NETSCREEN-GLOBAL PRO™ POLICY MANAGER TUTORIAL Version 4.1 P/N 093-0932-000 Rev. C
Post on 24-Jul-2020

Product License Agreement

Licenses, Copyrights, and Trademarks

THE SPECIFICATIONS REGARDING THE NETSCREEN PRODUCTS IN THIS DOCUMENTATION ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS DOCUMENTATION ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR USE AND APPLICATION OF ANY NETSCREEN PRODUCTS. NO PART OF THIS DOCUMENTATION MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES, INC.

NETSCREEN-GLOBAL PRO LICENSE AGREEMENT

PLEASE READ THIS LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING THE NETSCREEN-GLOBAL PRO PRODUCT ACCOMPANYING THIS AGREEMENT, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS AGREEMENT, ARE CONSENTING TO BE BOUND BY ITS TERMS, AND ARE BECOMING A PARTY TO THIS AGREEMENT. THIS AGREEMENT IS A VALID AND BINDING OBLIGATION ON YOU. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.

This is a license, not a sales agreement, between you, as an end user, and NetScreen Technologies, Inc. (“NetScreen”), as the owner and provider of the “NetScreen-Global PRO Product”. The NetScreen-Global PRO Product consists of NetScreen-Global PRO Realtime Monitor, NetScreen-Global PRO Data Collector, NetScreen-Global PRO Policy Manager, NetScreen-Global PRO Realtime Monitor Console, NetScreen-Global PRO Policy Manager Console, and third party software licensed or sublicensed, to you, as part of a single system for use within a single network. The NetScreen-Global PRO Product is pre-installed and delivered to you on a dedicated Sun Microsystems, Inc. Netra® server. For purposes of this Agreement, the term “security device” means NetScreen network security hardware devices purchased and used by you.

Any and all documentation and all software releases, corrections, updates, and enhancements that are or may be provided to you by NetScreen shall be considered part of the NetScreen-Global PRO Product and be subject to the terms of this Agreement.

1. License Grant. Subject to the terms of this Agreement, NetScreen grants you a limited, non-transferable, non-exclusive, revocable license and right to the following:

a. Number of Security Devices. The NetScreen-Global PRO Product, and all components thereof, is licensed to you for use within a single network with up to 25 or 100 security devices, as indicated on the license certificate purchased by you from NetScreen.

b. Use of Components. To use, on the server provided, one (1) copy of NetScreen-Global PRO Realtime Monitor, NetScreen-Global PRO Data Collector, and NetScreen-Global PRO Policy Manager, to manage up to 25 or 100 security devices, as indicated on the license certificate provided to you by NetScreen. These components are provided on a single Sun Microsystems, Inc. Netra® server and cannot be used as separate products.

c. Use of Consoles. To use, for purposes of administration, monitoring, and reporting, the NetScreen-Global PRO Realtime Monitor Console and the NetScreen-Global PRO Policy Manager Console, which may be installed on an unlimited number of user desk-top machines.

d. Use Within a Single System and Network. The foregoing rights are granted only to you and your users engaged in the management and administration of network security of a single network. Each component of the NetScreen-Global PRO Product must be used in combination with one another (i.e., a single system), on a single network, and in the manner set forth in the applicable documentation. The NetScreen-Global PRO Product is considered “in use” when its software is loaded into permanent or temporary memory (i.e. RAM) or when the software preinstalled on the server is invoked. For purposes of this Agreement, the term “user” or “users” means your employees, contractors, and consultants performing services for you in connection with your networks. Other than the rights granted in this paragraph (d), no right to copy, distribute, or sell, and no other right to install and use the NetScreen-Global PRO Product, or any component thereof, is granted to you.

e. Create Backup. No backup copy of NetScreen-Global PRO Product is permitted.

2. Limitation on Use. You are only licensing the rights set forth above to the NetScreen-Global PRO Product. You may not engage in activity designed (or otherwise attempt), and if you are a corporation will use your best efforts to prevent your employees and contractors from engaging in activity designed (or otherwise attempting): (a) to modify, translate, reverse engineer, decompile, disassemble, create derivative works of, or distribute the NetScreen-Global PRO Product (or any component thereof) and the accompanying documentation; (b) to distribute, sell, transfer, sublicense, rent, or lease any rights in the NetScreen-Global PRO Product (or any component thereof) or accompanying documentation in any form to any person; or (c) to remove any proprietary notice, product identification, copyright notices, other notices or proprietary restrictions, labels, or trademarks on the NetScreen-Global PRO Product, documentation, and containers. The NetScreen-Global PRO Product is not designed or intended for use in online control of aircraft, air traffic, aircraft navigation or aircraft communications; or in the development, design, construction, operation or maintenance of nuclear, chemical, or biological weapons of mass destruction or any nuclear facility. You warrant that you will not use or redistribute the NetScreen-Global PRO Product (or any component thereof) for such purposes.

ii NetScreen-Global PRO Policy Manager Version 4.0


3. Procedure for Creating and Installing Unique Keys for NetScreen-Global PRO. NetScreen takes certain precautions such as the use of a “secure room”, coded access and other procedures identified in the accompanying NetScreen-Global PRO Product documentation in delivering the NetScreen-Global PRO Product with a private key to authenticate NetScreen-Global PRO Product shipped to you during the setup of Transport Layer Security (TLS). It is recommended that you obtain a secure key or digital certificate from a separate third party or Certificate Authority for the protection of your network. NETSCREEN MAKES NO WARRANTIES, EXPRESS OR IMPLIED, WITH RESPECT TO THE PROCEDURES USED TO CREATE OR THE VALIDITY OF THE SECURE KEY DELIVERED WITH THE NETSCREEN-GLOBAL PRO PRODUCT, OR WHETHER OR NOT THE SECURE KEY CAN OR CANNOT BE COMPROMISED. NETSCREEN DISCLAIMS ALL WARRANTIES RELATED TO SUCH KEY, INCLUDING MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

4. Proprietary Rights. All rights, title and interest in and to, and all intellectual property rights, including copyrights, in and to the NetScreen-Global PRO Product and documentation, remain with NetScreen. You acknowledge that no title or interest in and to the intellectual property associated with or included in the NetScreen-Global PRO Product and NetScreen products is transferred to you and you will not acquire any rights to the NetScreen-Global PRO Product except for the license as specifically set forth herein.

5. Term and Termination. The term of the license is for the duration of NetScreen's copyright in the NetScreen-Global PRO Product. NetScreen may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to NetScreen. The provisions of this Agreement, other than the license granted in Section 1 (“License Grant”) shall survive termination.

6. Limited Warranty. For a period of ninety (90) days after delivery to you, NetScreen will repair or replace any defective NetScreen-Global PRO Product (excluding the Sun Microsystems, Inc. Netra® server) shipped to you, provided it is returned to NetScreen at your expense within that period. NetScreen warrants to you that the NetScreen-Global PRO Product (excluding the Sun Microsystems, Inc. Netra® server) will substantially conform with NetScreen's published specifications for that product if properly used in accordance with the procedures described in documentation supplied by NetScreen. For a period of one year after delivery to you, NetScreen will replace any defective Sun Microsystems, Inc. Netra® server shipped to you as a component of this Product, provided it is returned to NetScreen at your expense within that period.

NetScreen's exclusive obligation with respect to non-conforming product shall be, at NetScreen's option, to repair or replace the product or use commercially reasonable efforts to provide you with a correction of the defect, or to refund to you the purchase price paid for the unit. Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen to enable it to verify, diagnose, and correct the defect. For returned product, you shall notify NetScreen of any nonconforming product during the warranty period, obtain from NetScreen a return authorization for the nonconforming product, and return the nonconforming product to NetScreen's factory of origin with a statement describing the nonconformance.

The warranties set forth above shall not apply to any product which has been modified, repaired or altered, except by NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents.

THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE NETSCREEN-GLOBAL PRO PRODUCT, INCLUDING THE SUN MICROSYSTEMS, INC. NETRA® SERVER, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT WARRANT THAT THE NETSCREEN-GLOBAL PRO PRODUCT, OR THE SUN MICROSYSTEMS, INC. NETRA® SERVER, IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION.

7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL, SPECIAL, OR PUNITIVE DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, REVENUE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED OR AFFECTED BY THE USE OF THE NETSCREEN-GLOBAL PRO PRODUCT OR THE SUN MICROSYSTEMS, INC. NETRA® SERVER.

IN NO EVENT WILL NETSCREEN'S OR ITS LICENSORS' AGGREGATE LIABILITY CLAIMED BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR NETSCREEN-GLOBAL PRO PRODUCT AND THE SUN MICROSYSTEMS, INC. NETRA® SERVER. Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.


NetScreen shall take reasonable efforts to follow your instructions with regard to any Information contained on a Sun Microsystems, Inc. Netra® server returned for repair or replacement. HOWEVER, IN NO EVENT WILL NETSCREEN BE LIABLE TO YOU WITH REGARD TO ANY CLAIM ARISING FROM THE BREACH OF ANY INFORMATION CONTAINED ON A SUN MICROSYSTEMS, INC. NETRA® SERVER RETURNED TO NETSCREEN OR NETSCREEN MANUFACTURER.

8. Export Law Assurance. You understand that the NetScreen-Global PRO Product is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE NETSCREEN-GLOBAL PRO PRODUCT OR ANY UNDERLYING INFORMATION OR TECHNOLOGY, EVEN IF TO DO SO WOULD BE ALLOWED UNDER THIS AGREEMENT, EXCEPT IN STRICT COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS. Specifically, you agree that you are responsible for obtaining licenses to export, re-export, or import NetScreen-Global PRO Product. The NetScreen-Global PRO Product may not be downloaded, or the NetScreen-Global PRO Product otherwise exported or re-exported (i) into, or to a national or resident of, Cuba, Iraq, Iran, North Korea, Libya, Sudan, Syria, or any country to which the U.S. has embargoed goods; or (ii) to anyone on the U.S. Treasury Department's lists of Specially Designated Nationals, Specially Designated Terrorists, or Specially Designated Narcotic Traffickers, or otherwise on the U.S. Commerce Department's Table of Denial Orders.

9. U.S. Government Restricted Rights. The NetScreen-Global PRO Product is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7202-1(a) and 227.7202-3(a) (1995), DFARS 252.227-7013(c)(1)(ii) (OCT 1988), FAR 12.212(a)(1995), FAR 52.227-19, or FAR 52.227-14(ALT III), as applicable.

10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.

11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules, shall govern this Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other agreements, advertisements, or understandings with respect to the NetScreen-Global PRO Product and documentation. This Agreement may not be modified or altered, except by written amendment which expressly refers to this Agreement and which is duly executed by both parties.

You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.

Copyright Notice

Copyright© 1998-2003 NetScreen Technologies, Inc.

All rights reserved. Printed in USA.

Trademarks

NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5, NetScreen-5XP, NetScreen-10, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote, GigaScreen ASIC, and ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc.

All other company and product names referenced in this documentation are the trademarks of their respective owners.


Contents

Preface .......... i
  Purpose .......... i
  Intended Audience .......... i
  Assumptions .......... i
  Scope .......... i
  Content and Organization .......... ii
  Document Conventions .......... iii
  Related Publications .......... iii
  Publication Table .......... iii

Chapter 1 Introduction .......... 1
  About this Chapter .......... 1
    Assumptions and approach .......... 1
    Background Information .......... 1
    Other Information .......... 1
  NetScreen-Global PRO Management Systems .......... 2
    NetScreen-Global PRO Product Line .......... 2
  Policy Manager Components and Features .......... 2
    Key Features .......... 2

Chapter 2 Starting the Policy Manager Console .......... 5
  About this Chapter .......... 5
    Assumptions and approach .......... 5
    Background Information .......... 5
    Procedural Information .......... 5
    Other Information .......... 5
  System Requirements .......... 6
  Installation Steps .......... 6
  Installing the Policy Manager .......... 7
  Logging On - Initial login .......... 10
  Understanding and Creating a Policy Domain .......... 12
  Basic Operations - Changing the Background File .......... 14

Chapter 3 Adding and Configuring VPNs .......... 15
  About this Chapter .......... 15
    Assumptions and approach .......... 15
    Background Information .......... 15
    Procedural Information .......... 15
    Other Information .......... 15
  Understanding VPNs .......... 16
  Policy Manager and VPN Management .......... 17
    VPN Tunnel Creation and Configuration .......... 17
    VPN Connection Options .......... 18
    Security and Encryption Options .......... 18
    Other Facilities .......... 18
  VPN Requirements - Problem Statement .......... 19
  Before Configuring VPNs .......... 19
    Designing the Network Topology .......... 19
  Adding Devices and Protected Resources .......... 21
    Analyzing VPN Configuration Requirements .......... 28
  Adding and Configuring VPNs .......... 32
    Adding a VPN (All Main or Full Mesh) .......... 32
    Adding a Main and Branch VPN .......... 35
    Adding a Hub and Spoke VPN .......... 36

Chapter 4 Adding Remote VPN Users .......... 37
  About this Chapter .......... 37
    Assumptions and approach .......... 37
    Background Information .......... 37
    Procedural Information .......... 37
    Other Information .......... 37
  Understanding Remote VPN Access .......... 38
  Policy Manager and Remote VPN Access .......... 38
  Adding Users and User Groups .......... 40
  Configuring Remote VPN Access .......... 43

Chapter 5 Creating Access Policies .......... 45
  About this Chapter .......... 45
    Assumptions and approach .......... 45
    Background Information .......... 45
    Procedural Information .......... 45
    Other Information .......... 45
  Understanding Security Policies .......... 46
  NetScreen Policy Builder and Security Policies .......... 46
    Policy Types in NetScreen Policy Builder .......... 46
  Policy Requirements and Policy Builder Solution .......... 47
  Defining the Access Filters Policy .......... 47
  Applying Access Filters to NetScreen Devices .......... 52
    Creating the Device Group .......... 53
    Applying Access Filters to Device Groups .......... 55

Chapter 6 Creating Admin Role Rules .......... 57
  About this Chapter .......... 57
    Assumptions and approach .......... 57
    Background Information .......... 57
    Procedural Information .......... 57
    Other Information .......... 57
  Understanding Admin Roles Policy Type .......... 58
  Admin Roles Requirements - Problem Statement .......... 58
  Adding the Admin Users .......... 59
  Adding and Configuring Admin Role Rules .......... 60
    Adding Admin Role Rules .......... 60
    Configuring Admin Role Rules - NOC ADMINs .......... 61
    Viewing Admin Roles Configuration Summaries .......... 64
    Applying Policy Rules to Admins/Admin Groups .......... 65
  Logging On as New Admin User(s) .......... 66

Chapter 7 Updating Devices .......... 67
  About this Chapter .......... 67
    Assumptions and approach .......... 67
    Background Information .......... 67
    Procedural Information .......... 67
    Other Information .......... 67
  Understanding Policy Manager’s “Update Devices” .......... 68
    Advantages and Benefits .......... 68
  Before Updating - Disaster Recovery Preparation .......... 69
  Updating Devices .......... 70
    Viewing Update Results .......... 72

Chapter 8 Conclusion and Exit .......... 73
  About this Chapter .......... 73
    Assumptions and approach .......... 73
    Background Information .......... 73
    Procedural Information .......... 73
    Other Information .......... 73
  Concluding Remarks .......... 74
  Terminating a Session - Log Out Versus Exit .......... 75
    Backing Up a Policy Domain .......... 75
    Logging Out of the Policy Domain .......... 77
    Closing the Policy Manager Console .......... 77

Appendix A Glossary .......... 79


List of Procedures

List of Procedures

To add a new user group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

To add Admin Role Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .60

To add and configure the access filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .49

To add members to a group (Remote VPN Group 1): . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42

To add new VPN users: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .40

To add Protected Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25

To add the NetScreen devices: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .21

To apply rules in ASIA ADMINs policy to ASIA ADMIN GROUP . . . . . . . . . . . . . . . . . . . . . . . . . . .65

To apply rules in NOC ADMINs policy to ASIA ADMIN GROUP . . . . . . . . . . . . . . . . . . . . . . . . . . .65

To apply the access policy to NetScreen devices or device groups . . . . . . . . . . . . . . . . . . . . .55

To back up a Policy Domain: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75

To build (add) a VPN between Protected Resources: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .32

To change the background view in the Viewing panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .14

To close the Policy Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .77

To configure access limitations in ASIA ADMINs policy: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .62

To configure IP addresses and firewalls (General page) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .23

To configure the NOC ADMINs policy: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .61

To create the device group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53

To create your Policy Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12

To download and save a Running Config: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69

Policy Manager Tutorial 1


List of Procedures

To install the Policy Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

To install the Policy Manager Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

To Log on as a new Admin user (NOC ADMIN-1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

To log on to the Policy Manager Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

To log out of the Policy Manager: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

To modify an existing VPN to create a Hub and Spoke VPN: . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

To modify an existing VPN to create a Main and Branch VPN: . . . . . . . . . . . . . . . . . . . . . . . . . 35

To provide remote VPN access for a user group: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

To provide remote VPN access for a user: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

To select the Access Filters policy type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

To update a device: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

To view a summary configuration of an Admin Roles policy . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

To view the Update Report: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

2 NetScreen-Global PRO Policy Manager Version 4.0


Preface

PURPOSE This document is designed to familiarize new users with the NetScreen-Global PRO™ Policy Manager (Policy Manager). It is organized in the form of a tutorial and provides a logical sequence of use case examples that utilize key features supported by the Policy Manager application.

INTENDED AUDIENCE

System administrators, network management, and network operations personnel who are new to NetScreen Policy Manager, or are interested in evaluating the system for their environment.

ASSUMPTIONS

It is assumed that the Policy Manager server is already installed and running. Otherwise, you cannot install the client component, called the Policy Manager Console, and run the tutorial. Procedures to install the Policy Manager are fully documented in “NetScreen-Global PRO™ Policy Manager Installer & User’s Guide.”

Note: NetScreen® devices are not required to complete the configurations that appear in this tutorial.

SCOPE

The tutorial describes the key features of the Policy Manager and shows you how to perform the following tasks:

• Install the Policy Manager Console.

• Log on to the Policy Manager with “root” or super user privileges.

• Understand and define a Policy Domain.

• Add and configure NetScreen devices for different VPN options.

• Add remote VPN users to your VPNs.

• Add and configure security (access) policies and apply the settings to your NetScreen devices.

• Add users (Admins) and define access privileges.

• Update your NetScreen devices to maintain settings you configured.

• Log out and exit the Policy Manager Console.


CONTENT AND ORGANIZATION

The contents of this tutorial are organized as follows:

• Introduction, describes Policy Manager and lists its key features.

• Starting the Policy Manager Console, describes how to install the Policy Manager Console and log on to the system. Introduces Policy Domains, Arbitrators, and the Update Manager as they appear during log on.

• Adding and Configuring VPNs, shows the ease with which you can create and then add/reconfigure VPNs. A sample network topology is presented and procedures to add and configure the required devices, Protected Resources, and VPNs, are provided.

• Adding Remote VPN Users, shows how to provide remote users access to a VPN by adding/configuring Users and User Groups and then adding them to VPNs configured earlier.

• Creating Access Policies, describes how to create security policies and access filters in the Policy Manager and mass produce the configurations on NetScreen devices. Emphasizes policy access filters procedures to define and configure access filters on devices created earlier.

• Creating Admin Role Rules, defines an Admin Role rule and its role in configuring access levels to Policy Manager commands by network administrators. Provides procedures to create a User Group, add users to the Group, and define access levels in the Admin Roles policy.

• Updating Devices, describes how to update device settings in the Policy Manager and apply the settings to the device. Describes tools to back up and restore device configurations.

• Conclusion and Exit, explains the difference between Exit and Logout, and provides a brief recap of material covered in the document.

• Glossary. Applicable technical terms and acronyms are either described as they appear, or defined in the Glossary.

• Index.


DOCUMENT CONVENTIONS

Font Styles Font styles used to differentiate text that is displayed by an interface and text that is selected or typed by the user are as follows:

PUBLICATION TABLE

Font: Bold
Usage: User selection. Item selected by the user from a window.
Example: In the main window, select File>>Exit>>OK.

Font: Italics
Usage: Emphasis. Indicates a new term or a document title.
Example: For more information, refer to Policy Manager User’s Guide.

Font: >>
Usage: The double chevron (>>) is used as a command separator.
Example: In the main window, select File>>Exit>>OK.

Font: monospaced
Usage: Screen text. Text displayed in a command line or application interface such as a window, dialog box, or web page.
Example: The IP Address field displays Conf when the NetScreen device is configured.

Font: <monospaced italics>
Usage: Screen text variable. Text displayed in a command line or application interface.
Example: Locate <name>: <passwd>, where <name> is the name of the Admin you are deleting.

Font: monospaced bold
Usage: User input. Text typed at a command line or application interface.
Example: At the prompt, type accept to agree to the terms and conditions of the license agreement.

Font: <monospaced bold italics>
Usage: User input variable. Text entered at a command line or application interface.
Example: At the prompt, type cd <HTTP_ROOT>, where <HTTP_ROOT> is the root directory on your Policy Manager Console.

RELATED PUBLICATIONS

• NetScreen ScreenOS Concepts & Examples Reference Guide

• NetScreen-Global PRO™ Policy Manager Installer & User’s Guide

• NetScreen-Global PRO Express Realtime Monitor Console Installer & User’s Guide

P/N 093-0932-000 NetScreen-Global PRO Policy Manager Version 4.1 Policy Manager Tutorial

Version 4.1 Rev. C Thursday, April 03, 2003 3:40 pm


Chapter 1

Introduction

ABOUT THIS CHAPTER This chapter describes the NetScreen-Global PRO Policy Manager and introduces some of the key features of the product.

Assumptions and approach Material in this chapter assumes that you are a system administrator (Sys Admin) or a technical manager seeking to become familiar with the Policy Manager and the operational benefits that it offers.

The following background information is provided to aid you in this process.

Background Information • "NetScreen-Global PRO Management Systems" on page 2

• "Policy Manager Components and Features" on page 2.

Other Information In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


Chapter 1 Introduction

NETSCREEN-GLOBAL PRO MANAGEMENT SYSTEMS The NetScreen-Global PRO line of security management systems offers enterprises and service providers the necessary tools to manage NetScreen’s integrated security systems and appliances across the network. The suite includes the Policy Manager, Real Time Monitor, and Report Manager. The Policy Manager includes a Graphical User Interface (GUI) to facilitate the management of network security policies.

In this tutorial, acting as an administrator, you will use the GUI to quickly and efficiently define and apply policies to individual devices and device groups, and users and user groups.

NetScreen-Global PRO Product Line The NetScreen-Global PRO comes in the following two models:

• NetScreen-Global PRO, is designed for large enterprise or service provider deployments of up to ten thousand devices. NetScreen-Global PRO is a bundle of two components: Policy Manager, a central policy configuration system pre-installed on a rack-mountable server, and Report Manager, software for customized monitoring and reporting.

• NetScreen-Global PRO Express, is designed to support up to one hundred NetScreen devices. NetScreen Global PRO Express supports virtually every policy management and system administration function provided by NetScreen Global PRO. The NetScreen Global PRO Express is delivered with Policy Manager and Realtime Monitor, a subset of Report Manager, on a pre-configured server.

POLICY MANAGER COMPONENTS AND FEATURES Policy Manager software includes a server component, called the Policy Manager Server, and a client component, called the Policy Manager Console. The server component is delivered as a network appliance on a Sun NETRA server running the Solaris 8 operating system. The system is designed to manage NetScreen devices from a central location.

Key Features The following is a brief summary of some of the key features that enable the Policy Manager to greatly facilitate major network security management, administration, operations, and maintenance functions.


Policy Manager Components and Features

Central Policy Management The NetScreen-Global PRO provides central configuration management to efficiently distribute hundreds or even thousands of policies to NetScreen devices, to groups of devices, and to NetScreen-Remote clients at any location.

Secure Transmissions Every server ships with an existing certificate that is enabled as the default certificate. You have the option to replace this certificate with a different certificate after bringing up the system.

Figure 1-1 Secure transmission between Policy Manager Console and Server

Virtual Private Network (VPN) Management Rapid and accurate configuration of large-scale complex virtual private network (VPN) deployments. Instant full-mesh, hub-and-spoke, main-and-branch, or point-to-point VPNs. Since NetScreen-Global PRO supports the centralized management of NetScreen-Remote clients, Sys Admins can easily create remote access policies for individual or groups of VPN clients.

Flexible Administration The NetScreen-Global PRO offers role-based management to easily set privileges and access levels for all Sys Admin users.

Simultaneous System Access The Policy Manager is a multi-user system that allows simultaneous access by multiple users. While users are transparent to each other, the latest modification to an existing configuration always overrides the previously saved configuration. For example, if you modify the IP address of a given device and another authorized Admin alters your modification, the changes that you made earlier are lost.


Scalable Architecture To meet the needs of expanding networks, the system is designed to support configuring and monitoring up to ten thousand NetScreen security systems and appliances with the aid of the following additional facilities:

• An Oracle® back-end database (used by the Report Manager) for data storage and retrieval.

• A PostgreSQL database used by the Realtime Monitor.

• The Lightweight Directory Access Protocol (LDAP) used by the Policy Manager. See below.

Figure 1-2 Policy Manager Basic Architecture

Easy to Use and Maintain The NetScreen-Global PRO incorporates various capabilities to make the product easy to install and operate. All device configuration information is stored in a pre-configured LDAP directory tree on the Policy Manager server. In addition, the Policy Manager incorporates pre-installed SSL certificates that are utilized to authenticate the Policy Manager server and encrypt traffic between the consoles and the Policy Manager server.

Interoperability Data from the system can be easily integrated into many third-party provisioning, fault management, billing, and reporting applications. This is possible with NetScreen’s open database schema and the fact that it uses a PostgreSQL database and the LDAP directory.


Chapter 2

Starting the Policy Manager Console

ABOUT THIS CHAPTER This chapter provides the following information:

• Installing the Policy Manager Console

• Logging on to the system

• Creating a Policy Domain

• Adding an Arbitrator

• Changing the Background File

Assumptions and approach You are the global Sys Admin exposed to the product highlights presented earlier in Chapter 1. At this time, you are about to install the software and bring up the application.

The following background and procedural information is provided to help you perform these tasks.

Background Information • "System Requirements" on page 6.

• "Installation Steps" on page 6.

Procedural Information • "Installing the Policy Manager" on page 7.

• "Logging On - Initial login" on page 10.

• "Understanding and Creating a Policy Domain" on page 12.

• "Basic Operations - Changing the Background File" on page 14.

Other Information In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


Chapter 2 Starting the Policy Manager Console

SYSTEM REQUIREMENTS As indicated earlier, the server component runs on a Sun NETRA under the Solaris 8 operating system and requires minimal installation.

Figure 2-1 NetScreen Global-PRO and Global-PRO Express

The Policy Manager Console (client) runs on Windows® platforms with the following minimum configurations:

Processor: Pentium II 500 MHz processor

Memory: 256 MBytes or higher

Operating System: Windows 2000 Professional/Server/Advanced Server

INSTALLATION STEPS The sequence of tasks to install and configure the client and server components is as follows.

1. Establish network connection.

2. Assign the server’s IP address.

Note: The server comes with a default IP address that you change during installation.

3. Download and install the Policy Manager Console.

4. Log on to the Policy Manager.

Note: You can download and install the Policy Manager Console after the Policy Manager Server is installed.


INSTALLING THE POLICY MANAGER

To install the Policy Manager Server:

As indicated earlier, the assumption is that the server component is already installed. For installation procedures, refer to NetScreen-Global PRO™ Policy Manager Installer & User’s Guide.

To install the Policy Manager Console:

1. Point your web browser to the Global Pro Express IP address (http://#.#.#.#) and press ENTER (IP address provided with your NetScreen appliance).

Depending on your browser, the following Security Warning dialogs may appear and prompt you to run a file trusted by NetScreen Technologies, Inc.

Figure 2-2 Security warning dialogs

2. If these dialogs appear, click Yes in both cases to continue.

The Download Progress dialog shown in Figure 2-3 appears.


Figure 2-3 Download Progress dialog

3. Click Start Installer for Windows....

The NetScreen installer guides you through the installation process and at anytime during this process, you can return to the previous screen, or exit the installation.

Figure 2-4 Installation Wizard

4. Click Next.

5. Agree to licensing agreement prompts and click Next.


The Choose Install Folder dialog appears.

Figure 2-5 Choose Installation Folder dialog

6. Accept the default location or click Choose to select another location. You can use Restore Default Location to restore the installation directory default.

7. Select the desired installation folder and click Next. The Choose Shortcut Location screen appears.

Figure 2-6 Choose Shortcut Location dialog

8. Make your selection and click Next. The Installation Summary dialog, listing items installed, appears.

9. In Installation Summary, click Install. A progress bar illustrates the installation progress and upon completion, the Install Complete dialog appears.

10. Click Done. You can open the Policy Manager from the desktop and Start menu.


LOGGING ON - INITIAL LOGIN

To log on to the Policy Manager Console:

1. From your Windows client, select Start>>NetScreen-Global PRO>>Policy Manager>>Policy Manager Console, or simply double-click on the Policy Manager icon on the desktop.

After the database initialization message, the NetScreen Policy Manager Login dialog appears.

Figure 2-7 Authentication message and Login dialog

2. Log on as the superuser as follows:

• In the User and Password fields, type netscreen. This is the default user ID and password for the initial login.

• The Domain field is left blank when logging on as superuser.

• The Arbitrator List is formed automatically from the Policy Manager during installation. Each member of the Arbitrator List corresponds to one Policy Manager Server. You can add, modify, and delete members in the Arbitrator List by pressing the Add, Edit, or Delete buttons to the right of the Arbitrator List box. Since this tutorial uses only one arbitrator, you do not need to take any action.

Note: You can add multiple Arbitrators. This is particularly useful when you are servicing multiple organizations.


Logging On - Initial login

3. Click Login.

The Update Manager dialog appears.

Figure 2-8 Update Manager Update Status displays

Understanding The Update Manager

Before connecting to the Server, the Update Manager verifies the current version of the Console software on your workstation and checks for new versions. If an update is required, the Update Manager downloads the new image and updates the Console, eliminating the need for manual updates.

4. If the Update Status dialog appears, click PROCEED to continue.

The user is authenticated to the Policy Manager and the Policy Domain dialog opens with a list of Policy Domain and Administration options.

Figure 2-9 Policy Domain and New Policy Domain dialogs


UNDERSTANDING AND CREATING A POLICY DOMAIN Policy Domains are individual directories, or folders, in the LDAP directory. They are used to maintain information about the network objects and security policies in your network: for example, NetScreen devices, users, VPNs, and so on. A single organization, regardless of its size, does not need more than one Policy Domain. Multiple Policy Domains are used by service providers to completely separate customer network environments, thus preventing organizations from accessing and modifying data owned by another organization. A device resides in one Policy Domain only. Depending on your user access privileges, you can manage one or more Policy Domains.

Figure 2-10 Policy Domain Examples

To create your Policy Domain:

1. In Policy Domain dialog (Figure 2-9), select Create new Policy Domain>>OK.

The New Policy Domain dialog opens.

2. In the New Policy Domain dialog do as follows:

• Type Tutorial in Name:

• Set Directory Context: to o=Policy Manager (if not already there as default).

Note: This field is always set to o=Policy Manager by default. You can use it for integration with an external LDAP server.

3. Click OK.
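The domain isolation described above, as an added example that is not part of the tutorial or of NetScreen’s own code: a small Python model of the LDAP tree in which each Policy Domain is a directory under the o=Policy Manager context, a device may reside in only one domain, and an Admin can reach only objects inside the domains that Admin has privileges on. The DN layout cn=<object>,ou=<domain>,o=Policy Manager, the PolicyDirectory class and the second domain CustomerB are assumptions made for illustration; the tutorial states only the directory context, the domain name Tutorial, and the isolation rules.

```python
"""Model of Policy Domain isolation in an LDAP directory tree.

Added example, not NetScreen code. The DN layout
cn=<object>,ou=<domain>,o=Policy Manager is an assumption; the tutorial
only states that domains are directories under the o=Policy Manager
context, that a device resides in exactly one domain, and that an Admin
manages only the domains they have privileges on.
"""
from typing import Dict, List, Optional, Set, Tuple

DIRECTORY_CONTEXT = "o=Policy Manager"  # the default Directory Context


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP DN into (attribute, value) pairs, leftmost first.

    Handles only the simple, unescaped form used in this example.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn!r}")
        pairs.append((attr.lower(), value))
    return pairs


def domain_of(dn: str) -> Optional[str]:
    """Return the Policy Domain (the ou directly below the directory
    context) a DN belongs to, or None if it lies outside the context."""
    pairs = parse_dn(dn)
    if pairs[-1] != parse_dn(DIRECTORY_CONTEXT)[0]:
        return None
    if len(pairs) >= 2 and pairs[-2][0] == "ou":
        return pairs[-2][1]
    return None


class PolicyDirectory:
    """In-memory stand-in for the Policy Manager LDAP tree (assumed layout)."""

    def __init__(self) -> None:
        self.domains: Set[str] = set()
        self.devices: Dict[str, str] = {}  # device name -> owning domain

    def create_domain(self, name: str) -> str:
        self.domains.add(name)
        return f"ou={name},{DIRECTORY_CONTEXT}"

    def add_device(self, name: str, domain: str) -> str:
        """Place a device in a domain; a device may live in only one."""
        if domain not in self.domains:
            raise KeyError(f"unknown Policy Domain {domain!r}")
        owner = self.devices.get(name)
        if owner is not None and owner != domain:
            raise ValueError(f"device {name!r} already resides in {owner!r}")
        self.devices[name] = domain
        return f"cn={name},ou={domain},{DIRECTORY_CONTEXT}"

    def can_access(self, admin_domains: Set[str], dn: str) -> bool:
        """An Admin may touch an object only inside a domain they manage."""
        domain = domain_of(dn)
        return domain is not None and domain in admin_domains


def demo() -> Dict[str, object]:
    """Walk through the tutorial's Tutorial domain plus a constructed
    second domain, CustomerB, and report what the isolation rules yield."""
    d = PolicyDirectory()
    d.create_domain("Tutorial")
    d.create_domain("CustomerB")  # constructed, not from the tutorial
    ns25 = d.add_device("NS25-Asia", "Tutorial")
    other = d.add_device("NS5XP-B", "CustomerB")
    try:
        d.add_device("NS25-Asia", "CustomerB")  # must be refused
        moved = True
    except ValueError:
        moved = False
    tutorial_admin = {"Tutorial"}  # privileges on one domain only
    return {
        "ns25_domain": domain_of(ns25),
        "tutorial_admin_sees_ns25": d.can_access(tutorial_admin, ns25),
        "tutorial_admin_sees_other": d.can_access(tutorial_admin, other),
        "device_moved_to_second_domain": moved,
        "outside_context": domain_of("cn=x,o=Elsewhere"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The check that matters for a service provider is the last two keys of demo(): an Admin scoped to Tutorial gets no access to an object under CustomerB, and a device already placed in one domain cannot be added to another.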


Understanding and Creating a Policy Domain

The Policy Manager opens in the Global View. Note that the Policy Domain name you typed earlier appears in the window’s title bar.

Figure 2-11 Policy Manager Console - Global view (callouts: Viewing panel, View selection, Pull-down menu, Main toolbar, tree)


BASIC OPERATIONS - CHANGING THE BACKGROUND FILE Policy Manager Admin Console is a Java-based GUI that communicates with the Policy Manager server. Information configured using the Admin Console is sent to and stored on the Policy Manager Appliance. The Policy Manager Console components and operations are fully documented in the NetScreen-Global PRO™ Policy Manager Installer & User’s Guide.

To facilitate the visual display of different sites and network objects such as NetScreen devices located in these sites, you can change the background file in the viewing panel to show the geographic deployment of your NetScreen devices according to their location.

To change the background view in the Viewing panel:

1. In the Viewing panel area, right-click the mouse. The Object Properties box appears.

Figure 2-12 Changing the background file

2. In the Object Properties box, click Change Background File. The Open dialog appears.

3. In the Open dialog, select world-map.gif>>Open. The NetScreen background in the Viewing panel is replaced with a map of the world.

Note: You can supply your own background file in .gif format to use as the background for Global View. In this case, and if multiple users are accessing the Policy Manager server from different consoles, it is necessary to copy your own .gif file to the Global View directory on each Policy Manager Console.


Chapter 3

Adding and Configuring VPNs

ABOUT THIS CHAPTER This chapter provides the following information to manage VPNs:

• A synopsis of VPN concepts and preparatory steps for those new to VPN.

• Policy Manager procedures to add and configure the NetScreen devices.

• Policy Manager procedures to define Full Mesh, Main and Branch, Hub and Spoke, and IKE VPNs.

Assumptions and approach Material in this chapter builds on topics discussed earlier. The assumption is that you have received your first assignment as your employer’s Global Sys Admin to configure secure communications (VPN connections) between resources in the Corporate LAN and satellite offices in Asia and Europe. The problem statement requires three VPN solutions.

To help you analyze VPN requirements and implement the required solutions, the following background and procedural information is provided.

Background Information • "Understanding VPNs" on page 16.

• "Policy Manager and VPN Management" on page 17.

• "Before Configuring VPNs" on page 19.

• "Analyzing VPN Configuration Requirements" on page 30.

• "Device Type Designation" on page 33

Procedural Information • "Adding Devices and Protected Resources" on page 21

• "Adding a VPN (All Main or Full Mesh)" on page 33.

• "Adding a Main and Branch VPN" on page 38.

• "Adding a Hub and Spoke VPN" on page 39.

Other Information In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


Chapter 3 Adding and Configuring VPNs

UNDERSTANDING VPNS A VPN connects resources and people to each other, offering secure exchange of data. The idea of the VPN is to give the customer the same capabilities provided by a system of owned or leased lines, at much lower cost, using the Internet (shared public telecommunication infrastructure). To this end, VPNs move IP packets across the Internet using encryption and authentication to guarantee secure exchange of data. While encryption assures confidentiality, authentication ensures resources at the other end are authentic and authorized to use the connection.

Figure 3-1 VPNs connect resources and people to each other


POLICY MANAGER AND VPN MANAGEMENT Policy Manager significantly simplifies your Sys Admin tasks in the creation, configuration, and maintenance of VPNs across the global network with the aid of the following facilities:

• VPN Tunnel creation and Configuration

• VPN Connection Options

• Security and Encryption Options

• Other VPN Configurations Facilities

Figure 3-2 Policy Manager simplifies VPN management

VPN Tunnel Creation and Configuration Policy Manager makes it easy to configure VPN tunnels between devices as follows.

Note that establishing VPN tunnels between two devices A and B requires 4 rules, as follows:

$A \Leftrightarrow B$: 2 rules

$B \Leftrightarrow A$: 2 rules

Hence, for 3 devices in the network, you must configure 12 rules, for 4 devices 24, and so on. Using R and D as the number of rules and devices respectively, the number of rules that you must configure is:

$R = 2D \times (D - 1)$

Accordingly, in a network of 100+ devices, you must perform 19,800+ configurations. Policy Manager practically eliminates these steps by allowing you to configure a rule and apply it to any number of devices. You simply add a device and relate it to the rule.


VPN Connection Options Using the Policy Manager, you can easily establish the following VPN connections:

• Site-to-site VPN, a connection that tunnels large volumes of traffic data between the two network sites.

• Remote/Dial-up VPN, a tunnel for individual users accessing a corporate site using the NetScreen Remote software.

Security and Encryption Options Policy Manager provides additional security as follows:

• Internet Key Exchange (IKE), a method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

• IP Security (IPSec), a security standard produced by the Internet Engineering Task Force (IETF). It is a protocol suite that provides everything you need for secure communications—authentication, integrity, and confidentiality—and makes key exchange practical even in larger networks

Other Facilities Policy Manager simplifies configuring the direction and flow of traffic between sites. These capabilities simplify configuring the All Main, Hub and Spoke, and Main and Branch VPN requirements. For procedures, see "Analyzing VPN Configuration Requirements" on page 30 and "Device Type Designation" on page 33.


VPN REQUIREMENTS - PROBLEM STATEMENT Your Sys Admin assignment is to use the Policy Manager to configure the following VPN configurations for evaluation by technical management:

• First Configuration, Resources in each site can communicate freely with resources at any other site.

• Second Configuration, Resources in Asia and Europe are not allowed to communicate directly with each other. However, they can communicate with Corporate and transmit data to other sites via Corporate LAN.

• Third Configuration, There is no traffic between Asia and Europe, even through Corporate, and resources in Asia and Europe are configured to communicate solely with Corporate.

Your network consists of the following three NetScreen devices with additional information shown in Figure 3-3 on page 20.

• NetScreen NS25 in Asia

• NetScreen NS5XP in Europe

• NetScreen NS50 in Corporate LAN

BEFORE CONFIGURING VPNS

To define VPNs, you must understand the network components in the topology. It is therefore recommended that you consult the network design document, or design and use your own if one is not available.

Note: You must add the NetScreen devices that are used to create the required VPNs to the Policy Manager model. For procedures, see "Adding Devices and Protected Resources" on page 21.

Designing the Network Topology

Your network model in the tutorial is shown in Figure 3-3 and provides the following information:

• Network objects and IP addresses.

• NetScreen devices that stand between the Trusted (behind the firewall) and Untrusted networks.

• Resources (workstations, servers, and LANs) behind the firewall (Trust) that you must include in the VPN for protection by the device.


Figure 3-3 Network topology


ADDING DEVICES AND PROTECTED RESOURCES

Proceed to add and configure the three devices shown in Figure 3-3 using the following names:

• Asia NS25-1

• Europe NS5XP-1

• Corporate NS50-1

Note: The device names above contain blank spaces. Although Policy Manager allows blanks in device names, NetScreen OS replaces each blank with "_" when it applies the name to the actual device. It is a good idea to avoid blanks in device names.

To add the NetScreen devices:

Note: New devices are added with the aid of the Device Wizard dialog.

1. Add a new device in one of the following ways:

• From the Policy Manager menu: click the Edit menu, click the Add Objects option, and then click the Devices option in the right popup menu.

• From the Toolbox: select and hold the Add Device Tool icon in the Toolbox and drag it into the background of the Right Pane. This opens the wizard.


The Device Wizard opens and displays the New Device - General Device Information dialog.

Figure 3-4 New Device - General Device Information Dialog Box

2. In the New Device - General Device Information dialog box, type the name of your first device (Asia NS25-1), select the Device Type from the drop-down menu (NetScreen-25), set the Device Version (4.0+), and select the icon size from the drop-down menu.

3. Click NEXT.

The Device Setup page appears. You can provide the required configuration data now or at a later time. Complete the page as shown in the next step.

4. In the Device Setup page, do as follows:

• In the Device Address field, type 10.100.30.1 as the IP address of the device.

Note: If Policy Manager connects to the device at its actual (Trust-side) IP address, you must first configure a policy that permits traffic from the Policy Manager to the Trust side of the device. Once the VPN is established this policy is no longer needed; remove it so that no unnecessary management path remains open. For information on security policies, see "Understanding Security Policies" on page 46.

• In the Admin Name and Admin Password fields, type the root admin name and password for the NetScreen device (the tutorial uses netscreen for both). Policy Manager logs in to the device with these credentials, so on a real device change the factory default password before the device is reachable from any untrusted network.

• In the Use SCS drop-down menu, select YES to use an encrypted Secure Configuration Session (SCS) to configure the device.

Figure callouts: Hide/display Toolbox, Edit Menu, Device Tool


Note: To use SCS, you must first enable it on the device. If you do not select an encryption option, telnet is used instead, and the root admin name and password entered above cross the network in clear text.

• Ignore the KEY field at this time, since there are no actual devices involved.

Note: Key is a hash of the public RSA key that the NetScreen generates for SCS (SSH v1.5 compatible); the device console displays it as the RSA1 key fingerprint. Copy the fingerprint from the NetScreen console and paste it into the Key field so that Policy Manager can verify it is talking to the genuine device before it sends the admin credentials. Read the fingerprint from the console (or another trusted channel), not over the same network connection you are trying to verify.
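Pinning the fingerprint is what protects the admin credentials from a host impersonating the device. The following Python example is added here and is not part of the tutorial or of NetScreen's software: it computes an RSA1-style fingerprint (MD5 over the modulus followed by the exponent, colon-separated hex, which is the OpenSSH convention for SSH1 keys; that the NetScreen console prints exactly this convention is an assumption), normalizes the forms an operator might paste, and compares in constant time. It also goes beyond the page by computing the SHA256 fingerprint of the SSH2 ssh-rsa key blob that modern tools print. The toy key is constructed for the example and is far too small to be a real key.

```python
import base64
import hashlib
import hmac
import struct

# Constructed toy public key for illustration only: not a real NetScreen key,
# and the modulus is far too small to be usable for RSA.
TOY_E = 65537
TOY_N = 0xC35F2E8A1D4B7C9E3011F6D2A877B50C4D93E1


def _bn_bytes(x):
    """Big-endian bytes of a non-negative integer with no leading zeros (like BN_bn2bin)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big") if x else b""


def rsa1_fingerprint(n, e):
    """MD5 over n||e as colon-separated hex: the OpenSSH convention for SSH1 (RSA1)
    host keys, i.e. the style of 'RSA1 key fingerprint' a console shows (assumed
    to match what the NetScreen console prints)."""
    digest = hashlib.md5(_bn_bytes(n) + _bn_bytes(e)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(x):
    """SSH wire 'mpint': length-prefixed two's-complement big-endian integer."""
    b = _bn_bytes(x)
    if b and b[0] & 0x80:
        b = b"\x00" + b  # keep the value positive when the top bit is set
    return _ssh_string(b)


def ssh_rsa_sha256_fingerprint(n, e):
    """SHA256 fingerprint of the SSH2 'ssh-rsa' key blob (string 'ssh-rsa', mpint e,
    mpint n), printed as modern OpenSSH does: 'SHA256:' plus unpadded base64."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def normalize(fp):
    """Canonical form so 'MD5:AB:CD', 'ab:cd' and 'abcd' all compare equal."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.replace(":", "").replace(" ", "").lower()


def fingerprint_matches(observed, pinned):
    """Constant-time comparison of the key a device presents against the fingerprint
    copied from its console. A mismatch means the key changed or another host is
    answering, so the configuration session must be refused, not continued."""
    return hmac.compare_digest(normalize(observed), normalize(pinned))


if __name__ == "__main__":
    pinned = rsa1_fingerprint(TOY_N, TOY_E)  # what you would copy from the console
    print("pinned RSA1 fingerprint:", pinned)
    print("SSH2 fingerprint:       ", ssh_rsa_sha256_fingerprint(TOY_N, TOY_E))
    print("same key, different case/prefix:", fingerprint_matches("MD5:" + pinned.upper(), pinned))
    print("different key:                  ", fingerprint_matches(rsa1_fingerprint(TOY_N + 2, TOY_E), pinned))
```

The comparison uses hmac.compare_digest rather than == so that the time taken does not leak how many leading characters matched; for a fingerprint this is belt-and-braces, but it costs nothing and is the habit to keep for any secret-like comparison.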

5. Click DONE.

The NS25 device that you just added, appears in the Policy Manager Console’s viewing panel.

6. Repeat Step 1 through Step 5 to add NS50: Corporate (10.100.10.1) and NS5XP: Europe (10.100.20.1) to the network.

7. In the toolbar, click Save.

8. In Policy Manager Console, arrange the devices according to their locations as shown below.

Figure 3-5 Newly added devices

To configure IP addresses and firewall settings using the General dialog box:

1. In the Policy Manager Left Navigation Pane, click Devices/Groups.


2. Right click on a device icon and select the Edit option. For example, Asia NS25-1. Policy Manager displays the General dialog box for this device.

Figure 3-6 General Dialog Box

3. Complete fields in the General dialog box as follows:

• Assign a default gateway and clear the Transparent option under Operation Mode.


• No action is required for the Contact Information box. You provided the required information when adding the device.

4. Click on the Network heading in the Left Navigation Pane. Click the Zones/Interfaces option to open the Network tab for this device.

Figure 3-7 Network Dialog Box (Untrust Zone parameters)

5. Highlight the Untrusted Zone and complete its fields for Asia NS25-1 as shown below.

• In the IP Address box, do as follows:

– Click the radio button to select Static IP Address.

– In the IP Address field, type 1.1.1.30, the Untrusted address for this device.

– In the Mask (Netmask) field, type 255.255.255.0, which places the device in the 1.1.1.0/24 subnet.

6. In the Allowed Management Traffic box, check SCS and any other management traffic you want to allow on this interface. Because this is the Untrusted interface, allow only what you need; in particular, prefer SCS over telnet, which carries the admin credentials unencrypted.

7. Select Trusted Zone to configure Trusted parameters. See Figure 3-8.

8. Provide IP Address, Mask, and other information similar to the Untrusted interface.


9. Select NAT option below IP Address area.

Figure 3-8 Network Dialog Box (Trust Zone parameters)

To add Protected Resources:

1. Under the VPN header in the Left Navigation Pane, click on the Protected Resources option.

2. Policy Manager displays the Protected Resources dialog box shown in Figure 3-9.

Figure 3-9 Device Configuration - Protected Resources Dialog Box


Understanding Protected Resources

VPNs connect devices through their Protected Resources. Protected Resources are subnets (servers, workstations, other network objects) and services (protocols and port numbers) that you want to include in the VPN for protection by the device.

For each device in the VPN, you must define its protected resources. Protected Resources are configured using Policy Manager’s Address Entries window and Service Entries window and then added to the device during configuration.

1. In Protected Resources dialog, click Add.

The Resources Definitions dialog appears.

Figure 3-10 Resources Definition Dialog Box

2. In Resources Definitions, do as follows:

• In the Name field, type Protected by Asia NS25-1 as the name for resources protected by this device during VPN access.

• The Address is configured in the steps that follow.

• In Service Type select ANY. That is, any protocol or port.

You can also select Pre-defined to pick from a list of built-in service definitions such as AOL or BGP, or Service to pick from a list of custom-defined services. The service options are shown when Pre-defined is chosen.

• In Zone / Interface Binding, select the Trusted zone as the source of the packet, because the resource is located on the Trust side of Asia NS25-1.

To complete the Address field:

1. Under the Objects heading in the Left Navigation Pane, click on the Addresses option.

2. Right click anywhere in the Right Pane.

Policy Manager displays the address configuration popup menu.

3. Click on the Add option.


Policy Manager displays the Object Create dialog box.

Figure 3-11 Address Book entries dialog

4. In the New Entry dialog, type Asia Network addresses and click OK.

The name appears in the Address Entries column.

5. Click on the entry and click on the Edit option.


Policy Manager displays the Edit Address dialog box.

6. Click the Add button located over the Network Mask Pairs table.

Figure 3-12 Add Address Dialog Box

7. In the IP Address/Host name field, type 10.100.30.0, and in the Netmask field type 255.255.255.0.

8. Click OK.

9. On Address Editor, save changes by clicking OK.


Configuring NS50: Corporate and NS5XP: Europe

To configure the NS50: Corporate and the NS5XP: Europe devices, follow the same steps independently for each device.

For Protected Resources and Address entries, configure the devices as follows:

• For NS50: Corporate:

Type Protected by Corporate NS50-1 as the name of the resources protected by this device and save the changes.

Trust range: IP address 10.100.10.0, Subnet Mask 255.255.255.0

• For NS5XP: Europe:

Type Protected by Europe NS5XP-1 as the name of the resources protected by this device and save the changes.

Trust range: IP address 10.100.20.0, Subnet Mask 255.255.255.0 (matching the 10.100.20.1 address given for the Europe device when it was added; 10.100.30.0 is Asia's range)

10. After completing the configuration, click APPLY and then OK. These steps complete the address-entry process. The new protected resources appear in the Protected Resources list.
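Before tunnels are built between Protected Resources it is worth checking that the address entries are consistent. The following Python script is an added example, not from the tutorial or from Policy Manager: using the tutorial's device addresses and Trust ranges (constructed here as a small dict), it verifies that each device's management address lies inside its own Protected Resource, that no resource has host bits set under its mask, and that no two sites advertise overlapping subnets, which a VPN could not route apart. The what-if at the bottom shows the findings raised if Europe were mistakenly entered with Asia's 10.100.30.0 range.

```python
import ipaddress

# Constructed from the tutorial's values: the device's management address on the
# Trust side and the Protected Resource (IP address, netmask) it advertises in the VPN.
DEVICES = {
    "Asia NS25-1": {"address": "10.100.30.1", "resource": ("10.100.30.0", "255.255.255.0")},
    "Europe NS5XP-1": {"address": "10.100.20.1", "resource": ("10.100.20.0", "255.255.255.0")},
    "Corporate NS50-1": {"address": "10.100.10.1", "resource": ("10.100.10.0", "255.255.255.0")},
}


def check_protected_resources(devices):
    """Return a list of problems found in the devices and their Protected Resources.

    Checks performed:
      1. the resource is a valid network under its mask (no host bits set);
      2. the device's management address lies inside its own resource, since the
         resource is meant to describe the Trust-side network the device protects;
      3. no two sites advertise overlapping subnets, because VPN policies cannot
         tell one site's 10.100.30.0/24 from another's.
    """
    problems = []
    nets = {}
    for name, spec in devices.items():
        ip, mask = spec["resource"]
        try:
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=True)
        except ValueError as exc:
            problems.append(f"{name}: resource {ip}/{mask} is not a valid network ({exc})")
            continue
        nets[name] = net
        addr = ipaddress.ip_address(spec["address"])
        if addr not in net:
            problems.append(f"{name}: management address {addr} is outside its resource {net}")
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} and {b}: resources {nets[a]} and {nets[b]} overlap")
    return problems


def with_resource(devices, name, resource):
    """Copy of devices with one resource replaced, for what-if checks."""
    changed = {k: dict(v) for k, v in devices.items()}
    changed[name]["resource"] = resource
    return changed


if __name__ == "__main__":
    print("tutorial values:", check_protected_resources(DEVICES) or "no problems")
    # What-if: Europe entered with Asia's range instead of its own 10.100.20.0/24.
    mistaken = with_resource(DEVICES, "Europe NS5XP-1", ("10.100.30.0", "255.255.255.0"))
    for problem in check_protected_resources(mistaken):
        print("PROBLEM:", problem)
```

Run it once after the address entries are typed in and again whenever a site is added; the overlap check is the one that matters most as the number of spokes grows, because a duplicated range at two sites does not fail loudly, it silently steers one site's traffic to the other.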

Analyzing VPN Configuration Requirements

The VPN problem statement called for three configurations:

• No restriction on traffic between the three sites. That is, you build VPN tunnels between all three.

• No direct traffic between satellites, but satellite-to-satellite traffic is allowed through the Corporate LAN. That is, no VPN tunnels between satellites; each satellite tunnels to Corporate, which passes traffic on to the other satellite.

• No direct or indirect traffic between satellites; all traffic from a satellite terminates at the Corporate LAN. Again there are no VPN tunnels between satellites, and Corporate does not relay between them.

These configurations are called Full Mesh (all Main, or Site-to-Site), Hub and Spoke, and Main and Branch respectively. As indicated earlier, Policy Manager fully supports these configurations and provides the following facilities to simplify your Sys Admin tasks.


Full Mesh or All Main VPN

The first of the three VPN configurations requires open traffic between all sites. This is called a Full Mesh or an all-Main configuration. A Full Mesh VPN is deployed when no control or limitation of traffic is necessary; for example, each site has its own independent web server and users at all three sites need access to every web server.

Figure 3-13 Full Mesh VPN.


Main and Branch

The Main and Branch configuration must meet the following criteria:

• The three independent web sites are consolidated on one server at Corporate headquarters. The e-mail server is also located and maintained at Corporate.

• All users throughout the network need access to these two servers.

• No direct or indirect traffic (VPN tunnels) between satellites, to avoid additional Sys Admin tasks and to limit unauthorized access. That is, traffic generated at each satellite must terminate at the Corporate site.

The Main and Branch configuration is the solution to this scenario.

Figure 3-14 Main and Branch VPN

Hub and Spoke

In the Hub and Spoke scenario, the requirements stated for Main and Branch change as follows:

• The two satellites need access to each other's engineering and research data, which is maintained on local servers.

• The number of satellite offices is increasing rapidly, requiring a VPN solution that is easy to configure and maintain.

One option is a Full Mesh VPN. With two devices (A and B) you need only one tunnel to exchange data securely. With four devices A, B, C, and D, every pair needs its own tunnel configured at both ends: six tunnels, twelve tunnel end-point configurations, and 24 rules by the formula given earlier (R = 2D(D - 1)). The count grows quadratically, so with 100+ devices Full Mesh is not an efficient solution.

On the other hand, with Hub and Spoke you build a single tunnel (incoming and outgoing) from each satellite office (spoke) to the Corporate LAN (the VPN hub), and the hub relays traffic to every other spoke. Using Hub and Spoke, you gain the following advantages:

• Reduce network administration tasks.

• Reduce the demand for additional network resources such as local servers.

• Avoid the tunnel limitations imposed on smaller NetScreen devices.


Figure 3-15 Hub and Spoke VPN

Device Type Designation

The Policy Manager supports these configurations through the following device designations:

• Main device: a VPN tunnel is built between a Main and another Main, or between a Main and a Branch.

• Branch device: a VPN tunnel is built only between a Main and a Branch. No tunnels are built between a Branch and a Branch.

• Hub and Spoke: VPN tunnels are built between the Hub and each Spoke, and traffic passes from one Spoke to another through the Hub.
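The designation rules above decide which tunnels exist and therefore which sites can talk. The following Python model is an added example, not part of the tutorial or of Policy Manager: it derives the tunnel set from the Main/Branch designations (or from a hub) and reports how Asia reaches Europe in each of the three tutorial configurations. Device names are the tutorial's; the functions, the rule-counting convention (2 rules per direction, so 4 per tunnel, which reproduces the 2D(D - 1) figure from the formula given earlier) and the reachability logic are this example's own assumptions about how the designations behave.

```python
from itertools import combinations

# Device designations as the tutorial uses them.
MAIN, BRANCH = "Main", "Branch"


def tunnels(designations, hub=None):
    """Return the set of tunnels that would be built.

    designations: dict of device name -> MAIN or BRANCH.
    hub: device name when Hub/Spoke is enabled, otherwise None.
    Each tunnel is a frozenset of its two endpoints (undirected).
    """
    devices = list(designations)
    if hub is not None:
        # Hub and Spoke: exactly one tunnel per spoke, all terminating at the hub.
        return {frozenset((hub, d)) for d in devices if d != hub}
    built = set()
    for a, b in combinations(devices, 2):
        # Main-Main and Main-Branch tunnels are built; Branch-Branch never is.
        if designations[a] == BRANCH and designations[b] == BRANCH:
            continue
        built.add(frozenset((a, b)))
    return built


def rule_count(built):
    """Rules to configure by hand: 2 per direction per tunnel, i.e. 4 per tunnel.
    For a full mesh of D devices this is 2D(D-1)."""
    return 4 * len(built)


def path(designations, src, dst, hub=None):
    """How src reaches dst: "direct", "via hub", or None when there is no path."""
    built = tunnels(designations, hub)
    if frozenset((src, dst)) in built:
        return "direct"
    if hub is not None and src != hub and dst != hub:
        # Spoke-to-spoke traffic is permitted only by transiting the hub.
        if frozenset((src, hub)) in built and frozenset((hub, dst)) in built:
            return "via hub"
    return None  # Main and Branch: branches never reach each other, even via Main


SITES = ["Corporate NS50-1", "Asia NS25-1", "Europe NS5XP-1"]


def scenarios():
    """The three tutorial configurations as (tunnel count, Asia -> Europe path)."""
    full_mesh = {d: MAIN for d in SITES}
    main_branch = {"Corporate NS50-1": MAIN, "Asia NS25-1": BRANCH, "Europe NS5XP-1": BRANCH}
    hub_spoke = {d: MAIN for d in SITES}  # tutorial adds all members as Main with Corporate as hub
    return {
        "Full Mesh": (len(tunnels(full_mesh)),
                      path(full_mesh, "Asia NS25-1", "Europe NS5XP-1")),
        "Main and Branch": (len(tunnels(main_branch)),
                            path(main_branch, "Asia NS25-1", "Europe NS5XP-1")),
        "Hub and Spoke": (len(tunnels(hub_spoke, hub="Corporate NS50-1")),
                          path(hub_spoke, "Asia NS25-1", "Europe NS5XP-1", hub="Corporate NS50-1")),
    }


if __name__ == "__main__":
    for name, (count, asia_to_europe) in scenarios().items():
        print(f"{name}: {count} tunnels, Asia -> Europe: {asia_to_europe}")
    mesh100 = {f"dev{i}": MAIN for i in range(100)}
    built = tunnels(mesh100)
    print(f"100-device full mesh: {len(built)} tunnels, {rule_count(built)} rules")
```

Running it prints three tunnels with a direct Asia-to-Europe path for Full Mesh, two tunnels and no path for Main and Branch, two tunnels with a path via the hub for Hub and Spoke, and 4950 tunnels / 19,800 rules for the 100-device mesh, matching the figure quoted at the start of the chapter.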

ADDING AND CONFIGURING VPNS

In Policy Manager, adding a VPN means connecting Protected Resources located at one site to Protected Resources located at other sites.

Adding a VPN (All Main or Full Mesh)

To build (add) a VPN between Protected Resources:

1. In Policy Manager Console, select the Edit menu and click on the Add Object(s) option.

Policy Manager displays a right popup menu.

2. Click on the VPN option in the right popup menu.

Policy Manager displays the Add VPNs dialog box.


Figure 3-16 Add VPNs dialog

Understanding fields in the Add VPNs dialog

Name identifies the VPN. Use VPN names that make the VPNs easy to locate and identify. In the VPN Type box, you select the tunnel and key-management type. Your options are listed below; for more information, refer to the NetScreen ScreenOS Concepts & Examples Reference Guide.

• IKE AutoKey for Site-to-Site, Hub and Spoke, and Full Mesh. Two kinds of VPNs are available:

– Route Based VPNs. These VPNs are bound to tunnel interfaces. Tunnel-interface VPNs provide greater flexibility but are harder to configure and troubleshoot.

– Policy Based VPNs. These VPNs are built from Protected Resources. NetScreen makes Protected Resources easy to configure, but a protected-resource VPN is less flexible because the tunnel can only carry the traffic described by the resource values.

• L2TP for L2TP without encryption. L2TP alone tunnels PPP frames and provides no confidentiality or integrity for the data inside, so over an untrusted network use it only in combination with IPsec (next option).

• L2TP over IPsec for L2TP encapsulated by IPsec.

• Manual for manually created keys on all VPN devices. Manual keys are static: they are never re-keyed unless you change them on every device by hand, which is one reason IKE AutoKey is preferred wherever tunnels are numerous.

3. Complete the Add VPNs dialog as follows:

• In the Name field, type Tutorial all Main VPN with IKE (that is, Full Mesh).

• For the VPN type, select IKE AutoKey. IKE AutoKey is recommended because there are numerous tunnels to configure and you need an automated method to avoid large numbers of manual key configurations.

• Select either the Route Based or the Policy Based radio button under the IKE AutoKey option:


– If you want more flexibility to perform a wider range of tasks with your VPN, click the Route Based radio button.

– If you want to configure a less flexible VPN more quickly, click the Policy Based radio button. This tutorial uses Policy Based.

4. Click Apply to add the VPN.

5. Click Close to stop further VPN additions.

The VPN that you added appears in the VPN list in the Right Pane.

Figure 3-17 VPN List in the Right Pane

Note: You have defined and added the VPN, but Protected Resources are not included in the VPN. The next step is to add Protected Resources defined earlier.

6. Right click on the VPN entry and click on the Edit option.

Policy Manager displays the General dialog box.


7. Click on the Members - Resources option in the Left Navigation Pane.

8. Policy Manager displays the Members - Resources dialog box.

Figure 3-18 VPNs Members - Resources interface

9. In the Members - Resources dialog box, click the right double-arrow button to include the Protected Resource in the VPN.

10. Click Apply and OK on the bottom of the VPN screen to save changes.

Note: Using the toggle switch, you can add members as Main Office or Branch Office. Since this is an all Main (Full Mesh) VPN, all resources are labeled Main.


11. In Policy Manager Console, click Global View to view the graphical representation of the Full Mesh VPN.

Figure 3-19 All Main (Full Mesh) VPN


Adding a Main and Branch VPN

To configure Main and Branch, you have the following options:

• Modify the existing all Main VPN to a Main and Branch configuration.

• Define a new VPN and then configure it as a Main and Branch VPN.

Use the following procedure to modify the current Full Mesh VPN to form a Main and Branch VPN. In this configuration, the Corporate network is the Main and the Asian and European satellites are branches.

To modify an existing VPN to create a Main and Branch VPN:

1. Click on the Members - Resources option in the Left Navigation Pane.

Policy Manager displays the Members - Resources dialog box.

2. In the Members column, click Protected by Corporate NS50-1... to ensure the designation is Main.

3. In the Members column, click Protected by Asia NS25-1... and Protected by Europe NS5XP-1... to ensure the designations are Branch.

4. Click Apply and OK to apply to save changes.

5. In Policy Manager Console, click Global View to view the graphical representation of the Main and Branch VPN.

Figure 3-20 Main and Branch VPN


Adding a Hub and Spoke VPN

Adding a Hub and Spoke VPN configuration is slightly different, yet equally simple. Since you have already added VPNs, only modifying an existing VPN is described.

To modify an existing VPN to create a Hub and Spoke VPN:

1. Click on the Members - Resources option in the Left Navigation Pane.

Policy Manager displays the Members - Resources dialog box.

2. Move all the Resources from the Members column to the Not Included column using the left arrow buttons.

3. Click Hub/Spoke option in the Left Navigation Pane.

Figure 3-21 Hub / Spoke VPN dialog

4. Select YES to enable Hub / Spoke.

5. Select NS50: Corporate as the hub device for the VPN and click Apply at the bottom of the screen to save changes and continue working.

6. Click the Members - Resource option.

7. Policy Manager displays the Members - Resource dialog box.

8. In the Members - Resource dialog box, do as follows to move the VPN hub to the Members column:

a. Select Protected by Corporate NS50-1 and click the Add as Main Office selector button.

b. Click a Move (> or >>) button to move the resource to the Members column as a Main resource.

c. Select and move Protected by Asia NS25-1 and Protected by Europe NS5XP-1 to the Members column as Main members.

d. Click Apply and OK at the bottom of the screen.

This completes the Hub / Spoke configuration step.

9. You can view the graphical representation by clicking Global View.

Note: The graphical representation resembles the Hub and Spoke VPN.


Chapter 4

Adding Remote VPN Users

ABOUT THIS CHAPTER

This chapter provides the following information to enable remote users to access your centrally located network:

• A description of Authentication, Users, User Groups, and the RADIUS authentication method.

• Procedures to add and configure users and user groups to remotely access VPNs created in Chapter 3.

Assumptions and approach

This chapter is a continuation of Chapter 3. Among your users in the global network, some require remote access to resources in one or more of the VPNs described earlier. These are users who telecommute or spend a great deal of time travelling.

The following background and procedural information is provided to help you perform these tasks.

Background Information

• "Understanding Remote VPN Access" on page 38.

• "Policy Manager and Remote VPN Access" on page 38.

Procedural Information

• "Adding Users and User Groups" on page 40.

• "Configuring Remote VPN Access" on page 43.

Other InformationIn addition to cited references, acronyms and terms that appear in this chapter, are either explained as they are introduced, or described in the “Glossary” on page 79.


UNDERSTANDING REMOTE VPN ACCESS

A remote VPN user is located outside the VPN and requires access to it from any location outside the network; for example, a telecommuting employee who needs to reach the corporate LAN to check e-mail or to upload and download data on network file servers.

Special tunneling protocols (see "Protocols Supported" below) establish connections from the dial-up user to the corporate site. They give each remote user the equivalent of a personal VPN tunnel. If you think of Internet VPNs as highways that connect an organization's branch offices with tunnels, then personal tunnels are the auxiliary roads that connect individual users to the Internet VPN.

The VPN tunnel from the dial-up user to the corporate site provides the required security and access. To grant access, the VPN authenticates the user and then allows the remote dial-up user through the firewall to reach the Protected Resources inside. Authentication is the method that verifies a user's identity.

POLICY MANAGER AND REMOTE VPN ACCESS

Policy Manager provides capabilities for managing remote VPN user accounts. These are similar to those described in Chapter 3.

Protocols Supported

Policy Manager provides the following tunneling protocols for remote VPN access:

• Layer 2 Tunneling Protocol (L2TP), a way for a dial-up user to make a virtual Point-to-Point Protocol (PPP) connection to an L2TP network server (LNS), which can be a NetScreen device.

• L2TP over IPSec, where IPSec is a protocol applied as an encryption scheme to encrypt an L2TP tunnel.

Managing Remote Accounts in Expanding Networks

In Chapter 3, you saw how Policy Manager reduced the number of device configurations when adding new devices to a VPN. In a similar way, for each new remote VPN user on a device you must add 2 rules. Generalized: if D is the number of devices and U the number of remote user accounts, then R, the number of rules you must configure, is

$$R = 2D \times U$$

Thus, in an average-sized network with 200+ remote user accounts and, say, three devices, you must configure

$$R = 2(3) \times 200 = 1200$$

or 1200+ rules.

Now consider larger networks with a greater concentration of devices and remote accounts. Without the Policy Manager, you have to add all these rules manually, increasing the potential for errors that can cause network downtime.


Policy Manager simplifies the management of large numbers of remote VPN user accounts in the following ways:

• You can reduce potential downtime by modelling and testing configured rules in the Policy Manager before applying them to your devices.

• You can off-load remote VPN user accounts to the RADIUS database to help manage attributes such as passwords. For example, with 10,000 users there are 20,000 rules to add (2 rules per user on a device). By keeping the accounts in the RADIUS database, you do not have to add the 10,000 users (they are already there), Policy Manager configures the 20,000 rules, and you do not have to manage user attributes such as passwords.

Authentication - RADIUS Database

Note: The Policy Manager distinguishes between a Local and a Remote user in the way it maintains their authentication data.

NetScreen Global-PRO Policy Manager uses the RADIUS service to authenticate dial-up users. RADIUS lets you add users at your existing, centrally located network point and administer remote access that is authenticated by the RADIUS server.

The RADIUS server is attached to the network as a third-party authentication service. Remote users dial into the access server (NetScreen Global-PRO Policy Manager), and the access server requests authentication from the RADIUS server. The RADIUS server authenticates users and allows them access to resources protected by the VPN. The access server (NetScreen Global-PRO Policy Manager) is a client of the RADIUS server. A single RADIUS server can support tens of thousands of users, making it ideal for expanding networks.

Figure 4-1 Remote Dialup VPN and RADIUS server

Users and User Groups

A user group propagates the properties of the group to all users in it, eliminating individual user configurations and VPN memberships.


ADDING USERS AND USER GROUPS

Note: Users and user groups are first created and then added to existing or newly created VPNs. You can add users to a VPN as individual members or as members of a group.

Adding Users

In the following procedures, you add and configure two users to remotely access existing VPNs.

To add new VPN users:

1. Click on the Users and Groups heading in the Left Navigation Pane.

Policy Manager displays the Users and Groups environment in the Right Pane.

2. Right click anywhere in the Right Pane.

Policy Manager displays the user configuration popup menu.

3. Click on the Add User option.

Policy Manager displays the Add User dialog box.

Figure 4-2 Add User dialog

4. Review the following field descriptions to understand the Add User dialog box.

Understanding Fields in the Add User dialog box

Field: Description

Name: Used by the system to identify the user.

Password: Used by the system for dynamic downloading of the VPN configuration data in the case of non-Admin users, and to authenticate Admin users accessing NetScreen device configuration commands.

Confirm: Self-explanatory.

Auth Mode: Authentication mode, Local (on the Arbitrator) or RADIUS server.

5. In the Add User dialog box, perform the following tasks:

• In the Name field, type Dialup Remote User-1.

• In the Password and Confirm fields, type netscreen in each.

• In the Auth. Mode, select Local.

6. Click Apply.

The Add User dialog reappears and prompts you to add additional users.

7. This time, add a user called Dialup Remote User-2, whose password is also netscreen, and select Local in Auth. Mode.

Note: The difference between “Local” and “Remote” users is the way their authentication data is stored and maintained (data pertaining to a Remote user is maintained in the RADIUS server database, and data belonging to a Local user is maintained in the local LDAP directory). Moreover, the password has no effect if the RADIUS authentication mode is specified. However, the user’s name must be the same as the one in the RADIUS server. For more information, see the NetScreen publications cited in "Preface" on page i.

8. In the Add User dialog box, click Apply and then click Close.

The names of the newly defined and authenticated users appear in the Users list. The General screen displays both the name and the Authentication Mode.

Figure 4-3 General Dialog Box for Users

Note: The General dialog box displays the same data for both user types. The Password button in the Local user screen is active. As the authorized user (Admin), you can change the password for either user by selecting the Actions screen.


9. Click OK if parameters are set properly. In the main toolbar, click Save to complete this procedure.

Adding User Groups

To manage larger numbers of remote dialup accounts, NetScreen enables you to define dialup user groups. With groups, changes made to the group, for example removing the group from one VPN or adding the group to another VPN, propagate to each member in the group.

Before providing VPN access to a remote user group, you must first define the group and then add users (members) as shown below.

To add a new user group:

1. Click on the Users and Groups heading in the Left Navigation Pane.

Policy Manager displays the Users and Groups environment in the Right Pane.

2. Right click anywhere in the Right Pane and click on the Add User Groups option.

3. Policy Manager displays the Add User Groups dialog box.

Figure 4-4 Add User Group dialog

4. In the Name field, type Remote VPN Group 1 and click Apply.

The General screen of the User Groups screen appears in the viewing panel.

To add members to a group (Remote VPN Group 1):

Proceed with the following steps to make users in "To add new VPN users:" on page 40 members of your new user group called Remote VPN Group 1.

1. Click on the Users and Groups heading in the Left Navigation Pane.

Policy Manager displays the Users and Groups environment in the Right Pane.

2. Right-click on the User Group entry that you want to configure and click on the Edit option.


3. In the Members screen, select the users to be added to the members section (first column of the right pane) by clicking their selection checkboxes. Added members are displayed in the second column of the right pane. To unselect members, uncheck the appropriate user boxes.

Figure 4-5 User Groups Members Dialog Box

CONFIGURING REMOTE VPN ACCESS

So far, you have defined users and added them to a user group whose members require dialup access to your existing VPNs.

The next step is to use the Policy Manager, to provide the following:

• Dialup access to your Tutorial Hub and Spoke VPN defined in "Adding and Configuring VPNs" on page 33 for the users called “Dialup Remote User-1” and “Dialup Remote User-2”

• Dialup access to your Tutorial all Main VPN with IKE defined in "Main and Branch" on page 32 for the user group called “Remote VPN Group 1.”

Use the following procedures to complete these steps.

To provide remote VPN access for a user:

1. In Policy Manager Console, select VPN and then point to and select an existing VPN in the VPNs column. In this case, Tutorial Hub and Spoke.

2. In the panel, select Members - Remote Users.

3. Move the two individual users from the Not Included column to the Members column.


4. Click Apply and OK to save the settings.

Figure 4-6 Add remote users

To provide remote VPN access for a user group:

Recall that you want to provide dialup access for the user group called Remote VPN Group 1 to the VPN called Tutorial all Main VPN with IKE.

1. In Policy Manager Console, select VPNs>>Tutorial all Main VPN with IKE>>Members - Remote Users.

2. In the Members - Remote Users screen, move Remote VPN Group 1 to the members column.

Figure 4-7 Add remote user group


3. Click Apply and OK to save and close the screen.

You just provided dialup access for:

• Users called Dialup Remote User-1 and Dialup Remote User-2 to your Tutorial Hub and Spoke VPN

• User group called Remote VPN Group 1 to VPN called Tutorial all Main VPN with IKE.


Chapter 5

Creating Access Policies

ABOUT THIS CHAPTER

This chapter provides the following information:

• A brief overview of security policies and access filters in the NetScreen Policy and Shared Config sections

• Procedures and background information to define and configure an access filter in the Policy section.

Assumptions and approach

In this exercise, your Sys Admin assignment is to configure the devices you created in Chapter 3 to manage outgoing traffic in compliance with corporate security policy. In this case, unrestricted outgoing traffic from the three sites.

The following background and procedural information is provided to help you complete this assignment.

Background Information

• "Understanding Security Policies" on page 46.

• "Policy Requirements and Solutions" on page 47.

Procedural Information

• "Adding Admin Role Rules" on page 60.

• "Configuring Admin Role Rules - NOC ADMINs" on page 61.

• "Viewing Admin Roles Configuration Summaries" on page 64.

• "Applying Access Filters to Device Groups" on page 53.

Other Information

In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


UNDERSTANDING SECURITY POLICIES

In general, a security policy is a set of rules associated with a service, for example FW, NAT, VPN, or QoS. The security policy, residing on a policy server, examines and evaluates incoming or outgoing packets to determine if the security policy allows these packets passage to or from the internal network.

Not only does the device examine IP addresses, it also looks at the data in the packets to stop hackers from hiding information in the packets.

NETSCREEN SECURITY POLICIES

An Access Policy in the Policy Manager is a set of configurations that you define and apply to NetScreen devices (the policy server). The NetScreen Policy section makes it easy to configure services on your NetScreen devices, particularly when the network contains large numbers of NetScreen devices. This mass production of policies alone eliminates many repetitive tasks when configuring large numbers of devices.

Policy Types in NetScreen Policy

NetScreen Policy screens and Shared Config sections provide a list of different policy types for you to choose from. This approach both simplifies and speeds up configuring policies such as:

• A DNS policy to configure DNS server entries.

• An Access Filter section to configure rules to access devices using IP addresses.

• An Admin Roles policy to configure administrator privileges to access Policy Manager configuration tasks.

In these instances, you simply select the relevant policy type from the list of access filters, configure it, and then apply the configuration to any device or device group in the network.

The following table summarizes policy types in the Policy and Shared Config sections.

Policy Type: Function and Description

Policy

Access Filter: Configure rules to access NetScreen devices using their IP addresses.

Admin Roles: Configure administrator rules for access to NetScreen Policy Manager configuration tasks.

Shared Config

CA Certificates: Install CA certificates on NetScreen devices.

CRL: Install certificate revocation lists on NetScreen devices.

DNS: Configure DNS server entries.

Defense: Configure firewall protection features on NetScreen devices.

E-Mail Alerts: Configure E-mail server and user entries for mail alerts on NetScreen devices.

AuthServer: Configure the type of authentication server (local, RADIUS, LDAP, SecureID) on NetScreen devices.

Global Pro Monitoring: Configure Global Pro settings on NetScreen devices.

NTP / Clock: Configure NTP settings on NetScreen devices.

Packet Flow: Configure the TCP MSS and other flow settings on NetScreen devices.

SNMP: Configure SNMP on NetScreen devices.

Syslog: Generate system event messages and send them to a syslog host.

URL Filter: Configure Websense and URL blocking on NetScreen devices.

WebTrends: Configure WebTrends logging on NetScreen devices.

POLICY REQUIREMENTS AND SOLUTIONS

The problem statement in "Assumptions and approach" on page 45 required establishing access rules for outgoing packets. That is, applying a set of access rules (access filters) to your NetScreen devices to allow packets generated behind the firewall (Trust) passage to any trust/untrust destination.

DEFINING THE ACCESS FILTERS POLICY

This step involves selecting the Policy Type (Access Filters in this case) and adding and configuring the selected policy type as shown below.

To select the Access Filters policy type:

1. In Policy Manager Console, select Policy in the left console pane. Right-click a policy group entry in the right pane and select Add Policy Group from the access filter configuration menu. The Policy name input screen opens.

Figure 5-1 Policy Group List in the Right Pane

Understanding Policy Components and Options

2. Highlight Policy in the left pane and right-click in the right pane (Policy Entries section) to add a new Policy Entry.

Figure 5-2 Input dialog to add a new policy

3. In Input dialog, type Outgoing Access Filter as the name of the Access Filters policy and press OK to display the Access Filters Specifications tab in the viewing panel.

Figure 5-3 Policy Specifications tab

Understanding Fields in the Policy Specifications Tab shown above

Field: Description

#: Sequentially assigned policy number (a side arrow appears if there are multiple items; also the “more” link shown above the figure).

Source: Source IP address (can show multiple).

Src. Zone: Trust/Untrust (examples shown); other choices are available, such as HA, DMZ, etc.

Destination: Destination IP address (can show multiple).

Dest. Zone: Trust/Untrust.

Service: List of pre-defined or custom services to select from (can show multiple).

NAT: Network Address Translation enable (icon present for NAT on/off, plus DIP on/off text).

Action: Permit / Deny.

Option: In Access Filter Wizard: Log, Counter, User Auth, Alarm, Traffic Shaping, or Schedule.

Enable(*): Enable/disable the policy to check packets (* now selected via the right mouse click menu).

Installed on All: Shows devices governed by the policy.


To add and configure the policy specifications:

1. If you are adding a completely new policy, the Policy Specifications area will appear blank. Right-click over the empty table area and select New Policy. A default policy will appear per your preference. If you are adding policies to existing entries, right-click over an existing Policy entry and select the appropriate option (see the options in Figure 5-4).

Figure 5-4 Editing Access Filters - Number Configuration Menu

2. After adding a policy, you can then edit various parameters by right-clicking over the area in context. For example, if you want to edit a Source Zone field, right-click over the Source Zone cell to be edited. The options in the popup menu change depending on which field you right-click. An object browser window opens with source zone options to select.


Figure 5-5 Configure Options Dialog Screen

Field: Description

Logging: YES/NO. Log/do not log events to a log server.

Authentication: Authentication selection, Auth Server selection, Restrict Usage selection.

Counting & Alarm Threshold: YES/NO. Count/don’t count the number of logged events; set the size and frequency of alarms.

Traffic Shaping: Traffic Shaping configuration: Guaranteed Bandwidth (kbps, text field), Max. Bandwidth (kbps, text field), Traffic Priority selection, and DS Codepoint Marking (yes/no).

Schedule: Schedule selection.

In Chapter 3, you added NetScreen devices to provide controlled access to your VPN sites, but you did not define any device groups. Device groups are similar to user groups. You simply define a device group comprising devices in a given location, or in a Policy Domain, and then add these devices to the device group.

Policy Manager provides an easy interface to add device groups to apply rules in existing access filters to your NetScreen devices.


Creating the Device Group

To define a device group, you must first define the devices you want included in the group. The following procedure creates a device group called Device Group: Tutorial PD. Its members are the devices you created on page 21.

To create the device group:

1. In the Policy Manager - Devices and Groups console, right-click over Devices and Groups and select Add Device Group in the mouse menu. An “Add Device Group” dialog screen appears.

Figure 5-6 Add Device Group dialog

2. In the Name field, type Device Group: Tutorial PD.

3. Click Apply and Close (to stop further device group additions).

The Device Groups interface appears, displaying data identifying the new device group.

Figure 5-7 General Dialog Box of Device Groups interface


4. To add devices to your newly created Device Group, click Members.

Figure 5-8 Members screen of Device Groups interface

5. In the Members screen, click the checkboxes of the three devices in the left object browser column to move the three devices in your network (Policy Domain) to the members list column on the right.

Note: You can use the Memo page to record notes or comments for future reference.

6. Click Apply and OK to save the new device group and close the screen.

7. Use the remaining procedure to apply your access rules to your device group.


Applying Access Filters to Device Groups

The following procedure shows how to apply the access rules defined in the Outgoing Access Filter policy to the device group called Device Group: Tutorial PD.

To apply the access policy to NetScreen devices or device groups:

1. In the Policy area, select the access filter policy that you want to apply to your devices, right-click over the “Installed On” cell, and select devices in the Object browser by clicking the appropriate check boxes. The devices now appear in the cell. The devices also appear on the “Installed On All” tab.

Figure 5-9 Policy Screen Members tab

2. Click Apply and OK to save and close screen.

Note: The next time you perform a device update, all the devices in Device Group: Tutorial PD are configured with the options set in the Outgoing Access Filter policy.
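A small model of how the rules in the Policy Specifications table are evaluated and how "Installed On" fans a policy out to the devices of a device group, as an added Python example that is not code from this tutorial or from NetScreen. The service book and device names are constructed, and evaluating entries in sequence-number order with an implicit final deny is an assumption of this model rather than a statement from the tutorial.

```python
"""Access filter model for the Policy Specifications table (added example, not NetScreen
code).  Entries carry the table's columns and are checked in # order; a packet that
matches no enabled entry is denied (assumption of this model)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed service book: name -> (protocol, destination port); None means any.
SERVICE_BOOK = {"ANY": (None, None), "HTTP": ("tcp", 80), "DNS": ("udp", 53),
                "TELNET": ("tcp", 23)}


@dataclass
class PolicyEntry:
    number: int            # "#" column: sequentially assigned policy number
    source: str            # "Any" or a CIDR such as "10.1.0.0/16"
    src_zone: str          # Trust / Untrust / DMZ / HA ...
    destination: str
    dest_zone: str
    service: str           # name in SERVICE_BOOK
    action: str            # "Permit" or "Deny"
    nat: bool = False
    options: set = field(default_factory=set)  # e.g. {"Log", "Counter"}
    enabled: bool = True   # "Enable(*)" column


@dataclass
class Packet:
    src_ip: str
    src_zone: str
    dst_ip: str
    dst_zone: str
    proto: str
    dport: int


def _addr_matches(spec: str, ip: str) -> bool:
    return spec.lower() == "any" or ip_address(ip) in ip_network(spec, strict=False)


def _service_matches(name: str, pkt: Packet) -> bool:
    proto, port = SERVICE_BOOK[name.upper()]
    return (proto is None or proto == pkt.proto) and (port is None or port == pkt.dport)


def matches(entry: PolicyEntry, pkt: Packet) -> bool:
    return (entry.enabled
            and entry.src_zone == pkt.src_zone and entry.dest_zone == pkt.dst_zone
            and _addr_matches(entry.source, pkt.src_ip)
            and _addr_matches(entry.destination, pkt.dst_ip)
            and _service_matches(entry.service, pkt))


def evaluate(entries, pkt: Packet, log: list):
    """Return (action, matched policy number); entries with the Log option append a line."""
    for entry in sorted(entries, key=lambda e: e.number):
        if matches(entry, pkt):
            if "Log" in entry.options:
                log.append(f"policy {entry.number} {entry.action.lower()} "
                           f"{pkt.src_zone}->{pkt.dst_zone} "
                           f"{pkt.src_ip}->{pkt.dst_ip}:{pkt.dport}/{pkt.proto}")
            return entry.action, entry.number
    return "Deny", None  # assumption: no matching entry means the packet is dropped


# The tutorial's Outgoing Access Filter: packets from Trust may reach any destination.
OUTGOING_ACCESS_FILTER = [
    PolicyEntry(1, "Any", "Trust", "Any", "Untrust", "ANY", "Permit", options={"Log"}),
    PolicyEntry(2, "Any", "Trust", "Any", "Trust", "ANY", "Permit"),
]
# Constructed device names standing in for the three devices of Device Group: Tutorial PD.
DEVICE_GROUPS = {"Device Group: Tutorial PD": ["ns-ny-1", "ns-asia-1", "ns-europe-1"]}


def install_on(policy, installed_on):
    """Expand the 'Installed On' targets (devices or device groups) into per-device rule sets."""
    installed = {}
    for target in installed_on:
        for device in DEVICE_GROUPS.get(target, [target]):
            installed[device] = list(policy)
    return installed


def device_decision(device: str, pkt: Packet, installed=None, log=None):
    """Decision a given device would make; a device the policy is not installed on has no rules."""
    if installed is None:
        installed = install_on(OUTGOING_ACCESS_FILTER, ["Device Group: Tutorial PD"])
    return evaluate(installed.get(device, []), pkt, log if log is not None else [])


if __name__ == "__main__":
    outbound = Packet("10.1.1.5", "Trust", "198.51.100.10", "Untrust", "tcp", 80)
    print(device_decision("ns-ny-1", outbound))  # ('Permit', 1)
```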


Chapter 6

Creating Admin Role Rules

ABOUT THIS CHAPTER

This chapter provides the following information:

• A description of Admin Roles rules

• How to define rules for system administrators to access NetScreen Policy Manager configuration tasks.

Assumptions and approach

This chapter builds on network objects introduced and configured earlier. The assumption is that you are about to add and configure Sys Admins to perform their network management tasks.

The following background and procedural information is provided to help you perform these tasks.

Background Information

• "Understanding Admin Roles Policy Type" on page 58

• "Understanding Data Displayed in Admins Roles Specifications Screen" on page 61

• "Understanding Data Displayed in EDIT dialog Specifications Tab" on page 62

Procedural Information

• "Adding Admin Role Rules" on page 60

• "Configuring Admin Role Rules - NOC ADMINs" on page 61

• "Applying Policy Rules to Admins/Admin Groups" on page 65

Other Information

In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


UNDERSTANDING ADMIN ROLES POLICY TYPE

An Admin Role policy is a set of access rules. Admin Role policies are designed to help define rules for network administrators to access NetScreen configuration tasks. You can configure very specific rules and apply them to groups of policies in a given Policy Domain.

Once you have identified and grouped your Sys Admins by the type of access that they require, providing the necessary access levels is reduced to the following simple steps.

1. Create Admin User Groups for each Admin type according to your organization’s security policies and procedures. For example, NOC ADMIN GROUP for network operations center (NOC) administrators, SITE ADMIN GROUP for site administrators, and so on.

2. Add members (Admins) to respective groups. That is, NOC admins to NOC ADMIN GROUP, site admins to SITE ADMIN GROUP, and so on.

3. Configure Admin Roles access rules (policies) that reflect your organization’s security policies and procedures. For example, NOC ADMIN POLICY for NOC manager admins, SITE ADMIN POLICY for administrators, and so on.

Note: Admin Role policies are applied to network administrators, and not to other users seeking remote VPN access, or NetScreen Remote access.

4. Apply rules defined in NOC ADMIN POLICY to NOC ADMIN GROUP, SITE ADMIN POLICY to SITE ADMIN GROUP, and so on.

In addition to procedural simplifications, Admin Role rules bring about the following operational efficiencies as well:

• Enable group account management. That is, any time there are changes in policies governing Sys Admins, you simply modify the specific Admin Roles policy and changes will propagate to all members in that user group.

• Eliminate the need to individually configure users. Anytime you need to add a new user, there is no need to configure the user. You simply associate the new user with the appropriate group, thereby inheriting all group properties.

ADMIN ROLES REQUIREMENTS - PROBLEM STATEMENT

• Define and add Sys Admin users to manage the Corporate LAN and the two satellites.

• Configure access rules based on your organization’s security policies for the Sys Admin users.

• Apply these access rules to the Sys Admin user accounts.


ADDING THE ADMIN USERS

Use the procedures utilized in Chapter 4 to add the following Sys Admin users and user groups.

Note: For all your Sys Admins, use netscreen and Local for password and Auth. Mode respectively.

Add NOC Admins

NOC Admins have access to all object types. Object types are Address Book, Arbitrator, Device Groups, Global View, Policy Domains, Schedule Book, Service Book, Shared Resources, User Groups, Users, and VPN.

Add the following NOC Admins with access to all objects in the Corporate LAN in NY and resources in your sites in Asia and Europe.

• NOC ADMIN-1

• NOC ADMIN-2

• NOC ADMIN-n

Add Site Admins for Asia

The following Asia Admins do not have permission to add, modify, or delete Admin Role rules, nor can they access devices located in other sites, or perform a device Firmware Update.

• ASIA ADMIN-1

• ASIA ADMIN-2

• ASIA ADMIN-n

Add Admin Groups

Define the following Admin Groups:

• NOC ADMIN GROUP, to include all NOC admins as its members.

• ASIA ADMIN GROUP, to include all Asia admins as its members.

Add Members to Admin Groups

Add the members to the Admin Groups as follows:

• Add NOC ADMIN-1 to NOC ADMIN-n to NOC ADMIN GROUP members.

• Add ASIA ADMIN-1 to ASIA ADMIN-n to ASIA ADMIN GROUP members.

Save these configurations

After completion, save these users, user groups, and group affiliations in the Policy Manager.


ADDING AND CONFIGURING ADMIN ROLE RULES

To continue, define and configure the following two Admin Role rules:

• NOC ADMINs for your NOC ADMIN GROUP

• ASIA ADMINs for your ASIA ADMIN GROUP

Adding Admin Role Rules

Use the procedures below to add the two Admin Roles rules.

To add Admin Role rules:

1. In Policy Manager, select Admin Roles from the master branch in the left console pane. Right-click in the right Admin Roles pane and select Add from the mouse menu.

2. In Input dialog, type NOC Admins as the name of your first policy and then click OK.

The Admin Roles dialog box displays the Specifications dialog box of this policy. For a description of items in the main menu and toolbar, see Figure 5-1.

Figure 6-1 Admin Roles Policy - Specifications screen

3. Right-click in the right Admin Roles pane again and select Add from the mouse menu to add a second Admin Roles policy, the one called Asia Admins.


Configuring Admin Role Rules - NOC ADMINs

Use the following procedures to configure the NOC ADMINs and ASIA ADMINs Admin Role rules:

To configure the NOC ADMINs policy:

1. In Policy Manager, highlight NOC ADMINS in the right Admin Roles pane and select Edit from the right mouse menu.

Note: Recall that NOC Admins must access all objects and perform all applicable configurations on these objects. By default, Admin Role members have access to all objects, unless otherwise specified in the EDIT dialog.

2. To make sure Admin members have the necessary permissions, in Object Types, select each object from the list and make sure all Control Options are checked for each Type of Access.

3. Upon completion, select Apply and OK to apply and close the screen.

Understanding Data Displayed in Admin Roles Specifications Screen

Data Item: Description and Purpose

Object Type: Pull-down menu to choose the type of object for which to set access levels. By default, Admin Role members have access to all objects. Object Types are: Address Book, Arbitrator, Device Groups, Devices, Global View, Policies, Policy Domains, Schedule Book, Service Book, Shared Resources, User Groups, Users, and VPN. For each selected object, the options listed in the Types of Access and Control Options boxes vary according to the selected Object Type. See Configuring Admin Role Rules - NOC ADMINs.

Edit: View the Admin Role Access dialog to grant/deny access to objects. See Configuring Admin Role Rules - NOC ADMINs.

Type of Access: View and select configuration options for the selected object. For example, select Devices in Object Type and Reboot, Update Device, and Update Firmware in the Types of Access list. To enable the Admin to perform these functions, check the Execute Control Options box.

Control Options: Enable/disable functions Admins can perform. For example, if you selected Policies in Object Type, followed by Admin Roles in Type of Access, you can enable/disable the Read, Modify, Add, or Delete functions.


To configure access limitations in ASIA ADMINs policy:

1. In Policy Manager, highlight ASIA ADMINS in right Admin Roles pane and select Edit from right mouse menu.

Note: Recall, Asia Admins are not configured to add, modify, or delete Admin Role rules, nor can they access devices located in other sites, or delete arbitrators.

2. To block access to devices located in the other two sites, in Specifications tab, select Object Types>> Devices>>EDIT to open the EDIT dialog.

Figure 6-2 EDIT dialog

3. In the EDIT dialog, type the names of the devices in Asia, Europe, and North America as shown in Figure 6-2 and click OK.

Note: This configuration provides access to the referenced NetScreen device in Asia while blocking access to devices in North America and Europe.

Understanding Data Displayed in EDIT dialog Specifications Tab

Data Item: Description and Purpose

contain: Use this field to specify objects that are accessible. A good naming convention is indispensable; hence, only objects with names that start with XXX are accessible.

do not contain: Use this field to specify objects that are not accessible. Objects with names that start with XXX are not accessible.

RESTORE DEFAULT: Self-explanatory.


The Specifications tab reappears and displays the permissions and limitations set in the EDIT dialog.

Figure 6-3 Set permissions to access Devices objects

4. Limit privileges in Admin Role rules to Read only by selecting Object Types>> Policies>>Admin Roles (in the Type of Access box). Then, in the Control Options box, clear all check boxes with the exception of the Read box, as shown below.

Figure 6-4 Set permissions to access Policies objects

5. To disable device firmware update, select Devices (in Object Type)>> Update Firmware (in Type of Access box) and uncheck Execute in the Control Options.

6. Select Apply and OK to apply and close the screen.


Viewing Admin Roles Configuration Summaries

When configuring an Admin Roles policy, you have the option to view a configuration summary report as follows.

To view a summary configuration of an Admin Roles policy:

1. In Policy Builder, select Admin Roles>>ASIA ADMINs>>Summary.

The Summary screen opens and displays a summary of Admin Roles configuration.

Figure 6-5 Admin Roles configuration summary

2. Make modifications, or click Save Summary.

3. Select Apply and OK to apply and close the screen.

[Figure 6-5 callouts: Read only access; No firmware update access]


Applying Policy Rules to Admins/Admin Groups

To apply rules in ASIA ADMINs policy to ASIA ADMIN GROUP:

1. In Admin Roles screens, select ASIA ADMINs>>Admin Members screen.

Figure 6-6 Applying ASIA ADMINs rules to Admins in ASIA ADMIN Group

2. In Admin Members, move ASIA ADMIN GROUP from Not Included to Members.

To apply rules in NOC ADMINs policy to ASIA ADMIN GROUP:

1. In Policy Builder, select NOC ADMINs>>Admin Members screen.

Figure 6-7 Applying NOC ADMINs rules to Admins in NOC ADMIN Group

2. In Admin Members, move NOC ADMIN GROUP from Not Included to Members.


LOGGING ON AS NEW ADMIN USER(S)

To log on as one of the newly created Admin users, for example, NOC ADMIN-1, you need to specify the domain context as shown below.

To Log on as a new Admin user (NOC ADMIN-1):

1. Bring up the Policy Manager Console as shown in "Logging On - Initial login" on page 10.

2. Type cn=Users,cn=Tutorial,o=Policy Manager and complete the Login dialog as shown in Figure 6-8.

Figure 6-8 Changing the domain context

3. Click Login to continue.


Chapter 7

Updating Devices

ABOUT THIS CHAPTER

This chapter provides the following information:

• A description of Policy Manager’s Update Devices facility.

• Procedures to model and update device configurations.

Assumptions and approach

Updating Devices makes use of material presented earlier in the tutorial. So far, you have defined and configured devices and access rules in Chapter 3 through Chapter 6. The assumption is that all devices are configured and you are about to update these configurations in the Policy Manager and apply them to NetScreen devices in the network.

The following background and procedural information is provided to help you in this process.

Background Information

• "Understanding Policy Manager’s “Update Devices”" on page 68.

• "Advantages and Benefits" on page 68.

Procedural Information

• "Before Updating - Disaster Recovery Preparation" on page 69.

• "Updating Devices" on page 70

• "Viewing Update Results" on page 72.‘

Other Information

In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


UNDERSTANDING POLICY MANAGER’S “UPDATE DEVICES”

Update Devices supports and simplifies your device configuration tasks and helps you maintain the operational readiness of your NetScreen devices. It enables you to model settings in the Policy Manager before applying them to the selected device(s). To propagate the new settings to the device, it generates a CLI configuration and automatically transmits it to the device. You can view configuration changes before applying the settings.

Note: Configuration settings made on devices in the Policy Manager do not take effect on the device unless the configuration is applied to the device. As indicated earlier, there are no actual devices used in this tutorial and all operations occur in the Policy Manager.

Advantages and Benefits

The following is a summary of Policy Manager’s Device Updates features designed to support Sys Admin duties and ensure greater network availability.

Modeling before Modifying

It is important to note the difference between Update Devices and actual device configurations. Update Devices allows you to build, test, and debug models without the need for NetScreen devices or prematurely affecting the configuration of devices on your network.

The Delta Update Mechanism

Before updating a device, Policy Manager first checks for differences between the model in the Policy Manager and the configuration on the device and only updates modified settings. The advantage is that existing sessions are not disrupted if the policy is not changed. After an update is complete, the device configuration matches the configuration in the Policy Manager.
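The following is an added example (not NetScreen code) of the delta idea described above: the modelled configuration is compared with the running configuration and only the settings that differ become CLI commands, so an unchanged policy produces nothing. Both configurations are constructed ScreenOS-style "set" lines, and the rule for deciding which words identify a setting is an assumption made for this illustration.

```python
import re

# Constructed sample: what the Policy Manager has modelled for the device.
MODELLED_CONFIG = """\
set hostname asia-fw-1
set address trust "Tutorial-LAN" 10.20.30.0 255.255.255.0
set address untrust "Partner" 192.0.2.10 255.255.255.255
set policy id 1 from trust to untrust "Tutorial-LAN" "Partner" HTTP permit
set policy id 2 from trust to untrust "Tutorial-LAN" "Any" DNS permit
set syslog config 10.20.30.50
"""

# Constructed sample: the running config as fetched with Tools>>Get Running Config.
RUNNING_CONFIG = """\
set hostname asia-fw-1
set address trust "Tutorial-LAN" 10.20.30.0 255.255.255.0
set address untrust "Partner" 192.0.2.11 255.255.255.255
set policy id 1 from trust to untrust "Tutorial-LAN" "Partner" HTTP permit
set policy id 3 from trust to untrust "Tutorial-LAN" "Any" FTP permit
"""

# Which leading words identify a setting (assumption for this example): the
# hostname, a named address, a numbered policy, or the syslog target.  A changed
# value is then seen as a modification of the same setting, not a new line.
_SETTING_KEY = re.compile(
    r'set (hostname|syslog config)|set (address \w+ "[^"]+")|set (policy id \d+)')


def parse_settings(config_text):
    """Map each 'set' line to the key of the setting it defines."""
    settings = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line.startswith("set "):
            continue
        m = _SETTING_KEY.match(line)
        key = next(g for g in m.groups() if g) if m else line
        settings[key] = line
    return settings


def compute_delta(modelled_text, running_text):
    """Return the CLI lines needed to make the device match the model:
    'unset' for settings only on the device, 'unset' then 'set' for changed
    values, 'set' for new ones.  Identical settings produce no command."""
    modelled = parse_settings(modelled_text)
    running = parse_settings(running_text)
    commands = []
    for key in running:
        if key not in modelled:
            commands.append("unset " + key)
    for key, line in modelled.items():
        if running.get(key) == line:
            continue                      # unchanged: leave the device alone
        if key in running:
            commands.append("unset " + key)  # value changed: replace it
        commands.append(line)
    return commands


if __name__ == "__main__":
    for cmd in compute_delta(MODELLED_CONFIG, RUNNING_CONFIG):
        print(cmd)
```

Policy id 1 and the trust address are identical on both sides and so generate nothing; only policy 3 (device only), the changed Partner address, and the new policy 2 and syslog lines are sent.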

Multiple Device Updates

You can perform device updates on one or more devices, and one or more device groups.

Disaster Recovery Tools

NetScreen provides tools to save current settings and enable future restorations. See "Before Updating - Disaster Recovery Preparation" on page 69.

Secure Device Updates

A device update generates a CLI configuration that you can securely transmit to the NetScreen devices via SCS.

IP Address Flexibility

Update Devices has the ability to talk to any IP address on your devices where management is enabled. This ability exists even if NAT is applied to device addresses.


BEFORE UPDATING - DISASTER RECOVERY PREPARATION

It is prudent to back up your settings before and after every significant change you make. NetScreen provides the following tools to save and retrieve device settings:

• CLI and WebUI: using the CLI, you can download device settings to any local directory as a backup precaution. You can restore the settings using the CLI or WebUI. See the NetScreen ScreenOS Concepts & Examples Reference Guide.

• Policy Manager: you can view and save a current device configuration before performing a device update. See Downloading and Saving Device Configurations below. This feature enables recovering the previous running configuration in the event the new configurations do not function properly. Recovery is via the CLI or the WebUI mentioned above.

Note: With Policy Manager, you can back up and restore the entire Policy Domain. See "Backing Up a Policy Domain" on page 75.

Downloading and Saving Device Configurations

To download and save a Running Config:

1. In Policy Manager Console, select Tools>>Get Running Config to open the Running Config dialog.

2. In Running Config, select and move the desired device from Not Included to Included.

You have the option to display and/or save the Running Config Summary by checking the Generate Report and/or Write separately to directory boxes. If you check Write separately to directory, you must also specify a directory on your local drive.

3. Click Generate Now.

Policy Manager will contact the NetScreen device and will display the current running CLI configuration of the device and/or save it to the specified directory.

Figure 7-1 Running Config dialog


4. Save the configuration file on your workstation.

Note: If necessary, you can retrieve this file and reapply the configuration using the CLI or Web GUI.

UPDATING DEVICES

This procedure is simple to perform. You can view the status and progress of the update while the process runs, and view update results upon completion.

To update a device:

1. In Policy Manager Console, select Tools>>Update Devices to open the Update Devices dialog. See Figure 7-3.

Figure 7-2 Tools menu commands

Note: For a description of the commands in the Tools menu, see the NetScreen-Global PRO™ Policy Manager Installer & User’s Guide.


2. In the Update Devices dialog, select the device, devices, or device groups that you want to update and use the single chevron button to move them to the Members column. Note that you can move all devices in a single step by using the double chevron button.

Figure 7-3 Update Devices Dialog

3. Click Update Now.

The Update Status dialog displays the progress of the update process. However, since there are no physical devices involved, no update occurs and the device name appears in the FAILURE box. Otherwise, the device name would appear in the SUCCESS box.

Figure 7-4 Update Status Dialog

[Figure 7-4 callouts: Single chevron button; Double chevron button; Stop update; Update Now button; Alternate update button; Generate Update Results Report button]


Viewing Update Results

Policy Manager provides a summary in the “Update Report Summary.”

To view the Update Report:

1. When Update Devices is complete, in the Update Status dialog, click the Generate Report button shown in Figure 7-4.

The Update Summary Report appears.

Figure 7-5 Update Report Summary

2. Use the scroll bar to view the entire report.

Note: You have the option to view an “Executive Summary” or report “Details” by clicking the respective links.

3. In Update Report Summary, click the Save button to open the Save dialog and select a folder to save the report on a local drive.

Figure 7-6 Save Config Report dialog (callout: Save button)


Chapter 8

Conclusion and Exit

ABOUT THIS CHAPTER

This chapter provides the following information:

• Backing up your Policy Domain(s).

• Logging out and closing the system.

• A recap of topics addressed.

Assumptions and approach

You have completed assigned Admin tasks and are about to log out of the Policy Manager Console or close down the Policy Manager.

Background Information

• "Terminating a Session - Log Out Versus Exit" on page 75.

• "In Policy manager, select Policy Domain>> Exit." on page 77.

Procedural Information

• "Backing Up a Policy Domain" on page 75.

• "Logging Out of the Policy Domain" on page 77.

• "Closing the Policy Manager Console" on page 77.

Other Information

In addition to cited references, acronyms and terms that appear in this chapter are either explained as they are introduced or described in the “Glossary” on page 79.


CONCLUDING REMARKS

This chapter marks the conclusion of this first publication of the Policy Manager tutorial. The sole remaining task is to log out and exit the system, which you will do next.

The material presented sought to provide both background and procedural information to enable a new user to install the Policy Manager and use the key features of the product.

To this end, topics addressed included the following:

• Installation and log on

• VPN management with Policy Manager

• Access policies (Access filters and Admin privileges) in Policy Manager

• Modelling device configurations and device updates

• Backup tools and procedures

In presenting these topics, realistic “Use Case” scenarios were used as much as possible. For example,

• All configurations were modelled in the Policy Manager to avoid the need for actual devices.

• Not only were features explained; why they were used was also presented.

• Configuration problems and Policy Manager solutions resemble field deployments.

Nonetheless, this material is not field tested and your comments will serve to make this document more useful. Please direct all comments and suggestions plus any errors and omissions to: [email protected]


TERMINATING A SESSION - LOG OUT VERSUS EXIT

When terminating a session, you can choose:

• Logout, to leave the Policy Domain only. See "To log out of the Policy Manager" on page 77.

• Exit, to leave the Policy Domain and close the Policy Manager Console. See "To close the Policy Manager" on page 77.

Backing Up a Policy Domain

In a production environment, it is recommended that you always back up your Policy Domain before terminating a session. These procedures are described below.

To back up a Policy Domain:

1. In Policy Manager, select Policy Domain>> Backup to open the Backup Domain Wizard (1 of 5). See Figure 8-1.

Figure 8-1 Policy Domain menu and Backup Domain Wizard (1-5)

2. In Backup Domain Wizard (1-5), select Tutorial (Policy Domain you have used in the Tutorial) and move it to the Members column.

3. In the Members column, select the Policy Domain you want to back up. This is necessary if there is more than one entry.


4. In Backup Wizard (1 of 5), click NEXT to open Policy Domain Wizard (2 of 5).

Figure 8-2 Backup Domain Wizard (2-5)

5. Type and then retype password and click NEXT to view Policy Domain Wizard (3 of 5). See Figure 8-2.

Figure 8-3 Backup Domain Wizard (3-5)

6. Type the path in the Save To: field, or click Browse to open the Save dialog and choose a location to save the Policy Domain, then click NEXT to view confirmation of the saved location in Backup Domain Wizard (4-5).

7. In Backup Domain Wizard (4-5), click NEXT.

The Backup Domain Wizard (5-5) opens and displays the progress and outcome of the back up process.

8. Click DONE. The backup process is now complete.


Logging Out of the Policy Domain

To log out of the Policy Manager:

1. In Policy Manager, select Policy Domain>> Logout.

The Policy Manager logout prompt appears.

Figure 8-4 NetScreen Policy Manager - Logout prompt

2. Click Yes. The Policy Manager logs you out of the Policy Domain and returns you to the Login dialog.

Figure 8-5 Login dialog

Closing the Policy Manager Console

To close the Policy Manager:

After saving all configuration changes, you can close the Policy Manager as follows:

• In Policy Manager, select Policy Domain>> Logout and then click Quit in the Login dialog.

Or,

• In Policy Manager, select Policy Domain>> Exit.


Appendix A

Glossary

Address Book Maintains Address Book Entries, created for Access Filter Policies and Device Protected Resources for VPNs.

Authentication Ensures digital data transmissions are delivered to intended receivers. Also assures receivers of the integrity of the message and its source. In its simplest form, requires user name and password.

CA Certificate Authority. A trusted third party for verifying your identity. The CA server can be owned and operated by an independent CA, or by your own organization, in which case you become your own CA.

Certificates A digital certificate is an electronic means to verify your identity through the word of a trusted third party, known as a Certificate Authority (CA).

CRL Certificate Revocation Lists. When you use a CA, you must get the address of their CA and CRL servers to obtain certificates, certificate revocation lists, and information they require to submit personal certificate requests.

IKE Internet Key Exchange, method for exchanging keys for encryption and authentication over an unsecured medium, such as the Internet.

Key The code for deciphering encrypted data.

Netmask Shows which parts of an IP address identify the network and the host. For example, an IP address and netmask of 10.20.30.1 255.255.255.0 refers to all hosts in the 10.20.30.0 subnet, but 10.20.30.1 255.255.255.255 refers to a single host.

NTP Network Time Protocol, used to synchronize the system time on a computer to that of a server or other reference source such as a radio, satellite receiver, or modem to provide time accuracy within milliseconds.

Policy Domain Individual directories, or folders, in the LDAP directory. They are used to maintain information about objects and policies in your network. For example, NetScreen devices, users, VPNs, and so on.

RSA Founded in 1982 by Rivest, Shamir, and Adleman, inventors of the RSA public-key cryptosystem. RSA technologies are part of emerging standards for the Internet and WWW, ITU, ISO, ANSI, IEEE, and financial and electronic commerce networks.


SCS Secure Command Shell. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability.

SNMP Simple Network Management Protocol. The network management protocol of TCP/IP. In SNMP, agents, both hardware and software, monitor the activity in the various devices on the network and report to the network console workstation.

Subnet Mask The part of the IP address which is used to represent a subnetwork within a network. Subnet masks allow you to use network address space that is otherwise unavailable and ensure network traffic is not sent to the whole network unless intended.

TCP Transmission Control Protocol. Governs the breakup of data messages into packets sent via IP, and reassembly and verification of the complete messages from packets received by IP. TCP corresponds to the transport layer in the ISO/OSI model.

UDP User Datagram Protocol. Connectionless protocol within TCP/IP, corresponds to the transport layer in the ISO/OSI model. Converts data messages generated by an application into packets to be sent via IP but does not verify messages are delivered correctly.

WebTrends WebTrends Firewall Suite allows you to customize syslog reports to display the information you want in the format you specify. You can create reports that focus on areas such as firewall activity, network traffic flow, or event alarms.


Index

C
console
  closing 77
  installation
    choose shortcut location 9
    Update Manager version check 11

I
installation
  choose console shortcut location 9
  process 8
installer 8

L
license
  agreement 8
login
  root or superuser 10

P
policy domain
  logging out 77

R
restore default location 9

S
security warnings 7

U
uninstalling the console
  console, uninstalling 4