Netscreen Firewall. Management Module Guide. Document 5151




Notice

Copyright Notice
Copyright 2003 by Aprisma Management Technologies, Inc. All rights reserved worldwide. Use, duplication, or disclosure by the United States government is subject to the restrictions set forth in DFARS 252.227-7013(c)(1)(ii) and FAR 52.227-19.

Liability Disclaimer
Aprisma Management Technologies, Inc. ("Aprisma") reserves the right to make changes in specifications and other information contained in this document without prior notice. In all cases, the reader should contact Aprisma to inquire if any changes have been made. The hardware, firmware, or software described in this manual is subject to change without notice.

IN NO EVENT SHALL APRISMA, ITS EMPLOYEES, OFFICERS, DIRECTORS, AGENTS, OR AFFILIATES BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS MANUAL OR THE INFORMATION CONTAINED IN IT, EVEN IF APRISMA HAS BEEN ADVISED OF, HAS KNOWN, OR SHOULD HAVE KNOWN, THE POSSIBILITY OF SUCH DAMAGES.

Trademark, Service Mark, and Logo Information
SPECTRUM, IMT, and the SPECTRUM IMT/VNM logo are registered trademarks of Aprisma Management Technologies, Inc., or its affiliates. APRISMA, APRISMA MANAGEMENT TECHNOLOGIES, the APRISMA MANAGEMENT TECHNOLOGIES logo, MANAGE WHAT MATTERS, DCM, VNM, SpectroGRAPH, SpectroSERVER, Inductive Modeling Technology, Device Communications Manager, SPECTRUM Security Manager, and Virtual Network Machine are unregistered trademarks of Aprisma Management Technologies, Inc., or its affiliates. For a complete list of Aprisma trademarks, service marks, and trade names, go to: http://www.aprisma.com/manuals/trademark-list.htm

All referenced trademarks, service marks, and trade names identified in this document, whether registered or unregistered, are the intellectual property of their respective owners. No rights are granted by Aprisma Management Technologies, Inc., to use such marks, whether by implication, estoppel, or otherwise. If you have comments or concerns about trademark or copyright references, please send an e-mail to spectrum-docs@aprisma.com; we will do our best to help.

Restricted Rights Notice
(Applicable to licenses to the United States government only.) This software and/or user documentation is/are provided with RESTRICTED AND LIMITED RIGHTS. Use, duplication, or disclosure by the government is subject to restrictions as set forth in FAR 52.227-14 (June 1987) Alternate III(g)(3) (June 1987), FAR 52.227-19 (June 1987), or DFARS 52.227-7013(c)(1)(ii) (June 1988), and/or in similar or successor clauses in the FAR or DFARS, or in the DOD or NASA FAR Supplement, as applicable. Contractor/manufacturer is Aprisma Management Technologies, Inc. In the event the government seeks to obtain the software pursuant to standard commercial practice, this software agreement, instead of the noted regulatory clauses, shall control the terms of the government's license.

Virus Disclaimer
Aprisma makes no representations or warranties to the effect that the licensed software is virus-free. Aprisma has tested its software with current virus-checking technologies. However, because no antivirus system is 100-percent effective, we strongly recommend that you write protect the licensed software and verify (with an antivirus system with which you have confidence) that the licensed software, prior to installation, is virus-free.

Contact Information
Aprisma Management Technologies, Inc., 273 Corporate Drive, Portsmouth, NH 03801 USA
Phone: 603.334.2100
U.S. toll-free: 877.468.1448
Web site: http://www.aprisma.com

Page 2

Contents

Notice ... 2
Preface ... 5
  Intended Audience ... 5
  How to Use This Guide ... 5
  Text Conventions ... 6
  Document Feedback ... 6
  Online Documents ... 6
  Required Reading ... 7
Overview ... 8
  Device Support ... 8
  Device MIB Support ... 9
Traps, Events, and Alarms ... 11
  Standard Trap Support ... 11
  Device-Specific Trap Support ... 11
Application Support ... 14
  RFC and IEEE Standard Applications ... 14
Device Views ... 15
  Tunnel If Modeling Options ... 15
  VPN Option ... 17
    Netscreen VPN View ... 17
    Netscreen VPN IP Pool View ... 18
  Policy Option ... 19
    Netscreen Policy View ... 19
    Netscreen Policy Traffic View ... 20
Tunnel Interfaces ... 21
  Modeling Site-To-Site Tunnel Interfaces ... 21
  Modeling Other Types of Tunnel Interfaces ... 21

Page 3

  Tunnel Interface Stacking ... 22
  Automatic Connectivity Mapping ... 22
  Interface Model Identification ... 22
  Status Monitoring of Tunnel Interfaces ... 23
Recommendations for Management of Netscreen Firewalls with SPECTRUM ... 24
  SPECTRUM Management Settings ... 24
    Automatically Reconfigure Interfaces ... 24
    Reconfigure on LINK change ... 24
    Discovery after Reconfigure ... 24
    Create Sub-Interfaces ... 25
    Suppress Linked Port Alarms ... 25
Index ... 26

Page 4

Preface

Welcome to the user guide for SPECTRUM's Netscreen Firewall (SM-NSC1000) management module. Please take a moment to read through this short preface, which explains how the information in this guide is organized and presented and lets you know how to access information about other SPECTRUM products.

In this section:
- Intended Audience [page 5]
- How to Use This Guide [page 5]
- Text Conventions [page 6]
- Document Feedback [page 6]
- Online Documents [page 6]
- Required Reading [page 7]

Intended Audience
This guide is intended for users of SPECTRUM's Netscreen Firewall (SM-NSC1000) management module.

How to Use This Guide
Use this document as a guide for managing the Netscreen devices described on [page 8] with SPECTRUM management module SM-NSC1000. The guide is organized as follows:
- Overview [page 8]
- Traps, Events, and Alarms [page 11]
- Application Support [page 14]
- Device Views [page 15]
- Tunnel Interfaces [page 21]
- Recommendations for Management of Netscreen Firewalls with SPECTRUM [page 24]

Page 5

For general information about device management using SPECTRUM and explanations of SPECTRUM functionality and navigation techniques, refer to the topics listed under Required Reading [page 7].

Text Conventions
The following text conventions are used in this document:

Element: User-supplied parameter names
  Convention Used: Courier and Italic in angle brackets <>
  Example: The user needs to type the password in place of <password>.

Element: On-screen text
  Convention Used: Courier
  Example: The following line displays: path= /audit

Element: User-typed text
  Convention Used: Courier
  Example: Type the following path name: C:\ABC\lib\db

Element: Cross-references
  Convention Used: Underlined and hypertext blue
  Example: See Document Feedback [page 6].

Element: References to SPECTRUM documents (title and number)
  Convention Used: Italic
  Example: SPECTRUM Installation Guide (0675)

Element: Functionality enabled by SPECTRUM Alarm Notification Manager (SANM)
  Convention Used: SANM in brackets []
  Example: [SANM] AGE_FIELD_ID

Document Feedback
Please send feedback regarding SPECTRUM documents to the following e-mail address: spectrum-docs@aprisma.com
Thank you for helping us improve our documentation.

Online Documents
SPECTRUM documents are available online at:

Page 6

http://www.aprisma.com/manuals
Check this site for the latest updates and additions.

Required Reading
To use this documentation effectively, you must be familiar with the information covered by the SPECTRUM documents listed below.
- Getting Started with SPECTRUM for Operators (1763)
- Getting Started with SPECTRUM for Administrators (0985)
- How to Manage Your Network with SPECTRUM (1909)
- SPECTRUM Views (2517)
- SPECTRUM Menus (2519)
- SPECTRUM Icons (2518)
- Application View and MIBs (2560)
- SPECTRUM Software Release Notice

Page 7

Overview

This section introduces the SPECTRUM documentation for the Netscreen Firewall management module.

In this section:
- Device Support [page 8]
- Device MIB Support [page 9]

Device Support
SPECTRUM management module SM-NSC1000 currently provides modeling for the following devices (Table 1). Figure 1 shows the Device Icon in the Topology view.

Table 1: Supported Devices, Firmware, and Model Type

Device           Firmware Revision   Model Type
NetScreen-5      ScreenOS 4.1        NSFirewallVPN
NetScreen-10     ScreenOS 4.1        NSFirewallVPN
NetScreen-100    ScreenOS 4.1        NSFirewallVPN
NetScreen-1000   ScreenOS 4.1        NSFirewallVPN
NetScreen-500    ScreenOS 4.1        NSFirewallVPN
NetScreen-50     ScreenOS 4.1        NSFirewallVPN
NetScreen-25     ScreenOS 4.1        NSFirewallVPN
NetScreen-204    ScreenOS 4.1        NSFirewallVPN
NetScreen-208    ScreenOS 4.1        NSFirewallVPN
NetScreen-5XT    ScreenOS 4.1        NSFirewallVPN
NetScreen-5XP    ScreenOS 4.1        NSFirewallVPN
NetScreen-5000   ScreenOS 4.1        NSFirewallVPN

Page 8

Figure 1: Device Icon

NetScreen's firewalls provide VPN, firewall, and traffic management services to your network environment. The Netscreen firewalls supported by this management module range in scale from those used at small branch offices to large-scale enterprise deployments. They allow you to create secure network segments or customer environments, each with a distinct firewall, security policy, and management. By segmenting the network with firewalls and access control, you can prevent users from roaming into unauthorized segments while containing any damage sustained from successful attacks. If you're a service provider, you can leverage segmentation capabilities to create secure customer environments on a single appliance.

Device MIB Support
SPECTRUM supports a number of device-specific MIBs for the Netscreen Firewall (SM-NSC1000) management module. These MIBs are shown in Table 2 below.

Table 2: Netscreen Hardware MIBS

NS-ADDR.mib
NS-DHCP-CFG.mib
NS-IDS.mib
NS-INTERFACE.mib
NS-IP-ARP.mib
NS-NAT.mib
ns-nsrp.mib
NS-POLICY.mib
NS-PRODUCTS.mib
NS-QOS.mib

Page 9

NS-RES.mib
NS-SCHEDULE.mib
NS-SERVICE.mib
NS-SET-ADMIN-USR.mib
NS-SET-AUTH.mib
NS-SET-DHCP.mib
NS-SET-DNS.mib
NS-SET-EMAIL.mib
NS-SET-GEN.mib
NS-SET-GLB.mib
NS-SET-LOG.mib
NS-SET-SNMP.mib
NS-SET-SYSTIME.mib
NS-SET-URL-FILTER.mib
NS-SET-WEB.mib
NS-SMI.mib
NS-TRAPS.mib
NS-VPN-CERT.mib
NS-VPN-GW.mib
NS-VPN-IKE.mib
NS-VPN-IPPOOL.mib
NS-VPN-L2TP.mib
NS-VPN-MANUAL.mib
NS-VPN-MON.mib
NS-VPN-PH1.mib
NS-VPN-PH2.mib
NS-VPN-USR.mib
NS-VSYS.mib
NS-ZONE.mib

Page 10

Traps, Events, and Alarms

This section describes the standard and device-specific events and alarms supported by the Netscreen Firewall (SM-NSC1000) management module.

- Standard Trap Support [page 11]
- Device-Specific Trap Support [page 11]

Standard Trap Support
The following standard traps are supported.

Standard Trap Name      OID
coldstart               0.0
warmstart               1.0
linkdown                2.0
linkup                  3.0
authenticationfailure   4.0

Device-Specific Trap Support
The management module supports the device-specific traps shown in Table 3 [page 12]. Some of these traps generate events and alarms conditionally, based on the value of one or more of their variable bindings. For example, if the netscreentraphw trap is received and the value of the variable binding netscreentraptype is 19 (device-dead), then the event 0x49b0006 is generated. This event generates a red alarm. The processing for each of the supported traps, including any conditional processing, is explained in Table 3 [page 12].

Page 11

Table 3: Device-Specific Trap Support

All six traps carry the same two variable bindings:
  1.3.6.1.4.1.3224.2.1   netscreentraptype
  1.3.6.1.4.1.3224.2.3   netscreentrapdesc

Trap Name: netscreentraphw
  OID: 1.3.6.1.4.1.3224.100
  Event Generated: 0x49b0000 (Alarm Generated: NA; Alarm Severity: NA)
  Conditional processing:
    if netscreentraptype = device-dead(19), then 0x49b0006 is generated (Alarm Generated: 0x49b0006; Alarm Severity: Red)
    if netscreentraptype = low-memory(20), then 0x49b0007 is generated (Alarm Generated: 0x49b0007; Alarm Severity: Orange)
    if netscreentraptype = generic-hw-fail(22), then 0x49b0008 is generated (Alarm Generated: 0x49b0008; Alarm Severity: Red)
    if netscreentraptype = cpu-usage-high(30), then 0x49b0009 is generated (Alarm Generated: 0x49b0009; Alarm Severity: Orange)
    if netscreentraptype < 19 OR netscreentraptype > 21, then 0x49b1000 is generated (Alarm Generated: NA; Alarm Severity: NA)

Trap Name: netscreentrapfw
  OID: 1.3.6.1.4.1.3224.200
  Event Generated: 0x49b0001 (Alarm Generated: NA; Alarm Severity: NA)

Page 12

Trap Name: netscreentrapsw
  OID: 1.3.6.1.4.1.3224.300
  Event Generated: 0x49b0002 (Alarm Generated: NA; Alarm Severity: NA)

Trap Name: netscreentraptrf
  OID: 1.3.6.1.4.1.3224.400
  Event Generated: 0x49b0003 (Alarm Generated: NA; Alarm Severity: NA)

Trap Name: netscreentrapvpn
  OID: 1.3.6.1.4.1.3224.500
  Event Generated: 0x49b0004 (Alarm Generated: NA; Alarm Severity: NA)

Trap Name: netscreentrapnsrp
  OID: 1.3.6.1.4.1.3224.600
  Event Generated: 0x49b0005 (Alarm Generated: NA; Alarm Severity: NA)
  Conditional processing:
    if netscreentraptype = nsrp-trackip-failover(64), then 0x49b000a is generated (Alarm Generated: 0x49b000a; Alarm Severity: Major)
    if netscreentraptype != nsrp-trackip-failover(64), then 0x49b1000 is generated (Alarm Generated: NA; Alarm Severity: NA)

Page 13
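The conditional trap processing of Table 3, written out as an added example (this is not SPECTRUM's code and not part of the original guide): each incoming trap is classified by its trap OID and its netscreentraptype variable binding into the event codes and alarm severities the table lists. The trap OIDs, binding OIDs, event codes and netscreentraptype values are taken from the table; the sample trap records at the bottom are constructed for this example. The netscreentraphw rule for values outside 19..21 is evaluated independently of the specific-value rules, exactly as the table states it, so a type of 30 yields both 0x49b0009 and 0x49b1000.

```python
"""Trap-to-event mapping for the NetScreen device-specific traps of Table 3.

Added example, not SPECTRUM's own code. OIDs, event codes, severities and
netscreentraptype values are those printed in Table 3; the sample traps are
constructed for this example.
"""
from dataclasses import dataclass, field

NS_ENTERPRISE = "1.3.6.1.4.1.3224"
TRAP_TYPE_OID = NS_ENTERPRISE + ".2.1"   # netscreentraptype
TRAP_DESC_OID = NS_ENTERPRISE + ".2.3"   # netscreentrapdesc

# Trap OID -> (trap name, unconditional event code)
BASE_EVENTS = {
    NS_ENTERPRISE + ".100": ("netscreentraphw", 0x49b0000),
    NS_ENTERPRISE + ".200": ("netscreentrapfw", 0x49b0001),
    NS_ENTERPRISE + ".300": ("netscreentrapsw", 0x49b0002),
    NS_ENTERPRISE + ".400": ("netscreentraptrf", 0x49b0003),
    NS_ENTERPRISE + ".500": ("netscreentrapvpn", 0x49b0004),
    NS_ENTERPRISE + ".600": ("netscreentrapnsrp", 0x49b0005),
}

# netscreentraphw: netscreentraptype value -> (event, alarm severity)
HW_CONDITIONAL = {
    19: (0x49b0006, "Red"),      # device-dead
    20: (0x49b0007, "Orange"),   # low-memory
    22: (0x49b0008, "Red"),      # generic-hw-fail
    30: (0x49b0009, "Orange"),   # cpu-usage-high
}
NSRP_TRACKIP_FAILOVER = 64       # netscreentrapnsrp type that raises a Major alarm
UNCLASSIFIED_EVENT = 0x49b1000   # generated without an alarm


@dataclass
class Outcome:
    trap_name: str
    events: list = field(default_factory=list)   # event codes generated
    alarms: list = field(default_factory=list)   # (event code, severity)


def process_trap(trap_oid, varbinds):
    """Apply the Table 3 rules to one trap.

    varbinds maps OID string -> value. Returns None for a trap OID the
    module does not list, otherwise an Outcome.
    """
    if trap_oid not in BASE_EVENTS:
        return None
    name, base_event = BASE_EVENTS[trap_oid]
    out = Outcome(trap_name=name, events=[base_event])
    raw_type = varbinds.get(TRAP_TYPE_OID)
    if raw_type is None:
        return out          # no netscreentraptype: only the base event applies
    trap_type = int(raw_type)
    if name == "netscreentraphw":
        if trap_type in HW_CONDITIONAL:
            event, severity = HW_CONDITIONAL[trap_type]
            out.events.append(event)
            out.alarms.append((event, severity))
        # Listed as a separate rule in Table 3, so evaluated on its own.
        if trap_type < 19 or trap_type > 21:
            out.events.append(UNCLASSIFIED_EVENT)
    elif name == "netscreentrapnsrp":
        if trap_type == NSRP_TRACKIP_FAILOVER:
            out.events.append(0x49b000a)
            out.alarms.append((0x49b000a, "Major"))
        else:
            out.events.append(UNCLASSIFIED_EVENT)
    return out


# Constructed sample traps (not captured from a real device).
SAMPLE_TRAPS = [
    (NS_ENTERPRISE + ".100", {TRAP_TYPE_OID: 19, TRAP_DESC_OID: "device dead"}),
    (NS_ENTERPRISE + ".100", {TRAP_TYPE_OID: 30, TRAP_DESC_OID: "cpu usage high"}),
    (NS_ENTERPRISE + ".600", {TRAP_TYPE_OID: 64, TRAP_DESC_OID: "track ip failover"}),
    (NS_ENTERPRISE + ".600", {TRAP_TYPE_OID: 65, TRAP_DESC_OID: "other nsrp event"}),
    (NS_ENTERPRISE + ".500", {TRAP_TYPE_OID: 1, TRAP_DESC_OID: "vpn"}),
]


def run_samples():
    """Classify every constructed sample trap; returns a list of Outcomes."""
    return [process_trap(oid, vb) for oid, vb in SAMPLE_TRAPS]


if __name__ == "__main__":
    for o in run_samples():
        print(o.trap_name, [hex(e) for e in o.events], o.alarms)
```

Only the netscreentraphw and netscreentrapnsrp branches consult the binding; the other four traps always produce just their base event with no alarm, which is why a trap-receiver that watches for red or orange alarms from this module need only track those two trap OIDs.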

Application Support

This section describes the applications supported by the management module.

In This Section
- RFC and IEEE Standard Applications [page 14]

RFC and IEEE Standard Applications
The management module has the ability to support various RFC and IEEE standard applications. The applications are created and associated with the device model based on the specific device's capabilities. The following guides contain complete documentation for each of the standard applications supported by SPECTRUM:
- Bridging Applications (2562)
- MIB II Applications (2561)
- Routing Applications (3080)
- Technology Applications (5065)
- Transmission Applications (5064)

Page 14

Device Views

This section describes device-specific MIB views for the Netscreen Firewall that are accessible from the Icon Subviews menu of the Device icon.

In This Section
- Tunnel If Modeling Options [page 15]
- VPN Option [page 17]
- Policy Option [page 19]

Tunnel If Modeling Options
Note: From the icon subviews menu of the device icon, choose Tunnel If Modeling Options.

This view allows you to configure the creation of Tunnel Interface models in the Device Topology and Device views. The following settings are available:

Create If Tunnels
If the Create Tunnel IFs option is set to TRUE, SPECTRUM will create Tunnel Interfaces based on various external tables that define the Tunnel IFs present in this node. If you change this value from FALSE to TRUE, you must reconfigure the model using either the Manually Poll Device option or by enabling automatic polling. Both of these options are explained below.

Note: In addition to the Create If Tunnels option, the device's Create Sub-Interface attribute must be set to TRUE in order for the Tunnel Interface models to be created. This attribute can be set from the Configuration tab of the Global Attribute Editor, or from the Redundancy and Model Reconfiguration Options view available from the device's Configuration View.

Poll Enable
If Poll Enable is set to TRUE and the Polling Interval is set to a non-zero value, SPECTRUM will automatically poll the device. If physical changes

Page 15

have taken place on the device, the device and interface models will be reconfigured based on the results of the poll. If Create If Tunnels is set to TRUE, the Interface Tunnels will also be reconfigured.

Poll Interval (sec)
The interval (in seconds) at which SPECTRUM will poll the device if Poll Enable is set to TRUE. It is recommended that this value never be set to less than 3600 seconds. By default, polling is turned off because it generates a significant level of SNMP traffic.

Manually Poll Device
The Manually Poll Device button causes all interfaces to be reconfigured. If the Create Tunnel Interface option is set to TRUE, the Tunnel Interfaces will be updated as well. If the configuration displayed in the Device Topology and Device views is out of date, it is recommended that you select Manually Poll Device to update this configuration.

Note: A change on the device may take up to 20 minutes to appear in the Device Topology and Device views after a manual or automatic poll has been performed.

Figure 2: Tunnel If Modeling Options View

Page 16

VPN Option

This option allows you to select from two sub-options, Configuration or IP Pool.

Netscreen VPN View
Note: From the icon subviews menu of the device icon, choose VPN > Configuration.

This view contains attributes from the nsvpnmontable in the NS-VPN-MON.mib. These attributes are used to monitor the status of VPN tunnels. All of the fields in this view are read only.

Figure 3: Netscreen VPN View

Page 17

Netscreen VPN IP Pool View
Note: From the icon subviews menu of the device icon, choose VPN > IP Pool.

This view contains attributes from the nsvpnippooltable in the NS-VPN-IPPOOL.mib. These attributes show IP pool configuration information for the device. The fields in this view are read only.

Figure 4: Netscreen VPN IP Pool View

Page 18

Policy Option

This option allows you to select from two sub-options, Configuration or Traffic.

Netscreen Policy View
Note: From the icon subviews menu of the device icon, choose Policy > Configuration.

This view contains attributes from the nsplytable in the NS-POLICY.mib. Access policies allow you to permit, deny, encrypt, authenticate, prioritize, schedule, and monitor the traffic that crosses your firewall. This table collects all the policy configuration information existing on the device. The fields in this view are read only.

Figure 5: Netscreen Policy View

Page 19

Netscreen Policy Traffic View
Note: From the icon subviews menu of the device icon, choose Policy > Traffic.

This view contains attributes from the nsplymontable in the NS-POLICY.mib. These attributes specify traffic information for the policy-based traffic. The fields in this view are read only.

Figure 6: Netscreen Policy Traffic View

Page 20

Tunnel Interfaces

This section describes the Netscreen Tunnel Interface model type (nstunnelif) and its functionality.

In This Section
- Modeling Site-To-Site Tunnel Interfaces [page 21]
- Modeling Other Types of Tunnel Interfaces [page 21]
- Tunnel Interface Stacking [page 22]
- Automatic Connectivity Mapping [page 22]
- Interface Model Identification [page 22]
- Status Monitoring of Tunnel Interfaces [page 23]

Modeling Site-To-Site Tunnel Interfaces
There are various attributes that control whether or not site-to-site Tunnel Interfaces are modeled on your Netscreen Device. See Tunnel If Modeling Options [page 15] for a complete explanation of these options.

Modeling Other Types of Tunnel Interfaces
By default SPECTRUM does not model Dialup Tunnels or Tunnels whose monitor state is set to OFF. To enable the modeling of these types of tunnels, you use the Model Type Editor. Instructions are outlined in the steps below:

Procedure
1. Shut down the SpectroSERVER and start the Model Type Editor.
2. To allow Dialup Tunnels to be modeled, use the Find Attribute function to find the NSFirewallVPN model type's TunnelFilterTypes attribute (0x12a17). Remove the value 1 from the list of values for this attribute.
3. To allow tunnels whose monitor state is off to be modeled, use the Find Attribute function to find the NSFirewallVPN model type's

Page 21

   TunnelFilterStates attribute (0x12a19). Remove the value 0 from the list of values for this attribute.
4. Save your changes in the Model Type Editor and re-start the SpectroSERVER.
5. Reconfigure the Netscreen models using the Manually Poll Device option available for each device model. (See Tunnel If Modeling Options [page 15] for instructions.)

See the Model Type Editor User's Guide (0659) for instructions on performing specific tasks with the Model Type Editor.

Tunnel Interface Stacking
Tunnel interface models are created as sub-interfaces of the physical interface whose IP address matches the tunnel's local address as indicated in the VPN-MON.mib. Since NetScreen devices don't support the ifstacktable, this mechanism of determining the lower-layer interface is necessary and effective.

Automatic Connectivity Mapping
When a tunnel interface model activates for the first time (i.e. during initial device modeling or during an interface reconfiguration), SPECTRUM will search for a tunnel interface model representing the other end-point of the tunnel. If such a model is found, the connection between these two interfaces is modeled. SPECTRUM uses the local address and remote address indicated in the VPN-MON.mib to find the other end-point of the tunnel.

Interface Model Identification
Tunnel interface models are now identified uniquely by their local address and remote address as indicated in the VPN-MON.mib. This enables SPECTRUM to preserve the interface model even if the ifindex of the interface changes.

Page 22

Status Monitoring of Tunnel Interfaces

On the NetScreen device, the ifoperstatus of a tunnel interface entry is always UP, right up to the point when it disappears from the iftable. If a tunnel model becomes stale, and no link down trap has yet been processed for the tunnel, SPECTRUM will generate a red alarm on the model. This alarm will be suppressed in the following cases:
- If the lower layer, i.e. physical interface, is down (the same case in which a link down trap alarm would be suppressed).
- If the Suppress Linked Port Alarms setting of the Live Pipes model is set to TRUE, and either of the following conditions is met:
  - The connected device is unreachable (by the SpectroSERVER)
  - The linked tunnel interface model is alarmed (RED)

This status monitoring functionality is only available when Live Links are enabled for the port which is associated with the tunnel interface. For information on enabling Live Links, see the Enabling or Disabling Live Pipes on Individual Links section of How to Manage Your Network with SPECTRUM (2770).

Page 23
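The four mechanisms described in the Tunnel Interfaces section (stacking on the physical interface by local address, identifying a model by its (local, remote) pair so it survives an ifindex change, finding the far end-point by the swapped pair, and the stale-tunnel alarm with its suppression cases) are worked through below as an added example. It is not SPECTRUM's code; the data classes, function names and the addresses and device names are constructed for this example, and the nsvpnmontable rows are represented as plain (ifindex, local, remote) tuples rather than fetched over SNMP.

```python
"""Tunnel interface modeling logic from the Tunnel Interfaces section.

Added example, not SPECTRUM's own code. The model classes and the sample
devices, addresses and ifindex values are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TunnelKey:
    """Unique identity of a tunnel model: (local, remote) from the VPN-MON table."""
    local: str
    remote: str

    def peer(self):
        """Key the model at the other end-point carries: addresses swapped."""
        return TunnelKey(self.remote, self.local)


@dataclass
class PhysicalIf:
    device: str
    ifindex: int
    ip: str
    oper_up: bool = True


@dataclass
class TunnelIf:
    device: str
    key: TunnelKey
    ifindex: int
    stale: bool = False          # entry has disappeared from the ifTable
    linkdown_seen: bool = False  # a link down trap was already processed
    alarmed: bool = False        # model currently carries a RED alarm


def lower_layer(tunnel, physical_ifs):
    """Stacking without ifStackTable: the physical interface on the same
    device whose IP address equals the tunnel's local address."""
    for p in physical_ifs:
        if p.device == tunnel.device and p.ip == tunnel.key.local:
            return p
    return None


def find_peer(tunnel, all_tunnels):
    """Connectivity mapping: the model whose (local, remote) is our (remote, local)."""
    want = tunnel.key.peer()
    for t in all_tunnels:
        if t is not tunnel and t.key == want:
            return t
    return None


def reconfigure(device, models, polled):
    """Match polled (ifindex, local, remote) rows to existing models by
    address pair. Matched models keep their identity and take the new
    ifindex; rows with no model get a new one; unmatched models go stale."""
    by_key = {m.key: m for m in models}
    seen = set()
    for ifindex, local, remote in polled:
        key = TunnelKey(local, remote)
        seen.add(key)
        if key in by_key:
            by_key[key].ifindex = ifindex
            by_key[key].stale = False
        else:
            by_key[key] = TunnelIf(device=device, key=key, ifindex=ifindex)
    for key, m in by_key.items():
        if key not in seen:
            m.stale = True
    return list(by_key.values())


def stale_tunnel_alarm(tunnel, physical_ifs, all_tunnels,
                       suppress_linked_port_alarms, reachable):
    """Decide whether a RED alarm is raised on a stale tunnel model.

    reachable maps device name -> bool (SpectroSERVER reachability);
    a device missing from the map is treated as reachable."""
    if not tunnel.stale or tunnel.linkdown_seen:
        return False
    lower = lower_layer(tunnel, physical_ifs)
    if lower is not None and not lower.oper_up:
        return False                      # physical interface is down
    if suppress_linked_port_alarms:
        peer = find_peer(tunnel, all_tunnels)
        if peer is not None:
            if not reachable.get(peer.device, True) or peer.alarmed:
                return False              # connected device unreachable / peer alarmed
    return True


if __name__ == "__main__":
    a = TunnelIf("fw-a", TunnelKey("192.0.2.1", "198.51.100.1"), ifindex=5)
    b = TunnelIf("fw-b", TunnelKey("198.51.100.1", "192.0.2.1"), ifindex=3)
    phys = [PhysicalIf("fw-a", 1, "192.0.2.1")]
    reconfigure("fw-a", [a], [(7, "192.0.2.1", "198.51.100.1")])   # ifindex moves, model kept
    reconfigure("fw-a", [a], [])                                    # tunnel gone: stale
    print(a.ifindex, a.stale, find_peer(a, [a, b]) is b,
          stale_tunnel_alarm(a, phys, [a, b], True, {"fw-b": True}))
```

The point of keying on the address pair rather than the ifindex is visible in the first reconfigure call: the same TunnelIf object survives with a new ifindex, so alarms and history attached to it are not lost when the device renumbers its interfaces.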

Recommendations for Management of Netscreen Firewalls with SPECTRUM

Some changes to the SPECTRUM configuration settings may be required to achieve the best possible management of your NetScreen devices.

In This Section
- SPECTRUM Management Settings [page 24]

SPECTRUM Management Settings
The following SPECTRUM management settings are recommended.

Automatically Reconfigure Interfaces
Set this attribute to TRUE for NetScreen models if you want SPECTRUM to manage the branch tunnels of the device. For devices that only support User tunnels, this setting should be FALSE. When TRUE, SPECTRUM will reconfigure the interface models whenever the ifnumber object of the device's SNMP agent changes.

Reconfigure on LINK change
Aprisma recommends this attribute be set to FALSE for all NetScreen models. When set to TRUE, SPECTRUM performs an interface reconfiguration after every link up or link down trap received.

Discovery after Reconfigure
Aprisma recommends this attribute be set to FALSE (the default setting) for all NetScreen models. SPECTRUM will model connections between newly found tunnels regardless of this setting. SPECTRUM's Autodiscovery process adds little or no value after most link state changes, especially for NetScreen devices, where most link state changes represent tunnels coming up and going down rather than new router or bridge ports being configured.

Page 24

Create Sub-Interfaces
Set this attribute to TRUE for NetScreen models if you want SPECTRUM to monitor the branch tunnels. If this attribute is set to FALSE, SPECTRUM will not create models for the tunnel interfaces.

All of these settings can be modified using the Configuration tab of the Global Attribute Editor or the Redundancy and Model Reconfiguration Options GIB for a particular device model.

Suppress Linked Port Alarms
Aprisma recommends setting this attribute of the Live Pipes model to TRUE. This will suppress port alarms when either the connected device is unreachable or the linked port model is already alarmed. This setting can be modified from the Live Pipes Model Information View, which can be accessed from the VNM model's Configuration GIB.

Page 25

Index

A
Alarm Generated [12]
Alarm Severity [12]
Automatically Reconfigure Interfaces [24]

C
conditional event generation [11]
Create Sub-Interfaces [25]

D
device-specific MIBs [9]
device-specific traps [11]
Dialup Tunnels [21]
Discovery after Reconfigure [24]

E
Event Generated [12]

F
Firmware [8]

I
ifstacktable [22]
interface reconfiguration [16]

M
MIB Support [9]
Model Type [8]
monitor state [21]

Page 26

N
netscreentrapdesc [12]
netscreentrapfw [12]
netscreentraphw [12]
netscreentrapnsrp [13]
netscreentrapsw [13]
netscreentraptrf [13]
netscreentraptype [12]
netscreentrapvpn [13]

O
OID [12]

P
Poll Enable [15]
Poll Interval [16]

R
Reconfigure on LINK change [24]

S
standard traps [11]
Supported Devices [8]
Suppress Linked Port Alarms [25]

T
Trap Name [12]
Trap Support [11]
tunnel interface configuration [21]
Tunnel Interface model configuration [15]

Page 27