Instruction/ maintenance manual of the product IDP250 Juniper Networks
IDP Series Intrusion Detection and Prevention Appliances IDP250 Installation Guide Release 5.0 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.
END USER LICENSE AGREEMENT READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERW.
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial eff.
agreements relating to the Software, whether oral or written (including any inconsistent terms contained in a purchase order), except that the terms of a separate written agreement executed by an authorized Juniper representative and Customer shall govern to the extent such terms are inconsistent or conflict with terms contained herein.
Table of Contents Preface xi Objectives xi Audience
Part 2 Performing the Installation Chapter 3 Installation Overview 21 Before You Begin 21 Basic Steps
Part 4 Upgrading Software and Installing Field Replaceable Units Chapter 8 Upgrading Software 49 Updating Software (NSM Procedure) 49 Upgrading Software (CLI Procedure)
x ■ Table of Contents IDP250 Installation Guide.
Preface This preface includes the following topics: ■ Objectives on page xi ■ Audience on page xi ■ Documentation Conventions on page xi ■ Related Documentation on page xiii ■ Requesting Tec.
Table 2 on page xii defines text conventions used in this guide. Table 2: Text Conventions Examples Description Convention ■ Issue the clock source command. ■ Specify the keyword exp-msg . ■ Click User Objects ■ Represents commands and keywords in text.
Related Documentation Table 4 on page xiii lists related IDP documentation. Table 4: Related IDP Documentation Description Document Contains information about what is included in a specific product release: supported features, unsupported features, changed features, known problems, and resolved problems.
Table 5: Related NSM Documentation (continued) Description Document Describes how to configure and manage IDP devices using NSM. This guide also helps in understanding of how to configure basic and ad.
■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ ■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ ■ Search technical bulletins for relevant hardware and software notifications: https://www.
Part 1 Hardware and Software Overview ■ Hardware Overview on page 3 ■ Software Overview on page 15
Chapter 1 Hardware Overview This chapter includes the following topics: ■ IDP250 Overview on page 3 ■ Power Supply on page 4 ■ Hard Drive on page 4 ■ Fans on page 4 ■ System Status LEDs on p.
■ Traffic Interface Ports on page 7 ■ IDP250 Technical Specifications on page 59 Power Supply The appliance has one power supply. It is a field replaceable unit (FRU). Related Topics ■ Replacing a Power Supply on page 53 Hard Drive The appliance has one 80 GB hard drive.
USB Port The appliance has a USB port you can use to reimage the appliance, if necessary. Serial Console Port The console serial port provides access, using an RJ-45 connector, to the command-line interface (CLI).
Table 7: Management Port LEDs (continued)
LED | State | Description
TX/RX | Orange | Connection is 1000 Mbps.
TX/RX | Green | Connection is 100 Mbps.
TX/RX | | If LINK indicates activity, TX/RX off indicates connection is 10 Mbps. If LINK indicates no activity, TX/RX off indicates no activity as well.
Table 8: High Availability Port LEDs (continued)
LED | State | Description
TX/RX | Orange | Connection is 1000 Mbps.
TX/RX | Green | Connection is 100 Mbps.
TX/RX | | If LINK indicates activity, TX/RX off indicates connection is 10 Mbps. If LINK indicates no activity, TX/RX off indicates no activity as well.
Table 9: Copper Port LEDs
LED | State | Description
LINK ACT | Glows green | Link is present.
LINK ACT | Blinks green | Activity.
LINK ACT | Off | No link present.
LINK SPD | Green | Connection is 100 Mbps.
LINK SPD | Yellow | Connection is 1 Gbps.
LINK SPD | | If LINK ACT is on, the connection is 10 Mbps. If LINK ACT is off, LINK SPD off indicates no link is present as well.
Table 10: Fiber Port LEDs
LED | State | Description
LINK ACT | Glows green | Link is present.
LINK ACT | Flashes green | Activity.
LINK ACT | Off | No link present.
LINK SPD | Green | Connection is 100 Mbps.
LINK SPD | Yellow | Connection is 1 Gbps.
LINK SPD | Orange | Connection is 10 Gbps.
LINK SPD | | If LINK ACT is on, the connection is 10 Mbps.
Deployment Mode For each virtual router, you select the deployment mode: ■ Sniffer – In an out-of-path, sniffer mode deployment, the IDP appliance can detect attacks but can take only limited action. You connect the IDP traffic interfaces to a mirrored port of a network hub or switch.
Figure 6: Internal Bypass When the IDP operating system resumes healthy operations, it sends a reset signal to the traffic interfaces, and the interfaces resume normal operation. NOTE: All copper port traffic interfaces support internal bypass. Some, but not all, fiber port traffic interfaces support internal bypass.
External Bypass The External Bypass setting supports third-party external bypass units. When the IDP appliance is turned on and available, it sends NetScreen Redundancy Protocol (NSRP) heartbeats to the external bypass unit. When the NSRP packets flow, the external bypass unit allows connections to proceed through the IDP appliance.
When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces belonging to the same virtual router. If a traffic interface loses link, the PPM process turns off any associated network interfaces in the same virtual router so that other network devices detect that the virtual router is down and route around it.
■ If you enable Layer 2 bypass, the interfaces pass through IPv6, internetwork packet exchange (IPX), Cisco Discovery Protocol (CDP), and interior gateway routing protocol (IGRP). ■ If you enable internal bypass, the interfaces do not pass through NetScreen Redundancy Protocol (NSRP) packets even if Layer 2 bypass is enabled.
Chapter 2 Software Overview This chapter includes the following topics: ■ On-Box Software Overview on page 15 ■ Centralized Management with NSM Overview on page 16 ■ J-Security Center Updates Ov.
Table 11: IDP On-Box Utilities (continued) Usage Software You can use the idp.sh utility to start, stop, or get status information on appliance processes. For details, see the IDP Administration Guide . idp.sh utility You can use the sctop utility to monitor connection tables and view status.
For IDP deployments, centralized management provides the following benefits: ■ Centralized management for IDP appliances and other network devices ■ Consolidated logs from different devices in a s.
Part 2 Performing the Installation ■ Installation Overview on page 21 ■ Installing the Appliance to Your Equipment Rack and Connecting Power on page 23 ■ Performing the Initial Network Configura.
Chapter 3 Installation Overview This chapter includes the following topics: ■ Before You Begin on page 21 ■ Basic Steps on page 22 Before You Begin The location of the device, the layout of the mounting equipment, and the security of your wiring room are crucial for proper system operation.
Related Topics ■ Common Criteria EAL2 Compliance on page 63 Basic Steps Take the following basic steps to install the appliance and connect it to your network: 1. Read the release notes for your release. Release notes make you aware of supported and unsupported features, known issues, and fixed issues.
Chapter 4 Installing the Appliance to Your Equipment Rack and Connecting Power This chapter includes the following topics: ■ Rack Mounting Kits and Required Tools on page 23 ■ Mounting to Midmount.
Mounting to Midmount Brackets To mount the appliance using the midmount brackets: 1. Attach one rack-mounting bracket to each side of the chassis with the bracket screws.
Related Topics ■ Rack Mounting Kits and Required Tools on page 23 Mounting to Rack Rails To mount the device to equipment rack rails: 1. Attach the rails to each side of the chassis with the bracket screws. Make sure the hinged brackets are at the back of the device.
2. Connect the other end of the power cable to the electrical outlet.
Chapter 5 Performing the Initial Network Configuration and Licensing Tasks This chapter includes the following topics: ■ Performing the Initial Configuration on page 27 ■ Getting Started with the .
Table 13: Getting Started Configuration Tools Defaults Applied: You Specify: Getting Started Tool ■ Root password: abc123 ■ Fully qualified domain name: Blank ■ RADIUS support: Disabled ■ Netw.
Getting Started with the EasyConfig Wizard (Serial Console Port) We recommend you get started by running the EasyConfig wizard to assign an IP address to the management interface. Then, you can access the ACM Wizard from a remote location to complete the appliance configuration.
Mask: 255.255.255.0 What IP address do you want to configure for the management interface? [192.168.1.1] 7. Type an IP address and press Enter. The following text appears: What netmask do you want to configure for the management interface? [255.255.255.
To get started with the QuickStart wizard: 1. Connect one end of an Ethernet cable to the management interface port and the other end to the Ethernet port of your laptop. 2. On your laptop, open a Web browser. 3. In the browser Address or Location box, enter https://192.
6. Type the default user name (root) and password (abc123). 7. Click ACM to start the ACM wizard. Complete the wizard steps as described in the online Help. Related Topics ■ Performing the Initial Configuration on page 27 Installing the Product License Key IDP 4.
[root@localhost ~] scio lic add lic.txt 9. Run the following scio command to verify you have successfully added the license key: [root@localhost ~] scio lic list [root@localhost ~]# scio lic list ID M.
Chapter 6 Connecting the IDP Traffic Interfaces to Your Network and Verifying Traffic Flow This chapter includes the following topics: ■ Guidelines for Connecting IDP Interfaces to Your Network Devi.
Table 14: Interface Connection Guidelines (continued) Cable Connection Guidelines Port Sniffer Mode – Copper Ports 1. Connect one end of a CAT-5 straight-through cable to a traffic interface port located at the front of the chassis. 2. Connect the other end to the Switched Port Analyzer (SPAN) port of a switch or a hub.
NOTE: IDP75, IDP250, IDP800, and IDP8200 support auto-MDIX. Connecting Devices That Do Not Support Auto-MDIX For connections to a firewall or server, use a crossover cable. For connections to a switch or hub, use a straight-through cable. NOTE: Conventionally, crossover cables have an orange outer jacket.
3. Slide the clip into the transceiver port until it clicks into place. Because the fit is close, you may have to apply some pressure to seat the clip. Apply pressure evenly and gently to avoid clip breakage. To remove a Gigabit Ethernet cable from a transceiver: 1.
Part 3 Adding the IDP Appliance to NSM ■ Adding the IDP Appliance to NSM on page 41
Chapter 7 Adding the IDP Appliance to NSM This chapter includes the following topics: ■ Reviewing Compatibility with NSM on page 41 ■ Adding a Reachable IDP Device to NSM on page 41 Reviewing Compatibility with NSM Review the release notes for information regarding compatibility between your IDP Series release and NSM release.
To import an IDP device with a known IP address: 1. In the NSM navigation tree, select Device Manager > Devices . Figure 12: NSM Add Device Wizard: Add Device 2. Click the + icon and select Device to display the Add Device wizard. 3. Select Device Is Reachable (default) and click Next to display the page where you configure connection settings.
■ Enter the password for the device admin user. You set the password for admin when you ran the ACM Wizard. ■ Enter the password for the device root user. You set the password for root when you ran the ACM Wizard. NOTE: In NSM, passwords are case-sensitive.
5. Log into the IDP command-line interface and verify the SSH key fingerprint. Comparing the SSH key fingerprint information enables you to detect man-in-the-middle attacks: a. Connect to the IDP command-line interface: ■ Use SSH to connect to the IP address or hostname for the management interface.
Figure 16: NSM Add Device Wizard: Add Device Confirmation 8. Click Next to import the configuration from the IDP device. Upon success, NSM displays the following message: Figure 17: NSM Add Device Wizard: Configuration Import Confirmation 9. Click Finish .
Figure 18: NSM Device Manager: Viewing Device Status Related Topics ■ Reviewing Compatibility with NSM on page 41 ■ Basic Steps on page 22
Part 4 Upgrading Software and Installing Field Replaceable Units ■ Upgrading Software on page 49 ■ Installing Field Replaceable Units on page 53 ■ Reimaging the Appliance on page 55 Upgrading So.
Chapter 8 Upgrading Software This chapter includes the following topics: ■ Updating Software (NSM Procedure) on page 49 ■ Upgrading Software (CLI Procedure) on page 51 Updating Software (NSM Procedure) To update IDP software: 1. Add the IDP software to the NSM GUI server.
3. From the Select Software Image list, select the image file you just added to the NSM GUI server. 4. In the Select Devices list, select the IDP devices on which to install the software update.
3. Push a security policy update job to update attack objects in use in your security policy: a. In NSM, select Devices > Configuration > Update Device Config . b. Select devices to which to push the updates and set update job options. c. Click OK .
Next Steps: Download the IDP detector engine and NSM attack database updates to the NSM GUI server: 1. From the NSM main menu, select Tools > View/Update NSM attack database and complete the wizard steps.
Chapter 9 Installing Field Replaceable Units This chapter includes the following topics: ■ Replacing a Power Supply on page 53 Replacing a Power Supply The following procedure applies to models for which the power supply is a field replaceable unit (FRU).
The power supply LED turns amber to indicate that the power supply is receiving power. The LED turns green to indicate that it is receiving power and is giving power to the appliance (only occurs if appliance is on). The high-pitched whine stops and the PS FAIL light on the front of the appliance turns off.
Chapter 10 Reimaging the Appliance This chapter includes the following topic: ■ Reimaging and Relicensing an Appliance on page 55 Reimaging and Relicensing an Appliance The appliance comes with software preinstalled. If needed, you can reinstall the factory image.
Part 5 Technical Specifications and Compliance Statements ■ Technical Specifications on page 59 ■ Compliance Statements on page 61 ■ Common Criteria EAL2 Compliance on page 63 Technical Specific.
Chapter 11 Technical Specifications This chapter includes the following topics: ■ IDP250 Technical Specifications on page 59 IDP250 Technical Specifications Table 15 on page 59 lists physical specifications. Table 15: Physical Specifications Value Specification 1 RU Form Factor 1.
Table 17: Power Cord Specifications Specifications Country ■ UL-approved and CSA-certified ■ Flexible cord minimum spec: No. 18 (1.5 mm2SVT or SJT, 3-conductor ■ Current capacity of 10A minimum .
Chapter 12 Compliance Statements This chapter includes the following topic: ■ Standards Compliance on page 61 Standards Compliance Table 20: Standards Compliance Category ■ UL 60950, Third Edition — Safety of Information Technology Equipment ■ CSA C2.
Chapter 13 Common Criteria EAL2 Compliance This chapter includes the following topics: ■ Common Criteria EAL2 Compliance on page 63 Common Criteria EAL2 Compliance Table 21 on page 63 provides guidelines you must observe to deploy and use the IDP appliance in compliance with the Common Criteria EAL2.
Part 6 Index ■ Index on page 67
Index
Symbols
1998 Class A compliance, 61
A
ACM, 15, 31
ACM Online Help, xiii
adding a device to NSM
LEDs
fault, 4
HA port, 6
hard drive, 4
IDP250