


Chapter 10
Building Blocks for Access Policies and VPNs
This chapter discusses the concepts common to Access Policies and Virtual Private Networks (VPNs). The specific topics discussed are:
· Addresses
· Virtual IP
· Mapped IP
· Users
· Dialup User Groups
· Services
· Service Groups
· Schedules
Addresses
The NetScreen ScreenOS classifies the addresses of all other devices by location and netmask. Trusted addresses are located behind the Trusted interface and appear as green in the WebUI. Untrusted addresses are located behind the Untrusted interface and appear as red. DMZ addresses are located behind the DMZ interface (NetScreen-10 and -100) and appear as brown.
Individual hosts have only a single IP address defined and are represented by a single computer icon in the WebUI. Individual hosts must have a netmask setting of 255.255.255.255 (which masks out all but this host).
Subnets have an IP address and a netmask (for example, 255.255.255.0 or 255.255.0.0) and are represented by multiple computer icons in the WebUI.
Before you can configure Access Policies to permit, deny, or tunnel traffic to and from individual hosts and subnets, you must make entries for them in the Trusted, Untrusted, and DMZ (NetScreen-10 and -100) sections of the NetScreen address book.

Note: You do not have to make address book entries for "Inside Any," "Outside Any," or "DMZ Any." These terms automatically apply to all devices physically located beyond these respective interfaces.

Address Book Entries
Before you can set up many of the NetScreen firewall, VPN, and traffic shaping features, you need to define addresses in the address book. The address book contains the IP addresses or domain names [1] of hosts or subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.
Example: Adding Addresses
In this example, you add the subnet "Santa Clara Eng" with the IP address 192.10.10.0/24 as a Trusted address, and the address www.firenet.com as an Untrusted address.
WebUI
1. Address >> Trusted >> New Address: Enter the following information, and then click OK:
Address Name: Santa Clara Eng
IP Address/Domain Name: 192.10.10.0
Netmask: 255.255.255.0
Trust: (select)
2. Address >> Untrusted >> New Address: Enter the following information, and then click OK:
Address Name: FireNet
IP Address/Domain Name: www.firenet.com
Netmask: 255.255.255.255
Untrust: (select)
CLI
1. set address trust "Santa Clara Eng" 192.10.10.0 255.255.255.0
2. set address untrust www.firenet.com 255.255.255.255
3. save
Example: Modifying Addresses
In this example, you change the address entry for "Santa Clara Eng" to reflect that this subnet has moved to Dallas and has been reassigned the address 192.10.40.0/24.
WebUI
Address >> Trusted >> Edit (for Santa Clara Eng): Change the name and IP address to the following, and then click OK:
Address Name: Dallas Eng
IP Address/Domain Name: 192.10.40.0
CLI
1. unset address trust "Santa Clara Eng"
2. set address trust "Dallas Eng" 192.10.40.0 255.255.255.0
3. save
Note: After you define an address (or an address group) and associate it with an Access Policy, you cannot change the address location to another interface (such as from Trusted to Untrusted). To change its location, you must first disassociate it from the underlying Access Policy.

Example: Deleting Addresses
In this example, you remove the address entry for the subnet "Dallas Eng."
WebUI
Address >> Trusted: Click Remove in the Configure column for Dallas Eng.
CLI
1. unset address trust "Dallas Eng"
2. save
Address Groups
The previous section explained how you create, modify, and delete address book entries for individual hosts and subnets. As you add addresses to the address book, it becomes difficult to manage how Access Policies affect each address entry. NetScreen allows you to create groups of addresses. Rather than manage a large number of address book entries, you can manage a small number of groups. Changes you make to the group are applied to each address entry in the group.

The Address Group option has the following features:
· You can create address groups on the Trusted, Untrusted, or DMZ sides.
· You can create address groups from existing address book entries, or you can create empty address groups and then fill them with entries.
· Address group entries can be used like individual address book entries.
· NetScreen applies Access Policies to each member of the group by creating individual Access Policies for each group member. While you only have to create one Access Policy for a group, NetScreen actually creates an Access Policy for each member in the group (as well as for each service configured for each user). [2]
· When an individual address book entry is deleted from the address book, it is also removed from all groups in which it was referenced.
The following constraints apply:
· Address groups can only contain addresses for one type of interface (Trusted, Untrusted, or DMZ).
· Address names cannot be the same as group names. If the name "Paris" is used for an individual address entry, it cannot be used for a group name.
· If an address group is referenced in an Access Policy, the group cannot be removed. It can, however, be edited.
· When a single Access Policy is assigned to an address group, it is applied to each group member individually, and the NetScreen device makes an entry for each member in the access control list (ACL). If you are not vigilant, it is possible to exceed the number of available Access Policy resources, especially if both the source and destination are address groups.
· You cannot add the predefined addresses: "Outside Any," "Inside Any," "DMZ Any," "All Virtual IPs," and "Dial-Up VPN" to groups.
· The following table lists the group size limits for each platform.
Hardware Platform   Number of Groups                  Members per Group
NetScreen-5         16                                16
NetScreen-10        32                                32
NetScreen-100       64                                64
NetScreen-1000      256 (Root); 8 (Virtual System)    256 (Root); 16 (Virtual System)

Example: Creating an Address Group
In the following example, you create a group named "HQ 2nd Floor" that includes "Santa Clara Eng" and "Tech Pubs," two Trusted addresses that you have already entered in the address book.
WebUI
1. Address >> Trusted >> New Group: Enter the following group name, move the following addresses, and then click OK:
Group Name: HQ 2nd Floor
Group Members << Available Members:
Santa Clara Eng
Tech Pubs
CLI
1. set group address trust "HQ 2nd Floor" add "Santa Clara Eng"
2. set group address trust "HQ 2nd Floor" add "Tech Pubs"
3. save
Example: Editing a Group Address Entry
In this example, you add Support (an address that you have already entered in the address book) to the HQ 2nd Floor address group.
WebUI
1. Address >> Trusted >> Edit (for HQ 2nd Floor): Move the following address, and then click OK:
Group Members << Available Members: Support
CLI
1. set group address trust "HQ 2nd Floor" add Support
2. save
Example: Removing an Address Group Member and a Group
In this example, you remove the member Support from the HQ 2nd Floor address group, and then delete Sales, an address group that you had previously created.
WebUI
1. Address >> Trusted >> HQ 2nd Floor >> Edit: Move the following address, and then click OK:
Group Members >> Available Members: Support
2. Address >> Trusted: Click Remove in the Configure column for Sales.
CLI
1. unset group address trust "HQ 2nd Floor" remove Support
2. unset group address trust Sales
3. save
Note: The NetScreen device does not automatically delete a group from which you have removed all names.
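The following model is an added illustration, not ScreenOS code: it applies the address-group rules listed above (one interface per group, no name collisions between addresses and groups, predefined terms cannot be grouped, per-platform size limits, members dropped when an address is deleted) and estimates how many ACL entries one Access Policy between two groups expands into. The class names and the "Tech Pubs" and "Support" networks are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network

# Predefined terms ScreenOS supplies; the chapter says they cannot be placed in groups.
PREDEFINED = {"Inside Any", "Outside Any", "DMZ Any", "All Virtual IPs", "Dial-Up VPN"}

# (groups, members per group) from the chapter's table, Root system values.
GROUP_LIMITS = {
    "NetScreen-5": (16, 16),
    "NetScreen-10": (32, 32),
    "NetScreen-100": (64, 64),
    "NetScreen-1000": (256, 256),
}


@dataclass
class Address:
    name: str
    interface: str        # "trust", "untrust" or "dmz"
    network: IPv4Network

    @property
    def is_host(self) -> bool:
        # An individual host carries the 255.255.255.255 netmask.
        return self.network.prefixlen == 32


@dataclass
class AddressBook:
    platform: str
    addresses: dict = field(default_factory=dict)   # name -> Address
    groups: dict = field(default_factory=dict)      # name -> (interface, [member names])

    def set_address(self, name, interface, cidr):
        """`set address <interface> <name> <ip> <netmask>`; a bare IP means a /32 host."""
        if name in self.groups or name in PREDEFINED:
            raise ValueError(f"address name {name!r} collides with a group or predefined name")
        self.addresses[name] = Address(name, interface, IPv4Network(cidr, strict=False))

    def add_to_group(self, group, interface, member):
        """`set group address <interface> <group> add <member>` with the chapter's constraints."""
        max_groups, max_members = GROUP_LIMITS[self.platform]
        if member in PREDEFINED:
            raise ValueError(f"{member!r} cannot be added to a group")
        if member not in self.addresses:
            raise KeyError(f"unknown address {member!r}")
        if group in self.addresses:
            raise ValueError(f"group name {group!r} collides with an address name")
        if group not in self.groups:
            if len(self.groups) >= max_groups:
                raise ValueError(f"{self.platform} allows only {max_groups} address groups")
            self.groups[group] = (interface, [])
        group_interface, members = self.groups[group]
        if self.addresses[member].interface != group_interface:
            raise ValueError("a group may only hold addresses from one interface")
        if member not in members:
            if len(members) >= max_members:
                raise ValueError(f"{self.platform} allows only {max_members} members per group")
            members.append(member)

    def unset_address(self, name):
        """`unset address`: the entry is also dropped from every group that referenced it."""
        del self.addresses[name]
        for _interface, members in self.groups.values():
            if name in members:
                members.remove(name)

    def member_count(self, name):
        if name in self.groups:
            return len(self.groups[name][1])
        return 1   # a single address or a predefined term expands to one entry

    def acl_entries(self, src, dst, services=1):
        """ACL entries one Access Policy consumes: the device writes one entry per
        source member x destination member x service, so two groups multiply."""
        return self.member_count(src) * self.member_count(dst) * services
```

A quick way to see whether a planned policy will fit the platform's Access Policy resources before committing it.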

Virtual IP
The Virtual IP (VIP) feature provides network flexibility and security. In a Network Address Translation (NAT) environment, host computers use non-routable IP addresses inside the firewall while maintaining full Internet connection and functionality. This feature gives network administrators flexibility to expand their networks without being constrained by the scarcity of legal IP addresses. In addition, NAT also provides better network security by hiding internal network topology and host information from the outside world.
However, to maintain some Internet services (for example, e-mail, POP3, FTP), a server with a legal IP address must be present to service the requests. VIP allows you to map routable IP addresses to internal servers, thereby providing transparent connections for a NAT network to the Internet. Other benefits of using VIP include:
Scalability: As Internet service demand increases, companies need to improve servers' performance in order to maintain the quality of their services. While upgrading the server to a larger, faster machine generally relieves the short-term pressures, the disruption to services and the prohibitive cost of upgrading quickly make this solution undesirable.
Redundancy: With Virtual IP, servers can be assigned to the same IP address and mirrored to provide High Availability (HA) for network services. Individual servers can also be taken off-line for maintenance without disruption to network traffic.
Reduction in capital cost: Multiple domains and Web servers can be mapped to the same physical server, thus reducing the cost of computer equipment as well as the associated administration tasks.
Flexibility in assigning ports: By setting up Virtual IP (VIP) addresses, you can configure your NetScreen device to route traffic destined for many different IP addresses on the subnet of the Untrusted interface to specific addresses on the Trusted network.

The maximum number of VIPs, and the maximum number of services per VIP that are supported by each NetScreen device are as follows:
Hardware Platform   VIPs   Services/VIP
NetScreen-5         1      64
NetScreen-10        2      64
NetScreen-100       4      8
NetScreen-1000      6      8

Required Information
You need the following information to define a Virtual IP:
· The IP address for the VIP, which must be in the same subnet as the Untrusted interface and can even be the same address as the Untrusted interface [3]
· The port number for communication between the Trusted server and the Untrusted interface on the NetScreen device
· The IP address for the server on the Trusted interface that processes the requests
Example: Configuring Virtual IP Servers
In this example, you configure a VIP at 2.2.2.20 to route inbound HTTP traffic to a pool of two Web servers at 172.16.12.10 and 172.16.12.11. (The Untrusted IP address of the NetScreen-100 is 2.2.2.10/24.) The port number for HTTP is translated from 80 (the standard port number) to 1142.

WebUI
1. Virtual IP >> Virtual IP1 >> Virtual Server IP: Enter the following address, and then click OK:
Virtual IP Address: 2.2.2.20
2. New Service: Enter the following, and then click OK:
Virtual Port: 1142 [4]
Service: HTTP [5]
(NetScreen-100) Load Balance: None
1 Server IP: 172.16.12.10
(NetScreen-100) Server Weight: 1
2 Server IP: 172.16.12.11
(NetScreen-100) Server Weight: 1
CLI
1. set vip 2.2.2.20 1142 http none 172.16.12.10/1
2. set vip 2.2.2.20 1142 http none 172.16.12.11/1
3. save


Example: Editing a VIP Configuration
In this example, you modify the Virtual IP server configuration you just created. In this case, you add an additional server 172.16.12.12.
WebUI
Virtual IP >> Virtual IP1 >> Edit (in the HTTP row): Enter the following, and then click OK:
3 Server IP: 172.16.12.12
(NetScreen-100) Server Weight: 1
CLI
1. set vip 2.2.2.20 1142 http none 172.16.12.12/1
2. save
Example: Removing a VIP Configuration
In this example, you delete the VIP configuration that you just created and modified.
WebUI
Virtual IP >> Virtual IP1 >> Virtual Server IP 2.2.2.20: Click Clear.
CLI
1. unset vip 2.2.2.20
2. save
Note: You cannot edit or remove a Virtual IP entry when existing Access Policies are still associated with it.

Mapped IP
Mapped IP (MIP) is a direct one-to-one mapping of traffic destined for one IP address to another IP address, and is based solely on IP addresses. When the NetScreen device is operating in NAT mode, an MIP provides a means for incoming traffic to reach a private address on the Trusted network. You can configure an MIP address to route traffic destined for an address on the Untrusted subnet to a different address on the Trusted subnet, regardless of the service and corresponding port number involved.
By setting up MIP addresses, you can configure the NetScreen device to route traffic destined for many different IP addresses on the subnet of the Untrusted interface to specific addresses on the Trusted network.

Example: Creating a Mapped IP Address
This example explains how to map incoming traffic destined to the Untrusted IP address 209.122.17.6 to the Trusted IP address 172.16.10.2.

WebUI
Virtual IP >> Mapped IP >> New Entry: Enter the following and then click OK:
Untrusted IP Address: 209.122.17.6
Netmask: 255.255.255.255
Map to IP Address: 172.16.10.2
CLI
1. set mip 209.122.17.6 host 172.16.10.2 255.255.255.255
2. save
Note: You must define an Access Policy allowing the mapped IP address to be accessed. No address book entry is required for a Mapped IP.

You can map an address-to-address or subnet-to-subnet relationship. When a subnet-to-subnet mapped IP configuration is defined, the netmask is applied to both the mapped IP subnet and the original IP subnet.
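The model below is an added illustration, not ScreenOS code, of the two inbound translations described in this section and the previous one: a VIP maps a virtual address and port to a pool of Trusted servers for one service, and a MIP maps an address or subnet one-to-one regardless of port. The Untrusted interface 2.2.2.10/24, the VIP limits and the addresses are the chapter's; the service-port table, the weighted round-robin choice among pool servers and the InboundNat class are assumptions made for the example.

```python
from ipaddress import IPv4Address, IPv4Network

# Untrusted interface of the chapter's NetScreen-100 example.
UNTRUST_IF = IPv4Network("2.2.2.10/24", strict=False)

# (VIPs, services per VIP) from the chapter's table.
VIP_LIMITS = {"NetScreen-5": (1, 64), "NetScreen-10": (2, 64),
              "NetScreen-100": (4, 8), "NetScreen-1000": (6, 8)}

# Standard port of each service name used here (assumed service-book values).
SERVICE_PORTS = {"http": 80, "ftp": 21, "smtp": 25, "pop3": 110}


class InboundNat:
    def __init__(self, platform):
        self.platform = platform
        self.vips = {}    # VIP address -> {virtual port: (service, [(server, weight)])}
        self.mips = []    # [(untrusted network, trusted network)]
        self._next = {}   # (VIP, port) -> position in the weighted server list

    def set_vip(self, vip, vport, service, server, weight=1):
        """`set vip <vip> <port> <service> none <server>/<weight>`, one server per call."""
        vip, server = IPv4Address(vip), IPv4Address(server)
        max_vips, max_services = VIP_LIMITS[self.platform]
        if vip not in UNTRUST_IF:
            raise ValueError(f"{vip} is not in the Untrusted interface subnet {UNTRUST_IF}")
        if vip not in self.vips:
            if len(self.vips) >= max_vips:
                raise ValueError(f"{self.platform} supports only {max_vips} VIP(s)")
            self.vips[vip] = {}
        services = self.vips[vip]
        if vport not in services:
            if len(services) >= max_services:
                raise ValueError(f"{self.platform} allows {max_services} services per VIP")
            services[vport] = (service, [])
        if services[vport][0] != service:
            raise ValueError(f"virtual port {vport} is already mapped to {services[vport][0]}")
        services[vport][1].append((server, weight))

    def unset_vip(self, vip):
        """`unset vip <vip>` removes the VIP together with every service mapped to it."""
        self.vips.pop(IPv4Address(vip), None)

    def set_mip(self, untrusted, trusted, netmask="255.255.255.255"):
        """`set mip <untrusted> host <trusted> <netmask>`; the single netmask applies
        to both sides, so a /24 MIP maps a whole subnet host for host."""
        self.mips.append((IPv4Network(f"{untrusted}/{netmask}", strict=False),
                          IPv4Network(f"{trusted}/{netmask}", strict=False)))

    def translate(self, dst_ip, dst_port):
        """Destination (address, port) after translation, or None if nothing matches."""
        dst_ip = IPv4Address(dst_ip)
        services = self.vips.get(dst_ip, {})
        if dst_port in services:
            service, pool = services[dst_port]
            # Weighted round robin over the pool (an assumption, to show the server weights).
            expanded = [srv for srv, weight in pool for _ in range(weight)]
            i = self._next.get((dst_ip, dst_port), 0)
            self._next[(dst_ip, dst_port)] = (i + 1) % len(expanded)
            return str(expanded[i]), SERVICE_PORTS[service]
        for unet, tnet in self.mips:
            if dst_ip in unet:
                # One-to-one: keep the host bits, swap the network bits, keep the port.
                host_bits = int(dst_ip) - int(unet.network_address)
                return str(tnet.network_address + host_bits), dst_port
        return None
```

Note that a VIP only answers on the virtual ports you mapped, while a MIP forwards every port to the inside host, so the Access Policy on a MIP is what limits exposure.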

Users
NetScreen supports three kinds of users:
· Authentication User - A network user who must provide a user name and password for authentication when initiating a connection across the firewall.
· IKE Dynamic Peer - A VPN user with a dynamically assigned IP address. The user provides his or her identity using an e-mail address, an IP address, or a domain name. The VPN can use either AutoKey IKE with a preshared key or AutoKey IKE with a certificate.
· VPN Dialup User - A VPN user with a dynamically assigned IP address. The VPN uses the manual key method for encryption and/or authentication.
Before traffic from an authentication user can traverse the firewall, and before a VPN user can participate in a VPN, you must create a configuration profile for each one.

Example: Creating Three New Users
In this example, you create the following users:
· An authentication user named Alice with the password "Nd4syt4."
· An IKE dynamic peer named Carol with the ID carol@netscreen.com
· A VPN dialup user named Phil, who is assigned to the dialup user group "Western" and uses 3DES encryption with SHA-1 authentication.

WebUI
1. Users >> Users >> New User: Enter the following, and then click OK:
User Name: Alice
Authentication User: (select)
Authentication Password: Nd4syt4
Confirm Password: Nd4syt4
Status: Enable (select)
2. Users >> Users >> New User: Enter the following, and then click OK:
User Name: Carol
IKE Dynamic Peer: (select)
User Group: None
Identity: carol@netscreen.com
3. Users >> Users >> New User: Enter the following, and then click OK:
User Name: Phil
VPN Dialup User - Manual Key Only: (select)
User Group: Western
Security Index: 1000 (Local); 1001 (Remote)
ESP: (select)
ESP-Encryption-Algorithm: 3DES CBC
Generate Key by Password: 12345678
Authentication Algorithm: SHA-1
Generate Key by Password: 99999999
CLI
1. set user Alice password Nd4syt4
2. set user Carol ike-id carol@netscreen.com
3. set user Carol enable
4. set user Phil dialup 1000 1001 esp 3des pass 12345678 auth sha-1 pass 99999999
5. save
User Authentication
There are a number of different protocols that your NetScreen device can use to verify that a user is who they say they are. These different techniques are discussed in this section.
Internal Database

All NetScreen devices support a built-in user database for authentication. The maximum number of entries supported by each device are:
Platform         Total Number of Entries
NetScreen-5      100
NetScreen-10     500
NetScreen-100    1500
NetScreen-1000   2000

After entering the user name and password in the database, you must create an Access Policy that requires a user to authenticate him or herself when initiating a specified connection (for example, outbound or inbound HTTP, or Telnet traffic). When the user attempts to initiate traffic for which the Access Policy applies, he or she is prompted to enter his or her name and password. Before granting permission, the NetScreen device validates the user name and password by checking them against those stored in the database.
RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a protocol between a network access device and an authentication server. It runs on many kinds of networks and makes large modem pools easy and efficient to manage; its focus is the remote user who needs to dial into the network.
RADIUS uses an authentication server to solve the security problems associated with remote computing. Distributed security separates user authentication and authorization from the communications process and creates a single, central location for user authentication data.
One RADIUS server can support up to tens of thousands of users, making it a very practical service for rapidly growing networks.
The RADIUS client (that is, the NetScreen device) authenticates users through a series of communications between the client and the server. Basically, RADIUS asks the person logging on to enter his or her user name and password. It then compares these values to those in its database, and once a user is authenticated, the client provides the user with access to the appropriate network services.
SecurID
The relationship of NetScreen device and a Security Dynamics Technologies® SecurID® ACE server is similar to that of a NetScreen device and a RADIUS server; that is, the NetScreen device acts as a client, forwarding authentication requests to the external server for approval. SecurID differs from RADIUS in that the user password involves a continually changing string of numbers.

SecurID issues a credit card sized device with an LCD window that displays a randomly generated string of numbers that changes every minute. There is no other information on the card besides the number in the LCD display.

Security Dynamics issues a card and a personal ID number (PIN) to a registered user and maintains the user profile in their database. When the user is prompted to authenticate himself, he enters his name and password, which is his PIN followed by the string of numbers currently displayed on his card. The numbers displayed on the card change every minute. The values that display are generated by an algorithm known only by Security Dynamics. This value is saved to the Security Dynamics database entry for this PIN. When the user to be authenticated enters his PIN and the number on his card, Security Dynamics compares these values to those in the database. If they match, the user is authenticated.
Lightweight Directory Access Protocol

Lightweight Directory Access Protocol (LDAP) is a directory server standard developed by Netscape® to help in authenticating users attempting to connect to networks controlled by directory servers.
LDAP is a client-server protocol for accessing a directory service. It can be used as a front-end to X.500, as a stand-alone protocol, or as a directory server.
LDAP does not require the upper layers of the OSI stack, so it is a simpler protocol to implement (especially in clients), and because LDAP is under IETF change control it can evolve more easily to meet Internet requirements.
The LDAP information model is based on the entry, which contains information about some object (for example, a person). Entries are composed of attributes, which have a type and one or more values. Each attribute has a syntax that determines what kind of values are allowed in the attribute and how those values behave during directory operations.
Examples of attribute syntaxes are for IA5 (ASCII) strings, JPEG photographs, u-law encoded sounds, URLs, and Pretty Good Privacy (PGP) keys.
Dialup User Groups
One of the main reasons organizations use VPNs is to allow remote dialup users to be able to traverse the firewall from anywhere in the world and access their data in a secure environment. The VPN tunnel connection from them to the corporate site assures security as well as access.

To manage a number of remote dialup users, NetScreen enables you to create dialup user groups. Rather than manage each user individually, you can aggregate users into a group. Changes you make to the group are then propagated to each group member. The examples that follow illustrate how to create new dialup user groups and then add users to them. Other examples show how to remove members from a group and move members from one group to another.
Example: Defining a New Dialup User Group
In this example, you define a new dialup user group named Tahoe.
WebUI
Users >> Dialup Group >> New Group: Enter the following, and then click OK:
Dialup Group Name: Tahoe
CLI
1. set dialup-group tahoe
2. save
Example: Adding a Member to a Dialup User Group
In this example, you add a user named Fred to the dialup user group Tahoe.
WebUI
Users >> Users >> Edit (for the user named Fred): Select the following, and then click OK:
VPN Dialup User: (select)
User Group: Tahoe
CLI
1. set dialup-group tahoe + Fred
2. save
Example: Removing an Existing Group Member
In this example, you delete Phil from the Tahoe dialup user group.
WebUI
Users >> Users: Click Remove (for Phil).
CLI
1. set dialup-group Tahoe - Phil
2. save
Example: Moving a Group Member to Another Group
In this example, you move Phil from the dialup user group Tahoe to the group Santa Cruz.
WebUI
1. Users >> Users >> Edit (for Phil): Enter the following, and then click OK:
VPN Dialup User: Select
User Group: Santa Cruz
CLI
1. set dialup-group Tahoe - Phil
2. set dialup-group "Santa Cruz" + Phil
3. save
Services
Services are types of IP traffic for which protocol standards exist. Each service has a port number associated with it, such as 21 for FTP and 23 for Telnet.
The illustration below shows the services supported in ScreenOS 2.5. For information on each service, hold your cursor over the service icon. In this illustration, the mouseover information block is displayed for X-Windows.

When you create an Access Policy, you must specify a service for it. You can select one of the pre-configured services from the service book, or a custom service or service group that you created. You can see which services you can use in an Access Policy by examining the Service drop-down list in the Policy Configuration dialog box (WebUI), or by using the get service command (CLI).
The following section provides examples for viewing the service book and for creating, modifying, and deleting custom services.
Example: Viewing the Service Book
In this example, you view the predefined and custom services in the service book.
WebUI
1. Service >> Pre-defined
2. Service >> Custom
CLI
get service
The output from the CLI is similar to that shown below.

Example: Adding a Custom Service
To add a custom service to the service book, you need the following information:
· A name for the service, in this example "Corporate"
· A range of source port numbers valid for the service. For example, 1500-10000.
· A range of destination port numbers to receive the service request; for example, 15000-25000.
· Whether the service uses TCP or UDP protocol, or some other protocol as defined by the Internet specifications. In this example, the protocol is TCP
WebUI
Service >> Custom >> New Service: Enter the following, and then click OK:
Service Name: Corporate
Source Port Low: 1500
Source Port High: 10000
Destination Port Low: 15000
Destination Port High: 25000
Transport: TCP
CLI
1. set service Corporate + protocol tcp src-port 1500-10000 dst-port 15000-25000
2. set service Corporate + timeout 30
3. save
Example: Modifying a Custom Service
In this example, you change a custom service. In this case, the Transport becomes UDP, and the Source Port range changes to 1 through 1000.
In the CLI, the set service <name> clear command removes the definition of a custom service without removing the service from the service book, so you can then define it again.
WebUI
1. Service >> Custom: Enter the following and then click OK:
Service Name: Corporate
Source Port Low: 1
Source Port High: 1000
Destination Port Low: 15000
Destination Port High: 25000
Transport: UDP
CLI
1. set service Corporate clear
2. set service Corporate + protocol udp src-port 1-1000 dst-port 15000-25000
3. save
Example: Removing a Custom Entry
In this example, you remove the custom service "Corporate."
WebUI
Service >> Custom: Click Remove in the Configure column for "Corporate."
CLI
1. unset service Corporate
2. save
Service Groups
A service group is a set of services that you have gathered together under one name. After you create a group containing several services, you can then apply services at the group level to Access Policies, thus simplifying administration.
The NetScreen service group option has the following features:
· Each service book entry can be referenced by one or more service groups.
· Each service group can contain pre-defined and user-defined service book entries.
· Each service group can be referenced by other service groups, providing that a group referencing other groups does not include itself in the reference list.
Service groups are subject to the following limitations:
· Service groups cannot have the same names as services; therefore, if you have a service named "FTP," you cannot have a service group named "FTP."
· If a service group is referenced in an Access Policy, you can edit the group but you cannot remove it until you have first removed the reference to it in the Access Policy.
· If a custom service book entry is deleted from the service book, the entry is also removed from all the groups in which it was referenced.
· The all-inclusive service term "ANY" cannot be added to groups.
· The following table lists the number of service groups supported by platform.
Hardware Platform   Number of Groups                  Number of Members
NetScreen-5         16                                16
NetScreen-10        32                                32
NetScreen-100       64                                64
NetScreen-1000      256 (Root); 8 (Virtual System)    64 (Root); 16 (Virtual System)

Example: Creating a Service Group
This example illustrates how you create a service group named Wiget that contains the IKE, FTP, and LDAP services.
WebUI
1. Service >> Custom >> New Group: Enter the following, move the following services, and then click OK:
Group Name: Wiget
Group Members << Available Members:
IKE
FTP
LDAP
CLI
1. set group service Wiget
2. set group service Wiget add ike
3. set group service Wiget add ftp
4. set group service Wiget add ldap
5. save
Note: If you attempt to add a service to a service group that does not exist, the NetScreen device creates the group. Also, ensure that groups referencing other groups do not include themselves in the reference list.
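As an added illustration (not ScreenOS code), the service book below holds a constructed subset of predefined services plus the custom services and groups described in this section, and resolves a group, including groups nested in groups, to the concrete services an Access Policy would match. It enforces the rules stated above: a service and a group cannot share a name, ANY cannot be grouped, predefined entries cannot be changed or removed, a deleted custom entry leaves every group, a group created on first use is kept when emptied, and a group can never come to reference itself. The ServiceBook class and the "Office" group are assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str         # "tcp" or "udp"
    src_ports: tuple      # (low, high), inclusive
    dst_ports: tuple

    def matches(self, protocol, sport, dport):
        return (protocol == self.protocol
                and self.src_ports[0] <= sport <= self.src_ports[1]
                and self.dst_ports[0] <= dport <= self.dst_ports[1])


class ServiceBook:
    def __init__(self):
        # A constructed subset of the predefined entries, using the standard ports.
        self.services = {
            "FTP": Service("FTP", "tcp", (0, 65535), (21, 21)),
            "HTTP": Service("HTTP", "tcp", (0, 65535), (80, 80)),
            "IKE": Service("IKE", "udp", (0, 65535), (500, 500)),
            "LDAP": Service("LDAP", "tcp", (0, 65535), (389, 389)),
        }
        self.predefined = set(self.services)   # cannot be modified or removed
        self.groups = {}                       # group -> [member service or group names]

    def set_service(self, name, protocol, src_ports, dst_ports):
        """`set service <name> + protocol <p> src-port a-b dst-port c-d` (custom only)."""
        if name in self.groups:
            raise ValueError(f"{name!r} is a service group name")
        if name in self.predefined:
            raise ValueError(f"predefined service {name!r} cannot be modified")
        self.services[name] = Service(name, protocol, src_ports, dst_ports)

    def unset_service(self, name):
        """`unset service <name>`; the entry is also dropped from every group."""
        if name in self.predefined:
            raise ValueError(f"predefined service {name!r} cannot be removed")
        del self.services[name]
        for members in self.groups.values():
            if name in members:
                members.remove(name)

    def _reaches(self, group, target):
        # Does `group` reference `target`, directly or through nested groups?
        for member in self.groups.get(group, []):
            if member == target or (member in self.groups and self._reaches(member, target)):
                return True
        return False

    def add_to_group(self, group, member):
        """`set group service <group> add <member>`; the group is created on first use."""
        if group in self.services:
            raise ValueError(f"{group!r} is already a service name")
        if member.upper() == "ANY":
            raise ValueError("ANY cannot be added to a service group")
        if member not in self.services and member not in self.groups:
            raise KeyError(f"unknown service or group {member!r}")
        if member == group or (member in self.groups and self._reaches(member, group)):
            raise ValueError(f"adding {member!r} would make {group!r} reference itself")
        members = self.groups.setdefault(group, [])
        if member not in members:
            members.append(member)

    def remove_from_group(self, group, member):
        """`unset group service <group> remove <member>`; an emptied group is kept."""
        self.groups[group].remove(member)

    def expand(self, name):
        """Flatten a service or group name to the set of concrete services."""
        if name in self.services:
            return {name}
        expanded = set()
        for member in self.groups[name]:
            expanded |= self.expand(member)
        return expanded

    def matches(self, name, protocol, sport, dport):
        """Would this traffic match the service or group an Access Policy names?"""
        return any(self.services[s].matches(protocol, sport, dport)
                   for s in self.expand(name))
```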

Example: Modifying a Service Group
Although you cannot modify any of the pre-defined NetScreen services, you can modify existing user-defined custom services and service groups.
In this example, you change the members of the user-defined service group Wiget from IKE, FTP, and LDAP to HTTP, FINGER, IMAP, and H.323.
WebUI
Service >> Custom >> Edit (for Wiget): Move the following services, and then click OK:
Group Members >> Available Members:
IKE
FTP
LDAP
Group Members << Available Members:
HTTP
FINGER
IMAP
H.323
CLI
1. clear group service Wiget
2. set group service Wiget add http
3. set group service Wiget add finger
4. set group service Wiget add imap
5. set group service Wiget add h.323
6. save
Example: Deleting a Service
Although you cannot remove any of the pre-defined NetScreen services, you can remove existing user-defined custom services and service groups.
In this example, you delete HTTP from the service group Wiget.
WebUI
Service >> Custom >> Edit (for Wiget): Move the following service, and then click OK:
Group Members >> Available Members:
HTTP
CLI
1. unset group service Wiget remove http
2. get service Wiget
3. save
Example: Deleting a Service Group
In this example, you delete the service group Wiget.
WebUI
Service >> Custom: Click Remove (for Wiget).
CLI
1. unset group service Wiget
2. save
Note: The NetScreen device does not automatically delete a group from which you have removed all members.

Schedules
A schedule is a configurable object that you can associate with one or more Access Policies to define when they are in effect. Through the application of schedules, you can control network traffic flow and enforce network security.
When you define a schedule, enter values for the following parameters:
Schedule Name: The name that appears in the Schedule drop-down list in the Policy Configuration dialog box. Choose a descriptive name to help you identify the schedule. The name must be unique and is limited to 19 characters.
Comment: Any additional information that you want to add.
Recurring: Enable this when you want the schedule to repeat on a weekly basis.
Start and End Times: You must configure both a start time and an end time. You can specify up to two time periods within the same day.
Once: Enable this when you want the schedule to start and end only once.
mm/dd/yyyy hh:mm: You must enter both start and stop dates and times.
Example: Recurring Schedule
In this example, there is a short-term employee named Tom who is using the company's Internet access for personal pursuits after work. You create a schedule for non-business hours that you can then associate with an Access Policy to deny outbound TCP/IP traffic from that worker's computer (10.10.4.5/24) outside of regular business hours.
WebUI
1. Schedule >> New Schedule: Enter the following, and then click OK:
Schedule Name: After Hours
Comment: For non-business hours
Recurring: (select)
Period 1:
Week Day    Start Time   End Time
Sunday      00:00        23:59
Monday      00:00        06:00
Tuesday     00:00        06:00
Wednesday   00:00        06:00
Thursday    00:00        06:00
Friday      00:00        06:00
Saturday    00:00        23:59

Period 2:
Week Day    Start Time   End Time
Sunday      17:00        23:59
Monday      17:00        23:59
Tuesday     17:00        23:59
Wednesday   17:00        23:59
Thursday    17:00        23:59
Friday      17:00        23:59
Saturday    17:00        23:59

2. Address >> Trusted >> New Address: Enter the following, and then click OK:
Address Name: Tom
IP Address/Domain Name: 10.10.4.5
Netmask: 255.255.255.255
Comment: Temp
Location: Trust
3. Policy >> Outgoing: New Policy: Enter the following, and then click OK:
Name: No Net
Source Address: Tom
Destination Address: Outside Any
Service: HTTP
Action: Deny
Schedule: After Hours
CLI
1. set schedule "after hours" recurrent sunday start 00:00 stop 23:59
2. set schedule "after hours" recurrent monday start 00:00 stop 06:00 start 17:00 stop 23:59
3. set schedule "after hours" recurrent tuesday start 00:00 stop 06:00 start 17:00 stop 23:59
4. set schedule "after hours" recurrent wednesday start 00:00 stop 06:00 start 17:00 stop 23:59
5. set schedule "after hours" recurrent thursday start 00:00 stop 06:00 start 17:00 stop 23:59
6. set schedule "after hours" recurrent friday start 00:00 stop 06:00 start 17:00 stop 23:59
7. set schedule "after hours" recurrent saturday start 00:00 stop 23:59 comment "for non-business hours"
8. set address trust tom 10.10.4.5 255.255.255.0 "temp"
9. set policy outgoing tom outside-any http deny schedule "after hours"
10. save
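The parser below is an added illustration, not ScreenOS code: it reads the set schedule lines of the After Hours example above (reproduced here as sample input), keeps the one or two start/stop periods the chapter allows per weekday, decides whether a policy bound to the schedule is in effect at a given moment, and flags policies that reference a schedule no set schedule line defines. The function names and the extra "weekend" policy line used in testing are assumptions for the example.

```python
import shlex
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday",
        "friday", "saturday", "sunday"]          # datetime.weekday() order

# The chapter's After Hours configuration, reproduced as sample input.
AFTER_HOURS_CLI = [
    'set schedule "after hours" recurrent sunday start 00:00 stop 23:59',
    'set schedule "after hours" recurrent monday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent tuesday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent wednesday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent thursday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent friday start 00:00 stop 06:00 start 17:00 stop 23:59',
    'set schedule "after hours" recurrent saturday start 00:00 stop 23:59 comment "for non-business hours"',
    'set address trust tom 10.10.4.5 255.255.255.0 "temp"',
    'set policy outgoing tom outside-any http deny schedule "after hours"',
]


def _minutes(hhmm):
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def parse_schedules(lines):
    """{schedule name: {weekday: [(start, stop), ...]}} in minutes since midnight."""
    schedules = {}
    for line in lines:
        tokens = shlex.split(line)            # keeps "after hours" as a single token
        if tokens[:2] != ["set", "schedule"] or "recurrent" not in tokens:
            continue
        name = tokens[2]
        at = tokens.index("recurrent")
        day = tokens[at + 1].lower()
        if day not in DAYS:
            raise ValueError(f"unknown weekday {day!r}: {line}")
        periods, i = [], at + 2
        while i + 3 < len(tokens) and tokens[i] == "start" and tokens[i + 2] == "stop":
            start, stop = _minutes(tokens[i + 1]), _minutes(tokens[i + 3])
            if stop < start:
                raise ValueError(f"stop time precedes start time: {line}")
            periods.append((start, stop))
            i += 4                            # anything after the pairs (e.g. comment) is ignored
        if not 1 <= len(periods) <= 2:        # both times are required; at most two periods a day
            raise ValueError(f"expected one or two start/stop pairs: {line}")
        schedules.setdefault(name, {})[day] = periods
    return schedules


def policy_schedules(lines):
    """Schedule names referenced by `set policy ... schedule <name>` lines."""
    names = set()
    for line in lines:
        tokens = shlex.split(line)
        if tokens[:2] == ["set", "policy"] and "schedule" in tokens:
            names.add(tokens[tokens.index("schedule") + 1])
    return names


def undefined_schedules(lines):
    """Schedules that policies bind to but no `set schedule` line defines."""
    return policy_schedules(lines) - set(parse_schedules(lines))


def is_active(schedules, name, when):
    """True if policies bound to schedule `name` are in effect at `when`
    (a datetime or an ISO 8601 string). Ends are inclusive to the minute."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    day = DAYS[when.weekday()]
    now = when.hour * 60 + when.minute
    return any(start <= now <= stop for start, stop in schedules[name].get(day, []))
```

Running undefined_schedules over a saved configuration is a cheap check that every scheduled policy really has a schedule behind it.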
Notes:
[1] Before you can use domain names for address book entries, you must configure the NetScreen device for Domain Name System (DNS) services.
[2] Because NetScreen applies Access Policies to address group members automatically, you do not have to create them one by one for each address. Furthermore, NetScreen writes these Access Policies to the ASIC, which makes lookups run very fast.
[3] On the NetScreen-5, the Untrusted interface can receive its Untrusted IP address dynamically via DHCP or PPPoE. If you want to use a VIP in such a situation, do either of the following: In the WebUI (Virtual IP >> Virtual Server IP >> Click here to configure), select the Same as the Untrusted IP address option when setting up the VIP; in the CLI, use the set vip untrust-ip command.
[4] Using non-standard port numbers adds another layer of security: scans that probe only the standard port numbers for services will not find the service there.
[5] When initially configuring a VIP, you can only map one service at a time. For example, if you are mapping six services to a Virtual IP, you must enter each one individually.



NetScreen Technologies Inc.
http://www.netscreen.com
Voice: (408) 730-6000
Fax: (408) 730-6100
sales@netscreen.com