IDP Series Intrusion Detection and Prevention Appliances
IDP250 Installation Guide
Release 5.0
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
Part Number: 530-029729-01, Revision 01
Download from Www.Somanuals.com. All Manuals Search And Download.
END USER LICENSE AGREEMENT
READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING,
INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER
OR IF YOU ARE NOT THE CUSTOMER, AS A REPRESENTATIVE/AGENT AUTHORIZED TO BIND THE CUSTOMER) CONSENT TO BE BOUND BY THIS
AGREEMENT. IF YOU DO NOT OR CANNOT AGREE TO THE TERMS CONTAINED HEREIN, THEN (A) DO NOT DOWNLOAD, INSTALL, OR USE THE SOFTWARE,
AND (B) YOU MAY CONTACT JUNIPER NETWORKS REGARDING LICENSE TERMS.
1. The Parties. The parties to this Agreement are (i) Juniper Networks, Inc. (if the Customer’s principal office is located in the Americas) or Juniper Networks
(Cayman) Limited (if the Customer’s principal office is located outside the Americas) (such applicable entity being referred to herein as “Juniper”), and (ii)
the person or organization that originally purchased from Juniper or an authorized Juniper reseller the applicable license(s) for use of the Software (“Customer”)
(collectively, the “Parties”).
2. The Software. In this Agreement, “Software” means the program modules and features of the Juniper or Juniper-supplied software, for which Customer
has paid the applicable license or support fees to Juniper or an authorized Juniper reseller, or which was embedded by Juniper in equipment which Customer
purchased from Juniper or an authorized Juniper reseller. “Software” also includes updates, upgrades and new releases of such software. “Embedded
Software” means Software which Juniper has embedded in or loaded onto the Juniper equipment and any updates, upgrades, additions or replacements
which are subsequently embedded in or loaded onto the equipment.
3. License Grant. Subject to payment of the applicable fees and the limitations and restrictions set forth herein, Juniper grants to Customer a non-exclusive
and non-transferable license, without right to sublicense, to use the Software, in executable form only, subject to the following use restrictions:
a. Customer shall use Embedded Software solely as embedded in, and for execution on, Juniper equipment originally purchased by Customer from Juniper
or an authorized Juniper reseller.
b. Customer shall use the Software on a single hardware chassis having a single processing unit, or as many chassis or processing units for which Customer
has paid the applicable license fees; provided, however, with respect to the Steel-Belted Radius or Odyssey Access Client software only, Customer shall use
such Software on a single computer containing a single physical random access memory space and containing any number of processors. Use of the
Steel-Belted Radius or IMS AAA software on multiple computers or virtual machines (e.g., Solaris zones) requires multiple licenses, regardless of whether
such computers or virtualizations are physically contained on a single chassis.
c. Product purchase documents, paper or electronic user documentation, and/or the particular licenses purchased by Customer may specify limits to
Customer’s use of the Software. Such limits may restrict use to a maximum number of seats, registered endpoints, concurrent users, sessions, calls,
connections, subscribers, clusters, nodes, realms, devices, links, ports or transactions, or require the purchase of separate licenses to use particular features,
functionalities, services, applications, operations, or capabilities, or provide throughput, performance, configuration, bandwidth, interface, processing,
temporal, or geographical limits. In addition, such limits may restrict the use of the Software to managing certain kinds of networks or require the Software
to be used only in conjunction with other specific Software. Customer’s use of the Software shall be subject to all such limitations and purchase of all applicable
licenses.
d. For any trial copy of the Software, Customer’s right to use the Software expires 30 days after download, installation or use of the Software. Customer
may operate the Software after the 30-day trial period only if Customer pays for a license to do so. Customer may not extend or create an additional trial
period by re-installing the Software after the 30-day trial period.
e. The Global Enterprise Edition of the Steel-Belted Radius software may be used by Customer only to manage access to Customer’s enterprise network.
Specifically, service provider customers are expressly prohibited from using the Global Enterprise Edition of the Steel-Belted Radius software to support any
commercial network access services.
The foregoing license is not transferable or assignable by Customer. No license is granted herein to any user who did not originally purchase the applicable
license(s) for the Software from Juniper or an authorized Juniper reseller.
4. Use Prohibitions. Notwithstanding the foregoing, the license provided herein does not permit the Customer to, and Customer agrees not to and shall
not: (a) modify, unbundle, reverse engineer, or create derivative works based on the Software; (b) make unauthorized copies of the Software (except as
necessary for backup purposes); (c) rent, sell, transfer, or grant any rights in and to any copy of the Software, in any form, to any third party; (d) remove
any proprietary notices, labels, or marks on or in any copy of the Software or any product in which the Software is embedded; (e) distribute any copy of
the Software to any third party, including as may be embedded in Juniper equipment sold in the secondhand market; (f) use any ‘locked’ or key-restricted
feature, function, service, application, operation, or capability without first purchasing the applicable license(s) and obtaining a valid key from Juniper, even
if such feature, function, service, application, operation, or capability is enabled without a key; (g) distribute any key for the Software provided by Juniper
to any third party; (h) use the Software in any manner that extends or is broader than the uses purchased by Customer from Juniper or an authorized Juniper
reseller; (i) use Embedded Software on non-Juniper equipment; (j) use Embedded Software (or make it available for use) on Juniper equipment that the
Customer did not originally purchase from Juniper or an authorized Juniper reseller; (k) disclose the results of testing or benchmarking of the Software to
any third party without the prior written consent of Juniper; or (l) use the Software in any manner other than as expressly provided herein.
5. Audit. Customer shall maintain accurate records as necessary to verify compliance with this Agreement. Upon request by Juniper, Customer shall furnish
such records to Juniper and certify its compliance with this Agreement.
■
iii
Download from Www.Somanuals.com. All Manuals Search And Download.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer
shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum includes
restricting access to the Software to Customer employees and contractors having a need to use the Software for Customer’s internal business purposes.
7. Ownership. Juniper and Juniper’s licensors, respectively, retain ownership of all right, title, and interest (including copyright) in and to the Software,
associated documentation, and all copies of the Software. Nothing in this Agreement constitutes a transfer or conveyance of any right, title, or interest in
the Software or associated documentation, or a sale of the Software, associated documentation, or copies of the Software.
8. Warranty, Limitation of Liability, Disclaimer of Warranty. The warranty applicable to the Software shall be as set forth in the warranty statement that
accompanies the Software (the “Warranty Statement”). Nothing in this Agreement shall give rise to any obligation to support the Software. Support services
may be purchased separately. Any such support shall be governed by a separate, written support services agreement. TO THE MAXIMUM EXTENT PERMITTED
BY LAW, JUNIPER SHALL NOT BE LIABLE FOR ANY LOST PROFITS, LOSS OF DATA, OR COSTS OR PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES,
OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, THE SOFTWARE, OR ANY JUNIPER OR
JUNIPER-SUPPLIED SOFTWARE. IN NO EVENT SHALL JUNIPER BE LIABLE FOR DAMAGES ARISING FROM UNAUTHORIZED OR IMPROPER USE OF ANY
JUNIPER OR JUNIPER-SUPPLIED SOFTWARE. EXCEPT AS EXPRESSLY PROVIDED IN THE WARRANTY STATEMENT TO THE EXTENT PERMITTED BY LAW,
JUNIPER DISCLAIMS ANY AND ALL WARRANTIES IN AND TO THE SOFTWARE (WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE), INCLUDING
ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NONINFRINGEMENT. IN NO EVENT DOES JUNIPER
WARRANT THAT THE SOFTWARE, OR ANY EQUIPMENT OR NETWORK RUNNING THE SOFTWARE, WILL OPERATE WITHOUT ERROR OR INTERRUPTION,
OR WILL BE FREE OF VULNERABILITY TO INTRUSION OR ATTACK. In no event shall Juniper’s or its suppliers’ or licensors’ liability to Customer, whether
in contract, tort (including negligence), breach of warranty, or otherwise, exceed the price paid by Customer for the Software that gave rise to the claim, or
if the Software is embedded in another Juniper product, the price paid by Customer for such other product. Customer acknowledges and agrees that Juniper
has set its prices and entered into this Agreement in reliance upon the disclaimers of warranty and the limitations of liability set forth herein, that the same
reflect an allocation of risk between the Parties (including the risk that a contract remedy may fail of its essential purpose and cause consequential loss),
and that the same form an essential basis of the bargain between the Parties.
9. Termination. Any breach of this Agreement or failure by Customer to pay any applicable fees due shall result in automatic termination of the license
granted herein. Upon such termination, Customer shall destroy or return to Juniper all copies of the Software and related documentation in Customer’s
possession or control.
10. Taxes. All license fees payable under this agreement are exclusive of tax. Customer shall be responsible for paying Taxes arising from the purchase of
the license, or importation or use of the Software. If applicable, valid exemption documentation for each taxing jurisdiction shall be provided to Juniper prior
to invoicing, and Customer shall promptly notify Juniper if their exemption is revoked or modified. All payments made by Customer shall be net of any
applicable withholding tax. Customer will provide reasonable assistance to Juniper in connection with such withholding taxes by promptly: providing Juniper
with valid tax receipts and other required documentation showing Customer’s payment of any withholding taxes; completing appropriate applications that
would reduce the amount of withholding tax to be paid; and notifying and assisting Juniper in any audit or tax proceeding related to transactions hereunder.
Customer shall comply with all applicable tax laws and regulations, and Customer will promptly pay or reimburse Juniper for all costs and damages related
to any liability incurred by Juniper as a result of Customer’s non-compliance or delay with its responsibilities herein. Customer’s obligations under this
Section shall survive termination or expiration of this Agreement.
11. Export. Customer agrees to comply with all applicable export laws and restrictions and regulations of any United States and any applicable foreign
agency or authority, and not to export or re-export the Software or any direct product thereof in violation of any such restrictions, laws or regulations, or
without all necessary approvals. Customer shall be liable for any such violations. The version of the Software supplied to Customer may contain encryption
or other capabilities restricting Customer’s ability to export the Software without an export license.
12. Commercial Computer Software. The Software is “commercial computer software” and is provided with restricted rights. Use, duplication, or disclosure
by the United States government is subject to restrictions set forth in this Agreement and as provided in DFARS 227.7201 through 227.7202-4, FAR 12.212,
FAR 27.405(b)(2), FAR 52.227-19, or FAR 52.227-14(ALT III) as applicable.
13. Interface Information. To the extent required by applicable law, and at Customer's written request, Juniper shall provide Customer with the interface
information needed to achieve interoperability between the Software and another independently created program, on payment of applicable fee, if any.
Customer shall observe strict obligations of confidentiality with respect to such information and shall use such information in compliance with any applicable
terms and conditions upon which Juniper makes such information available.
14. Third Party Software. Any licensor of Juniper whose software is embedded in the Software and any supplier of Juniper whose products or technology
are embedded in (or services are accessed by) the Software shall be a third party beneficiary with respect to this Agreement, and such licensor or vendor
shall have the right to enforce this Agreement in its own name as if it were Juniper. In addition, certain third party software may be provided with the
Software and is subject to the accompanying license(s), if any, of its respective owner(s). To the extent portions of the Software are distributed under and
subject to open source licenses obligating Juniper to make the source code for such portions publicly available (such as the GNU General Public License
(“GPL”) or the GNU Library General Public License (“LGPL”)), Juniper will make such source code portions (including Juniper modifications, as appropriate)
available upon request for a period of up to three years from the date of distribution. Such request can be made in writing to Juniper Networks, Inc., 1194
N. Mathilda Ave., Sunnyvale, CA 94089, ATTN: General Counsel. You may obtain a copy of the GPL at http://www.gnu.org/licenses/gpl.html, and
15. Miscellaneous. This Agreement shall be governed by the laws of the State of California without reference to its conflicts of laws principles. The provisions
of the U.N. Convention for the International Sale of Goods shall not apply to this Agreement. For any disputes arising under this Agreement, the Parties
hereby consent to the personal and exclusive jurisdiction of, and venue in, the state and federal courts within Santa Clara County, California. This Agreement
constitutes the entire and sole agreement between Juniper and the Customer with respect to the Software, and supersedes all prior and contemporaneous
iv
■
Download from Www.Somanuals.com. All Manuals Search And Download.
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a
separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict
with terms contained herein. No modification to this Agreement nor any waiver of any rights hereunder shall be effective unless expressly assented to in
writing by the party to be charged. If any portion of this Agreement is held invalid, the Parties agree that such invalidity shall not affect the validity of the
remainder of this Agreement. This Agreement and associated documentation has been written in the English language, and the Parties agree that the English
version will govern. (For Canada: Les parties aux présentés confirment leur volonté que cette convention de même que tous les documents y compris tout
avis qui s'y rattaché, soient redigés en langue anglaise. (Translation: The parties confirm that this Agreement and all related documentation is and will be
in the English language)).
■
v
Download from Www.Somanuals.com. All Manuals Search And Download.
vi
■
Download from Www.Somanuals.com. All Manuals Search And Download.
Table of Contents
Objectives ......................................................................................................xi
Audience ........................................................................................................xi
Documentation Conventions ..........................................................................xi
Related Documentation ................................................................................xiii
Requesting Technical Support .......................................................................xiv
IDP250 Overview ............................................................................................3
Power Supply ..................................................................................................4
Hard Drive ......................................................................................................4
Fans ................................................................................................................4
System Status LEDs .........................................................................................4
USB Port ..........................................................................................................5
Serial Console Port ..........................................................................................5
Management Interface Port .............................................................................5
High Availability Interface Port ........................................................................6
Traffic Interface Ports ......................................................................................7
Copper Ports .............................................................................................7
Fiber Ports ................................................................................................8
Traffic Interface Features ..........................................................................9
NICs Off ...........................................................................................11
Peer Port Modulation ..............................................................................12
Layer 2 Bypass ........................................................................................13
On-Box Software Overview ...........................................................................15
Table of Contents
■
vii
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
Before You Begin ...........................................................................................21
Basic Steps ....................................................................................................22
Mounting to Rack Rails ..................................................................................25
Connecting Power .........................................................................................25
Performing the Initial Configuration ..............................................................27
Installing the Product License Key .................................................................32
Verifying Traffic Flow ....................................................................................38
viii
■
Table of Contents
Download from Www.Somanuals.com. All Manuals Search And Download.
Table of Contents
Replacing a Power Supply .............................................................................53
IDP250 Technical Specifications ....................................................................59
Standards Compliance ...................................................................................61
Index .............................................................................................................67
Table of Contents
■
ix
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
x
■
Table of Contents
Download from Www.Somanuals.com. All Manuals Search And Download.
Preface
This preface includes the following topics:
■
■
■
■
■
Objectives
Audience
This guide explains how to install, configure, update, and service an IDP Series
Intrusion Detection and Prevention appliance.
This guide is intended for experienced system and network specialists.
Documentation Conventions
This section provides all the documentation conventions that are followed in this
Table 1: Notice Icons
Icon Meaning
Description
Informational note
Caution
Indicates important features or instructions.
Indicates a situation that might result in loss of data or hardware damage.
Warning
Alerts you to the risk of personal injury or death.
Alerts you to the risk of personal injury from a laser.
Laser warning
Objectives
■
xi
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
Table 2 on page xii defines text conventions used in this guide.
Table 2: Text Conventions
Convention
Description
Examples
Bold typeface like this
Represents commands and keywords
in text.
Issue the clock source command.
■
■
■
■
Specify the keyword exp-msg.
Click User Objects
Represents keywords
Represents UI elements
■
■
Represents text that the user must type.
Bold typeface like this
user input
Represents information as displayed on
the terminal screen.
fixed-width font
host1#
show ip ospf
Routing Process OSPF 2 with Router
ID 5.5.0.250
Router is an area Border Router
(ABR)
Key names linked with a plus (+)
sign
Indicates that you must press two or more Ctrl + d
keys simultaneously.
Italics
Emphasizes words
Identifies variables
The product supports two levels of
access, user and privileged.
■
■
■
■
clusterID, ipAddress.
The angle bracket (>)
Indicates navigation paths through the UI Object Manager > User Objects > Local
by clicking menu options and links. Objects
Table 3 on page xii defines syntax conventions used in this guide.
Table 3: Syntax Conventions
Convention
Description
Examples
Words in plain text
Words in italics
Represent keywords
Represent variables
terminal length
mask, accessListName
diagnostic | line
Words separated by the pipe ( | )
symbol
Represent a choice to select one keyword or
variable to the left or right of this symbol. The
keyword or variable can be optional or
required.
Words enclosed in brackets ( [ ] )
Represent optional keywords or variables.
[ internal | external ]
Words enclosed in brackets followed Represent optional keywords or variables that [ level1 | level2 | 11 ]*
by and asterisk ( [ ]*)
can be entered more than once.
Words enclosed in braces ( { } )
Represent required keywords or variables.
{ permit | deny } { in | out } {
clusterId | ipAddress }
xii
■
Documentation Conventions
Download from Www.Somanuals.com. All Manuals Search And Download.
Preface
Related Documentation
Table 4 on page xiii lists related IDP documentation.
Table 4: Related IDP Documentation
Document
Description
Release notes
Contains information about what is included in a specific product release:
supported features, unsupported features, changed features, known problems,
and resolved problems. If the information in the release notes differs from
the information found in the documentation set, follow the release notes.
ACM Online Help
Available through the Appliance Configuration Manager (ACM). The
context-sensitive online help describes how to use the QuickStart and ACM
Wizard pages to configure network settings, network interfaces, and NIC
features.
IDP Series Installation Guide: IDP200,
IDP600, IDP1100
Provides instructions for installing, configuring, updating, and servicing the
IDP Series appliances.
■
IDP75 Installation Guide
■
IDP250 Installation Guide
■
IDP800 Installation Guide
■
IDP8200 Installation Guide
■
IDP Concepts and Examples Guide
IDP Administration Guide
Explains IDP features and provides examples of how to use the system.
Provides procedures for implementing IDP features, monitoring performance,
and monitoring security events.
IDP Custom Attack Objects Reference and
Examples Guide
Provides in-depth examples and reference information for creating custom
attack objects.
IDP Reporter User’s Guide
Describes how to use IDP Reporter to view and generate security reports and
application usage reports.
Table 4 on page xiii lists related NSM documentation.
Table 5: Related NSM Documentation
Document
Description
Network and Security Manager release notes
Provides information about new features, changed features, fixed problems,
and known issues with the NSM release.
Network and Security Manager Installation Guide Describes how to install the NSM management system on a single server or
on separate servers. It also includes information on how to install and run
the NSM user interface. This guide is intended for IT administrators responsible
for the installation and/or upgrade to NSM.
Related Documentation
Download from Www.Somanuals.com. All Manuals Search And Download.
■
xiii
IDP250 Installation Guide
Table 5: Related NSM Documentation (continued)
Document
Description
Describes how to configure and manage IDP devices using NSM. This guide
Network and Security Manager Configuring
Intrusion Detection and Prevention Devices Guide also helps in understanding of how to configure basic and advanced NSM
functionality, including adding new devices, deploying new device
configurations, updating device firmware, viewing log information, and
monitoring the status of IDP devices.
Network and Security Manager Administration
Guide
Describes how to use and configure key management features in the NSM.
It provides conceptual information, suggested workflows, and examples where
applicable. This guide is best used in conjunction with the NSM Online Help,
which provides step-by-step instructions for performing management tasks
in the NSM UI.
This guide is intended for application administrators or those individuals
responsible for owning the server and security infrastructure and configuring
the product for multi-user systems. It is also intended for device configuration
administrators, firewall and VPN administrators, and network security
operation center administrators.
Network and Security Manager Online Help
Provides task-oriented procedures describing how to perform basic tasks in
the NSM user interface. It also includes a brief overview of the NSM system
and a description of the GUI elements.
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical
Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support
contract, or are covered under warranty, and need post-sales technical support, you
can access our tools and resources online or open a case with JTAC.
■
JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
■
■
Product warranties—For product warranty information, visit
JTAC Hours of Operation —The JTAC centers have resources available 24 hours
a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with
the following features:
■
■
■
Find CSC offerings: http://www.juniper.net/customers/support/
Search for known bugs: http://www2.juniper.net/kb/
Find product documentation: http://www.juniper.net/techpubs/
xiv
■
Requesting Technical Support
Download from Www.Somanuals.com. All Manuals Search And Download.
Preface
■
■
■
■
■
Find solutions and answer questions using our Knowledge Base:
Download the latest versions of software and review release notes:
Search technical bulletins for relevant hardware and software notifications:
Join and participate in the Juniper Networks Community Forum:
Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
■
■
Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, see
Requesting Technical Support
Download from Www.Somanuals.com. All Manuals Search And Download.
■
xv
IDP250 Installation Guide
xvi
■
Requesting Technical Support
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
2
■
Hardware and Software Overview
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1
Hardware Overview
This chapter includes the following topics:
■
■
■
■
■
■
■
■
■
■
IDP250 Overview
The IDP250 appliance is optimal for medium central sites or large branch offices.
Figure 1 on page 3 shows the location of appliance LEDs and ports.
Figure 1: IDP250 Front Panel
Related Topics
■
■
■
■
■
IDP250 Overview
■
3
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
■
■
Power Supply
The appliance has one power supply. It is a field replaceable unit (FRU).
Related Topics
■
Hard Drive
Fans
The appliance has one 80 GB hard drive. It is not a field replaceable unit (FRU).
When the system is cool, appliance fans spin at a slower speed to reduce noise and
save energy. As the system heats up, the fans run at a faster speed. In the event of
fan failure, the appliance fault LED blinks and the remaining fan or fans run at full
speed until the failed fan is replaced.
The fans for this model are not field replaceable units (FRUs).
System Status LEDs
Table 6 on page 4 describes system status LED states.
Table 6: System Status LED States
LED
Status
Solid green
Off
Description
Power
System is powered on.
System is powered off.
Hard Drives
Fault
Flashing amber
Off
Hard disk is active.
Hard drive has no activity.
Slowly blinking red
Quickly blinking red
Solid red
Power failure.
Fan failure.
Overheating.
Off
Heat and power are normal.
4
■
Power Supply
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1: Hardware Overview
USB Port
The appliance has a USB port you can use to reimage the appliance, if necessary.
Serial Console Port
The console serial port provides access, using an RJ-45 connector, to the
command-line interface (CLI).
NOTE: Although both the console serial port and the management port use RJ-45
connectors, do not plug the network cable into the console serial port.
Management Interface Port
The management interface port is a 10/100/1000 Mbps Ethernet port. In the
configuration and logs, the port is eth0. Use this port as a dedicated management
port, connecting the device to a switch accessible by your management subnet.
The IP address you assign the management port is the IP address you use to connect
to the Appliance Configuration Manager (ACM) when you initially configure the device.
It is also the address the Network and Security Manager (NSM) uses to connect to
the device.
Figure 2 on page 5 shows the management interface port LEDs.
Figure 2: Management Interface Port LEDs
Table 7 on page 5 describes the management interface port LED states.
Table 7: Management Port LEDs
LED
State
Description
LINK
Glows green
Blinks green
Off
Link is present.
Activity.
No link is present.
USB Port
■
5
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
Table 7: Management Port LEDs (continued)
LED
State
Orange
Green
Off
Description
TX/RX
Connection is 1000 Mbps.
Connection is 100 Mbps.
If LINK indicates activity, TX/RX off indicates connection
is 10 Mbps.
If LINK indicates no activity, TX/RX off indicates no activity
as well.
High Availability Interface Port
The high availability interface port is a 10/100/1000 Mbps Ethernet port. In the
configuration and logs, the port is eth1. The high availability interface is a dedicated
interface used to share state information among IDP appliances in a high availability
cluster.
NOTE: IDP 5.0 does not support high availability.
Figure 3 on page 6 shows the management interface port LEDs.
Figure 3: High Availability Interface Port LEDs
Table 8 on page 6 describes the high availability interface port LED states.
Table 8: High Availability Port LEDs
LED
State
Description
LINK
Glows green
Blinks green
Off
Link is present.
Activity.
No link is present.
6
■
High Availability Interface Port
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1: Hardware Overview
Table 8: High Availability Port LEDs (continued)
LED
State
Orange
Green
Off
Description
TX/RX
Connection is 1000 Mbps.
Connection is 100 Mbps.
If LINK indicates activity, TX/RX off indicates connection
is 10 Mbps.
If LINK indicates no activity, TX/RX off indicates no activity
as well.
Traffic Interface Ports
You use the traffic interface ports to connect the appliance to your network. The
interfaces receive and forward traffic. The type and capacity of interface ports vary
by model.
The following topics describe features of traffic interface ports:
■
■
■
■
■
Copper Ports
Figure 4 on page 7 shows copper port LEDs.
Figure 4: Copper Port LEDs
Table 9 on page 8 describes copper port LED states.
Traffic Interface Ports
■
7
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
Table 9: Copper Port LEDs
LED
State
Description
LINK ACT
Glows green
Blinks green
Off
Link is present.
Activity.
No link present.
Connection is 100 Mbps.
Connection is 1 Gbps.
LINK SPD
Green
Yellow
Off
If LINK ACT is on, the connection is 10 Mbps. If LINK ACT
is off, LINK SPD off indicates no link is present as well.
BYP
Green
Yellow
Off
Interface is not in bypass mode.
Interface is in bypass mode.
Interface is turned off (NICs off state).
NOTE: For copper interface ports, if failure or shutdown triggers NICs off state, LINK
ACT and LINK SPD LEDs are turned off.
Fiber Ports
Figure 5 on page 8 shows fiber port LEDs.
Figure 5: Fiber Port LEDs
Table 10 on page 9 describes fiber port LED states.
8
■
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1: Hardware Overview
Table 10: Fiber Port LEDs
LED
State
Description
LINK ACT
Glows green
Flashes green
Off
Link is present.
Activity.
No link present.
Connection is 100 Mbps.
Connection is 1 Gbps.
Connection is 10 Gbps.
LINK SPD
Green
Yellow
Orange
Off
If LINK ACT is on, the connection is 10 Mbps. If LINK ACT
is off, LINK SPD off indicates no link is present as well.
BYP
Green
Yellow
Off
Interface is not in bypass mode.
Interface is in bypass mode.
Interface is turned off (NICs off state).
NOTE: For fiber interface ports, if failure or shutdown triggers NICs off state, LINK
ACT and LINK SPD LEDs remain lit.
Traffic Interface Features
In IDP deployments, pairs of traffic interfaces are implemented as virtual routers.
For example, interface ports eth2 and eth3 form a virtual router vr1. For each virtual
router, you use the Appliance Configuration Manager (ACM) to configure the
deployment mode (sniffer or transparent) and bypass options (internal, external, or
off). The following topics describe these settings:
■
■
■
■
For guidance on using ACM to configure virtual router settings, see the ACM online
help.
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
■
9
IDP250 Installation Guide
Deployment Mode
For each virtual router, you select the deployment mode:
■
Sniffer–In an out-of-path, sniffer mode deployment, the IDP appliance can detect
attacks but can take only limited action. You connect the IDP traffic interfaces
to a mirrored port of a network hub or switch.
■
Transparent–In an in-path, transparent mode deployment, traffic arrives in one
interface and is forwarded through the other. The IDP appliance detects attacks
and takes action according to your security policy rules. You connect the IDP
traffic interfaces to firewalls or switches in the network path.
You can deploy a mix of sniffer and transparent mode virtual routers on the same
IDP appliance.
For more information on deployment mode, see the IDP Concepts and Examples
Guide.
Internal Bypass
The Internal Bypass setting supports network security policies that privilege availability
over security. In the event of failure or graceful shutdown, with internal bypass
configured, the interfaces to enter an internal bypass state. In internal bypass, physical
interfaces join mechanically to form a circuit that bypasses IDP processing. For
example, if you configure internal bypass for vr0, and the IDP appliance encounters
failure or is shut down, eth2 and eth3 join to form a circuit that avoids the IDP engine
and forwards the traffic to the next network hop.
Internal bypass operates through a timing mechanism. When enabled, the timer on
traffic interfaces counts down to a bypass trigger point. When the IDP appliance is
turned on and available, it sends a reset signal to the traffic interface timer so that
it does not reach the bypass trigger point. If the IDP operating system encounters
failure, then it fails to send the reset signal, the timer counts down to the trigger
point, and the traffic interfaces enter a bypass state. If the IDP appliance is shut down
gracefully, the traffic interfaces immediately enter bypass.
Figure 6 on page 11 shows the communications path when a virtual router is in
internal bypass state.
10
■
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1: Hardware Overview
Figure 6: Internal Bypass
When the IDP operating system resumes healthy operations, it sends a reset signal
to the traffic interfaces, and the interfaces resume normal operation.
NOTE: All copper port traffic interfaces support internal bypass. Some, but not all,
fiber port traffic interfaces support internal bypass. Check with your sales contact
for applicable part numbers.
NOTE: Bypass settings are applicable only for deployments where the virtual router
is in the network path—transparent mode deployments.
NOTE: The bypass and PPM features are applied independently. The Internal Bypass
setting is related to the status of the IDP operating system. The peer port modulation
setting is related to the status of the link. It is possible to have a healthy operating
system and a link with status down, or a failed operating system and a link with
status up.
NICs Off
The NICs Off setting supports network security policies that privilege security over
availability. With NICs Off configured, in the event of failure or graceful shutdown,
the interfaces are turned off and the IDP appliance becomes a point of failure. If your
network design includes redundant network paths, you can configure your routers
to detect the downed IDP interfaces and choose an alternate path.
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
■
11
IDP250 Installation Guide
External Bypass
The External Bypass setting supports third-party external bypass units. When the
IDP appliance is turned on and available, it sends NetScreen Redundancy Protocol
(NSRP) heartbeats to the external bypass unit. When the NSRP packets flow, the
external bypass unit allows connections to proceed through the IDP appliance. If IDP
encounters failure or is shut down, it cannot send the NSRP packets. IDP traffic
interfaces enter a bypass state. When the external bypass unit detects this, it forwards
packets around the IDP appliance, according to the rules you configure on the external
Figure 7: Internal Bypass
When the IDP appliance resumes healthy operations, it resumes sending NSRP
packets. The external bypass unit detects this and allows connections to proceed
through the virtual router.
Peer Port Modulation
The peer port modulation (PPM) feature supports deployments where routers monitor
link state to make routing decisions. In these deployments, a router might be set to
monitor link state on only one side of the IDP appliance. Suppose, for example, the
router monitors only the IDP inbound interface. Suppose the inbound interface
remains up but the outbound interface goes down. The router watching the inbound
link would detect an available link and forward traffic to the IDP appliance. Traffic
would be dropped at the point of failure—the outbound link. PPM propagates a link
loss state for one traffic interface to all interfaces in the IDP virtual router.
12
■
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 1: Hardware Overview
When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces
belonging to the same virtual router. If a traffic interface loses link, the PPM process
turns off any associated network interfaces in the same virtual router so that other
network devices detect that the virtual router is down and route around it. For
example, assume you have enabled PPM and configured IDP virtual routers as shown
Figure 8: Peer Port Modulation
Suppose there is a network problem and eth3 goes down. The PPM daemon detects
this and turns off the other interface in vr0: eth2. The interfaces in vr1, vr2, and vr3
are unaffected. After the you fix the problem with eth3, the PPM daemon detects
this, and turns on eth2.
NOTE: The PPM feature is independent of the bypass feature (NIC state setting). PPM
is related to the status of the link, not the status of the IDP operating system. A link
can be down even when the IDP operating system is healthy. Note, however, that
PPM runs as a control plane process and operates only when the IDP appliance is
turned on and the control plane is available. If the IDP operating system is unavailable,
the PPM feature is also unavailable, regardless of the setting for the NIC state.
Layer 2 Bypass
When you configure virtual routers, you have the option of enabling Layer 2 bypass.
When the IDP appliance is turned on and is operating normally, the traffic interfaces
select Layer 3 connections for inspection and process according to security policy
rules.
For Layer 2 connections, the interfaces either select traffic for inspection, drop it, or
pass it through (uninspected), according to the following rules:
■
The interfaces select address resolution protocol (ARP) and internet protocol
(IPv4) traffic for inspection and process according to security policy rules.
■
By default, the interfaces drop all other Layer 2 traffic.
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
■
13
IDP250 Installation Guide
■
If you enable Layer 2 bypass, the interfaces pass through IPv6, internetwork
packet exchange (IPX), Cisco Discovery Protocol (CDP), and interior gateway
routing protocol (IGRP).
■
■
If you enable internal bypass, the interfaces do not pass through NetScreen
Redundancy Protocol (NSRP) packets even if Layer 2 bypass is enabled.
If you enable external bypass, all interfaces pass through the NSRP packets that
are used in communication with the external bypass unit.
14
■
Traffic Interface Ports
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 2
Software Overview
This chapter includes the following topics:
■
■
■
On-Box Software Overview
You use on-box software to get the appliance up and running in the desired
deployment mode, to configure appliance interfaces, and to establish communication
with Network and Security Manager (NSM). You can also use on-box utilities to
manage appliance processes or generate on-box reports.
Table 11 on page 15 summarizes the IDP on-box management software and utilities.
Table 11: IDP On-Box Utilities
Software
Usage
EasyConfig
When you install a new appliance, you can use the EasyConfig script to
assign the appliance an IP address and initialize a simple configuration.
To run the EasyConfig script, connect to the serial port console.
QuickStart
When you install a new appliance, you can use QuickStart to deploy the
appliance with the default virtual router configured in either sniffer or
transparent mode and all configuration defaults.
To access QuickStart, connect to the management interface and open the
QuickStart URL in your browser.
ACM
When you install a new appliance, you can use ACM to configure the network
settings, network interfaces, and user access.
To access ACM, connect to the management interface and open the ACM
URL in your browser.
scio utility
You can use the scio utility to get or set appliance configuration information.
For details, see the IDP Administration Guide.
On-Box Software Overview
Download from Www.Somanuals.com. All Manuals Search And Download.
■
15
IDP250 Installation Guide
Table 11: IDP On-Box Utilities (continued)
Software
Usage
idp.sh utility
You can use the idp.sh utility to start, stop, or get status information on
appliance processes.
For details, see the IDP Administration Guide.
sctop utility
You can use the sctop utility to monitor connection tables and view status.
For details, see the IDP Administration Guide.
bypassStatus
utility
You can use bypassStatus commands to display settings for the daemon
that monitors traffic interface NIC state.
For details, see the IDP Administration Guide.
IDP Reporter
You can use the IDP Reporter to view statistics on attacks IDP has detected
and responded to, as well as application volume tracking (AVT) statistics.
For details, see the IDP Reporter User’s Guide.
Centralized Management with NSM Overview
Juniper Networks Network and Security Manager (NSM) is a central management
server capable of managing hundreds of IDP appliances and other Juniper Networks
devices, such as ScreenOS firewalls, SA Series appliances, and IC Series appliances.
You typically deploy NSM in a management subnet accessible to the NSM-managed
devices.
Figure 9 on page 16 illustrates the flow of information between the tiers of the central
management solution: the NSM user interface, the NSM server, and IDP appliances.
Figure 9: IDP-NSM Communication
The IDP configuration, security policies, attack objects, and log records are stored in
NSM server databases and administered using the NSM user interface. Communication
between the NSM server and IDP appliances, and between the NSM server and the
NSM user interface, is encrypted and authenticated.
16
■
Centralized Management with NSM Overview
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 2: Software Overview
For IDP deployments, centralized management provides the following benefits:
■
■
■
■
■
Centralized management for IDP appliances and other network devices
Consolidated logs from different devices in a single repository
Centralized management of enterprise security policies
Simplified management for attack signature updates
Role-based administration
For information about installing NSM and using NSM distributed management features,
management objects (such as address objects, service objects, and templates), and
navigational and display features, see the NSM documentation.
J-Security Center Updates Overview
The Juniper Networks Security Center (J-Security Center) routinely makes important
updates available to IDP security policy components, including updates to the IDP
detector engine and the NSM attack database.
The IDP detector engine is a dynamic protocol decoder that includes support for
decoding more than 60 protocols and more than 500 service contexts. You should
update IDP detector engine when you first install IDP, whenever you upgrade, and
whenever alerted to do so by Juniper Networks. You can view release notes for
detector engine updates at
The NSM attack database stores data definitions for attack objects. Attack objects
are patterns comprising stateful signatures and traffic anomalies. Security policy
rules direct the IDP engine to inspect traffic for attack objects. We recommend you
schedule automatic updates for the NSM attack database.
For more information about detector engine and attack object updates, see the IDP
Administration Guide.
J-Security Center Updates Overview
Download from Www.Somanuals.com. All Manuals Search And Download.
■
17
IDP250 Installation Guide
18
■
J-Security Center Updates Overview
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
20
■
Performing the Installation
Download from Www.Somanuals.com. All Manuals Search And Download.
Chapter 3
Installation Overview
This chapter includes the following topics:
■
■
Before You Begin
The location of the device, the layout of the mounting equipment, and the security
of your wiring room are crucial for proper system operation.
CAUTION: To prevent abuse and intrusion by unauthorized personnel, install the
appliance in a secure environment.
Observing the following precautions can prevent shutdowns, equipment failures,
and injuries:
■
■
■
■
Before installation, always check that the power supply is disconnected from
any power source.
Ensure that the room in which you operate the device has adequate air circulation
and that the room temperature does not exceed 104°F (40°C).
Do not place the device in an equipment-rack frame that blocks an intake or
exhaust port. Ensure that enclosed racks have fans and louvered sides.
Correct these hazardous conditions before any installation: moist or wet floors,
leaks, ungrounded or frayed power cables, or missing safety grounds.
For a comprehensive presentation on the precautions you must take to prevent
personal injury and damage to the equipment, see the Juniper Networks Security
Products Safety Guide.
Before You Begin
■
21
Download from Www.Somanuals.com. All Manuals Search And Download.
IDP250 Installation Guide
Related Topics
■
Basic Steps
Take the following basic steps to install the appliance and connect it to your network:
1. Read the release notes for your release. Release notes make you aware of
supported and un |