ScreenOS Cookbook

Stefan Brunner has been a technology consultant for more than 15 years, helping enterprises to leverage technology for their business model and deploy technology solutions. Stefan is the lead architect in Juniper Networks' Service Layer Technology Professional Services group. Prior to Juniper, Stefan worked with NetScreen Technologies as a network security consultant. Stefan holds an MBA in innovations research and technology management from Ludwig-Maximilians-University of Munich, and a certificate degree in telecommunications engineering from the University of California at Berkeley. He lives with his wife and daughter in the Hill Country of Austin, Texas.Vik Davar has been working in the IT field for more than 15 years, holding positions in financial services firms and technology companies including Juniper Networks and Goldman Sachs. Vik is the president of 9 Networks, an IT services company. He has a master's degree in electrical engineering from Columbia University and a bachelor's degree in electrical engineering from The Cooper Union in New York City. He is also a CISSP and CCIE# 8377. He lives in New Jersey with his wife and two children.David Delcourt has worked in the data communications industry for the past 13 years for enterprise equipment vendors including Cabletron Systems and NetScreen Technologies. He has held a variety of positions, including advanced TAC engineer, technical trainer, and product manager at Cabletron Systems, and senior security consultant at NetScreen Technologies. He is currently the security practice manager in Professional Services for Juniper Networks, supporting the Americas. He lives in New Hampshire with his wife and daughter, and their two dogs and two cats.Ken Draper has spent the past 20 years in the networking industry, and has focused on security solutions for the past 11 years. He is CISSP certification #22627 and holds numerous other certifications. Ken has worked at such networking equipment manufacturers as Infotron, Gandalf, Synoptics, Bay Networks, Nortel, NetScreen, and now Juniper Networks. He has more than six years of experience with ScreenOS and large-scale security solutions, he has held a variety of technical engineering positions including systems engineer and solutions architect, and he is currently a Juniper Networks consulting engineer specializing in the large-scale virtual private network (VPN), firewall, intrusion prevention, and centralized management markets. Ken lives outside Dallas with his wife and two dogs.Joe Kelly has been involved in data networking for more than 12 years, focusing on the realms of network security and routing. He started his career in the service provider space at IDT Corporation, where he held roles in network operations and engineering. After IDT, he spent time with various network service providers in engineering and architectural capacities. In 2001, Joe joined NetScreen Technologies as a senior systems engineer in the Financial and Service Provider verticals, where he specialized in high- availability, high-performance networks. Joe joined Juniper Networks in 2004 with the acquisition of NetScreen, and he is currently the technical lead on the Global Banking and Finance team. He lives in New Jersey with his beautiful wife, Jacqueline, and his three children, Hannah, Ben, and Tristan.Sunil Wadhwa has been in the data networking industry for more than 13 years, focusing on systems, network routing, and security in enterprise and service provider organizations. He started his career in India at GTL Limited and SAP India, and then held a variety of roles in technical support, network operations, and engineering. He moved to the United States and worked with E4E as a network consultant for routing and security, and then joined Juniper Networks as an advanced technical support engineer for firewall/VPN products. He currently leads the Advance Technical Support team for Juniper Networks, supporting enhanced services products. He lives

Credits
Preface
1. ScreenOS CLI, Architecture, and Troubleshooting
1.1 ScreenOS Architecture
1.2 Troubleshoot ScreenOS
2. Firewall Configuration and Management
2.1 Use TFTP to Transfer Information to and from the Firewall
2.2 Use SCP to Securely Transfer Information to and from the Firewall
2.3 Use the Dedicated MGT Interface to Manage the Firewall
2.4 Control Access to the Firewall
2.5 Manage Multiple ScreenOS Images for Remotely Managed Firewalls
2.6 Manage the USB Port on SSG
3. Wireless
3.1 Use MAC Filtering
3.2 Configure the WEP Shared Key
3.3 Configure the WPA Preshared Key
3.4 Configure WPA Using 802.1x with IAS and Microsoft Active Directory
3.5 Configure WPA with the Steel-Belted Radius Server and Odyssey Access Client
3.6 Separate Wireless Access for Corporate and Guest Users
3.7 Configure Bridge Groups for Wired and Wireless Networks
4. Route Mode and Static Routing
4.1 View the Routing Table on the Firewall
4.2 View Routes for a Particular Prefix
4.3 View Routes in the Source-Based Routing Table
4.4 View Routes in the Source Interface-Based Routing Table
4.5 Create Blackhole Routes
4.6 Create ECMP Routing
4.7 Create Static Routes for Gateway Tracking
4.8 Export Filtered Routes to Other Virtual Routers
4.9 Change the Route Lookup Preference
4.10 Create Permanent Static Routes
5. Transparent Mode
5.1 Enable Transparent Mode with Two Interfaces
5.2 Enable Transparent Mode with Multiple Interfaces
5.3 Configure a VLAN Trunk
5.4 Configure Retagging
5.5 Configure Bridge Groups
5.6 Manipulate the Layer 2 Forwarding Table
5.7 Configure the Management Interface in Transparent Mode
5.8 Configure the Spanning Tree Protocol (STP)
5.9 Enable Compatibility with HSRP and VRRP Routers
5.10 Configure VPNs in Transparent Mode
5.11 Configure VSYS with Transparent Mode
6. Leveraging IP Services in ScreenOS
6.1 Set the Time on the Firewall
6.2 Set the Clock with NTP
6.3 Check NTP Status
6.4 Configure the Device's Name Service
6.5 View DNS Entries on a Device
6.6 Use Static DNS to Provide a Common Policy for Multiple Devices
6.7 Configure the DNS Proxy for Split DNS
6.8 Use DDNS on the Firewall for VPN Creation
6.9 Configure the Firewall As a DHCP Client for Dynamic IP Environments
6.10 Configure the Firewall to Act As a DHCP Server
6.11 Automatically Learn DHCP Option Information
6.12 Configure DHCP Relay
6.13 DHCP Server Maintenance
7. Policies