ScreenOS 6.3 22 8
Agenda
- NAT
- Routing
- IPsec
- UTM
- Authentication
- IPv6
- ISG-IDP
NAT
IKE & IPsec NAT-T (IKE & IPsec ALG): NAT (DIP Src-NAT) with Policy Service IKE-NAT handled by the IKE ALG. WebUI: Security > ALG > IPSEC, IPSEC Pinhole Lifetime (Default: 30)
TCP Notification: TCP reset on Notify Connection Close (CLI)
TCP Notification requires TCP SYN check (per-zone TCP reset); on ISG / NS5000 also TCP sequence check:
    set flow tcp-syn-check          TCP SYN check
    unset flow no-tcp-seq-check     TCP sequence check
Proxy ARP: Proxy ARP entry (MAC / IP) for Dst-NAT addresses, also per VSYS / VSD:
    set arp nat-dst                 Proxy ARP for the Dst-NAT IP Address Range
VIP Dst-NAT Port Shift: a VIP port-range mapped onto a server port-range:
    set interface <I/F> vip <IP> port-range <xx-xx> server-ip <IP> port-range <xx-xx>
Example:
    set interface eth0/0 vip 1.1.1.1 port-range 10001-10010 server-ip 192.168.1.10 port-range 10101-10110
    1.1.1.1:10001 -> 192.168.1.10:10101
    1.1.1.1:10002 -> 192.168.1.10:10102
    ...
    1.1.1.1:10010 -> 192.168.1.10:10110
Routing
DSCP marking of ScreenOS self-generated traffic: BGP, OSPF, RIP, RIPNG, TELNET, SSH, WEB, TFTP, SNMP, SYSLOG, WEBTRENDS (10 50)
Incoming QoS: DSCP-based QoS for incoming traffic, set per QoS Policy
IPsec
Proxy-ID: multiple Proxy-IDs per VPN. WebUI: VPN > AutoKey IKE > Advanced: Proxy-ID Check; VPN > AutoKey IKE > Proxy ID
Diffie-Hellman key: IKEv1 Diffie-Hellman Group 19 / 20 in Proposal (Group19, Group20)
Auto Connect VPN (AC-VPN): Hub & Spoke; spoke-to-spoke VPN set up via the Hub with NHRP; Hub VPN monitor and Hub Down handling
[Figure: Auto Connect VPN topology with Hub(Master), Hub(Backup), Spoke 1, Spoke 2, Host A, Host B; Spoke1-Spoke2 VPN via Hub(Master) with Hub(Backup) failover]
UTM
AV: virus description URL included in the log:
    2010-06-22 15:32:15 system warn 00547 AV: VIRUS FOUND: 192.168.1.123:4933->172.17.1.10:25 file _Fromebihara_nox.co.jp Dateebihara_nox.co.jp Subj B k_9_f virus EICAR-Test-File, virus description: http://www.viruslist.com/en/search?vn=eicar-test-file
WF: Web Filtering Profile
WF: Profile Priority:
    2010-07-06 17:07:18 system warn 00769 UF-MGR: URL BLOCKED: USER: user1 192.168.1.123(1249)->219.127.73.208(80) www.nox.co.jp/ CATEGORY: NOX REASON: BY_USER_DEFINED PROFILE: nox-profile
AV/WF: AV database extended / itw / standard (3 types), Juniper Full AntiVirus Database. Web Filtering profiles on SSG520/550:
              6.2    6.3
    SSG520    25     300
    SSG550    50     300
SNMPv3
Interface Disable:
    SSG140-> set interface ethernet0/0 disable
    Admin status for interface ethernet0/0 has been changed to disable
    SSG140->
    SSG140-> get in
    A - Active, I - Inactive, U - Up, D - Down, R - Ready
    H - IPv6 Host Mode, O - IPv6 Router Mode
    Interfaces in vsys Root:
    Name     IP Address        Zone    MAC/INT-ID        VLAN   State   VSD
    eth0/0   192.168.1.1/24    Trust   0017.cb4c.6b00    -      D       -
    eth0/1   0.0.0.0/0         DMZ     0017.cb4c.6b05    -      D       -
    (D = Down)
Log Serial Number (CLI): set log serial-number enable
    Jun 22 20:02:45 172.17.9.18 18 SSG140: NetScreen device_id=0185012007000415 [Root]system-information-00767: System configuration saved
USB config load: set env config=usb:my-config.txt (loads my-config.txt from USB at boot):
    System config (4023 bytes) loaded from USB.
    Load System Configuration......Disabled licensekey auto update...refresh user list...done
    system init it done..
Authentication
Web Auth HTTP ports: 80, 8000/8001, 8080/8081, 8100, 8200, 8888, 9080, 3128
IPv6
IPv6: OSPFv3; DNS AAAA over IPv4; Link PPP; DHCPv6 IPv6 DNS (CPE)
ISG-IDP
IDP IPv6 (NSM): Any-IPv6 address object, IPv6 logs. Security module (sm) commands:
    get session sm-slot <slot-id> sm-cpu <cpu-no>
    scio const set sc_enable_cpu_usage 1      SM CPU usage
SM core save to RAM / Flash / CF: set sm-ctx coresave. SM CPU usage via SNMP. Multicast IDP: set flow multicast idp
Scripting Tool (exec / save):
    SSG140-> set script record
    SSG140(sgc: recording)-> exec ntp update
    SSG140(sgc: recording)-> save
    SSG140(sgc: recording)-> exit record
    SSG140->
    SSG140-> get script command
    Script command:
    -------------------------------
    exec ntp update
    save
    -------------------------------
Boot Loader Upgrade via TFTP (Hit any key to run loader):
    Serial Number [0185072009000149]: READ ONLY
    HW Version Number [1010]: READ ONLY
    Self MAC Address [0024-dcdd-1c80]: READ ONLY
    Boot File Name [Loadssg140v325.d]: ssg140.6.3.0r1.0
    Self IP Address [192.168.1.1]: 192.168.1.1
    TFTP IP Address [192.168.1.100]: 172.17.9.3
    IP MASK [255.255.255.0]: 255.255.255.0
    GW IP Address [1.1.1.100]: 192.168.1.254
Boot loader file per platform:
    SSG5      v133.d
    ISG1000   v103.d
    SSG140    v325.d
    SSG300    v308.d
    ISG2000   v117.d
    NS5000    v104.d
    SSG500    v107.d
Boot Loader Version shown by get system:
    SSG140-> get system
    Product Name: SSG-140
    Serial Number: 0185072009000149, Control Number: ffffffff
    Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 6.3.0r3.0, 0 Type: Firewall+VPN
    Feature: AV-K
    BOOT Loader Version: 3.2.5
    Compiled by build_master at: Wed Mar 31 20:59:15 PDT 2010
    Base Mac: 0024.dcdd.1c80
    File Name: ssg140.6.3.0r3.0, Checksum: ae2c7a1b, Total Memory: 512MB
NetScreen Redundancy Protocol (NSRP): get nsrp gains an uptime column.
<previous>
    VSD group info:
    init hold time: 5
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig master PB other members
        0     100     no      3      no    myself 11212160
    total number of vsd groups: 1
    Total iteration=363,time=3753794,max=71748,min=7506,average=10341
<OS6.3>
    VSD group info:
    init hold time: 8
    heartbeat lost threshold: 3
    heartbeat interval: 1000(ms)
    master always exist: disabled
    group priority preempt holddown inelig master PB other members myself uptime
        0     100     no      3      no    myself 11212160 00:04:11
    total number of vsd groups: 1
    Total iteration=589,time=5611290,max=86530,min=3349,average=9526
Track-IP Timeout: I/F Monitor / NSRP Track-IP ICMP Timeout configurable 1-60 (Default 1)
Policy install hold-interval (CLI), 0-10:
    set policy install hold-interval <n>
    set policy install hold-interval 1       1
    set policy install hold-interval 10      10
ISG limits:
    ISG1000        512    4096
    ISG2000        1024   4096
    ISG/NS5000     2048   4096
    Ipsec-nat alg  180    3600
SSG550 VPN: 1000 / 2048; SNMP: 1 / 40 64; NetScreen 5000 BGP redistributable routes: 6000 / 17000
Thank you