Administering ScreenOS Devices Using NSM
Complete System Management
NSM provides the tools and features you need to manage your devices as a complete system, as well as individual networks and devices. The following features are supported in administering ScreenOS devices:
To manage an individual device, create a single device configuration, define a security policy for that device, and monitor the device status.
To manage a network, create multiple device configurations, define and install policies for multiple devices, and view the status of all devices in the same UI.
To manage at the system level, create templates and use them to quickly configure multiple policies and VPNs that control the flow of traffic through your network, view system-wide log information for network security events, and monitor the status of NetScreen Redundancy Protocol (NSRP).
The following topics describe how to administer ScreenOS devices using the complete system management features in NSM.
Use VPN Manager to design a system-level VPN and automatically set up all connections, tunnels, and rules for every device in the VPN. Instead of configuring each device as a VPN member and then creating the VPN, start from a system perspective: determine which users and networks need access to each other, and then add those components to the VPN.
Using AutoKey IKE, you can create the following VPNs with VPN Manager:
Dynamic, route-based VPNs—Provide resilient, always-on access across your network. Add firewall rules on top of route-based VPNs to control traffic flow.
Policy-based VPNs—Connect devices and remote access server (RAS) users, and control traffic flow (traffic flow can also be controlled using L2TP VPNs).
Mixed-mode VPNs—Connect route-based VPNs with policy-based VPNs, giving you flexibility.
Integrated Logging and Reporting
You use the security devices on your network for multiple reasons: to control access to and from your network, to detect and prevent intrusions, and to record security events so you can monitor the important activities occurring on your network. You can use NSM to monitor, log, and report on network activity in real time to help you understand what is happening on your network. For example, you can:
In the Log Viewer, view traffic log entries generated by network traffic events, view configuration log entries generated by administrative changes, or create custom views to see specific information.
Create detailed reports from traffic log information in the Report Manager.
Inspect suspicious events by correlating log information in the Log Investigator.
NSM keeps you up-to-date on the health of your network. You can view the following monitoring statuses on your network:
View critical information about your devices and IDP sensors in the Device Monitor:
Configuration and connection status of your security devices
Individual device details, such as memory usage and active sessions
View the status of each individual VPN tunnel in the VPN Monitor.
View the status of redundant devices in the NSRP Monitor.
View the status of your IDP clusters in the IDP Cluster Monitor.
View the health of the NSM system itself, including CPU utilization, memory usage, and swap status in the Server Monitor.
You can view the progress of communication to and from your devices in the Job Manager. NSM sends commands to managed devices at your request, typically to import, update, or reboot devices, or to view configuration and delta configuration summaries. When you send a command to a device or group of devices, NSM creates a job for that command and displays information about that job in the Job Manager module.
Job Manager tracks the progress of the command as it travels to the device and back to the management system. Each job contains the following:
Name of the command
Date and time the command was sent
Completion status for each device that received the command
Detailed description of command progress
Command output, such as a configuration list or CLI changes on the device
Job Manager configuration summaries and job information details do not display passwords in the list of CLI commands for administrators who do not have the assigned activity “View Device Passwords”. By default, only the super administrator has this assigned activity.
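The password rule above is an authorization check applied when job output is rendered: the same delta configuration is shown in full to an administrator who holds "View Device Passwords" and with secrets masked to everyone else. The following Python is an added example written for this page, not NSM's own code. It assumes a hypothetical role model in which only the super administrator holds the activity by default, treats the argument after the keywords password, preshare, and secret in a ScreenOS `set` command as sensitive (a heuristic chosen here, not an NSM rule), and uses a constructed delta configuration rather than output captured from a real device.

```python
import re
from dataclasses import dataclass, field

VIEW_DEVICE_PASSWORDS = "View Device Passwords"

# Hypothetical default role model (an assumption for this example): only the
# super administrator is granted "View Device Passwords" out of the box.
DEFAULT_ROLE_ACTIVITIES = {
    "super": {VIEW_DEVICE_PASSWORDS, "View Jobs", "Update Device"},
    "domain-admin": {"View Jobs", "Update Device"},
}

# In ScreenOS `set` commands the secret is the argument following one of these
# keywords. The value may be quoted and contain spaces, so match a whole quoted
# string or a single unquoted token. Keyword list is a heuristic for this example.
_SECRET_RE = re.compile(r'(\b(?:password|preshare|secret)\s+)("[^"]*"|\S+)',
                        re.IGNORECASE)
MASK = "********"


def mask_secrets(command: str) -> str:
    """Replace every secret argument in one CLI command with MASK."""
    return _SECRET_RE.sub(lambda m: m.group(1) + MASK, command)


@dataclass
class Administrator:
    name: str
    role: str
    # Activities granted on top of the role defaults (e.g. an admin explicitly
    # given "View Device Passwords" by the super administrator).
    extra_activities: set = field(default_factory=set)

    @property
    def activities(self) -> set:
        return DEFAULT_ROLE_ACTIVITIES.get(self.role, set()) | self.extra_activities


def render_job_output(commands, admin: Administrator) -> list:
    """Return the job's CLI command list as `admin` is permitted to see it."""
    if VIEW_DEVICE_PASSWORDS in admin.activities:
        return list(commands)          # full plaintext, as for the super administrator
    return [mask_secrets(c) for c in commands]


# Constructed sample delta configuration for one update job (not captured from a device).
SAMPLE_DELTA = [
    'set admin user "ops1" password "S3cr3t!" privilege all',
    'set ike gateway "gw-branch" address 198.51.100.7 Main outgoing-interface '
    '"ethernet0/0" preshare "branch key 42" sec-level standard',
    'set auth-server "corp-radius" server-name 192.0.2.10',
    'set auth-server "corp-radius" radius secret "r4d1us"',
    'set interface ethernet0/1 ip 10.1.1.1/24',
]


def demo() -> dict:
    """Render the same job for three administrators with different activities."""
    super_admin = Administrator("root", "super")
    domain_admin = Administrator("alice", "domain-admin")
    granted_admin = Administrator("bob", "domain-admin", {VIEW_DEVICE_PASSWORDS})
    return {
        "super": render_job_output(SAMPLE_DELTA, super_admin),
        "domain": render_job_output(SAMPLE_DELTA, domain_admin),
        "granted": render_job_output(SAMPLE_DELTA, granted_admin),
    }


if __name__ == "__main__":
    for who, lines in demo().items():
        print(f"--- job output as seen by the '{who}' administrator ---")
        print("\n".join(lines))
```

Commands that carry no secret (the server-name and interface lines) pass through unchanged, while the admin password, IKE preshared key, and RADIUS secret are masked for the domain administrator. Because the check is on the activity rather than the role, an administrator who has been explicitly granted "View Device Passwords" sees plaintext exactly as the super administrator does, which is why the set of accounts holding that activity is worth auditing on its own.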