Below outlines Netcreens Attack Detection and Defense. This is by no means a full guide by acts as a general summary to the various terms and technologies. SCREEN Features legacy security protection, such as SYN, UDP and ICMP floods, Port scans and certain OS-specific DoS attacks. Deep Inspection Allows for inspection at the application layer … Read more
Below will show how to create a basic Remote Access VPN using Pre Shared Keys. This guide presumes that you already have the Netscren Remote VPN Client installed onto your local machine and was created using the following software versions : ScreenOS – 6.2.0r1.0 Netscren Remote VPN Client – 10.8.3 (Build 6) Below is an … Read more
VPN Monitoring This allows you to ping an IP address through the tunnel. In the event of the tunnel going down a SNMP trap will be generated. The settings can be found under “VPNs > AutoKey IKE > Edit > Advanced > VPN Monitor“. The “rekey” option will cause the Netscreen to continuously try and … Read more
Below shows you how to create a route based vpn upon a Netscreen firewall using the firewalls gui interface. This tutorial was created using the ScreenOS version 6.2.0r1.0. The encryption domain for this guide will be, Local Gateway : 1.1.1.1 Local Endpoint : 10.1.1.25/24 Remote Gateway : 192.168.1.107 Remote Endpoint : 172.28.16.0/24 Create Tunnel Interface … Read more
This article will show you how to backup and restore your Juniper NSM. This article was written using NSM version 2008.2r1.Within NSM the HighAvailSvr contains processes that run in both HA and non-HA mode and handles database backups and a watchdog daemon to restart NSM processes in case of failure. Backup Even though you will … Read more
IP tracking allows you to track the connectivity of critical IP`s.This allows you to change your routing based on the connectivity of configured IP`s. There are 3 main points to Track IP : If a Tracked IP becomes unreachable, the weight of the address is added to the overall failed address total. If the total … Read more
Issue Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also today`s log directory does not get created within /DevSvr/logs. Solution The NSM device server does a log tuple repair for each log received from the … Read more
Issue Logs received on the NSM are delayed by 6 minutes. The log viewer hangs for close to 6 minutes and then displays all the logs within a group. Also today`s log directory does not get created within /DevSvr/logs. Solution The NSM device server does a log tuple repair for each log received from the … Read more
Juniper introduces a new feature to the area of routing, called Virtual Routers. The model consists of: interfaces are applied to zones and zones are applied to Virtual Routers. Virtual routers allow for you to segment routing updates in and from the firewall/router. Virtual RoutersThere are 4 different types of routing tables that you can … Read more
Below are the 2 types of syslog messages. This can be useful to quickly determine on a NSM whether the logs are coming from the NSM or directly from the Firewall via syslog. Syslog from the Firewall Mar 18 17:56:52 [FW IP] [FW NAME]: NetScreen device_id=netscreen2 [Root]system-notification-00257(traffic): start_time=”2009-03-18 16:07:06″ duration=0 policy_id=320001 service=msrpc Endpoint Mapper(tcp) proto=6 … Read more
There are 3 areas with NSM. DevSvr, GuiSvr and HaSvr. The following files and paths are based on NSM 2008. Below shows the main path structure (Redhat) and what each Server (Svr) does. /usr/netscreen/DevSvr/ – DevSvr – Logging and the NSM database/usr/netscreen/GuiSvr/ – GuiSvr – NSM GUI /usr/netscreen/HaSvr/ – HaSvr – Backups and High Availability. … Read more
Source NAT Interface Based Source NAT – Allows the traffic to NAT its source IP to the IP address of the egress interface which it leaves. This feature is enabled on the interface via “NAT-Mode”. And can be disabled via using “Route Mode”. MIP – Provides a static NAT for the specified host, in which … Read more
The below is based on the netscreen ns5gt and the firefox web browser. Issue After setting up your netscreen for DDNS, in the UI of your netscreen the last response is shown as ‘not-init‘ and within the CLI it shows ‘successful updates: 0‘. To get the id of you ddns config run just the command … Read more
Rule Processing Order The general processing order is as follows, Look for a policy between the ingress and egress zones If no policy is found (in step 1), search for a Global policy If no Global policy is found and if the ingress zone is same as the egress zone, apply the intra-zone block i.e … Read more
This article was written based on the ns5gt. By default all interfaces are set to auto negotiate. Show Duplex ns5gt-> get interface trust port phy Port 1: link is up, 100 Mbps, auto negotiated to full duplex Port 2: link is up, 100 Mbps, auto negotiated to full duplex Port 3: link is up, 100 … Read more
In this article we will be looking at the various console commands available to us on the Juniper Netscreen. From entering the get command we can see the current console settings along with console session details, ns5gt-> get console Console timeout: 10(minute), Page size: 22/22, debug: buffer privilege 200, config has not been changed! ID … Read more
Have you lost, forgotten, misplaced the NSM password ?Below are the steps to reset your “super” account password, NSM 2006.x and below Log into the NSM via SSH as root Stop the NSM Server (you should be able to find the init scripts in /etc/init.d) Run the following command /usr/netscreen/GuiSvr/utils/.hashPasswd <new password>, you will receive … Read more
A great debugging tool feature on the Juniper Netscreens is snoop. Snoop is packet capturing tool which allows you to analysis your traffic on a per packet level. Below shows you a example of enabling snoop and viewing its output, 5gt->undebug all5gt->snoop5gt->snoop filter ip 10.1.1.1005gt->snoop info5gt->clear db 5gt->get db str Ok, so what do these … Read more
Interface get counter statistics Show interface statistics (CRC errors etc) get interface trust port phy Show physical ports for a certain zone get driver phy Show all link states of interfaces get counter statistics interface ethernet3 Show hardware stats on interface set interface [interface] no-subnet-conflict-check Allows you to configure multiple interfaces in the same IP … Read more
This guide will show you how to create a policy based VPN on a Netscreen firewall. The encryption domain will be, Local Gateway : 2.2.2.2 Local Endpoint : 10.1.1.0 /24 Remote Gateway : 1.1.1.1 Remote Endpoint : 192.1.1.0 /24 1. Log into the Netscreens GUI 2. Click VPNs > Autokey IKE (Autokey IKE Screen is … Read more
In order to debug and obtain output for the traffic flow through the Netscreen, you will need action a couple of commands, these are shown below, 5gt-> unset ff filter 0 removed 5gt-> undebug all 5gt-> clear db 5gt-> set ff dst-port 8080 filter added 5gt-> debug flow basic 5gt-> get db str Below shows … Read more
Heres a couple of issues I ran into when adding some devices to the NSM, When trying to enable NSM via the GUI you get “No initial ID configured. NSM agent remains disabled” The communication between nsm and screenos is based on public key authentication. You don’t have to enable NSM manually. Cant import the … Read more
Below shows you the various MSS settings that can be set via the CLI, MSS of netscreen – set tcp mss 1460 MSS for VPN traffic – set flow tcp-mss 1460 MSS for clear traffic – set flow all-tcp-mss 1460
Below shows you how to configure basic NSRP cluster, prior to below you would of needed to configure your interfaces. Node A set nsrp rto-mirror syncset nsrp monitor interface eth1set nsrp monitor interface eth3set nsrp cluster id 1set nsrp vsd-group id 0 priority 100save Node B set nsrp rto-mirror syncset nsrp monitor interface eth1set nsrp … Read more
Below is how to set up the basic configuration on a Netscreen firewall.Also bear in mind that if you are setting up a NSRP cluster, be sure to set the management IP to a different IP to the management interface. set hostname myfirewallset ssh enable set admin name rootset admin password mypasswordset admin manager-ip 192.168.1.1 … Read more