NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
-
Upload
tiplo-mimolet -
Category
Documents
-
view
259 -
download
0
Transcript of NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
1/577
1HW6FUHHQ&RQFHSWV([DPSOHV
1HW6FUHHQ&RQFHSW([DPSOHV
6FUHHQ265HIHUHQFH*XLGH
9HUVLRQ
31
5HY&
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
2/577
http://www.netscreen.com/ -
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
3/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
4/577
1HW6FUHHQ&RQFHSWV([DPSOHV LY
the exclusions and limitations of incidental, consequential orspecial damages, so the above exclusions and limitations may notapply to you.
8. Export Law Assurance. You understand that the Software issubject to export control laws and regulations. YOU MAY NOTDOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THESOFTWARE OR ANY UNDERLYING INFORMATION ORTECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITEDSTATES AND OTHER APPLICABLE LAWS AND REGULATIONS.
9. U.S. Government Restricted Rights. If this Product is beingacquired by the U.S. Government, the Product and related
documentation is commercial computer Product anddocumentation developed exclusively at private expense, and (a) ifacquired by or on behalf of civilian agency, shall be subject to theterms of this computer Software, and (b) if acquired by or onbehalf of units of the Department of Defense (DoD) shall besubject to terms of this commercial computer Software licenseSupplement and its successors.
10. Tax Liability. You agree to be responsible for the payment ofany sales or use taxes imposed at any time whatsoever on thistransaction.
11. General. If any provisions of this Agreement are held invalid,the remainder shall continue in full force and effect. The laws ofthe State of California, excluding the application of its conflicts oflaw rules shall govern this License Agreement. This Agreementwill not be governed by the United Nations Convention on theContracts for the International Sale of Goods. This Agreement isthe entire agreement between the parties as to the subject matterhereof and supersedes any other Technologies, advertisements,or understandings with respect to the Software and
documentation. This Agreement may not be modified or altered,except by written amendment, which expressly refers to thisAgreement and which, is duly executed by both parties.
You acknowledge that you have read this Agreement, understandit, and agree to be bound by its terms and conditions.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
5/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
6/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
7/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
8/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
9/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
10/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
11/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
12/577
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
13/577
1HW6FUHHQ&RQFHSWV([DPSOHV [LLL
3UHIDFH
NetScreen devices are ASIC-based, ICSA-certified1Internet security appliances that integrate firewall, virtual private
networking (VPN), and traffic-shaping features to provide complete protection of your local area network (LAN)when connecting to the Internet.
Firewall: A firewall screens traffic crossing the boundary between a private LAN and the public network,such as the Internet.
VPN: A VPN provides a secure communications channel between two or more remote network appliances.
Traffic Shaping: Traffic shaping functionality allows administrative monitoring and control of traffic passingacross the NetScreen
firewall to maintain a networks quality-of-service (QoS) level.
1. The Internet Computer Security Association (ICSA) is an organization focused on all types of network security for Internet-connected companies. Among itsmany functions, ICSA provides product certification for several kinds of security products such as virus protection, firewall, PKI, intrusion detection, IPSec,and cryptography. ICSA has certified all NetScreen products for firewall and IPSec.
Note:For information on NetScreen compliance with Federal Information Processing Standards (FIPS) and forinstructions on setting a FIPS-compliant NetScreen device in FIPS mode, see theNetScreen-100 Cryptographic
Module Security Policy on the documentation CD-ROM.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
14/577
1HW6FUHHQ&RQFHSWV([DPSOHV [LY
NetScreen ScreenOS version 3.0.0 is the operating system that provides all the features needed to set up andmanage any NetScreen security appliance or system. The NetScreen Concepts & Examples ScreenOS ReferenceGuideprovides a useful reference guide for configuring and managing a NetScreen appliance through theScreenOS.
VPNs: Securecommunication tunnelsbetween sites for traffic
passing through the Internet
Firewall: Screening trafficbetween the protected LAN
and the Internet
LAN LAN
LAN
Traffic Shaping: Efficientprioritization of traffic as it
traverses the firewall
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
15/577
1HW6FUHHQ'RFXPHQWDWLRQ
1HW6FUHHQ&RQFHSWV([DPSOHV [Y
1(76&5((1'2&80(17$7,21
In addition to the NetScreen Concepts & Examples ScreenOS Reference Guide guide, there are other technicalpublications available from NetScreen. These publications are as follows:
Whats New in ScreenOS 3.1.0
This manual describes all new features in ScreenOS 3.1.0. In addition, it lists all commands that have been removedsince version 3.0.0 and all commands that have remained the same. It also presents full descriptions of all newcommands, and all commands that have undergone modification.
NetScreen WebUI Reference GuideThis manual presents a brief introduction to the WebUI management application, with a glossary of importanttechnical terms, and general instructions on how to use the application.
NetScreen CLI Reference Guide
This manual provides descriptions of all command line interface (CLI) commands. Each command descriptionpresents the commands syntax and basic elements, including options, parameters, switches, and element
dependencies. The descriptions also provide practical examples of command execution.NetScreen-5XP Installers Guide, NetScreen-10 Installers Guide, NetScreen-25 Installers Guide, NetScreen-50Installers Guide, NetScreen-204/208 Installers Guide
These manuals provide instructions for connecting a NetScreen-5XP, -10, -25, and -50 device respectively to anetwork, and performing an initial configuration. The instructions explain how to set up the device in Transparent,NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how to change theadmins login name and password. Each manual also provides an overview of the hardware for each specific
platform.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
16/577
1HW6FUHHQ'RFXPHQWDWLRQ
1HW6FUHHQ&RQFHSWV([DPSOHV [YL
NetScreen-100 Installers Guide, NetScreen-204/208 Installers Guide, NetScreen-500 Installers Guide, andNetScreen-1000 Installers Guide
These manuals provide instructions for connecting a NetScreen-100, -204/208, -500, and -1000 device respectivelyto a network, and performing an initial configuration. The instructions explain how to set up the device inTransparent, NAT, or Route mode, how to configure an access policy permitting outbound traffic only, and how tochange the admins login name and password. The manual also provides an overview of the hardware, and cablingand configuration instructions for single appliances and redundant appliances using High Availability (HA).
NetScreen-Remote Administrators Guide
This manual provides instructions for installing and using the NetScreen-Remote client software, which allows aremote user to connect with a NetScreen security device through a virtual private network (VPN) tunnel.
NetScreen Message Log Reference Guide
This manual documents the log messages that appear in ScreenOS 3.0.0. Each log message entry includes themessage text, its meaning, and any recommended action to take upon receiving the message.
If you find any errors or omissions in the content of this or any other NetScreen manual, please contact us at the
e-mail address below:[email protected]
mailto:[email protected]:[email protected] -
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
17/577
&RQFHSWV([DPSOHV0DQXDO2UJDQL]DWLRQ
1HW6FUHHQ&RQFHSWV([DPSOHV [YLL
&21&(376(;$03/(60$18$/25*$1,=$7,21
The following are summaries of each of the chapters in the NetScreen Concepts & Examples ScreenOS ReferenceGuide:
Chapter 1,Universal Security Gateway Architecture presents the fundamental elements of USGAthearchitecture presented in ScreenOS 3.1.0and concludes with a four-part example illustrating an enterprise-basedconfiguration incorporating most of those elements. In this and all subsequent chapters, each concept isaccompanied by illustrative examples.
Chapter 2, Zones explains security zones, tunnel zones, and function zones.
Chapter 3, Interfaces describes the various physical, logical, and virtual interfaces on NetScreen devices, explainsthe concepts behind Transparent, Network Address Translation (NAT), and Route operational modes, and includesinformation on various firewall attacks and the attack blocking options that NetScreen provides.
Chapter 4,System Parameters presents the concepts behind Domain Name System (DNS) addressing; usingDynamic Host Configuration Protocol (DHCP) to assign or relay TCP/IP settings; URL filtering; downloading anduploading system configurations and software; and setting the system clock.
Chapter 5, Administration explains the different means available for managing a NetScreen device both locallyand remotely. This chapter also explains the privileges pertaining to each of the four levels of network administratorsthat can be defined. Finally, it explains how to secure local and remote administrative traffic.
Chapter 6, Monitoring NetScreen Devices explains various monitoring methods and provides guidance ininterpreting monitoring output.
Chapter 7, Virtual Routers presents the concept of a virtual router and explains how to configure the virtual routers
on the NetScreen device. It also contains information on routing table entries.Chapter 8, Building Blocks for Access Policies and VPNs discusses the elements used for creating accesspolicies and virtual private networks (VPNs): addresses (including VIP addresses), users, and services. It alsopresents several example configurations support for the H.323 protocol.
Chapter 9, Access Policies explores the components and functions of access policies and offers guidance on theircreation and application.
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
18/577
&RQFHSWV([DPSOHV0DQXDO2UJDQL]DWLRQ
1HW6FUHHQ&RQFHSWV([DPSOHV [YLLL
Chapter 10, IPSec provides background information bout IPSec, presents a flow sequence for Phase 1 in IKEnegotiations in Aggressive and Main modes, and concludes with information regarding NAT-Traversal.
Chapter 11, Public Key Cryptography provides information on how to obtain and load digital certificates andcertificate revocation lists (CRLs).
Chapter 12, Routing-Based VPNs provides extensive examples of routing-based VPN configurations, includinghub-and-spoke and back-to-back tunnel designs.
Chapter 13, Policy-Based VPNs provides extensive examples of policy-based VPN configurations for LAN-to-LANand client-to-LAN communication using Manual Key and AutoKey IKE mechanisms. It also details how to make use
of tunnel interfaces to provide policy-based NAT to traffic flowing through VPN tunnels between sites that havetrusted networks with an overlapping address space.
Chapter 14, L2TP explains the Layer 2 Tunneling Protocol (L2TP), its use alone and in conjunction with IPSec(L2TP-over-IPSec).
Chapter 15, Policy-Based NAT explains how to provide NAT services for network traffic at the policy level.
Chapter 16, Traffic Shaping explains how you can manage bandwidth at the interface and Access Policy levels
and prioritize services.Chapter 17, Virtual Systems presents the concepts of virtual systems and virtual local area networks (VLANs),and explains how to set up virtual systems and create virtual system administrators.
Chapter 18,High Availability explains how to cable, configure, and manage two or more NetScreen-100, -204/208,-500, or -1000 devices in a redundant group to provide high availability.
Appendix A,SNMP MIB Files lists and briefly describes the Management Information Base (MIB) files available for
MIB compilers.Appendix B,Glossary provides a reference for the terms and acronyms used in the Security and Firewall field.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
19/577
&RQYHQWLRQV
1HW6FUHHQ&RQFHSWV([DPSOHV [L[
&219(17,216
This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI)and the command line interface (CLI). The conventions used for both are introduced below.
:HE8,1DYLJDWLRQ&RQYHQWLRQV
Throughout this book, a double chevron ( >> ) is used to indicate navigation through the WebUI by clicking buttons,tabs, and links.
([DPSOH931V!!*DWHZD\3!!1HZ5HPRWH7XQQHO*DWHZD\
To access the Remote Tunnel Gateway Configuration dialog box to define the VPN tunnel gateway of an IKE peer,do the following:
1. Click the VPNs button in the menu column.
2. Click the Gateway (P1) tab.
3. Click the New Remote Tunnel Gateway link.The Remote Tunnel Gateway Configuration dialog box appears.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
20/577
&RQYHQWLRQV
1HW6FUHHQ&RQFHSWV([DPSOHV [[
&/,&RQYHQWLRQV
The CLI conventions are as follows:
A parameter inside [ ] (square brackets) is optional.
A parameter inside { } (braces) is required.
Anything inside < > is a variable.
If there is more than one choice for a parameter inside [ ] and { }, they are separated by a pipe( | ). Forexample, [auth {md5 | sha-1}] means choose either MD5 or SHA-1 as your authentication method.
For example, when entering a route to the route table for the IP address 2.2.2.2/32 via the untrusted interface, usethe following syntax:
set route interface { trust | untrust | dmz | mgt | tunnel/ } [ gateway ][ metric ]
to produce this command:
set route 2.2.2.2 255.255.255.255 interface untrust
Because the gateway IP address and the metric2 are optionalthese arguments are presented within brackets [ ]you can omit them from the command. In this example, the gateway IP address would be that of a router on theuntrusted side through which you want to route traffic bound for 2.2.2.2/32. By not specifying a router, the defaultrouter for the untrusted interface is used.
If you want to see the options following part of a command, press the SPACE key and then type ? (question mark).For example, typing set interface ? displays the following options: trust, untrust, dmz, mgt, ha1, ha2, tunnelwhichare the available options that you can enter after typing set interface.
2. The metric argument specifies the number of hops between the NetScreen-500 and the specified gateway. In this example, you do not specifya gateway; consequently, you do not specify a metric for it. However, even if you do specify a gateway, specifying a metric is optional.
Note:When typing a key word, you only have to type enough letters to identify the word uniquely. For example,typingset in t nis enough to enter the commandset interface trust nat.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
21/577
1HW6FUHHQ&RQFHSWV([DPSOHV
8 u h r
8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUHNetScreen ScreenOS 3.1.0 introduces Universal Security Gateway Architecture (USGA), an architecture that offersgreat flexibility in designing the layout of your network security. On NetScreen devices with multiple interfaces, youcan create numerous security zones and configure access policies to regulate traffic between them. You can bindone or more interfaces to each zone and enable a unique set of management and firewall attack screening optionson a per-interface basis. Essentially, USGA allows you to create the number of zones your network environment
requires, assign the number of interfaces each zone requires, and design each interface to your specifications.
This chapter presents an overview of USGA, covering the following key components:
Multiple Security Zones on page 2
Security Zone Interfaces on page 3
Virtual Routers on page 5
Access Policies on page 7
VPNs on page 8
Virtual Systems on page 10
Furthermore, to better understand the ScreenOS mechanism for processing traffic, you can see the flow sequencefor an incoming packet in Packet Flow Sequence on page 13.
The chapter concludes with a four-part example that illustrates a basic configuration for a NetScreen device usingScreenOS 3.1.0 with USGA.
Example (Part 1): Enterprise with Six Zones on page 16
Example (Part 2): Interfaces for Six Zones on page 18
Example (Part 3): Enterprise with Two Routing Domains on page 23
Example (Part 4): Access Policies for an Enterprise with Six Zones on page 26
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
22/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 0XOWLSOH6HFXULW\=RQHV
1HW6FUHHQ&RQFHSWV([DPSOHV
08/7,3/(6(&85,7
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
23/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 6HFXULW\=RQH,QWHUIDFHV
1HW6FUHHQ&RQFHSWV([DPSOHV
6(&85,7
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
24/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 6HFXULW\=RQH,QWHUIDFHV
1HW6FUHHQ&RQFHSWV([DPSOHV
6XELQWHUIDFHV
On devices that support virtual systems, you can logically divide a physical interface into several virtual
subinterfaces, each of which borrows the bandwidth it needs from the physical interface from which it stems. Asubinterface is an abstraction that functions identically to an interface for a physically present port and isdistinguished by 802.1Q VLAN tagging
4. The NetScreen device directs traffic to and from a zone with a subinterface
via its IP address and VLAN tag. For convenience, administrators usually assign a VLAN tag that is the same as theinterface number. For example, an interface using VLAN tag 3 and named ethernet1/2.3refers to the interfacemodule in the first bay, the second port on that module, and interface number 3(ethernet1/2.3).
Note that although a subinterface shares part of its identity with a physical interface, the zone to which you bind it is
not dependent on the zone to which you bind the physical interface. You can bind the subinterface ethernet1/2.3toa different zone than that to which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2.Similarly, there are no restrictions in terms of IP address assignments. The term subinterfacedoes not imply that itsaddress be in a subnet of the address space of the physical interface.
4. 802.1Q is an IEEE standard that defines the mechanisms for the implementation of virtual bridged LANs and the ethernet frame formats used to indicateVLAN membership via VLAN tagging.
Note:For more information on interfaces, seeUniversal Security Gateway Architecture on page 1.
1/1 1/2 3/1 3/2
2/1 2/2 4/1 4/2
Subinterface Assignments
1/1.11/1.2
1/2.11/2.2
2/1.12/1.2
2/2.12/2.2
4/1.14/1.2
4/2.14/2.2
3/1.13/1.23/1.3
3/2.13/2.23/2.3
&K W 8 L O 6 LW * W $ KLW W 9L W O 5 W
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
25/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 9LUWXDO5RXWHUV
1HW6FUHHQ&RQFHSWV([DPSOHV
9,578$/5287(56A virtual router (VR) functions identically to a nonvirtual router. It has its own interfaces and its own routing table. InUSGA, a NetScreen device supports two virtual routers. This allows the NetScreen device to maintain two separaterouting tables and conceal the routing information in one virtual router from the other. For example, virtual router 1,which is typically used for communication with untrusted parties, does not contain any routing information for any ofthe protected zones, which is maintained by virtual router 2. Thus, no internal network information can be gleaned bythe surreptitious extraction of routes from virtual router 1.
Note:To create additional VRs, you must first obtain and load a virtual router software key on the NetScreen device.
Untrust-VR Routing DomainVR1
Route Redistribution
Finance
Trust
Eng
Untrust
DMZ
Trust-VR Routing Domain
Note:The castle icon represents aninterface for a security zone.
&KDSWHU 8QL HUVDO 6HF ULW *DWH D $UFKLWHFW UH 9LUW DO 5R WHUV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
26/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 9LUWXDO5RXWHUV
1HW6FUHHQ&RQFHSWV([DPSOHV
5RXWH5HGLVWULEXWLRQ
Each virtual router (VR) maintains a routing table with unique entries for its routing domain. That is, the entries in
VR1 are completely different from those maintained in VR2. Because the routing table entries in VR2 cannot befound in VR1, the VR1 routing table must include a route pointing to VR2 for any routes that it does not have andthat you want to make accessible for traffic from VR1. (Likewise, the reverse is required for traffic in the otherdirection; that is, from VR2 to VR1.) The term for this link between the two virtual routers is route redistribution.
Note:For more information about virtual routers, seeChapter 7, Virtual Routers.
eth1/1
eth1/2
eth2/1
eth4/1
eth3/1To Use
10.10.1.0/24 eth1/1
10.10.2.0/24 eth1/2
10.10.3.0/24 eth2/1
0.0.0.0/0 VR1
Finance
10.10.1.0/24
Trust10.10.2.0/24
Engineering10.10.3.0/24
Untrust210.10.1.0/24
DMZ210.10.2.0/24
To Use
210.10.1.0/24 eth3/1
210.10.2.0/24 eth4/1
10.10.0.0/16 VR2
0.0.0.0/0 eth3/1
Trust-VR (VR2) Routing Domain Untrust-VR (VR1) Routing Domain
Route Redistribution
&KDSWHU 8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH $FFHVV 3ROLFLHV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
27/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH $FFHVV3ROLFLHV
1HW6FUHHQ&RQFHSWV([DPSOHV
$&&(6632/,&,(6Every time a packet attempts to pass from one zone to another, the NetScreen device checks its access control list(ACL) for a policy that permits such traffic. To allow traffic to pass from one security zone to anotherfor example,from zone A to zone Byou must configure an access policy that permits zone A to send traffic to zone B. To allowtraffic to flow the other way, you must configure another policy permitting traffic from zone B to zone A. For anytraffic to pass from one zone to another, there must be an access policy that permits it.
Note:For information about access policies, seeChapter 9, Access Policies.
PolicyEngine
Finance
Trust
Eng
Untrust
DMZNote:The black lines represent traffic
between security zones.
Route Redistribution
Untrust-VR Routing DomainTrust-VR Routing Domain
&KDSWHU 8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH 931V
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
28/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 931V
1HW6FUHHQ&RQFHSWV([DPSOHV
9316USGA supports several VPN configuration options, some of which allow the separation of virtual private network
(VPN) tunnels and access policies5. Once configured, such tunnels exist as available resources for securing trafficen route between one security zone and another.
The main steps for configuring a VPN tunnel independent of any access policy are as follows:
1. While configuring the VPN tunnel (for example, vpn-to-SF, where SF is the destination or end entity),specify a physical or subinterface on the local device. (The IP address for this interface is what the remotepeer must use when configuring its remote gateway.)
2. Create a tunnel interface (for example, tunnel.1 ), and bind it to a security zone6
.3. Bind the tunnel interface tunnel.1 to the VPN tunnel vpn-to-SF.
4. To direct traffic through this tunnel, set up a route stating that traffic to SFmust use tunnel.1 .
At this point, the tunnel is ready for traffic bound for SF. You can now set up access policies to permit or block trafficfrom a specified source to that destination.
5. In earlier versions of ScreenOS, a VPN policy must explicitly specify tunneling and name a specific VPN tunnel. You can still configure VPN policies this wayin ScreenOS 3.1.0. However, you can also configure policies that only permit or deny traffic between two security zones. If permitted, that traffic is tunneledif the route to the specified destination points to an interface bound to a VPN tunnel.
6. You do not have to bind the tunnel interface to the same zone from which VPN traffic originates locally. Traffic from any zone can access a tunnel interfaceif a route points to that interface.
RoutingTable
------------------------------------------------
VPN tunnel Destination ZoneSource Zone Tunnel
Interface
Packet sent
Policy
Engine
Packet arrives
&KDSWHU 8QLYHUVDO 6HFXULW\ *DWHZD\ $UFKLWHFWXUH 931V
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
29/577
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 931V
1HW6FUHHQ&RQFHSWV([DPSOHV
Zone: Financeeth1/110.10.1.1/24
VPN Tunnelvpn-to-SF
To Reach Use
10.20.2.0/24 tunnel.1
10.10.1.0/24 eth1/1
0.0.0.0/0 VR1
SF LAN
10.20.2.0/24
To Reach Use
210.10.1.0 eth3/1
0.0.0.0/0 210.10.1.2/24
Local Device
Traffic from security zone Finance to SF LAN in security zone Untrust is routed to thetunnel interface tunnel.1. Because tunnel.1 is bound to VPN tunnel vpn-to-SF, the trafficis sent through that tunnel to the remote gateway at SF LAN.
Zone: Untrusteth3/1210.10.1.1/24
Interface:tunnel.1
VR1: Untrust Virtual Router
VR2: Trust Virtual Router
Default Gateway:210.10.1.2
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 9LUWXDO6\VWHPV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
30/577
S \ \ \
1HW6FUHHQ&RQFHSWV([DPSOHV
9,578$/6
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
31/577
1HW6FUHHQ&RQFHSWV([DPSOHV
=RQHVLQD9LUWXDO6\VWHP
When a root-level admin creates a virtual system, the following zones are automatically inherited or created:
Shared Untrust Zone (inherited from the root system)
Shared Null Zone (inherited from the root system)
Trust- Zone
Untrust-Tun- Zone
Self- Zone
Global- Zone
All virtual systems share the untrust and null zones with the root system. Note that because the root system and allvirtual systems share the untrust zone, they also share the address book for the untrust zone.
All other zones in a vsys are owned by that vsys.
In addition, a root-level admin can create one user-defined zone for each virtual system.
,QWHUIDFHV
A virtual system can have any of the following three types of interfaces bound to the untrust zone:
One or more vsys can share the physical interface that is bound to the untrust zone with the root system.
A vsys can have its own subinterface bound to the untrust zone, and use VLAN tagging as the means for
trunking8 inbound and outbound traffic.
A vsys can have its own physical interface bound to the untrust zone or to trust- zone.
You can bind one, two, or all three of the above interface types to the untrust zone concurrently. You can also bindmultiple interfaces of each type to the untrust zone.
Note:For information on each of these zone types, see Chapter 2, Zones.
8. VLAN trunking allows one physical interface to support multiple logical subinterfaces, each of which must be identified by a unique VLAN tag. The VLANidentifier (tag) on an incoming ethernet frame indicates its intended subinterfaceand hence the virtual systemto which it is destined.
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 9LUWXDO6\VWHPV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
32/577
1HW6FUHHQ&RQFHSWV([DPSOHV
You can bind either a subinterface (with VLAN tagging to trunk traffic) or a physical interface to thetrust- zone. You can also bind multiple interfaces of each type to these zones.
9LUWXDO5RXWHUV
When a root-level admin creates a virtual system, the vsys automatically has the following two virtual routersavailable for its use:
A shared virtual router: untrust-vr In the same way that a vsys and the root system share the untrust zone,they also share untrust-vr, which maintains the routing information for that zone.
Its own virtual router: -vr This is a vsys-specific virtual router that, by default, maintains therouting table for the trust- zone.
If you, as a root-level administrator, want all of the vsys zones to be in the untrust-vr routing domainfor example, ifall the interfaces bound to the vsys-trust zone are in Route modeyou can dispense with the trust-vr by changingthe zone bindings from the trust-vr to the untrust-vr. For more information on virtual routers, see Chapter 7, VirtualRouters.
Note:ScreenOS 3.1.0 does not support user-defined virtual routers within a vsys.
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
33/577
1HW6FUHHQ&RQFHSWV([DPSOHV
3$&.(7)/2:6(48(1&(In ScreenOS 3.1.0, the flow sequence of an incoming packet progresses as presented below.
3
If network traffic, sourcezone = security zone towhich interface orsubinterface is bound.
If VPN traffic to tunnelinterface bound to VPNtunnel, source zone =security zone in whichtunnel interface isconfigured
If VPN traffic to tunnelinterface in a tunnelzone, source zone =carrier zone
SourceZone
IncomingInterface
MIP/VIPHost IP
RouteLookup
Route Table10.10.10.0/24 eth1/1
0.0.0.0/0 untrust-vr
PolicyLookup
ACLsrc dst service action
( ) Src AddrTranslation( )
DestinationInterface and
Destination Zone
Permit = Forward packetDeny = Drop packetTunnel = Use specifiedtunnel for VPN encryption
1 4 5 6
If destination zone = security zone,use that zone for policy lookup.
If destination zone = tunnel zone, useits carrier zone for policy lookup
IncomingPacket
SecurityZones
TunnelZone
72
SessionLookup
If packet does notmatch an existing
session, performsteps 3-8.
If it does match, godirectly to step 8.
CreateSession
Session Tableid 977 vsys id 0, flag 000040/00,
pid -1, did 0, time 18013 (01) 10.10.10.1/1168 ->211.68.1.2/80, 6, 002be0c0066b,subif 0, tun 0
8
PerformOperation
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
34/577
1HW6FUHHQ&RQFHSWV([DPSOHV
1. The interface module identifies the incoming interface and, consequently, the source zone to which theinterface is bound.
The source zone determination is based on the following criteria: If the packet is not encapsulated, the source zone is the security zone to which the incoming interface
or subinterface is bound.
If the packet is encapsulated and the tunnel interface is bound to a VPN tunnel, the source zone is thesecurity zone in which the tunnel interface is configured.
If the packet is encapsulated and the tunnel interface is in a tunnel zone, the source zone is thecorresponding carrier zone (a security zone that carriesa tunnel zone) for that tunnel zone.
2. The session module performs a session lookup, attempting to match the packet with an existing session.
If the packet does not match an existing session, the NetScreen device performs First Packet Processing, aprocedure involving the following steps 3 through 8.
If the packet matches an existing session, the NetScreen device performs Fast Processing, using theinformation available from the existing session entry to process the packet. Fast Processing bypasses steps3 through 7 because the information generated by those steps has already been obtained during theprocessing of the first packet in the session.
3. If a mapped IP (MIP) or virtual IP (VIP) address is used, the address-mapping module resolves the MIP orVIP so that the routing table can search for the actual host address.
4. The route table lookup finds the interface that leads to the destination address. In so doing, the interfacemodule identifies the destination zone to which that interface is bound.
The destination zone determination is based on the following criteria:
If the destination zone is a security zone, that zone is used for the policy lookup.
If the destination zone is a tunnel zone, the corresponding carrier zone is used for the policy lookup.
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
35/577
1HW6FUHHQ&RQFHSWV([DPSOHV
5. The policy engine searches the access control list (ACL) for a policy between the addresses in the identifiedsource and destination zones.
The action configured in the policy determines what the NetScreen firewall does with the packet: If the action is permit, the firewall determines to forward the packet to its destination.
If the action is deny, the firewall determines to drop the packet.
If the action is tunnel, the firewall determines to forward the packet to the VPN module, whichencapsulates the packet and transmits it using the specified VPN tunnel settings.
6. If source address translation is specified (either interface-based NAT or policy-based NAT), the NAT moduletranslates the source address before forwarding it either to its destination or to the VPN module.
7. The session module creates a new entry in the session table containing the results of steps 1 through 6.
The NetScreen device then uses the information maintained in the session entry when processingsubsequent packets of the same session.
8. The NetScreen device performs the operation specified in the session.
Some typical operations are source address translation, VPN tunnel selection and encryption, decryption,and packet forwarding.
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
36/577
1HW6FUHHQ&RQFHSWV([DPSOHV
([DPSOH3DUW(QWHUSULVHZLWK6L[=RQHV
This is the first part of an ongoing example. For the next part, in which the interfaces for each zone are set, see
Example (Part 2): Interfaces for Six Zones on page 18. Here you configure the following six zones for anenterprise:
The zones Trust, Untrust, and DMZ are preconfigured. You must configure the zones Finance, Eng, and Mail. Bydefault, a user-configured zone is placed in the virtual router trust-vr. Thus, you do not have to specify a virtual routerfor the Finance and Eng zones. However, in addition to configuring the Mail zone, you must also specify that it be inthe virtual router untrust-vr
9. For both the DMZ and the Mail zones, you enable intra-zone blocking.
Finance
Trust
Eng
Mail
Untrust
DMZ
9. For more information on virtual routers and their routing domains, see Chapter 7, Virtual Routers.
Finance
Trust
Eng
Mail
Untrust
DMZ
Trust-VR RoutingDomain
Untrust-VR RoutingDomain
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
37/577
1HW6FUHHQ&RQFHSWV([DPSOHV
:HE8,
1. Zone >> New Entry: Enter the following, and then click OK:
Name: Finance
Virtual Router Name: trust-vr
Zone Type: Regular: (select)
2. Zone >> New Entry: Enter the following, and then click OK:
Name: Eng
Virtual Router Name: trust-vr
Zone Type: Regular: (select)
3. Zone >> New Entry: Enter the following, and then click OK:
Name: Mail
Intra-Zone Blocking: (select)
Virtual Router Name: untrust-vr
Zone Type: Regular: (select)
4. Zone >> Edit (for DMZ): Select Intra-Zone Blocking, and then click OK.
&/,
1. set zone name finance
2. set zone name eng3. set zone name mail
4. set zone mail vrouter untrust-vr
5. set zone mail block
6. set zone dmz block
7. save
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
38/577
1HW6FUHHQ&RQFHSWV([DPSOHV
([DPSOH3DUW,QWHUIDFHVIRU6L[=RQHV
This is the second part of an ongoing example. For the first part, in which zones are configured, see
Example (Part 1): Enterprise with Six Zones on page 16. For the next part, in which virtual routers areconfigured, see Example (Part 3): Enterprise with Two Routing Domains on page 23. This part of theexample demonstrates how to configure interfaces and bind them to zones.
Finance10.10.1.1/24
eth3/2.1
Trust10.10.2.1/24
eth3/2
Eng10.10.3.1/24
eth3/1
DMZ210.10.4.1/24
eth2/2
Untrust210.10.3.1/24
eth1/2
Mail
210.10.1.1/24
eth1/1
210.10.2.2/24eth1/1.2
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
39/577
1HW6FUHHQ&RQFHSWV([DPSOHV
:HE8,
,QWHUIDFHHWKHUQHW
1. Interfaces >> Physical >> Edit (for ethernet3/2): Enter the following, and then click Save :
IP Address: 10.10.2.1
Netmask: 255.255.255.0
Zone Name: Trust
Interface Mode: NAT (select)
Management Services: WebUI, Telnet, SNMP, SCS (select)
Other Services: Ping (select)
,QWHUIDFHHWKHUQHW
2. Interfaces >> Physical >> New Sub-i/f (for ethernet3/2): Enter the following, and then click Save:
Interface Name: ethernet3/2.: 1
IP Address: 10.10.1.1
Netmask: 255.255.255.0
VLAN Tag: 1
Zone Name: Finance
Interface Mode: NAT (select)
Other Services: Ping (select),QWHUIDFHHWKHUQHW
3. Interfaces >> Physical >> Edit (for ethernet3/1): Enter the following, and then click Save :
IP Address: 10.10.3.1
Netmask: 255.255.255.0
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
40/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Zone Name: Eng
Interface Mode: NAT (select)
Other Services: Ping (select)
,QWHUIDFHHWKHUQHW
4. Interfaces >> Physical >> Edit (for ethernet1/1): Enter the following, and then click Save :
IP Address: 210.10.1.1
Netmask: 255.255.255.0
Zone Name: Mail
,QWHUIDFHHWKHUQHW
5. Interfaces >> Physical >> Sub-i/f (for ethernet1/1): Enter the following, and then click Save:
Interface Name: ethernet1/1.: 2
IP Address: 210.10.2.2
Netmask: 255.255.255.0VLAN Tag: 2
Zone Name: Mail
,QWHUIDFHHWKHUQHW
6. Interfaces >> Physical >> Edit (for ethernet1/2): Enter the following, and then click Save :
IP Address: 210.10.3.1Netmask: 255.255.255.0
Zone Name: Untrust
Management Services: SNMP (select)
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
41/577
1HW6FUHHQ&RQFHSWV([DPSOHV
,QWHUIDFHHWKHUQHW
7. Interfaces >> Physical >> Edit (for ethernet2/2): Enter the following, and then click Save :
IP Address: 210.10.4.1
Netmask: 255.255.255.0
Zone Name: DMZ
&/,
,QWHUIDFHHWKHUQHW
8. set interface eth3/2 zone trust
9. set interface eth3/2 ip 10.10.2.1/24
10. set interface eth3/2 nat
11. set interface eth3/2 manage ping
12. set interface eth3/2 manage webui
13. set interface eth3/2 manage telnet14. set interface eth3/2 manage snmp
15. set interface eth3/2 manage scs
,QWHUIDFHHWKHUQHW
1. set interface eth3/2.1 zone finance
2. set interface eth3/2.1 ip 10.10.1.1/24 tag 1
3. set interface eth3/2.1 nat
4. set interface eth3/2.1 manage ping
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
42/577
1HW6FUHHQ&RQFHSWV([DPSOHV
,QWHUIDFHHWKHUQHW
5. set interface eth3/1 zone eng
6. set interface eth3/1 ip 10.10.3.1/247. set interface eth3/1 nat
8. set interface eth3/1 manage ping
,QWHUIDFHHWKHUQHW
9. set interface eth1/1 zone mail
10. set interface eth1/1 ip 210.10.1.1/24
,QWHUIDFHHWKHUQHW
11. set interface eth1/1.1 zone mail
12. set interface eth1/1.1 ip 210.10.2.2 /24 tag 2
,QWHUIDFHHWKHUQHW
13. set interface eth1/2 zone untrust14. set interface eth1/2 ip 210.10.3.1/24
15. set interface eth1/2 manage snmp
,QWHUIDFHHWKHUQHW
16. set interface eth2/2 zone dmz
17. set interface eth2/2 ip 210.10.4.1/24
18. save
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
43/577
1HW6FUHHQ&RQFHSWV([DPSOHV
([DPSOH3DUW(QWHUSULVHZLWK7ZR5RXWLQJ'RPDLQV
This is the third part of an ongoing example. For the previous part, in which interfaces for the various security zones
are defined, see Example (Part 2): Interfaces for Six Zones on page 18. For the next part, in which the accesspolices are set, see Example (Part 4): Access Policies for an Enterprise with Six Zones on page 26 . In thisexample, you only have to configure a route for the default gateway to the internet. The other routes areautomatically created by the NetScreen device when you create the interface IP addresses.
Finance10.10.1.1/24
eth3/2.1, NAT
Trust10.10.2.1/24eth3/2, NAT
Eng10.10.3.1/24
eth3/1, NAT
Mail
Untrust210.10.3.1/24eth1/2, Route
DMZ210.10.4.1/24
eth2/2, Route
210.10.3.254
To
Internet
210.10.1.1/24eth1/1, Route
210.10.2.2/24eth1/1.2, Route
RouteRedistribution
Trust-VR Routing Domain Untrust-VR Routing Domain
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
44/577
1HW6FUHHQ&RQFHSWV([DPSOHV
:HE8,
1. Routing >> Route Table >> New Entry: Enter the following, and then click OK:
Virtual Router Name: untrust-vr
Network Address: 0.0.0.0
Netmask: 0.0.0.0
Gateway IP Address: 210.10.2.254
Interface: ethernet1/2(untrust-vr)
&/,
1. set vrouter untrust-vr route 0.0.0.0/0 interface eth1/2 gateway 210.10.1.254
2. save
To see the route table entries for the ongoing example, look at the tables on the next page.
Note: This is the onlyuser-configured entry.
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
45/577
1HW6FUHHQ&RQFHSWV([DPSOHV
The NetScreen device automatically creates the following routes (in black):
To Reach: Use Interface: Use Gateway:0.0.0.0/0 n/a Untrust-VR
10.10.3.0/24 eth3/1 0.0.0.0
10.10.2.0/24 eth3/2 0.0.0.0
10.10.1.0/24 eth3/2.1 0.0.0.0
To Reach: Use Interface: Use Gateway:
210.10.4.0/24 eth2/2 0.0.0.0
210.10.3.0/24 eth1/2 0.0.0.0
210.10.2.0/24 eth1/1.2 0.0.0.0
210.10.1.0/24 eth1/1 0.0.0.0
0.0.0.0/0 eth1/2 210.10.3.254
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
46/577
1HW6FUHHQ&RQFHSWV([DPSOHV
([DPSOH3DUW$FFHVV3ROLFLHVIRUDQ(QWHUSULVHZLWK6L[=RQHV
This is the last part of an ongoing example. The previous part is Example (Part 3): Enterprise with Two Routing
Domains on page 23. This part of the example demonstrates how to configure new access policies.
For the purpose of this example, before you begin configuring new access policies, you need to create new servicegroups.
Note:When you create a zone, the NetScreen device automatically creates the addressAnyfor all hosts within thatzone. This example makes use of the addressAnyfor the hosts.
Finance
Trust
Eng DMZ
Untrust
Mail
PolicyEngine
Route Redistribution
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
47/577
1HW6FUHHQ&RQFHSWV([DPSOHV
:HE8,
6HUYLFH*URXSV
1. Services >> Custom >> New Group: Enter the following, and then click OK.
Group Name: Mail-Pop3
Group Members > Custom >> New Group: Enter the following, and then click OK.
Group Name: HTTP-FTPGet
Group Members > New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: Mail-Pop3
Action: Permit
4. Policy (From Zone: Trust, To Zone: Mail) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: Mail-Pop3
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
48/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Action: Permit
5. Policy (From Zone: Eng, To Zone: Mail) >> New Policy: Enter the following, and then click OK:
Source Address: AnyDestination Address: Any
Service: Mail-Pop3
Action: Permit
6. Policy (From Zone: Untrust, To Zone: Mail) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: Mail
Action: Permit
7. Policy (From Zone: Finance, To Zone: Untrust) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: HTTP-FTPGet
Action: Permit
8. Policy (From Zone: Finance, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: AnyService: HTTP-FTPGet
Action: Permit
9. Policy (From Zone: Trust, To Zone: Untrust) >> New Policy: Enter the following, and then click OK:
Source Address: Any
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
D ti ti Add A
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
49/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Destination Address: Any
Service: HTTP-FTPGet
Action: Permit10. Policy (From Zone: Trust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: HTTP-FTPGet
Action: Permit
11. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: HTTP-FTPGet
Action: Permit
12. Policy (From Zone: Eng, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:
Source Address: Any
Destination Address: Any
Service: FTP-Put
Action: Permit
13. Policy (From Zone: Untrust, To Zone: DMZ) >> New Policy: Enter the following, and then click OK:Source Address: Any
Destination Address: Any
Service: HTTP-FTPGet
Action: Permit
&KDSWHU8QLYHUVDO6HFXULW\*DWHZD\$UFKLWHFWXUH 3DFNHW)ORZ6HTXHQFH
&/,
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
50/577
1HW6FUHHQ&RQFHSWV([DPSOHV
&/,
6HUYLFH*URXSV
1. set group service mail-pop3 add mail
2. set group service mail-pop3 add pop3
3. set group service http-ftpget add http
4. set group service http-ftpget add ftpget
$FFHVV3ROLFLHV
5. set policy from finance to mail any any mail-pop3 permit6. set policy from trust to mail any any mail-pop3 permit
7. set policy from eng to mail any any mail-pop3 permit
8. set policy from untrust to mail any any mail permit
9. set policy from finance to untrust any any http-ftpget permit
10. set policy from finance to dmz any any http-ftpget permit
11. set policy from trust to untrust any any http-ftpget permit12. set policy from trust to dmz any any http-ftpget permit
13. set policy from eng to untrust any any http-ftpget permit
14. set policy from eng to dmz any any http-ftpget permit
15. set policy from eng to dmz any any ftp-put permit
16. set policy from untrust to dmz any any http-ftpget permit
17. save
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
51/577
1HW6FUHHQ&RQFHSWV([DPSOHV
8 u h r !
=RQHV
A zone can be a segment of network space to which security measures are applied (a security zone), a logicalsegment to which a VPN tunnel interface is bound (a tunnel zone), or either a physical or logical entity that performsa specific function (a function zone). This chapter examines each type of zone, with particular emphasis given to thesecurity zone, and is organized into the following sections:
Security Zones on page 33
Tunnel Zones on page 34
Function Zones on page 37
When you first boot up a NetScreen device, you can see a number of preconfigured zones. In the WebUI, click Zonein the menu column on the left. In the CLI, use the get zone command.
&KDSWHU=RQHV
The output of the get zone command:
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
52/577
1HW6FUHHQ&RQFHSWV([DPSOHV
The output of the get zone command:
The preconfigured zones shown above can be grouped into three different types:
Security Zones: Untrust, Trust, DMZ, Global, V1-Untrust, V1-Trust, V1-DMZ
Tunnel Zone: Untrust-Tun
Function Zones: Null, Self, MGT, HA
These zones providebackward compatibility when
upgrading to ScreenOS3.1.0the top 3 for devices in
NAT or Route mode, thebottom 3 for devices in
Transparent mode.
ns500-> get zone
Total of 12 zones in vsys root
------------------------------------------------------------------------
Id Name Type Attr VR Default-If vsys
0 Null Null Shared trust-vr null Root
1 Untrust Reg Shared untrust-vr ethernet1/2 Root
2 Trust Reg trust-vr ethernet3/2 Root
3 DMZ Reg untrust-vr ethernet2/2 Root
4 Self Reg trust-vr self Root5 MGT Reg trust-vr mgt Root
6 HA Reg trust-vr ha1 Root
10 Global Reg trust-vr null Root
11 V1-Untrust L2 trust-vr v1-untrust Root
12 V1-Trust L2 trust-vr v1-trust Root
13 V1-DMZ L2 trust-vr v1-dmz Root
16 Untrust-Tun Tun trust-vr tunnel Root
------------------------------------------------------------------------
The root and virtual systems
share these zones.
These zones do not andcannot have an interface.
By default, VPN tunnel interfaces are bound to the Untrust-Tunzone, whose carrier zone is the Untrust zone. (When upgrading to
ScreenOS 3.1.0, existing tunnels are bound to the Untrust-Tun zone.)
Zone ID numbers 79 and 1415are reserved for future use.
&KDSWHU=RQHV 6HFXULW\=RQHV
6(&85,7< =21(6
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
53/577
1HW6FUHHQ&RQFHSWV([DPSOHV
6(&85,7
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
54/577
1HW6FUHHQ&RQFHSWV([DPSOHV
7811(/=21(6A tunnel zone is a logical segment that hosts one or more tunnel interfaces. A tunnel zone is associated with a
security zone that acts as its carrier. The NetScreen device uses the routing information for the carrier zone to directtraffic to the tunnel endpoint. The default tunnel zone is Untrust-Tun, and it is associated with the Untrust zone. Youcan create other tunnel zones and bind them to other security zones, with a maximum of one tunnel zone per carrierzone per virtual system
1.
By default, a tunnel zone is in the Trust-VR routing domain, but you can also move a tunnel zone into anotherrouting domain.
&UHDWLQJD=RQHTo create a security zone or tunnel zone, do either of the following:
:HE8,
Zone >> New Entry: Enter the following, and then click OK:
Name: Type a name for the zone.
Block Intra-Zone Traffic: Select this if you want to block traffic between hostswithin the same security zone. By default, intra-zone blocking is disabled.
Virtual Router Name: Select the virtual router in whose routing domain youwant to place the zone.
Zone Type: Select Regular to create a zone to which you can bind interfacesin NAT or Route mode. Select Layer 2 to create a zone to which you can
bind interfaces in Transparent mode. Select Tunnel Out Zone whencreating a tunnel zone and binding it to a carrier zone, and then select aspecific carrier zone from the drop-down list.
1. The root system and all virtual systems can share the Untrust zone. However, each system has its own separate Untrust-Tun zone.
&KDSWHU=RQHV 7XQQHO=RQHV
&/,
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
55/577
1HW6FUHHQ&RQFHSWV([DPSOHV
&
set zone name [ l2 | tunnel ]
set zone block
set zone vrouter
0RGLI\LQJD=RQH
To modify the ID number or name of a security zone or tunnel zone, you must first delete the zone2, and then create
it again with the new name. To change the intra-zone blocking option or to change the virtual router, you can modify
those settings on the existing zone.
:HE8,
0RGLI\LQJWKH=RQH1DPH
1. Zone: Click Remove (for the zone whose ID number or name you want to modify).
2. When the prompt appears, asking for confirmation of the removal, click Yes.
3. Zone >> New Entry: Enter the zone settings, modifying the ID number or name, and then click OK.
&KDQJLQJWKH,QWUD=RQH%ORFNLQJ2SWLRQRU9LUWXDO5RXWHU
1. Zone >> Edit (for the zone that you want to modify): Enter the following, and then click OK:
Intra-Zone Blocking: To enable, select the check box. To disable, clear it.
Virtual Router Name: From the drop-down list, select the virtual router into
whose routing domain you want to move the zone.
2. Before you can remove a zone, you must first unbind all interfaces bound to it.
&KDSWHU=RQHV 7XQQHO=RQHV
&/,
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
56/577
1HW6FUHHQ&RQFHSWV([DPSOHV
0RGLI\LQJWKH=RQH1DPH
1. unset zone
2. set zone name [ l2 | tunnel ]
&KDQJLQJWKH,QWUD=RQH%ORFNLQJ2SWLRQRU9LUWXDO5RXWHU
{ set | unset } zone block
set zone vrouter
'HOHWLQJD=RQH
To delete a security zone or tunnel zone, do either of the following3:
:HE8,
1. Zone: Click Remove (for the zone you want to delete).
2. When the prompt appears, asking for confirmation of the removal, click Yes.
&/,
unset zone
3. Before you can remove a zone, you must first unbind all interfaces bound to it.
&KDSWHU=RQHV )XQFWLRQ=RQHV
)81&7,21 =21(6
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
57/577
1HW6FUHHQ&RQFHSWV([DPSOHV
)81&7,21=21(6The four function zones are Null, MGT, HA, and Self. Each zone exists for a single purpose, as explained below.
1XOO=RQH
This zone serves as temporary storage for any interfaces that are not bound to any other zone.
0*7=RQHThis zone hosts the out-of-band management interface, MGT.
+$=RQH
This zone hosts the high availability interfaces, HA1 and HA2.
6HOI=RQH
This zone hosts the interface for remote management connections. When you connect to the NetScreen device viaHTTP, SCS, or Telnet, you connect to the Self zone.
Note:Although you can set interfaces for the MGT and HA zones, the zones themselves are not configurable.
&KDSWHU=RQHV )XQFWLRQ=RQHV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
58/577
1HW6FUHHQ&RQFHSWV([DPSOHV
8 u h r "
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
59/577
1HW6FUHHQ&RQFHSWV([DPSOHV
,QWHUIDFHV
Creating an interface is the next step following the creation of a zone. You must create an interface and bind it to azone to allow traffic to flow in and out of the zone. Then, you must set routes and configure access policies to allowtraffic to pass from interface to interface . Physical interfaces and subinterfaces, like doorways, allow traffic to enterand exit a zone. You can assign multiple interfaces to a zone, but an interface can only be assigned to one zone.
For more information on configuring access policies, see Access Policies on page 249, and Policy-Based VPNs
on page 381 for VPN tunnels. For more information on configuring routes, see Virtual Routers on page 179.
The great flexibility of USGA enables you to set DHCP service and firewall options on a per interface basis.
This chapter contains the following sections:
Interface Types on page 40
Interface Settings and Operational Modes on page 45
Transparent Mode on page 45 Network Address Translation Mode on page 52
Route Mode on page 58
Secondary IP Addresses on page 63
Management Services Options on page 65
Interface Services Options on page 66
Firewall Options on page 67 Configuring an interface on page 78
&KDSWHU,QWHUIDFHV ,QWHUIDFH7\SHV
,17(5)$&(7
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
60/577
1HW6FUHHQ&RQFHSWV([DPSOHV
This section describes physical interfaces, subinterfaces, and tunnel interfaces. For information on how to view a
table of all these interfaces, see Viewing interfaces on page 42.
6HFXULW\=RQH,QWHUIDFHV
The purpose of physical interfaces and subinterfaces is to provide an opening through which network traffic canpass between zones.
3K\VLFDOEach port on your NetScreen device represents a physical interface, and the name of the interface ispredefined. The name of a physical interface is composed of the media type, slot number (for someNetScreen devices), and port number, for example, ethernet3/2or ethernet2(see alsoSecurity ZoneInterfaces on page 3). For backward compatibility, certain interfaces can still be named Trust, Untrust, andDMZ as in the old version of ScreenOS. You can bind a physical interface to any security zone where it actsas a doorway through which traffic enters and exits the zone. Without an interface, no traffic can access the
zone or leave it.
Three of the physical ethernet interfaces are pre-bound to specific zonesTrust, Untrust, or DMZ andwhich interface is bound to which zone is specific to each platform. For more information on the Trust,Untrust, and DMZ zones, see Multiple Security Zones on page 2.
6XELQWHUIDFH
A subinterface, like a physical interface, acts as a doorway through which traffic enters and exits a securityzone. You can logically divide a physical interface into several virtual subinterfaces. Each virtualsubinterface borrows the bandwidth it needs from the physical interface from which it stems, thus its name isan extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1 (see alsoSecurityZone Interfaces on page 3).
&KDSWHU,QWHUIDFHV ,QWHUIDFH7\SHV
You can bind a subinterface to any zone. You can bind a subinterface to the same zone as its physicalinterface or you can bind it to a different zone
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
61/577
1HW6FUHHQ&RQFHSWV([DPSOHV
interface, or you can bind it to a different zone.
)XQFWLRQ=RQH,QWHUIDFHVFunction zone interfaces, such as Management and HA, each serve a special purpose.
0DQDJHPHQW,QWHUIDFH
On some NetScreen devices, you can manage the device through a separate physical interfacetheManagement (MGT) interfacemoving administrative traffic outside the regular network user traffic.Separating administrative traffic from network user traffic greatly increases security and assures constantmanagement bandwidth.
+$,QWHUIDFH
With NetScreen devices with dedicated High Availability (HA) interfaces, you can link two or more devicestogether to form a redundant group, or cluster. In a redundant group, one unit acts as the master, performingthe network firewall, VPN, and traffic-shaping functions, while the other units act as backups, basicallywaiting to take over the firewall functions should the master unit fail. The HA interface is a physical port usedexclusively for HA functions.
9LUWXDO+$,QWHUIDFH
On NetScreen devices without a dedicated HA interface, a Virtual High Availability (HA) interfaceprovides the same functionality. Because there is no separate physical port exclusively used for HAtraffic, the Virtual HA interface must be bound to one of the physical portstrust, untrust, or DMZ.
Note:For information on configuring the device for administration, seeAdministration on page 123.
&KDSWHU,QWHUIDFHV ,QWHUIDFH7\SHV
7XQQHO,QWHUIDFHV
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
62/577
1HW6FUHHQ&RQFHSWV([DPSOHV
A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface.
By binding a tunnel interface to a VPN, you can separate the policy from the VPN tunnel. This way, you canconfigure one tunnel, and define multiple policies to regulate the traffic that flows through that tunnel. When there isno tunnel interface bound to a VPN tunnel, you can only define one policy per VPN tunnel.
You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in thesame subnet as the tunnel interface. A typical reason for using policy-based NAT on a tunnel interface is to avoid IPaddress conflicts between the two sites on either end of the VPN tunnel. You can use the same tunnel interface andDIP pool for more than one VPN tunnel.
In USGA, you can bind a tunnel interface to any zone.
9LHZLQJLQWHUIDFHV
You can view a table that lists all interfaces on your NetScreen device. Because they are predefined,physical interfaces are listed regardless of whether or not you configure them. Subinterfaces and tunnelinterfaces are only listed once you create and configure them.
To view the interface table in the WebUI, click Interface in the menu column on the left, and to view it in theCLI, use the get interface command. In the CLI, the get interface command includes tunnel interfaces. Inthe WebUI, tunnel interfaces are separated from other interfaces. To view them, click Interfaces >>Tunnel.
,QWHUIDFH7DEOHThe interface table displays the following information on each interface:
Name: This field identifies the name of the interface.
IP/Netmask: This field identifies the IP address and netmask address of the interface.
Zone: This field identifies the zone to which the interface is bound.
Note:For information on how to configure an interface, seeConfiguring an interface on page 78.
&KDSWHU,QWHUIDFHV ,QWHUIDFH7\SHV
Link: This field identifies whether the interface is active (Up) or inactive (Down).
Configure: This field allows you configure and modify interfaces through these options:
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
63/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Configure: This field allows you configure and modify interfaces through these options:
Edit: Configure a physical interface for the first time, or modify an existing configuration.
New Sub-i/f: Create a new subinterface, or click Edit to modify an existing configuration.
Remove: Delete an interface.
MIP: Create a mapped IP address.
DIP: Create a dynamic IP address pool.
2IP: Create a secondary IP address.VIP: Create a virtual IP address.
Screen: Select Network Attack Blocking Engine (Screen) options to counter network attacks suchas the ones listed in the Firewall Options on page 67.
Note:In the WebUI, in the physical interfaces and subinterfaces table, yellow rows identify physicalinterfaces, and green rows identify subinterfaces (seeWebUI Interface Table on page 44). In the CLI,
you can distinguish a subinterface from a physical interface by its VLAN tag (seeCLI Interface Table onpage 44).
&KDSWHU,QWHUIDFHV ,QWHUIDFH7\SHV
WebUI Interface Table
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
64/577
1HW6FUHHQ&RQFHSWV([DPSOHV
CLI Interface Table
VLAN Tag VLAN Tag
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
,17(5)$&(6(77,1*6$1'23(5$7,21$/02'(6
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
65/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Interfaces can operate in three different modes: Network Address Translation (NAT), Route, and Transparent
modes. You select an operational mode when you configure an interface.
7UDQVSDUHQW0RGH
When an interface is in a Transparent mode, the NetScreen device filters packets traversing the firewall withoutmodifying any of the source or destination information in the IP packet header. All interfaces behave as though theyare part of the same network, with the NetScreen device acting much like a layer-2 switch or bridge. In Transparentmode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the NetScreen device invisible, ortransparent, to users.
ExternalRouter
Public AddressSpace
Switch
209.122.30.1
209.122.30.2209.122.30.3
209.122.30.4
209.122.30.5
Trust Zone
Untrust Zone
To Internet
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
Transparent mode is a convenient means for protecting Web servers, or any other kind of server that mainlyreceives traffic from untrusted sources. Using Transparent mode offers the following benefits:
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
66/577
1HW6FUHHQ&RQFHSWV([DPSOHV
No need to reconfigure the IP settings of routers or protected servers
No need to create Mapped or Virtual IP addresses for incoming traffic to reach protected servers
,QWHUIDFH6HWWLQJV
Interfaces in transparent mode can only be managed through the VLAN1 interface. By default, ScreenOS alwayscreates a VLAN1 interface, and three VLAN1 zones: V1-Trust, V1-Untrust, V1-DMZ.
9/$1,QWHUIDFH
While ScreenOS creates the VLAN1 interface, you need to configure it before you can use it to manage anyinterface. The VLAN1 interface has in fact two main purposes: one is to provide an address for managingthe device, and the other is to terminate VPN traffic when the device is in transparent mode. The VLAN1interface has the same configuration and management abilities as a physical interface.
You can configure the VLAN1 interface to permit hosts in the VLAN1 zones to manage it, in which case, youmust set the VLAN1 interface IP to be in the same subnet as the hosts.
The VLAN1 interface IP overrides the system IP and the manage IP. When the VLAN1 interface isconfigured, neither the system IP nor the manage IP have any effect on interfaces in transparent mode.
9/$1=RQHV
VLAN1 zones are also referred to as Layer 2 zones because they share the same layer 2 domain. Whenyou configure an interface in one of the VLAN1 zones, it gets added to the layer 2 domain shared by allinterfaces in all the VLAN1 zones.
By default the following physical interfaces are bound to the VLAN1 zones:
Zone NetScreen 200 Series Interface NetScreen 500 Interface
V1-Trust ethernet1 ethernet3/2
V1-DMZ ethernet2 ethernet2/2
V1-Untrust ethernet3 ethernet1/2
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
All hosts in the VLAN1 zones must be on the same subnet to communicate, and you must define policies toallow hosts to communicate between zones. For more information on how to set policies, see AccessP li i 249
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
67/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Policies on page 249.
([DPSOH+RZWR'HILQHWKH9/$1,QWHUIDFH
This example demonstrates how to define an IP address for the VLAN1 interface, management options, and a routeto enable management traffic to flow to and from the NetScreen device.
:HE8,
1. Interfaces >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click OK.IP Address: 209.122.30.254
Netmask: 255.255.255.0
Management Services: WebUI, Telnet, SCS (select)
Other Services: Ping (select)
&/,
1. set interface vlan1 ip 209.122.30.254/24
2. set interface vlan1 manage webui telnet scs ping
3. save
([DPSOH7UDQVSDUHQW0RGH
The following example illustrates a basic configuration for a single LAN protected by a NetScreen device inTransparent mode. Access policies permit outgoing traffic for all four hosts in the Trust zone, incoming mail for themail server, and incoming FTP for the FTP server. The device is managed through its VLAN1 IP address.
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
Router209.122.17.253/24
Mail Server209.122.17.249/24
FTP Server209.122.17.250/24
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
68/577
1HW6FUHHQ&RQFHSWV([DPSOHV
:HE8,
1. Interfaces >> Physical >> Edit (for the VLAN1 interface): Enter the following, and then click Apply:
IP Address: 209.122.17.252
Netmask: 255.255.255.0
Management Services: WebUI, Telnet, SCS (select)
Other Services: Ping (select)
2. Admin >> Web: Enter the following, and then click Apply:
HTTP Port: 55551
3. Interfaces >> Physical >> Edit (for ethernet1): Enter the following, and then click Save:
IP Address: 0.0.0.0
1. The default port number is 80. Changing this to any number between 1024 and 32,767 is advised for discouraging unauthorized access to the configuration.When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555.
Internet
NetScreen Device
VLAN1 IP209.122.17.252
Port 5555
PC #1
209.122.17.1/24
PC #2
209.122.17.2/24
Trust Zone
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
Netmask: 0.0.0.0
Manage IP: 0.0.0.0
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
69/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Traffic Bandwidth: 0
Zone Name: Trust
4. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save:
IP Address: 0.0.0.0
Netmask: 0.0.0.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
Zone Name: Untrust
5. Addresses >> Address (under the New column for the Trust zone): Enter the following and then click OK:
Address Name: Mail Server
IP Address/Domain Name: 209.122.17.249
Netmask: 255.255.255.2556. Addresses >> Address (under the New column for the Trust zone): Enter the following and then click OK:
Address Name: FTP Server
IP Address/Domain Name: 209.122.17.250
Netmask: 255.255.255.255
7. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following and then click OK:
Source Address: Any
Destination Address: Any
Service: Any
Action: Permit
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
8. Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:
Source Address: Any
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
70/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Destination Address: Mail Server
Service: Mail
Action: Permit
9. Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:
Source Address: Any
Destination Address: FTP Server
Service: FTP
Action: Permit
Note:To get the Mail Server address, it must already exist in the address list. You can create this addressby selecting Addresses >> Address (under the New column for the appropriate zone) and specifying themail servers name and IP address.
Note:Because PC #1 and PC #2 are not specified in an access policy, they do not need to be added to theaddress book. The term Any applies to any device connected to the interface in the Trust zone.
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
&/,
1 set interface vlan1 ip 209 122 17 252
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
71/577
1HW6FUHHQ&RQFHSWV([DPSOHV
1. set interface vlan1 ip 209.122.17.252
2. set admin port 55552
3. set interface ethernet1 zone trust
4. set interface ethernet1 ip 0.0.0.0/0
5. set interface ethernet3 zone untrust
6. set interface ethernet3 ip 0.0.0.0/0
7. set address trust Mail_Server 209.122.17.249/24
8. set address trust FTP_Server 209.122.17.250/249. set policy from trust to untrust any any any permit
10. set policy from untrust to trust any 209.122.17.250/24 mail permit
11. set policy from untrust to trust any 209.122.17.249/24 ftp permit
12. save
2. When logging in to manage the device later, enter the following in the URL field of your Web browser: http://209.122.17.252:5555
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
1HWZRUN$GGUHVV7UDQVODWLRQ0RGH
When an interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer-3 switch
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
72/577
1HW6FUHHQ&RQFHSWV([DPSOHV
When an interface is in Network Address Translation (NAT) mode, the NetScreen device, acting like a layer 3 switch(or router), translates two components in the header of an outgoing IP packet traversing the firewall across aninterface in NAT mode: its source IP address and source port number. The NetScreen device replaces the source IPaddress of the host that sent the packet with the IP address of the interface of the destination zone. Also, it replacesthe source port number with another random port number generated by the NetScreen device.
When the reply packet arrives at the NetScreen device, the device translates two components in the IP header ofthe incoming packet: the destination address and port number, which are translated back to the original numbers.The packet is then forwarded to its destination.
NAT adds a level of security not provided in Transparent mode: The addresses of hosts connected to the trustedport are never exposed to the network in the Untrust or DMZ zones.
Private AddressSpace
Trust Zone
Untrust Zone
10.16.20.1
10.16.20.210.16.20.3
10.16.20.4
10.16.20.5
Trust ZoneInterface
10.16.20.10
Untrust ZoneInterface
209.122.30.10
Internet
Public Address
Space
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
Also, NAT preserves the use of Internet-routable IP addresses. With only one public, Internet-routable IP addressthat of the interface in the Untrust zonethe LAN in the Trust zone, or any other zone using NAT services, can havea vast number of hosts with private IP addresses. The following IP address ranges are reserved for private IP
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
73/577
1HW6FUHHQ&RQFHSWV([DPSOHV
p g g pnetworks and must not get routed on the Internet:
10.0.0.0 - 10.255.255.255172.16.0.0 - 172.31.255.255192.168.0.0 - 192.168.255.255
A host in a zone sending traffic through an interface in NAT mode can initiate outbound traffic to another zone if anaccess policy permits it, but it cannot receive traffic from another zone unless a Mapped IP (MIP), Virtual IP (VIP), orVPN tunnel is set up for it.
Note:For more information about MIPs, seeMapped IP on page 476. For more about VIPs, seeVirtual IP onpage 204.
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
,QWHUIDFH6HWWLQJV
For NAT mode, define the following interface settings, where and represent numbers in an
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
74/577
1HW6FUHHQ&RQFHSWV([DPSOHV
IP address, represents the numbers in a netmask, represents the number of a VLAN tag, represents the name of a zone, and represents the bandwidth size in kbps:
([DPSOH1$70RGH
The following example illustrates a simple configuration for a LAN with a single subnet in the Trust zone. The LAN isprotected by a NetScreen device in NAT mode. Access policies permit outgoing traffic for all three hosts in the Trustzone and incoming mail for the mail server. The incoming mail is routed to the mail server through a Virtual IPaddress.
Zone Interfaces Settings Zone Subinterfaces
Trust and User-Defined Zones using NAT IP:
Netmask:
Manage IP*:
Traffic Bandwidth:
NAT: (select)
* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specificdevice when it is in a high availability configuration. You can also use the manage IP address for management purposes when using
the NetScreen device as a single security appliance.
Optional setting for traffic shaping.
Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.
IP:
Netmask:
VLAN Tag:
Zone Name:
NAT: (select)
Untrust and DMZ IP:
Netmask:
Manage IP*:
Traffic Bandwidth:
IP:
Netmask:
VLAN Tag:
Zone Name:
Note:Compare this example with that for Route mode onpage 60.
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
75/577
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
2. Interfaces >> Physical >> Edit (for ethernet3): Enter the following, and then click Save:
IP Address4: 200.2.2.2
Netmask: 255 255 255 0
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
76/577
1HW6FUHHQ&RQFHSWV([DPSOHV
Netmask: 255.255.255.0
Manage IP: 0.0.0.0
Traffic Bandwidth: 0
Zone Name: Untrust
3. Interfaces >> Physical >> VIP (for ethernet3) >> New Entry: Enter the following, and then click OK:
Virtual IP Address: 200.2.2.3
4. Interfaces >> Physical >> VIP (for ethernet3) >> Services: Enter the following, and then click OK:
Virtual Port: 25
Service: Mail
Map to IP: 172.16.10.253
5. Policies >> From Zone: Trust, To Zone: Untrust >> New Policy: Enter the following, and then click OK:
Source Address: AnyDestination Address: Any
Service: Any
Action: Permit
6. Policies >> From Zone: Untrust, To Zone: Trust >> New Policy: Enter the following and then click OK:
Source Address: Any
Destination Address: VIP(200.2.2.3)
Service: Mail
Action: Permit
4. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, leave the IP address and netmask fields empty and selectDHCP. If the ISP uses Point-to-Point Protocol over Ethernet, select PPPoE and enter the name and password.
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
&/,
1. set admin sys-ip 0.0.0.0
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
77/577
1HW6FUHHQ&RQFHSWV([DPSOHV
2. set interface ethernet1 zone trust3. set interface ethernet1 ip 172.16.10.1 255.255.255.0
4. set interface ethernet1 NAT5
5. set interface ethernet3 zone untrust6
6. set interface ethernet3 ip 200.2.2.2 255.255.255.0
7. set interface ethernet3 ip 0.0.0.0 0.0.0.0
8. set vip ethernet3 200.2.2.3 25 mail 172.16.10.2539. set policy from trust to untrust any any any permit
10. set policy from untrust to trust any vip 200.2.2.3 mail permit
11. save
5. The set interface ethernetnat command determines that the NetScreen device operates in NAT mode.
6. If the IP address in the Untrust zone on the NetScreen device is dynamically assigned by an ISP, use the following command: set interface untrust dhcp.If the ISP uses Point-to-Point Protocol over Ethernet, use the set pppoe and exec pppoe commands. For more information, see the NetScreen CLIReference Guide.
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
5RXWH0RGH
When an interface is in Route mode, the NetScreen device routes traffic between different zones without performingNAT; that is the source address and port number in the IP packet header remain unchanged as it traverses the
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
78/577
1HW6FUHHQ&RQFHSWV([DPSOHV
NAT; that is, the source address and port number in the IP packet header remain unchanged as it traverses theNetScreen device. Unlike NAT, you do not need to establish Mapped and Virtual IP addresses on an interface inRoute mode to allow inbound sessions to reach hosts. Unlike Transparent mode, the interfaces in the Trust zoneand the interfaces in the Untrust zone are on different subnets.
Instead of applying NAT at the interface level so that all source addresses initiating outgoing traffic get translated tothe IP address of the destination interface, when an interface operates in Route mode, you can perform NATselectively at the policy level. You can determine which network and VPN traffic to route and on which traffic toperform NAT by creating access policies that enable NAT for specified source addresses on either incoming or
Trust Zone
Untrust Zone
210.45.30.1
210.45.30.2210.45.30.3
210.45.30.4
210.45.30.5
Trust ZoneInterface
210.45.30.10
Untrust Zone
Interface209.122.30.10
Internet
Public AddressSpace
Public Address
Space
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
outgoing traffic. For network traffic, you can perform NAT using the IP address or addresses of the destination zoneinterface from a Dynamic IP (DIP) pool, which is in the same subnet as the destination zone interface. For VPNtraffic, you can perform NAT using the destination zone interface IP address or an address from its associated DIPpool or a tunnel interface IP address or an address from its associated DIP pool
-
8/2/2019 NetScreen Concepts and Examples ScreenOS Version 3 1 RevC
79/577
1HW6FUHHQ&RQFHSWV([DPSOHV
pool, or a tunnel interface IP address or an address from its associated DIP pool.
3DFNHW)ORZ6HTXHQFH
For information and examples on packet flow sequence, see Packet Flow Sequence on page 13.
,QWHUIDFH6HWWLQJVFor Route mode, define the following interface settings, where and represent numbers inan IP address, represents the numbers in a netmask, represents the number of a VLAN tag, represents the name of a zone, and represents the bandwidth size in kbps:
Note:For more information about configuring policy-based NAT, seeChapter 15, Policy-Based NAT on page 471.
Zone Interfaces Settings Zone Subinterfaces
Trust and User-Defined Zones using NAT IP:
Netmask: Manage IP*:
Traffic Bandwidth:
Route: (select)
* You can set the manage IP address on a per interface basis. Its primary purpose is to provide an address for accessing a specificdevice when it is in a high availability configuration. You can also use the manage IP address for management purposes when usingthe NetScreen device as a single security appliance.
Optional setting for traffic shaping.
Selecting NAT defines the interface mode as NAT. Selecting Route defines the interface mode as Route.
IP:
Netmask: VLAN Tag:
Zone Name:
Route: (select)
Untrust and DMZ IP:
Netmask:
Manage IP*:
Traffic Bandwidth:
IP:
Netmask:
VLAN Tag:
Zone Name:
&KDSWHU,QWHUIDFHV ,QWHUIDFH6HWWLQJVDQG2SHUDWLRQDO0RGHV
([DPSOH5RXWH0RGH
In the previous example, Example: NAT Mode on page 54, the h