This chapter describes various management methods and tools, ways to secure administrative traffic, and the administrative privilege levels that you can assign to admin users:
Management Methods and Tools
The management methods and the tools with which to apply each method are presented in the following sections:
- HTTPS using Secure Sockets Layer (SSL)
- NetScreen-Global Manager
For administrative ease and convenience, you can use the Web user interface (WebUI). NetScreen devices use Web technology that provides a Web-server interface to configure and manage the software.
To use the WebUI, you must have the following:
· Netscape® Communicator® (version 4.5 or later) or Microsoft® Internet Explorer (version 5 or later)
· TCP/IP network connection to the NetScreen device
|
Note: For a complete description of WebUI, refer to the NetScreen WebUI Reference Guide.
|
With a standard Web browser you can access, monitor, and control your network security configurations remotely using the Hypertext Transfer Protocol (HTTP).
You can secure HTTP traffic by either encapsulating it in a virtual private network (VPN) tunnel or through the Secure Sockets Layer (SSL) protocol. You can also secure it by completely separating management traffic from network user traffic. You can run all administrative traffic through the MGT interface (NetScreen-1000) or devote an interface such as the DMZ (NetScreen-10 and -100) entirely to administrative traffic.
Secure Sockets Layer (SSL) is a set of protocols that can provide a secure connection between a Web client and server communicating over a TCP/IP network. NetScreen ScreenOS provides:
· SSL version 3 compatibility
· Netscape Navigator 4.7x and Internet Explorer 5.x compatibility[1]
· Public Key Infrastructure (PKI) key management integration
SSL is not a single protocol, but consists of the SSL Handshake Protocol (SSLHP), which allows the server and client to authenticate each other and negotiate an encryption method, and the SSL Record Protocol, which provides basic security services to higher-level protocols such as HTTP.
Independent of application protocol, SSL uses TCP to provide secure service. SSL uses certificates to authenticate first the server or both the client and the server, and then encrypt the traffic sent during the session. Before using SSL, you must first create a public/private key pair and then load a certificate. Because SSL is integrated with PKI key/certificate management, you can select the SSL certificate from one of the certificates in the certificate list. You can also use the same certificate for a VPN.
NetScreen supports the following encryption algorithms for SSL:
· RC4 with 40-bit and 56-bit keys
· DES: Data Encryption Standard
NetScreen supports the same authentication algorithms for SSL as for VPNs: Message Digest version 5 (MD5) and Secure Hash Algorithm version 1 (SHA-1). The RC4 algorithms are always paired with MD5; DES and 3DES with SHA-1.
When you type the IP address for managing the NetScreen device in your browser's URL field, change "http" to "https", and follow the IP address with a colon and the HTTPS (SSL) port number (for example, https://123.45.67.89:1443).
Advanced administrators can attain finer control by using the command line interface (CLI). To configure a NetScreen device with the CLI, you can use any software that emulates a VT100 terminal. With a terminal emulator, you can configure the NetScreen device using a console from any Windows®, UNIX, or Macintosh® operating system. For remote administration through the CLI, you can use Telnet or Secure Command Shell (SCS). With a direct connection through the console port, you can use Hyperterminal®.
|
Note: For a complete listing of the CLI commands for the NetScreen devices, refer to the NetScreen CLI Reference Guide.
|
Telnet is a login and terminal emulation protocol that uses a client/server relationship to connect to and remotely configure network devices over a TCP/IP network. The administrator launches a Telnet client program on the administration workstation and creates a connection with the Telnet server program on the NetScreen device. After logging in, the administrator can issue CLI commands, which are sent to the Telnet program on the NetScreen device, effectively configuring the device as if operating through a direct connection. Using Telnet to manage NetScreen devices requires the following:
· Telnet software on the administrative workstation
· An Ethernet connection to the NetScreen device
You can secure Telnet traffic by encapsulating it in a virtual private network (VPN) tunnel or by completely separating it from network user traffic. You can run all administrative traffic through the MGT interface (NetScreen-1000) or devote an interface such as the DMZ (NetScreen-10 and -100) entirely to administrative traffic.
You can use secure shell (SSH) for secure CLI access over unsecure channels. SSH allows you to open a remote command shell[2] securely, execute commands, and copy files to or from the remote device. Secure Command Shell (SCS) is an SSH-compatible utility that allows you to remotely manage your NetScreen device without establishing a VPN.
Using SCS, you can administer NetScreen devices from an Ethernet connection or a dial-in modem. The built-in SCS server on the NetScreen device allows the SSH client, installed on the administrator's workstation, to open an instance of the NetScreen device console, which makes secure configuration and management possible.
You can manage a NetScreen device through a direct serial connection from the administrator's workstation to the NetScreen device via the Console port (Diagnostics port on the NetScreen-5). Although a direct connection is not always possible, this is surely the most secure method for managing the device.
You need the following items to create a serial connection:
· A DB-9 female to DB-25 male serial cable (NetScreen-10 and -100)
· A DB-9 female to DB-9 male serial cable (NetScreen-5)
· A MiniDIN-8 to DB-9 female serial cable (NetScreen-1000)
· Hyperterminal software (or another kind of VT100 terminal emulator) on the management workstation, with the Hyperterminal port settings configured as follows:
- Serial communications 9600 bps
- no flow control
|
Note: For more details on using Hyperterminal, see the "Getting Started" chapter in the NetScreen CLI Reference Guide.
|
If you manage large or dispersed systems, you can use either NetScreen-Global Manager independently or in conjunction with NetScreen-Global PRO to manage and configure all of your NetScreen devices from a central location.
NetScreen-Global Manager allows you to deploy and control up to 1000 NetScreen devices over multiple local-area networks (LANs) or a wide-area network (WAN) from a central location. NetScreen-Global Manager runs on Windows NT and requires network access to each device.
|
Note: For more information, refer to the NetScreen-Global Manager User's Guide.
|
The NetScreen-Global PRO system allows you to control up to 10,000 NetScreen devices from a central location. NetScreen-Global PRO contains the following components:
· The database, which collects reports and statistics
· The master controller, which communicates with the database to retrieve management information and update tables
· The data collector, which collects performance- and fault-related data from the NetScreen devices
These additional components work with the NetScreen-Global PRO system:
· NetScreen devices, which provide data to the data collector
· The administration tool, which allows you to administer the system
· NetScreen-Global Manager™ Report Viewer, which displays the Global PRO reports
NetScreen-Global PRO runs on a UNIX® (Solaris) platform.
|
Note: For more information, refer to the NetScreen-Global PRO User's Guide.
|
Administrative Interface Options
You can configure the NetScreen-5, -10, -100, and -1000 to allow administration of the device through one or more interfaces. For example, you might have local management access the device through the Trusted interface and remote management through the Untrusted interface. With a NetScreen-10 or -100, you might use the DMZ interface exclusively for administration, separating management traffic completely from network user traffic for the Trusted and Untrusted interfaces.
To enable an interface to accept the various methods of administration, do the following through the WebUI or the CLI:
Interface >> Trusted | Untrusted | DMZ: Select the following management service options, and then click Save and Reset[3]:
WebUI: Selecting this option allows the interface to receive HTTP traffic to manage the NetScreen device via the Web user interface (WebUI).
SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the Web user interface (WebUI).
NS-Global: NetScreen offers two applications for central management of multisite networks: NetScreen-Global Manager and NetScreen-Global PRO. Selecting this option allows the interface to receive management traffic from NetScreen-Global Manager.
NS-GlobalPRO: Selecting this option allows the interface to receive management traffic from NetScreen-Global PRO[4].
Telnet: A terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control network devices. Selecting this option enables Telnet manageability.
SCS: You can administer the NetScreen device from an Ethernet connection or a dial-in modem using Secure Command Shell (SCS), which is SSH-compatible. You must have an SSH client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95, Windows 98, Windows NT, Linux, and UNIX. The NetScreen device communicates with the SSH client through its built-in SCS server, which provides device configuration and management services. Selecting this option enables SCS manageability.
SNMP: The NetScreen device supports the Simple Network Management Protocol version 1.5 (SNMPv1), described in RFC1157, and all relevant Management Information Base II (MIB II) groups, as defined in RFC1213. Selecting this option enables SNMP manageability.
set interface {trust | untrust | dmz | mgt} manage {global | global-pro | ping | scs | snmp | ssl | telnet | web}
NetScreen devices support multiple administrative users. The privileges on the NetScreen-1000 differ somewhat from those on the other NetScreen devices because of the administration of virtual systems. Therefore, the administration privileges are treated separately in the following sections.
NetScreen-5, -10, and -100 Administrators
On the NetScreen-5, -10, and -100, there are three administrative levels with the following privileges:
· Level 1: Root Administrator
The Root Administrator has complete administrative privileges.
· Level 2: Super Administrator
The Super Administrator has the same privileges as the Root Administrator, but cannot create, modify, or remove other admin users.
· Level 3: Sub Administrator
The Sub Administrator has viewing privileges only for the WebUI, and can only issue the get and ping CLI commands.
For any configuration changes that an administrator makes, the following information is logged:
· Name of the administrator making the change
· IP address from which the change was made
NetScreen-1000 Administrators
There are four levels of administrative privilege possible for the NetScreen-1000:
· Level 1: Root Administrator
· Level 2: Super Administrator
· Level 3: Sub Administrator
· Level 4: Virtual System Administrator
The Root Administrator has the following privileges:
· Manages the root system of the NetScreen device
· Adds and manages all other administrators
· Establishes and manages Virtual Systems
The Super Administrator, who has root level access (similar to "root privilege" in UNIX), has the following privileges:
· Manages the root system of the NetScreen device
· Creates Virtual Systems and assigns a Virtual System administrator for each one
· Monitors any Virtual System
· Tracks statistics (a privilege that cannot be delegated to a Virtual System administrator)
The Sub Administrator has the following privileges:
· Read-only privileges in the root system, using the following four commands: enter, exit, get, and ping
· Read-only privileges in Virtual Systems
Virtual System Administrator
You can configure the NetScreen-1000 with up to 100 subsystems called virtual systems. Virtual systems are unique security domains that can be managed by their own administrators (Virtual System Administrators).
Virtual System Administrators independently manage their own virtual systems, either through CLI or the WebUI. On each virtual system, the Virtual System Administrator has the following privileges:
· Creates and edits users
· Creates and edits services
· Creates and edits Access Policies
· Creates and edits addresses
· Creates his or her login password
If necessary, a Virtual System Administrator can set up a VPN tunnel for managing a virtual system securely from a remote location, and for remote users to secure their connections to the virtual system.
The Root Administrator is the only one who can create, modify, and remove admin users. In the following example, the one performing the procedure must be a Root Administrator.
Example: Adding a Sub Administrator
The Root Administrator is adding a new Sub Administrator named Roger with the password 2bd21wG7 to the NetScreen-100.
Admin >> Admin >> New Admin: Enter the following, and then click OK:
Confirm Password: 2bd21wG7
set admin user Roger password 2bd21wG7 privilege read-only
Securing Administrative Traffic
To secure the NetScreen device during setup, perform the following steps:
1. On the Web interface, change the administrative port.
2. Turn off any unnecessary interface management service options.
3. Disable the ping and ident-reset service options on the interfaces, both of which respond to requests initiated by unknown parties and can reveal information about your network:
Interface >> Trusted | Untrusted | DMZ: Clear the following service options, and then click OK:
Ping: A utility that enables you to determine whether a specific IP address is accessible. Selecting this option allows people to ping the IP address of the NetScreen device through the Trusted, Untrusted, or DMZ interface.
Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgement, they send the request again. While the request is processing, there is no user access. By enabling the Ident-reset option, the NetScreen device sends a TCP reset announcement in response to an IDENT request to port 113 and restores access that has been blocked by an unacknowledged identification request.
unset interface {trust | untrust | dmz | mgt} manage ping
unset interface {trust | untrust | dmz | mgt} ident-reset
4. Change the user name and password for administration access.
5. Define the management client IP addresses for the admin users.
Changing the System IP Port Number
Changing the port number to which the NetScreen device listens for HTTP management traffic improves security. The default setting is port 80, the standard port number for HTTP traffic. After you change the port number, you must then type the new port number in the URL field in your Web browser when you next attempt to contact the NetScreen device. (In the following example, the administrator needs to enter http://188.30.12.2:15522.)
Example: Changing the Port Number
In this example, the System IP is 188.30.12.2 with the standard port number 80. You change the port number from 80 to 15522.
1. Admin >> Web >> Port: 15522
2. Click Apply and Reset[6].
Changing the Admin Login Name and Password
By default, the initial login name for NetScreen devices is netscreen. The initial password is also netscreen. Because these have been widely published, you should change the login name and password immediately. The login name and password are both case-sensitive. Each must be one word, alphanumeric, with no symbols. Record the new admin login name and password in a secure manner.
|
Be sure to record your new password! If you forget it, you cannot reset or gain access to the device. It must then be returned to the factory for resetting.
|
Administrative users for the NetScreen device can be authenticated using the internal database and an external RADIUS server[7]. When the admin user logs in to the NetScreen device, it first checks the local internal database for authentication. If there is no entry present, it then uses RADIUS to authenticate. The purpose of this feature is to extend the authentication schemes to the management of administrative users.
Example: Changing an Admin User Login Name and Password
The Root Administrator has decided to change a Super Administrator's login name from John to Smith and his password from xL7s62a1 to 3MAb99j2.
Admin >> Admin >> (John) Edit: Enter the following, and then click OK:
Confirm Password: 3MAb99j2
2. set admin user Smith password 3MAb99j2 privilege all
Example: An Admin User Changing Her Own Password
Non-root users can change their own administrator password, but not their login name. In this example, a Super Administrator with the login name "starling" is changing her password from 3MAb99j2 to ru494Vq5.
Admin >> Admin >> (starling) Edit: Enter the following, and then click OK:
Confirm Password: ru494Vq5
1. set admin password ru494Vq5
Restricting Administrative Access
You can administer NetScreen devices from one or multiple addresses of a subnet. By default, any host on the Trusted interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure Management Client IP addresses.
|
The assignment of a management client IP address takes effect immediately. If you are managing the device via a network connection and your workstation is not included in the assignment, the NetScreen device will immediately terminate your current session and you will no longer be able to manage the device from that workstation.
|
Example: Restricting Administration to a Single Workstation
In this example, the administrator at the workstation with the IP address 172.16.40.42 is the only administrator specified to manage the NetScreen-10.
Admin >> Admin >> New Management Client IP: Enter the following, and then click OK:
1. set admin manage-ip 172.16.40.42 255.255.255.255
Example: Restricting Administration to a Subnet
In this example, the group of administrators with workstations in the 172.16.40.0/24 subnet are specified to manage the NetScreen-10.
Admin >> Admin >> New Management Client IP: Enter the following, and then click OK:
1. set admin manage-ip 172.16.40.0 255.255.255.0
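The hardening steps under "Securing Administrative Traffic" and the manage-ip lockout caveat above are easy to check against a configuration dump before committing it. The following script is an added example, not part of the NetScreen documentation: it parses a constructed dump written with the CLI commands shown in this chapter (the `set interface <if> ident-reset` form is assumed as the inverse of the documented `unset`), lists the steps still open, and tells you whether the workstation applying a manage-ip restriction would cut off its own session.

```python
"""Pre-flight review of admin settings in a ScreenOS-style configuration.

Added example (not from the NetScreen documentation). It reads a config dump
written with the CLI commands shown in this chapter, reports which of the
"Securing Administrative Traffic" steps are still open, and checks whether
the workstation applying a manage-ip restriction would lock itself out.
"""
import ipaddress
import re

# Services that travel in the clear unless wrapped in SSL or a VPN tunnel.
CLEARTEXT_SERVICES = {"web", "telnet", "snmp"}

# Constructed sample dump for demonstration; not taken from a real device.
# "set interface <if> ident-reset" is assumed as the inverse of the
# documented "unset interface <if> ident-reset".
SAMPLE_CONFIG = """\
set admin user netscreen password netscreen privilege all
set interface trust manage web
set interface trust manage telnet
set interface trust manage ping
set interface untrust manage web
set interface untrust manage ssl
set interface untrust manage ping
set interface untrust ident-reset
set admin manage-ip 172.16.40.0 255.255.255.0
"""

MANAGE_RE = re.compile(r"^(set|unset) interface (\S+) manage (\S+)$")
IDENT_RE = re.compile(r"^(set|unset) interface (\S+) ident-reset$")
ADMIN_RE = re.compile(r"^set admin user (\S+) password \S+ privilege (\S+)$")
MANAGE_IP_RE = re.compile(r"^set admin manage-ip (\S+) (\S+)$")


def parse_config(text):
    """Collect the admin-relevant state; a later unset undoes an earlier set."""
    cfg = {"manage": {}, "ident_reset": set(), "admins": {}, "manage_ip": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := MANAGE_RE.match(line):
            verb, iface, svc = m.groups()
            svcs = cfg["manage"].setdefault(iface, set())
            if verb == "set":
                svcs.add(svc)
            else:
                svcs.discard(svc)
        elif m := IDENT_RE.match(line):
            verb, iface = m.groups()
            if verb == "set":
                cfg["ident_reset"].add(iface)
            else:
                cfg["ident_reset"].discard(iface)
        elif m := ADMIN_RE.match(line):
            name, priv = m.groups()
            cfg["admins"][name] = priv
        elif m := MANAGE_IP_RE.match(line):
            ip, mask = m.groups()  # ScreenOS gives a dotted mask, not a prefix length
            cfg["manage_ip"].append(ipaddress.ip_network(f"{ip}/{mask}", strict=False))
    return cfg


def audit(cfg, remote_interfaces=("untrust",)):
    """Return findings mapped to the chapter's hardening steps."""
    findings = []
    for iface, svcs in sorted(cfg["manage"].items()):
        clear = sorted(svcs & CLEARTEXT_SERVICES)
        if iface in remote_interfaces and clear:
            findings.append(f"{iface}: cleartext management enabled ({', '.join(clear)}); "
                            "disable it (step 2) or carry it over SSL or a VPN tunnel")
        if "ping" in svcs:
            findings.append(f"{iface}: ping enabled; unset interface {iface} manage ping (step 3)")
    for iface in sorted(cfg["ident_reset"]):
        findings.append(f"{iface}: ident-reset enabled; unset interface {iface} ident-reset (step 3)")
    if "netscreen" in cfg["admins"]:
        findings.append("admin: default login name 'netscreen' still defined (step 4)")
    if not cfg["manage_ip"]:
        findings.append("admin: no manage-ip set, so any Trusted host may administer (step 5)")
    return findings


def would_lock_out(cfg, workstation):
    """True if the manage-ip list would exclude the workstation applying it.

    An empty list is the default (any Trusted host), so it cannot lock anyone out.
    """
    if not cfg["manage_ip"]:
        return False
    host = ipaddress.ip_address(workstation)
    return not any(host in net for net in cfg["manage_ip"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for finding in audit(cfg):
        print("-", finding)
    for ws in ("172.16.40.42", "10.1.1.5"):
        print(ws, "would be locked out" if would_lock_out(cfg, ws) else "keeps access")
```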
The Trusted, Untrusted, and DMZ (NetScreen-10 and -100) interfaces can have two IP addresses: an interface IP address that corresponds with the physical port through which that interface connects to a network, and a Manage IP address that can be used to receive administrative traffic.
You can specify a Manage IP address for managing a NetScreen device through every available interface. Also, when a NetScreen-100 or -1000 is a slave unit in a redundant group for High Availability, you can access and configure the unit through its Manage IP address (or addresses).
Example: Setting Manage IPs for Multiple Interfaces
In this example, a small group of local administrators in the DMZ use the DMZ interface exclusively for HTTP, SNMP, and Telnet traffic. The Untrusted interface must also be able to support administrative traffic from a remote administrator using NetScreen-Global Manager. Manage IP addresses are set for both the DMZ and Untrusted interfaces to allow administrative access from both of those directions.
1. Interface >> DMZ >> Edit: Enter the following, and then click Save:
IP Address: 211.24.55.144
2. Interface >> Untrusted >> Edit: Enter the following, and then click Save and Reset:
1. set interface dmz ip 211.24.55.144 255.255.255.0
2. set interface dmz manage-ip 211.24.55.43
3. set interface dmz manage web
4. set interface dmz manage telnet
5. set interface dmz manage snmp
6. set interface untrust ip 211.24.54.10 255.255.255.0
7. set interface untrust manage-ip 211.24.54.125
8. set interface untrust manage global
9. set interface untrust manage global-pro
The Management (MGT) interface allows you to manage the NetScreen-1000 through a separate interface, moving administrative traffic outside the regular network user traffic. Separating administrative traffic from network user traffic greatly increases administrative security and assures constant management bandwidth.
On the NetScreen-1000, the Management (MGT) interface provides a dedicated connection for management traffic. Connect one end of a Cat-5 serial cable to the MGT interface and the other end to your management network or workstation.
With this arrangement, you can use a Web browser to manage through the WebUI (see "Web User Interface" on page 9126) or use Telnet (see "Telnet" on page 9129) to manage through the CLI. You can also manage through the MGT interface by connecting a workstation directly to the console port or modem port and accessing the device through its MGT IP address.
Example: Administration Through the MGT Interface
You can configure the NetScreen-1000 to allow administration through one or more of the Trusted, Untrusted, or Management (MGT) interfaces. To maintain the highest level of security, NetScreen recommends that you limit administrative traffic exclusively to the MGT interface and user traffic to the Trusted and Untrusted interfaces. This prohibits administrative access from Trusted and Untrusted workstations that are connected to your network and assures bandwidth availability for administrative traffic.
In this example, the IP address of the MGT interface is 192.168.20.2/24, and the MGT interface is enabled to receive Telnet and Web administrative traffic.
Interface >> Management >> Edit: Enter the following, and then click Save and Reset:
Default Gateway: 0.0.0.0
Enable Manageability: WebUI (select), Telnet (select)
1. set interface mgt ip 192.168.20.2 255.255.255.0
2. set interface mgt manage web
3. set interface mgt manage telnet
You can use a Virtual Private Network (VPN) to secure remote management and monitoring of a NetScreen device from either a dynamically assigned or fixed Untrusted IP address. Using a VPN, you can protect any kind of traffic, such as HTTP, Telnet, or SNMP.
NetScreen supports three methods for creating a VPN tunnel:
· Manual Key: You manually set the three elements that define a Security Association (SA) at both ends of the tunnel: a Security Parameters Index (SPI), an encryption key, and an authentication key. To change any element in the SA, you must manually enter it at both ends of the tunnel.
· AutoKey IKE with Preshared Key: One or two preshared secrets (one for authentication and one for encryption) function as seed values. Using them, the IKE protocol generates a set of symmetrical keys at both ends of the tunnel; that is, the same key is used to encrypt and decrypt. At predetermined intervals, these keys are automatically regenerated.
· AutoKey IKE with Certificates: Using the Public Key Infrastructure (PKI), the participants at both ends of the tunnel use a digital certificate (for authentication) and an RSA public/private key pair (for encryption). The encryption is asymmetrical; that is, one key in a pair is used to encrypt and the other to decrypt.
By default, NetScreen VPN tunnels use the Untrusted interface IP address (in NAT mode) or the System IP address (in Transparent mode) as the tunnel endpoint. Optionally, you can designate the Trusted interface as the endpoint when directing management traffic through a VPN tunnel to an address on the Untrusted side. This allows you to create an Access Policy encrypting management traffic, such as SNMP or syslog, originating within the NetScreen device (with the source address being the Trusted interface) and destined for a remote server on the Untrusted side. To enable this, do the following:
Select one or more of the following check boxes, and then click OK:
Admin >> Syslog: Enable Syslog VPN encryption: (select)
Admin >> Syslog: Enable WebTrends VPN encryption: (select)
Admin >> SNMP: Enable SNMP VPN encryption: (select)
Admin >> NS Global: Enable Global Manager/PRO VPN encryption: (select)
set {global | snmp | syslog | webtrends} vpn
|
Note: You also need to define the VPN tunnel and create an Access Policy.
|
Example: Administration through a VPN Tunnel on the Trusted Side
In this example, the network security administrator uses a VPN to keep security separate from general network administration. She creates a Manual Key VPN tunnel from her workstation at 10.10.11.56/24 to 10.10.10.1/24, the IP address of the Trusted interface. She has NetScreen-Remote 5.0 installed on her workstation.
1. Address >> Trusted: New Address: Enter the following, and then click OK:
2. Address >> Untrusted: New Address: Enter the following, and then click OK:
3. VPN >> Manual Key >> New Manual Key Entry: Enter the following, and then click OK:
Security Index: 4567 (Local) 5555 (Remote)
Encryption Algorithm: DES-CBC
Generate Key by Password[8]: netscreen1
Authentication Algorithm: MD5
Generate Key by Password: netscreen2
Tunnel to Trusted Interface: (select)
|
Note: By default, a VPN tunnel to a NetScreen device terminates at the Untrusted interface. After you select the Tunnel to Trusted Interface option, you cannot clear it. To modify the tunnel to terminate at the Untrusted interface, you must first remove the existing tunnel, and then create a new one. If the NetScreen device is in Transparent mode, then the tunnel from the Trusted side terminates at the system IP address.
|
4. Policy >> Outgoing >> New Policy: Enter the following, and then click OK:
Source Address: Trusted Interface
Destination Address: Admin 1
1. set address trust "Trusted Interface" 10.10.10.1 255.255.255.255
2. set address untrust "Admin 1" 10.10.11.56 255.255.255.255
3. set vpn trust manual 4567 5555 "Admin tunnel" gateway 10.10.11.56 esp des password netscreen1 auth md5 password netscreen2
4. set policy outgoing "Trusted Interface" "Admin 1" any tunnel vpn "Admin tunnel"
NetScreen-Remote Security Policy Editor
1. Click Options >> Secure >> Specified Connections.
2. Click the Add a new connection button, and type ns100 next to the new connection icon that appears.
3. Configure the connection options:
Connection Security: Secure
Remote Party ID Type: IP Address
4. Click the PLUS symbol, located to the left of the new connection icon, to expand the connection policy.
5. ns100 >> Security Policy: Use Manual Keys: (select)
6. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Key Exchange (Phase 2) to expand the policy further.
7. Key Exchange (Phase 2) >> Proposal 1: Select the following IPSec Protocols:
Encapsulation Protocol (ESP): (select)
8. Proposal 1 >> Inbound Keys: In the Security Parameters Index field, type 5555, and then click Enter Key.
9. Inbound Keys >> Enter Key: Enter the following[9], and then click OK:
Choose key format: Binary
ESP Encryption Key: dccbee96c7e546bc
ESP Authentication Key: dccbe9e6c7e546bcb0b667794ab7290c
10. Proposal 1 >> Outbound Keys: In the Security Parameters Index field, type 4567, and then click Enter Key.
11. Outbound Keys >> Enter Key: Enter the following, and then click OK:
Choose key format: Binary
ESP Encryption Key: dccbee96c7e546bc
ESP Authentication Key: dccbe9e6c7e546bcb0b667794ab7290c
12. Click the Save button.
[1] Check your Web browser to see how strong the ciphers can be and which ones your browser supports. (Both the NetScreen device and your Web browser must support the same kind and size of ciphers you use for SSL.) In Internet Explorer 5.x, click Help, About Internet Explorer, and read "Cipher Strength." To obtain the advanced security package, click the Update Information link. In Netscape Navigator, click Help, About Communicator, and read the section about RSA®. To change the SSL configuration settings, click Security, Navigator, Configure SSL v3.
[2] A command shell is an operating system's outer layer, providing an environment in which you can launch and operate programs running within the operating system's inner layer, or kernel.
[3] Through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.
[4] NetScreen-Global PRO requires the use of NetScreen-Global Manager, so if you want to enable this option, you also need to select the NetScreen-Global Manager option.
[5] The password can be up to 31 characters long. It must be alphanumeric, without any spaces or special characters.
[6] Through the CLI, you can schedule the NetScreen-5, -10, and -100 to reset at a time that is convenient for maintaining uninterrupted network operation: set timer <mm|dd|yyyy> <hh:mm> action reset.
[7] Remote Authentication Dial-In User Service (RADIUS) is a protocol for authenticating and authorizing dial-up users. The NetScreen device can act as a client of a RADIUS server.
[8] Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you configure the tunnel do the following: (1) Return to the Manual Key Configuration dialog box (click Edit in the Configure column for "Admin Tunnel"); (2) copy the generated hexadecimal key; and (3) use that hexadecimal key when configuring the NetScreen-Remote end of the tunnel.
[9] These are the two generated keys that you copied after configuring the NetScreen device.