Table of Contents
- About This Guide
- Introduction to JUNOS Software
- Introducing JUNOS Software for SRX Series Services Gateways
- SRX Series Services Gateways Processing Overview
- Sessions for SRX Series Services Gateways
- Session Characteristics for SRX Series Services Gateways
- Understanding Session Characteristics for SRX Series Services Gateways
- Example: Controlling Session Termination for SRX Series Services Gateways (CLI)
- Example: Disabling TCP Packet Security Checks for SRX Series Services Gateways (CLI)
- Example: Setting the Maximum Segment Size for All TCP Sessions for SRX Series Services Gateways (CLI)
- Monitoring Sessions for SRX Series Services Gateways
- Understanding How to Obtain Session Information for SRX Series Services Gateways
- Displaying Global Session Parameters for All SRX Series Services Gateways
- Displaying a Summary of Sessions for SRX Series Services Gateways
- Displaying Session and Flow Information About Sessions for SRX Series Services Gateways
- Displaying Session and Flow Information About a Specific Session for SRX Series Services Gateways
- Using Filters to Display Session and Flow Information for SRX Series Services Gateways
- Information Provided in Session Log Entries for SRX Series Services Gateways
- Clearing Sessions for SRX Series Services Gateways
- Debugging for SRX Series Services Gateways
- Understanding SRX Series Services Gateways Central Point Architecture
- SRX5600 and SRX5800 Services Gateways Processing Overview
- Understanding First-Packet Processing
- Understanding Fast-Path Processing
- Understanding the Data Path for Unicast Sessions
- Session Lookup and Packet Match Criteria
- Understanding Session Creation: First-Packet Processing
- Step 1. A Packet Arrives at an Interface on the Device and the NPU Processes It.
- Step 2. The Central Point (CP) Creates a Session with a "Pending" State.
- Step 3. The SPU Sets Up the Session.
- Step 4. The CP Installs the Session.
- Step 5. The SPU Sets Up the Session on the Ingress and Egress NPUs.
- Step 6. Fast-Path Processing Takes Place.
- Understanding Fast-Path Processing
- Step 1. A Packet Arrives at the Device and the NPU Processes It.
- Step 2. The SPU for the Session Processes the Packet.
- Step 3. The SPU Forwards the Packet to the NPU.
- Step 4. The Interface Transmits the Packet From the Device.
- Step 5. A Reverse Traffic Packet Arrives at the Egress Interface and the NPU Processes It.
- Step 6. The SPU for the Session Processes the Reverse Traffic Packet.
- Step 7. The SPU Forwards the Reverse Traffic Packet to the NPU.
- Step 8. The Interface Transmits the Packet From the Device.
- Understanding Packet Processing
- Understanding Services Processing Units
- Understanding Scheduler Characteristics
- Understanding Network Processor Bundling
- SRX3400 and SRX3600 Services Gateways Processing Overview
- SRX210 Services Gateway Processing Overview
- Introducing JUNOS Software for J Series Services Routers
- Understanding Stateful and Stateless Data Processing for J Series Services Routers
- Session Characteristics for J Series Services Routers
- Understanding Session Characteristics for J Series Services Routers
- Example: Controlling Session Termination for J Series Services Routers (CLI)
- Example: Disabling TCP Packet Security Checks for J Series Services Routers (CLI)
- Example: Accommodating End-to-End TCP Communication for J Series Services Routers (CLI)
- Understanding the Data Path for J Series Services Routers
- Security Zones and Interfaces
- Security Policies
- Security Policies
- Security Policies Overview
- Understanding Security Policy Rules
- Understanding Security Policy Elements
- Security Policies Configuration Overview
- Example: Defining Security Policies (J-Web Point and Click CLI)
- Example: Defining Security Policies (CLI)
- Example: Configuring a Policy to Permit Traffic (CLI)
- Example: Configuring a Policy to Deny Traffic (J-Web Point and Click CLI)
- Example: Configuring a Policy to Deny Traffic (CLI)
- Policy Ordering
- Verifying Policy Configuration
- Troubleshooting Security Policies
- Monitoring Policy Statistics
- Security Policy Schedulers
- Security Policy Applications
- Security Policy Applications Overview
- Policy Application Sets Overview
- Example: Configuring Applications and Application Sets (J-Web Point and Click CLI)
- Example: Configuring Applications and Application Sets (CLI)
- Custom Policy Applications
- Understanding Custom Policy Applications
- Custom Application Mappings
- Example: Adding a Custom Policy Application (J-Web Point and Click CLI)
- Example: Adding a Custom Policy Application (CLI)
- Example: Modifying a Custom Policy Application (J-Web Point and Click CLI)
- Example: Modifying a Custom Policy Application (CLI)
- Example: Defining a Custom ICMP Application (J-Web Point and Click CLI)
- Example: Defining a Custom ICMP Application (CLI)
- Policy Application Timeouts
- Understanding the ICMP Predefined Policy Application
- Default Behaviour of ICMP Unreachable Errors
- Understanding Internet-Related Predefined Policy Applications
- Understanding Microsoft Predefined Policy Applications
- Understanding Dynamic Routing Protocols Predefined Policy Applications
- Understanding Streaming Video Predefined Policy Applications
- Understanding Sun RPC Predefined Policy Applications
- Understanding Security and Tunnel Predefined Policy Applications
- Understanding IP-Related Predefined Policy Applications
- Understanding Instant Messaging Predefined Policy Applications
- Understanding Management Predefined Policy Applications
- Understanding Mail Predefined Policy Applications
- Understanding UNIX Predefined Policy Applications
- Understanding Miscellaneous Predefined Policy Applications
- Application Layer Gateways
- ALGs
- H.323 ALGs
- Understanding H.323 ALGs
- Understanding the Avaya H.323 ALG
- H.323 ALG Configuration Overview
- H.323 ALG Endpoint Registration Timeouts
- H.323 ALG Media Source Port Ranges
- H.323 ALG DoS Attack Protection
- H.323 ALG Unknown Message Types
- Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (J-Web Point and Click CLI)
- Example: Passing H.323 ALG Traffic to a Gatekeeper in the Internal Zone (CLI)
- Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (J-Web Point and Click CLI)
- Example: Passing H.323 ALG Traffic to a Gatekeeper in the External Zone (CLI)
- Example: Using NAT and the H.323 ALG to Enable Incoming Calls (CLI)
- Example: Using NAT and the H.323 ALG to Enable Outgoing Calls (CLI)
- Verifying H.323 ALG Configurations
- SIP ALGs
- Understanding SIP ALGs
- Understanding SIP ALG Request Methods
- SIP ALG Configuration Overview
- SIP ALG Call Duration and Timeouts
- SIP ALG DoS Attack Protection
- SIP ALG Unknown Message Types
- SIP ALG Call ID Hiding
- SIP ALG Hold Resources
- SIP ALGs and NAT
- Understanding SIP ALGs and NAT
- Understanding Incoming SIP ALG Call Support Using the SIP Registrar and NAT
- Example: Configuring Interface Source NAT for Incoming SIP Calls (CLI)
- Example: Configuring a Source NAT Pool for Incoming SIP Calls (J-Web Point and Click CLI)
- Example: Configuring a Source NAT Pool for Incoming SIP Calls (CLI)
- Example: Configuring Static NAT for Incoming SIP Calls (J-Web Point and Click CLI)
- Example: Configuring Static NAT for Incoming SIP Calls (CLI)
- Example: Configuring the SIP Proxy in the Private Zone and NAT in the Public Zone (CLI)
- Example: Configuring the SIP Proxy and NAT in the Public Zone (J-Web Point and Click CLI)
- Example: Configuring the SIP Proxy and NAT in the Public Zone (CLI)
- Example: Configuring a Three-Zone SIP ALG and NAT Scenario (J-Web Point and Click CLI)
- Example: Configuring a Three-Zone SIP ALG and NAT Scenario (CLI)
- Verifying SIP ALG Configurations
- SCCP ALGs
- MGCP ALGs
- Understanding MGCP ALGs
- MGCP ALG Configuration Overview
- MGCP ALG Call Duration and Timeouts
- Understanding MGCP ALG Call Duration and Timeouts
- Example: Setting MGCP ALG Call Duration (J-Web)
- Example: Setting MGCP ALG Call Duration (CLI)
- Example: Setting MGCP ALG Inactive Media Timeout (J-Web)
- Example: Setting MGCP ALG Inactive Media Timeout (CLI)
- Example: Setting the MGCP ALG Transaction Timeout (J-Web)
- Example: Setting the MGCP ALG Transaction Timeout (CLI)
- MGCP ALG DoS Attack Protection
- MGCP ALG Unknown Message Types
- Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (J-Web Point and Click CLI)
- Example: Configuring Media Gateways in Subscriber Homes Using MGCP ALGs (CLI)
- Example: Configuring Three-Zone ISP-Hosted Service Using MGCP ALGs and NAT (CLI)
- Verifying MGCP ALG Configurations
- RPC ALGs
- User Authentication
- Firewall User Authentication
- Firewall User Authentication Overview
- Pass-Through Authentication
- Web Authentication
- External Authentication
- Client Groups for Firewall Authentication
- Understanding Client Groups for Firewall Authentication
- Example: Configuring Local Users for Client Groups (J-Web Point and Click CLI)
- Example: Configuring Local Users for Client Groups (CLI)
- Example: Configuring a Default Client Group for All Users (J-Web Point and Click CLI)
- Example: Configuring a Default Client Group for All Users (CLI)
- Firewall Authentication Banner Customization
- Verifying Firewall User Authentication
- Monitoring Users and IP Addresses in the Authentication Table
- Infranet Authentication
- UAC and JUNOS
- JUNOS Enforcer and Infranet Controller Communications
- JUNOS Enforcer Policy Enforcement
- JUNOS Enforcer and IPsec
- JUNOS Enforcer and Infranet Agent Endpoint Security
- JUNOS Enforcer and Infranet Controller Cluster Failover
- Virtual Private Networks
- Internet Protocol Security
- VPN Overview
- Understanding IKE and IPsec Packet Processing
- IPsec VPN Configuration Overview
- Phase 1 Proposals for IPsec VPNs
- Understanding Phase 1 of IKE Tunnel Negotiation
- Example: Configuring an IKE Phase 1 Proposal (J-Web Point and Click CLI)
- Example: Configuring an IKE Phase 1 Proposal (CLI)
- Example: Configuring an IKE Policy (J-Web Point and Click CLI)
- Example: Configuring an IKE Policy (CLI)
- Example: Configuring an IKE Gateway (J-Web Point and Click CLI)
- Example: Configuring an IKE Gateway (CLI)
- Phase 2 Proposals for IPsec VPNs
- Understanding Phase 2 of IKE Tunnel Negotiation
- Example: Configuring an IPsec Phase 2 Proposal (J-Web Point and Click CLI)
- Example: Configuring an IPsec Phase 2 Proposal (CLI)
- Example: Configuring an IPsec Policy (J-Web Point and Click CLI)
- Example: Configuring an IPsec Policy (CLI)
- Example: Configuring AutoKey IKE (J-Web Point and Click CLI)
- Example: Configuring AutoKey IKE (CLI)
- Global SPI and VPN Monitoring Features
- Hub-and-Spoke VPNs
- Public Key Cryptography for Certificates
- Understanding Public Key Infrastructure
- Certificates and Certificate Authority
- Understanding Certificates
- Digital Certificates Configuration Overview
- Public-Private Key Pairs
- Certificate Authority Profiles
- Certificate Enrollment
- Example: Generating a Local Certificate Request Manually (CLI)
- Example: Loading CA and Local Certificates Manually (CLI)
- Example: Reenrolling Local Certificates Automatically (CLI)
- Deleting Certificates (CLI Procedure)
- Self-Signed Certificates
- Understanding Self-Signed Certificates
- Using Automatically Generated Self-Signed Certificates (J-Web Point and Click CLI Procedure)
- Using Automatically Generated Self-Signed Certificates (CLI Procedure)
- Manually Generating Self-Signed Certificates (J-Web Point and Click CLI Procedure)
- Example: Manually Generating Self-Signed Certificates (CLI)
- Certificate Revocation Lists
- Understanding Certificate Revocation Lists
- Example: Manually Loading a CRL onto the Device (CLI)
- Example: Verifying Certificate Validity (CLI)
- Example: Checking Certificate Validity Using CRLs (J-Web Point and Click CLI)
- Example: Checking Certificate Validity Using CRLs (CLI)
- Deleting a Loaded CRL (CLI Procedure)
- Dynamic VPNs
- NetScreen-Remote VPN Client
- NetScreen-Remote VPN Client Overview
- System Requirements for the NetScreen-Remote Client Installation
- Installing the NetScreen-Remote Client on a PC or Laptop
- Configuring a Firewall for Use by the NetScreen-Remote Client
- Configuring a Security Zone for the NetScreen-Remote Client
- Configuring a Tunnel Interface for the NetScreen-Remote Client
- Configuring an Access Profile for XAuth for the NetScreen-Remote Client
- Configuring an IKE Gateway for the NetScreen-Remote Client
- Configuring a Policy for the NetScreen-Remote Client
- Configuring the NetScreen-Remote Client for Your PC or Laptop
- Encryption and Hash Algorithm Terms
- Logging In to the NetScreen-Remote Client
- Intrusion Detection and Prevention
- IDP Policies
- IDP Policies Overview
- Example: Enabling IDP in a Security Policy (J-Web Point and Click CLI)
- Example: Enabling IDP in a Security Policy (CLI)
- IDP Rules and Rulebases
- IDP Applications and Application Sets
- IDP Attacks and Attack Objects
- Understanding Custom Attack Objects
- IDP Protocol Decoders
- IDP Signature-Based Attacks
- IDP Protocol Anomaly-Based Attacks
- Example: Specifying IDP Test Conditions for a Specific Protocol (CLI)
- Application-Level Distributed Denial of Service
- IDP Signature Database
- Understanding the IDP Signature Database
- Predefined IDP Policy Templates
- IDP Signature Databases
- Understanding Predefined IDP Attack Objects and Object Groups
- Understanding the IDP Signature Database Version
- Updating the IDP Signature Database Overview
- Updating the IDP Signature Database Manually Overview
- Example: Updating the IDP Signature Database Manually (CLI)
- Example: Updating the Signature Database Automatically (CLI)
- Verifying the Signature Database
- IDP Application Identification
- Understanding IDP Application Identification
- Understanding IDP Service and Application Bindings by Attack Objects
- Example: Configuring IDP Policies for Application Identification (CLI)
- Disabling Application Identification for an IDP Policy (CLI Procedure)
- IDP Application Identification for Nested Applications
- IDP Application System Cache
- IDP Memory and Session Limits
- Verifying IDP Counters for Application Identification Processes
- IDP SSL Inspection
- IDP SSL Overview
- Supported IDP SSL Ciphers
- Understanding IDP Internet Key Exchange
- Understanding IDP SSL Server Key Management and Policy Configuration
- Displaying IDP SSL Keys and Associated Servers
- Adding IDP SSL Keys and Associated Servers
- Deleting IDP SSL Keys and Associated Servers
- Configuring an IDP SSL Inspection (CLI Procedure)
- IDP Performance and Capacity Tuning
- IDP Logging
- Unified Threat Management
- Unified Threat Management Overview
- Antispam Filtering
- Full Antivirus Protection
- Full Antivirus Protection Overview
- Full Antivirus Scanner Pattern Database
- Understanding Full Antivirus Pattern Updates
- Full Antivirus Pattern Update Configuration Overview
- Example: Specifying the Full Antivirus Pattern Update Server (CLI)
- Example: Automatically Updating Full Antivirus Patterns (J-Web)
- Example: Automatically Updating Full Antivirus Patterns (CLI)
- Manually Updating, Reloading, and Deleting Full Antivirus Patterns (CLI Procedure)
- Full Antivirus File Scanning
- Understanding the Full Antivirus Internal Scan Engine
- Global, Profile-Based, and Policy-Based Full Antivirus Scan Settings
- Full Antivirus Scan Modes
- Full Antivirus Intelligent Prescreening
- Full Antivirus Content Size Limits
- Full Antivirus Decompression Layer Limit
- Full Antivirus Scanning Timeout
- Full Antivirus Scan Session Throttling
- Full Antivirus Application Protocol Scanning
- Understanding Full Antivirus Application Protocol Scanning
- HTTP Full Antivirus Scanning
- Understanding HTTP Scanning
- Enabling HTTP Scanning (CLI Procedure)
- Understanding HTTP Trickling
- Configuring HTTP Trickling to Prevent Timeouts During Antivirus Scanning (CLI Procedure)
- Understanding MIME Whitelists
- Example: Configuring MIME Whitelists to Bypass Antivirus Scanning (CLI)
- Understanding URL Whitelists
- Configuring URL Whitelists to Bypass Antivirus Scanning (CLI Procedure)
- FTP Full Antivirus Scanning
- SMTP Full Antivirus Scanning
- POP3 Full Antivirus Scanning
- IMAP Full Antivirus Scanning
- Full Antivirus Scan Results and Notification Options
- Full Antivirus Configuration Overview
- Configuring Full Antivirus (J-Web Procedure)
- Example: Configuring Full Antivirus (CLI)
- Monitoring Antivirus Sessions and Scan Results
- Express Antivirus Protection
- Content Filtering
- Web Filtering
- Web Filtering Overview
- Integrated Web Filtering
- Redirect Web Filtering
- Local Web Filtering
- Monitoring Web Filtering Configurations
- Attack Detection and Prevention
- Attack Detection and Prevention
- Reconnaissance Deterrence
- Reconnaissance Deterrence Overview
- IP Address Sweeps
- Port Scanning
- Network Reconnaissance Using IP Options
- Operating System Probes
- Attacker Evasion Techniques
- Understanding Attacker Evasion Techniques
- Fin Scanning
- TCP SYN Checking
- IP Spoofing
- IP Source Route Options
- Understanding IP Source Route Options
- Example: Blocking Packets with Either a Loose or a Strict Source Route Option Set (J-Web Point and Click CLI)
- Example: Blocking Packets with Either a Loose or a Strict Source Route Option Set (CLI)
- Example: Detecting Packets with Either a Loose or a Strict Source Route Option Set (J-Web Point and Click CLI)
- Example: Detecting Packets with Either a Loose or a Strict Source Route Option Set (CLI)
- Suspicious Packet Attributes
- Denial-of-Service Attacks
- DoS Attack Overview
- Firewall DoS Attacks
- Firewall DoS Attacks Overview
- Session Table Flood Attacks
- Understanding Session Table Flood Attacks
- Understanding Source-Based Session Limits
- Example: Setting Source-Based Session Limits (J-Web Point and Click CLI)
- Example: Setting Source-Based Session Limits (CLI)
- Understanding Destination-Based Session Limits
- Example: Setting Destination-Based Session Limits (J-Web Point and Click CLI)
- Example: Setting Destination-Based Session Limits (CLI)
- SYN-ACK-ACK Proxy Flood Attacks
- Network DoS Attacks
- Network DoS Attacks Overview
- SYN Flood Attacks
- SYN Cookie Protection
- ICMP Flood Protection
- UDP Flood Attacks
- Land Attacks
- OS-Specific DoS Attacks
- Chassis Cluster
- Chassis Cluster
- Chassis Cluster Overview
- Understanding Chassis Cluster Formation
- Chassis Cluster Redundancy Groups
- Understanding Chassis Cluster Redundancy Groups
- Chassis Cluster Redundancy Groups 0 Through 128
- Chassis Cluster Redundancy Group Interface Monitoring
- Chassis Cluster Redundancy Group IP Address Monitoring
- Understanding Chassis Cluster Monitoring of Global-Level Objects
- Chassis Cluster Redundancy Group Failover
- Understanding Chassis Cluster Redundancy Group Failover
- Understanding Chassis Cluster Redundancy Group Manual Failover
- Initiating a Chassis Cluster Manual Redundancy Group Failover
- Example: Configuring Chassis Cluster with a Dampening Time Between Back-to-Back Redundancy Group Failovers (CLI)
- Understanding SNMP Failover Traps for Chassis Cluster Redundancy Group Failover
- Chassis Cluster Redundant Ethernet Interfaces
- Chassis Cluster Control Plane
- Understanding the Chassis Cluster Control Plane
- Understanding Chassis Cluster Control Links
- Example: Configuring Chassis Cluster Control Ports (CLI)
- Understanding Chassis Cluster Dual Control Links
- Connecting Dual Control Links for SRX Series Devices in a Chassis Cluster
- Understanding Chassis Cluster Control Link Heartbeats
- Understanding Chassis Cluster Control Link Failure and Recovery
- Example: Configuring Chassis Cluster Control Link Recovery (CLI)
- Verifying Chassis Cluster Control Plane Statistics
- Clearing Chassis Cluster Control Plane Statistics
- Chassis Cluster Data Plane
- Consequences of Enabling Chassis Cluster
- Understanding What Happens When Chassis Cluster Is Enabled
- Node Interfaces on Active SRX Series Chassis Clusters
- Node Interfaces on Active J Series Chassis Clusters
- Management Interface on an Active Chassis Cluster
- Fabric Interface on an Active Chassis Cluster
- Control Interface on an Active Chassis Cluster
- Building a Chassis Cluster
- Connecting SRX Series Hardware to Create a Chassis Cluster
- Disabling Switching on SRX100, SRX210, and SRX240 Devices Before Enabling Chassis Clustering
- SRX Series Chassis Cluster Configuration Overview
- Connecting J Series Hardware to Create a Chassis Cluster
- J Series Chassis Cluster Configuration Overview
- Example: Setting the Chassis Cluster Node ID and Cluster ID (CLI)
- Example: Configuring the Chassis Cluster Management Interface (CLI)
- Example: Configuring the Number of Redundant Ethernet Interfaces in a Chassis Cluster (CLI)
- Verifying a Chassis Cluster Configuration
- Verifying Chassis Cluster Statistics
- Clearing Chassis Cluster Statistics
- Verifying Chassis Cluster Failover Status
- Clearing Chassis Cluster Failover Status
- Chassis Cluster Upgrades
- Upgrading Each Device in a Chassis Cluster Separately
- Upgrading Both Devices in a Chassis Cluster Using a Low-Impact ISSU
- Upgrading Both Devices in a Chassis Cluster Using an ISSU
- Rolling Back Devices in a Chassis Cluster After an ISSU
- Guarding Against Service Failure in a Chassis Cluster ISSU
- Enabling an Automatic Chassis Cluster Node Failback After an ISSU
- Troubleshooting Chassis Cluster ISSU Failures
- Deciphering Mismatched Control Link Statistics During a Chassis Cluster ISSU
- Disabling Chassis Cluster
- Asymmetric Chassis Cluster Deployment
- Active/Passive Chassis Cluster Deployment
- Active/Passive Chassis Cluster Deployment with an IPsec Tunnel
- Network Address Translation
- Network Address Translation
- NAT Overview
- Understanding NAT Rule Sets and Rules
- Static NAT
- Destination NAT
- Source NAT
- Configuring Proxy ARP (CLI Procedure)
- Verifying NAT Configuration
- GPRS
- General Packet Radio Service
- GPRS Overview
- Policy-Based GTP
- GTP Inspection Objects
- GTP Message Filtering
- GTP Information Elements
- Understanding GGSN Redirection
- Index