NetScreen-5000 Series Installer's Guide
P/N 093-0573-000 Rev.E Version 4.0
Copyright Notice
NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc., 350 Oakmead Parkway, Sunnyvale, CA 94085 U.S.A. www.netscreen.com
FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Table of Contents

Preface
    Guide Organization
    Command Line Interface (CLI) Conventions
    CLI Command Variables
    Variable Notation
    Common CLI Variables
    CLI Command Syntax
    Dependency Delimiters
    Nested Dependencies
    Availability of CLI Commands and Features
    NetScreen Publications
    How To Get More Information
Chapter 1: Overview
    NetScreen-5000 Systems
    NetScreen-5200
    NetScreen-5400
    Power Supplies
    NetScreen-5200 Power Recommendations
    NetScreen-5400 Power Recommendations
    The DC Power Supply
    The AC Power Supply
    Fan Modules
    NetScreen-5000 Modules
    Management Module
    The 5000-M Management Module
    Secure Port Modules
    The 5000-8G SPM
    The GFE SPM
Index

Preface
The NetScreen-5000 Series consists of purpose-built, high-performance security systems that provide IPSec VPN and firewall services for large-scale carrier, enterprise, and datacenter networks. Built around NetScreen's third-generation ASIC technology and distributed system architecture, the NetScreen-5000 Series offers excellent scalability and flexibility. The NetScreen-5000 Series includes the following device models:
- The NetScreen-5200, a chassis-based, two-slot network security device.
- The NetScreen-5400, a chassis-based, four-slot network security device.
NetScreen-5000 system architecture features multiple processing modules. These include a management module that provides overall system control, and security processing modules that allow a variety of port configurations. Together, these modules provide a wide range of performance and security gateway configurations. Because the modules can work in many combinations, you can customize NetScreen-5000 devices to accommodate the specific requirements of your organization. The NetScreen-5000 Series also employs a switch fabric for data exchange and a separate multi-bus channel for control information, thus delivering scalable performance for the most demanding environments.
GUIDE ORGANIZATION
This manual has four chapters and three appendices.
- Chapter 1, "Overview" provides a detailed overview of the system, its modules, Fast Ethernet (FE) and mini-GBIC connectors, power supplies and fan tray.
- Chapter 2, "Installing the Device" details how to rack-mount the NetScreen-5000 systems, connect the power supplies, and connect the modules to the network, in addition to providing desktop site requirements and guidelines for rack mounting.
- Chapter 3, "Configuring the Device" details how to obtain an IP address for an interface on one of the modules and how to aggregate ports on one of the modules.
- Chapter 4, "Servicing the Device" provides procedures on how to replace your modules and power supplies.
- Appendix A, "Specifications" provides a list of physical specifications for the NetScreen-5000 Series, the modules, and power supplies.
- Appendix B, "Port Descriptions and LED Status" provides descriptions of port and LED behavior.
- Appendix C, "Configuration for Common Criteria, EAL2" provides information about configuring NetScreen devices for Common Criteria, EAL2 compliance.
Variable Notation
The variable notation used in this manual consists of italicized parameter identifiers. For example, the set arp command uses four identifiers, as shown here:
Common CLI Variables

Variable       Description
id_num         An identification number.
ip_addr        An IP address.
key_str        A key, such as a session key, a private key, or a public key.
loc_str        A location of a file or other resource.
mac_addr       A MAC address.
mask           A subnet mask, such as 255.255.255.0 or /24.
name_str       The name of an item, such as an address book entry.
number         A numeric value, usually an integer, such as a threshold or a maximum.
pol_num        A policy number.
port_num       A number identifying a logical port.
pswd_str       A password.
ptcl_num       A number uniquely identifying a protocol, such as TCP, IP, or UDP.
serv_name      The name of a server.
shar_secret    A shared secret value.
spi_num        A Security Parameters Index (SPI) number.
string         A character string, such as a comment.
time_str       A time value.
url_str        A URL, such as www.acme.com.
zone           The name of a security zone.
Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters. The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command. The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
The | symbol denotes an "or" relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.
Nested Dependencies
Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.
ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route

ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?
NETSCREEN PUBLICATIONS
To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below: techpubs@netscreen.com
Chapter 1: Overview
This chapter provides detailed descriptions of the NetScreen-5000 Series system devices, modules, power supplies, and fan assemblies. Topics explained in this chapter include:
- NetScreen-5000 Systems on page 2
- Power Supplies on page 3
- Fan Modules on page 5
- NetScreen-5000 Modules on page 5
Note: For safety warnings and instructions, please refer to the NetScreen Safety Guide. The instructions in this guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
NETSCREEN-5000 SYSTEMS
This section describes the NetScreen-5000 Series, which currently includes the NetScreen-5200 device and the NetScreen-5400 device.
NetScreen-5200
The NetScreen-5200 is a chassis-based, two-slot network security device. Slot 1 is for the Management Module and Slot 2 is for the Secure Port Module (SPM). The device has two hot-swappable power supplies for power redundancy, and a removable fan module. The figure below shows a NetScreen-5200 with a Management Module in Slot 1 (top) and a SPM in Slot 2 (bottom).
NetScreen-5400
The NetScreen-5400 is a chassis-based, four-slot network security device with a 5U (rack unit) chassis. The top slot (slot 1) holds the Management Module, and the bottom slots (slots 2-4) hold up to three Secure Port Modules (SPMs) for flexible, high-density port configurations. The device has three hot-swappable power supplies for power redundancy, and a removable fan module.
The figure below shows a NetScreen-5400 fully populated with a Management Module in slot 1 (top) and SPMs in slots 2 through 4.
POWER SUPPLIES

NetScreen-5000 devices can use two kinds of power supplies:
- Alternating Current (AC) Power Supply
- Direct Current (DC) Power Supply

The slots for these power supplies are located in the back of the NetScreen-5200 device and on the front of the NetScreen-5400 device.

Note: You can order a NetScreen-5000 device that runs on DC power. For DC-powered units, the power supply has a DC terminal block with three sockets.

When two or more power supplies are in service, they share the power load equally. The power supplies are hot-swappable, so you can remove one and replace it without affecting operation. Each power supply is intended to receive power from separate feeds. When one power supply fails, the others automatically assume the full load and the device logs a system alarm. This alarm is viewable through the WebUI, or a console accessing the NetScreen Command Line Interface (CLI). The Alarm LED on the Management Module glows red in response to any power supply failure.
[Figure: power supply faceplate, showing the Power LED and Power Switch]
FAN MODULES
The NetScreen-5200 has a three-fan module, and the NetScreen-5400 has a two-fan module. On either device model, you can access the fan module from the left front side of the chassis. To remove the NetScreen-5200 fan module, turn the fan lock knob clockwise. Then gently pull the fan module lever toward you and slide the module out. To remove the NetScreen-5400 fan module, loosen the two thumb screws that secure the fan module, then gently slide the module out.
If a fan stops operating due to failure or removal, the system continues to run and generates an alarm. To avoid heat failure, be sure to replace the fan within 10 minutes.
NETSCREEN-5000 MODULES

All NetScreen-5000 Series devices support two module types:
- NetScreen-5000 Management Modules
- NetScreen-5000 Secure Port Modules (SPMs)

[Figure: NetScreen-5200 and NetScreen-5400 chassis with the Management Module and Secure Port Module slots labelled]
1HW6FUHHQ 6HULHV
&KDSWHU 2YHUYLHZ
Management Module
The Management Module provides general-purpose CPU delivery, and contains dedicated high-availability (HA) and management interfaces. It handles tasks such as management access, session setup and termination, and IKE negotiation. Note: The currently-available Management Module is the 5000-M model, described below.
The 5000-M also has port link and activity LEDs, CPU utilization indicators, a high-availability (HA) LED, an alarm LED, a status LED, a flash memory LED, and a power LED. In addition, it has a compact flash slot for flash memory card installation.
[Figure: 5000-M Management Module front panel: CPU Utilization LEDs, Compact Flash Slot, Management Port, Power LED, Status LED, HA LED, Alarm LED, Flash LED, Console Port, Modem Port]
Secure Port Modules

[Figure: 5000-8G SPM faceplate: Power LED, Link LED, Status LED, Transmit/Receive LED]
Mini-GBIC transceivers are hot swappable. For details on connecting or removing a miniGBIC transceiver and connecting or disconnecting a Gigabit Ethernet cable, see Chapter 4, "Servicing the Device".
[Figure: SPM faceplate with 24 10/100 Fast Ethernet RJ-45 ports: Power LED, Link LED, Status LED, Transmit/Receive LED]
Chapter 2: Installing the Device
This chapter describes how to install a device in an equipment rack or on a desktop, and how to configure the device on a network.
- Installing and Connecting the AC Power Supply on page 13
- Installing and Wiring a DC Power Supply on page 13
- Connecting the NetScreen-5000 System to a Router or Switch on page 15
Important! Although you can place the device on a desktop for operation, NetScreen does not recommend deploying a NetScreen-5000 Series system in this manner.

Warning! To prevent abuse and intrusion by unauthorized personnel, it is extremely important to install the NetScreen system in a locked-room environment.

You can mount the device in a standard 19-inch equipment rack. Rack mounting requires the following tools:
- 1 Phillips-head screwdriver
- Rack-compatible screws
- The included rear slide kit (for the rear and front mount method) on the NetScreen-5200
- Front-mount brackets
There are two ways to rack-mount the NetScreen-5200:
- Mid mount
- Rear and front mount

You can only front-mount the NetScreen-5400.

Note: NetScreen strongly recommends the rear and front rack mount configuration for the NetScreen-5200.
The DC power supply's ON/OFF switch, grounding screw, and terminal blocks are located on the faceplate of the power supply unit.

[Figure: DC power supply faceplate: two thumbscrews, Power LED, Power Switch]
Warning: You must shut off current to the DC feed wires before connecting the wires to the power supplies. Also, make sure that the ON/OFF switch is in the OFF position.

To connect the DC power supply to a grounding point at your site:
1. Remove the hex nut on the grounding screw.
2. Place the ground lug on the screw and tighten the hex nut securely.
3. Connect the other end of the grounding lug wire to a grounding point at your site.
To connect DC power feeds to the terminal blocks, do the following:
1. Loosen the three retaining screws on each terminal block.
2. Insert the 0V DC return wire into the left power connector, the -48V DC power feed wire into the middle power connector, and the ground wire into the ground (E) on the right. Fasten the screws over the connectors and ground.
3. Turn the Power switches ON.

Note: If there are multiple power supplies in the NetScreen-5000 device and any of them are OFF, the Alarm LED on the Management Module glows solid red. This warning indicates that maximum system stability requires all installed power supplies to be operational.
ESTABLISHING AN HA CONNECTION
To assure continuous traffic flow in the event of system failure, you can cable and configure two NetScreen devices in a redundant cluster, with one device acting as a master and the other as its backup. The master propagates all its network, configuration and session information to the backup. Should the master fail, the backup is promoted to master and takes over the traffic processing. To physically connect the master and backup devices, the 5000-M Management Module provides a pair of high-availability (HA) ports. To connect the devices, you can use the provided Gigabit Ethernet mini-GBIC cable. Use this cable to connect the HA1 port on one system to the HA1 port on the other system. For information on setting up HA configurations, see the NetScreen Concepts and Examples Guide.
Chapter 3: Configuring the Device
This chapter describes how to perform initial configuration on a NetScreen-5000 Series device once you have mounted it in a rack or desktop, plugged in the necessary cables, and turned the power on.
- Performing Initial Connection and Configuration on page 20
- Establishing a Terminal Emulator Connection on page 20
- Changing Your Login Name and Password on page 21
- Setting Port and Interface IP Addresses on page 22
- Starting a Console Session Using Telnet on page 24
- Starting a Console Session Using Dialup on page 25
- Establishing a GUI Management Session on page 25
- Configuring the Device for Telnet and WebUI Sessions on page 24
- Configuring the Chassis Alarm on page 26
- Configuring Aggregate Interfaces on page 26
- Resetting the Device to Factory Default Settings on page 27
Note: For safety warnings and instructions, please refer to the NetScreen Safety Guide. The instructions in this guide warn you about situations that could cause bodily injury. Before working on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents.
OPERATIONAL MODES
The NetScreen-5000 device supports two device modes, Transparent mode and Route mode. The default mode is Transparent.
Transparent Mode
In Transparent mode, the NetScreen-5000 device operates as a Layer-2 bridge. Because the device cannot translate packet IP addresses, it cannot perform Network Address Translation (NAT). Consequently, for the device to access the Internet, any IP address in your trusted (local) networks must be routable and accessible from untrusted (external) networks. In Transparent mode, the IP addresses for the Layer-2 security zones V1-Trust, V1-DMZ, and V1-Untrust are 0.0.0.0, thus making the NetScreen device invisible to the network. However, the device can still perform firewall, VPN, and traffic management according to configured security policies.
Route Mode
In Route mode, the NetScreen-5000 device operates at Layer 3. Because you can configure each interface using an IP address and subnet mask, you can configure individual interfaces to perform NAT. When the interface performs NAT services, the device translates the source IP address of each outgoing packet into the IP address of the untrusted port. It also replaces the source port number with a randomly-generated value. When the interface does not perform NAT services, the source IP address and port number in each packet header remain unchanged. Therefore, to reach the Internet your local hosts must have routable IP addresses.
For more information on NAT, see the NetScreen Concepts and Examples ScreenOS Reference Guide.

Important! Performing the setup instructions below configures your device in Route mode. To configure your device in Transparent mode, see the NetScreen Concepts and Examples ScreenOS Reference Guide.
NetScreen-5200 Interfaces
The NetScreen-5200 device shown below contains one management module (in slot 1) and one 5000-8G SPM (in slot 2).

[Figure: NetScreen-5200 with the Console Port, Modem Port, MGT Port and HA Ports labelled]
NetScreen-5400 Interfaces
A NetScreen-5400 device contains one management module (in slot 1) and up to three SPMs. In the illustrations below, the device contains three 5000-8G SPMs.

[Figure: NetScreen-5400 with the Console Port, Modem Port, MGT Port and HA Ports labelled]
Configurable Interfaces
The configurable interfaces available on a NetScreen-5000 Series device are as follows:
Ethernet interfaces
    ethernetn1/n2: specifies a physical Ethernet interface, denoted by an interface module in a slot (n1) and a physical port (n2) on the module.
    ethernetn1/n2.n3: specifies a logical interface, denoted by an interface module in a slot (n1), a physical port (n2) on the module, and a logical interface number (.n3). You create logical interfaces using the set interface command.
Layer-2 interfaces
    vlan1: specifies the interface used for VPNs while the NetScreen device is in Transparent mode.
    v1-trust: specifies a Layer-2 interface bound to the Trust zone. Use this interface when the device is in Transparent mode.
    v1-untrust: specifies a Layer-2 interface bound to the Untrust zone. Use this interface when the device is in Transparent mode.
    v1-dmz: specifies a Layer-2 interface bound to the DMZ zone. Use this interface when the device is in Transparent mode.
Tunnel interfaces
    tunnel.n: specifies a tunnel interface. Use this interface for VPN traffic.
Function interfaces
    mgt: specifies an interface bound to the MGT zone.
    ha1 and ha2: specify the names of the dedicated HA ports.
3. Launch a Command Line Interface (CLI) session between your PC and the NetScreen-5000 device using a standard serial terminal emulation program such as Hilgraeve HyperTerminal (provided with your Windows PC). The settings should be as follows:
    Baud Rate: 9600
    Parity: None
    Data Bits: 8
    Stop Bit: 1
    Flow Control: None
4. Press the ENTER key to see the login prompt.
5. At the login prompt, type netscreen.
6. At the password prompt, type netscreen.
Note: Use lowercase letters only. Both login and password are case-sensitive.
7. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, execute the following command:
set console timeout number
where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0.
get interface
This command displays current port names, IP addresses, MAC addresses, and other useful information.
3. Set the IP address and subnet mask by executing the following command:
save
Important! Your network might require a more restrictive policy than the one created in the example above. The example is NOT a requirement for initial configuration. For detailed information about access policies, see the NetScreen Concepts and Examples ScreenOS Reference Guide.
5. (Optional) By default, the console times out and terminates automatically after 10 minutes of idle time. To change this timeout interval, execute the following command:
set console timeout number
where number is the length of idle time in minutes before session termination. To prevent any automatic termination, specify a value of 0.
2. 10.100.2.183
The NetScreen WebUI software displays the Enter Network Password prompt.
3. Enter netscreen in both the User Name and Password fields, then click OK. (Use lowercase letters only. The User Name and Password fields are both case sensitive.) The NetScreen WebUI application window appears.
get chassis
The 5000-8G SPM supports only certain combinations of ports for aggregate interfaces. For example, a 5000-8G SPM residing in Slot 2 only supports the following port combinations:
- Ethernet2/1 and Ethernet2/2
- Ethernet2/3 and Ethernet2/4
- Ethernet2/5 and Ethernet2/6
- Ethernet2/7 and Ethernet2/8
You must assign one of the following names to the aggregate interface: aggregate1, aggregate2, aggregate3, or aggregate4. In the following example, you combine two Gigabit Ethernet mini-GBIC ports, each running at 1 Gbps, into an aggregate interface running at 2 Gbps. The aggregate interface consists of Ethernet ports 1 and 2 on a 5000-8G SPM (residing in Slot 2).

To create the aggregate interface:
1. (Optional) To see what physical ports are available on your NetScreen-5000 system, execute the following command:
get interface
2. To create an aggregate interface name, execute the following command:
set interface ethernet2/1 aggregate aggregate1
set interface ethernet2/2 aggregate aggregate1
4. (Optional) To see the updated port list and details about the new aggregate interface, execute the following commands:
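The interface naming described in the Configurable Interfaces table and the allowed 5000-8G port pairings above are easy to get wrong when the set interface commands are typed by hand, and an aggregate built from a disallowed pair is only discovered once traffic fails over it. The following Python script is an added example, not code from this guide or from NetScreen: it parses a ScreenOS interface name into its type and slot/port parts, checks that a proposed pair is one the guide permits, and only then emits the two set interface ... aggregate commands. The function names are my own, and the script assumes (the guide only shows Slot 2) that the same adjacent-port rule applies to a 5000-8G SPM in any SPM slot.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Interface-name patterns from the "Configurable Interfaces" table:
#   ethernetn1/n2     physical port n2 on the module in slot n1
#   ethernetn1/n2.n3  logical sub-interface n3 on that port
#   tunnel.n          tunnel interface n
_ETHERNET = re.compile(r"^ethernet(\d+)/(\d+)(?:\.(\d+))?$")
_TUNNEL = re.compile(r"^tunnel\.(\d+)$")
_LAYER2 = {"vlan1", "v1-trust", "v1-untrust", "v1-dmz"}
_FUNCTION = {"mgt", "ha1", "ha2"}

# Aggregate names the guide allows, and the slot that always holds the Management Module.
AGGREGATE_NAMES = {"aggregate1", "aggregate2", "aggregate3", "aggregate4"}
MANAGEMENT_SLOT = 1


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                    # "ethernet", "logical", "layer2", "tunnel" or "function"
    slot: Optional[int] = None   # n1 for ethernet/logical interfaces
    port: Optional[int] = None   # n2 for ethernet/logical interfaces
    index: Optional[int] = None  # n3 for logical interfaces, n for tunnel.n


def classify_interface(name: str) -> Interface:
    """Parse a ScreenOS interface name into its type and numeric parts."""
    n = name.strip().lower()
    m = _ETHERNET.match(n)
    if m:
        slot, port, sub = m.groups()
        if sub is None:
            return Interface(n, "ethernet", int(slot), int(port))
        return Interface(n, "logical", int(slot), int(port), int(sub))
    m = _TUNNEL.match(n)
    if m:
        return Interface(n, "tunnel", index=int(m.group(1)))
    if n in _LAYER2:
        return Interface(n, "layer2")
    if n in _FUNCTION:
        return Interface(n, "function")
    raise ValueError(f"unrecognised interface name: {name!r}")


def is_valid_8g_pair(first: str, second: str) -> bool:
    """True if the two names are physical ports on one 5000-8G SPM that the guide
    lists as an allowed aggregate combination: (1,2), (3,4), (5,6) or (7,8).
    Assumption (mine, not the guide's): the rule holds for an SPM in any SPM slot."""
    a, b = classify_interface(first), classify_interface(second)
    if a.kind != "ethernet" or b.kind != "ethernet":
        return False  # logical, tunnel, Layer-2 and function interfaces cannot aggregate
    if a.slot != b.slot or a.slot == MANAGEMENT_SLOT:
        return False  # both ports must sit on the same SPM, never on the 5000-M
    lo, hi = sorted((a.port, b.port))
    return 1 <= lo <= 7 and lo % 2 == 1 and hi == lo + 1


def aggregate_commands(first: str, second: str, agg_name: str) -> List[str]:
    """Return the two 'set interface ... aggregate ...' commands, refusing any pair or
    aggregate name the guide does not permit so the mistake is caught before it is typed."""
    if agg_name not in AGGREGATE_NAMES:
        raise ValueError(f"aggregate name must be one of {sorted(AGGREGATE_NAMES)}")
    if not is_valid_8g_pair(first, second):
        raise ValueError(f"{first} and {second} are not an allowed 5000-8G aggregate pair")
    ifaces = sorted((classify_interface(first), classify_interface(second)),
                    key=lambda i: i.port)
    return [f"set interface {i.name} aggregate {agg_name}" for i in ifaces]


if __name__ == "__main__":
    # Reproduces the guide's own example: ports 1 and 2 of the SPM in Slot 2 as aggregate1.
    for cmd in aggregate_commands("ethernet2/1", "ethernet2/2", "aggregate1"):
        print(cmd)
```

Run the script to print the two commands from the guide's example; feeding it ethernet2/2 and ethernet2/3 raises a ValueError instead of producing commands, because that pair is not one the 5000-8G supports.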
To perform this operation, you need to make a console connection, as described in Establishing a Terminal Emulator Connection on page 20.

Note: By default the device recovery feature is enabled. You can disable it by entering the following CLI command:
unset admin device-reset

1. At the login prompt, type the serial number of the device.
2. At the password prompt, type the serial number again. The following message appears:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/[n]
3. Press the y key. The following message appears:
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/[n]
4. Press the y key to reset the device. You can now log in using netscreen as the default username and password.

Note: After you successfully reset and reconfigure the NetScreen device, you should back up the new configuration settings. As a precaution against lost passwords, you should back up a new configuration that contains the NetScreen default password. This will ensure a quick recovery of a lost configuration. You should change the password on the system as soon as possible.
Chapter 4: Servicing the Device
This chapter details service and maintenance of various components in your NetScreen-5000 system. Topics in this chapter include:
To install a module in a NetScreen-5000 system, perform the following:
1. Be sure the module is right-side-up and the ejector/injector levers are extended.
2. Slide the module into the appropriate slot of the chassis, until it is seated in the backplane.
3. To secure the module in the chassis, close the ejector/injector levers by pushing them toward the center of the module.
4. Tighten the screws using a #2 Phillips-head screwdriver.
When a fan or fan module fails, the FAN LED glows red, and the system generates an event alarm and an SNMP trap. Although a NetScreen-5000 system can operate for short periods with a fan out of service, there is serious risk of overheating. When overheating occurs, the TEMP LED glows red. When you remove the fan module, you must reinstall it (or replace it) within ten minutes, or system failure may occur.

Note: During the one-year warranty period, you can obtain a replacement fan module by contacting NetScreen Technical Support. After the warranty period, contact the NetScreen Sales department.

To replace the fan module on a NetScreen-5200:
Warning! If the device becomes too hot, the system shuts down automatically.
1. Remove the fan module by turning the fan lock knob clockwise (to the right).
2. Rotate the ejector/injector lever out to disengage the fan module from the fan bay.
3. Grip the fan module lever and gently slide the fan module straight out.
Warning! Do not remove the fan module while the fans are still spinning.
4. Insert the new fan module in the fan bay, and push it straight in.
5. Close the injector/ejector lever to fully seat the fan module.
6. Secure the fan module in place by tightening the thumbscrew counterclockwise (to the left).

To replace the fan module on a NetScreen-5400:
1. Loosen the top and bottom thumbscrews, turning them counterclockwise (to the left).
2. Grip the screws and gently slide the fan module out.
Warning! Do not remove the fan module while the fans are still spinning.
3. Insert the new fan module in the fan bay, and push it straight in.
4. Secure the fan module in place by tightening the thumbscrews clockwise (to the right).
To install a mini-GBIC transceiver into a module:
1. Grasp the transceiver with the label facing up, and insert it into the transceiver slot until seated.
2. Check that the black transceiver ejector extends fully out to the front of the ejector slot, flush with the port portion of the transceiver.
Appendix A: Specifications

This appendix provides general system specifications for the NetScreen-5200 and NetScreen-5400 systems.
- NetScreen-5200 Attributes on page 2
- NetScreen-5400 Attributes on page 2
- Electrical Specification on page 2
- Fuse Rating: 3.15A / 250V on page 2
- NEBS Certifications on page 2
- Safety Certifications on page 3
- EMI Certifications on page 3
- Connectors on page 3
NETSCREEN-5200 ATTRIBUTES
Height: 3.4 inches
Depth: 19.5 inches
Width: 17.5 inches
Weight: 32 pounds (without power supply)
NETSCREEN-5400 ATTRIBUTES
Height: 8.62 inches
Depth: 14 inches
Width: 17.5 inches
Weight: 42 pounds (without power supply)
ELECTRICAL SPECIFICATION
AC voltage: 100-240 VAC +/- 10%
DC voltage: -36 to -60 VDC
AC Watts: 150 Watts
DC Watts: 150 Watts
Fuse Rating: 3.15A / 250V
ENVIRONMENTAL

                 Temperature (normal altitude)   Relative humidity   Non-condensing
Operating        0-40 C (32-105 F)               10-90%              10-90%
Non-operating    -40-70 C (-40-158 F)            5-95%               5-95%
NEBS CERTIFICATIONS

Level 3, NS-5200 with DC power supply:
- GR-63-Core: NEBS, Environmental Testing
- GR-1089-Core: EMC and Electrical Safety for Network Telecommunications Equipment
SAFETY CERTIFICATIONS
UL, CUL, CSA, CE, CB, Austel
EMI CERTIFICATIONS
FCC class A, BSMI, CE class A, C-Tick, VCCI class A
CONNECTORS
The RJ-45 twisted-pair ports are compatible with the IEEE 802.3 Type 10/100 BaseT standard. The mini-Gigabit transceivers used in NetScreen-5000 modules are Shortwave or SX type, so they are good for up to 550 meters. (This varies by manufacturer.) The limit is 850 for the optic LC-type connector. The mini-Gigabit transceivers are compatible with the IEEE 802.3z Gigabit Ethernet standard. The following table lists media types, MHz/km ratings, and maximum distances for the different types of connectors used in the NetScreen-5000 Series.
Standard 1000Base-SX Media Type 50/125 m Multimode Fiber 50/125 m Multimode Fiber 62.5/125 m Multimode Fiber 62.5/125 m Multimode Fiber 1000Base-LX 50/125 m Multimode Fiber 62.5/125 m Multimode Fiber 9/125 Single-mode Fiber 100Base-TX Category 5 and higher Unshielded Twisted Pair (UTP) Cable Mhz/Km Rating 400 500 160 200 400 500 Maximum Distance 500 Meters 550 meters 220 meters 275 meters 550 meters 550 meters 10,000 meters 100 meters
This appendix provides details on port descriptions and LED status for the NetScreen-5000 Series system modules.
Port   Type       Description
Modem  RJ-45      Enables a connection for establishing out-of-band management sessions from outside of the network.
MGT    RJ-45
HA1    mini-GBIC  Enables connection with another device in a redundancy cluster, where one device serves as the master (primary) device, and the other serves as the backup (secondary) device.
HA2    mini-GBIC  Enables connection with another device in a redundancy cluster, where one device serves as the master (primary) device, and the other serves as the backup (secondary) device.

The following table describes the ports on the 5000-8G Secure Port Module (SPM).

Port               Type       Speed/Protocol             Description
Network Ports 1-8  mini-GBIC  1 Gbps / Gigabit Ethernet  Eight Gigabit ports with an aggregate throughput of 8 Gbps.

The following table describes the ports on the 5000-24FE Secure Port Module (SPM).

Port                Type       Description
Network Ports 1-2   mini-GBIC  Two high-speed network ports for general connection to the network.
Network Ports 3-26  RJ-45      24 network ports for general connection to the network.
LED              LED Color   Meaning
CPU Utilization  Green
                 Off
PWR              Green
                 Off
                 Red
STATUS           Green
                 Amber
                 Off
HA               Green
                 Red
                 Amber
                 Off
Alarm            Red
                 Off         Indicates the system has not detected an event or error at the current time.
Flash            Green       Indicates the flash card is installed. Blinking indicates flash card activity.
                 Off
a. If the NetScreen-5400 contains more than one SPM, the system requires at least two functioning power supplies. If a second power supply is not present, or is present but not turned on, the alarm LED will be off, but you will see a console message directing you to install and turn on another power supply.
All NetScreen devices are designed to meet the Common Criteria requirements, and are currently under evaluation for Common Criteria, EAL2. However, there are certain configuration actions that are required for a security administrator to properly secure the device to be in compliance with the Common Criteria EAL2 security target. While these requirements are for anyone needing Common Criteria assurance, they can also be used as general guidelines for administrators wishing to better secure the deployment of a NetScreen device.
PROPERLY IDENTIFYING THE NETSCREEN DEVICE FOR COMMON CRITERIA EAL2 COMPLIANCE
Before carrying out any step to secure a NetScreen device, you must make sure that the received product has not been tampered with, and ensure that the product received matches the version that is certified as Common Criteria EAL2 compliant. To ensure that the product has not been tampered with, verify two items:
- The outside packaging cannot show damage or evidence that it has been opened. If the cardboard shows damage that would allow the device to be removed or exchanged, this may be evidence of tampering.
- The internal packaging cannot show damage or evidence of tampering. The plastic bag should not have a large hole, and the label that seals the plastic bag should not be detached or missing. If the bag or the seal is damaged in any way, this may be evidence of tampering.
Both of these tamper evidence criteria must be met to ensure that the product has not been tampered with during shipment. To verify that the product received is the correct version of hardware and software, run the following command from the Command Line Interface (CLI):
get system
The output of this command includes two key items: the hardware version and the software version. The Common Criteria evaluated versions are listed in NetScreen's Security Target for Common Criteria EAL2, section 1.1. The hardware and software versions must match the Security Target to be in full compliance with the Common Criteria evaluation.
PROPER STEPS TO SECURE A NETSCREEN DEVICE FOR COMMON CRITERIA EAL2 COMPLIANCE
To configure a NetScreen device to operate securely, and in conformance with the requirements outlined in NetScreen's Security Target for Common Criteria EAL2, the following actions must be taken:

You must configure a Syslog server as a backup for security audit information, and for long-term audit log storage. This helps prevent loss of security audit information. See Chapter 2, Monitoring NetScreen Devices, in Volume 3 of the NetScreen Concepts & Examples manual for more information on how to set up and configure a Syslog server to work with NetScreen devices. The specific commands required to set up a Syslog server are listed below:

set syslog enable
set syslog traffic
set log module system level level destination syslog

Note: You must enter the set log command once for each message level. The options for level are:
emergency
alert
critical
error
warning
notification
information

There are cases where more auditable events can occur than the NetScreen device is able to write to a syslog server. To be compliant with Common Criteria requirements, the NetScreen device must stop further auditable events from occurring until the audit trail is able to handle more traffic. An authorized administrator must enable the following command:
The NetScreen-5XP and NetScreen-5XT have a default policy that allows traffic to traverse the device from the interface in the Trust zone to the interface in the Untrust zone. You must delete this default policy to avoid inadvertently allowing information to traverse the device. See the policy commands in the NetScreen CLI Reference Guide for more information on how to set and unset policies. To disable this default policy on the NetScreen-5XP and -5XT, enter the following CLI command:
unset policy id 0
NetScreen devices must be configured to prevent all types of Denial of Service (DoS) attacks and attack signatures on every security zone, so that these attacks cannot reach the LAN. See Chapter 2, Zones, in Volume 2 of the NetScreen Concepts & Examples manual for more information on configuring the Screen functions and for descriptions of the attacks the Screen functions are designed to prevent. You must turn on IP spoofing detection and enable dropping of traffic where there is no source route by using the following command:
All other security zones have no screens enabled by default. The CLI command below enables all screens on a per-zone basis (they are applied to all interfaces within that zone):

set zone untrust screen all
set zone trust screen all
You must run the same command for each additional security zone that is configured and used.

NetScreen device administrators must choose logins and passwords that are not only long (at least 8 characters), but that also employ as many types of characters as possible. Passwords are case sensitive, so mixing lower case and upper case is required to ensure proper protection. In addition, user names and passwords should not be easily guessed, such as a mother's maiden name, a birth date, or names of relatives.

NetScreen devices ship with a default user name and password of netscreen. You must change this as soon as possible to prevent unauthorized access. See Chapter 1, Administration, in Volume 3 of the NetScreen Concepts & Examples manual for more information on administrative passwords. The recommended time between password changes is no longer than 30 days to mitigate the effects of a compromised administrator identity. The following CLI commands, in order, are required to set a new administrator name and password:
NetScreen-204: unset interface ethernet1 manage
NetScreen-208: unset interface ethernet1 manage
NetScreen-500: unset interface ethernet3/2 manage
NetScreen-5200: unset interface ethernet2/2 manage

There are two important steps to take every time a policy is created. First, all security policies that are created must have counting and logging enabled to ensure that all audit log information is maintained for traffic passing through the device. Second, policies must be as specific as possible to ensure that the traffic being permitted is permitted intentionally, and not as part of a generic policy.

When creating a policy, always make sure that counting and logging are enabled. This ensures that all traffic matching the policy is logged appropriately. When creating a policy, always use specific source IP, destination IP, source zone, destination zone, protocol, and service when feasible. One example where it may not make sense to be specific is traffic destined for an external network for general web access. The following is an example of a valid policy:
set policy id 1 from trust to untrust 192.168.1.2 1.1.1.1 ftp permit count log
The above policy allows traffic from 192.168.1.2 to 1.1.1.1 for FTP only, with the Trust zone as the source and the Untrust zone as the destination, and enables logging and counting.

All traffic from an internal network to an external network must flow through the NetScreen device. Setting up network connections that do not cross the NetScreen device is not a secure setup and leaves the network susceptible to intrusion.

The CLI is the only administration interface available in the evaluated configuration of the NetScreen devices for Common Criteria EAL2. Currently, NetScreen devices are in evaluation for Common Criteria EAL2. This certification is for NetScreen devices deployed in environments where the threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered low.
set log module system level level-name dest syslog
unset log module system level level-name dest syslog
where level-name is one of the following:
Alarm log was reviewed by admin name
Traffic log was reviewed by admin name
Asset recovery log was reviewed by admin name
Self log was reviewed by admin name
Event log was reviewed by admin name
where name is the person making the change.
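The syslog, screen, policy, management-interface and administrator-name steps above are given as commands to enter. As an added example that is not part of this guide or of ScreenOS, the following Python script audits a list of ScreenOS commands, in the command forms this appendix shows rather than an expanded get config dump, against those steps and reports what is missing. The two sample command lists are constructed for the example; the model-to-interface table is taken from the appendix; the set admin name command form is an assumption.

```python
"""Audit a list of ScreenOS CLI commands against the Common Criteria EAL2
hardening steps in this appendix. Constructed example: it checks the command
forms the appendix shows, not an expanded 'get config' dump."""
import re
from typing import List

# The seven system log levels that must each be sent to the syslog server.
LOG_LEVELS = ("emergency", "alert", "critical", "error", "warning",
              "notification", "information")

# Models that ship with a default Trust-to-Untrust policy (id 0) to remove.
DEFAULT_POLICY_MODELS = ("NetScreen-5XP", "NetScreen-5XT")

# Model -> interface on which management must be disabled (from this appendix).
MANAGE_INTERFACE = {
    "NetScreen-204": "ethernet1",
    "NetScreen-208": "ethernet1",
    "NetScreen-500": "ethernet3/2",
    "NetScreen-5200": "ethernet2/2",
}

# 'set policy id N from ZONE to ZONE SRC DST SVC ACTION [options...]'
POLICY_RE = re.compile(
    r"^set policy id (?P<id>\d+) from (?P<src_zone>\S+) to (?P<dst_zone>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+) (?P<action>\S+)(?P<opts>.*)$")


def audit(config: str, model: str) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings: List[str] = []

    # 1. Syslog backup of audit data: enabled, traffic logs, every system level.
    if "set syslog enable" not in lines:
        findings.append("syslog is not enabled (set syslog enable)")
    if "set syslog traffic" not in lines:
        findings.append("traffic logs are not sent to syslog (set syslog traffic)")
    for level in LOG_LEVELS:
        pat = re.compile(rf"^set log module system level {level} dest(ination)? syslog$")
        if not any(pat.match(ln) for ln in lines):
            findings.append(f"system log level '{level}' is not sent to syslog")

    # 2. Default policy id 0 must be explicitly removed on models that ship it.
    if model in DEFAULT_POLICY_MODELS and "unset policy id 0" not in lines:
        findings.append("default policy id 0 has not been removed (unset policy id 0)")

    # 3. Every zone used by a policy must have all screens enabled.
    policies = [m for m in (POLICY_RE.match(ln) for ln in lines) if m]
    zones = {m.group("src_zone") for m in policies} | {m.group("dst_zone") for m in policies}
    for zone in sorted(zones):
        if f"set zone {zone} screen all" not in lines:
            findings.append(f"zone '{zone}' does not have 'screen all' enabled")

    # 4. Every policy must count and log; 'any' for src/dst/service is flagged
    #    because the appendix requires policies to be as specific as feasible.
    for m in policies:
        opts = m.group("opts").split()
        if "count" not in opts or "log" not in opts:
            findings.append(f"policy {m.group('id')} lacks count and/or log")
        for field in ("src", "dst", "svc"):
            if m.group(field).lower() == "any":
                findings.append(f"policy {m.group('id')} uses 'any' for {field}")

    # 5. Management must be disabled on the model's untrust-facing interface.
    iface = MANAGE_INTERFACE.get(model)
    if iface and f"unset interface {iface} manage" not in lines:
        findings.append(f"management is still enabled on {iface}")

    # 6. The default administrator name 'netscreen' must have been changed.
    #    'set admin name <name>' is the assumed form of the ScreenOS command.
    names = [m.group(1) for m in (re.match(r"^set admin name (\S+)$", ln) for ln in lines) if m]
    if not names or names[-1].lower() == "netscreen":
        findings.append("administrator name is still the default 'netscreen'")
    return findings


# Constructed sample command lists (not from the manual).
HARDENED_EXAMPLE = """
set syslog enable
set syslog traffic
set log module system level emergency destination syslog
set log module system level alert destination syslog
set log module system level critical destination syslog
set log module system level error destination syslog
set log module system level warning destination syslog
set log module system level notification destination syslog
set log module system level information destination syslog
set zone untrust screen all
set zone trust screen all
set admin name secadmin
unset interface ethernet2/2 manage
set policy id 1 from trust to untrust 192.168.1.2 1.1.1.1 ftp permit count log
"""

WEAK_EXAMPLE = """
set syslog enable
set policy id 1 from trust to untrust any any any permit
"""

if __name__ == "__main__":
    for label, cfg, model in (("hardened", HARDENED_EXAMPLE, "NetScreen-5200"),
                              ("weak", WEAK_EXAMPLE, "NetScreen-5XT")):
        print(label, model)
        for finding in audit(cfg, model) or ["no findings"]:
            print("  -", finding)
```

The audit is deliberately a whitelist of the commands this appendix requires; it reports an absence as a finding rather than trusting defaults, which is why a bare set syslog enable on a NetScreen-5XT produces sixteen findings while the hardened list produces none.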
Index

Numerics
5000-24FE, description 7
5000-M, figure 6
5000-M, system status LEDs 3
5008-G, description 7
5008-G, figure 7
5008-G, port status LEDs 4
5008-G, system status LEDs 4

A
AC power supply 5
AC power supply, replacing 31
aggregate ports 26
asset recovery 27

C
cabling network interfaces 24
changing login and password 21
configuring aggregate ports 26
connecting the power supply 13
connecting, serial connection 25
connecting, system to a router or switch 15
connecting, system to other devices 14
console, changing timeout 21, 25
console session, establishing 20
console session, using a dialup connection 25

D
DC power supply 4
DC power supply, replacing 30
DC power supply, wiring 13
dialup connection 25

F
fan tray 31
fan tray, replacing 32

G
guide organization vii

H
high availability 14
high availability, establishing an HA connection 14

I
installation guidelines 10
installing modules 5

L
LED status 3
LED status types 3
Logging on 25
login name, changing (CLI) 24
login, changing 21

M
Management Module 6
Management Module, 5000-M 6
management port, setting an IP address 22
management session 25
modules 5
modules, 5000-24FE 7
modules, 5000-M 6
modules, 5008-G 7
modules, allowable slots 5
modules, installing 5
modules, Management Module 6
modules, Secure Port Modules 7
mounting, mid-mount rack installation 12
mounting, rear and front rack installation 11, 12

N
NetScreen Publications xi
NetScreen-5000, connecting to a router or switch 15
NetScreen-5000, connecting to other devices 14
NetScreen-5000, modules 5
NetScreen-5200, about 2
NetScreen-5400, about 2

P
password, changing (CLI) 24
password, forgetting 27
password, changing 21
port settings, viewing 22
port status LEDs, 5008-G 4
power supplies, AC, replacing 31
power supplies, DC ground posts 14
power supplies, DC terminal blocks 14
power supplies, DC, replacing 30
power supplies, DC, wiring 14
power supply, AC 5
power supply, connecting to the system 13
power supply, DC 4
power supply, installing 13
power supply, recommendations 4

R
Rack 10
rack, mounting 10
rack installation guidelines 10
replacing a DC power supply 30
replacing an AC power supply 31
reset 27

S
Secure Port Modules 7
Secure Port Modules, 5000-24FE 7
Secure Port Modules, 5008-G 7
system status LEDs, 5000-M 3
system status LEDs, 5008-G 4

T
Transparent mode 18

V
Ventilation 10
viewing port settings 22