Example: Configuring NSGP on GTP and Gi Firewalls (NSM Procedure)

In this example, you configure NSGP on both the GTP firewall (client) and the Gi firewall (server). First, you must create the GTP object for the client connection. Then, to enable NSGP on the security device, you must configure both the server-side and client-side connection parameters.

Finally, you create a firewall rule that includes the GTP object, the GTP firewall, and the Gi firewall.

To configure a firewall rule:

  1. Create a GTP object named GPRS1. For information about how to create a GTP object, see the Network and Security Manager Administration Guide.
  2. Add the Gi firewall (server) as a NetScreen-500 running ScreenOS 5.1, and then configure the network module:
    • Double-click the device icon to open the device configuration. In the device navigation tree, select Network > Slot.
    • Double-click slot 1 to display the slot configuration dialog box. For Card Type, select 2 Interfaces (10/100), and then click OK.
  3. Add the GTP firewall (client) as a NetScreen-500 running ScreenOS 5.0 GPRS, and then configure the network module:
    • Double-click the device icon to open the device configuration. In the device navigation tree, select Network > Slot.
    • Double-click slot 1 to display the slot configuration dialog box. For Card Type, select 2 Interfaces (10/100).
    • Click OK to save the slot configuration.
  4. Configure the Gi firewall (server):
    • In the device navigation tree, select Advanced > NSGP Server Side.
    • Leave the default port number and enter an MD5 password.
  5. In the NSGP Context IDs area, click the Add icon to display the New Context Entry dialog box. Configure the following options, and then click OK:
    • For Context Entry, enter 2.
    • For Zone, select untrust.
  6. In the Interface NSGP Settings area, right-click ethernet1/2 and select the Edit icon. The General Properties screen appears. Configure the following options:
    • Ensure that the Zone is untrust and the Mode is Route.
    • For IP Address, enter 2.2.1.4.
    • For Netmask, enter 24.
    • Ensure that Manageable is enabled and that the Management IP is 2.2.1.4.
  7. In the interface navigation tree, select Service Options. Configure the following options:
    • Select Telnet.
    • Select NSGP Enabled.
    • Select Enforce IPSec to encrypt the GTP connection.
  8. Click OK to save your changes to the interface, and then click OK to save your changes to the device.
  9. Configure the GTP firewall (client):
    • In the device navigation tree, select Advanced > NSGP > NSGP Connections. Click the Add icon to display the New NSGP Connection dialog box.
    • For Source Interface, select ethernet1/2.
    • For Destination, click Copy Existing NSGP Server Setting. The Copy Existing NSGP Server Info dialog box appears.
  10. Configure the following:
    • For NSGP Server Info, select Gi firewall (server).
    • For Destination Interface, select ethernet1/2.
  11. Click OK to copy the NSGP server settings to the GTP client. NSM automatically completes the destination server settings for the GTP client.
  12. In GTP Objects, select the GPRS1 object.
  13. Click OK to save the NSGP Connection.
  14. Configure a firewall rule to handle GTP traffic.
