Edu Jun Cjfv Sg Text
Contents (excerpt): Functionality; Policy Configuration; Common Problems; Address Translation; MIP Addresses; Lab 6: Address Translation; Transparent Mode; Configuration; Verifying Operations; Lab 7: Transparent Mode; VPN Concepts; Concepts and Terminology; IP Security; Verifying Operations; Route-Based VPNs.
Intended Audience: This course is intended for network engineers, support personnel, reseller support, and others responsible for implementing Juniper Networks products.
Course Level: This is an introductory-level course. To make the language of these documents easier to read, we distinguish GUI and CLI text from chapter text according to the following table.
Often this will be shown in the context of where you must enter it. We use bold style to distinguish text that is input versus text that is simply displayed. CLI Input: text that you must enter (for example, Type set). Previous and later versions of software may behave differently, so you should always consult the documentation and release notes for the version of code you are running before reporting errors.
This document is written and maintained by the Juniper Networks Education Services development team. Please send questions and suggestions for improvement to training juniper.
Documentation sets and CDs are available through your local Juniper Networks sales office or account representative. What kind of network experience do you have? Depending on the class you are taking, please complete the survey at the end of the class, or look for an e-mail about two weeks after class completion that directs you to an online survey form; be sure to provide us with your current e-mail address.
We thank you in advance for taking the time to help us improve our educational offerings. If you have any questions or concerns about the class you are attending, we suggest that you voice them now so that your instructor can best address your needs during class. We discuss the highlighted topic first.
We take a closer look at these operations on the next few pages. Layer 2 Frame Forwarding: An inline security device must be able to forward traffic it receives. Therefore, at a minimum, the security device must be able to track MAC addresses on a per-port basis so as to make intelligent forwarding decisions.
If the destination is in the table, the frame is forwarded only out the associated port. If the destination is not in the table, the frame is forwarded out all ports other than the ingress port. When individual packets are received by a firewall, they are compared with a set of rules. Each rule consists of a source and destination IP address, Layer 4 protocol, source and destination ports, and, most importantly, an action (permit or deny).
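The two Layer 2 forwarding cases just described (known destination: forward out the learned port; unknown destination: flood out every other port), as an added example that is not part of the course material. The port names and MAC addresses are constructed; the one refinement beyond the text is that a frame whose destination was learned on the ingress port itself is not forwarded anywhere.

```python
# Added teaching example of a learning Layer 2 forwarder (not ScreenOS code).
# Port names and MAC addresses below are constructed for the illustration.
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac in_port")
BROADCAST = "ff:ff:ff:ff:ff:ff"


class L2Forwarder:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}   # MAC address -> port on which it was last seen

    def forward(self, frame):
        """Learn the source MAC, then return the list of egress ports."""
        # Learning: the source MAC is reachable via the ingress port. A host
        # that moves to another port simply overwrites its earlier entry.
        self.mac_table[frame.src_mac] = frame.in_port

        if frame.dst_mac != BROADCAST and frame.dst_mac in self.mac_table:
            out_port = self.mac_table[frame.dst_mac]
            # Destination already lives on the ingress port: nothing to forward.
            return [] if out_port == frame.in_port else [out_port]

        # Unknown unicast or broadcast: flood out all ports except the ingress port.
        return [p for p in self.ports if p != frame.in_port]
```

Feeding a few frames through the forwarder shows the table filling in: the first frame from a host is flooded, the reply is forwarded out exactly one port, and a host that reappears on a different port is relearned without any explicit configuration.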
Translation can consist of replacing the IP address, the port numbers, or both, depending on the configuration. We discussed. We define the elements of this architecture on the next few slides. But no matter the name, an interface is assigned an IP address only if the firewall is operating in Layer 3 mode.
Zones are logical groupings of subnets and interfaces. All devices within a zone share the same security requirements. Zone configuration can be as simple as a two-zone setup-all interfaces connected to internal networks are in one zone, all interfaces connected to the external world are in a different zone.
A more complicated configuration might divide interfaces based on internal department or function in addition to external and DMZ connections. The Juniper Networks firewall implements security based on policies.
A security policy is a rulebase that specifies which traffic is permitted to pass through the firewall, based on the same parameters that are used to identify a traffic flow. Policies are implemented on a zone basis; that is, one policy set applies to traffic leaving Zone A and entering Zone B, while a different set of policies can apply to traffic leaving Zone A and entering Zone C.
A virtual router (VR) is a logical routing construct within the Juniper Networks device. Each VR maintains its own routing table and routing logic. For traffic to flow between VRs, inter-VR routing must be configured.
Each VSYS operates as its own firewall with its own set of policies. Juniper Networks firewalls track traffic passing through the firewall based on flows. Zones and Interface Assignments: The Juniper Networks internal architecture is designed with a strict hierarchical relationship between virtual routers, zones, and interfaces.
An interface cannot be configured for IP connectivity without first being associated with a zone. Only the high-end Juniper Networks firewalls support virtual systems. You can see that interfaces have different names on the different platforms. The device also modifies session states based on changing elements such as dynamic port changes or session termination.
When a responding TCP packet arrives, the device compares the information reported in its header with the state of its associated session stored in the inspection table. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the security device.
SCREEN options apply to traffic reaching the Juniper Networks security device through any interface bound to a zone for which you enabled such options. You can apply other network security options, such as Web filtering, antivirus checking, and intrusion detection and prevention (IDP), at the policy level. These options apply only to traffic under the jurisdiction of the policies in which they are enabled. The session module performs a session lookup, attempting to match the packet with an existing session.
If the packet does not match an existing session, the security device performs first-packet processing, a procedure involving the following steps (Steps 4 through 9). If PBR is not enabled, the route table lookup finds the interface that leads to the destination address.
In so doing, the interface module identifies the destination zone to which that interface is bound. The policy engine searches the policy set lists for a policy between the addresses in the identified source and destination zones. If destination address translation (NAT-dst) is specified in the policy, the NAT module translates the original destination address in the IP packet header to a different address. The security device then uses the information maintained in the session entry when processing subsequent packets of the same session.
The security device performs the operation specified in the session. In this case, Host B at The traffic passes through the Juniper Networks firewall and therefore is subject to the decision process. Existing session? Destination reachable? Interzone traffic?
Following the flowchart, we can track the progress of the packet through the Juniper Networks device: 4. Based on a lookup in the session table, we determine that this is not an existing session.
The forwarding table shows that we know how to reach the destination network. The interfaces are in different zones, so we must examine the associated policy.
Permitted by policy?
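The decision process described above (session lookup; route lookup to find the egress interface and therefore the destination zone; interzone check; policy lookup on the zone pair; NAT-dst; session installation so that later packets of the flow take the fast path), worked through as an added Python model. This is not ScreenOS code and not part of the course: the interface names, zones, addresses and policies are constructed, SCREEN checks and policy-based routing are left out, intrazone traffic is simply permitted, and after NAT-dst the route lookup is repeated on the translated address so that the egress interface reflects the real destination.

```python
# Added teaching model of the first-packet decision flow (not ScreenOS code).
# Interfaces, zones, addresses and policies below are constructed for the example;
# SCREEN checks and PBR are omitted and intrazone traffic is permitted outright.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    in_if: str            # ingress interface


@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    src_net: str
    dst_net: str
    proto: str            # protocol name or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"
    nat_dst: Optional[str] = None   # translated destination when NAT-dst is set


class Firewall:
    def __init__(self, routes, if_zone, policies):
        self.routes = [(ip_network(net), iface) for net, iface in routes]
        self.if_zone = if_zone      # interface -> zone binding
        self.policies = policies    # ordered; first match wins
        self.sessions = {}          # 5-tuple -> session entry (both directions)

    @staticmethod
    def key(p):
        return (p.src, p.dst, p.proto, p.sport, p.dport)

    def route_lookup(self, dst):
        """Longest-prefix match; returns the egress interface or None."""
        addr, best = ip_address(dst), None
        for net, iface in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def policy_lookup(self, from_zone, to_zone, p):
        for pol in self.policies:
            if (pol.from_zone, pol.to_zone) != (from_zone, to_zone):
                continue
            if ip_address(p.src) not in ip_network(pol.src_net):
                continue
            if ip_address(p.dst) not in ip_network(pol.dst_net):
                continue
            if pol.proto not in ("any", p.proto):
                continue
            if pol.dport is not None and pol.dport != p.dport:
                continue
            return pol
        return None

    def process(self, p):
        """Return (action, egress interface, destination after NAT, reason)."""
        # Existing session? Later packets of a flow skip route and policy lookup.
        sess = self.sessions.get(self.key(p))
        if sess is not None:
            return ("permit", sess["out_if"], sess["dst"], "existing session")
        # Destination reachable? The route gives the egress interface, and the
        # interface's zone binding gives the destination zone.
        out_if = self.route_lookup(p.dst)
        if out_if is None:
            return ("deny", None, None, "no route")
        from_zone, to_zone = self.if_zone[p.in_if], self.if_zone[out_if]
        pol = None
        # Interzone traffic? Only then is a policy consulted (simplification).
        if from_zone != to_zone:
            pol = self.policy_lookup(from_zone, to_zone, p)
            # Permitted by policy? No match or an explicit deny drops the packet.
            if pol is None or pol.action == "deny":
                return ("deny", out_if, None, f"policy {from_zone}->{to_zone}")
        # NAT-dst: rewrite the destination, then re-route on the new address.
        new_dst = p.dst
        if pol is not None and pol.nat_dst is not None:
            new_dst = pol.nat_dst
            out_if = self.route_lookup(new_dst) or out_if
        # Install the session in both directions so the reply matches at once.
        self.sessions[self.key(p)] = {"out_if": out_if, "dst": new_dst}
        self.sessions[(new_dst, p.src, p.proto, p.dport, p.sport)] = \
            {"out_if": p.in_if, "dst": p.src}   # reply source un-translation omitted
        return ("permit", out_if, new_dst, "new session")


def build_demo_firewall():
    """Constructed topology: trust (eth1), dmz (eth2), untrust (eth3)."""
    routes = [("10.0.0.0/24", "eth1"), ("172.16.0.0/24", "eth2"),
              ("192.0.2.10/32", "eth2"),    # public address of the DMZ web server
              ("198.51.100.0/24", "eth3"), ("203.0.113.0/24", "eth3")]
    if_zone = {"eth1": "trust", "eth2": "dmz", "eth3": "untrust"}
    policies = [
        Policy("trust", "untrust", "10.0.0.0/24", "0.0.0.0/0", "any", None, "permit"),
        Policy("untrust", "dmz", "0.0.0.0/0", "192.0.2.10/32", "tcp", 80, "permit",
               nat_dst="172.16.0.10"),
    ]
    return Firewall(routes, if_zone, policies)
```

Running an outbound connection from the trust zone through `process()` returns "new session", and the reply arriving on the untrust interface is matched by the session table without any policy lookup; a connection from untrust to the published web address is permitted and has its destination rewritten to the DMZ host, while a different port to the same address, or any packet toward the trust zone, is denied because no untrust-to-trust policy exists.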