
Juniper Presentation

Date post: 06-Mar-2016
Upload: jaisingla


Transcript
  • Instructor: Jai A Singla

  • IDN Netscreen Firewall
    - Filtering/screening traffic between Verizon Business and Verizon Core Networks
    - Firewall policies are similar to an access list
    - WebUI or CLI

  • Primary Firewall: hlbfw1
    - IP: 166.44.55.118
    - WebUI: https://hlbfw1.mcilink.com
    - CLI: SSH to hlbfw1

  • Redundant Firewall: pymfw1
    - IP: 166.35.110.22
    - WebUI: https://pymfw1.mcilink.com
    - CLI: SSH to pymfw1

  • SSH to Netscreen (CLI)
    - Hummingbird Connectivity 9.0 - MCI-Hosts - SSH - SSH Template

  • CLI Commands
    Juniper uses get rather than show. However, we have aliased show into the netscreens with the following:
      set alias show "get"
      set alias sh "get"
      set alias sho "get"

  • Security Zones
    - Creates security zones
    - The security zones regulate inbound and outbound traffic via policies
    - The security zones are logical to a physical interface
    - There are pre-defined zones and you can also create zones
    - Pre-defined zones = trust, untrust, DMZ
    - To permit traffic to flow from zone to zone, you bind an interface to the zone

  • Policies
    - NetScreen devices secure a network by inspecting, and then allowing or denying, all connection attempts from one security zone to another
    - Through the creation of policies, you can control the traffic flow from zone to zone
    - Define the types of traffic permitted to pass from specified sources to specified destinations at scheduled times
    - For any traffic to pass from one zone to another, there must be a policy that permits it

    ***By default, a NetScreen device denies all traffic in all directions

  • A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points
    Required Elements:
    - Direction: the direction of traffic between two security zones (from a source zone to a destination zone)
    - Source address: the address from which traffic initiates
    - Destination address: the address to which traffic is sent
    - Service: the type of traffic
    - Action: permit, deny, or tunnel

    Every policy has an ID number, whether you define one or the NetScreen automatically assigns it. You can only define an ID number for a policy through the set policy command in the CLI: set policy id number

  • Policy Example
    The policy stated in the following CLI command permits FTP traffic from any address in the Trust zone to an FTP server named server1 in the Untrust zone:

      set policy from trust to untrust any server1 ftp permit

    - Direction: from trust to untrust (that is, from the Trust zone to the Untrust zone)
    - Source Address: any (that is, any address in the Trust zone; the term any stands for a predefined address that applies to any address in a zone)
    - Destination Address: server1 (a user-defined address in the Untrust zone address book)
    - Service: ftp (File Transfer Protocol)
    - Action: permit (the NetScreen device permits this traffic to traverse its firewall)

  • Services
    - Services are objects that identify application protocols using layer 4 information such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP
    - The ScreenOS includes predefined core Internet services
    - Can define custom services
    - Can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted

  • Netscreen Process Incoming Packet
    - Checks the incoming interface/source zone
    - Performs SCREEN operation (anomalous behavior)
    - Performs session lookup
      - If the packet matches an existing session, perform operation
      - If the packet does not match an existing session, go to the next step
    - MIP/VIP -> Host IP
    - Performs route lookup
    - Checks destination interface/destination zone
    - Performs policy lookup
    - Checks policy (Permit/Deny)
    - NAT
    - If permitted, it creates a session and performs the operation
    - If denied, it is dropped

  • Procedures
    - User opens ticket for suspected filter problem or network issues between Verizon Core and VzB
    - ENOC2L investigates
      - Checks the firewall policy
      - Contact the 4th Level IDN On-Call for any possible Netscreen problems, filter issues, or changes

    ***Only 4th Level IDN is allowed to make changes on the Netscreen at this time***

  • Filter Requests
    - ALL filter requests from Verizon Core sites to VzB need to go through http://faas.verizon.com/
    - Verizon Core FAAS will then contact VzB for any possible filter issues on the VzB side
    - Users are opening firewall tickets on the IDN side
      - Check IDN filter requests and implementations
      - Verify they have opened a filter request on the Verizon Core side
    - To open a firewall request on the VzB IDN side, the customer must go to http://netconnect.mcilink.com
      - Click on Service Request
      - Click on Filter & External Project Requests
      - Click on Filter Change Request Form
      - Fill out the form and be as specific as possible

  • Logging
    - When you enable logging in a policy, the NetScreen device logs all connections to which that particular policy applies
    - You can view the logs through either the WebUI or CLI
    - In the WebUI, click Reports > Policies > (for the policy whose log you want to see)
    - In the CLI, use the get log traffic policy id_num command

  • Enable Logging
    - Go to WebUI
    - Click on Policies
    - Locate the correct policy number
    - Click on Edit
    - Click/check the box next to Logging
    - Optional: at session beginning
    - Go to policy

  • Show config include
    Example:
      sh config | include 166.37.217.172
      set address Trust "166.37.217.172/32" 166.37.217.17 255.255.255.255 "OMZESMOH5.mcilink.com"
        (associating to trust zone; quotes = name associated to ip)
      set policy id 67 name "ONEVIEW #13272" from "Untrust" to "Trust" "Any" "166.37.217.172/32" "TCP-8700" permit count
        (from verizon to idn; any verizon source ip to
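The policy elements, the "Netscreen Process Incoming Packet" steps and the `sh config | include` output above fit together in one small model. The following is an added example written for this page, not code from the slides or from Juniper: it parses `set address` and `set policy` lines in the format the slide shows, then walks a packet through session lookup, route lookup (destination zone), first-match policy lookup and the implicit default deny. The configuration, route table, address ranges, policy names and the service table are all constructed for the example; SCREEN checks, MIP/VIP and NAT are left out.

```python
"""Added example: a small model of the NetScreen policy lookup (not ScreenOS code)."""
import ipaddress
import re
import shlex
from dataclasses import dataclass

# Constructed sample configuration using documentation address ranges (not real hosts).
SAMPLE_CONFIG = """\
set address Trust "192.0.2.10/32" 192.0.2.10 255.255.255.255 "app-server (constructed)"
set address Untrust "203.0.113.0/24" 203.0.113.0 255.255.255.0 "partner-net (constructed)"
set policy id 67 name "EXAMPLE #1" from "Untrust" to "Trust" "203.0.113.0/24" "192.0.2.10/32" "TCP-8700" permit log count
set policy id 68 from "Trust" to "Untrust" "Any" "Any" "FTP" permit
"""

# Constructed route table (most specific first): destination network -> zone of the egress interface.
ROUTES = [(ipaddress.ip_network("192.0.2.0/24"), "Trust"),
          (ipaddress.ip_network("0.0.0.0/0"), "Untrust")]

# A few predefined services (simplified); "TCP-<port>" / "UDP-<port>" names are treated as custom services.
PREDEFINED = {"FTP": ("tcp", 21), "TELNET": ("tcp", 23), "SMTP": ("tcp", 25), "HTTP": ("tcp", 80)}


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    log: bool


def parse_config(text):
    """Return (address_book, policies) from `set address` / `set policy` lines."""
    book, policies = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)           # shlex keeps quoted names such as "EXAMPLE #1" together
        if tok[:2] == ["set", "address"]:
            zone, name, ip, mask = tok[2:6]
            book[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif tok[:2] == ["set", "policy"]:
            pid = int(tok[tok.index("id") + 1])
            f = tok.index("from")         # layout: from <zone> to <zone> <src> <dst> <service> <action> [options]
            src, dst, service, action = tok[f + 4:f + 8]
            policies.append(Policy(pid, tok[f + 1], tok[f + 3], src, dst, service, action, "log" in tok[f + 8:]))
    return book, policies


def service_matches(service, proto, dport):
    """Service objects identify traffic by protocol and layer-4 port."""
    if service.upper() == "ANY":
        return True
    m = re.fullmatch(r"(TCP|UDP)-(\d+)", service, re.IGNORECASE)
    if m:
        return (proto, dport) == (m.group(1).lower(), int(m.group(2)))
    return PREDEFINED.get(service.upper()) == (proto, dport)


def address_matches(book, zone, name, ip):
    """'Any' is the predefined address covering every address in the zone."""
    if name.upper() == "ANY":
        return True
    net = book.get((zone, name))
    return net is not None and ip in net


def zone_for(ip):
    """Route lookup: the zone of the interface the matching route points out of."""
    for net, zone in ROUTES:
        if ip in net:
            return zone
    return None


def process_packet(book, policies, sessions, src_ip, dst_ip, proto, dport, src_zone):
    """Walk the slide's packet flow and return (action, policy id or None)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    key = (src_ip, dst_ip, proto, dport)
    if key in sessions:                   # existing session: apply it, no policy lookup
        return "permit", sessions[key]
    dst_zone = zone_for(dst)              # route lookup -> destination interface/zone
    for p in policies:                    # policies are checked in order; first match wins
        if ((p.src_zone, p.dst_zone) == (src_zone, dst_zone)
                and address_matches(book, p.src_zone, p.src, src)
                and address_matches(book, p.dst_zone, p.dst, dst)
                and service_matches(p.service, proto, dport)):
            if p.action == "permit":
                sessions[key] = p.pid     # permitted: create the session
            return p.action, p.pid
    return "deny", None                   # no matching policy: default deny in all directions


if __name__ == "__main__":
    book, policies = parse_config(SAMPLE_CONFIG)
    sessions = {}
    for pkt in [("203.0.113.5", "192.0.2.10", "tcp", 8700, "Untrust"),
                ("192.0.2.10", "203.0.113.5", "tcp", 8700, "Trust"),
                ("192.0.2.10", "203.0.113.5", "tcp", 21, "Trust")]:
        print(pkt, "->", process_packet(book, policies, sessions, *pkt))
```

The second packet in the demo shows the unidirectional point from the policy slide: policy 67 permits TCP-8700 from Untrust to Trust, so a new TCP-8700 flow started from the Trust side is dropped by the default deny unless a separate Trust-to-Untrust policy exists.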

  • show log traffic
    show log traffic dst-ip 166.37.217.172
    Example:
      show log traffic dst-ip 166.37.217.172
      PID 91, from Untrust to Trust, src 131.146.128.0/20 131.146.144.0/22, dst Any, service ANY, action Permit
      Total traffic entries matched under this policy = 64
      ==================================================================================
      Date       Time     Duration Source IP      Port Destination IP Port Service       Xlated Src IP  Port Xlated Dst IP  Port ID
      ==================================================================================
      2006-05-30 18:36:11 0:01:29  131.146.128.20 1659 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1659 166.37.217.172 8700
      2006-05-30 18:36:07 0:01:25  131.146.128.20 1663 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1663 166.37.217.172 8700
    *******Output cut off, go to netscreen for full output
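Reading the traffic log by hand works for a handful of entries, but the slide notes that the real output is cut off at 64 matches. As an added example (written for this page, not code from the slides or from Juniper), the following parser turns the `show log traffic` output above into records that can be counted and filtered. The sample text is the slide's own output, with the column layout taken from its header line; the policy summary, the "Total traffic entries matched" line and the entry lines are each matched by their own pattern. The ID column is empty in the slide's entries, so it is parsed as optional.

```python
"""Added example: parser for the ScreenOS `get log traffic` output shown on the slide."""
import re
from collections import Counter

# Sample text copied from the slide's output (policy summary, total, header, two entries).
SAMPLE_LOG = """\
PID 91, from Untrust to Trust, src 131.146.128.0/20 131.146.144.0/22, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 64
==================================================================================
Date Time Duration Source IP Port Destination IP Port Service Xlated Src IP Port Xlated Dst IP Port ID
==================================================================================
2006-05-30 18:36:11 0:01:29 131.146.128.20 1659 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1659 166.37.217.172 8700
2006-05-30 18:36:07 0:01:25 131.146.128.20 1663 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1663 166.37.217.172 8700
"""

HEADER_RE = re.compile(r"^PID (\d+), from (\S+) to (\S+), src (.+?), dst (.+?), service (\S+), action (\S+)$")
TOTAL_RE = re.compile(r"^Total traffic entries matched under this policy = (\d+)$")
# One entry per line.  The Service column can contain spaces ("TCP PORT 8700"), so it is
# matched lazily and the fixed columns after it anchor the match; the trailing ID is optional.
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\d+:\d{2}:\d{2}) "
    r"(\S+) (\d+) (\S+) (\d+) (.+?) (\S+) (\d+) (\S+) (\d+)(?: (\d+))?$")


def duration_seconds(text):
    """Convert the log's 'h:mm:ss' duration to seconds."""
    h, m, s = (int(x) for x in text.split(":"))
    return h * 3600 + m * 60 + s


def parse_traffic_log(text):
    """Return {'policy': {...}, 'total_matched': int, 'entries': [dict, ...]}."""
    result = {"policy": None, "total_matched": None, "entries": []}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pid, src_zone, dst_zone, src, dst, service, action = m.groups()
            result["policy"] = {"id": int(pid), "from": src_zone, "to": dst_zone,
                                "src": src.split(), "dst": dst, "service": service, "action": action}
            continue
        m = TOTAL_RE.match(line)
        if m:
            result["total_matched"] = int(m.group(1))
            continue
        m = ENTRY_RE.match(line)
        if m:
            g = m.groups()
            result["entries"].append({
                "date": g[0], "time": g[1], "duration": duration_seconds(g[2]),
                "src_ip": g[3], "src_port": int(g[4]), "dst_ip": g[5], "dst_port": int(g[6]),
                "service": g[7], "xlated_src": (g[8], int(g[9])), "xlated_dst": (g[10], int(g[11])),
                "id": int(g[12]) if g[12] else None,   # missing on the slide's (cut-off) entries
            })
    return result


def top_sources(entries, n=5):
    """Sessions per source IP, most active first: a quick check of who is hitting the policy."""
    return Counter(e["src_ip"] for e in entries).most_common(n)


if __name__ == "__main__":
    parsed = parse_traffic_log(SAMPLE_LOG)
    print("policy", parsed["policy"]["id"], "matched", parsed["total_matched"], "entries shown", len(parsed["entries"]))
    print("top sources:", top_sources(parsed["entries"]))
```

On the firewall itself the same information is only available as text, so a parser like this is the usual first step before correlating the entries with a filter ticket or checking whether the hits on a policy come from the expected source range.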

  • The TLS 1.0 option should NOT be checked in your Internet Explorer settings. Please follow the instructions below before connecting to the site to assure that this setting is correct.
    - Open Internet Explorer
    - Select Tools
    - Select Internet Options
    - Select the Advanced tab
    - Scroll down to the Security section
    - Locate the TLS 1.0 option and assure it is NOT checked

  • Open your browser and go to https://vzbgw.mcilink.com

  • You will be prompted to log in with your OneWorld Number (not User ID) and OneWorld Password (instructions on how to locate this information are below)

  • Once you see the following page, you are successfully connected to the Verizon Business Network and may close the window and begin accessing Verizon Business resources.

  • Open your browser and go to https://OneWorld.mcilink.com
    - Select "To edit your contact information, please click here"

  • Your OneWorld number is located in the banner of the next page

  • If you do not know your OneWorld password:
    - Open your browser and go to https://OneWorld.mcilink.com
    - Select Password Reset and follow the instructions
