http://kb.juniper.net/InfoCenter/index?page=content&id=KB4214&actp=search&viewlocale=en_US&searchid=1296236314942

Summary:
Configuring the Juniper Firewall Traffic Log (Policy Log)
Problem or Goal:

Solution:
Juniper Firewalls provide traffic logs to monitor and record the traffic that policies permit across the firewall. A traffic log notes the following elements for each session:
  • Date and time that the connection started
  • Source address and port number
  • Translated source address and port number
  • Destination address and port number
  • The duration of the session
  • The service used in the session

To log all traffic that a Juniper firewall device receives, you must enable the logging option for all policies.

To log specific traffic, enable logging only on policies that apply to that traffic.

The firewall generates logs when sessions end. However, beginning with ScreenOS 5.2.0, you also have the option to start logging at session initiation. Logging at session initiation does not show the duration, but it can be useful for troubleshooting.

Note: There are three ways to view the logs:

To configure the Juniper Firewall Traffic Log, perform the following steps:

Step one: Open the WebUI. For assistance, see KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.


Step two: From the ScreenOS options menu, click Policies.

Image of step two

Step three: In the From and To drop-down menus, select the desired zones. For example, in the From drop-down menu, select Trust; in the To drop-down menu, select Untrust.

Image of step three and four

Step four: Click New or Edit.

Step five:  Click to select Logging.


Image of step five

By checking the first box, the security device generates logs when sessions end. By checking 'at Session Beginning', the security device generates logs when sessions start. If both are selected, you get both entries.
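The two entry types are easiest to understand when you correlate them: a start entry carries no duration, an end entry does, and a start entry with no matching end entry means the session is still open (or the end entry was never captured). The following is an added example, not part of the KB article; the one-line layout of the sample entries is the example's own, carrying the fields the KB lists, and is not ScreenOS's actual "get log traffic" output format.

```python
import re

# Constructed sample entries for this example. The layout below is the example's
# own (it carries the fields the KB lists), NOT ScreenOS's real log format.
SAMPLE_LOG = """\
2008-04-15 10:34:01 start src=192.168.1.2:5000 xlate=10.10.6.200:1025 dst=168.126.63.1:53 svc=DNS
2008-04-15 10:34:02 start src=192.168.1.3:6000 xlate=10.10.6.200:1026 dst=10.10.0.1:80 svc=HTTP
2008-04-15 10:34:03 end src=192.168.1.2:5000 xlate=10.10.6.200:1025 dst=168.126.63.1:53 svc=DNS dur=2
2008-04-15 10:35:10 end src=192.168.1.4:7000 xlate=10.10.6.200:1027 dst=10.10.0.1:443 svc=HTTPS dur=40
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<kind>start|end) src=(?P<src>\S+) xlate=(?P<xlate>\S+) "
    r"dst=(?P<dst>\S+) svc=(?P<svc>\S+)(?: dur=(?P<dur>\d+))?$"
)


def parse_entries(text):
    """Parse one entry per line; a start entry never carries a duration."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        e = m.groupdict()
        e["dur"] = int(e["dur"]) if e["dur"] is not None else None
        if e["kind"] == "start" and e["dur"] is not None:
            raise ValueError(f"start entry with a duration: {line!r}")
        entries.append(e)
    return entries


def correlate(entries):
    """Pair start and end entries of the same session.

    Returns (paired, unclosed, unopened):
      paired   - (start, end) tuples
      unclosed - start entries with no end entry yet (still open, or end entry lost)
      unopened - end entries with no start entry (session-initiation logging was
                 off, or the start entry predates the captured window)
    """
    open_sessions = {}
    paired, unopened = [], []
    for e in entries:
        key = (e["src"], e["xlate"], e["dst"], e["svc"])
        if e["kind"] == "start":
            open_sessions[key] = e
        elif key in open_sessions:
            paired.append((open_sessions.pop(key), e))
        else:
            unopened.append(e)
    return paired, list(open_sessions.values()), unopened


def summarize(text):
    """Compact view of the correlation result for review or assertions."""
    paired, unclosed, unopened = correlate(parse_entries(text))
    return {
        "paired": [(s["src"], s["dst"], e["dur"]) for s, e in paired],
        "unclosed": [s["src"] for s in unclosed],
        "unopened": [e["src"] for e in unopened],
    }


if __name__ == "__main__":
    for k, v in summarize(SAMPLE_LOG).items():
        print(k, v)
```

With both logging options enabled, every session should show up in `paired`; a steady stream of `unopened` entries tells you the "at Session Beginning" box is off on some policy, and long-lived `unclosed` entries are the sessions worth looking at while they are still active.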

Step six:   Click OK.

Note: You can view traffic logs stored in flash storage on the Juniper firewall device through either the CLI or WebUI. You may also open or save the file to the location you specify, and then use an ASCII text editor (such as Notepad or WordPad) to view the file. Alternatively, you can send them to an external storage space, or include traffic logs with event logs sent by email to an administrator. To view the traffic logs through the WebUI, perform the following:

Step seven:   To view the Traffic Logs from the ScreenOS options menu, click Reports, and then select Policies.  To view the Traffic Logs from the CLI, enter the command get log traffic <options>.

Purpose:
Troubleshooting
Related Links:
Posted by 노을지기

Objects > Addresses > List > New: Enter the following, then click OK:
Address Name: addr_1
IP Address/Domain Name:
IP/Netmask: (select), 10.2.2.5/32
Zone: Untrust


Posted by 노을지기
Firewall configuration practice with a Juniper NetScreen (NS-5GT)

2008/04/15 10:341

Juniper NetScreen (NS-5GT) Soft Reset (factory reset)

Source: http://blog.naver.com/ilmare0569/8005075517

If there is a problem, let me know by comment or email and I will delete it.


1) Console access: connect with HyperTerminal

login: netscreen
password: *********
ns5gt-> unset all                
Erase all system config, are you sure y/[n] ? y
ns5gt-> reset            
Configuration modified, save? [y]/n   n
Save System Configuration  ...
Done
System reset, are you sure? y/[n]   y
In reset ...

NetScreen NS-5GT Boot Loader Version 2.1.0 (Checksum: 61D07DA5)                                                              
Copyright (c) 1997-2003 NetScreen Technologies, Inc.                                                   

Total physical memory: 128MB
    Test - Pass
    Initialization.... Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk                                                  
Done! (size = 5,439,488 bytes)
Ignore image authentication!

Start loading...
.................................................................                                                                
.................................................................                                                                
.....................
Done.

Juniper Networks, Inc                    
NS-5GT System Software                     
Copyright, 1997-2004                   

Version 5.0.0r11.1
Load Manufacture Information ... init manufacture info Done
Load NVRAM Information ... (5.0)Done
Install module init vectors
allocating 33558528 bytes for memory disk
Formatting RAM disk...

Initialize FBTL.... Done
Initial port mode trust-untrust(1)
Install modules (007e85d8,00cd15b0) ... load dns table . Done

Initializing DI 1.1.0-ns
b371fc011100101f
System config (843 bytes) loaded
.
Done.
Load System Configuration ......................................................
...........Done
system init done..
login: trust interface change state to Up
System change state to Active(1)


login:   <-- when this message appears, success!!!


2) Telnet access

C:\> telnet 192.168.1.1
Remote Management Console
login: netscreen
password: *********
ns5gt->
ns5gt-> unset all
Erase all system config, are you sure y/[n] ?   y
ns5gt-> reset
Configuration modified, save? [y]/n   n
System reset, are you sure? y/[n]   y
In reset ...

호스트에 대한 연결을 잃었습니다.
C:>
C:\> telnet 192.168.1.1  <-- try connecting again.
Remote Management Console
login:   <-- when this message appears, success!!!


Juniper NetScreen (NS-5GT) Hard Reset (factory reset)

Configuration Erasure Process has been initiated.  <-- appears when you press the reset switch
Waiting for 2nd confirm  <-- appears after holding the switch for about 5-6 seconds
2nd push has been confirmed.  <-- appears when you release the switch and press it again
Configuration Erase sequence accepted, unit reset.  <-- appears after holding it for about 5-6 seconds

If the messages below appear, success!!!!

 

NetScreen NS-5GT Boot Loader Version 2.1.0 (Checksum: 61D07DA5)                                                              
Copyright (c) 1997-2003 NetScreen Technologies, Inc.                                                   

Total physical memory: 128MB
    Test - Pass
    Initialization.... Done

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...                                                       
Done! (size = 5,439,488 bytes)
Ignore image authentication!

Start loading...
.................................................................                                                                
.................................................................                                                                
.................................................................                                                                
.....................
Done.

Juniper Networks, Inc
NS-5GT System Software
Copyright, 1997-2004

Version 5.0.0r11.1
Load Manufacture Information ... init manufacture info Done
Load NVRAM Information ... (5.0)Done
Install module init vectors
allocating 33558528 bytes for memory disk
Formatting RAM disk...

Initialize FBTL.... Done
Initial port mode trust-untrust(1)
Install modules (007e85d8,00cd15b0) ... load dns table . Done

Initializing DI 1.1.0-ns
b371fc011100101f
*********************************************************
System time: 23 Nov 2007 23:10:58
If this is the initial device startup,
use the "set clock" command to set the system clock.
*********************************************************
system init done..
login: trust interface change state to Up
System change state to Active(1)

login:   <-- when this message appears, success!!!

 

Summary of Juniper Networks NetScreen (NS5GT) configuration

Console management access and commands: HyperTerminal

login/pass : netscreen/netscreen

set interface untrust ip 10.10.6.200/16

set interface trust ip 192.168.1.1/24

set interface trust dhcp server enable

set interface trust dhcp server ip 192.168.1.2

set interface trust dhcp server ip 192.168.1.3

set interface trust dhcp server option netmask 255.255.255.0

set interface trust dhcp server option gateway 10.10.0.1

set interface trust dhcp server option dns1 168.126.63.1

get interface trust dhcp server ip    <-- check DHCP client status

get route    <-- check the routing table

unset route 0.0.0.0/0

set route 0.0.0.0/0 interface untrust gateway 10.10.0.1

get route

set arp 192.168.1.1 00089f2c801c untrust    <-- a wrong ARP entry was learned, so the MAC address for 192.168.1.1 is set manually

Tab key: autocompletion
?: help

Web management access and commands
https://192.168.1.1
ID/PASS : netscreen/netscreen


Posted by 노을지기

Juniper NetScreen NS-025-005 VPN/Firewall reset example and translation

2009.10.26 09:55 | Juniper Networks | 김광호

http://kr.blog.yahoo.com/kgh57150/2461 

Source: I could not leave a comment because I do not have a Yahoo account.

If there is a problem, send me an email or a comment and I will delete it.



Juniper Networks NetScreen-Security Manager system takes a new approach to network and security management by providing IT departments with an easy-to-use centralized management solution that controls all aspects of the Juniper Networks Firewall / IPSec VPN and IDP products including device configuration, network settings, and security policy. Unlike some solutions that require the use of multiple management tools to control a single device, NetScreen-Security Manager enables IT departments to control the entire device life cycle with a single, centralized solution. Using the NetScreen-Security Manager system, device technicians, network administrators, and security administrators can work together to improve management efficiency and security, reduce overhead, and lower operating costs.

The NetScreen-Security Manager system uses Juniper Networks Statistical Report Server, an optional module for storing statistical information from the managed firewall / IPSec VPN devices in the network, and for generating reports from this data, enabling further viewing and analysis of the information about a security deployment. From the Statistical Report Web Interface, customers can choose from a selection of over 40 reports to view and analyze network traffic, device and VPN statistics, system resources, and other administrative information. Customers can also customize templates for commonly used reports, and generate these on a regularly scheduled basis.

*** Boot log ***

Ignore image authentication!

Start loading...
.........................................................................................................
Done.



Juniper Networks, Inc
Copyright, 1997-2006

Version 5.4.0r8.0
Load Manufacture Information ... Done
Load NVRAM Information ... (5.4.0)Done
Install module init vectors
Verify ACL register default value (at hw reset) ... Done
Verify ACL register read/write ... Done
Verify ACL rule read/write ... Done
Verify ACL rule search ... Done
MD5("a") = 0cc175b9 c0f1b6a8 31c399e2 69772661
MD5("abc") = 90015098 3cd24fb0 d6963f7d 28e17f72
MD5("message digest") = f96b697d 7cb7938d 525a2f31 aaf161d0
Verify DES register read/write ... Done
Install modules (00e40000,01a7c9b4) ...
load dns table : dns table file does not exist.

Initializing DI 1.1.0-ns
System config (4284 bytes) loaded
.
Done.
Load System Configuration .........................................................................................................................................................................................................................................................................................................................................................................................................................................Done
system init done..

login: 0096082006000909 <---- enter the unit's serial number
password:  <---- enter the unit's serial number

!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y

!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset ...
?
NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.

Total physical memory: 128MB
Test - Pass
Initialization - Done

Model Number: NS-25

Hit any key to run loader
Hit any key to run loader
Hit any key to run loader
Hit any key to run loader

Loading default system image from on-board flash disk...

Ignore image authentication!

Start loading...
.........................................................................................................
Done.



Juniper Networks, Inc
Copyright, 1997-2006

Version 5.4.0r8.0
Load Manufacture Information ... Done
Load NVRAM Information ... (5.4.0)Done
Install module init vectors
Verify ACL register default value (at hw reset) ... Done
Verify ACL register read/write ... Done
Verify ACL rule read/write ... Done
Verify ACL rule search ... Done
MD5("a") = 0cc175b9 c0f1b6a8 31c399e2 69772661
MD5("abc") = 90015098 3cd24fb0 d6963f7d 28e17f72
MD5("message digest") = f96b697d 7cb7938d 525a2f31 aaf161d0
Verify DES register read/write ... Done
Install modules (00e40000,01a7c9b4) ...
load dns table : dns table file does not exist.

Initializing DI 1.1.0-ns
*********************************************************
System time: 
If this is the initial device startup,
use the "set clock" command to set the system clock.
*********************************************************
system init done..
login: netscreen  <---- default password after the reset
password: netscreen  <---- default password after the reset

ns25-> get system  <---- command that shows the system status

Product Name: NetScreen-25
Serial Number: , Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r8.0, Type: Firewall+VPN
Compiled by build_master at: Thu Nov 15 16:51:45 PST 2007
Base Mac:
File Name: ns50ns25.5.4.0r8.0, Checksum: 2252f3a0


Date 10/26/2009 10:44:58, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 4 minutes 19 seconds Since 26Oct2009:10:40:39
Total Device Resets: 1, Last Device Reset at: 10/26/2009 10:39:35

System in NAT/route mode.

Use interface IP, Config Port: 80
User Name: netscreen

Interface ethernet1:
description ethernet1
number 0, if_info 0, if_index 0, mode nat
link down, phy-link down
vsys Root, zone Trust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 192.168.1.1/24 mac
*manage ip 192.168.1.1, mac
route-deny disable
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet2:
description ethernet2
number 5, if_info 1040, if_index 0, mode nat
link down, phy-link down
vsys Root, zone DMZ, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac
*manage ip 0.0.0.0, mac
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet3:
description ethernet3
number 6, if_info 1248, if_index 0, mode route
link down, phy-link down
vsys Root, zone Untrust, vr trust-vr
dhcp client disabled
PPPoE disabled
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac
*manage ip 0.0.0.0, mac
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Interface ethernet4:
description ethernet4
number 7, if_info 1456, if_index 0
link down, phy-link down
vsys Root, zone Null, vr untrust-vr
admin mtu 0, operating mtu 1500, default mtu 1500
*ip 0.0.0.0/0 mac
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps


ns25-> ?   <---- works like HELP
clear clear dynamic system info
delete delete persistent info in flash
exec exec system commands
exit exit command console
get get system information
mtrace multicast traceroute from source to destination
ping ping other host
reset reset system
save save command
set configure system parameters
trace-route trace route
unset unconfigure system parameters
ns25->



** Home Page **

Nuri Infra Co., Ltd. ((주) 누리인프라)

www.hardwarebank.net 

www.hwbank.co.kr   


sales@hwbank.co.kr

** site **

http://kr.blog.yahoo.com/kgh57150

http://blog.paran.com/hardwarebank
http://club.paran.com/club/home.do?clubid=hardwarebank

http://blog.danawa.com/hardwarebank

http://blog.daum.net/hardwarebank/?_top_blogtop=go2myblog
http://cafe.daum.net/hardwarebank

http://blog.naver.com/kkh57150
http://cafe.naver.com/hardwarebank.cafe

http://blog.empas.com/kgh57150/ 

Yahoo Gugi (야후 거기)

Hardware Bank or Nuri Infra Co., Ltd.

http://kr.gugi.yahoo.com/detail/detailInfo/DetailInfoAction.php?cid=2633928447&p=%C7%CF%B5%E5%BF%FE%BE%EE%B9%F0%C5%A9


http://www.reviewist.co.kr/review/list.php?rg_id=1&rc_id=1


Posted by 노을지기