Table of Contents

About This Guide
Objectives
Audience
Conventions
Documentation
Requesting Technical Support
Configuring
NSM User Interface and NSM Key Management Features
NSM Overview
Security Integration Management Using NSM Overview
Complete Support
Network Organization
Role-Based Administration
Centralized Device Configuration
Migration Tools
Managing Devices in a Virtual Environment Using NSM
Device Modeling
Rapid Deployment (RD)
Policy-Based Management
Error Prevention, Recovery, and Audit Management Using NSM
Device Configuration Validation
Policy Validation
Atomic Configuration and Updating
Device Image Updates
Auditing
Administering ScreenOS Devices Using NSM Complete System Management
VPN Abstraction
Integrated Logging and Reporting
Monitoring Status
Job Management
NSM User Interface Overview
Configuring UI Preferences
Understanding NSM User Interface Menus and Toolbars
Working with Multiple NSM Administrators Overview
NSM Modules Overview
Navigation Tree
Main Display Area
Investigate Task Modules in the NSM User Interface Overview
Log Viewer
Report Manager
Log Investigator
Realtime Monitor
Security Monitor
Audit Log Viewer
Configure Task Modules in the NSM User Interface Overview
Device Manager
Security Policies
VPN Manager
Object Manager
Administer Task Modules in the NSM User Interface Overview
Server Manager
Job Manager
Action Manager
Understanding Validation Icons and Validation Data in the NSM User Interface
Understanding the Search Function in the NSM User Interface
Device Configuration
Device Configuration Settings Overview
About Configuring Security Devices
About Configuring Extranet Devices
Configuring Advanced Properties for ScreenOS Device Details
Configuring a Blacklisted Entry (NSM Procedure)
Enabling ALGs (NSM Procedure)
Understanding Device Configurations Running ScreenOS 5.4 FIPS and Later Overview
About Configuring Devices Running Future Releases of ScreenOS
Configuring Extranet Devices Overview
Configuring Extranet Devices Details (NSM Procedure)
Understanding Templates and Groups
Using Global Device Templates
Using Device Groups
Configuring Network Settings Options and Descriptions
Network Settings
Configuring Zones and Zone Properties in ScreenOS Devices Overview
Predefined Screen Options Overview
Configuring Flood Defense Settings for Preventing Attacks
Configuring ICMP Flooding Protection
Configuring SYN Flooding Protection
Configuring UDP Flooding Protection
Example: Configuring UDP Flooding Protection (NSM Procedure)
HTTP Components and MS-Windows Defense Method
Protection Against Scans, Spoofs, and Sweeps
IP and TCP/IP Anomaly Detection
Prevention of Security Zones Using Denial of Service Attacks
Malicious URL Protection
Example: Enabling the Malicious URL Blocking Option (NSM Procedure)
Interface Types in ScreenOS Devices Overview
Configuring Physical and Function Zone Interfaces in ScreenOS Devices Overview
Setting Interface Properties Using the General Properties Screen
Setting WAN Properties Using the WAN Properties Screen
Setting Port Properties Using the Port Properties Screen
Using MLFR and MLPPP Options
Setting Physical Link Attributes for Interfaces
Enabling Management Service Options for Interfaces
Setting DHCPv6 Overview
Example: Assigning TCP/IP Settings for Hosts Using DHCP (NSM Procedure)
Configuring Custom DHCP Options (NSM Procedure)
Using Interface Protocol
Using Interface Secondary IP
Enabling ScreenOS Devices for Interface Monitoring
Supporting Generic Routing Encapsulation Using Tunnel Interfaces
Interface Network Address Translation Methods
Interface Network Address Translation Using MIPs
Example: Configuring MIPs (NSM Procedure)
Interface Network Address Translation Using VIPs
Mapping Predefined and Custom Services in a VIP
Example: Configuring VIPs (NSM Procedure)
Interface Network Address Translation Using DIPs
Example: Enabling Multiple Hosts Using Port Address Translation (NSM Procedure)
Example: Translating Source IP Addresses into a Different Subnet (NSM Procedure)
Enabling Managed Devices Using Incoming DIP
Example: Configuring Interface-Based DIP (NSM Procedure)
Example: Configuring DIP Pools on the Untrust Interface (NSM Procedure)
Example: Configuring an Aggregate Interface (NSM Procedure)
Example: Configuring a Multilink Interface (NSM Procedure)
Example: Configuring a Loopback Interface (NSM Procedure)
Configuring Virtual Security Interfaces
Example: Configuring a Redundant Interface (NSM Procedure)
Example: Configuring a Subinterface (NSM Procedure)
Example: Configuring a WAN Interface (NSM Procedure)
Configuring a Tunnel Interface
Using Numbered Tunnel Interfaces
Using Unnumbered Tunnel Interfaces
Configuring Maximum Transmission Unit Size
ADSL Interface in ScreenOS Devices
ADSL, ADSL Interface, and ADSL Settings in ScreenOS Devices
About ADSL
About the ADSL Interface
ADSL Settings from the Service Provider
Determining Physical Ports and Logical Interfaces and Zones Using ScreenOS Devices Port Mode
Backup Connection Using the Untrusted Ethernet Port in ScreenOS Devices
Example: Configuring NetScreen5GT Devices to Permit Internal Hosts (NSM Procedure)
Example: Configuring NetScreen5GT Devices to Connect to the Web Using the PPPoA and ADSL Interfaces (NSM Procedure)
Example: Configuring NetScreen5GT Devices as a Firewall Using the PPPoE and ADSL Interfaces (NSM Procedure)
Wireless Interface on ScreenOS Devices Overview
Configuring DSCP Options Overview
Example: Configuring DIP Groups (NSM Procedure)
DNS Server Configuration Using DNS Settings
Configuring DNS Settings
Configuring DNS Proxy
Example: Configuring DNS Proxy Entries (NSM Procedure)
Example: Configuring DDNS Settings (NSM Procedure)
Advanced Network Settings Overview
Configuring ARP Cache Entries
Configuring VIP Options
Configuring DIP Options
Advanced Network Settings
Configuring Advanced Device Settings Overview
Example: Defining Forced Timeout (NSM Procedure)
Identifying Reasons for Session Close in NSM
Configuring Policy Schedules (NSM Procedure)
Configuring Timeouts for Predefined Services (NSM Procedure)
Configuring Session Cache for Predefined Services (NSM Procedure)
Configuring SIP Settings
Configuring MGCP Settings
Configuring H.323 Settings
Allocating Network Bandwidth Using Traffic Shaping Options
Enabling/Disabling Application Layer Gateway Protocols Overview
Using Packet Flow Options
ICMP Path MTU Discovery
Allow DNS Reply Without Matched Request
Allow MAC Cache for Management Traffic
Allow Unknown MAC Flooding
Skip TCP Sequence Number Check
TCP RST Invalid Session
Check TCP SYN Bit Before Create Session
Check TCP SYN Bit Before Create Session for Tunneled Packets
Use SYN-Cookie for SYN Flood Protection
Enforce TCP Sequence Number Check on TCP RST Packet
Use Hub-and-Spoke Policies for Untrust MIP Traffic
Max Fragmented Packet Size
Flow Initial Session Timeout (Seconds)
Multicast Flow Configuration
TCP MSS
All TCP MSS
GRE In TCP MSS
GRE Out TCP MSS
Aging
Early Ageout Time Before the Session’s Normal Ageout
Percentage of Used Sessions Before Early Aging Begins
Percentage of Used Sessions Before Early Aging Stops
Configuring Features Unsupported in NSM Using Supplemental CLI Options Overview
Configuring ScreenOS with TFTP or FTP Servers Enabled Using TFTP/FTP Options
Configuring Hostnames and Domain Names Overview
Configuring NSGP Overview
NSGP Modules Overview
Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure)
Using the PPP Option to Configure Point-To-Point Protocol Connections
About Configuring PPPoE
Example: Updating DNS Servers (NSM Procedure)
Example: Configuring Multiple PPPoE Sessions on a Single Interface (NSM Procedure)
Configuring a PPPoA Client Instance
Configuring a NetScreen Address Change Notification
Interface Failover in ScreenOS Devices
Example: Configuring Modem Connections (NSM Procedure)
Example: Creating Modem Settings (NSM Procedure)
Example: Creating ISP Connection Settings (NSM Procedure)
Setting ISP Priority for Failover
Administration
Device Administration Options for ScreenOS Devices Overview
Importing Device Administrators from a Physical Device Overview
Device Administrator Authentication Overview
Device Administrator Account Configuration Overview
Configuring Privilege Level
Configuring Authentication
Admin Access Lock Setting
Roles for Device Administrator Accounts
Supporting Admin Accounts for Dialup Connections
Restricting Management Connections Using Permitted IPs
Local Access Configuration Using CLI Management Overview
File Formatting in NSM Overview
Port Numbers for SSH and Telnet Connections in NSM Overview
Limiting Login Attempts, Setting Dial-In Authentication, and Restricting Password Length in NSM Overview
Asset Recovery and Reset Hardware in NSM Overview
Console-Only Connections in NSM Overview
Secure Shell Server in NSM Overview
Using SSH Version 1 (SSHv1)
Using SSH Version 2 (SSHv2)
Configuring CLI Banners in NSM Overview
Configuring Remote Access Using Web Management Overview
Configuring HTTP Administrative Connections in ScreenOS Devices Using NSM Overview
Configuring Secure Connections in ScreenOS Devices Using NSM Overview
Configuring Network Time Protocol and NTP Backup Server in NSM Overview
Configuring Network Time Protocol
Configuring an NTP Backup Server
Setting ScreenOS Authentication Options Using General Auth Settings
Clearing RADIUS Sessions
Assigning an Authentication Request Interface
Setting ScreenOS Authentication Options Using Banners Overview
Setting ScreenOS Authentication Options Using Default Servers Overview
Setting ScreenOS Authentication Options Using Infranet Settings Overview
General Report Settings for ScreenOS Devices Overview
Configuring Syslog Host Using NSM (NSM Procedure)
Configuring SNMPv3 in ScreenOS Devices (NSM Procedure)
Security
Classification of Security Options Overview
Classification of Antivirus Scanning Overview
External Antivirus Scanner Settings Overview
Internal Antivirus Scan Manager Settings Overview
Internal Antivirus HTTP Webmail Settings Overview
Antivirus Scanner Settings Overview
Classification of Deep Inspection Methods
Attack Object Database Overview
Using Attack Objects Overview
Antispam Settings in ScreenOS Overview
Configuring Antispam Settings in ScreenOS (NSM Procedure)
Configuring IDP Security Module Settings in ScreenOS Overview
Load-Time Parameters
Run-Time Parameters
Protocol Thresholds and Configuration
Configuring Integrated Web Filtering in ScreenOS (NSM Procedure)
Example: Configuring Integrated Web Filtering (NSM Procedure)
Redirect Web Filtering in ScreenOS Using NSM Overview
Example: Configuring Redirect Web Filtering in ScreenOS (NSM Procedure)
Adding Proxy Addresses Overview
Planning and Preparing VPNs
System-Level and Device-Level VPN Using NSM Overview
System-Level VPN with VPN Manager Overview
Device-Level VPN in Device Manager Overview
VPN Configuration Supported Overview
Planning Your VPN Using NSM Overview
Defining VPN Members and Topology Using NSM
Traffic Protection Using Tunneling Protocol in NSM Overview
Traffic Protection Using IPsec Tunneling Protocol Overview
Using Authentication
Using Encapsulating Security Payload (ESP)
Traffic Protection Using L2TP Tunneling Protocol Overview
VPN Tunnel Types Overview
About Policy-Based VPNs
About Route-Based VPNs
Defining VPN Checklist Overview
Defining Members and Topology in NSM
Defining Traffic Types for Data Protection in NSM
Defining VPN Traffic Using Security Protocols in NSM
Defining Tunnel Creation Methods in NSM
Using VPN Manager
Creating Device-Level VPNs
Preparing Basic VPN Components
Preparing Required Policy-Based VPN Components Overview
Policy-Based VPN Creation Using Address Objects and Protected Resources Overview
Configuring Address Objects
Configuring Protected Resources
Policy-Based VPN Creation Using Shared NAT Objects Overview
Policy-Based VPN Creation Using Remote Access Server Users Overview
Authenticating RAS Users
Configuring Group IKE IDs
Configuring Required Routing-Based VPN Components Overview
Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview
Routing-Based VPN Support Using Static and Dynamic Routes Overview
Preparing Optional VPN Components Overview
Optional VPN Support Using Authentication Servers Overview
Optional VPN Support Using Certificate Objects Overview
Configuring Local Certificates
Configuring CA Objects
Configuring CRL Objects
Configuring VPNs
Device Level VPN Types and Supported Configurations Overview
Device Level AutoKey IKE VPN: Using Gateway Configuration Overview
ScreenOS Devices Gateway Properties
ScreenOS Devices IKE IDs or XAuth Identification Number
Security Methods for ScreenOS Devices
Device Level AutoKey IKE VPN: Using Routes Configuration Overview
Device-Level AutoKey IKE VPN: Using VPN Configuration Overview
Device-Level AutoKey IKE VPN Properties
ScreenOS Security Measures Using VPN Configuration
Binding/ProxyID
Monitor Management on ScreenOS Devices Using AutoKey IKE VPN
Device-Level AutoKey IKE VPN: Using VPN Rule Configuration Overview
Device-Level Manual Key VPN: Using XAuth Users Overview
Device-Level Manual Key VPN: Using Routing-Based VPN Overview
Device-Level Manual Key VPN: Using VPN Configuration Overview
Device-Level Manual Key VPN Properties
Binding
Monitor Management on ScreenOS Devices Using Manual Key VPN
Device Level Manual Key VPN: Using VPN Rule Configuration Overview
Device Level L2TP VPN: Using L2TP Users Configuration Overview
Device Level L2TP VPN: Using L2TP Configuration Overview
Device Level L2TP VPN: Using VPN Rule Configuration Overview
Creating Device Level L2TP-over-AutoKey IKE VPNs Overview
Adding VPN Rules to a Security Policy Overview
Configuring the VPN
Configuring the Security Policy
Assigning and Installing the Security Policy
Example: Creating Device Level VPN Type 1 (NSM Procedure)
Example: Creating Device Level VPN Type 2 (NSM Procedure)
Example: Creating Device Level VPN Type 3 (NSM Procedure)
L2TP and XAuth Local Users Configuration Overview
Configuring L2TP Local Users (NSM Procedure)
XAuth Users Authentication Overview
Vsys Configurations in NSM Overview
Virtual Router Configurations for Root and Vsys Overview
Zone Configurations for Root and Vsys Overview
Interface Configurations for Root and Vsys Overview
Viewing Root and Vsys Configurations
Managing Inter-Vsys Traffic with Shared DMZ Zones
Example: Routing Traffic to Vsys Using VLAN IDs (NSM Procedure)
Example: Routing Traffic to Vsys Using IP Classification (NSM Procedure)
Layer 2 Vsys Configuration Overview
Assigning L2V VLAN IDs (NSM Procedure)
L2V VLAN Groups in NSM Overview
Predefined L2V Zones in NSM Overview
L2V Interface Management in NSM Overview
Configuring L2V VLAN Management Interfaces
Configuring L2V Aggregate Interfaces
Converting L2V to VLAN Trunking (NSM Procedure)
Configuring Crypto-Policy Overview
Certificate Authentication Support in NSM Overview
Self-Signed Certificates in NSM Overview
Local Certificate Validation of ScreenOS Devices Overview
Generating Certificate Requests to ScreenOS Devices (NSM Procedure)
Loading Local Certificate into NSM Management System
Installing Local Certificates Using SCEP in NSM
Manual Installation of Local Certificates in NSM
Certificate Authority Configuration in NSM Overview
Installing CA Certificates Using SCEP in NSM
Manual Installation of CA Certificates in NSM
Configuring Certificate Revocation Lists (NSM Procedure)
Imported Certificates in NSM Overview
PKI Default Settings Configuration in NSM Overview
Configuring X509 Certificates
Configuring Revocation
Configuring Simple Certificate Enrollment Protocol
Voice Over Internet Protocol
SCCP Support in ScreenOS Devices Overview
Configuring SCCP ALG in ScreenOS Devices (NSM Procedure)
SIP ALG Overview
SIP Request Methods Supported in ScreenOS Devices
Types of SIP Response Classes Supported in ScreenOS Devices
ALG Overview
Configuring SIP ALG in ScreenOS Devices (NSM Procedure)
SDP Session Description Overview
Pinhole Creation in ScreenOS Devices Overview
Session Inactivity Timeout in ScreenOS Devices Overview
Routing
Configuring Virtual Routers
Route Types Overview
Virtual Routers Overview
Configuring Virtual Routers (NSM Procedure)
Virtual Router General Properties Overview
Access List Overview
Example: Configuring Access Lists (NSM Procedure)
Route Map Overview
Export and Import Rules in a Virtual Router Overview
Example: Configuring Export Rules in a Virtual Router (NSM Procedure)
Routing Table Entries Overview
Destination-Based Routes Overview
Source-Based Routes Overview
Example: Configuring Source-Based Routes (NSM Procedure)
Source Interface-Based Routes Overview
Example: Source-Interface-Based Routing (NSM Procedure)
Configuring Route Preferences
Dynamic Routing Configuration Overview
OSPF Protocol Configuration Overview
Enabling OSPF (NSM Procedure)
Global OSPF Settings Overview
Configuring OSPF Parameters
Configuring OSPF Areas
Configuring OSPF Summary Import
Configuring OSPF Redistribution Rules
Configuring OSPF Virtual Links
Configuring OSPF Interface Parameters Overview
Configuring OSPF Neighbors
Configuring OSPF Authentication
Configuring OSPF (NSM Procedure)
RIP Overview
Configuring RIP (NSM Procedure)
Global RIP Settings Overview
Configuring RIP Parameters
Configuring RIP Redistribution Rules
Configuring RIP Summary Import (ScreenOS 5.1 and later only)
RIP Interface Parameters Overview
Configuring RIP Authentication
BGP Overview
Route-Refresh Capabilities Overview
Configuring BGP Networks
Configuring Aggregate Addresses
Configuring Neighbors and Peer Groups Overview
Configuring a BGP Routing Instance (NSM Procedure)
Configuring NHRP Overview
Configuring OSPFv3 Overview
OSPFv3 Support in Virtual Routers
OSPFv3 Support in Interfaces
OSPFv3 Area Parameters
Redistribution Rules
OSPFv3 Interface Parameters
OSPFv3 Route Preference
Configuring RIPng Overview
RIPng Parameters
Redistribution Rules
Multicast Route Overview
Configuring IGMP (NSM Procedure)
Configuring IGMP Proxy (NSM Procedure)
Configuring PIM Sparse Mode (NSM Procedure)
Configuring a Rendezvous Point to Group Mappings (NSM Procedure)
Configuring Acceptable Groups (NSM Procedure)
Example: Configuring Proxy RP
Multicast Routing Table Entries Overview
Multicast Routing Table Preferences Overview
Configuring Multicast Static Routes
Example: Configuring Multicast Static Routes (NSM Procedure)
IRDP Support Overview
Example: Configuring ICMP Router Discovery Protocol (NSM Procedure)
Disabling IRDP
Policy-Based Routing Overview
Example: Configuring Policy-Based Routing (NSM Procedure)
Virtual Systems
Vsys DHCP Enhancement Overview
Vsys Limitations Overview
Example: Configuring Vsys Resource Limits (NSM Procedure)
Vsys Session Limit Overview
Example: Configuring Vsys Session Limit (NSM Procedure)
Vsys CPU Limit Overview
Example: Configuring CPU Limit (NSM Procedure)
User Authentication
IEEE 802.1x Support Overview
Supported EAP Types
High Availability
NSRP Clusters Overview
Creating an NSRP Cluster
Configuring Active/Passive Cluster
Example: Configuring Active/Passive Cluster (NSM Procedure)
Active/Active Configurations Overview
Configuring an Active/Active Cluster (NSM Procedure)
Synchronizing Virtual Router Configurations and Runtime Objects (NSM Procedure)
Synchronizing Virtual Router Configurations
Configuring the Virtual Router Synchronization Settings
Synchronizing Runtime Objects
Changing VSD Group Member States (NSM Procedure)
Example: Changing VSD Group Member States (NSM Procedure)
Configuring NSRP to Detect Interface and Zone Failure
Configuring Track IPs
Configuring Interface Monitoring
Configuring Zone Monitoring
Configuring Monitor Threshold
Vsys Clusters Overview
Exporting and Importing Device Configurations (NSM Procedure)
WAN, ADSL, Dial, and Wireless
Wireless Settings in a Security Device Overview
Configuring General Wireless Settings
Configuring Antennas
Configuring Channels
Configuring Operation Mode Settings
Configuring Transmission Settings
Configuring Advanced Wireless Settings
Configuring Aging
Configuring Beacons
Configuring Burst and Fragment Size
Configuring Control Frame Protection
Configuring Short Slots
Configuring Preambles
Configuring Wireless MAC Access Lists
Configuring MAC Access Mode
Configuring MAC Addresses
Configuring Wireless General SSID Settings
Configuring SSID Authentication and Encryption
Configuring Wired Equivalent Privacy
Configuring WEP Keys
Using Wi-Fi Protected Access
Reactivating Wireless Connections
Conducting a Site Survey for Detecting Access Points
Network, Interface, and Security Modules Supported in Security Devices
Configuring the Network Module
Slot Information in Security Devices
Physical Interface Modules Supported by SSG520 and SSG550 Security Devices
Interface Modules (Copper)
10/100 Mbps
10/100/1000 Mbps
Interface Modules (Fiber)
Secure Port Modules
Chassis Information Overview
WPA2, Extended Range, and Super G Support on NetScreen5GT Wireless Overview
Wi-Fi Protected Access Overview
Configuring Wi-Fi Protected Access (NSM Procedure)
Super G Methods Overview
Configuring Atheros XR (NSM Procedure)
General Packet Radio Service
3GPP R6 Information Elements Support Overview
Radio Access Technology
Routing Area Identity and User Location Information
APN Restriction
IMSI Prefix Filtering
IMEI-SV
Configuring Access Point Name Restriction (NSM Procedure)
Configuring IMSI Prefix Filter (NSM Procedure)
DHCP Relay Overview
Index