he management system and describe how to prepare to integrate your existing network security structure using NSM role based administration tools Part 1 contains the following chapters Introduction to...

Page 52: ...Copyright 2010 Juniper Networks Inc 2 Network and Security Manager Administration Guide...

Page 53: ...anaging all device parameters for devices NSM works with networks of all sizes and complexity You can add a single device or create device templates to help you deploy multiple devices You can create...

Page 54: ...stinct systems or to control administrative access to individual systems With multiple domains you can create objects policies and templates in the global domain and then create subdomains that automa...

Page 55: ...n groups In Junos devices configuration groups allow you to create a group containing configuration statements and to direct the inheritance of that group s statements in the rest of the configuration...

Page 56: ...your devices with a single update You can implement a new routing protocol across your network design and deploy a new security policy with traffic shaping or create a new VPN tunnel that connects a b...

Page 57: ...Configuration Validation NSM alerts you to configuration errors while you work in the UI Each field that has incorrect or incomplete data displays an error icon Move your cursor over the icon to see d...

Page 58: ...M provides the tools and features you need to manage your devices as a complete system as well as individual networks and devices To manage an individual device create a single device configuration de...

Page 59: ...devices in the Device Monitor Configuration and connection status of your managed devices Individual device details such as memory usage and active sessions Device statistics View the status of each i...

Page 60: ...urity Manager Installation Guide Architecture NSM is a three tier management system made up of a user interface UI management system and managed devices The devices process your network traffic and ar...

Page 61: ...gement system is made up of two components GUI Server Device Server See Figure 2 on page 11 Figure 2 NSM System Architecture GUI Server The GUI Server manages the system resources and data that drive...

Page 62: ...tion data to the NSM UI for viewing or to the local data store for later retrieval guiSvrMasterController GUI Server License Manager is responsible for license storage retrieval and validation guiSvrL...

Page 63: ...ogWalker Device Server Database Server devSvrDBServer Device Server Profiler Manager devSvrProfilerMgr Managed Devices In addition to dedicated security devices such as firewalls and IDP sensors your...

Page 64: ...en 204 ScreenOS 5 0 5 0 FIPS 5 1 5 2 5 3 5 3 TMAV 5 4 5 4 FIPS Juniper Networks NetScreen 208 ScreenOS 5 0 5 0 FIPS 5 0 NSGP 5 0 GPRS 5 1 5 1 GPRS 5 1 shotglass 5 2 5 3 5 3 TMAV 5 4 5 4 FIPS Juniper N...

Page 65: ...enOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 320M ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350 ScreenOS 6 0r2 and later 6 1 6 2 6 3 Juniper Networks SSG 350M ScreenOS 5 1 SSG...

Page 66: ...outage and a longer upgrade time SSG 5 SB replaces NetScreen 5GT SSG 5 SB is a 10 user variant of SSG 5 similar to the existing 10 user variant of NS 5GT Devices Running Junos OS Devices running Juno...

Page 67: ...per Networks J4350 Services Router with IDP Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Juniper Networks J6350 Services Router Junos OS Release 9 5 9 6 10 0 10 1 Juniper Networks...

Page 68: ...0 2 via schema update Juniper Networks M10i Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Juniper Networks M40e Junos OS Release 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update Ju...

Page 69: ...10 1 10 2 via schema update Juniper Networks EX2200 48P Junos OS Release 10 1 10 2 via schema update Juniper Networks EX2200 48T Junos OS Release 9 2 9 3 9 4 9 5 9 6 10 0 10 1 10 2 via schema update J...

Page 70: ...Secure Access products and operating system versions supported by NSM 2010 3 Table 11 Secure Access Products NSM Supports Versions of SA Software NSM Supports Security Device SA Release 6 3 6 4 6 5 Ju...

Page 71: ...configuration data for all objects in a specific domain When you use the UI to interface with your managed devices the ADM and DMs work together When you update a device configuration the GUI Server t...

Page 72: ...Devices on page 13 for lists of specific models of these products that support management through NSM Unlike schemas for ScreenOS and IDP devices schemas for these devices can be updated asynchronousl...

Page 73: ...n Attempts The NSM UI blocks hosts that fail to login after 10 attempts by default Use the Tools Preferences System Properties option to change the number of attempts Use the Tools Manage Blocked Host...

Page 74: ...cies VPNs and other objects Administer panel Provides NSM modules with tree structures for managing the NSM servers ongoing jobs and other actions For details about each module see NSM Modules on page...

Page 75: ...re Modules on page 27 Administer Modules on page 31 Investigate Modules The Investigate panel includes the following top level modules Log Viewer on page 25 Report Manager on page 26 Log Investigator...

Page 76: ...X Series devices NSM does not support report management for SRX Series devices M Series devices and MX Series devices Log Investigator The Log Investigator contains tools for analyzing your log entrie...

Page 77: ...page 29 Device Manager The Device Manager contains the device objects that represent your managed devices You can create or modify ScreenOS security devices and IDP sensors The devices you use to ena...

Page 78: ...tiple devices Delete policies If the device configurations that you import from your security devices contain policies the Policy Manager displays those imported policies For details on editing those...

Page 79: ...owing objects in NSM Access Profiles An access profile consists of a set of attributes that defines access to a device You can create access profile objects and share them across security policies tha...

Page 80: ...eated Regional Servers Represent NSM servers managed by a Central Manager Zone objects Represent zones in a Central Manager or Regional Server Schedule objects Represent specific dates and times You c...

Page 81: ...ctives that NSM sends to your managed devices You can view summaries or details for active jobs and completed jobs For more details on Job Manager see Tracking Device Updates on page 254 Action Manage...

Page 82: ...4 on page 32 Table 14 Validation Icons Priority Meaning Message Type Icon Highest Indicates that a configuration or parameter is not configured correctly in the NSM UI Updating a device with this mode...

Page 83: ...ed enabling other administrators to edit it However because the UI does not immediately refresh the object values you must manually refresh the UI to view the most recent versions When you attempt to...

Page 84: ...ey to end the search operation and close the window The following sections provide examples of each search mode Contains String C Search Mode Use to locate a pattern anywhere in a string For example t...

Page 85: ...bjects that detect denial of service attacks 1 In the main navigation tree select Object Manager Attack Objects DI Objects and then select the Predefined Attacks tab 2 Select the first entry in the co...

Page 86: ...ess Table tab 2 Select the first entry in the column IP Domain Name and then press the backslash key to display the search mode window 3 Enter I and then enter 5 5 5 The UI automatically highlights th...

Page 87: ...ing bbbb 1 In the main navigation tree select Object Manager Address Objects then select the Address Table tab 2 Select any entry in the Namecolumn and then press the backslash key to display the sear...

Page 88: ...lated information If you select Name you must enter the name of the object in the Name field You can then specify whether you want the search to be a Case Sensitive or Regular Expression type of searc...

Page 89: ...button to execute the search The Search Results appear at the bottom of the dialog box The applicable search category is listed to the left and the matching search objects are listed to the right 5 U...

Page 90: ...Copyright 2010 Juniper Networks Inc 40 Network and Security Manager Administration Guide...

Page 91: ...e 45 Simplifying Management on page 54 Creating an Information Banner on page 57 Configuring Devices Overview To manage Juniper Networks devices that already exist on your network you can import their...

Page 92: ...imports the existing device configuration it automatically creates all objects and policies in the configuration NOTE NSM does not import IDP rulebases in a security policy when importing the device c...

Page 93: ...nfigurations for similar devices For ScreenOS 5 x and later devices you can use Rapid Deployment RD to deploy multiple devices in nontechnical locations Use RD to stage and configure devices quickly a...

Page 94: ...ion to a device see Updating Devices on page 239 7 Create VPN rules Create Protected Resources Create user objects and User Groups for RAS VPNs Use VPN Manager to select VPN members and then automatic...

Page 95: ...etScreen IDP 4 x The NSM system consists of the Device Server and the GUI Server the NSM User Interface is a client application used to access information stored in the NSM system Guidance for Intende...

Page 96: ...configuring and managing IDP on the ISG2000 and ISG1000 devices Although you can use the ScreenOS CLI or Web UI to configure the firewall VPN capabilities of the security device you must use the NSM U...

Page 97: ...xisting ISG2000 or ISG1000 device that is currently managed by NSM then upgrade the device firmware to ScreenOS 5 0 0 IDP1 NOTE After you have upgraded the firmware you must reimport the device config...

Page 98: ...tack object database on the selected managed devices Adding Objects Optional Create address objects for the network components you want to protect with IDP These components can be routers servers work...

Page 99: ...have configured basic security device settings such as assigning interfaces to zones setting the administrative password and configuring default routes For details about configuring these settings see...

Page 100: ...a rule in the IDP rulebase the security module attempts to match the traffic against the Exempt rulebase before performing the specified action or creating a log record for the event Add the Exempt r...

Page 101: ...n the left side of the Security Policy window click the Add icon to open a default rule For rules in the IDP rulebase you define the type of network traffic to monitor the attacks to detect the action...

Page 102: ...viewing the security policy in Expanded Mode To change the view mode of a policy from the menu bar select View Show Expanded Mode View Show Compact Mode or View Show Custom Mode Configure Notificatio...

Page 103: ...ve enabled IDP on the device and installed a security policy that uses the IDP detection and prevention functionality IDP logs begin to appear in the NSM Log Viewer assuming you enabled IDP logging fo...

Page 104: ...ally has all IDP related permissions A custom role for IDP administrators might include the following permissions Attack Update Create View Edit Delete Policies Create View Edit Delete Backdoor and ID...

Page 105: ...generic NetScreen 5GT device template that you can use each time you add a device of that type Or you can apply multiple templates to the same device You can map a maximum of 63 templates to the same...

Page 106: ...y understood by your users and administrators and that still has room to grow For example you might use the naming convention city name with a naming theme of Greek mythology figures some sample devic...

Page 107: ...example Wendy Parker working in Texas on a Windows 2000 Pro laptop would see her machine name as tx_wparker_m_2kpro Creating an Information Banner Central Manager administrators and regional server s...

Page 108: ...ant to add the banner server wide and click the Edit icon as shown in Figure 11 on page 58 Figure 11 Selecting the GUI Server in Central Manager 3 Enter the customized text in the Log In Warning Messa...

Page 109: ...available to NSM users connected to the server as shown in Figure 13 on page 59 Figure 13 Information Banner Login into Central Manager The NSM user must click Yes to access the GUI server 59 Copyrig...

Page 110: ...iately available to all NSM users server wide Deleting an Information Banner This procedure assumes that a Central Manager administrator is logged onto a Central Manager client or a super user is logg...

Page 111: ...egy and how to prepare your network for NSM NSM includes many features specifically designed for managing multiple Juniper Networks devices such as device groups and templates This chapter contains th...

Page 112: ...tant if you plan to use VPNs in your network Because you can create VPNs only between devices in the same domain be sure to add the devices you want to connect with a VPN to the same domain About Role...

Page 113: ...se multiple domains to segregate large geographically distant networks into locally managed sections Permission Structure Use multiple domains to segregate critical devices and systems from less impor...

Page 114: ...ed with security policies Administrator Types Many organizations have different types of administrators for different roles within the company Each organization has a unique vision for the granularity...

Page 115: ...ive Management A management administrator creates administrators and manages their permissions The super administrator creates a management administrator to delegate administrator management For examp...

Page 116: ...more customer subdomains enabling the customer administrator to handle multiple customer networks without access to the CNM internal network Additionally the super administrator can create a role str...

Page 117: ...dministrator permissions in only one subdomain create the administrator in that subdomain Configuring General Settings To create an NSM administrator account click the Add icon in the Administrator ta...

Page 118: ...ooks at the local database to find the user and then if no match is found to the RADIUS server You can also define the role assignment for each user directly from the RADIUS server NOTE You must confi...

Page 119: ...S vendor specific attribute VSA is available to allow vendors to support their own extended attributes If you use a RADIUS server other than Steel Belted RADIUS you must enter the following NSM attrib...

Page 120: ...dministrator Read Only System Administrator System Administrator Predefined roles do not belong to any domain The format for predefined roles is DomainName1 predefined role name DomainName1 is the dom...

Page 121: ...must configure the role mapping list for each user on the RADIUS server Figure 15 on page 71 through Figure 21 on page 73 show examples of assigning predefined and custom roles through RADIUS All exam...

Page 122: ...d1 With a Custom Role r1 Create the custom role r1 in the subdomain d1 Figure 19 Assigning Multiple Roles to a User in Global Domain Roles r1 and r2 are the custom roles assigned to the user Copyrigh...

Page 123: ...1 Assigning Roles Defined in Domain global The user role r1 is defined in global domain but the user has access to only a subdomain d1 and therefore gets a the global role r1 Figure22 AssigningRolesDe...

Page 124: ...or or to create administrators when your organization s existing permission structure maps closely to the permissions defined in the default role All roles default and custom are created from activiti...

Page 125: ...ss profiles across security policies that are assigned to J Series Services Routers and SRX Series Services Gateways managed by NSM View Create Edit Delete Access Profile Objects An admin role defines...

Page 126: ...s on your network The information stored in an authentication server determines the privileges of each administrator Create Delete Edit View Authentication Server Updates the pattern file on the devic...

Page 127: ...vice troubleshooting commands debug exec and get Edit View Custom Troubleshoot Commands Known targets and sources of attacks or suspected targets and sources of attacks can be added to source or desti...

Page 128: ...sical device and the modeled device configuration in NSM View Device Delta Config The device firmware is the software image used on the managed device Update Device Firmware A device log comment is a...

Page 129: ...mation such as networking settings interface settings or DNS settings View Create Edit Delete Devices Device Groups and Templates Deep Inspection DI attack objects contain attack patterns and protocol...

Page 130: ...Edit View Group Expressions GPRS Tunneling Protocol GTP objects applied to a security policy rule enable a security device to manage GTP traffic If a GTP packet matches the rule the device attempts t...

Page 131: ...ative Log Reports This activity allows an administrator to manage IP pools An IP pool object contains IP ranges a range of IP addresses within the same subnet You use IP Pool objects to assign IP addr...

Page 132: ...tics you must enable NSRP Monitor in the NSRP properties for each cluster device View NSRP Monitor Allows an administrator to manage permitted objects You configure permitted objects in Profiler consi...

Page 133: ...defines the DNS and WINS servers that are assigned to L2TP RAS users after they have connected to the L2TP tunnel You can use remote settings objects in an L2TP VPN and when configuring a local user o...

Page 134: ...objects represent the IP traffic types for existing protocol standards Create Delete Edit View Service Objects A shared historical log report is a user defined historical log report that is available...

Page 135: ...ined by SurfControl Update System UrlCategory Allows an administrator to perform template operations N A Template Operations Allows an administrator to manage threats to the network through the creati...

Page 136: ...ables a system administrator to configure the resource limits for a vsys device by creating or editing a vsys profile and assigning it to the vsys device Create Delete Edit View VSYS Profile Objects A...

Page 137: ...run the Import Admin directive A new role Export Import Device Config to File has been created to allow permission to run the Export Device Config To File and Import Device Config From File directive...

Page 138: ...istrator the activity or role is not visible in the list of available activities or roles Within a domain you can view only the custom roles that you have created or that have been assigned to you You...

Page 139: ...tion includes the following columns Home Domain The name of the domain in which the administrator was created Admin Name The name of the administrator who is logged in Status Whether a user has been a...

Page 140: ...log out from his own session Server resources such as the GUI Server connection to a client and a port are freed In a central or a regional server setup forced logout applies only to a server The admi...

Page 141: ...the co location facility and provide read only permission for customers to view log entries and generate reports No VPNs are used To configure this domain structure use the following process Create th...

Page 142: ...ries and generate reports for devices in their subdomain 1 Using the domain menu at the top of the navigation tree select the first subdomain MA_company1 NSM loads the subdomain 2 From the Menu bar cl...

Page 143: ...enables all functionality for the domain However the domain menu at the top of the navigation tree displays only the current domain restricting the domain administrator to that domain Repeat for each...

Page 144: ...Copyright 2010 Juniper Networks Inc 94 Network and Security Manager Administration Guide...

Page 145: ...PART 2 Integrating Adding Devices on page 97 Configuring Devices on page 185 Updating Devices on page 239 Managing Devices on page 261 95 Copyright 2010 Juniper Networks Inc...

Page 146: ...Copyright 2010 Juniper Networks Inc 96 Network and Security Manager Administration Guide...

Page 147: ...eenOS releases 5 0r11 5 1r4 5 2r3 5 3r10 5 4r11 6 0r2 6 1r4 6 2 and 6 3 Before you can manage a device with NSM you must add the device to the management system NSM supports adding individual devices...

Page 148: ...lowing types of devices Physical devices Importing Devices on page 112 and Modeling Devices on page 130 later in this chapter provide details on how to add an existing or new device into NSM These dev...

Page 149: ...ice you must verify the device configuration Determine Device Status How you add your devices to the management system depends on the network status of the device You can import deployed devices or yo...

Page 150: ...ice This summary is known as a Get Running Config summary Managing the Device After adding a device you can manage its configuration objects and security policies in the UI You can also view traffic l...

Page 151: ...e device into NSM a new policy is automatically created using the following naming syntax device_1 Each new policy increments the name Devices are not assigned to the new policy If you reimport a devi...

Page 152: ...es NSM includes a global domain by default You can also create additional domains called subdomains that exist within the global domain Before you add the device you must select the domain that contai...

Page 153: ...use the Activate Device wizard You can import or model device configurations from a device running ScreenOS 5 0 x or later except 6 0r1 IDP 4 0 or later Junos 9 0 or later SA 6 2 or later or IC 2 2 o...

Page 154: ...SM no longer supports devices running 4 x or earlier versions of ScreenOS If you are not running a supported version you must upgrade your devices before adding them into the management system Contact...

Page 155: ...ch is bound to the Trust security zone Home Work Port Mode Home Work mode binds interfaces to the Untrust security zone and to Home and Work security zones The Home and Work zones enable you to segreg...

Page 156: ...primary interface See Figure 27 on page 106 for port interface and zone bindings Figure 27 Dual Untrust Port Mode Bindings This mode provides the following bindings Binds the Untrusted Ethernet port t...

Page 157: ...y interface to the Untrust security zone Binds the Ethernet ports 3 and 2 to the ethernet2 interface which is bound to the Home zone Binds Ethernet port 1 to the ethernet1 interface which is bound to...

Page 158: ...serial interface which you can bind as a backup interface to the Untrust security zone Trust Untrust DMZ Extended Mode Trust Untrust DMZ Extended mode binds interfaces to the Untrust Trust and DMZ se...

Page 159: ...ScreenOS 5 1 and later See Figure 31 on page 109 for port interface and zone bindings Figure 31 DMZ Dual Untrust Port Mode This mode provides the following bindings Binds the Ethernet ports 1 and 2 to...

Page 160: ...ome Work Mode Trust Untrust Mode Port Zone Interface Zone Interface Zone Interface Untrust ethernet3 Untrust ethernet3 Untrust Untrust Untrusted Trust ethernet1 Work ethernet1 Trust Trust 1 Trust ethe...

Page 161: ...Supported Add Device Workflows by Device Family Table 22 on page 111 summarizes the methods or workflows you can use to add devices from each supported device family Table 22 Supported Add Device Work...

Page 162: ...0 or later SA 6 2 or later or IC 2 2 or later When importing from a device the management system connects to the device and imports Data Model DM information that contains details of the device config...

Page 163: ...NACN The device must be operating in the desired port mode You cannot change the operational mode after importing the device into NSM Port modes apply only to some ScreenOS devices Adding and Importi...

Page 164: ...ected device name within the device from its config editor page in NSM and select Update device If you modified the device host name through the Junos OS CLI SNMP or J Web interface you can modify the...

Page 165: ...n the Add Device wizard 4 Select Device Is Reachable default 5 Click Next The Specify Connection Settings dialog box opens 6 Enter the following connection information Enter the IP Address of the Sens...

Page 166: ...ted Device Configurations on page 127 for details Junos Devices You can add any device running Junos OS an EX Series virtual chassis or an SRX virtual chassis to NSM using the static IP address method...

Page 167: ...nager to view the imported configuration To check the device configuration status mouse over the device in Device Manager or check the configuration status in Device Monitor The device status displays...

Page 168: ...ith Dynamic IP Addresses A dynamic IP address is an IP address that changes To add a device that uses a dynamic IP address the device must support NACN ScreenOS Devices To import a ScreenOS device wit...

Page 169: ...connection to the physicaldevice pastethecommands andexecutethemtoenableNSMmanagement of the device 11 To check the device configuration status mouse over the device in Device Manager or check in Dev...

Page 170: ...n on the Specify Name Color OS Name Version and Platform screen Enter a name and select a color to represent the device in the UI From the OS Name list select ScreenOS IDP From the Platform Name list...

Page 171: ...s to verify the imported configuration using the Device Monitor or the Device Manager See Verifying Imported Device Configurations on page 127 for details Adding and Importing an Infranet Controller o...

Page 172: ...and create a new NSM agent administrator realm for the NSM agent on the device Use role mapping to associate the NSM agent role and realm Do not apply any role or realm restrictions for the NSM agent...

Page 173: ...he device Make a note of this password The device administrator will need it to configure the connectivity with NSM NOTE All passwords handled by NSM are case sensitive d Click Finish to complete the...

Page 174: ...ged OS version when adding the device into NSM Delete the device from NSM and add it again using the correct managed OS version 2 Import the device configuration a Right click the device in the Device...

Page 175: ...latform screen Enter a name and select a color to represent the device in the UI From the OS Name list select Junos The Junos OS Type list appears Select the Junos OS type for the device you want to a...

Page 176: ...ible and has the connection status Never connected 8 Give the unique external ID and the one time password to the device manager Configure and Activate Connectivity on a Junos Device The device admini...

Page 177: ...List verify the connection status of the newly added device The status changes from Never connected to Up If the configuration status is device platform mismatch you selected the wrong device platfor...

Page 178: ...g a NetScreen 500 5000 series or ISG series security device you must manually configure the network module slot before the imported physical interfaces appear in the NSM UI For details on defining the...

Page 179: ...ou the differences between the configuration you see in the NSM UI and the configuration on the physical device To get a delta configuration summary from the Device Manager launchpad click Summarize D...

Page 180: ...evices Using CSV Files on page 168 Requirements To model a device you must know the device type and OS name and version that is running on the device To activate a device You must have the device conn...

Page 181: ...es select the appropriate port mode from the Device subtype list after you select the device type NSM automatically sets the license mode to Extended 8 Enable transparent mode if desired ScreenOS devi...

Page 182: ...address 1 Check the device configuration state by holding your mouse cursor over the device in Device Manager or by checking the configuration status in Device Monitor The device configuration state s...

Page 183: ...device configurationstatus shoulddisplay Modeled indicating that the management system is waiting for the device to be activated 2 Right click the device and select Activate Device to display the Act...

Page 184: ...words handled by NSM are case sensitive 5 Click Next The Verify Device Authenticity dialog box opens The device wizard displays the RSA Key FingerPrint information To prevent man in the middle attacks...

Page 185: ...ent and set the management IP address to the Device Server IP address enable the Management Agent set the Unique External ID and set the device OTP Copy and paste these commands into a text file and t...

Page 186: ...ive rights 2 Activate the device in NSM a In Device Manager right click the device and then select Activate Device from the list b In the Activate Device dialog box select Device is deployed but not r...

Page 187: ...g services netconf device id external id from nsm nsm device server ip port 7804 For example set system services outbound ssh client nsm wei secret 123456789 services netconf device id abcdef 10 150 4...

Page 188: ...e When the job status displays successful completion click Close Using Rapid Deployment ScreenOS Only Rapid Deployment RD enables deployment of multiple security devices in a large network environment...

Page 189: ...has successfully connected to the management system the NSM administrator installs the modeled device configuration on the physical device The onsite administrator works locally at the physical devic...

Page 190: ...age 143 Updating the Device Configuration on page 145 Creating the Configlet After you have created a device configuration for the undeployed device you are ready to activate the device and create the...

Page 191: ...rcuit Logical Link Control LLC carries several protocols to be carried on the same ATM virtual circuit This option is the default for the ADSL1 interface on the NetScreen 5GTADSL security device RFC14...

Page 192: ...e configlet 11 Click Finish to close the Activate Device wizard 12 Send the configlet to the onsite administrator using email CD or another out of band method The onsite administrator must complete th...

Page 193: ...ernet cable to connect to the device 3 Change the IP address of the standalone computer to 192 168 1 2 and the default gateway to 192 168 1 1 To change an IP address see your computer s operating syst...

Page 194: ...IP via PPPoE Enter the username and password for your PPPoE account If your firewall device uses a static IP address select Using ISP supplied Settings Static IP and enter the IP address Netmask and...

Page 195: ...fig on a device before you update the device You can cancel the Update Device directive as well as save the SummarizeConfig output The UpdateDevice has the following two phases Summarize Delta Config...

Page 196: ...d devices 3 Select two devices you want to update 4 Deselect Run Summarize Delta Config if selected and then click Apply Changes NSM displays the updated device job results for both devices Example Us...

Page 197: ...devices in the global domain and one or more subdomains add the root device to the global domain To add vsys devices in a single subdomain add the root device to that subdomain An example is shown in...

Page 198: ...matically imports the selected vsys configurations and the new vsys devices appear in the Device Manager list 7 To check the device configuration status mouse over the vsys in Device Manager or check...

Page 199: ...ice The name can contain letters and numbers and can be no longer than 20 characters In the Domain field select the domain in which to model the device The wizard automatically completes the device ty...

Page 200: ...oot system When modeling an L2V root ensure that the ScreenOS version is set to 5 0L2V and the operating mode is set to Transparent By default the root system is modeled as a neutral vsys enabling you...

Page 201: ...tion settings enabling a device to handle traffic for another if one device fails Adding a cluster is a two stage process 1 Add the cluster device object 2 Add the members of the cluster to the cluste...

Page 202: ...ter members have been added to the cluster device object before configuring the cluster By default the cluster propagates settings made in one device member to the other device member However the foll...

Page 203: ...franet Controller cluster nodes can be recognized by NSM Nodes from this cluster that subsequently contact NSM will be represented by fully functional member icons in the Cluster Manager Cluster membe...

Page 204: ...h NSM 5 Import the cluster In the Device Manager open the cluster icon right click on one cluster member and select Import Device from the list You do this only once and for the entire cluster because...

Page 205: ...o import the configuration only once because both members share the same configuration file Similarly to update the configuration on the cluster you need to push the configuration to only the primary...

Page 206: ...SRX Series as the Junos OS Type Provide the platform and managed OS version The Junos OS type platform and OS version must match those on the physical devices 3 In NSM add each cluster member Right c...

Page 207: ...one Junos device except that you must specify a member ID and you also have the option of adding a second modeled cluster member within the same workflow You can add the second cluster members later i...

Page 208: ...of three major steps Adding the Cluster on page 158 Adding the Cluster Members on page 159 Importing the Cluster configuration on page 160 Adding the Cluster Add a new cluster to NSM as follows 1 Sel...

Page 209: ...need it to connect the device to NSM h Check the Keep Adding Cluster Members box to add another cluster member The Finish button changes to the Next button i Click Next and repeat the process for the...

Page 210: ...ce from the list NSM starts a job to import the configuration A job window reports the progress of the job When the job finishes the configuration status for each cluster member changes from Import Ne...

Page 211: ...mber ID as 0 Figure 35 Adding the First Member to a J Series Cluster 4 Click Next to finish adding the first member A plus sign appears next to the cluster icon in the Device Manager indicating that t...

Page 212: ...M administrator 2 In NSM activate each cluster member as follows a Expand J Cluster in the Device Manager to show the icons for each of the cluster members b Right click the cluster member icon J 1 in...

Page 213: ...and later versions of the operating system use the following command syntax set system services outbound ssh client name secret secret string services netconf device id external id from nsm nsm device...

Page 214: ...anaged Adding a Vsys Cluster and Vsys Cluster Members A vsys cluster is a vsys device that has a cluster as its root device Adding a vsys cluster is a three stage process 1 Add a vsys device that uses...

Page 215: ...A and OfficeB as shown in Figure 38 on page 165 As you add each cluster member NSM automatically creates both the cluster member and the vsys cluster member Figure 38 Configuring Cluster Members for P...

Page 216: ...main Click Next to continue d Configure the vrouter for the vsys as the Default Vrouter and then click Next to continue e Click Finish to add the new vsys cluster device In the security device tree th...

Page 217: ...evices when they are added into NSM For example when a device at IP address 10 204 32 155 is added to NSM its name will be USA_10 204 32 155 Check the Use Host Name if Available checkbox if you want t...

Page 218: ...ices at a time to a single domain you cannot add multiple devices to different domains at one time Additionally for some types of ScreenOS devices you can create configlets to activate rapidly your ne...

Page 219: ...separate CSV file for the following devices Devices with static IP addresses In this CSV file you define the device parameters required to add and import the device configurations from all supported...

Page 220: ...e bulkadd_ipreachable sample csv or bulkadd_ipreachable DMIDMI sample csv from the C Program Files Network and Security Manager utils directory 2 Using one row for each device you want to add enter th...

Page 221: ...t ns5GTadsl Extended ns5XP ns5GTadslwlan Extended ns5GTadslwlan Home Work ns5Gtadslwlan Trust Untrust ns5Gtwlan Extended ns5Gtwlan Dmz Dual Untrust ns5Gtwlan Combined ns5Gtwlan Home Work ns5Gtwlan Dua...

Page 222: ...name IC IC 4000 IC 4500 IC 6000 IC 6500 yes String Platform continued Set to none yes String Device subtype With OS name ScreenOS see Table 7 on page 13 for a list of OS versions that apply to each S...

Page 223: ...if desired 3 Save the file to a location on your local drive Example Using a Text File to Add Multiple Dynamic IP Devices To add four devices that use dynamic IP addresses create a text file with the...

Page 224: ...ction type is static String Device IP Address 8 24 28 32 Any valid netmask in CIDR format yes when connection type is static String Device Netmask yes when connection type is static String Device Gate...

Page 225: ...2 off Save the file as a csv file Validating the CSV File When you add the device NSM validates the configuration information in the csv file and creates a Validation Report The report lists any incor...

Page 226: ...dd Many Devices process Select Add Valid Devices to begin adding the devices for which you have provided valid device configurations The Add Device wizard adds the valid devices and automatically impo...

Page 227: ...ce wizard Select Model Device Specify the location of the CSV file 5 Click Next The Add Device wizard validates the CSV file and provides a Validation Report Select Cancel to quit the Add Many Devices...

Page 228: ...UI 5 Send the cfg file to the onsite administrator for the corresponding device After the onsite administrator installs the configlet on the physical security device the device automatically contacts...

Page 229: ...in any configlet file run the Activate Many Device wizard to regenerate the configlet 5 Send the cfg file to the onsite administrator for the corresponding device After the onsite administrator insta...

Page 230: ...late to a device group You must apply templates to individual devices in a device group If you need to apply the same set of templates to multiple devices you can create a single template that include...

Page 231: ...Authorization Server Object on page 181 Avoiding NACN Password Conflicts on page 183 Avoiding Naming Conflicts of the Authorization Server Object To avoid naming conflicts with the authorization serv...

Page 232: ...devices b Right click each Infranet Enforcer firewall device in turn and select Delete from the list 5 On NSM delete the infranet instances from the Object Manager a Select Object Manager Authenticati...

Page 233: ...to add and import the device e Repeat steps b through d for each Infranet Enforcer device Avoiding NACN Password Conflicts When you need to manage the Infranet Enforcers reimport the configuration eac...

Page 234: ...Copyright 2010 Juniper Networks Inc 184 Network and Security Manager Administration Guide...

Page 235: ...he managed device for your changes to take effect For details on updating devices see Updating Devices on page 239 Use security policies to configure the rules that control traffic on your network For...

Page 236: ...overview of each of these device families and lists of supported platforms and operating system versions Most devices can be configured using the following interfaces Native Web UI Native CLI NSM UI...

Page 237: ...29 Configuration Features You can edit the device object configuration through the device editor or you can use templates or configuration files to simplify configuration NOTE These features edit only...

Page 238: ...ration Groups Configuration groups are similar to device templates in that you define configuration data to be used multiple times In configuration groups the configuration data is used within the sam...

Page 239: ...and Configuration Tabs The Device Info tab contains information maintained in NSM This information can neither be imported from the device nor is it ever pushed to the device by an Update Device dire...

Page 240: ...device families Figure 41 on page 190 shows an example Figure 41 ScreenOS and IDP Device Configuration Information Validation and Data Origination Icons The device editor might display some of the ic...

Page 241: ...guration group Changes to the configuration group are also shown in the device editor Configuration Group Values Lowest A value is set for a field in a template or configuration group definition This...

Page 242: ...our changes and continue making changes Click Cancel to discard all changes and close the device configuration To reset a device feature to its default value right click on the feature name in the dev...

Page 243: ...s Guide and IDP ACM Help for more information Configuring functions that require device administrator intervention such as Secure Command Shell SCS and Secure Shell SSH client operation Executing debu...

Page 244: ...nterfaces In this example the view is of the Network Settings screen Figure 43 Secure Access Device Object For details about configuring Secure Access devices see the Configuring Secure Access Devices...

Page 245: ...ly as shared objects and then link to those objects from the stubs in the device configuration See Managing Large Binary Data Files Secure Access and Infranet Controller Devices Only on page 271 for d...

Page 246: ...configuration information across multiple devices In a template you need define only those configuration parameters that you want to set you do not need to specify a complete device configuration Temp...

Page 247: ...hich enhances the usability of the template If template categories are not selected the default display is a full tree view You can also view the associated template categories in the Device Template...

Page 248: ...er Device Templates 2 Click the Add icon in the Device Template Tree or the Device Template List and select ScreenOS IDP Template from the list The New Device Template dialog box displays the template...

Page 249: ...h as device platform or release version Applying the Template Apply the template as follows 1 Ensure that the device you want to apply the template to has been added or modeled in the management syste...

Page 250: ...d values override values inherited from the template so that the effective device object configuration matches the device The live relationship with the template is preserved however so that reverting...

Page 251: ...dden value a tool tip message appears showing the name of the template whose value has been overridden Figure 46 Template Override Icon For values inherited from the template the message From template...

Page 252: ...sage appears If the template specifies a field that the device supports but the value is outside the permitted range for the device a validation message appears in the Device dialog box A template val...

Page 253: ...configuration screen appears d Click the Add icon in the Zone configuration screen and select Pre Defined Security Zone trust untrust dmz global The Predefined Zone dialog box appears NOTE Because the...

Page 254: ...g box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 48 on page 204 Figure 48 View Denial of Service Defense Values from DoS Templat...

Page 255: ...een 208 device a In the navigation tree select Device Manager Devices Double click the NetScreen 208 device icon to open the Device dialog box b Select Info Templates in the device navigation tree Cli...

Page 256: ...e untrust Predefined Zone dialog box appears b Select Screen Denial of Service Defense and review the values applied by the template as shown in Figure 51 on page 206 Although both the DoS and DoS2 te...

Page 257: ...ot a template by moving the cursor over the field name The message From object appears as shown in Figure 54 on page 207 Figure 54 View Default SYN ACK ACK Proxy Protection Setting Template Limitation...

Page 258: ...When creating or editing predefined interfaces in a template you must use the exact name for each interface When adding an entity in a template ensure that the menu option you select is appropriate fo...

Page 259: ...is not significant to you To specify a sequence in which the list or table entry order matters select the entry in the template and then use the up and down arrows at the top of the dialog box The up...

Page 260: ...e are reversed D1 D2 T2 T1 Now consider what happens when you reimport the configuration from the device To preserve the relationship between the template and the device object the T1 and T2 entries m...

Page 261: ...applies the new template order for the subsequence to the device Entries added in a template are placed in the same sequence in the device that is an entry follows the entry in the device that precede...

Page 262: ...e 3 The following example shows entries inserted into the list on the device such that there is no matching subsequence The user then reorders the entries in the template C B A Template Sequence C 2 B...

Page 263: ...nd The same rule still applies After D C B A Template Sequence 2 1 D C B A Device Sequence Example 2 In the following example the device has reordered the entries that it inherited from the template T...

Page 264: ...reen highlights in the first data column indicate that entries in the regular configuration are not in the order specified in the template NSM finds the longest common subsequence between the template...

Page 265: ...er of its neighbors in the template NOTE If multiple subsequences tie for the longest common subsequence then NSM picks either one but not both NSM recomputes the longest common subsequence each time...

Page 266: ...mine which set of templates and devices to show Select Devices Section In this section select one or more devices for template operations Select Template Section Select one or more templates to apply...

Page 267: ...an templates previously assigned to the device Values in these templates will override values applied by lower priority templates Remove templates Removes all selected templates from each selected dev...

Page 268: ...orts any errors Template Operations Box Recommended Workflow The Template Operations dialog box can be used in many ways This section describes one recommended workflow Step 1 Look at the Effect of Pl...

Page 269: ...nerated in Step 1 Resolve any conflicts missing assignments or other errors as desired Repeat steps 1 and 2 until you are satisfied with your planned changes Step 3 Apply Templates and Clear Overrides...

Page 270: ...1 From the Device Manager launch pad select Export Import and then select Export Device Template to File 2 In the Export Config to File dialog box select the template you want to export and then clic...

Page 271: ...up mechanism is separate from the grouping mechanisms used elsewhere in the Junos configuration such as Border Gateway Protocol BGP groups Configuration groups provide a generic mechanism that can be...

Page 272: ...evice Manager and select the Configuration tab 2 In the configuration tree select Config Groups List 3 Click the Add icon and select Regular The New dialog box appears It looks like the device configu...

Page 273: ...223 Mouse over the icons to see a summary of what has been set and where the information came from Figure 60 Adding a Configuration Group 6 Click OK to save the configuration group The new configurati...

Page 274: ...Consider a configuration group containing the following list of interface definitions specified in the order shown For each list item the first entry is the interface name and the second an assigned...

Page 275: ...roup in the list has the highest priority This convention is the reverse of the ordering for templates where the last template in the list has the highest priority Figure 62 Configuration Group Applie...

Page 276: ...ups After you apply the configuration group tooltip icons identify where configuration groups have affected the configuration You can mouse over these items to display information about them When you...

Page 277: ...d Consider two configuration groups J and K Configuration group J contains the following list items in the stated order c a b Configuration group K contains the following list items in the stated orde...

Page 278: ...roup data For simplicity we recommend that you use either templates or configuration groups for each part of the configuration but not both Avoid applying a configuration group in a device object to p...

Page 279: ...n and select Junos Template c From the Junos Product Series list select Junos J Series to create a new template for J Series devices d Click Next and then Finish to create a new template for J Series...

Page 280: ...to 0 the port range to 0 1 and click OK The new interfaces show in the Interface List for the template d Set the MTU for fe 0 0 0 to 6K i Click on the fe 0 0 0 interface in the Interface List and cli...

Page 281: ...to the device 7 Check the device object configuration a Select the Configuration tab b Expand Interfaces if necessary and click Interface List c fe 0 0 0 has an MTU of 5120 because the regular config...

Page 282: ...ber you can view its configuration In the Info tab of the open cluster select Members Icons representing the members of the cluster appear in the main display area Select the cluster member you want t...

Page 283: ...ase of management we recommend placing all your member specific configuration data in one configuration group for each member You can apply multiple configuration groups to each member NOTE Imported c...

Page 284: ...Features configured in these special Routing Engine configuration groups appear only in the Routing Engine configuration to which they were applied They do not appear in the global configuration regar...

Page 285: ...ct Device Manager Devices 2 In the Device Tree double click the Junos router with redundant Routing Engines 3 In the Info tab of the device editor select Routing Engine Configuration 4 Double click on...

Page 286: ...thers are backups If the master fails one of the backup routers becomes the new master providing a virtual default router and ensuring that traffic on the LAN is continuously routed The NSM implementa...

Page 287: ...terface follows the naming conventions of the NSRP VSI interface and is defined as interface group id You must select a group id between 1 and 7 To enable VRRP from the Physical Interface screen of th...

Page 288: ...he confirmation prompts NSM launches a job that updates the device with the selected configuration file Importing or Viewing the Current Version of the Configuration File Select Config File Management...

Page 289: ...tion to the management server This chapter contains the following sections About Updating on page 239 Knowing When to Update on page 244 Using Preview Tools on page 248 Performing an Update on page 25...

Page 290: ...essful update These tools include Audit Log Viewer This NSM module records changes made to a device configuration The audit log entry also identifies the administrator who performed the change shows w...

Page 291: ...o differences between the new configuration and the old configuration on the device you have successfully updated the running configuration About Atomic Configuration ScreenOS Devices NSM uses atomic...

Page 292: ...n is enhanced Atomic updating also enables the device to temporarily lose connection to NSM during the update process If the management connection is down when the device has finished executing the co...

Page 293: ...to reconnect are unsuccessful for two hours the update timer expires and the device automatically resets The device unlocks the active configuration and restores the saved active configuration the dev...

Page 294: ...NSM To synchronize the configuration data NSM imports the configuration after the update If an Update Device directive causes implicit configuration changes on one or more devices each device reports...

Page 295: ...tor displays the current status of the device Up status The device is connected to the Device Server and is running properly Before you can update a device it must be in the Up state Down status An ev...

Page 296: ...sical device configuration the configuration on the physical device is newer than the modeled configuration To synchronize the two configurations import the configuration from the physical device Mana...

Page 297: ...evice type and OS version IP address domain the Attack Db version if it is a Firewall IDP device and the connection and configuration states To manually verify the configuration status for devices For...

Page 298: ...ger to determine when you are receiving too many attacks of a certain type and order them by an IP address For example if you determine that the current device configuration and security policy cannot...

Page 299: ...ommands run a configuration summary 1 From the launchpad select Devices Config Options Summarize Config The launchpad displays the Summarize Config dialog box 2 Select the devices or device groups for...

Page 300: ...h the modeled configuration you might want to identify and verify the configuration you are installing on the device After updating Ensure that the device received the configuration as you expected an...

Page 301: ...251 Figure 66 Delta Configuration Summary Example Occasionally the delta configuration report might display discrepancies that do not actually exist between the running configuration and the modeled...

Page 302: ...evices vsys devices clusters virtual chassis or device groups using the same process Before updating Ensure that you have configured the device correctly created and assigned a policy to the device an...

Page 303: ...ing any out of band changes made enable the option Do not Update If Device Has Changed Configuring Update Options You can configure device update and retry options on a systemwide basis in the UI pref...

Page 304: ...e Manager and select Update Attacks When disabled the update options dialog box does not appear for single device updates initiated from the Device Manager Alternatively to disable from within the per...

Page 305: ...ns in the NSM UI including the Devices and Tools menus in the NSM toolbar to access the Update directive from the File menu select Devices Configuration Update Device Configuration The Job Manager mod...

Page 306: ...d on a single device For multiple device updates Job Manager tracks the progress of each job on each device in addition to the overall progress for all devices To view the Job status for an individual...

Page 307: ...Passwords By default only the super administrator has this assigned activity Device States During Update During an update the managed device changes device state You can view the current device state...

Page 308: ...plays the Job Status as Failed You can also check the Connection Status and Configuration Status columns for the device in the Realtime Monitor to determine whether the device is running After a devic...

Page 309: ...ation Generated 5 Delta Config CLI Commands Specifically the update could not set the command pppoe name untrust clear on disconnect The delta configuration summary correctly detected a difference bet...

Page 310: ...Copyright 2010 Juniper Networks Inc 260 Network and Security Manager Administration Guide...

Page 311: ...e added to NSM without the need to upgrade NSM This feature applies only to devices with XML based schemas This chapter contains the following sections Managing Device Software Versions on page 262 Ma...

Page 312: ...er from the menu bar The Software Manager lists all software image files in the repository To add the one you just downloaded click the Add icon navigate to the software image file you just downloaded...

Page 313: ...8 a NetScreen 50 and a NetScreen 5XP at the same time but the image files for each device type must exist on the Device Server and must be the same OS version When a new version of Junos is installed...

Page 314: ...e NSM If the software version of a device is upgraded outside NSM through the device CLI or Web UI NSM behaves differently depending on whether the upgraded software version is published and whether i...

Page 315: ...upgrade by NSM See Upgrading the Device Software Version on page 262 To reconcile the OS versions right click a device and select Adjust OS Version to display the Adjust OS Version Wizard Follow the...

Page 316: ...ice support The directive performs the following actions Performs an Adjust OS Version from the previously known ScreenOS version to the new version of ScreenOS running on the selected devices Optiona...

Page 317: ...ickly view all license keys installed on a device and the features and capacities available on the device To import or view license key information 1 In the main navigation tree right click the device...

Page 318: ...is upgraded through the Web UI or CLI new software packages are installed or a new license key is installed on the device then the inventory on the device is no longer synchronized with the NSM datab...

Page 319: ...le how many VPNs a license supports how many licensed units are already in use and how many more are needed The license details include the key name or ID of the license the date the license was creat...

Page 320: ...ry changes to Out of Sync in the Device List the Device Monitor and the device tooltip and the Reconcile button in the Device Inventory window becomes active 4 When you have finished viewing the diffe...

Page 321: ...d Infranet Controller devices are handled differently from the remainder of the configuration in NSM The size of some of these binary files could make configurations large enough to overload resources...

Page 322: ...ata file and linking that file into the Secure Access or Infranet Controller device configuration tree Subsequent sections provide details about each type of large binary data file To upload and link...

Page 323: ...evice to open the device editor and then select the Configuration tab b Navigate to the node in the configuration where you want to load the binary file For example to load an ESAP package expand Auth...

Page 324: ...ry data list by clicking the Add icon The Binary Data dialog box appears as in step 3 d Click OK to save the newly configured links Importing Custom Sign In Pages The customized sign in pages feature...

Page 325: ...gn in Pages and then click the Add icon in the right pane 6 Enter a name for the access page 7 Select Custom Sign in Pages 8 Select a shared binary data object from the Custom Pages Zip File list 9 Cl...

Page 326: ...In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication 3 Select Endpoint Security 4...

Page 327: ...the link and again to save the configuration Importing Third Party Host Checker Policies For Windows clients you can create global Host Checker policies that take a third party J E D I DLL that you up...

Page 328: ...ow these steps 1 In the Device Manager double click the Secure Access or Infranet Controller device to open the device editor and then select the Configuration tab 2 Expand Authentication 3 Select End...

Page 329: ...files to NSM shared objects Archive files can contain Java applets and files referenced by the applets Within the zip cab or tar file the Java applet must reside at the top level of the archive To ens...

Page 330: ...ole Options tab select a shared binary data object from the Citrix Client CAB File list 6 Click OK to save the configuration Backing up and Restoring SA and IC Devices NSM allows you to create multipl...

Page 331: ...ces to which you want to restore the backup version and click OK Backing up multiple SA or IC Devices To create backup versions of the data in multiple IC or SA devices 1 Select Devices Configuration...

Page 332: ...e the backed up version from the NSM database NOTE The backup and restore feature is available in the NSM UI on root clusters but not on cluster members However when the backup restore operation is pe...

Page 333: ...IP is not reachable 1 Click Next The Specify the connections settings dialog box opens 2 Specify the First Connection One Time Password OTP that authenticates the device 3 Edit the Device Server Conne...

Page 334: ...2 User Name text box to enter user name search string By default this will be You can specify any regular expression string here 3 Sort on drop down list box to select the name of the field to sort o...

Page 335: ...ly paid subscription To register your product go to www juniper net support After you have registered your product you can retrieve the service subscription To obtain the subscription for a service 1...

Page 336: ...nload new attack objects from the server To update a managed device with new DI attack objects you must first obtain a DI subscription for your device For details see Activating Subscription Services...

Page 337: ...P zip Download the file to your local disk Do not change the filename 4 Put both files in a local directory on the NSM GUI Server or on an internal Web server that is reachable by the NSM GUI Server 5...

Page 338: ...oaded manually To load the attack object database update to your managed devices 1 From the Device Manager launchpad select Security Updates Update Device Attack Database or from Devices in the menu b...

Page 339: ...IDP rules for the device from the GUI Server to the device For a security policy that uses DI attack objects NSM pushes all updated signatures from the GUI Server to the device Verifying the Attack O...

Page 340: ...en you update the device configuration on a device you must also update the database on the managed device to match the version of the database on the GUI Server if the version on the GUI Server is mo...

Page 341: ...eries devices Automatic updates to the IDP engine occur when you Upgrade security device firmware The upgraded firmware includes the most recent version of the IDP engine as well as a new version of S...

Page 342: ...mary 3 Click Cancel to exit the Attack Update Manager Scheduling Security Updates For security devices running ScreenOS 5 0 0 IDP1 5 1 and later and IDP 4 0 and later J Series devices SRX Series devic...

Page 343: ...ng unexpected changes To handle unconnected devices during the update you must also specify additional post action options shown in Table 30 on page 293 Table 30 Scheduled Security Update SSU Command...

Page 344: ...tils guiSvrCli sh update attacks post action update devices skip Scheduling the Update You can perform a one time security update using guiSvrCli sh directly or you can use crontab or another scheduli...

Page 345: ...ing the update the guiSvrCli utility updates its the attack object database then performs the post actions After updating and executing actions the system generates an exit status code of 0 no errors...

Page 346: ...Admin Name Domain The administrator name for security update is guiSvrCli and the domain is Global entry appears as guiSvrCli Global Action The action appears as Scheduled Attack and Device Update To...

Page 347: ...ecurity device you want to contact SurfControl 2 In the Device Manager launchpad select Security Updates Update System Categories This option updates the NSM management system predefined categories fr...

Page 348: ...fied by the device and not by NSM Invoking the Launch Telnet menu item causes the Telnet window to appear even if the Telnet service is not enabled in the device The Launch Telnet menu is disabled if...

Page 349: ...ries it connects to the previously configured DNS server to perform a lookup of each entry in its table To direct one or more devices to refresh their DNS table entries 1 From the Device Manager launc...

Page 350: ...forms asset recovery Sets the device to FIPS mode Resets the device to its default settings Updates the OS Loads configuration files After you change the root administrator login and password only per...

Page 351: ...to send a device back to the factory and replace it with a new device you can set the device to the RMA state This state allows NSM to retain the device configuration without a serial number or connec...

Page 352: ...ws you to upgrade the firmware version in the physical device before RMA After upgrading NSM puts the device in the Update needed state NOTE The current OS version of the device is also stored in the...

Page 353: ...wireless security device during the device update process NOTE When using an authentication server for wireless authentication if you enable 802 1X support on that server you must also reactive the W...

Page 354: ...When you create update or import a device the GUI Server edits the ADM to reflect the changes then translates that information to the DM Data Model Schema The structure of the ADM and DM is determined...

Page 355: ...arranged similarly to objects in the management console each item VPN policy device device group and so on is represented by an object In the DM each item is a property of a single device During the d...

Page 356: ...s interfaces routing tables users and VPN rules in the DM for each device The DM contains only the VPN information that relates to the specific device not the entire VPN During the device model update...

Page 357: ...objects and object attributes in the ADM domain When you import a device configuration using the management console the device sends CLI commands to the Device Server which translates the CLI commands...

Page 358: ...es the CLI commands into a DM with device configuration information The GUI Server translates the device configuration in the DM into objects and object attributes in the ADM The GUI Server then reads...

Page 359: ...vers For details on stopping starting and restarting processes on the management system refer to the Network and Security Manager Installation Guide Archiving Logs and Configuration Data To archive lo...

Page 360: ...up and restore procedures To restore log and configuration data 1 Stop Device Server and GUI Server processes 2 Use the mv command to transfer data from the var directories to a safe location This pre...

Page 361: ...nistrator role has all the permissions necessary to manage schemas Alternatively you can define a custom role for schema management Three activities are relevant to defining such a role View Schema De...

Page 362: ...the server Choose File to retrieve the schema from an intermediary file 4 Click Next to display information about the latest schema on the source Juniper Update Server or file along with current schem...

Page 363: ...affected by the change Compare the version numbers to tell whether the staged schema is more recent than the currently running schema Check the information about the schema to determine whether you w...

Page 364: ...Copyright 2010 Juniper Networks Inc 314 Network and Security Manager Administration Guide...

Page 365: ...Configuring Voice Policies on page 527 Configuring Junos NAT Policies on page 531 Configuring VPNs on page 543 Central Manager on page 619 Topology Manager on page 625 Role based Port Templates on pa...

Page 366: ...Copyright 2010 Juniper Networks Inc 316 Network and Security Manager Administration Guide...

Page 367: ...on page 318 Configuring Address Objects on page 322 Configuring Application Objects on page 328 Configuring Schedule Objects on page 330 Configuring Access Profile Objects on page 330 Configuring Qual...

Page 368: ...evice configuration NSM automatically imports all objects defined in that configuration The Object Manager displays objects created in the current domain only When you work in the global domain all cu...

Page 369: ...affic AV Profiles define the server that contains your virus definitions and antivirus software Web Filtering Profiles define the URLs the Web categories and the action you want a security device to t...

Page 370: ...n VPN You cannot use a subdomain user object in a global domain VPN When creating a subdomain protected resource you can include a subdomain address object and a global domain service object but you c...

Page 371: ...h by unchecking unnecessary categories Right click on a shared object node for example Address Objects and select Search Unused Objects 2 Select the search categories and click Next The Unused Shared...

Page 372: ...to delete NSM displays a message that the selected objects will be deleted and a warning that the operation cannot be reversed NOTE When you select a group of duplicate objects such as an address grou...

Page 373: ...k As you add address objects they appear in the tree and table tabs Creating Address Objects You can create the following address objects Host Represents devices such as workstations or servers connec...

Page 374: ...address it displays the same address under the domain name This is an indication that a name is not configured for this address 6 Click OK to add the address object The new host address object immedi...

Page 375: ...permission to view global domain objects for the objects you are replacing then all objects for the selected category in the current domain and the global domain are displayed in the Replace With wiza...

Page 376: ...address objects into and out of address groups from the main address tree 8 Click OK to add the group You can create address object groups with existing users or create empty address object groups an...

Page 377: ...firewall policy the device will resolve the address object s hostname to the correct IP for that device as defined by its static host entry 1 In the navigation tree select Object Manager Address Objec...

Page 378: ...e either a TCP or UDP field while optionally you can configure both Port Range The type of application predefined or custom type Port Binding is required for a custom type application while it is not...

Page 379: ...pplication Type Select a predefined or custom application type from the drop down list This is a mandatory field TCP Port Binding Specify comma separated ports A range of ports is not allowed You must...

Page 380: ...day Sunday Combine a one time and recurrent schedule to define a repeated time interval Creating Schedule Objects To add a schedule object 1 In the NSM GUI navigation tree Schedule Objects The schedul...

Page 381: ...Configuring Quality of Service Profiles On SSG Series Secure Services Gateways running ScreenOS 6 3 and later you can define Quality of Service QoS profiles as objects under the Object Manager These p...

Page 382: ...0 Guaranteed bandwidth in kbps 0 1000000 in Kbit per sec The default setting is 0 5 Click OK After creating a QoS profile you can add it to a policy You cannot however delete a QoS profile after it h...

Page 383: ...can use in a DI Profile to match traffic against known and unknown attacks NOTE NSM displays a superset of all predefined DI attack objects Based on the platform and ScreenOS firmware version security...

Page 384: ...e edit or delete predefined DI attack objects or groups but you can update the attack object database with new attack objects created by Juniper Networks Updates can include New descriptions or severi...

Page 385: ...ecurity device drops a matching packet before it can reach its destination but does not close the connection Use this action to drop packets for attacks in traffic that is prone to spoofing such as UD...

Page 386: ...get definition for the period of time specified in the timeout setting and sends a Reset RST for TCP traffic to the source and destination addresses IP Close The security device logs the event but doe...

Page 387: ...ack Groups The Predefined Attack Group tab displays the following predefined attack groups All a list of all attack objects organized in the categories described below Recommended a list of all attack...

Page 388: ...efined attack objects and groups on a regular basis with newly discovered attack patterns You can update the attack object database on your security devices by downloading the new attacks and groups t...

Page 389: ...attack object information fields Attack Version information After you have selected the target platforms you must supply information about the attack version including the protocol and context used t...

Page 390: ...n can help you remember important information about the attack Severity Select the severity that matches the lethality of this attack on your network Severity categories in order of increasing lethali...

Page 391: ...mation you are ready to enter the external references Configuring External References In the External References tab enter the external references such as links to the security community s official de...

Page 392: ...objects A signature attack object uses a stateful attack signature a pattern that always exists within a specific section of the attack to detect known attacks Stateful signature attack objects also i...

Page 393: ...and count that determine when a traffic abnormality is identified as an attack The following sections detail the attack version general properties Configuring False Positives Select a false positive s...

Page 394: ...6 43 ROUTING 44 FRAGMENT 46 RSVP 47 GRE 50 ESP 51 AH 58 ICMPV6 59 NONE 60 DSTOPTS 92 MTP 98 ENCAP 103 PIM 108 COMP 255 RAW ICMP TCP and UDP Attacks that do not use a specific service might use a speci...

Page 395: ...cted to general attack contexts packet first packet stream stream 256 or line context To detect these attacks configure the service binding to match the attack service See Table 35 on page 345 Table 3...

Page 396: ...Remote Authentication Dial In User Service RADIUS Rexec rexec TCP 513 rlogin rlogin rsh rsh rtsp rtsp Server Message Block SMB TCP 25 UDP 25 Simple Mail Transfer Protocol SMTP TCP 161 UDP 161 Simple N...

Page 397: ...Protocol Anomaly Segment Out of Window is harmless and is occasionally seen on networks Thousands of these anomalies between given peers however is suspicious If you bind the attack object to multipl...

Page 398: ...y the PCRE library package which is open source software written by Philip Hazel and copyright by the University of Cambridge England Table 37 on page 348 lists some example syntax matches Table 37 At...

Page 399: ...ervice but are unsure of the specific service context select Other then select one of the following general contexts NOTE If you select a line stream stream 256 or a service context you cannot specify...

Page 400: ...detects the attack only in client to server traffic Server to Client detects the attack only in server to client traffic Any detects the attack in either direction Configuring Attack Flows Select the...

Page 401: ...bled attacks are supported only on ISG1000 with SM and ISG2000 with SM devices Type of Service Specify an operand none and a decimal value for the service type Common service types are 0000 Default 00...

Page 402: ...r Specify an operand none and a decimal value for the ACK number of the packet This number identifies the next sequence number the ACK flag must be set to activate this field Header Length Specify an...

Page 403: ...pe Specify an operand none and a decimal value for the primary code that identifies the function of the request reply ICMP Code Specify an operand none and a decimal value for the secondary code that...

Page 404: ...device identifies traffic as an attack NSM 2006 1 and later releases also support Boolean expressions for standalone IDP signatures NOTE Compound attack objects are supported by IDP capable security...

Page 405: ...all signatures and anomalies within the compound attack object before the device considers the traffic as an attack To be explicit about the events in an attack you can also specify the order in which...

Page 406: ...all members but the attack pattern or protocol anomalies can appear in the attack in random order To configure an ordered match enable Ordered Match and use the arrow keys to reorder members Or use th...

Page 407: ...do not change To add or delete an attack object from the group you must manually edit the group members A custom attack object group can contain custom attack objects and other custom attack object g...

Page 408: ...ed static groups BSD Linux Solaris and Windows The BSD group contains the predefined dynamic group BSD Services Critical to which attack objects can be added during an attack database update To create...

Page 409: ...d on their last modification date Add Recommended Filter to include only attacks designated to be the most serious threats to the dynamic group In the future Juniper Networks will designate only attac...

Page 410: ...a Add a Products filter to add attack objects that detect attacks against all Microsoft Windows operating systems b Add a Severity filter to add attack objects that have a severity level of critical...

Page 411: ...group criteria The update also reviews updated attack objects to determine if they now meet any other dynamic group criteria and adds them to those groups if necessary For all deleted attack objects...

Page 412: ...ellaneous UTM Features on page 366 ScreenOS Threat Management Features on page 368 Creating UTM Profiles A UTM profile can define more than one UTM feature You can have more than one custom feature pr...

Page 413: ...content size Mouse over the field to see a tool tip with the allowed values The allowed range is 20 20000 Set a time out period The allowed range is 1 1800 Set the decompression limit in the range of...

Page 414: ...e and edit custom profiles 3 Select in the Custom UTM AS Profiles table The New Anti Spam Profile window opens 4 Enter a name for the profile 5 Enter a comment or description 6 Select a color from the...

Page 415: ...indow opens 3 Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Select the engine type If you select Surf control Integrated set the following De...

Page 416: ...ermitted or denied by creating profiles The maximum number of characters allowed in a MIME name are 29 in a MIME entry 40 and a MIME list 1023 The maximum of user defined MIME lists is system dependen...

Page 417: ...Enter a name for the profile 4 Enter a comment or description 5 Select a color from the drop down list 6 Enter the extension types for the profile 7 Select OK Command Lists A command list defines var...

Page 418: ...rvers Configuring Antivirus Objects on page 368 Configuring External AV Profiles on page 369 Configuring Internal AV Profiles on page 370 Configuring ICAP AV Servers and Profiles on page 371 Configuri...

Page 419: ...ecify the IP address and port number of the external antivirus server that contains your virus definitions Protocols and Timeouts You must specify the protocols HTTP and SMTP that the external AV serv...

Page 420: ...llowing settings for each enabled protocol Scan Mode All Intelligent or by File Extension If you select Scan by File Extension you must populate the Ext List Include field Scanning Timeout Scans that...

Page 421: ...sign some or all of them to server groups You can then assign this server object or server group to an AV profile then assign that profile to a security policy To specify a server you will need the fo...

Page 422: ...the MIME list that will be used for comparison See Multipurpose Internet Mail Extension MIME Lists on page 366 for information on creating MIME lists SMTP tab SMTP Enable Selecting this check box in...

Page 423: ...es Custom Lists and Predefined Categories Custom Lists You can group URLs and create custom lists specific to your needs You can include up to 20 URLs in each list When you create a list you can add e...

Page 424: ...r filtering mechanism for the information reduces data redundancy in the case where all rules need to have the same e mail address associated with them and provides multiple properties for user s need...

Page 425: ...ity policy rules and will ask you for confirmation of the command Once you confirm that you want to delete the object NSM will remove all usages of the object you are deleting from the security policy...

Page 426: ...you can configure a security policy that enables a device to control GTP traffic differently based on source and destination zones and addresses action and so on You configure GTP objects in the Objec...

Page 427: ...ng the GPRS Tunneling Protocol GTP Because GSNs have a limited capacity for GTP tunnels you might want to configure the security device to limit the number of GTP tunnels created To limit GTP tunnels...

Page 428: ...PP networks enable Remove r6 IE Inspecting Tunnel Endpoint IDs You can configure the security device to perform Deep Inspection on the tunnel endpoint IDs TEID in G PDU data messages To perform Deep I...

Page 429: ...y for every two messages above the set rate limit To view GTP traffic log entries use the Log Viewer Configuring IMSI Prefix and APN Filtering You can use the IMSI Prefix and APN to restrict access to...

Page 430: ...nd that the HLR did not verify the user s subscription to the network Verified MS or Network provided APN subscription verified This Selection Mode indicates that the MS or the network provided the AP...

Page 431: ...configure the following Set Subscribers Set the number of number of subscribers that the security device actively traces concurrently The default number of simultaneous active traces is three 3 Specif...

Page 432: ...protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined service objects for most standard services You can also create custom service obje...

Page 433: ...service timeout value you can view the following service settings For Non ICMP services the service object displays the protocol ID source port range and destination port range For ICMP services the G...

Page 434: ...at service object Creating Custom Services You can create custom service objects to represent protocols that are not included in the predefined services or to meet the unique needs of your network NOT...

Page 435: ...different ports Service Object Groups You can group services together as a service object group then use that group in security policies and VPNs to simplify administration Each service object can be...

Page 436: ...ervices Entries area click the Add icon and select TCP The New Service Entry dialog box appears Configure the following a For Source Port select Range b For Source Port Range enter 0 to 65535 c For De...

Page 437: ...ontains these two numbers The ALG maps the program numbers into dynamically negotiated TCP UDP ports and permits or denies the service based on a policy you configure To create the Sun RPC service 1 I...

Page 438: ...them you create an ms exchange info store service object that contains these four UUIDs The ALG maps the program numbers into dynamically negotiated TCP UDP ports based on these four UUIDs and permit...

Page 439: ...t with a service group object that contains the replaced service object You cannot undo or roll back a Replace With operation NOTE Replacing service objects only applies to those objects in the domain...

Page 440: ...rators and remote access services RAS users on your network The information stored in an authentication server determines the privileges of each administrator When the security device receives a conne...

Page 441: ...at the authentication period never times out Admin user If the length of idle time reaches the timeout threshold the security device terminates the administrator session To continue managing the devic...

Page 442: ...is not required to configure a RADIUS authentication server However you might need to configure this setting when implementing a new RADIUS server with an existing network and established usernames To...

Page 443: ...sends authentication requests The default port number is 1645 RADIUS Secret The secret password shared between a security device and the RADIUS server The RADIUS server uses the shared secret to gener...

Page 444: ...You can separate the authentication and accounting functions by specifying different RADIUS Authentication and Accounting servers In ScreenOS devices running 6 2 and later you can enable or disable th...

Page 445: ...ictionary files one for Funk Software RADIUS servers and one for Cisco RADIUS servers For Funk Software RADIUS server dictionary file go to http www juniper net customers csc research netscreen_kb dow...

Page 446: ...that it can support queries for the following vendor specific attributes VSAs user groups administrator privileges remote L2TP and XAuth settings 1 In the main navigation tree select Object Manager A...

Page 447: ...between the security device and the SecurID ACE server SDI or DES Client Retries The number of times that the SecurID client the security device tries to establish communication with the SecurID ACE...

Page 448: ...inguished Name dn The path used by the LDAP server before using the common name identifier to search for a specific entry For example c us o juniper where c stands for country and o for organization S...

Page 449: ...represent the user account on your security devices To add a local user object 1 In the navigation tree double click the Object Manager select User Objects then select Local Users In the main display...

Page 450: ...rnal user is included in a security policy under Authentication rule options the security device uses the external server to authenticate that user To configure an external user 1 In the navigation tr...

Page 451: ...TP tunnel that users in the group use to connect to the device 5 Click OK to save the new group Using Radius with User Groups In this example you configure an external RADIUS auth server named radius1...

Page 452: ...ckup Server enter IP 10 20 1 110 for Secondary Backup Server enter IP 10 20 1 120 c For timeout enter 30 d Select For Firewall Auth Users e For Server Type select RADIUS then configure the RADIUS serv...

Page 453: ...For a single VLAN tag specify the tag For a range of VLAN tags specify the lowest and highest values in the range Configuring IP Pools An IP pool object contains IP ranges a range of IP addresses wit...

Page 454: ...you configure an IP pool with the ranges 1 1 1 1 1 1 1 10 and 2 2 2 2 2 2 2 20 1 In the navigation tree select Object Manager IP Pools 2 In the main display area click the Add icon The New IP Pool di...

Page 455: ...y policy defines authentication for a AND a member of group b the security device authenticates the user only if those two conditions are met AND If the security policy defines authentication for any...

Page 456: ...Select the operator you want to use in the expression OR AND NOT and then configure the operands For NOT expressions use Operand 1 to select the user object group or expression that cannot be present...

Page 457: ...device see Network and Security Manager Configuring ScreenOS and IDP Devices Guide Security devices incorporate DNS domain name server and WINS support to permit the use of domain names as well as IP...

Page 458: ...routing instance object in the Object Manager You can also perform a Find Usages operation and view the version history of a routing instance object For more information on configuring routing instanc...

Page 459: ...y NAT Objects A global NAT object contains references to device specific NAT configurations enabling multiple devices to share a single object Use the Device Manager to configure NAT for each device t...

Page 460: ...name color IP version IPv4 or IPv6 and comment for the object then click the Add icon to specify the device specific MIP Device Select the security device that includes the MIP Interface Select the in...

Page 461: ...user defined address pool and is used during source address translation You can use this object while configuring a rule so that when the rule is matched the source IP address of the packet is transl...

Page 462: ...he pool Descriptive name for the pool Name General Select the routing instance name The values are listed only if you have added them previously To add a new routing instance to a device select Object...

Page 463: ...The JunosSource NAT dialog box appears 4 Select the device to edit 5 Select the Edit icon The Junos Source NAT dialog box appears 6 Edit the values of the source NAT object 7 Click OK Deleting a Sour...

Page 464: ...e parameters for the new destination NAT object The New Junos Destination NAT dialog box appears Here you must select the device that performs the translation and define the address pool 3 Select a de...

Page 465: ...x enter the name of the interface To navigate to this dialog box see steps 1 to 4 of Adding a Destination NAT Object on page 414 2 Specify the hosts range of IP addresses whose ARP requests this devic...

Page 466: ...for those devices Generate a local and CA certificate in one click using SCEP Use OCSP to automatically check for revoked certificates ScreenOS 5 0 or later devices only Use a certificate chain that i...

Page 467: ...back to the root Partial Use partial validation to validate the certificate path only part of the way to the root Revocation Check Check for revocation Select this option to enable revocation checking...

Page 468: ...icate CA IDENT Enter the name of the certificate authority to confirm certificate ownership Challenge Enter the challenge words sent to you by the CA that confirm the security device identity to the C...

Page 469: ...our rule in an Extranet Policy object To create an Extranet Policy object 1 In the Object Manager select Extranet Policies The New ExtranetPolicyObject window appears 2 Enter the name of the Extranet...

Page 470: ...Third party host checker policies Secure virtual workspace wallpaper images Hosted Java applets Custom Citrix client CAB files See Managing Large Binary Data Files Secure Access and Infranet Controlle...

Page 471: ...es consist of the following elements IP Address The address represents the computer network or range of addresses to be considered part of this protected resource The address can be an individual host...

Page 472: ...eway to the protected resource You can add multiple security gateways to provide redundant access for the protected resource Editing Protected Resources You can edit protected resources to accommodate...

Page 473: ...proposals from VPN Manager select IKE Phase1 Proposals or IKE Phase2 Proposals Creating Custom IKE Phase1 Proposals Create a custom proposals for a specific combination of authentication and encryptio...

Page 474: ...ault value is 28800 seconds 8 hours Click OK to add the custom IKE object to the management system Creating Custom IKE Phase 2 Proposals Create a custom proposals for a specific combination of authent...

Page 475: ...n only then select the desired algorithm NOTE We strongly recommend that you do not use null AH with ESP Click OK to add the custom IKE object to the management system Configuring Dial in Objects Nets...

Page 476: ...vice a gateway in the device and a service point in the gateway BSG Admission Controllers BSG Admission Controllers control Session Initiation Protocol SIP dialogs and transactions You can define the...

Page 477: ...ported in Junos OS Release 9 5 and later When updating devices running under earlier versions of Junos OS the admission controller setting is dropped 427 Copyright 2010 Juniper Networks Inc Chapter 8...

Page 478: ...Copyright 2010 Juniper Networks Inc 428 Network and Security Manager Administration Guide...

Page 479: ...ll as how that traffic is treated while inside A security policy can contain firewall rules in the Zone and Global rulebases multicast rules in the Multicast rulebase and IDP rules in the Application...

Page 480: ...signing a policy to a device see Assigning a Security Policy to a Device on page 501 Viewing Rulebase Columns for a Security Policy By default each rulebase displays a subset of available columns for...

Page 481: ...x Viewing and Editing Custom Policy Fields NSM allows you to create multiple fields under Rule Options You can customize this fields to save metadata and you can edit and filter the values in each of...

Page 482: ...rulebase when you need to control traffic between specific zones The zone specific rulebase can contain firewall rules and VPN rules and links Global Contains rules that are valid across all zones Cre...

Page 483: ...s by ensuring that the three way handshake is performed successfully for specified TCP traffic If you know that your network is vulnerable to a SYN flood use the SYN Protector rulebase to prevent it T...

Page 484: ...rk traffic flowing from one zone to another zone After you have added a device in NSM you can create rules in the firewall rulebases of your security policy You can build multiple firewall rules in bo...

Page 485: ...You can install the same rule on multiple devices To begin configuring firewall rules for your managed devices see Configuring Firewall Rules on page 442 VPN Links and Rules The rules for your rule ba...

Page 486: ...t group address in an internal zone to a different address on the outgoing interface specify both the original multicast address and the translated multicast group address in a multicast rule When you...

Page 487: ...n detect and block attacks For example you can deploy the device with integrated Firewall VPN IDP capabilities between the Internet and an enterprise LAN WAN or special zones such as DMZ This is the d...

Page 488: ...y and so on Validate a security policy before installing it on your managed devices Merge multiple security policies into a single policy for easier management For example after importing or re import...

Page 489: ...You can apply the same object column value to a selection of policy rules Rule groups must be in an expanded state to apply the same object to the rules of a rule group Columns that disallow duplicate...

Page 490: ...l filter conditions for different attributes The filter only applies to the current selected rulebase The filter results are displayed in the same rulebase Rules that do not match filter conditions ar...

Page 491: ...ssociated with the attack object severity and protocol groups You should customize these templates to work on your network by selecting your own address objects as the Destination IP and choosing IDP...

Page 492: ...s Security policies start with a minimum of rules and rulebases You can add additional rules to the rulebases as needed To add a rulebase 1 In the main navigation tree select Policies then double clic...

Page 493: ...on addresses using the Select Address Dialog box In this dialog box you can populate hosts networks group addresses and polymorphic objects based on the context of the IP version selected The policy f...

Page 494: ...ts of a rule right click in the Source or Destination column of a rule and select Add Address Next click the Add icon at the top of the New Source Addresses or New Destination Addresses dialog box and...

Page 495: ...ress group object that represents your Marketing servers and the destination address to the address group object that represents your Engineering servers The more specific you are in defining the sour...

Page 496: ...TP HTTP IMCP ANY and TELNET service objects You can create your own service objects to use in rules using the Object Editor such as service objects for protocols that use nonstandard ports If you use...

Page 497: ...o enable or disable DI IDP and Application Services To use this feature 1 Select a zone based firewall policy and right click on the Rule Options column 2 When the DI Enable IDP Appl Srvcs dialog box...

Page 498: ...on page 456 Configuring a DI Profile Enable IDP for Firewall Rules on page 457 Configuring the Session Close Notification Rule on page 458 To quickly configure all rule options right click the Rule O...

Page 499: ...Series devices you can configure a NAT for a policy rule as one of the following An interface A pool of a specific device interface A PoolSet defined under the source NAT setting for a device collect...

Page 500: ...r security device passes permitted traffic according to the priority level specified in the matching rule The higher the priority level of the rule the faster the matching traffic for that rule passes...

Page 501: ...NSM to provide additional notification when a rule is matched such as an alert in the log entry An alert is a notification icon that appears in a log entry in the Log Viewer When you enable alerts in...

Page 502: ...s script must be located in the usr netscreen DevSvr var scripts global directory In the event that the script fails you can also configure the system to retry or skip running the script again You can...

Page 503: ...security device you can view that rule by logging in locally to the device with the WebUI or CLI where the rule appears as an individual policy The individual policy on the device has the same ID as t...

Page 504: ...HTTP request to the categories in the profile in the following sequence Black List White List Custom URL Lists Predefined Web categories If no custom profile is bound to the firewall rule the securit...

Page 505: ...ile as an authentication option from the Access Profile drop down list box Web Authentication Use for RAS users using HTTP to connect to the protected network Infranet Authentication Use this option t...

Page 506: ...destination address To authentication RAS users with Web Authentication you must include HTTP service object in the Service column of the rule To make a connection to the destination address in the ru...

Page 507: ...ected in permitted traffic You can configure one DI Profile for each rule When the device detects a match between the permitted network traffic and an attack object within the selected DI Profile the...

Page 508: ...When the sessions reach the threshold limit the system drops all subsequent sessions If you enable the alarm without drop packet option the packet is not dropped but an alarm message is raised If you...

Page 509: ...Options Session Close Notification A Session Close Notification window opens 2 Check the option Notify both ends if TCP session isn t normally terminated 3 Click OK configure the Session Close Notifi...

Page 510: ...optionally the multicast group address on the outgoing interface Specify the access list that identifies the permitted multicast groups Select any to accept traffic for all multicast groups Configurin...

Page 511: ...s Rules Antivirus settings are stored in a profile To assign an antivirus profile to a policy do the following 1 Double click the Rule Options cell in a rule 2 In the Configure Options dialog click th...

Page 512: ...ll matches are executed You can specify that a rule is terminal if IDP encounters a match for the source destination and service specified in a terminal rule it does not examine any subsequent rules f...

Page 513: ...you can select source and destination zones includes the predefined and custom zones that have been configured for all devices managed by NSM Therefore you should only select zones that are applicable...

Page 514: ...ies Select a device policy and add an IDP rulebase Right click on the User Role column You can then Select Filter or Edit user roles If you select user roles the Select User Roles dialog box opens Sel...

Page 515: ...n you select an attack object in the Attack column the service associated with that attack object becomes the default service for the rule To see the exact service view the attack object details Selec...

Page 516: ...ntly leave your network open to attacks by creating an inappropriate terminal rule Remember that traffic matching the source destination and service of a terminal rule is not compared to subsequent ru...

Page 517: ...tion IDP causes the firewall to drop the session upon detection of an attack However it cannot prevent the attack packet from reaching its destination because in the inline tap mode the IDP only recei...

Page 518: ...inline tap mode the session is dropped but the attack packet would have been let through If using TCP in the inline mode the IDP drops the connection In the inline tap mode the IDP drops the connecti...

Page 519: ...can Add all attack objects select All Attacks Consider carefully before selecting this option using all attack objects in a rule can severely impact performance on the security device Add one or more...

Page 520: ...ommended Action Cause Severity Logging Alert Drop Packet Attacks attempt to evade an IDS crash a machine or gain system level privileges Critical Logging Alert Drop Packet Drop Connection Attacks atte...

Page 521: ...an action to detect and prevent current malicious connections from reaching your address objects Then right click in the IP Action column of the rule and select Configure The Configure IP Action dial...

Page 522: ...k information that you can view real time in the Log Viewer For more critical attacks you can also set an alert flag to appear in the log record To log an attack for a rule right click the Notificatio...

Page 523: ...oose to apply rules to traffic on certain VLANs only Normally for a rule to take effect it must match the packet source destination service and attack objects If the VLAN cell is populated with a valu...

Page 524: ...1024 characters in the Comments field You can deploy an ISG2000 or ISG1000 gateway as a standalone IDP security system protecting critical segments of your private network For example you might alread...

Page 525: ...ow 3 Click Add in the Policies panel 4 Enter a name for the policy and comments if desired in the pop up menu and click OK The new IDP policy is added to the Policies panel To add rules to the IDP pol...

Page 526: ...you want IDP to monitor for applications such as source destination zones source destination address objects and the application layer protocols services supported by the destination address object Y...

Page 527: ...APE rule the APE rulebase is automatically created NOTE If you do not have appropriate access control permission and you attempt to create APE rules the wizard returns an error message stating that y...

Page 528: ...can create custom zones for some security devices The list of zones from which you can select source and destination zones includes the predefined and custom zones that have been configured for all de...

Page 529: ...role right click the User Role column of a rule and select Select User Role 2 From the Select User Roles dialog box select a device from the Device drop down menu 3 Use the Add or Remove button to add...

Page 530: ...perform actions against the connection Remember that the device can drop traffic only when IDP is enabled in inline mode when IDP is enabled in inline tap sniffer mode it cannot perform drop or close...

Page 531: ...olicy in Expanded Mode To change the security policy view from Compact Mode to Expanded Mode from the menu bar select View Expanded Mode If the current network traffic matches a rule the security devi...

Page 532: ...e no logging options set Setting Timeout Options You can set the number of seconds that you want the IP action to remain in effect after a traffic match For permanent IP actions leave the timeout at 0...

Page 533: ...with packet capture enabled match the same attack the security device captures the maximum specified number of packets For example you configure Rule 1 to capture 10 packets before and after the attac...

Page 534: ...NOTE If you delete the IDP rulebase the Exempt rulebase is also deleted You might want to use an exempt rule when an IDP rule uses an attack object group that contains one or more attack objects that...

Page 535: ...ve been configured for all devices managed by NSM Therefore you should only select zones that are applicable for the device on which you will install the security policy Configuring Source and Destina...

Page 536: ...ight want to use this method to quickly eliminate rules that generate false positive log records To create an exempt rule from the Log Viewer 1 View the IDP DI logs in the Log Viewer 2 Right click a l...

Page 537: ...tor To detect incoming interactive traffic set the Source to any and the Destination to the IP address of network device you want to protect To detect outgoing interactive traffic set the Source to th...

Page 538: ...ddress Objects In NSM address objects are used to represent components on your network hosts networks servers and so on Typically a server or other device on your network is the destination IP for inc...

Page 539: ...to the client Close Server Setting Notification You can choose to log an attack and create log records with attack information that you can view real time in the Log Viewer For more critical attacks y...

Page 540: ...the packets after the attack If multiple rules with packet capture enabled match the same attack IDP captures the maximum specified number of packets For example you configure Rule 1 to capture 10 pac...

Page 541: ...that attackers can use to disable the system a SYN flood Most systems allocate a large but finite number of resources to a connection table that is used to manage potential connections While the conne...

Page 542: ...window or click the policy name and then select the Edit icon 2 Click the Add icon in the upper right corner of the Security Policy window and select Add SYN Protector Rulebase to open the SYN Protec...

Page 543: ...ction timer expires IDP resets the connection to free resources on the server Setting Notification You can choose to log an attack and create log records with attack information that you can view real...

Page 544: ...th rules match the same attack IDP attempts to capture 10 packets before and after the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can ov...

Page 545: ...Detecting TCP and UDP Port Scans To detect TCP and UDP port scans set a port count number of ports scanned and the time threshold the time period that ports are counted in seconds Example Traffic Anom...

Page 546: ...t the source IP to your Internal Network and the configure the session count as 200 session sec To block traffic that exceeds the session limit set an IP action of IDP Block and chose Source Protocol...

Page 547: ...pted to log all attacks and let the policy run indefinitely Don t do this Some attack objects are informational only and others can generate false positives and redundant logs If you become overloaded...

Page 548: ...fter the attack NOTE Packet captures are restricted to 256 packets before and after the attack Setting Severity You can override the inherent attack severity on a per rule basis within the SYN Protect...

Page 549: ...to add the Network Honeypot rulebase to a security policy 1 In the main navigation tree select Policies Open a security policy by double clicking the policy name in the Security Policies window or cl...

Page 550: ...you can view real time in the Log Viewer For more critical attacks however you might want to be notified immediately by e mail have IDP run a script in response to the attack or set an alarm flag to...

Page 551: ...Entering Comments You can enter notations about the rule in the Comments column Anything you enter in the Comments column is not pushed to the target devices To enter a comment right click the Comment...

Page 552: ...vice Validating Security Policies You should validate a security policy to identify potential problems before you install it NSM contains a Policy Validation tool to help you locate common problems su...

Page 553: ...stem vulnerabilities and packet dropping Policy validation identifies rule shadowing You should modify or delete all rules that overshadow others When a packet comes in a security device compares it t...

Page 554: ...policy to the devices you want to use that policy Assigning a policy to a device links the device to that policy enabling NSM to install the policy on that device Selected the correct devices for the...

Page 555: ...400000 The setting is measured in milliseconds 1000 s of a second So 2400000 milliseconds is equal to 40 minutes Updating Existing Security Policies To install a new or modified policy on a managed de...

Page 556: ...ical device without resetting the policy NSM must reset the policy when the security policy you are installing already exists on the physical device but an object within the policy has changed in NSM...

Page 557: ...device in one policy The Policies navigation tree lists security policies alphabetically You can create or import an unlimited number of security policies Each security policy contains a default firew...

Page 558: ...e rule unique this is especially useful for rules that contain detailed rule options such as attack protection NOTE When you cut and paste a rule your preferred ID is retained However when you copy an...

Page 559: ...Policy pane to easily select and add shared objects including address service Global MIP Global VIP attack device VLAN and custom field objects to your security policies Select the object and drag it...

Page 560: ...ules you want to include in the group then right click and select create rule group Enter a name and description for the rule group then click OK Combining rules into a rule group can help you better...

Page 561: ...y and a target policy The source policy contains the rules that you want to merge into another policy in the UI this is the From Policy The target policy receives the rules from the source policy in t...

Page 562: ...12 Figure 84 Security Policy A Rules Before Policy Merge Policy B contains the rules as shown in Figure 85 on page 512 Figure 85 Security Policy B Rules Before Policy Merge To merge Policy A from poli...

Page 563: ...pand rule groups Show expanded view Print filter condition Link all shared object details Run in background Click the Browse button to select a default export directory for all future exports Click Ex...

Page 564: ...s how to use the GUI to make NSM default to automatic policy versioning To set the NSM default to policy versioning 1 In the NSM GUI select Tools Preferences 2 Under Object Versioning check Policy NOT...

Page 565: ...M GUI right click on a policy 2 In the popup menu select View Versions The Version History window appears 3 In the window select the version and click Filter Search The Version Filter Definition dialo...

Page 566: ...are two versions 1 In the NSM GUI right click on a policy 2 In the popup menu select View Versions The Version History window appears 3 Select two versions in the window 4 Click Compare to view the di...

Page 567: ...g Database Version Filters enter appropriate values in the fields listed below Click OK to set the filter You can search for existing filter settings by viewing the current settings in the Filter Sear...

Page 568: ...etwork and Security Manager on page 3 and the Network and Security Manager Configuring ScreenOS and IDP Devices Guide 5 When you are finished reviewing data about the different versions click Close on...

Page 569: ...are two sets of rules of any rulebase type that can be created for any domain Configuration of pre post rules are located in the main navigational tree under Policy Manager called Central Manager Pol...

Page 570: ...rules the device uses Subdomain postrules Global domain postrules Central Manager postrules ScreenOS Devices ScreenOS devices require rules to have unique IDs Rules pushed to devices are the merged r...

Page 571: ...main navigation tree select Policy Manager Central Manager Policies 2 Select either Central Manager Pre Rules or Central Manager Post Rules 3 Click the Add icon in the toolbar and select Add Rule 4 S...

Page 572: ...Policy Manager Central Manager Policies 2 Select either Central Manager Pre Rules or Central Manager Post Rules 3 Right click the rule you want to modify and select Delete Associated shared objects if...

Page 573: ...es Change name color and other attributes Yes Yes if not referenced by central rules Yes Delete Validation of Polymorphic Object When an administrator first creates a polymorphic object the customizat...

Page 574: ...a Polymorphic Object This procedure assumes that a Central Manager administrator is logged onto a Central Manager client To create a polymorphic object 1 In the main navigation tree select Object Mana...

Page 575: ...to the selected regional servers 3 In the main navigation tree of the regional server select Object Manager Address Object to show the polymorphic address objects pushed to this regional server 4 Doub...

Page 576: ...Copyright 2010 Juniper Networks Inc 526 Network and Security Manager Administration Guide...

Page 577: ...these shared objects into the transaction rule Juniper Networks M Series and MX Series routers running Junos 9 5 and later can be managed in two modes Central Policy management CPM and In Device manag...

Page 578: ...est source Enter a regular expression Contacts Enter a regular expression 7 Select the desired action for the rule under the Then header The actions are Accept Accept the traffic and send it to its de...

Page 579: ...from log reports Admission controller settings are dropped from the policies pushed to devices running Junos OS Releases earlier than 9 5 NOTE NSM 2009 1 and later releases support BSG transactions in...

Page 580: ...Copyright 2010 Juniper Networks Inc 530 Network and Security Manager Administration Guide...

Page 581: ...t to this NAT rulebase A rule set consists of a general set of matching conditions for traffic If the traffic matches these conditions then that traffic is selected for NAT A rule set can contain mult...

Page 582: ...Rule Set to the Source NAT Rulebase To add a rule set to the source NAT rulebase 1 Click at the upper left corner of the Source NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set di...

Page 583: ...ing a Rule to a Source NAT Rule Set To add a new rule to a rule set 1 From the Source NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Source NAT t...

Page 584: ...tions to perform Under the Name header Add Rule Enables you to add rules to the rule set from the New Rule dialog box Specify the values and click OK Add Source Enables you to view and modify the sour...

Page 585: ...t All requests from a specific internal IP address and port are mapped to the same reflexive transport address Target host port All requests from a specific internal IP address and port are mapped to...

Page 586: ...set to the destination NAT rulebase 1 Click at the upper left corner of the Destination NAT tab 2 Select Add Rule Set to add a new rule set The New Rule Set dialog box appears Here you must specify a...

Page 587: ...le to a Destination NAT Rule Set To add a new rule to a rule set 1 From the Destination NAT tab select the rule set to which you want to add the rule 2 Click at the upper left corner of the Destinatio...

Page 588: ...e source that you set previously Under the Match header Src Address Edit Enables you to cut copy and paste the values that are within this field Add Src address Enables you to add additional sources E...

Page 589: ...is rulebase For more information on adding a static NAT rule sets to the rulebase see Adding a Rule Set to a Static NAT Rulebase on page 539 Adding a Rule Set to a Static NAT Rulebase To add a rule se...

Page 590: ...name gets created and is displayed in the Security Policy window The next step is to add rules to the rule set For more information see Adding a Rule to a Static NAT Rule Set on page 540 Adding a Rule...

Page 591: ...are satisfied with the values click OK Add Source Enables you to view and modify the source that you set previously Under the Zone RJ Interface header View Modify Source Enables you to view and modify...

Page 592: ...Copyright 2010 Juniper Networks Inc 542 Network and Security Manager Administration Guide...

Page 593: ...appear as a single wide area network WAN VPNs replace costly Point to Point Protocol PPP and Frame Relay connections that require dedicated lines and sometimes even satellites between your private net...

Page 594: ...single device Creating System Level VPNs with VPN Manager For AutoKey IKE and L2TP VPNs create the VPN at the system level using VPN Manager VPN Manager supports AutoKey IKE VPNs In policy based or ro...

Page 595: ...or policy based VPNs or to control traffic through the tunnel for route based VPNs You can also create AutoKey IKE L2TP and L2TP over AutoKey IKE VPNs at the device level Supported VPN Configurations...

Page 596: ...termination points are the end points of the tunnel traffic enters and departs the VPN tunnel through these end points Each tunnel has two termination points a source and destination which are the sou...

Page 597: ...through a VPN member that does not contain protected resources Dual Hubs and Spokes In VPNs running ScreenOS 6 3 and later you can use Next Hop Resolution Protocol NHRP combined with IPSEC to establis...

Page 598: ...ore IPSec services to establish the tunnel and protect your data Typically VPNs use encryption and authentication services to enable basic security between devices however for critical data paths usin...

Page 599: ...ire before it can be broken By also exchanging authentication algorithms IKE can confirm that the communication in the VPN tunnel is secure Because all security parameters are dynamically assigned VPN...

Page 600: ...ets for encryption authentication or other data protection services you must further encapsulate the L2TP packet using AutoKey IKE Choosing a VPN Tunnel Type You can configure three types of VPN tunne...

Page 601: ...Because the tunnel is an always on connection between two network points the security device views the tunnel as a static network resource through which to route traffic To create the termination poi...

Page 602: ...te a Manual Key VPN You must also decide if you want to use certificates to authenticate communication between the VPN members Define Method VPN Manager or Device Level How do want to create the tunne...

Page 603: ...etween RAS users and protected resources An L2TP RAS VPN supports Policy based VPNs AH Authentication PPP or other non IP traffic Remote access users L2TP over Autokey IKE RAS VPN Use to authenticate...

Page 604: ...ting VPNs see the NSM Online Help topic VPNs Preparing Basic VPN Components To create any type of VPN ensure that all security devices you want to use in the VPN are managed by NSM and configured corr...

Page 605: ...igure each device to be a part of the VPN To manage different services for the same network component create multiple protected resource objects that use the same address object and security device bu...

Page 606: ...oKey IKE groups that use a shared Group IKE ID NOTE We strongly recommend that you do not use null AH with ESP L2TP Uses Password Authentication Protocol PAP and Challenge Handshake Authentication Pro...

Page 607: ...y one value per identity field for example ou eng or ou sw but not ou eng ou sw The ordering of the identity fields in the two ASN1 DN strings are inconsequential In this IKE ID matching part we need...

Page 608: ...VPN you can link A single VPN tunnel to multiple tunnel interfaces Multiple VPN tunnels to a single tunnel interface For details on tunnel interfaces and tunnel zones see the Network and Security Mana...

Page 609: ...ember receiving it The CA also issues certificates often with a set time limit If you do not renew the certificate before the time limit is reached the CA considers the certificate inactive A VPN memb...

Page 610: ...guring CRL Objects A Certificate Revocation List CRL identifies invalid certificates You can obtain a CRL file crl from the CA that issued the local certification and CA certificate for the device the...

Page 611: ...E RAS VPN Use to connect L2TP RAS users and protected resources An L2TP over AutoKey IKE RAS VPN supports policy based VPNs and L2TP RAS users but does not support routing based or mixed mode VPNs 2 E...

Page 612: ...do not use NAT on your network you do not need to configure NAT for the VPN The following sections detail how to configure NAT and L2TP Configuring NAT Below the Protected Resources window select NAT...

Page 613: ...se for the interface Global VIP Select the global VIP object that represents the virtual IP address you want to use for the interface Global DIP Outgoing You can enable the security device to use a Dy...

Page 614: ...S users to the VPN When configuring an AutoKey IKE VPN this area does not appear Click the Users link to display the user selection dialog box then click the Edit icon to select the predefined RAS use...

Page 615: ...ies in the Next Hop Tunnel Binding NHTB table enable Generate NHTB entries for 5 x devices When this option is selected VPN Manager autogenerates NHTB entries for each VPN tunnel NOTE If you are using...

Page 616: ...or another main When configuring a VPN that uses multiple mains you can select to mesh all mains all mains can communicate with each other or disable all main meshing Branch A branch can connect to a...

Page 617: ...mmary Edit Router Dynamic Routing Protocol NHRP Redistribution Rules Add the NHRP option to the OSPF BGP and RIP redistribution rules You can make these settings from VPN Manager VPNs AutoKey IKE VPN...

Page 618: ...the device Configuring Gateways To configure the gateways for VPN click the Gateway Parameters link Configuring Gateway Properties In the Properties tab specify the following gateway values Selecting...

Page 619: ...e the traffic To use NAT T enable NAT Traversal and specify UDP Checksum A 2 byte value calculated from the UDP header footer and other UDP message fields that verifies packet integrity You must enabl...

Page 620: ...negotiations You can use a preshared key or certificates for authentication Preshared Key Certificate For Phase 1 select a Preshared Key Information or PKI Information Preshared Key Use if your VPN in...

Page 621: ...IKE ID to authenticate the VPN member VPN Manager automatically creates the default IKE ID for you based on the policy or route based members and RAS users so you do not need to configure this option...

Page 622: ...cket in the payload of another IP packet and attaches a new IP header This new IP packet can be authenticated encrypted or both Use transport mode for L2TP over AutoKey IKE VPNs NSM does not encapsula...

Page 623: ...sed VPN at the Phase2 configuration level devices running ScreenOS 6 1 and later allow you to on both ASIC and non ASIC platforms ScreenOS 6 1 and later support the DSCP value configuration for tunnel...

Page 624: ...VPN After you have inserted the VPN link into a security policy you can install that policy on your devices using the Updated directive Create static or dynamic routes for route based VPNs To autogen...

Page 625: ...mixed mode VPNs this displays the tunnel interfaces and virtual routers configured on the VPN member To override the general properties and dynamic routing protocols for each tunnel interface right c...

Page 626: ...ed device However the security policy does not display the VPN You can manually add a VPN link to your security policy a VPN link creates a link between the security policy and VPN the link points to...

Page 627: ...Remote User Make your changes then click OK to save your changes Editing the VPN Configuration To add or delete a member edit any VPN parameter or reconfigure the VPN topology select the VPN and clic...

Page 628: ...Trust zone Ethernet3 is the Untrust IP 2 2 2 2 24 in the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects I...

Page 629: ...e Paris Protected Resource Object for AutoKey IKE VPN 5 Create the VPN In the navigation tree double click VPN Manager then right click VPNs and select AutoKey IKE VPN The New AutoKey IKE VPN dialog b...

Page 630: ...Hub and Supernet leave the default of none Enable Mesh Main s In the Mains window select the Paris and Tokyo security devices c Click OK to return to the Topology dialog box then click OK to return to...

Page 631: ...y policy and the VPN Manager autogenerated rules You create this link by inserting a VPN link in the zone rulebase this links points to the VPN rules that exist in the VPN Manager In Security Policies...

Page 632: ...the Untrust zone 2 Create the address objects that you will use to create Protected Resources for details on creating or editing address objects a Add the Chicago Corporate Trusted LAN 10 1 1 0 24 as...

Page 633: ...User Objects In the main display area click the Add icon and select Local Configure then click OK Figure 92 Add New Local User for AutoKey IKE RAS VPN 6 Create the VPN In the navigation tree double cl...

Page 634: ...porate to use ethernet3 as the termination point this is the Untrust interface then click OK to return to the main display area 9 Configure the remote users for the VPN a In the Remote Users section c...

Page 635: ...at the top of the policy but you can move the VPN link anywhere in the policy just as you would a firewall rule Example Configuring an Autokey IKE Route Based Site to Site VPN In this example an AutoK...

Page 636: ...dress Netmask enter 10 2 2 0 24 For Color select magenta For Comment enter Paris Trust Zone Create the VPN In the navigation tree double click VPN Manager Right click VPNs and select AutoKeyIKEVPN The...

Page 637: ...it icon to add the pre g2 3des sha proposal 11 Click Save to save your configuration changes to the VPN Because this VPN is route based no rules are autogenerated However you can view the device tunne...

Page 638: ...face 5 Click OK to save your changes to the virtual router then click OK to save your changes to the Tokyo device 6 Configure the route on the Paris security device 7 In Device Manager double click th...

Page 639: ...oading the dictionary file onto a RADIUS server refer to the RADIUS server documentation If you are using a Microsoft IAS RADIUS server there is no dictionary file to load Instead define the correct v...

Page 640: ...r Comment enter Reseller VPN XAuth RADIUS For color enter green Add jhansen as a member 5 Add a Network address object to represent the network used by Reseller group In the Object Manager select Addr...

Page 641: ...ler Remote Access VPN appears in the main display area 1 Configure the policy based members In the main display area select the Protected Resources link In the Protected Resources list select the rsl...

Page 642: ...teway The autogenerated gateway for the Bozeman appears in the main display area Right click the autogenerated gateway and select Edit The Properties tab appears In the IKE IDs XAuth tab configure the...

Page 643: ...VPNs do not support RAS users L2TP VPNs support transport mode and can be policy based Creating AutoKey IKE VPNs Creating device level AutoKey IKE VPNs is a four stage process Configure Gateway Confi...

Page 644: ...vice Each security device member has a remote gateway that it sends and receives VPN traffic to and from To configure a gateway for a VPN member you need to define the local gateway the interface on t...

Page 645: ...ateways that are users select the User object or User Group object that represents the RAS user Dynamic IP Address For remote gateways that use a dynamic IP address select dynamic IP address Outgoing...

Page 646: ...stract Syntax Notation version 1 is a data representation format that is non platform specific Distinguished Name is the name of the computer Use ASN1 DN to create a Group ID that enables multiple RAS...

Page 647: ...l CHAP for authentication password is sent in the clear User Name and Password Enter the user name and password that the RAS user must provide for authentication NOTE All passwords handled by NSM are...

Page 648: ...and ensure compatibility Configuring Routes Route based only For a routing based VPN member you must configure Tunnel zone or tunnel interfaces on the member Static or dynamic routes from the member t...

Page 649: ...ransport mode for L2TP over IPSec NSM does not encapsulate the IP packet meaning that the original IP header must remain in plaintext However the original IP packet can be authenticated and the payloa...

Page 650: ...one on the security device to bind the VPN tunnel directly to the tunnel zone The tunnel zone must include one or more numbered tunnel interfaces when the security device routes VPN traffic to the tun...

Page 651: ...when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior as follows Considers incoming traffic in the VPN tunnel as ICMP...

Page 652: ...rom the member to other VPN members VPN traffic flows through the tunnel zones or tunnel interfaces on the security device and uses static or dynamic routes to reach other VPN members You must create...

Page 653: ...nnel interface or tunnel zone to increase the number of available interfaces in the security device To use a tunnel interface and or tunnel zone in your VPN you must first create the tunnel interface...

Page 654: ...e next hop tunnel binding table NHTB table and the route table when multiple VPN tunnels are bound to a single tunnel interface Optimized When enabled the device optimizes its VPN monitoring behavior...

Page 655: ...NS information assigned by the user s ISP However when the L2TP RAS user sends VPN traffic through the tunnel the security device assigns a new IP address and WINS DNS information that enables the tra...

Page 656: ...g L2TP on page 605 3 Configure Peer Gateway see Configuring Gateways on page 594 4 Configure Routes Route based only see Configuring Routes Route based only on page 598 5 Add VPN to Device see Configu...

Page 657: ...member that contains the termination interface for the VPN tunnel To Zone Select the zone on the destination VPN member that contains the termination interface for the VPN tunnel Service column Select...

Page 658: ...and Paris security devices 2 Configure the Tokyo device with the following interfaces Ethernet1 is the Trust IP 10 1 1 1 24 in the Trust zone Ethernet3 is the Untrust IP 1 1 1 1 24 in the Untrust zone...

Page 659: ...erties tab as shown below For Name enter Tokyo_Paris For Gateway enter 2 2 2 2 For Local SP enter 3020 For Remote SPI enter 3030 For Outgoing Interface select ethernet3 For ESP AH select ESP CBC For E...

Page 660: ...gure a route from the untrust interface to the gateway and then click OK Figure 95 Configure Tokyo Route for RB Site to Site VPN MK 17 Configure route from the trust zone to the tunnel interface and t...

Page 661: ...he General Properties screen appears 3 Configure the following then click OK For Zone select untrust For IP Options select Unnumbered For Source Interface select ethernet3 4 Create the Paris VPN In th...

Page 662: ...tables ScreenOS 5 1 and later devices display destination based source based and source interface based routing tables 4 Configure a route from the untrust interface to the gateway then click OK 5 Con...

Page 663: ...routes on each device Finally you create VPN rules in a security policy to create the VPN tunnel between the two sites Create VPN Components 1 Security Devices 2 Address Objects Create the Tokyo VPN...

Page 664: ...n navigation tree select Policies Click the Add icon to display the new Security Policy dialog box 2 Configure the following then click OK For Security Policy Name enter Corporate Policy Based VPN Opt...

Page 665: ...r Betty then click OK For Name enter Betty Select Enable then select L2TP Select Password then enter and confirm the password BviPsoJ1 3 Configure an L2TP user object for Carol then click OK For Name...

Page 666: ...ises Each branch site spoke is connected to a central site hub The communication between spoke sites must go through the hub which does not scale as the number of spoke sites increases Using the auto...

Page 667: ...ins pane select each device you want to be a main Main devices can communicate with every other device in the topology Click OK and then click the Save button to save the VPN configuration 4 Configure...

Page 668: ...d then click Edit Virtual Router The Virtual Router dialog box appears Click Dynamic Routing Protocol NHRP Parameters Verify that the ACVPN Profile setting has been populated Click OK 9 For the spoke...

Page 669: ...are used by Central Manager pre post rules are available in regional servers attack db and so on When you update pre post rules the Central Manager and regional server versions must match NOTE You can...

Page 670: ...any of the regional servers managed by Central Manager and begin managing the servers using all assigned permissions No extra log on off steps are required for administrators to navigate from one reg...

Page 671: ...r and the VPN manager NOTE You cannot switch a J Series or SRX Series device from central management mode to device management mode if the device has an assigned policy Using Central Manager This sect...

Page 672: ...r administrators can log into regional servers directly from Central Manager The following procedure assumes that a Central Manager administrator is logged onto a Central Manager client and a regional...

Page 673: ...pdated only if they are actually being used by the pre post rules on the Central Manager server All new shared objects are replicated inserted into the global domain of the regional server Objects tha...

Page 674: ...added existing polymorphic object are kept and incoming global policy rules use existing polymorphic object Incoming polymorphic object with the same name are discarded Name conflict with a regional s...

Page 675: ...networkcan include J Series M Series MX Series and EX Series devices as well as ScreenOS and IDP devices IP phones desktops printers and servers The Topology Manager also provides details about connec...

Page 676: ...ws and not the different table views To add a device a Select the Manage Devices icon A dialog opens b Enter the SSH user name and password c Select OK Set Preferences Use this tool to set preferences...

Page 677: ...all switches and switch ports as well as on all LLDP or LLDP MED enabled devices such as IP Phones Ensure that the included subnets specified in Topology Manager preferences are sufficient for all swi...

Page 678: ...tween network and end point devices 9 Select Free Ports to view a list of EX Series switches and the available ports on these switches About the NSM Topology Map Views The NSM Topology Manager provide...

Page 679: ...the right click menu in the topology map view Locate Devices Use this tool to locate a specific device within a particular topology view To find a device within a topology cloud 1 Expand a topology cl...

Page 680: ...views of your network topology A tabular view of the topology lists all the network elements and devices connected to them A tabular view does not display information related to the links and the typ...

Page 681: ...s device is indicated in the DeviceStatus column You can save the information in the table as comma separated values in a file You can right click on a free port listed in the topology tabular view an...

Page 682: ...owed and denied subnets You must specify included subnets because topology discovery happens only for those included subnets that you configure Discovery does not take place if there are neither inclu...

Page 683: ...e the changed configuration on the device View device details in the topology map You can view details of a managed device in the topology view View link details between devices in the topology map Yo...

Page 684: ...Copyright 2010 Juniper Networks Inc 634 Network and Security Manager Administration Guide...

Page 685: ...ethernet switching port mode is set to access RSTP is enabled with the edge option and port security parameters MAC limit 1 dynamic ARP Inspection and DHCP snooping enabled are set Layer 2 Uplink Port...

Page 686: ...ion to resolve conflicts between the port template configuration and the actual configuration on the associated device See Detect and Resolve Configuration Conflicts on page 638for details Customize p...

Page 687: ...save the changes and close the Manage Template Port Association screen To edit port template parameters 1 Select the port template from the list in the ManageTemplatePortAssociation screen 2 Click Edi...

Page 688: ...administrator you can create port templates using the Customize Port Template feature 2 To modify the default template name type a name in the Template Name field 3 To modify the default description...

Page 689: ...duler Map Name field 4 To edit scheduler settings click Edit Scheduler The Edit Scheduler screen is displayed Specify the following Scheduler name Transmit Rate Select one Unconfigured if you do not w...

Page 690: ...Copyright 2010 Juniper Networks Inc 640 Network and Security Manager Administration Guide...

Page 691: ...of Infranet Controllers IC and Enforcement Points EP The Infranet Controller View on page 641 The Enforcement Point View on page 642 The Infranet Controller View The NSM main display area is horizont...

Page 692: ...n the selected IC Each EP can be associated with only one Location Group available in the IC 5 Enter the Infranet Controller port to which the EP should communicate The default port is 1812 6 Enter th...

Page 693: ...ation Conflicts with the Infranet Controller in the UAC Manager Before you resolve configuration conflicts perform an Import Device to identify the actual conflicts in the configuration To ensure that...

Page 694: ...tify these entries from the RADIUS client of the IC Enabling 802 1X on Enforcement Point Ports in the UAC Manager To enable 802 1X on ports on Enforcement Points EP 1 Select an EP on whose ports you w...

Page 695: ...Resolving Configuration Conflicts Between Devices and 802 1X Ports in the UAC Manager The Resolve Configuration Conflict option allows you to detect any inconsistency between the device configuration...

Page 696: ...Copyright 2010 Juniper Networks Inc 646 Network and Security Manager Administration Guide...

Page 697: ...PART 4 Monitoring Realtime Monitoring on page 649 Analyzing Your Network on page 699 Logging on page 729 Reporting on page 799 647 Copyright 2010 Juniper Networks Inc...

Page 698: ...Copyright 2010 Juniper Networks Inc 648 Network and Security Manager Administration Guide...

Page 699: ...time Monitor on page 687 Monitoring the Management System on page 687 About the Realtime Monitor The Realtime Monitor module in NSM enables you to monitor real time status and statistics about all the...

Page 700: ...sessions that have been implemented within the domain you are working in From the VPN Monitor you can determine if a VPN tunnel is up down or not monitored NSPR Monitor Displays status information ab...

Page 701: ...ously detected in NSM This could happen in the event that the automatic adjustment option was cleared during a change device firmware directive or an Update Device directive was issued to an IDP devic...

Page 702: ...device in NSM Up Device is currently connected to NSM Down Device is not currently connected to NSM but has connected in the past Never Connected Device has never connected to NSM The Device Server c...

Page 703: ...The inventory information in the NSM database is synchronized with the licenses on the device Out Of Sync The inventory information in the NSM database is not synchronized with the licenses on the de...

Page 704: ...formation appears in the Device Monitor in the Device Summary Interface Viewing Device Monitor Alarm Status Alarms refresh automatically through periodic polling To view the Alarm status and time 1 Fr...

Page 705: ...tus Table 51 Device Detail Status Items Description Item ScreenOS firmware version running on the device OS Version Current operation mode of the device Network Address Translation NAT Transparent or...

Page 706: ...ndow NOTE The information in the Device Statistics window appears slightly different for firewall VPN devices and IDP sensors Device Statistics Summary The Device Statistics Summary displays the follo...

Page 707: ...from Greenwich Mean Time this is not displayed in the Vsys view GMT Time Offset Hours Whether you have enabled the security device to adjust time for daylight savings DayLight Saving Additional Devic...

Page 708: ...ecurity device Enables you to view CPU Memory and Session Utilization trends Resource Statistics System View administrator and user activities active VPNs and authenticated users on a security device...

Page 709: ...al number of data connections Total Connections The relative percentage of connections Connection Rel The total numerical difference between the current connection value and the previous connection va...

Page 710: ...enabled for each security device You can view up to ten protocols A bar graph displays a percentage of the absolute number of bytes for the top 10 protocols by default Table 55 on page 660 describes...

Page 711: ...and data depicted graphically in the same way that you adjust the Policy Distribution graphs You can also adjust the data types in the Protocol Distribution graph by Bytes In Bytes Out Packets In Pac...

Page 712: ...fic over the tunnel such as bytes in out packets in out utilization Table 56 on page 662 describes all the information that is available from the VPN Monitor Table 56 VPN Monitor Table Description Ite...

Page 713: ...outgoing packets handled by the protocol through the security device Packets Out Total numerical difference between the current packets out value and the previous packets out value Delta Packets Out...

Page 714: ...ctive VPN Peer Address Monitoring capability status for the VPN ON or OFF Monitor IPSec IP security protocol for the active VPN AH Authentication Header or ESP Encapsulating Security Payload IPSec SPI...

Page 715: ...curity devices DMZ interface available on NetScreen 25 NetScreen 50 and NetScreen 500 devices the NetScreen 5XP device has no DMZ interface HA interface and management interface available on NetScreen...

Page 716: ...hrough the security device over the selected interface CRC Errors The number of Frame Checksum FCS errors Alignment Errors The number of frames that are not of the correct length ShortFrame The number...

Page 717: ...ections that occurred for a given interface Connections The number of incoming packets dropped by a given interface Packets Dropped The number of incoming packets denied on the virtual interface by th...

Page 718: ...lock any attempt of this nature and records such attempts as a Land attack Land Attack ICMP pings can overload a system with so many echo requests that the system expends all its resources responding...

Page 719: ...ag TCP packet that does not have any bits set in the flags TCP no Flag The security device drops packets where the protocol field is set to 101 or greater These protocol types are reserved and undefin...

Page 720: ...ckets that have both the SYN and FIN bits set in the flags field SYN n FIN TCP packet with a FIN set but no ACK set in the flags field FIN no ACK When you enable Malicious URL Detection the security d...

Page 721: ...are fragmented No of Fragment Blocks The number of currently active sessions Active Sessions The number of allocated sessions Allocated Sessions The maximum sessions allowed Max Sessions Allowed The...

Page 722: ...ts and protocol type about the active sessions on the security device by default You can also view extended information about the session such as session ID ICMP type if applicable total incoming byte...

Page 723: ...fetch specific sessions on a security device that match specific criteria that you set The session filter defines the overall data set that you can view from the Active Sessions view After you config...

Page 724: ...t number or Port Range 4 Click in the Translated tab to specify the sessions that you want to view according to Translated IP Address and Port number or Port Range 5 Click in the Protocol tab to speci...

Page 725: ...5 describes all of the information that is available from the HA Statistics view Table 65 HA Statistics View Description Item The group ID that is associated with the VSD or RTO VSD Group ID The numbe...

Page 726: ...d The sensor exists in NSM but a connection to the sensor has not yet been established RMA Equivalent to bringing the sensor into the Modeled state RMA results from an administrator selection in the U...

Page 727: ...last time the sensor connected to the NSM Device Server Latest Connect The last time the sensor disconnected from the NSM Device Server Latest Disconnect Viewing IDP Device Detail and Statistics If a...

Page 728: ...centage of used memory Mem Usage Total amount in megabytes of swap space Total Swap Amount in megabytes of used swap space Used Swap Percentage of used swap space Swap Usage Viewing IDP Process Status...

Page 729: ...The Device Statistics Summary displays the following details Details describing the sensor for example firmware version and mode Packet and flow information Table69onpage679detailsadditionalinformati...

Page 730: ...rity devices used in the VPN For example a root security device named NS5000 with an IP address of 1 1 1 1 appears as NS5000 1 1 1 1 For a Vsys 1 NS5000 1 1 1 1 1 appears FromHostname IP Vsys Domain i...

Page 731: ...nclude all selected devices TIP In the Selected Devices Vsys area by default all devices or virtual systems are included in the filter To improve system performance you can remove devices or virtual s...

Page 732: ...Active VPN Details Refer to Viewing Active VPN Information on page 663 for more information on the Active VPN Details table Viewing Device Specific VPN Information To view security device specific in...

Page 733: ...ous ARPs No of Gratuitous arps The total number of Critical events that occurred Critical Events The total number of Major events that occurred Major Events The total number of Minor events that occur...

Page 734: ...is available from the VSD counters view Table 73 VSD Counter Details Description Item The devices that are associated with the VSD or RTO Device The number of units associated with the VSD or RTO Numb...

Page 735: ...ction of the RTO In or Out Direction The number of heartbeats not received from the RTOs peers Lost Heartbeat The number of times that the RTO was placed to Active Counter to Active The number of time...

Page 736: ...ter on a given Ethernet segment retrieved from all nodes Cluster ID Whether the Cluster is in Hot standby or Load Sharing mode HA Mode Total number of IDP sensors that are associated with the cluster...

Page 737: ...to temporarily indicate as DOWN The Device Monitor still indicates that the security device is DOWN You next try to ping the security device If you are successful in reaching the device you can send a...

Page 738: ...ss The port open on the Device Server for security devices running ScreenOS 5 0 and later Read Only Device Server Manager Port The port open on the IDP Device Server for security devices IDP Device Se...

Page 739: ...tics every 300 seconds by default If you wish to change this behavior you can edit the interval using the Device Polling tab High Availability HA To configure a secondary Device Server you need to spe...

Page 740: ...have installed a primary and secondary GUI Server in a high availability configuration you can use the Server Monitor to monitor which GUI Server is currently active The Server Monitor provides two c...

Page 741: ...ed on CPU or memory utilization OK Warning Critical Down Note By default the Status field for each server appears Green OK if the usage on either the CPU memory or disk is less than 90 It appears Yell...

Page 742: ...itional Server Status Details If you are interested in monitoring additional details about your server s status you can view the Server Detail Status window by double clicking any of the servers that...

Page 743: ...ew the status of all running server processes on the GUI Server or Device Server This view is useful for troubleshooting If you are having problems with the server you can quickly identify if a specif...

Page 744: ...page 694 lists and describes the information that appears in the Process Status Table 82 Process Status Description Name Name of the GUI Server or Device Server process Name Displays if the process is...

Page 745: ...lities Description Name Provides information on peak average logging rate total log database size and average log size This utility is located on the Device Server at usr netscreen DevSvr utils logcou...

Page 746: ...xdbAuditLogConverter sh In NSM enhancements to the audit log exporter tool allow you to Invoke detailed help messages from the audit log exporter tool with xdbAuditLogConverter help Use showdiff to v...

Page 747: ...es Viewing Device Schema To view current and running schema 1 In the User Interface click Administer 2 In the navigation tree select Server Manager Schema Information The main display area displays th...

Page 748: ...Copyright 2010 Juniper Networks Inc 698 Network and Security Manager Administration Guide...

Page 749: ...ime monitor of these watch lists and the top 10 attacks within the previous hour The interval at which these lists are updated ranges from 2 minutes default rate to 30 minutes The lists are updated au...

Page 750: ...orate network while working in a conference room Normal Event Wendy holds a meeting every Tuesday at 4 00 PM in conference room A Every meeting she connects her laptop to the network and accesses docu...

Page 751: ...ate and recover from any damage For details see Stopping Worms and Trojans on page 719 Detect violations of your corporate security policy The Profiler can help you confirm suspected violations such a...

Page 752: ...ternal hosts Include Non tracked IP Profiles Maximum database size for the Profiler on each device By default the maximum database size is 3 GB db limit in MB Enables the Profiler to perform passive O...

Page 753: ...icating to www yahoo com and www cnn com as one entry in the Profiler DB You can select unlimited internal network objects You can also use the Exclude List tab to select the network objects that repr...

Page 754: ...e database size You can configure the maximum limit of the Profiler DB using the dbLimit parameter in the General tab of the Profiler Settings dialog box The default limit is the value that has been s...

Page 755: ...click on any device from the Device Manager and select IDP Profiler Stop Profiler NOTE After you stop the Profiler for a specific device the Enable Protocol Profiler setting in the device is automati...

Page 756: ...with the Source Destination IP and Source Destination MAC and Organizationally Unique Identifier OUI Use this view to quickly see which hosts are communicating with other hosts and what services are...

Page 757: ...able recorded Context When you select a context the values that your devices recorded for a selected context Value Source MAC addresses of traffic profiled Src MAC Destination MAC addresses of traffic...

Page 758: ...ongs Role All services of traffic profiled Service Type of the traffic profiled Access indicates a successful connection during which the device recorded valid requests and responses from the server t...

Page 759: ...only those items that violate the criteria that you set Configuring Permitted Objects Permitted objects are shared objects specific to the Profiler They enable you to configure objects in the Profiler...

Page 760: ...he traffic you do not want on your network take the appropriate security measures for example remove the unauthorized network components incorporate the components services into your existing corporat...

Page 761: ...de the aggregate traffic volume information from the parent application group As you move up the root of the application hierarchy you can view the total network traffic volume The Application Profile...

Page 762: ...ny of the columns that appear in the Filter Criteria A dialog box lets you add entries that match the column you selected as a criterion to filter the Profiler view The Profiler view automatically upd...

Page 763: ...e First Seen timestamp as the last 2 days Use the Last Seen setting to define a last timestamp threshold If the device logged an event and the event timestamp is before the last timestamp the event ap...

Page 764: ...Sort on any column except the Application column The Application column does not support sorting because application values are similar for each application group When you perform a sort on any other...

Page 765: ...umn Details about the selected host IP including IP Address MAC Address OUI Organizationally unique identifier a mapping of the first three bytes of the MAC address and the organization that owns the...

Page 766: ...menu to change these parameters To manually purge the Profiler DB of all records click Clear All DB This operation can take up to one minute During this time a message appears on all other connected...

Page 767: ...e from a few hours to a few weeks Setting a Baseline When you are satisfied that the Profiler has detected each host protocol and port that you want to profile you have successfully created a network...

Page 768: ...users change the default password immediately However for convenience some users leave the default configuration password unknowingly opening a security hole in the network The Profiler captures user...

Page 769: ...rate security policy does not permit SQL servers on the internal network However during a regular Microsoft update SQL applications are installed on a network server without your knowledge Because you...

Page 770: ...of the Blaster worm From the Profiler 1 Restart the Profiler 2 Select the Network Profiler to quickly see the source destination and service of traffic on your network 3 In the Service data table sel...

Page 771: ...nables you to visualize and correlate network behavior based on data collected in the Profiler Log Viewer and Report Manager You can use the Security Explorer to perform the following tasks Get a dyna...

Page 772: ...that displays the following nodes Host Displayed as an IP address Network Displayed using CIDR notation ip class 8 16 24 Protocol These include TCP ICMP and so on Attack Specific attack object name Se...

Page 773: ...ver Profiles One host or network and the context for server related traffic Every context is connected to its host network related value for example on a host is an SSL server running version 3 1 The...

Page 774: ...ve selected Reports Viewer Use the Reports tab to generate and view one of the following reports in Security Explorer Top Alarms Top Traffic Alarms Top Traffic Logs Top IDP DI Attacks Top Screen Attac...

Page 775: ...n other activities you may want to use with Security Explorer you also may need proper administrative privileges to View Profiler View Device Logs View Historical Log Reports View Devices View Shared...

Page 776: ...l information related to your point of reference Depending upon the type of icon that you select you can transition to another graph Table 89 on page 726 describes the graphs that you can transition t...

Page 777: ...an also view additional data and graphs by adding and removing additional panels to Security Explorer Use the icon to add a Security Explorer panel The new panel appears as a new tab in the main graph...

Page 778: ...Copyright 2010 Juniper Networks Inc 728 Network and Security Manager Administration Guide...

Page 779: ...tive event such as the administrator name timestamp of the change and job details You can configure each managed device to generate and export specific log records to multiple formats and locations su...

Page 780: ...for each event that matches that rule An event matches a predefined set of conditions configured on a managed device or the management system Some events generate log entries that appear in the Log V...

Page 781: ...res immediate action Alert Log entries triggered when system encounters critical conditions Critical Log entries triggered when system becomes unusable Emergency Log entries triggered when system enco...

Page 782: ...ng logs from ScreenOS andIDPdevicesaredisplayedasDevice_critical_logandDevice_warning_log Ifupgrading from an earlier release you may need to modify your action manager criteria to match the new conve...

Page 783: ...re is not supported Log Investigator analysis can only be applied to those partially structured syslogs that provide the source address and destination address in related columns Log Viewer provides o...

Page 784: ...estination except Firewall Options Table 93 Destinations of Log Entry Severities Severities Description Destination All severities The PC you use to view log entries in NSM Console Emergency Alert Cri...

Page 785: ...was dropped or terminated at the device When negotiating an IKE key the VPN client communicates with the security device Log IKE Packets to Self Creates a log entry for an SNMP packet that was droppe...

Page 786: ...ged device to report specific events to NSM Select the appropriate NSM Device Server then select the events that are logged on the device and reported to NSM The following sections detail each event N...

Page 787: ...ribes the security event that triggered the alarm Traffic alarms generate log entries that appear in the Alarm category To receive traffic alarm log entries you must Enable the device to generate traf...

Page 788: ...Inspection Alarm Log Entries on page 864 Severity Configuration Log Entries The device generates configuration log entries for events that change the configuration on the device Specifically any comm...

Page 789: ...ou must Enable the device to generate self log entries for NSM in Report Settings NSM Enable the device to send specific self log entries to NSM in Report Settings General Firewall Options For details...

Page 790: ...e 667 Ethernet Statistics The device forwards statistics for Ethernet activity on the device Ethernet statistics do not generate log entries the statistics are used by the Realtime Monitor module For...

Page 791: ...s Use SNMP settings to configure the Simple Network Management Protocol SNMP agent for the managed device The SNMP agent provides a view of statistical data about the network and the devices on it and...

Page 792: ...SNMPv1 SNMPv2c or both SNMP versions as required by the SNMP management stations For backward compatibility with earlier ScreenOS releases that only support SNMPv1 security devices support SNMPv1 by d...

Page 793: ...ends dialog box Enter appropriate data into the following fields Table 97 WebTrends Settings for Log Entries Description Field Directs NSM to forward a log to the WebTrends server Enable WebTrends Mes...

Page 794: ...s stored permanently on the NSM server until or unless it is purged by the user To store the packet data on the IDP sensor double click an IDP sensor select Report Settings in the navigation tree and...

Page 795: ...Figure 103 View Packet Data in a Log Figure 104 on page 746 provides an example of packet data 745 Copyright 2010 Juniper Networks Inc Chapter 19 Logging...

Page 796: ...ity Using Log Views on page 747 The Log Viewer includes several predefined views for critical severity attacks configuration log entries scans and other important activity This section describes how t...

Page 797: ...Viewer Integration on page 766 This section describes how to use the Log Viewer integration to jump from a log entry directly to the responsible security policy or managed device configuration Identi...

Page 798: ...pe Category Admin 13 Admin SUBCATEGORY SYS10061 SYS10062 Cluster Subcategory AUT23523 AUT23524 Dynamic Policy Evaluation Category Events 14 Events Subcategory SYS24013 SYS24014 SYS24015 ERR24016 SYS24...

Page 799: ...te Exceeded UDP Port Scan UDP Port Scan In Progress Scans Creating Custom Views and Folders A custom view enables you to organize log entries in a format that is most helpful to you Because the custom...

Page 800: ...lect Save As In the New View dialog box enter a name for the custom view enter a name for the folder that you want to save the view in and click OK The new view is displayed in the navigation tree in...

Page 801: ...egory A category is either admin alarm config custom event implicit info predefined profiler screen self sensors traffic urlfiltering or user A subcategory is an attack type Default Category Subcatego...

Page 802: ...since the beginning of the current session No Elapsed Secs Specifies if this log has associated packet data No Has Packet Data A destination port that has undergone NAT and is associated with the pack...

Page 803: ...3 and later and Junos firewall devices The Policy ID column remains empty for older logs Log Viewer Detail Panes The Log Viewer contains additional panes that provide summary and detail information fo...

Page 804: ...to top of log entry list Page up within log entry list Scroll up within log entry list Use the slider to move up or down within log entry list The farther you drag the slider from the center the faste...

Page 805: ...pecific log entry immediately Typically you use a log ID search when you have previously viewed the log entry and need to find it again quickly A value search that searches for a log entry based on th...

Page 806: ...use the Out and In buttons From left to right the time blocks are 14 days 7 days 3 days 1 day 12 hours 6 hours 3 hours 1 hour 30 minutes 1 minute Click the Out button to select the time block to the...

Page 807: ...guration log entries from that device 3 Select Tailing Logs The view jumps to the bottom of the log entry list and remains there as new configuration log entries for the device arrive they appear at t...

Page 808: ...ons Edit Use this option to set multiple filters for cell content at the same time Select to display the Filter dialog box for that column then select the columns you want to filter on To display only...

Page 809: ...Filter Set Filter Select the flag types that you want to use as the filter criteria then click OK NSM applies the filter to all log entries and displays only the log entries that match the specified f...

Page 810: ...hen applied this filter displays log entries for events that were generated or received before or at the specified end time To filter on a time period select From and To then enter the start and end d...

Page 811: ...ytes only select From and enter a value When applied this filter displays log entries for events that received or transmitted more than or equal to the specified minimum number of bytes To filter on a...

Page 812: ...e view The more columns you configure to appear in the Log Viewer the more information you can see at one time and the more you must scroll from side to side to view all columns setting fewer columns...

Page 813: ...e columns to narrow your search To configure the column settings 1 In the navigation tree select the Log Viewer module 2 From the View menu select Choose Columns NSM displays the Column Settings dialo...

Page 814: ...splayed 2 From the Filter Summary dialog box select a column on which you want to filter log entries 3 Select the filter settings you wish to apply for the specified column then click OK 4 To select a...

Page 815: ...a Log Viewer column that was selected for filtering log entries 1 Select View Filter Summary The Filter Summary dialog box is displayed 2 To clear a single column Clear the column check box that you d...

Page 816: ...ase snapshots also enable you to view previous object versions For details on database snapshots see Automatic Policy Versioning on page 514 Other options for archiving and restoring logs and configur...

Page 817: ...network Use the information in Table 105 on page 767 to determine if the attack is relevant Table 105 Irrelevant Versus Relevant Attacks Relevant Attacks Irrelevant Attacks Attack attempts to exploit...

Page 818: ...formation in table and chart format Configuring Log Investigator Options on page 770 Configure the criteria the Log Investigator uses to create the matrix including the time period Left and Top Axes s...

Page 819: ...is setting which determines data set that is used for Top Axis setting Top Axis The controlled axis for log entry data the dependent axis The Log Investigator collects log entry data for the Left Axis...

Page 820: ...nterface time to initially locate problems After you have identified the issues you want to investigate set a shorter time interval to eliminate irrelevant log entry data After you have determined the...

Page 821: ...to the data type Top Sources After the Left Axis data set has been determined the Log Investigator searches that data set for data that matches the Top Axis setting By default the Top Axis is set to...

Page 822: ...most popular source addresses are generating attacks against the most popular destinations Select the Left Axis the independent axis as Top Sources Select the Top Axis the dependant axis as Top Destin...

Page 823: ...ria for log entries and the Log Investigator filters out log entries that do not match the filter criteria Using the Filter Summary dialog box you can select and apply multiple filters to the Log Inve...

Page 824: ...level of a generated alarm User Flag Severity Alarm Filters Various Details Protocol Category Alert Roles User Application name Miscellaneous Filters NOTE For a complete list of log entry columns ava...

Page 825: ...are ready to begin investigating your log entry data Using Rows and Columns Each row or column in the Log Entry matrix represents events for a single data type When selecting a row or column you are...

Page 826: ...nternal trojan You probably need to get more details such as destination ports used and attack subcategories for the events before you can resolve the issue Table 107 on page 776 details the benefits...

Page 827: ...f attacks received by that port number Because services are mapped to specific port numbers you can use the port number to identify the service used in the attack The right pane displays a chart using...

Page 828: ...en investigating events that generate lower values To exclude a specific attack from the Log Investigator calculations right click the attack cell and select Exclude To help you keep track of excluded...

Page 829: ...hich a user is allowed to view audit logs The values are empty Audit log entries created prior to this NSM release that do not have targeted objects or devices These logs can be viewed by all NSM user...

Page 830: ...Log table The following sections describe these data management options Select Audit Log Table Use the Set Audited Activities option in the Edit menu to select read write or read only auditable activ...

Page 831: ...ield filter right click a column field and select Filter to display the filter menu options Time based column filter To create a time based filter right click a field in the Time Generated column and...

Page 832: ...hange Device View For a change made to the device itself such as adding the device autodetecting a device or rebooting a device select the audit log entry for that change in the Audit Log table then v...

Page 833: ...of free disk space on the Device Server NOTE Use the Server Manager node in the NSM UI to configure e mail notification Refer to Configuring Servers on page 688 for more information storageManager mi...

Page 834: ...ion indicating the day contained in the directory Do not attempt to archive the current day s files You can automate archival using cron To archive logs 1 Use scp to copy all directories in usr netscr...

Page 835: ...The location of the archive is user configurable from the Disk and Log Management dialog box The options are Local and Remote Local To archive logs locally specify the directory location for file sto...

Page 836: ...ault e mail address in the EMail section for the From e mail address 3 Click the Add icon to open the New Add Edit EMail Address dialog box 4 Enter the default To e mail address for all log actions in...

Page 837: ...ou want to send qualified logs NSM uses the specified server when exporting qualified log entries to the system log To actually export logs to a system log server you must select Syslog Enable using t...

Page 838: ...xporting qualified log entries to e mail These settings define the e mail and SMTP settings for the management system NOTE After editing your e mail settings you must restart the Device Server for you...

Page 839: ...qualified log records to a script you must configure the following Script Enable Script To Run Select the script you want to run from the Script To Run list For a script to appear in the list the scr...

Page 840: ...sing Filters The log2action utility generates data for a maximum of 100 000 logs NOTE If you want to generate more than 100 000 logs use the matches to return option to specify the number of logs that...

Page 841: ...n path yes yes domain a b c d n a b c d Destination IP address yes yes dst ip 0 65535 0 65535 Destination port yes yes dst port yyyymmdd 0 MAX yyyymmdd 0 MAX From Log ID To Log ID no yes log id 1 4294...

Page 842: ...mmon Filter with Multiple Entries To set a filter that displays all log entries for IDP and EX Series devices type devSvrCli sh log2action filter device family idp junos ex action csv file path tmp mo...

Page 843: ...ic Filters You can use the following required and optional format specific filters for exporting to XML Meaning Required Multiple CSV Specifies where the system should direct the output For example my...

Page 844: ...ain Version Policy Rulebase Rule Number Policy ID Action Severity Is Alert Details User App URI Elapsed Secs Bytes In Bytes Out Bytes Total Packets In Packets Out Packets Total Repeat Count Has Packet...

Page 845: ...estination port nat dst ip nat dst port protocol rule domain rule domain version policy rulebase rulenumber action severity isalert details user str application str uri str elapsed secs bytes in bytes...

Page 846: ...fy the receiving e mail address for the SMTP log records Yes Yes recipient Specify the sender e mail address No No sender Exporting to syslog The syslog action directs the system to output logs to a s...

Page 847: ...tion name device family policy id Exporting to a Script The script action directs the system to execute a script use STDIN to pass log records formatted as XML to the script and report output status Y...

Page 848: ...ts the system to try the action again for the same log When using this filter you must also specify retry interval Specifies the number of seconds until the action is tried again num retries Specifies...

Page 849: ...ing The Report Manager module in NSM is a powerful and easy to use tool that enables you to generate reports summarizing key log and alarm data originating from the managed devices in your network The...

Page 850: ...administrators and operations staff interested in tracking and analyzing specific types of information to work only within the group of reports that they need For details on each of the specific repo...

Page 851: ...801 DI IDP Reports on page 802 Screen Reports on page 803 Administrative Reports on page 804 UAC Reports on page 804 Profiler Reports on page 805 AVT Reports on page 805 SSL VPN Reports on page 805 EX...

Page 852: ...20 IP addresses that have most frequently been prevented from attacking the network during the last 24 hours Top 20 Attackers Prevented All Attacks last 24 hours 20 IP addresses that have most frequen...

Page 853: ...s listed in the Profiler over the last 7 days Profiler New Ports last 7 days New Protocols listed in the Profiler over the last 7 days Profiler New Protocols last 7 days The total number of log entrie...

Page 854: ...es generated by specific rules in your ScreenOS DI policies You can use the Top Rules report to identify those rules that are generating the most log events This enables you to better optimize your ru...

Page 855: ...tracking Table 116 AVT Reports Description Report Ten applications with highest volume in bytes in the past 24 hours Top 10 Applications by Volume Ten application categories with highest volume in byt...

Page 856: ...ibing each report refer to the Network and Security Manager Online Help My Reports Once you are comfortable using reports you can create your own custom reports to provide the exact information that y...

Page 857: ...ecting the corporate DMZ network A Top Attacks report comes predefined in IDP but the report displays attacks on the entire network and you are interested only in the DMZ To create a custom report bas...

Page 858: ...nd Security Manager Online Help Generating Reports Automatically You can generate scheduled log based reports automatically by using the guiSvrCli sh command line utility located on the NSM GUI Server...

Page 859: ...iSvr lib scripts for your convenience To use these scripts we recommend that you first copy them to usr netscreen GuiSvr var scripts and then change the permissions on the scripts so that they are bot...

Page 860: ...sendmail t Directory prefix for report directory my prefix usr netscreen GuiSvr var Report extension type my type html Mail output file Capture sent email in this file dev stdout for screen my mail_o...

Page 861: ...system and shell for example export NSMPASSWD password c Specify a guiSvrCli command string usr netscreen GuiSvr utils guiSvrCli sh generate reports report global system Top Screen Attacks script ftp...

Page 862: ...options in each report Report title Report type Columns for the report Time period Data point count Chart type You can also access the Set Report Options dialog by right clicking the chart on each rep...

Page 863: ...t of log information available Configuring the Data Point Count Typically the top 50 occurrences of each data type are displayed in each report You can configure a report to display more or fewer data...

Page 864: ...ences option in the Tools menu and select Reports In the New Preference Settings dialog box click in the Enable Warnings check box and use the up and down arrows to specify 1 000 000 as the number of...

Page 865: ...reports in NSM Example Using Administrative Reports to Track Incidents In this example firewall administrators use the Log Viewer to monitor and investigate log events They are specifically interested...

Page 866: ...ou are a security administrator responsible for implementing new rules to your firewall rulebase After you have updated the new security policy on the managed security devices in your network you want...

Page 867: ...nd optimize the rulebases implemented in your security policies Example Using EX Switch Reports to Track Configuration Changes In this example you are a switch administrator responsible for configurin...

Page 868: ...in the network operations center responsible for tracking potential network attacks You daily generate and track an Attacks By Severity report Over time you notice that the number of critical attacks...

Page 869: ...ng and configuring these reports refer to the Network and Security Manager Online Help Using the Watch List NSM lets you create and configure both a destination and a source watch list The Destination...

Page 870: ...Copyright 2010 Juniper Networks Inc 820 Network and Security Manager Administration Guide...

Page 871: ...ixes Glossary on page 823 Unmanaged ScreenOS Commands on page 849 SurfControl Web Categories on page 851 Common Criteria EAL2 Compliance on page 859 Log Entries on page 861 821 Copyright 2010 Juniper...

Page 872: ...Copyright 2010 Juniper Networks Inc 822 Network and Security Manager Administration Guide...

Page 873: ...you through activating a modeled device in the NSM User Interface Add Device Wizard The Add Device wizard guides you through importing or modeling a new device to the NSM User Interface Address Objec...

Page 874: ...the timeout process returns to normal Antivirus AV Scanning A mechanism for detecting and blocking viruses in File Transfer Protocol FTP Internet Message Access Protocol IMAP Simple Mail Transfer Prot...

Page 875: ...connectivity to the management system the device rolls back to the last installed configuration This minimizes downtime and ensures that NSM always maintains a stable connection to the managed device...

Page 876: ...d with the minimal software to support a single network service BGP Neighbor Also known as a BGP Peer BGP is a the Border Gateway Patrol dynamic routing protocol A BGP neighbor is another device on th...

Page 877: ...m the World Wide Web to provide quicker access to content for users and to increase server security Classless Routing Support for interdomain routing regardless of the size or class of the network Net...

Page 878: ...tween the configuration running on the physical device and the difference between the configuration in NSM are known as deltas Demilitarized Zone A DMZ is an area between two networks that are control...

Page 879: ...chemas for configuration inventory management logging and status monitoring DMI schemas can be updated without the need to upgrade NSM DNS The Domain Name System maps domain names to IP addresses Doma...

Page 880: ...P provides confidentiality to IP datagrams Ethernet Ethernet is a local area network LAN technology invented at the Xerox Corporation Palo Alto Research Center Ethernet is a best effort delivery syste...

Page 881: ...interface between two GSNs located in different PLMNs GPRS General Packet Radio Service A packet based technology that enables high speed wireless Internet and other data communications GPRS provides...

Page 882: ...pplication Layer Gateway ALG lets you to secure Voice over IP VoIP communication between terminal hosts such as IP phones and multimedia devices In such a telephony system gatekeeper devices manage ca...

Page 883: ...the Device Editor on a specific device and not through the central NSM Policy Manager If you select this method to manage policies on a J Series or SRX Series device the NSM Policy Manager Object Mana...

Page 884: ...networks See also DES CBC ESP AH IP Sweep An IP sweep is similar to a port scan attack Attackers perform IP sweeps by sending ICMP echo requests or pings to different destination addresses and wait f...

Page 885: ...ead of relying on rumored information from directly connected neighbors as in distance vector protocols each router in a link state system maintains a complete topology of the network and computes SPF...

Page 886: ...can deploy the GUI Server and Device Server on separate servers however the combination of the two servers is known as the management system Mapped IP Address A MIP is a direct one to one mapping of t...

Page 887: ...guring a BGP network you need to establish a connection between the current device and a counterpart adjacent device known as a neighbor or peer While this counterpart device may seem like unneeded in...

Page 888: ...routers do not track sessions except when doing NAT which tracks the session for NAT purposes PDP Packet Data Protocol PDP Context A user session on a GPRS network PDU Protocol Data Unit Peer See Nei...

Page 889: ...ces in hopes that one port will respond If a remote host scans 10 ports in 0 3 seconds the security device flags this as a port scan attack and drops the connection Preference A value associated with...

Page 890: ...at one program can use to request a service from a program located in another computer in a network Role Based Administration RBA Role based administration enables you to define strategic roles for yo...

Page 891: ...s are session table entries ARP cache entries certificates DHCP leases and IPSec Phase 2 security associations SAs S Scheduled Object A schedule object defines a time interval that a firewall rule is...

Page 892: ...m Service Object Service objects represent the IP traffic types for existing protocol standards Security devices monitor and manage network traffic using these protocols NSM includes predefined servic...

Page 893: ...tively predictable and where network design is relatively simple Status Bar The status bar is the lower section of the NSM UI The status bar displays supplemental information Subdomain A subdomain is...

Page 894: ...cify a complete device configuration The software remembers static routes until you remove them However you can override static routes with dynamic routing information through judicious assignment of...

Page 895: ...r that supports VPN tunneling the remote user as well as the organization knows that it is a secure connection All remote dial in users are authenticated by an authenticating server at the Internet Se...

Page 896: ...ir location on a physical subnetwork but through the use of tags in the frame headers of their transmitted data VLANs are described in the IEEE 802 1Q standard Virtual Private Network VPN A VPN is an...

Page 897: ...ou can configure the security device to scan any incoming Microsoft NetBIOS Session Service packets modify them and record the event as a WinNuke attack Worm A worm is a self replicating attack progra...

Page 898: ...Copyright 2010 Juniper Networks Inc 848 Network and Security Manager Administration Guide...

Page 899: ...t this command the security device displays an error message common criteria These commands define environment variables Security devices use environment variables to make special configurations at st...

Page 900: ...trol MAC address for a security device interface set mac These commands display timer settings or configure a security device to automatically execute management or diagnosis at a specified time All t...

Page 901: ...r sexually violent text or graphics Bondage fetishes genital piercing Nudist sites that feature nudity Erotic or fetish photography which depicts nudity NOTE We do not include sites regarding sexual h...

Page 902: ...rugs or abuse of other legal substances Distributing alcohol illegal drugs or tobacco free or for a charge Displaying selling or detailing use of drug paraphernalia NOTE We do not include sites that d...

Page 903: ...e Beauty and cosmetics Modeling information and agencies Glamour and Intimate Apparel Government services such as taxation armed forces customs bureaus emergency services Local government sites Politi...

Page 904: ...the group Sets itself outside of society Hate General health such as fitness and wellbeing Medical information about ailments conditions and drugs Medical reference Medical procedures including electi...

Page 905: ...buying or selling a home Real estate agents Home improvement and inspection sites Real Estate Personal professional or educational reference Online dictionaries maps and language translation sites Cen...

Page 906: ...rist information Weather bureaus Car Rentals Travel Newsgroups Opinion or discussion forums Weblog blog sites Usenet News Forums Newsgroups Opinion or discussion forums Weblog blog sites Usenet News F...

Page 907: ...on or poisonous substances Displaying or detailing the use of guns weapons ammunition or poisonous substances Clubs which offer training on machine guns automatics and other assault weapons and or sni...

Page 908: ...Copyright 2010 Juniper Networks Inc 858 Network and Security Manager Administration Guide...

Page 909: ...stalled on dedicated systems These dedicated systems must not contain user processes that are not required to operate the NSM software Guidance for Personnel There must be one or more competent indivi...

Page 910: ...Copyright 2010 Juniper Networks Inc 860 Network and Security Manager Administration Guide...

Page 911: ...larm Log Entries The Screen category contains the subcategories shown in Table 122 on page 861 Table 122 Screen Alarm Log Entries ScreenOS Message ID Attack Attacks Alert 00017 Address Sweep Attack At...

Page 912: ...IP Spoof Attack Attacks Alert 00010 Land Attack Attacks Critical 00032 Malicious URL Protection Auth Alert 00003 Multiple Authentications Failed Attacks Emergency 00007 Ping of Death Attack Policies A...

Page 913: ...30 CPU Usage High DHCP Alert 00029 DHCP Critical 00029 DHCP DNS Critical 00021 DNS Host Interface Critical 00090 Interface Failover Device Critical 00022 Hardware ARP Critical 00031 IP Conflict Loggin...

Page 914: ...e High Availability Critical 00071 NSRP VSD Master High Availability Critical 00072 NSRP VSD Pbackup OSPF Critical 00206 OSPF Packet Flood RIP Critical 207 RIP Packet Flood OSPF Critical 200 Route add...

Page 915: ...ther user CHAT AUDIT YMSG FILE SEND sos5 1 0 info This protocol anomaly is a Yahoo Messenger e mail address that exceeds the user defined maximum A Yahoo Messenger server sends an e mail address as pa...

Page 916: ...EP QTYPE UNEXPECTED sos5 1 0 info This protocol anomaly is a DNS reply with a query reply bit QR that is unset indicating a query This may indicate an exploit attempt DNS AUDIT REP S2C QUERY sos5 1 0...

Page 917: ...protocol anomaly is a DNS name that exceeds 255 characters This may cause problems for some DNS servers DNS OVERFLOW NAME TOO LONG sos5 1 0 critical This protocol anomaly is a suspiciously large NXT...

Page 918: ...ignature detects attempts to exploit a vulnerability in a LinkSys Cable DSL router Attackers may submit an overly long sysPasswd parameter within a malicious HTTP request to crash a LinkSys Cable DSL...

Page 919: ...s users but relative to for users with accounts specifying the actual bin rather than ftp bin Attackers may establish an FTP account on the system and run the site exec command to gain access to the b...

Page 920: ...crash the service or execute arbitrary code FTP EXPLOIT WIN32 WFTPD BOF sos5 1 0 medium This signature detects an attempt by an attacker to exploit a directory traversal vulnerability in the SunFTP da...

Page 921: ...ay gain write access remotely create long pathnames and overflow the buffer to gain root access FTP OVERFLOW PATH LINUX X86 1 sos5 0 0 sos5 1 0 critical This signature detects attempts to exploit a re...

Page 922: ...ccounts using easily guessed passwords FTP PASSWORD COMMON PASSWD sos5 0 0 sos5 1 0 high This signature detects attempts to use the default rootkit password h0tb0x to access a FreeBSD rootkit account...

Page 923: ...he FTP daemon uses a vulnerable version of GNU ls attackers may send an oversized width parameter to GNU ls to cause the server CPU utilization to temporarily reach 100 and exhaust system memory This...

Page 924: ...NIX and Linux systems Wu ftpd versions 2 6 1 to 2 6 18 are vulnerable Attackers may send a maliciously crafted pathname in a CWD or LIST command to the FTP server to execute arbitrary commands as root...

Page 925: ...lear its logs Attackers may use spoofed IP address to send a log clear request without authenticating HTTP 3COM LOG CLEAN sos5 0 0 sos5 1 0 high This signature detects attempts to exploit a vulnerabil...

Page 926: ...ache HTTP daemon the daemon may require a manual restart HTTP APACHE PHP INVALID HDR sos5 1 0 low By submitting a malformed HTTP GET request to an Apache server using the default configuration supplie...

Page 927: ...ings in hex code ie 2e 2e 2f in a query to access the remote administration utility password and gain full remote administration abilities HTTP CGI ALTAVISTA TRAVERSAL sos5 1 0 sos5 1 0 high This sign...

Page 928: ...loit a vulnerability in IkonBoard a popular Web based discussion board Attackers may send a maliciously crafted cookie that contains illegal characters to IkonBoard to execute arbitrary code with Ikon...

Page 929: ...stem files HTTP CGI WEBSPIRS FILE DISCLSR sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the YaBB pl CGI script Attackers may view arbitrary files HTTP CGI YABB...

Page 930: ...ver Attackers may pass a semicolon character to JRun to expose the script source code and other sensitive files HTTP COLDFUSION JRUN SC PARSE sos5 1 0 high This signature detects attempts to exploit a...

Page 931: ...us Web site appears as the destination IP address HTTP EXPLOIT IE ZONE SPOOF sos5 0 0 sos5 1 0 medium This signature detects illegal characters in a Host header field of an HTTP 1 1 request Attackers...

Page 932: ...WD REQ sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in the browse asp script supplied with Hosting Controller a tool that allows Microsoft Windows network admini...

Page 933: ...ects buffer overflow attempts against Microsoft ISAPI Indexing Service for IIS Index Server 2 0 and Indexing Service 2000 in IIS 6 0 beta and earlier versions are vulnerable Attackers may send a long...

Page 934: ...Microsoft IIS 5 0 Attackers may send malicious PROPFIND requests to the server to crash it HTTP IIS PROPFIND sos5 1 0 medium This signature detects the sadmind IIS worm attempting to infect Microsoft...

Page 935: ...e parameters on the same line as the request method This may indicate a poorly written Web application or HTTP tunneling HTTP INFO HTTPPOST GETSTYLE This signature detects attempts to bypass directory...

Page 936: ...his signature detects an attempt to gain unauthorized administrative access to an EmuLive Server4 daemon HTTP MISC EMULIVE ADMIN sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS a...

Page 937: ...his signature detects denial of service DoS attempts that exploit the Web Publishing REVLOG command in Netscape Enterprise Server 3 x HTTP NETSCAPE ENTERPRISE DOS sos5 0 0 sos5 1 0 medium This signatu...

Page 938: ...ength header HTTP OVERFLOW CONTENT LENGTH sos5 1 0 medium DI has detected a suspiciously long Content Location header HTTP OVERFLOW CONTENT LOCATION sos5 1 0 medium DI has detected a suspiciously long...

Page 939: ...D ROOT OF sos5 0 0 sos5 1 0 medium This signature detects denial of service DoS attempts against Pi3Web Server Attackers may send a URL with more than 354 Slashes to crash the server HTTP OVERFLOW PI3...

Page 940: ...ttackers may bypass user authorization to gain administrative privileges HTTP PHP GALLERY EMBED AUTH sos5 1 0 high This signature detects attempts to exploit a vulnerability in Gallery a Web based pho...

Page 941: ...rative password of the board without user verification and access restricted files on the local system HTTP PHP PHORUM ADMIN PW CHG sos5 0 0 sos5 1 0 high This signature detects access to the vulnerab...

Page 942: ...m This signature detects attempts to exploit a vulnerability in PHP Nuke AttackersmayexecutearbitrarySQLcommands on a Web server HTTP PHP PHPNUKE CID SQL INJECT sos5 0 0 sos5 1 0 medium This signature...

Page 943: ...included with the VBulletin package Attackers may run the vbull c exploit to execute arbitrary commands with Web Server user permissions HTTP PHP VBULL CAL EXEC sos5 0 0 sos5 1 0 medium Any user on th...

Page 944: ...nerable Internet Explorer users may use these malicious URLs to evade web proxies and gain direct access to the internet HTTP PROXY DOUBLE AT AT sos5 0 0 sos5 1 0 medium This signature detects attempt...

Page 945: ...a SQL injection attack However it may be a false positive Some attempts at Cross Site Scripting attacks will also trigger this signature HTTP SQL INJECTION GENERIC sos5 0 0 sos5 1 0 medium This signat...

Page 946: ...e detects the download of a maliciously crafted WinAmp playlist file Using WinAmp to open this file may execute arbitrary code HTTP STC WINAMP CDDA OF2 sos5 1 0 medium This signature detects attempts...

Page 947: ...sion 1 0 and earlier are vulnerable Attackers may navigate to any directory on the server HTTP WASD DIR TRAV sos5 0 0 sos5 1 0 medium This signature detects attempts to exploit a vulnerability in Bea...

Page 948: ...e information such as usernames passwords credit card numbers social security numbers bank accounts etc HTTP XSS HTML SCRIPT IN URL PRM sos5 1 0 medium This signature detects cross site scripting atta...

Page 949: ...ly is an IMAP reference field that is too long This may indicate a buffer overflow attempt IMAP OVERFLOW REFERENCE sos5 0 0 sos5 1 0 high This protocol anomaly is an IMAP tag field that is too long Th...

Page 950: ...EPM WRONG RHS LEN sos5 1 0 high This protocol anomaly is an EPM message with a tower length that is inconsistent with message s LHS and RHS lengths MS RPC ERR EPM WRONG TOWER LEN sos5 1 0 medium This...

Page 951: ...This protocol anomaly is too many DCE RPC ISystemActivate requests Excessive requests can cause a denial of service DoS in the RPCSS module MS RPC MSRPC ISYSACTIVATE RACE sos5 1 0 medium This signatur...

Page 952: ...protocol anomaly is label for the second level encoding of a Netbios name that contains a pointer NETBIOS NBDS BAD_LABEL_FORMAT sos5 1 0 medium This protocol anomaly is an invalid first level encodin...

Page 953: ...TBIOS NBNS INVALID HDR Z sos5 1 0 high This protocol anomaly is a label for the second level encoding of a Netbios name that has a label length larger than 63 or the label is the first label and the l...

Page 954: ...protocol anomaly is a Gnutella message with a payload type that is not defined in the Gnutella RFC P2P AUDIT GNUTELLA MESSAGE sos5 1 0 info This protocol anomaly is a Gnutella message with a payload l...

Page 955: ...use of the Direct Connect Plus Plus DC file sharing client P2P DC DC PP ACTIVE sos5 1 0 info This signature detects version checks by eDonkey 2000 a peer to peer file sharing client The eDonkey clien...

Page 956: ...e vulnerable Attackers may send a maliciously crafted DELE or UIDL request to the POP3 daemon to crash the POP3 SMTP and IMAP services POP3 DOS MDAEMON POP DOS sos5 1 0 high This protocol anomaly is a...

Page 957: ...EXT DOT CMD sos5 1 0 medium This signature detects e mail attachments with the extension com received via POP3 This may indicate an incoming e mail virus COMs executable files contain one or more scr...

Page 958: ...ved using POP3 This may indicate an incoming e mail virus HTA files are HTML application files that can be executed by a web browser Generally HTA files are not sent via e mail As a general network se...

Page 959: ...s this may indicate an incoming e mail virus Attackers may create malicious scripts tricking users into executing the file and infecting the system POP3 EXT DOT MDB sos5 1 0 high This signature detect...

Page 960: ...ers may create malicious entries tricking users into executing the file and infecting the system POP3 EXT DOT REG sos5 1 0 high This signature detects e mail attachments with the extension scr sent vi...

Page 961: ...malicious scripts tricking the user into executing the file and infecting the system POP3 EXT DOT WSC sos5 1 0 high This signature detects e mail attachments with the extension wsf received via POP3 T...

Page 962: ...s POP3 OVERFLOW BOUNDARY_OVERFLOW sos5 0 0 sos5 1 0 high This protocol anomaly is a POP3 command that exceeds 4 bytes the standard length for a POP3 command This may indicate a nonstandard POP3 client...

Page 963: ...other attacks SCAN AMAP FTP ON HTTP sos5 1 0 low This signature detects the scanner tool AMAP made by The Hacker sChoice THC AttackersmayuseTHC AMAPduring their initial reconnaissance to determine se...

Page 964: ...s PACKETS for a HP UX PA RISC instruction sequence common in buffer overflow exploits You may want to apply this signature to all non TCP traffic to your HP UX servers SHELLCODE HP UX HP NOOP 2 PKT so...

Page 965: ...SMBFS implemented in the Linux kernel Kernels 2 4 and 2 6 are vulnerable Attackers may gain root access on the target host SMB EXPLOIT LINUX TRANS2 OF sos5 1 0 medium This protocol anomaly is an empty...

Page 966: ...NETBIOS names are 16 bytes and may encode to a maximum of 34 bytes SMB NETBIOS INV SNAME LEN sos5 1 0 medium This signature detects attempts to remotely access the Windows registry Attackers may use a...

Page 967: ...hich can lead to remote code execution SMTP EMAIL EUDORA SPOOF3 sos5 1 0 medium This signature detects attempts to spoof an e mail attachment Eudora Windows 6 2 0 7 and earlier versions are vulnerable...

Page 968: ...an e mail message with an empty charset value in the MIME header to cause a denial of service DoS SMTP EXCHANGE DOS sos5 1 0 high This protocol anomaly is a BDAT command that is not chunk size SMTP EX...

Page 969: ...ripts tricking users into executing the macros and infecting the system SMTP EXT DOT ADP sos5 1 0 medium This signature detects e mail attachments that have the extension bas and were sent via SMTP Be...

Page 970: ...nature detects GRP files sent over SMTP GRP files can contain Windows Program Group information and may be exploited by malicious users to deposit instructions or arbitrary code on a target s system U...

Page 971: ...infecting the system SMTP EXT DOT JSE sos5 1 0 medium This signature detects e mail attachments that have the extension lnk and were sent via SMTP Because LNKs Windows link files can point to any prog...

Page 972: ...TP EXT DOT PCD sos5 1 0 medium This signature detects e mail attachments with the extension pif sent via SMTP This may indicate an incoming e mail virus PIFs Program Information Files are standard Mic...

Page 973: ...cute arbitrary code SMTP EXT DOT WMF sos5 1 0 medium This signature detects e mail attachments with the extension wsc sent via SMTP This may indicate an incoming e mail virus WSCs Windows Script Compo...

Page 974: ...eds actual multipart data all data is processed but unfinished boundary delimiters exist SMTP INVALID UNFIN MULTIPART sos5 0 0 sos5 1 0 high This signature detects attempts to send shell commands via...

Page 975: ...of SQLsnake a MSSQL worm SQLsnake infects Microsoft SQL Servers that have SA administrative accounts without passwords The worm sends a password list and other system information via e mail to ixltd p...

Page 976: ...maliciously crafted SMTP messages to execute arbitrary code at the same privilege level as the target typically a user Note Systems that typically carry non English e mail messages should not include...

Page 977: ...thin specified mail to and or rcpt to e mail addresses to cause Sendmail to reroute data to another program attackers receive a 550 error message SMTP RESPONSE PIPE FAILED sos5 1 0 medium This signatu...

Page 978: ...nds spam from an infected host machine TROJAN PHATBOT FTP CONNECT sos5 0 0 sos5 1 0 high This signature detects the string nongmin_cn within an SMTP header from field sent from a remote system to loca...

Page 979: ...a upon reboot VIRUS POP3 FIX2001 sos5 1 0 high This signature detects e mail attachments named Link vbs sent via POP3 This may indicate the VBS Freelink e mail virus is attempting to enter the system...

Page 980: ...soft Outlook preview pane once triggered the CHM file runs myromeo exe in the background Myromeo exe obtains e mail addresses from the Microsoft Outlook database sends infected e mail messages to all...

Page 981: ...lated files Nimda then obtains e mail addresses and sends infected messages to all addresses found using its own SMTP server VIRUS POP3 NIMDA sos5 1 0 critical This signature detects e mail attachment...

Page 982: ...irus does not carry a payload and is apparent only through a video effect VIRUS POP3 SIMBIOSIS sos5 1 0 critical This signature detects e mail attachments named Suppl doc sent via POP3 This may indica...

Page 983: ...POP3 TOADIE sos5 1 0 high This signature detects e mail attachments named 666test vbs sent via POP3 This may indicate the e mail virus TripleSix is attempting to enter the system The executed file di...

Page 984: ...POP3 This may indicate the e mail virus Zelu is attempting to enter the system disguised as the utility ChipTec Y2K Freeware Version The executed file scans available directories corrupts writeable f...

Page 985: ...e mail virus Nail to enter the system When executed the virus assigns the Microsoft Word auto dot template to a template located on an attacker Web site enabling the attacker to upload new virus code...

Page 986: ...F SMTP sos5 0 0 sos5 1 0 high This signature detects the Berbew worm as it uploads keylogger information to a listening post Berew monitors user keystrokes for financial data and reports that informat...

Page 987: ...il attachments containing the W32 Sobig E worm sent via SMTP WORM EMAIL W32 SOBIG E sos5 1 0 high This signature detects the Mimail A worm attachment in SMTP traffic After infecting a Windows based ho...

Page 988: ...TTP WORM NIMDA MSADC ROOT sos5 1 0 medium This signature detects attempts to create EML files on the system a common sign of the NIMDA worm The worm browses remote directories and creates EML files th...

Page 989: ...ew targets for infection The source IP of this log is likely infected with a variant of Santy WORM SANTY GOOGLE SEARCH sos5 1 0 high This signature detects a machine infected with the Santy worm attem...

Page 990: ...DIP DNS Notification 00004 DNS DNS Notification 00029 DNS REP System Notification 00023 Erase System Notification 00006 Hostname Interface Notification 00009 Interface MIP Notification 00021 MIP High...

Page 991: ...tion 00026 SSH SSL Notification 00035 SSL Syslog and WebTrends Notification 00019 Syslog High Availability Notification 00050 Track IP WEB Filtering Notification 00013 URL User Notification 00014 User...

Page 992: ...tion 00553 Configuration Size N A Device Connect N A Device Disconnect DHCP Information 00530 DHCP CLI DNS Information 00004 DHCP DNS System Information 00767 Generic VIP Notification 00533 VIP Svr Up...

Page 993: ...ation 00533 VIP Server Status DHCP Information 00527 DHCP Server Status NOTE For security devices running ScreenOS 5 0 x or higher Network and Security Manager does not generate information logs for d...

Page 994: ...warded prohibited state invalid rate limited or tunnel limited Interface vsys or vrouter name if applicable For log entries generated by GTP objects with Extended logging enabled you can view the foll...

Page 995: ...PART 6 Index Index on page 947 945 Copyright 2010 Juniper Networks Inc...

Page 996: ...Copyright 2010 Juniper Networks Inc 946 Network and Security Manager Administration Guide...

Page 997: ...te 76 audit logs 76 auditable activities 76 authentication server 76 AV pattern 76 backdoor rulebase 76 blocked IP 76 CA 76 catalog objects 76 channel 77 CLI based reports 77 CLI based security update...

Page 998: ...84 supplemental CLIs in devices and templates 85 SYNProtector rulebase 85 system status monitor view 85 system URL categories 85 template operations 85 traffic signature rulebase 85 troubleshoot devi...

Page 999: ...ntext 349 custom signature service binding 343 custom signature stream 256 context 350 custom signature stream context 350 custom signature supported services 345 custom signature TCP header matches 3...

Page 1000: ...ing Junos 233 configuring SRX Series 233 editing the configuration 232 IDP adding 152 Infranet Controller adding 152 Infranet Controller importing 154 J Series activating 157 J Series adding 155 J Ser...

Page 1001: ...ng 699 Data Model defined 304 importing 307 updating 305 data model defined 829 data origination icons 190 data point count configuring 772 813 data types 771 Deep Inspection activating subscription o...

Page 1002: ...132 adding multiple with CSV file 168 adding multiple with discovery rules 166 configuring 185 EX Series activating 134 136 EX Series importing 116 124 extranet adding 150 IDP sensors activating 135 I...

Page 1003: ...484 exempt rules configuring attacks 485 configuring from the Log Viewer 486 configuring match columns 485 configuring source and destination 485 entering comments 486 expanded VPN view 544 576 expor...

Page 1004: ...ng 510 deny action 447 disabling 510 negating source or destination 444 permit action 446 reject action 447 reject action changed to deny 504 rule groups 510 using MIPs as source or destination 444 VP...

Page 1005: ...ctivating with dynamic IP address 135 IKE proposals 422 IMSI prefix filter 380 information banner 57 information logs report 802 Infranet Controller clusters adding 152 importing 154 Infranet Controll...

Page 1006: ...ice from Log Viewer 766 list key parameters in templates 208 local attack object update 286 local user groups 399 local users 556 log actions about 787 csv 787 e mail 788 SNMP 787 syslog 787 xml 788 l...

Page 1007: ...7 generating a Quick Report 815 hiding and moving columns 762 integration with reports 814 linking to a device 766 log categories 758 log entry event details 753 log ID 758 log sub categories 758 pred...

Page 1008: ...bal 410 NAT Traversal 569 navigation tree 24 negating source or destination in firewall rules 444 NetScreen Redundancy Protocol See NSRP network honeypot rules configuring services 499 NetworkProfiler...

Page 1009: ...tack pattern syntax 348 custom signature attacks false positive setting 343 custom signature attacks first packet context 349 custom signature attacks IP header matches 351 custom signature attacks IP...

Page 1010: ...t profiles 703 customizing preferences 705 data viewer 708 709 filtering and sorting 712 MAC view area 715 operations on devices without IDP rules 705 setting up 701 settings 702 starting 705 stopping...

Page 1011: ...Logs 801 Top Information Logs 802 Top Rules 804 Top Self Logs 802 Top Targets Screen 804 Top Traffic Alarms 801 Top Traffic Log 801 Unified Access Control UAC 804 using to optimize rulebases 816 using...

Page 1012: ...5 using 721 usingt 724 views 721 Security Monitor about 27 using 699 security policies 429 about 28 430 assigning to a device 501 changing rule order 508 cut copy paste 508 device policy pointers 511...

Page 1013: ...tatic NAT policy 539 statistics Ethernet 740 flow 740 policy 740 status bar 25 storing log files 784 stream 256 context for custom attack object 350 stream context for custom attack object 350 sub cat...

Page 1014: ...ce viewing 658 traffic log report 801 traffic shaping about 449 DSCP class selector 450 mode 450 troubleshooting sending commands to device 674 Trust Untrust port mode 105 Trust Untrust DMZ port mode...

Page 1015: ...configuring topology 566 configuring topology full mesh 568 configuring topology hub and spoke 566 configuring topology main and branch 567 configuring topology site to site 568 configuring XAuth 569...

Page 1016: ...all rules 454 create custom category 373 custom Web categories 454 permissions to update Web categories 79 predefined Web categories 374 454 SurfControl CPA Integrated in rules 454 SurfControl SCFP We...

Reviews:

No comments

Related manuals for NETWORK AND SECURITY MANAGER 2010.3

Panasonic PT-D10000 Series Setup And Operation Manual preview
PT-D10000 Series
Brand: Panasonic Pages: 37
Xerox 850DP - Phaser Color Solid Ink Printer Installation Instructions preview
850DP - Phaser Color Solid Ink Printer
Brand: Xerox Pages: 2
Adobe CAPTIVATE 2 Use Manual preview
CAPTIVATE 2
Brand: Adobe Pages: 306
Polycom ConferenceSuite Brochure preview
ConferenceSuite
Brand: Polycom Pages: 2
Avaya one-X Deskphone Edition Installation And Maintenance Manual preview
one-X Deskphone Edition
Brand: Avaya Pages: 74
Intel 512AN_HMW User Manual preview
512AN_HMW
Brand: Intel Pages: 212
Nikon 25385 - Capture NX - Mac User Manual preview
25385 - Capture NX - Mac
Brand: Nikon Pages: 268
MACROMEDIA COLDFUSION MX 61-CFML Reference preview
COLDFUSION MX 61-CFML
Brand: MACROMEDIA Pages: 806
MACROMEDIA DIRECTOR MX-USING DIRECTOR MX Use Manual preview
DIRECTOR MX-USING DIRECTOR MX
Brand: MACROMEDIA Pages: 624
Campbell PC208W Instruction Manual preview
PC208W
Brand: Campbell Pages: 156
Tadiran Telecom Coral SeaBeam Installation And Configuration Reference Manual preview
Coral SeaBeam
Brand: Tadiran Telecom Pages: 68
HP Pro 3330 Illustrated Parts & Service Map preview
Pro 3330
Brand: HP Pages: 3
HP Pro 3400 Series Quickspecs preview
Pro 3400 Series
Brand: HP Pages: 13
HP Pro 3120 Minitower PC Manual preview
Pro 3120 Minitower PC
Brand: HP Pages: 4
HP Pro 3130 - Minitower PC Manual preview
Pro 3130 - Minitower PC
Brand: HP Pages: 4
HP Pro 3400 Series Maintenance And Service Manual preview
Pro 3400 Series
Brand: HP Pages: 210
HP Pro 3330 Maintenance & Service Manual preview
Pro 3330
Brand: HP Pages: 226
Samsung Z82 User Manual preview
Z82
Brand: Samsung Pages: 113

Brands by name

Popular brands

Load more brands