NetScreen JNCIS-FWV Study Guide

1. Introduction .... 6
1.1. Exam Information .... 6
1.2. Exam Content .... 7
2. Basic Firewall/VPN Operations .... 9
2.1. NetScreen Firewall Systems .... 9
2.1.1. NS500 .... 9
2.1.2. NS5000 .... 11
2.2. Interfaces .... 14
2.2.1. Security Interfaces .... 16
2.2.2. Functional Interfaces .... 16
2.2.3. Tunnel Interfaces .... 17
2.3. Advanced Interfaces .... 17
2.3.1. Subinterfaces .... 17
2.3.2. Aggregate Interfaces .... 18
2.3.3. Redundant Interfaces .... 18
2.3.4. Virtual Security Interfaces .... 19
2.4. Zones .... 19
2.4.1. Security Zones .... 21
2.4.2. Function Zones .... 22
2.5. Virtual Routers .... 23
2.5.1. Static Routes .... 23
2.6. Security Policies .... 27
2.6.1. Interzone Policies .... 28
2.6.2. Intrazone Policies .... 29
2.6.3. Global Policies .... 29
2.6.4. Policy Configuration Order .... 30
2.7. Network Address Translation .... 30
2.7.1. Interface NAT .... 31
2.7.2. Policy NAT-src .... 31
2.7.3. DIPs .... 32
2.7.4. Policy NAT-dst .... 33
3. VPNs .... 43
3.1. PKI .... 43
3.1.1. Digital Certificates .... 43
3.1.2. Certificate Authorities .... 43
3.1.3. Certificate Revocation .... 44
3.1.4. Configuring Digital Certificates on a NetScreen .... 44
3.2. IKE .... 45
3.2.1. Modes .... 46
3.2.2. Proposals .... 47
3.3. IPSec .... 47
3.3.1. Protocols .... 47
3.3.2. Encapsulation .... 48
3.3.3. Perfect Forward Secrecy .... 48
3.3.4. Proposals .... 48
3.3.5. Proxy-IDs .... 48
3.4. Policy-Based VPNs .... 49
3.5. Route-Based VPNs .... 49
3.6. IPSec Packet Flow .... 51
3.7. Dynamic Peers .... 54
3.8. Hub and Spoke VPNs .... 55
3.8.1. Back-to-Back VPNs .... 58
3.8.2. VPNs using the NHTB .... 60
3.9. Overlapping VPN Networks .... 64
3.10. VPN Monitoring .... 66
3.10.1. Rekey .... 67
3.10.2. Optimisation .... 67
3.11. VPN Groups .... 67
3.11.1. Priorities .... 68
3.12. VPN Troubleshooting .... 69
3.12.1. IKE .... 69
3.12.2. Security Associations .... 72
3.12.3. Common VPN Errors .... 73
3.13. Review Questions .... 78
3.13.1. Review Answers .... 83
4. Network Management .... 88
4.1. Local Management .... 88
4.2. Remote Management .... 88
4.3. Manage/r IPs .... 88
4.3.1. Manage IPs .... 88
4.3.2. Manager IPs .... 90
4.4. Management Methods .... 90
4.4.1. CLI .... 91
4.4.2. WebUI .... 92
4.4.3. NSM .... 93
4.5. User Privileges .... 93
4.5.1. Root User .... 93
4.5.2. Root System Write/Read Users .... 94
4.5.3. Root System Read Only Users .... 94
4.5.4. Virtual System Write/Read Users .... 94
4.5.5. Virtual System Read Only Users .... 94
4.6. Firewall Logs .... 94
4.6.1. Self Log .... 95
4.6.2. Event Log .... 95
4.6.3. Traffic Log .... 98
4.7. Counters .... 98
4.7.1. Flow Counters .... 98
4.7.2. Screen Counters .... 99
4.7.3. Hardware Counters .... 100
4.7.4. Policy Counters .... 101
4.8. SYSLOG .... 101
4.9. SNMP .... 102
4.10. Traffic Alarms .... 104
4.11. Review Questions .... 105
4.11.1. Review Answers .... 108
5. Troubleshooting Traffic Flows .... 110
5.1. Debugging .... 110
5.1.1. The Debug Buffer .... 110
5.2. Snoop .... 111
5.2.1. Activating Snoop .... 111
5.2.2. Filtering with Snoop .... 111
5.2.3. Snoop Output .... 113
5.3. Flow Filters .... 114
5.3.1. Using Flow Filters .... 115
5.3.2. Flow Filter Output .... 117
5.4. Session Information .... 121
5.5. Review Questions .... 122
5.5.1. Review Answers .... 128
6. Traffic Management .... 132
6.1. Interface Bandwidth .... 132
6.2. Policies and Bandwidth Management .... 132
6.2.1. Priority Queuing .... 133
6.2.2. Guaranteed Bandwidth .... 134
6.2.3. Maximum Bandwidth .... 134
6.2.4. DSCP .... 135
6.3. Review Questions .... 135
6.3.1. Review Answers .... 138
7. Virtual Systems .... 140
7.1. Creating Virtual Systems .... 140
7.1.1. Administration .... 141
7.1.2. Sharing .... 142
7.1.3. Exporting and Importing .... 143
7.2. Traffic Sorting .... 144
7.2.1. Self Traffic .... 144
7.2.2. Through Traffic .... 144
7.2.3. VLAN-based Classification .... 146
7.2.4. IP-based Classification .... 147
7.3. InterVSYS Communication .... 148
7.3.1. Routing .... 148
7.3.2. Policies .... 148
7.4. Review Questions .... 148
7.4.1. Review Answers .... 150
8. NSRP .... 152
8.1. Clustering .... 152
8.2. VSD Groups .... 153
8.2.1. VSIs .... 153
8.2.2. Priorities .... 153
8.2.3. Preempt Option .... 154
8.2.4. States .... 154
8.2.5. Heartbeat Messages .... 155
8.3. Active/Passive .... 156
8.4. Synchronisation .... 157
8.4.1. Synchronising Configurations .... 157
8.4.2. Synchronising Files .... 158
8.4.3. Run-Time Objects .... 158
8.4.4. Synchronising Time .... 159
8.5. HA Interfaces .... 160
8.5.1. Control Messages .... 160
8.5.2. Data Messages .... 160
8.5.3. Link Probes .... 160
8.6. Active/Active .... 161
8.7. Failover .... 164
8.7.1. Failover Monitoring .... 164
8.8. Review Questions .... 166
8.8.1. Review Answers .... 169
1. Introduction
Juniper Networks' Certified Internet Specialist in Firewall and VPN (JNCIS-FWV) is a new certification stream within the Juniper Networks Technical Certification Program (JNTCP). The exam is derived from the previous NCSP (NetScreen Certified Security Professional) certification and focuses on advanced configuration and troubleshooting of NetScreen firewall appliances and systems.
This study guide aims to familiarise you with advanced NetScreen configuration and administration and to provide the theoretical and practical training needed to obtain your JNCIS-FWV certification.
Disclaimer: While this study guide was written to assist you in preparing for
the JNCIS-FWV exam, it does not guarantee that you will pass it. The author
has tried their darndest to ensure it includes all the relevant content that is
covered by the exam; you will have to study rigorously in order to understand
and remember it all (and there is plenty to remember).
1.1. Exam Information
The exam is structured around:
• 75 multiple choice questions
• 90 minutes completion time
• A pass grade of 70 out of a possible 100
Some questions only require one answer, but others will require multiple
answers (e.g. select the best 3 answers). However, not all questions will
specify how many answers you need to select! If you only select 2 answers
when the question requires 3 (no, it doesn't warn you that you haven't
selected enough – silly I know), you will get that question wrong. Make sure
you check the bottom left-hand corner of the screen. That is where it will
list how many answers you need to select.
The exam is regarded as "difficult", and it is recommended that candidates have at least 1 year of experience with NetScreen firewall products.
All questions relating to configuration examples and command syntax are based on the Command Line Interface (CLI). There are no questions or multiple-choice answers based on the Web User Interface (WebUI).
The exam is generally based on the ScreenOS version 5.0.x firmware.
Although this study guide and its accompaniments are self-contained (and hopefully all you need to pass the exam), additional resources are available to assist your studies:
Juniper's NetScreen Concepts and Examples ScreenOS Reference Guide v5.0.0:
http://www.juniper.net/techpubs/software/screenos/screenos5x/
Juniper ScreenOS Knowledgebase:
https://www.juniper.net/customers/support/NetScreen_kb/
And worst case, if you need references on standards or a certain technology in general, remember: Google is your best friend (www.google.com). This guide will not attempt to cover the detailed theory of the diverse range of technologies that the product taps into. It is assumed that you understand those technologies, or can quickly pick them up if need be.
1.2. Exam Content
JNCIS-FWV focuses on 7 specific areas of the NetScreen firewall products:
1. Basic Firewall/VPN Operations:
NetScreen firewall system specifications (NS500 and NS5000 series), virtual router configuration, advanced routing (static routing only), security zones, interfaces (sub, aggregate, tunnel and redundant), security policies, packet flows and network address translation.
2. VPNs:
PKI, IKE, IPSec, policy-based and route-based VPNs, dynamic peers, NHTB, hub and spoke VPNs, VPN groups and advanced VPN troubleshooting.
3. Network Management:
Local and remote administration configuration, securing administration traffic, user privileges, management IP addresses, logging (self, event and traffic), counters, SYSLOG and SNMP.
4. Troubleshooting with Debug/Snoop:
Configuring, using and understanding debug output from Flow Filters and Snoop.
5. Traffic Management:
Interface bandwidth, policy guaranteed bandwidth and maximum bandwidth, priority queues and DSCP.
6. Virtual Systems:
Virtual System creation, administration, sharing of virtual routers and zones, importing and exporting interfaces, intraVSYS routing and policies, and traffic sorting (IP classification and VLANs).
7. NSRP