concepts & examples screenos reference guide: part 2

Concepts & ExamplesScreenOS Reference Guide

Fundamentals

Release

6.3.0, Rev. 02

Published: 2012-12-10

Revision 02

Copyright 2012, Juniper Networks, Inc.

Juniper Networks, Inc.1194 North Mathilda AvenueSunnyvale, California 94089USA408-745-2000www.juniper.net

Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the UnitedStates and other countries. JunosE is a trademark of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, orregistered service marks are the property of their respective owners.Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,transfer, or otherwise revise this publication without notice.Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that areowned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.Copyright 2009, Juniper Networks, Inc.All rights reserved.

Revision HistoryDecember 2012Revision 02

Content subject to change. The information in this document is current as of the date listed in the revision history.

SOFTWARE LICENSE

The terms and conditions for using this software are described in the software license contained in the acknowledgment to your purchaseorder or, to the extent applicable, to any reseller agreement or end-user purchase agreement executed between you and Juniper Networks.By using this software, you indicate that you understand and agree to be bound by those terms and conditions.

Generally speaking, the software license restricts the manner in which you are permitted to use the software and may contain prohibitionsagainst certain uses. The software license may state conditions under which the license is automatically terminated. You should consultthe license for further details.

For complete product documentation, please see the Juniper Networks Website atwww.juniper.net/techpubs.

ENDUSER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networkssoftware. Use of such software is subject to the terms and conditions of the End User License Agreement (EULA) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditionsof that EULA.

Copyright 2012, Juniper Networks, Inc.ii

www.juniper.net/techpubshttp://www.juniper.net/support/eula.html

Abbreviated Table of Contents

About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Part 1 Fundamentals

Chapter 1 ScreenOS Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Chapter 2 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Chapter 3 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Chapter 4 Interface Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Chapter 5 Building Blocks for Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Chapter 6 Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Chapter 7 Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

Chapter 8 System Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

iiiCopyright 2012, Juniper Networks, Inc.

Copyright 2012, Juniper Networks, Inc.iv

Fundamentals

Table of Contents


Document Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

Document Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Part 1 Fundamentals


Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Security Zone Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Virtual Routers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Packet-Flow Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Jumbo Frames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

ScreenOS Architecture Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

Example: (Part 1) Enterprise with Six Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . 14

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Example: (Part 2) Interfaces for Six Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Example: (Part 3) Two Routing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Example: (Part 4) Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Chapter 2 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Viewing Preconfigured Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Global Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

SCREEN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Binding a Tunnel Interface to a Tunnel Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

vCopyright 2012, Juniper Networks, Inc.

Configuring Security Zones and Tunnel Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

Creating a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Modifying a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Deleting a Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Function Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


Interface Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Logical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Physical Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Wireless Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Bridge Group Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Subinterfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

Aggregate Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Redundant Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Virtual Security Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

Function Zone Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Management Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

High Availability Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

Deleting Tunnel Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Viewing Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Configuring Security Zone Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Binding an Interface to a Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Unbinding an Interface from a Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . 44

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Addressing an L3 Security Zone Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Public IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Private IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Addressing an Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Modifying Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47

Creating a Subinterface in the Root System . . . . . . . . . . . . . . . . . . . . . . . . . . 48

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Copyright 2012, Juniper Networks, Inc.vi

Fundamentals

Deleting a Subinterface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Creating a Secondary IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Backup System Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring a Backup Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50

Configuring an IP Tracking Backup Interface . . . . . . . . . . . . . . . . . . . . . . 50

Configuring a Tunnel-if Backup Interface . . . . . . . . . . . . . . . . . . . . . . . . . 51

Configuring a Route Monitoring Backup Interface . . . . . . . . . . . . . . . . . . 55

Loopback Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Creating a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Setting the Loopback Interface for Management . . . . . . . . . . . . . . . . . . . . . . 57

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Setting BGP on a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Setting VSIs on a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Setting the Loopback Interface as a Source Interface . . . . . . . . . . . . . . . . . . 58

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58

Interface State Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Physical Connection Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Tracking IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Security Zone Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Down Interfaces and Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Failure on the Egress Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Failure on the Ingress Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

viiCopyright 2012, Juniper Networks, Inc.

Table of Contents


Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

Zone Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

VLAN Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Predefined Layer 2 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Traffic Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79

Forwarding IPv6 traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Unknown Unicast Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

Flood Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

ARP/Trace-Route Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Configuring VLAN1 Interface for Management . . . . . . . . . . . . . . . . . . . . . 86

Configuring Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

NAT Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Inbound and Outbound NAT Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Configuring NAT Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Route Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96

Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Configuring Route Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99


Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101

Address Entries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Adding an Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Modifying an Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Deleting an Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103

Creating an Address Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Editing an Address Group Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Removing a Member and a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Predefined Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Internet Control Messaging Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Handling ICMP Unreachable Errors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Internet-Related Predefined Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Microsoft Remote Procedure Call Services . . . . . . . . . . . . . . . . . . . . . . . 113

Dynamic Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Streaming Video . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Sun Remote Procedure Call Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Security and Tunnel Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

IP-Related Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Instant Messaging Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Management Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

UNIX Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Copyright 2012, Juniper Networks, Inc.viii

Fundamentals

Miscellaneous Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Custom Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Adding a Custom Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Modifying a Custom Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123

Removing a Custom Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Setting a Service Timeout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124

Service Timeout Configuration and Lookup . . . . . . . . . . . . . . . . . . . . . . 124

Contingencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Defining a Custom Internet Control Message Protocol Service . . . . . . . . . . . 126

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Remote Shell Application Layer Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Sun Remote Procedure Call Application Layer Gateway . . . . . . . . . . . . . . . . 128

Typical RPC Call Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Customizing Sun RPC Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Customizing Microsoft Remote Procedure Call Application Layer

Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Real-Time Streaming Protocol Application Layer Gateway . . . . . . . . . . . . . . 131

Dual-Stack Environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

RTSP Request Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

RTSP Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Configuring a Media Server in a Private Domain . . . . . . . . . . . . . . . . . . . 136

Configuring a Media Server in a Public Domain . . . . . . . . . . . . . . . . . . . 138

Stream Control Transmission Protocol Application Layer Gateway . . . . . . . 139

SCTP Protocol Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Point-to-Point Tunneling Protocol Application Layer Gateway . . . . . . . . . . 140

Configuring the PPTP ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Service Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142

Creating a Service Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Creating a Session Cache to Accelerate HTTP Traffic . . . . . . . . . . . . . . . . . . 144

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Dynamic IP Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Port Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Creating a DIP Pool with PAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Modifying a DIP Pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

ixCopyright 2012, Juniper Networks, Inc.

Table of Contents

Sticky DIP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Using DIP in a Different Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149

WebUI (Branch Office A) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

WebUI (Branch Office B) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

CLI (Branch Office A) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

CLI (Branch Office B) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Using a DIP on a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Creating a DIP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160

Setting a Recurring Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162


Basic Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Three Types of Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Interzone Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166

Intrazone Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Global Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Policy Set Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168

Policies Defined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Policies and Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

Anatomy of a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

ID . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170

Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Wildcard Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

VPN Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

L2TP Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Deep Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Placement at the Top of the Policy List . . . . . . . . . . . . . . . . . . . . . . . . . . 174

Session Limiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Sending a TCP Session Close Notification . . . . . . . . . . . . . . . . . . . . . . . . 175

Source Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175

Destination Network Address Translation . . . . . . . . . . . . . . . . . . . . . . . . 176

No Hardware Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

User Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176

HA Session Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Web Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 178

Counting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Traffic Alarm Threshold . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Copyright 2012, Juniper Networks, Inc.x

Fundamentals

Schedules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Antivirus Scanning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Policies Applied . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Viewing Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Searching Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Creating Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Creating Interzone Policies Mail Service . . . . . . . . . . . . . . . . . . . . . . . . . 182

Creating an Interzone Policy Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185

Creating Intrazone Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Creating a Global Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Entering a Policy Context . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

Multiple Items per Policy Component . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

Setting Address Negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Modifying and Disabling Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Policy Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Reordering Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Removing a Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198


Managing Bandwidth at the Policy Level . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

Setting Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

Setting Service Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Traffic Shaping for an ALG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Setting Priority Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Ingress Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Shaping Traffic on Virtual Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Interface-Level Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Policy-Level Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Packet Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Example: Route-Based VPN with Ingress Policing . . . . . . . . . . . . . . . . . . . . . 212

WebUI (Configuration for Device1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

CLI (Configuration for the Device1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

WebUI (Configuration for Device2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

CLI (Configuration for the Device2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

xiCopyright 2012, Juniper Networks, Inc.

Table of Contents

Example: Policy-Based VPN with Ingress Policing . . . . . . . . . . . . . . . . . . . . . 216


CLI (Configuration for Device1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217


CLI (Configuration for Device2) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

Traffic Shaping Using a Loopback Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

DSCP Marking and Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

Enabling Differentiated Services Code Point . . . . . . . . . . . . . . . . . . . . . . . . . 220

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Quality of Service Classification Based on Incoming Markings . . . . . . . . . . . . . . 222

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

DSCP Marking for Self-initiated Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224

DSCP Marking Based on Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


Domain Name System Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

DNS Lookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

DNS Status Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Dynamic Domain Name System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Setting Up DDNS for a Dynamic DNS Server . . . . . . . . . . . . . . . . . . . . . 234

Setting Up DDNS for a DDO Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234

Proxy DNS Address Splitting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Dynamic Host Configuration Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Configuring a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

Assigning a Security Device as a DHCP Relay Agent . . . . . . . . . . . . . . . . . . . 244

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 248

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Copyright 2012, Juniper Networks, Inc.xii

Fundamentals

Using a Security Device as a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Propagating TCP/IP Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Configuring DHCP in Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254

Setting DHCP Message Relay in Virtual Systems . . . . . . . . . . . . . . . . . . . . . . . . . 255

Point-to-Point Protocol over Ethernet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Setting Up PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

Configuring PPPoE on Primary and Backup Untrust Interfaces . . . . . . . . . . 258

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Configuring Multiple PPPoE Sessions over a Single Interface . . . . . . . . . . . . 259

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

PPPoE and High Availability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

Uploading Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Downloading Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Registration and Activation of Subscription Services . . . . . . . . . . . . . . . . . . . . . . 265

Trial Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Updating Subscription Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Adding Antivirus, Web Filtering, Antispam, and Deep Inspection to an Existing

or a New Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

System Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Daylight Saving Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Time Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267

Network Time Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Configuring Multiple NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Configuring a Backup NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268

Device as an NTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Maximum Time Adjustment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

NTP and NSRP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270

Setting a Maximum Time Adjustment Value to an NTP Server . . . . . . . 270

Securing NTP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

xiiiCopyright 2012, Juniper Networks, Inc.

Table of Contents

Part 2 Index

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 275

Copyright 2012, Juniper Networks, Inc.xiv

Fundamentals

List of Figures


Figure 1: Images in Illustrations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv

Part 1 Fundamentals


Figure 2: Predefined Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Figure 3: Virtual Router Security Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Figure 4: Default Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 5: Policy Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Figure 6: VPN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Figure 7: VPN Traffic from Untrust Security Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Figure 8: Vsys Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Figure 9: Packet Flow Sequence Through Security Zones . . . . . . . . . . . . . . . . . . . . 11

Figure 10: Zone-to-Virtual Router Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Figure 11: Interface-to-Zone Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Figure 12: Routing Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Figure 13: Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Chapter 2 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Figure 14: Network > Zones Page in the WebUI . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 15: Get Zone Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 16: Tunnel Zone Routing Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28


Figure 17: Unnumbered Tunnel Interface Bindings . . . . . . . . . . . . . . . . . . . . . . . . . 37

Figure 18: Tunnel Interface to Zone Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Figure 19: WebUI Interface Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 20: CLI Interface Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42

Figure 21: Interface State Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Figure 22: Interface IP Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Figure 23: Get Route Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

Figure 24: Get Interface Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65

Figure 25: Get Route Output With Activated Interfaces . . . . . . . . . . . . . . . . . . . . . 66

Figure 26: Ethernet0/3 and Ethernet0/2 Interface Monitoring . . . . . . . . . . . . . . . 67

Figure 27: Loop Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67

Figure 28: Two-Loop Interface Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Figure 29: Four-Interface Loop Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69

Figure 30: Host A and Host B IP Tracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Figure 31: Host B to Host A Egress Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Figure 32: Egress IP Tracking Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

xvCopyright 2012, Juniper Networks, Inc.

Figure 33: Host B to Host A Ingress Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Figure 34: Ingress Host A to Host B Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Figure 35: Ingress IP Tracking Failure with Traffic Rerouting . . . . . . . . . . . . . . . . . . 76

Figure 36: Ingress IP Tracking Failure with No Rerouting . . . . . . . . . . . . . . . . . . . . 76


Figure 37: Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Figure 38: Flood Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Figure 39: ARP Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Figure 40: Trace-Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Figure 41: Transparent VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Figure 42: Basic Transparent Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Figure 43: NAT Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91

Figure 44: NAT Traffic Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Figure 45: Device in NAT Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Figure 46: Route Mode Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Figure 47: Device in Route Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98


Figure 48: Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104

Figure 49: Typical RTSP Session . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Figure 50: RTSP Private Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136

Figure 51: RTSP Public Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Figure 52: DIP Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146

Figure 53: DIP Under Another Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Figure 54: Loopback DIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154

Figure 55: Loopback DIP Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Figure 56: DIP Problems with NAT with One VSI . . . . . . . . . . . . . . . . . . . . . . . . . . 158

Figure 57: Creating Two DIP Pools in One DIP Group . . . . . . . . . . . . . . . . . . . . . . 159


Figure 58: Interzone Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Figure 59: Intrazone Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167

Figure 60: Interzone Policy Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Figure 61: Intrazone Policies Negation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194


Figure 62: Traffic Shaping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201

Figure 63: Priority Queuing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Figure 64: Interface Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Figure 65: Traffic-Shaping Packet Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Figure 66: Route-Based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Figure 67: Policy-Based VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Figure 68: DSCP Marking for VPN Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225


Figure 69: DNS Refresh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232

Figure 70: Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Figure 71: Splitting DNS Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Figure 72: Device as DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239

Figure 73: DHCP Relay Agent Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Copyright 2012, Juniper Networks, Inc.xvi

Fundamentals

Figure 74: Device as DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Figure 75: Relaying All DHCP Packets from Multiple DHCP Servers . . . . . . . . . . 249

Figure 76: Device as DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Figure 77: DHCP Propagation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Figure 78: DHCP Relay Services Within a Vsys . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Figure 79: PPPoE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256

Figure 80: PPPoE with Multiple Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260

xviiCopyright 2012, Juniper Networks, Inc.

List of Figures

Copyright 2012, Juniper Networks, Inc.xviii

Fundamentals

List of Tables

Part 1 Fundamentals


Table 1: Route Table for trust-vr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Table 2: Route Table for untrust-vr . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Chapter 2 Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Table 3: Function Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31


Table 4: Public Address Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Table 5: Interface States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Table 6: Monitored Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66


Table 7: NAT Mode Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Table 8: Route Mode Interface Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98


Table 9: ICMP Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Table 10: Predefined Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

Table 11: Microsoft Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Table 12: Dynamic Routing Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Table 13: Streaming Video Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Table 14: Remote Procedure Call Application Layer Gateway Services . . . . . . . . . 117

Table 15: Supported Protocol Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Table 16: IP-Related Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Table 17: Internet-Messaging Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Table 18: Management Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Table 19: Mail Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 20: UNIX Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 21: Miscellaneous Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Table 22: Protocol-Based Default Timeout Table . . . . . . . . . . . . . . . . . . . . . . . . . 125

Table 23: Message Descriptions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Table 24: RTSP Request Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Table 25: RSTP Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Table 26: RTSP 1.0 Status Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135

Table 27: Authorized Office IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149


Table 28: Basic Policy Elements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165

Table 29: Traffic-Shaping Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Table 30: Configured Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

xixCopyright 2012, Juniper Networks, Inc.


Table 31: Maximum Bandwidth Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Table 32: DSCP Marking for Clear-Text Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Table 33: DSCP Marking for Policy-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Table 34: DSCP Marking for Route-Based VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . 222


Table 35: DNS Status Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231

Table 36: DHCP Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Table 37: Predefined DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Table 38: Specifying Next-Server-IP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Table 39: NTP Traffic Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

Copyright 2012, Juniper Networks, Inc.xx

Fundamentals

About This Guide

This guide describes the ScreenOS architecture and its elements, including examples

for configuring various elements. This guide contains the following chapters:

ScreenOS Architecture on page 3 presents the fundamental elements of the

architecture in ScreenOS and concludes with a four-part example illustrating an

enterprise-based configuration incorporating most of those elements. In this and all

subsequent chapters, each concept is accompanied by illustrative examples.

Zones on page 25 explains security, tunnel, and function zones.

Interfaces on page 33 describes the various physical, logical, and virtual interfaces

on security devices.

Interface Modes on page 77 explains the concepts behind transparent, Network

Address Translation (NAT), and route interface operational modes.

Building Blocks for Policies on page 101 discusses the elements used for creating

policies and virtual private networks (VPNs): addresses (including VIP addresses),

services, and DIP pools. It also presents several example configurations that support

the H.323 protocol.

Policies on page 165 explores the components and functions of policies and offers

guidance on their creation and application.

Traffic Shaping on page 199 explains how you can prioritize services and manage

bandwidth at the interface and policy levels.

System Parameters on page 229 presents the concepts behind Domain Name System

(DNS) addressing, using Dynamic Host Configuration Protocol (DHCP) to assign or

relay TCP/IP settings, downloading and uploading system configurations and software,

and setting the system clock.

xxiCopyright 2012, Juniper Networks, Inc.

Document Conventions on page xxii

Document Feedback on page xxiv

Requesting Technical Support on page xxiv

Document Conventions

This document uses the conventions described in the following sections:

Web User Interface Conventions on page xxii

Command Line Interface Conventions on page xxii

Naming Conventions and Character Types on page xxiii

Illustration Conventions on page xxiii

WebUser InterfaceConventions

The Web user interface (WebUI) contains a navigational path and configuration settings.

To enter configuration settings, begin by clicking a menu item in the navigation tree on

the left side of the screen. As you proceed, your navigation path appears at the top of

the screen, with each page separated by angle brackets.

The following example shows the WebUI path and parameters for defining an address:

Policy > Policy Elements > Addresses > List > New: Enter the following, then click OK:

Address Name: addr_1IP Address/Domain Name:IP/Netmask: (select), 10.2.2.5/32

Zone: Untrust

To open Online Help for configuration settings, click the question mark (?) in the upper

right of the screen.

The navigation tree also provides a Help > Config Guide configuration page to help you

configure security policies and Internet Protocol Security (IPSec). Select an option from

the list, and follow the instructions on the page. Click the ? character in the upper rightfor Online Help on the Config Guide.

Command LineInterface Conventions

The following conventions are used to present the syntax of command line interface

(CLI) commands in text and examples.

In text, commands are in boldface type and variables are in italic type.

In examples:

Variables are in italic type.

Anything inside square brackets [ ] is optional.

Anything inside braces { } is required.

If there is more than one choice, each choice is separated by a pipe ( | ). For example,

the following command means set the management options for the ethernet1, the

ethernet2, or the ethernet3 interface:

Copyright 2012, Juniper Networks, Inc.xxii

Fundamentals

set interface { ethernet1 | ethernet2 | ethernet3 }manage

NOTE: When entering a keyword, you only have to type enough letters toidentify the word uniquely. Typing set adm uwhee j12fmt54will enter thecommand set admin user wheezer j12fmt54. However, all the commandsdocumented in this guide are presented in their entirety.

Naming Conventionsand Character Types

ScreenOS employs the following conventions regarding the names of objectssuch as

addresses, admin users, auth servers, IKE gateways, virtual systems, VPN tunnels, and

zonesdefined in ScreenOS configurations:

If a name string includes one or more spaces, the entire string must be enclosed within

double quotes; for example:

set address trust local LAN 10.1.1.0/24

Any leading spaces or trailing text within a set of double quotes are trimmed; for

example, local LAN becomes local LAN .

Multiple consecutive spaces are treated as a single space.

Name strings are case-sensitive, although many CLI keywords are case-insensitive.

For example, local LAN is different from local lan .

ScreenOS supports the following character types:

Single-byte character sets (SBCS) and multiple-byte character sets (MBCS). Examples

of SBCS are ASCII, European, and Hebrew. Examples of MBCSalso referred to as

double-byte character sets (DBCS)are Chinese, Korean, and Japanese.

ASCII characters from 32 (0x20 in hexadecimals) to 255 (0xff), except double quotes

( ), which have special significance as an indicator of the beginning or end of a name

string that includes spaces.

NOTE: A console connection only supports SBCS. TheWebUI supportsboth SBCS andMBCS, depending on the character sets that your browsersupports.

IllustrationConventions

Figure 1 on page xxiv shows the basic set of images used in illustrations throughout this

volume.

xxiiiCopyright 2012, Juniper Networks, Inc.

About This Guide

Figure 1: Images in Illustrations

Document Feedback

If you find any errors or omissions in this document, contact Juniper Networks at

[email protected].

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance

Center (JTAC). If you are a customer with an active J-Care or JNASC support contract,

or are covered under warranty, and need postsales technical support, you can access

our tools and resources online or open a case with JTAC.

JTAC policiesFor a complete understanding of our JTAC procedures and policies,

review the JTAC User Guide located at

http://www.juniper.net/customers/support/downloads/710059.pdf.

Product warrantiesFor product warranty information, visit

http://www.juniper.net/support/warranty/.

JTAC hours of operationThe JTAC centers have resources available 24 hours a day,

7 days a week, 365 days a year.

Copyright 2012, Juniper Networks, Inc.xxiv

Fundamentals

http://www.juniper.net/customers/support/downloads/710059.pdfhttp://www.juniper.net/support/warranty/

Self-HelpOnline Toolsand Resources

For quick and easy problem resolution, Juniper Networks has designed an online

self-service portal called the Customer Support Center (CSC) that provides you with the

following features:

Find CSC offeringshttp://www.juniper.net/customers/support/

Find product documentationhttp://www.juniper.net/techpubs/

Find solutions and answer questions using our Knowledge Basehttp://kb.juniper.net/

Download the latest versions of software and review your release notes

http://www.juniper.net/customers/csc/software/

Search technical bulletins for relevant hardware and software notifications

http://www.juniper.net/alerts/

Join and participate in the Juniper Networks Community Forum

http://www.juniper.net/company/communities/

Open a case online in the CSC Case Manager

http://www.juniper.net/customers/cm/

To verify service entitlement by product serial number, use our Serial Number

Entitlement (SNE) Tool

https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a CasewithJTAC

You can open a case with JTAC on the Web or by telephone.

Use the Case Manager tool in the CSC at http://www.juniper.net/customers/cm/.

Call 1-888-314-JTAC (1-888-314-5822toll free in USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, visit us at

http://www.juniper.net/customers/support/requesting-support/.

xxvCopyright 2012, Juniper Networks, Inc.

About This Guide

http://www.juniper.net/customers/support/http://www.juniper.net/techpubs/http://kb.juniper.net/http://www.juniper.net/customers/csc/software/http://www.juniper.net/alerts/http://www.juniper.net/alerts/http://www.juniper.net/company/communities/http://www.juniper.net/customers/cm/https://tools.juniper.net/SerialNumberEntitlementSearchhttp://www.juniper.net/customers/cm/http://www.juniper.net/customers/support/requesting-support/

PART 1

Fundamentals

ScreenOS Architecture on page 3

Zones on page 25

Interfaces on page 33

Interface Modes on page 77

Building Blocks for Policies on page 101

Policies on page 165

Traffic Shaping on page 199

System Parameters on page 229

1Copyright 2012, Juniper Networks, Inc.

CHAPTER 1

ScreenOS Architecture

Juniper Networks ScreenOS architecture offers you flexibility in designing the layout of

your network security. On Juniper Networks security devices with more than two interfaces,

you can create numerous security zones and configure policies to regulate traffic between

and within zones. You can bind one or more interfaces to each zone and enable different

management and firewall options for each zone. ScreenOS allows you to create the

number of zones required by your network environment, assign the number of interfaces

required by each zone, and design each interface according to your needs.

This chapter presents an overview of ScreenOS. It contains the following sections:

Security Zones on page 3

Security Zone Interfaces on page 4

Virtual Routers on page 5

Policies on page 6

Virtual Private Networks on page 8

Packet-Flow Sequence on page 10

Jumbo Frames on page 13

The chapter concludes with a four-part example that illustrates a basic configuration

for a security device using ScreenOS:

Example: (Part 1) Enterprise with Six Zones on page 14

Example: (Part 2) Interfaces for Six Zones on page 15

Example: (Part 3) Two Routing Domains on page 18

Example: (Part 4) Policies on page 19

Security Zones

A security zone is a collection of one or more network segments requiring the regulation

of inbound and outbound traffic via policies (see Policies on page 6). Security zones

are logical entities to which one or more interfaces are bound. With many types of Juniper

Networks security devices, you can define multiple security zones, the exact number of

which you determine based on your network needs. In addition to user-defined zones,


you can also use the predefined zones: Trust, Untrust, and DMZ (for Layer 3 operation),

or V1-Trust, V1-Untrust, and V1-DMZ (for Layer 2 operation). If you want, you can continue

using just the predefined zones. You can also ignore the predefined zones and use

user-defined zones exclusively. Optionally, you can use both kinds of zonespredefined

and user-definedside by side. This flexibility for zone configuration allows you to create

a network design that best suits your specific needs. See Figure 2 on page 4.

NOTE: Theonesecurity zone that requiresnonetwork segment is theglobalzone. (For more information, see Global Zone on page 27.) Additionally,any zone without an interface bound to it nor any address book entries canalso be said not to contain any network segments.If you upgrade from an earlier version of ScreenOS, all your configurationsfor these zones remain intact.You cannot delete a predefined security zone. You can, however, delete auser-defined zone. When you delete a security zone, you also automaticallydelete all addresses configured for that zone.

Figure 2 on page 4 shows a network configured with five security zonesthree default

zones (Trust, Untrust, DMZ) and two user-defined zones (Finance, Eng). Traffic passes

from one security zone to another only if a policy permits it.

Figure 2: Predefined Security Zones

Security Zone Interfaces

An interface for a security zone can be thought of as a doorway through which TCP/IP

traffic can pass between that zone and any other zone.

Through the policies you define, you can permit traffic between zones to flow in one

direction or in both. With the routes that you define, you specify the interfaces that traffic

from one zone to another must use. Because you can bind multiple interfaces to a zone,

the routes you chart are important for directing traffic to the interfaces of your choice.

NOTE: For traffic to flow between interfaces bound to the same zone, nopolicy is requiredbecauseboth interfaceshavesecurityequivalency.ScreenOSrequires policies for traffic between zones, not within a zone.


Fundamentals

To permit traffic to flow from zone to zone, you bind an interface to the zone andfor

an interface in route or NAT mode (see Interface Modes on page 77)assign an IP

address to the interface. Two common interface types are physical interfaces andfor

those devices with virtual-system support

subinterfaces (that is, a Layer 2 substantiation of a physical interface). For more

information, see Interfaces on page 33.

Physical Interfaces

A physical interface relates to components that are physically present on the security

device. The interface-naming convention differs from device to device.

NOTE: To see the naming conventions for a specific security device, see thehardware guide for that device.

Subinterfaces

On devices that support virtual LANs (VLANs), you can logically divide a physical interface

into several virtual subinterfaces, each of which borrows the bandwidth it needs from

the physical interface from which it stems. A subinterface is an abstraction that functions

identically to a physical interface and is distinguished by 802.1Q VLAN tagging. The

security device directs traffic to and from a zone with a subinterface via its IP address

and VLAN tag. For convenience, administrators usually use the same number for a VLAN

tag as the subinterface number. For example, the interface ethernet1/2 using VLAN tag

3 is named ethernet1/2.3. This refers to the interface module in the first bay, the second

port on that module, and subinterface number 3 (ethernet1/2.3).

NOTE: 802.1Q is an IEEE standard that defines themechanisms for theimplementationofvirtualbridgedLANsandtheethernet frameformatsusedto indicate VLANmembership via VLAN tagging.

Note that although a subinterface shares part of its identity with a physical interface, the

zone to which you bind it is not dependent on the zone to which you bind the physical

interface. You can bind the subinterface ethernet1/2.3 to a different zone than that to

which you bind the physical interface ethernet1/2, or to which you bind ethernet1/2.2.

Similarly, there are no restrictions in terms of IP-address assignments. The term

subinterface does not imply that its address be in a subnet of the address space of the

physical interface.

Virtual Routers

A virtual router (VR) functions as a router. It has its own interfaces and its own unicast

and multicast routing tables. In ScreenOS, a security device supports two predefined

virtual routers. This allows the security device to maintain two separate unicast and

multicast routing tables and to conceal the routing information in one virtual router from

the other. For example, the untrust-vr is typically used for communication with untrusted

parties and does not contain any routing information for the protected zones. Routing


Chapter 1: ScreenOS Architecture

information for the protected zones is maintained by the trust-vr. Thus, no internal network

information can be gathered by the covert extraction of routes from the untrust-vr, see

Figure 3 on page 6.

Figure 3: Virtual Router Security Zones

When there are two virtual routers on a security device, traffic is not automatically

forwarded between zones that reside in different VRs, even if there are policies that

permit the traffic. If you want traffic to pass between virtual routers, you need to either

export routes between the VRs or configure a static route in one VR that defines the other

VR as the next hop. For more information about using two virtual routers, see Routing.

Policies

Juniper Networks security devices secure a network by inspecting, and then allowing or

denying, all connection attempts that require passage from one security zone to another.

By default, a security device denies all traffic in all directions. Through the creation of

policies, you can control the traffic flow from zone to zone by defining the kinds of traffic

permitted to pass from specified sources to specified destinations at scheduled times.

At the broadest level, you can allow all kinds of traffic from any source in one zone to

any destination in all other zones without any scheduling restrictions. At the narrowest

level, you can create a policy that allows only one kind of traffic between a specified host

in one zone and another specified host in another zone during a scheduled period, see

Figure 4 on page 7.

NOTE: Some security devices ship with a default policy that allows alloutbound traffic from the Trust to the Untrust zone but denies all inboundtraffic from the Untrust zone to the Trust zone.


Fundamentals

Figure 4: Default Policy

Every time a packet attempts to pass from one zone to another or between two interfaces

bound to the same zone, the security device checks its policy set lists for a policy that

permits such traffic (see Policy Set Lists on page 168). To allow traffic to pass from one

security zone to anotherfor example, from zone A to zone Byou must configure a

policy that permits zone A to send traffic to zone B. To allow traffic to flow the other way,

you must configure another policy permitting traffic from zone B to zone A. For any traffic

to pass from one zone

concepts & examples screenos reference guide: part 2

Documents