Page 2 - ii
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. ...
Page 3 - END USER LICENSE AGREEMENT; iii
END USER LICENSE AGREEMENT READ THIS END USER LICENSE AGREEMENT (“AGREEMENT”) BEFORE DOWNLOADING, INSTALLING, OR USING THE SOFTWARE. BY DOWNLOADING, INSTALLING, OR USING THE SOFTWARE OR OTHERWISE EXPRESSING YOUR AGREEMENT TO THE TERMS CONTAINED HEREIN, YOU (AS CUSTOMER OR IF YOU ARE NOT THE CUSTOMER,...
Page 4 - iv
6. Confidentiality. The Parties agree that aspects of the Software and associated documentation are the confidential property of Juniper. As such, Customer shall exercise all reasonable commercial efforts to maintain the Software and associated documentation in confidence, which at a minimum include...
Page 7 - Hardware and Software Overview; vii
Table of Contents: Preface xi; Objectives xi; Audience xi; Documentation Conventions ...
Page 8 - viii
Part 2 Performing the Installation; Chapter 3 Installation Overview 21; Before You Begin 21; Basic Steps 22; Chapt...
Page 9 - ix
Part 4 Upgrading Software and Installing Field Replaceable Units; Chapter 8 Upgrading Software 49; Updating Software (NSM Procedure) 49; Upgrading Software (CLI Procedure) 51; Chapte...
Page 11 - Preface; Table 1: Notice Icons; xi
Preface This preface includes the following topics: ■ Objectives on page xi ■ Audience on page xi ■ Documentation Conventions on page xi ■ Related Documentation on page xiii ■ Requesting Technical Support on page xiv Objectives This guide explains how to install, configure, update, and service an ID...
Page 12 - Table 2 on page xii defines text conventions used in this guide.; Table 2: Text Conventions; Table 3 on page xii defines syntax conventions used in this guide.; Table 3: Syntax Conventions; xii
Table 2 on page xii defines text conventions used in this guide. Table 2: Text Conventions Examples Description Convention ■ Issue the clock source command. ■ Specify the keyword exp-msg . ■ Click User Objects ■ Represents commands and keywords in text. ■ Represents keywords ■ Represents UI elements ...
Page 13 - Table 4 on page xiii lists related IDP documentation.; Table 4: Related IDP Documentation; Table 4 on page xiii lists related NSM documentation.; Table 5: Related NSM Documentation; xiii
Related Documentation Table 4 on page xiii lists related IDP documentation. Table 4: Related IDP Documentation Description Document Contains information about what is included in a specific product release: supported features, unsupported features, changed features, known problems, and resolved proble...
Page 14 - Product warranties—For product warranty information, visit; Self-Help Online Tools and Resources; Search for known bugs:; xiv
Table 5: Related NSM Documentation (continued) Description Document Describes how to configure and manage IDP devices using NSM. This guide also helps in understanding of how to configure basic and advanced NSM functionality, including adding new devices, deploying new device configurations, updating d...
Page 15 - Opening a Case with JTAC; You can open a case with JTAC on the Web or by telephone.; xv
■ Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/ ■ Download the latest versions of software and review release notes: http://www.juniper.net/customers/csc/software/ ■ Search technical bulletins for relevant hardware and software notifications: https://www.junipe...
Page 16 - xvi
xvi ■ Requesting Technical Support IDP250 Installation Guide
Page 17 - Hardware Overview on page 3
Part 1 Hardware and Software Overview ■ Hardware Overview on page 3 ■ Software Overview on page 15
Page 19 - Chapter 1; Hardware Overview; Figure 1: IDP250 Front Panel
Chapter 1 Hardware Overview This chapter includes the following topics: ■ IDP250 Overview on page 3 ■ Power Supply on page 4 ■ Hard Drive on page 4 ■ Fans on page 4 ■ System Status LEDs on page 4 ■ USB Port on page 5 ■ Serial Console Port on page 5 ■ Management Interface Port on page 5 ■ High Availa...
Page 20 - Related Topics; Replacing a Power Supply on page 53; Hard Drive; The fans for this model are not field replaceable units (FRUs).; System Status LEDs; Table 6 on page 4 describes system status LED states.; Table 6: System Status LED States
■ Traffic Interface Ports on page 7 ■ IDP250 Technical Specifications on page 59 Power Supply The appliance has one power supply. It is a field replaceable unit (FRU). Related Topics ■ Replacing a Power Supply on page 53 Hard Drive The appliance has one 80 GB hard drive. It is not a field replaceabl...
Page 21 - . Use this port as a dedicated management; Figure 2: Management Interface Port LEDs
USB Port The appliance has a USB port you can use to reimage the appliance, if necessary. Serial Console Port The console serial port provides access, using an RJ-45 connector, to the command-line interface (CLI). NOTE: Although both the console serial port and the management port use RJ-45 connector...
Page 22 - Table 7: Management Port LEDs; . The high availability interface is a dedicated; Figure 3: High Availability Interface Port LEDs
Table 7: Management Port LEDs (continued). TX/RX LED states: Orange = Connection is 1000 Mbps. Green = Connection is 100 Mbps. Off = If LINK indicates activity, TX/RX off indicates connection is 10 Mbps. If LINK indicates no activity, TX/RX off indicates no activity as well. High Availability Inter...
Page 23 - Table 8: High Availability Port LEDs; Figure 4: Copper Port LEDs
Table 8: High Availability Port LEDs (continued). TX/RX LED states: Orange = Connection is 1000 Mbps. Green = Connection is 100 Mbps. Off = If LINK indicates activity, TX/RX off indicates connection is 10 Mbps. If LINK indicates no activity, TX/RX off indicates no activity as well. Traffic Interfac...
Page 24 - Table 9: Copper Port LEDs; ACT and LINK SPD LEDs are turned off.; Fiber Ports; Figure 5 on page 8 shows fiber port LEDs.; Figure 5: Fiber Port LEDs; Table 10 on page 9 describes fiber port LED states.
Table 9: Copper Port LEDs. LINK ACT LED states: Glows green = Link is present. Blinks green = Activity. Off = No link present. LINK SPD LED states: Green = Connection is 100 Mbps. Yellow = Connection is 1 Gbps. If LINK ACT is on, the connection is 10 Mbps. If LINK ACT is off, LINK SPD off indicates no link is pre...
Page 25 - Table 10: Fiber Port LEDs; ACT and LINK SPD LEDs remain lit.; Traffic Interface Features; Deployment Mode on page 10
Table 10: Fiber Port LEDs. LINK ACT LED states: Glows green = Link is present. Flashes green = Activity. Off = No link present. LINK SPD LED states: Green = Connection is 100 Mbps. Yellow = Connection is 1 Gbps. Orange = Connection is 10 Gbps. If LINK ACT is on, the connection is 10 Mbps. If LINK ACT is off, LINK S...
Page 26 - Deployment Mode; For each virtual router, you select the deployment mode:; Internal Bypass
Deployment Mode For each virtual router, you select the deployment mode: ■ Sniffer–In an out-of-path, sniffer mode deployment, the IDP appliance can detect attacks but can take only limited action. You connect the IDP traffic interfaces to a mirrored port of a network hub or switch. ■ Transparent–In a...
Page 27 - Figure 6: Internal Bypass; status of the IDP operating system; NICs Off
Figure 6: Internal Bypass When the IDP operating system resumes healthy operations, it sends a reset signal to the traffic interfaces, and the interfaces resume normal operation. NOTE: All copper port traffic interfaces support internal bypass. Some, but not all, fiber port traffic interfaces support...
Page 28 - External Bypass; Figure 7: Internal Bypass; Peer Port Modulation
External Bypass The External Bypass setting supports third-party external bypass units. When the IDP appliance is turned on and available, it sends NetScreen Redundancy Protocol (NSRP) heartbeats to the external bypass unit. When the NSRP packets flow, the external bypass unit allows connections to pro...
Page 29 - Figure 8: Peer Port Modulation; is related to the; Layer 2 Bypass; By default, the interfaces drop all other Layer 2 traffic.
When PPM is enabled, a PPM daemon monitors the health of IDP traffic interfaces belonging to the same virtual router. If a traffic interface loses link, the PPM process turns off any associated network interfaces in the same virtual router so that other network devices detect that the virtual router is...
Page 31 - Chapter 2; Software Overview; This chapter includes the following topics:
Chapter 2 Software Overview This chapter includes the following topics: ■ On-Box Software Overview on page 15 ■ Centralized Management with NSM Overview on page 16 ■ J-Security Center Updates Overview on page 17 On-Box Software Overview You use on-box software to get the appliance up and running in ...
Page 33 - IDP
For IDP deployments, centralized management provides the following benefits: ■ Centralized management for IDP appliances and other network devices ■ Consolidated logs from different devices in a single repository ■ Centralized management of enterprise security policies ■ Simplified management for at...
Page 35 - Installation Overview on page 21
Part 2 Performing the Installation ■ Installation Overview on page 21 ■ Installing the Appliance to Your Equipment Rack and Connecting Power on page 23 ■ Performing the Initial Network Configuration and Licensing Tasks on page 27 ■ Connecting the IDP Traffic Interfaces to Your Network and Verifying T...
Page 37 - Chapter 3; Installation Overview; appliance in a secure environment.
Chapter 3 Installation Overview This chapter includes the following topics: ■ Before You Begin on page 21 ■ Basic Steps on page 22 Before You Begin The location of the device, the layout of the mounting equipment, and the security of your wiring room are crucial for proper system operation. CAUTION: ...
Page 38 - Common Criteria EAL2 Compliance on page 63; and download the
Related Topics ■ Common Criteria EAL2 Compliance on page 63 Basic Steps Take the following basic steps to install the appliance and connect it to your network: 1. Read the release notes for your release. Release notes make you aware of supported and unsupported features, known issues, and fixed issue...
Page 39 - Chapter 4; Table 12: Rack Mounting Hardware and Required Tools
Chapter 4 Installing the Appliance to Your Equipment Rack and Connecting Power This chapter includes the following topics: ■ Rack Mounting Kits and Required Tools on page 23 ■ Mounting to Midmount Brackets on page 24 ■ Mounting to Rack Rails on page 25 ■ Connecting Power on page 25 Rack Mounting Kits...
Page 40 - To mount the appliance using the midmount brackets:
Mounting to Midmount Brackets To mount the appliance using the midmount brackets: 1. Attach one rack-mounting bracket to each side of the chassis with the bracket screws. Figure 10: 1-RU Midmount Bracket 2. With another person, place the chassis into position between rack posts in the equipment rack a...
Page 41 - Figure 11: Rail with Hinged Rear Bracket; Connecting Power
Related Topics ■ Rack Mounting Kits and Required Tools on page 23 Mounting to Rack Rails To mount the device to equipment rack rails: 1. Attach the rails to each side of the chassis with the bracket screws. Make sure the hinged brackets are at the back of the device. Make sure the rails are positioned...
Page 42 - Connect the other end of the power cable to the electrical outlet.
2. Connect the other end of the power cable to the electrical outlet.
Page 43 - Chapter 5
Chapter 5 Performing the Initial Network Configuration and Licensing Tasks This chapter includes the following topics: ■ Performing the Initial Configuration on page 27 ■ Getting Started with the EasyConfig Wizard (Serial Console Port) on page 29 ■ Getting Started with the QuickStart Wizard (Manageme...
Page 44 - Table 13: Getting Started Configuration Tools; Getting Started with the ACM Wizard (Management Port) on page 31
Table 13: Getting Started Configuration Tools Defaults Applied: You Specify: Getting Started Tool ■ Root password: abc123 ■ Fully qualified domain name: Blank ■ RADIUS support: Disabled ■ Network interfaces: Auto-negotiate speed/duplex ■ Virtual routers: ■ Sniffer mode: One virtual router (vr0) ■ Tra...
Page 47 - IP
To get started with the QuickStart wizard: 1. Connect one end of an Ethernet cable to the management interface port and the other end to the Ethernet port of your laptop. 2. On your laptop, open a Web browser. 3. In the browser Address or Location box, enter https://192.168.1.1 . NOTE: ACM access use...
Page 49 - Basic Steps on page 22
[root@localhost ~] scio lic add lic.txt 9. Run the following scio command to verify you have successfully added the license key: [root@localhost ~] scio lic list [root@localhost ~]# scio lic list ID Machine ID Issue Date Expiration OK Feature -- ---------------- ------------------------ ---------------...
Page 51 - Chapter 6; Table 14: Interface Connection Guidelines
Chapter 6 Connecting the IDP Traffic Interfaces to Your Network and Verifying Traffic Flow This chapter includes the following topics: ■ Guidelines for Connecting IDP Interfaces to Your Network Devices on page 35 ■ Choosing Cables for Traffic Interfaces (Copper Ports) on page 36 ■ Connecting and Disc...
Page 53 - Connecting Devices That Do Not Support Auto-MDIX; For connections to a firewall or server, use a crossover cable.; Connecting Devices to Support Internal Bypass; To connect a Gigabit Ethernet cable to a transceiver:
NOTE: IDP75, IDP250, IDP800, and IDP8200 support auto-MDIX. Connecting Devices That Do Not Support Auto-MDIX For connections to a firewall or server, use a crossover cable. For connections to a switch or hub, use a straight-through cable. NOTE: Conventionally, crossover cables have an orange outer j...
Page 54 - Purpose
3. Slide the clip into the transceiver port until it clicks into place. Because the fit is close, you may have to apply some pressure to seat the clip. Apply pressure evenly and gently to avoid clip breakage. To remove a Gigabit Ethernet cable from a transceiver: 1. Hold the cable clip firmly but gent...
Page 55 - Adding the IDP Appliance to NSM on page 41
Part 3 Adding the IDP Appliance to NSM ■ Adding the IDP Appliance to NSM on page 41
Page 57 - Chapter 7; The schema update is also known as the; Adding a Reachable IDP Device to NSM on page 41; Adding a Reachable IDP Device to NSM
Chapter 7 Adding the IDP Appliance to NSM This chapter includes the following topics: ■ Reviewing Compatibility with NSM on page 41 ■ Adding a Reachable IDP Device to NSM on page 41 Reviewing Compatibility with NSM Review the release notes for information regarding compatibility between your IDPSeri...
Page 58 - Device Manager > Devices; Figure 12: NSM Add Device Wizard: Add Device; Device; Figure 13: NSM Add Device Wizard: Connection Settings; admin
To import an IDP device with a known IP address: 1. In the NSM navigation tree, select Device Manager > Devices. Figure 12: NSM Add Device Wizard: Add Device 2. Click the + icon and select Device to display the Add Device wizard. 3. Select Device Is Reachable (default) and click Next to display ...
Page 59 - Select; SSH Version 2; Click; Next; Figure 14: NSM Add Device Wizard: SSH Key Fingerprint Information
■ Enter the password for the device admin user. You set the password for admin when you ran the ACM Wizard. ■ Enter the password for the device root user. You set the password for root when you ran the ACM Wizard. NOTE: In NSM, passwords are case-sensitive. ■ Select SSH Version 2 and port 22. Click Ne...
Page 60 - Figure 15: NSM Add Device Wizard: Inventory Information
5. Log into the IDP command-line interface and verify the SSH key fingerprint. Comparing the SSH key fingerprint information enables you to detect man-in-the-middle attacks: a. Connect to the IDP command-line interface: ■ Use SSH to connect to the IP address or hostname for the management interface. Lo...
Page 61 - Figure 16: NSM Add Device Wizard: Add Device Confirmation; to import the configuration from the IDP device. Upon success, NSM; Finish
Figure 16: NSM Add Device Wizard: Add Device Confirmation 8. Click Next to import the configuration from the IDP device. Upon success, NSM displays the following message: Figure 17: NSM Add Device Wizard: Configuration Import Confirmation 9. Click Finish . For IDP 4.1 and later devices, NSM next run...
Page 62 - Reviewing Compatibility with NSM on page 41
Figure 18: NSM Device Manager: Viewing Device Status Related Topics ■ Reviewing Compatibility with NSM on page 41 ■ Basic Steps on page 22
Page 65 - Chapter 8; Upgrading Software; Tools > Software Manager
Chapter 8 Upgrading Software This chapter includes the following topics: ■ Updating Software (NSM Procedure) on page 49 ■ Upgrading Software (CLI Procedure) on page 51 Updating Software (NSM Procedure) To update IDP software: 1. Add the IDP software to the NSM GUI server. 2. Push the IDP software fr...
Page 67 - root; version; reboot; Adjust OS Version
3. Push a security policy update job to update attack objects in use in your security policy: a. In NSM, select Devices > Configuration > Update Device Config. b. Select devices to which to push the updates and set update job options. c. Click OK. Related Topics ■ Upgrading Software (CLI Proc...
Page 69 - Chapter 9; Installing Field Replaceable Units
Chapter 9 Installing Field Replaceable Units This chapter includes the following topics: ■ Replacing a Power Supply on page 53 Replacing a Power Supply The following procedure applies to models for which the power supply is a field replaceable unit (FRU). For information on obtaining spares, contact ...
Page 71 - Reimaging the Appliance; reimaging; Next Steps
Chapter 10 Reimaging the Appliance This chapter includes the following topic: ■ Reimaging and Relicensing an Appliance on page 55 Reimaging and Relicensing an Appliance The appliance comes with software preinstalled. If needed, you can reinstall the factory image. This process is known as reimaging t...
Page 75 - Technical Specifications; Table 15 on page 59 lists physical specifications.; Table 15: Physical Specifications; Table 16: Power Specifications; Table 17 on page 60 lists power cord specifications.
Chapter 11 Technical Specifications This chapter includes the following topics: ■ IDP250 Technical Specifications on page 59 IDP250 Technical Specifications Table 15 on page 59 lists physical specifications. Table 15: Physical Specifications Value Specification 1 RU Form Factor 1.69 in. (4.3 cm) Hei...
Page 76 - Table 17: Power Cord Specifications; Table 18 on page 60 list environmental specifications.; Table 18: Environmental Specifications
Table 17: Power Cord Specifications Specifications Country ■ UL-approved and CSA-certified ■ Flexible cord minimum spec: No. 18 (1.5 mm2) SVT or SJT, 3-conductor ■ Current capacity of 10A minimum ■ Earth-grounding attachment plug with NEMA 5-15P (10A, 125V) configuration United States and Canada Table 1...
Page 77 - Compliance Statements; This chapter includes the following topic:
Chapter 12 Compliance Statements This chapter includes the following topic: ■ Standards Compliance on page 61 Standards Compliance Table 20: Standards Compliance Category ■ UL 60950, Third Edition — Safety of Information Technology Equipment ■ CSA C2.22 No. 60950, Third Edition — Safety of Informati...
Page 79 - Common Criteria EAL2 Compliance; Network and Security Manager Administration Guide; Table 21: Common Criteria EAL2 Compliance; Standards Compliance on page 61
Chapter 13 Common Criteria EAL2 Compliance This chapter includes the following topics: ■ Common Criteria EAL2 Compliance on page 63 Common Criteria EAL2 Compliance Table 21 on page 63 provides guidelines you must observe to deploy and use the IDP appliance in compliance with the Co...
Page 81 - Index on page 67
Page 83 - Symbols; HA port
Index; Symbols: 1998 Class A compliance 61; A: ACM 15, 31; ACM Online Help xiii; adding a device to NSM ...
Page 84 - See
LEDs: fault 4; HA port 6; hard drive 4; IDP250 ...