Interface Configuration

Physical (Ethernet) Interface

Each port on your device represents a physical interface. You must bind a physical interface to a zone to allow traffic to enter and exit the zone. Without an interface, no traffic can access the zone or leave it. Three of the physical (Ethernet) interfaces are bound by default to specific zones—Trust, Untrust, or DMZ. The default binding of physical interfaces to zones varies by device model.

To Configure a Physical (Ethernet) Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the physical (Ethernet) interface you want to configure, and then enter the necessary information:

Interface Name: (Read-only) The name of a physical interface is composed of the media type, slot number (for some devices), and port number, for example, ethernet3/2 or ethernet2.

As Member of loopback group: To allow the interface to use the MIP on the loopback interface, configure the interface as a member of the loopback interface group.

As Member of group: Select the redundant or aggregate interface of which you want this physical interface to be a member.

Zone Name: The name of the zone to which the interface is bound.

Obtain IP using DHCP: (For appliances only) Select this option to enable the device to act as a DHCP client, receiving a dynamically assigned IP address for its interface from an ISP.

Automatic update DHCP server parameters: Select this check box to forward TCP/IP settings from the DHCP client module on the Untrust interface to the DHCP server module on the default interface in the Trust zone.

Obtain IP using PPPoE: (For appliances only) Select this option to enable the device to act as a PPPoE client, receiving an IP address for its interface from an Internet Service Provider (ISP).

Create new PPPoE setting: You can configure a new instance of PPPoE, which, once saved, gets added to the Obtain IP using PPPoE drop-down list.

Connect: Click this button to initiate a PPPoE session, and Disconnect to terminate a session.

Status: (Read-only) The status of a PPPoE session is indicated as either Disabled (currently inactive) or Enabled (currently in progress).

Static IP: (For appliances only) Select this option to assign a unique and fixed IP address to the interface.

IP Address/Netmask: Enter the IP Address and netmask of the interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Interface Mode: (Appears only when you enter and save a static IP address and netmask.) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Block Intra-Subnet Traffic: (only available for tunnel interfaces with an IP address/netmask) Select this check box to block traffic that routes back out the same interface that it entered.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Overbilling: (For systems only.) Enables the device to receive and send Overbilling Attack information through this interface.

Enforce-IPSEC: (For systems only.) Sets the interface to only accept incoming connections from an IPSec tunnel.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

DNS Proxy: Select this option if you want the NetScreen device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

Note: The DNS Proxy option does not apply to Layer 2 interfaces.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

Traffic Bandwidth: The traffic bandwidth in kilobits per second (kbps) that you assign to the interface.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.
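The option descriptions above state several constraints that the WebUI does not enforce until you click Apply: the Manage IP and the WebAuth IP must sit in the interface's own subnet, and an Ethernet MTU may only be lowered from the 1500-byte default. The following checker is an added example written for this page, not code from the help page or from the product. It generalizes to the other interface kinds described later on the page (a WAN MTU must lie between 800 and 8192 bytes; a Layer 2 interface in Transparent mode carries 0.0.0.0) and adds one exposure check a reviewer would want: cleartext management services (Telnet, SNMPv1, or WebUI without SSL) enabled on an Untrust-zone interface. The `Interface` dataclass, its field names, the `ethernet`/`wan`/`layer2` kind labels, and the sample definitions are assumptions constructed for the example.

```python
"""Consistency checks for a ScreenOS-style interface definition.

Added example; not code from the original WebUI help page or the product.
Constraints encoded here are the ones the page states: Manage IP and WebAuth
IP in the interface subnet, Ethernet MTU at most 1500, WAN MTU 800-8192,
Layer 2 interfaces at 0.0.0.0. The dataclass and kind labels are assumed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional

# Management services that carry credentials in cleartext; the page offers
# SSH and SSL as the encrypted alternatives.
CLEARTEXT_SERVICES = {"telnet", "snmp"}


@dataclass
class Interface:
    name: str
    zone: str
    kind: str                                   # "ethernet", "wan" or "layer2" (assumed labels)
    ip: Optional[str] = None                    # e.g. "192.0.2.1/24"; None if not assigned
    manage_ip: Optional[str] = None
    webauth_ip: Optional[str] = None
    mtu: Optional[int] = None
    management: List[str] = field(default_factory=list)  # lowercase service names


def _in_subnet(addr: str, iface_ip: Optional[str]) -> bool:
    """True when addr lies inside the subnet of iface_ip (False if no subnet is set)."""
    if not iface_ip:
        return False
    return IPv4Address(addr) in IPv4Interface(iface_ip).network


def check_interface(iface: Interface) -> List[str]:
    """Return a list of problems; an empty list means the definition is consistent."""
    problems: List[str] = []

    if iface.kind == "layer2":
        # Transparent mode: interface addresses are always 0.0.0.0
        if iface.ip not in (None, "0.0.0.0", "0.0.0.0/0"):
            problems.append(f"{iface.name}: Layer 2 interface must use 0.0.0.0, got {iface.ip}")
    else:
        # Manage IP and WebAuth IP must share the interface's subnet
        for label, addr in (("manage-ip", iface.manage_ip), ("webauth-ip", iface.webauth_ip)):
            if addr and not _in_subnet(addr, iface.ip):
                problems.append(f"{iface.name}: {label} {addr} is not in the subnet of {iface.ip}")

    if iface.mtu is not None:
        if iface.kind in ("ethernet", "layer2") and not 1 <= iface.mtu <= 1500:
            problems.append(f"{iface.name}: mtu {iface.mtu} must be between 1 and 1500 for Ethernet interfaces")
        elif iface.kind == "wan" and not 800 <= iface.mtu <= 8192:
            problems.append(f"{iface.name}: mtu {iface.mtu} outside the 800-8192 range for WAN interfaces")

    # Exposure check: cleartext management reachable from the Untrust zone
    if iface.zone.lower() == "untrust":
        for svc in iface.management:
            if svc in CLEARTEXT_SERVICES:
                problems.append(f"{iface.name}: cleartext service {svc} enabled on an Untrust interface")
        if "webui" in iface.management and "ssl" not in iface.management:
            problems.append(f"{iface.name}: WebUI enabled without SSL on an Untrust interface")

    return problems


# Constructed sample definitions (not taken from any real device)
TRUST_ETH = Interface("ethernet1", "Trust", "ethernet", ip="192.0.2.1/24",
                      manage_ip="192.0.2.2", management=["webui", "ssl", "ssh", "ping"])
UNTRUST_ETH = Interface("ethernet3", "Untrust", "ethernet", ip="203.0.113.10/24",
                        manage_ip="198.51.100.2", mtu=9000,
                        management=["telnet", "snmp", "webui"])

if __name__ == "__main__":
    for iface in (TRUST_ETH, UNTRUST_ETH):
        for line in check_interface(iface) or [f"{iface.name}: ok"]:
            print(line)
```

Run as a script it reports nothing for the Trust interface and five findings for the Untrust one (Manage IP outside the subnet, MTU above 1500, Telnet, SNMP, and WebUI without SSL). The subnet test uses the standard-library `ipaddress` module so a /30 on a WAN link and a /24 on a LAN segment are handled the same way.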


To Configure a Physical (Serial) Interface

  1. On the Interface List page, click Edit for the serial interface, and then enter the necessary information:

Interface Name: (Read-only) The Media Access Control (MAC) address for the serial interface appears in parentheses.

Zone Name: The name of the zone to which the interface is bound.

  2. Click OK to save your changes and return to the Interface List. Click Apply to configure the ISP and modem settings for the serial interface.

ISP Configuration

You configure the device to automatically dial to an Internet Service Provider (ISP) account when failover to the serial interface occurs. To configure ISP information for the serial interface, click ISP.

For more information, see ISP Configuration.

Modem Configuration

You configure the device to automatically dial to an ISP account when failover to the serial interface occurs. To configure modem information for the serial interface, click Modem.

For more information, see Modem Configuration.

To Configure a Physical (WAN) Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the serial interface, and then enter the necessary information:

Interface Name (read-only): The name of a physical interface is composed of the media type, slot number (for some devices), and port number, for example, serial1/0 or serial6/0.

WAN Configuration

Member Link: Select this option if the interface is to be added to a multilink interface (also called a bundle).

Note: You must create the multilink interface, configure the encapsulation, and bind the multilink interface to a security zone before member links can be added. To create and configure a multilink interface, see PPP options or Frame Relay options.

Multilink Interface: Select the multilink interface to which the WAN interface is added.

Main Link: Select this option if the WAN interface is not part of a multilink interface.

BRI Mode: Select Leased Line Mode or Dial Using BRI to configure the device for ISDN support.

Note: If you uncheck the Leased Line and Dial Using BRI options and click Apply, the Dialer Pool link is displayed at the top of the Interface Properties screen. The dialer pool is another method to configure the device for ISDN support, using the dialer interface.

Configuring your device for ISDN support:

Use the dialer interface method to dial out to multiple destinations when the number of destinations exceeds the number of available physical lines. This configuration supports dial-on-demand routing (DDR) and bandwidth-on-demand.

The dialer pool utilizes ISDN BRI by using logical dial peers via the dialer interfaces. This separates the actual physical links from all the potential destinations. A physical interface (brix/0) is configured as a member of a dialer pool. The physical interface can also belong to more than one pool, allowing the single line to be used to dial more than one destination.

Leased Line Mode: The interface in this mode is a Layer 3 interface and is predefined for a data rate of 128 Kbps. There is no signaling on the D-channel and the leased line is used to deliver data only. Leased line mode supports PPP encapsulation only.

Dial Using BRI: Check this option to use the ISDN BRI to dial out. Click Apply and edit the following Dialer Enable Options to configure the dialer for the ISDN Basic Rate Interface (BRI):

Primary and Alternative Number: Enter the remote destination to call. If the primary number is not connected, the alternative number is used. The primary-number and alternative-number are strings of 1 to 15 characters.

Load Threshold: Enter the threshold (in percent) at which to set up the second B-channel. For bandwidth on demand, if traffic is greater than the defined load-threshold, the second B-channel is set up. The range is 1 to 100. The default is 80.

Idle Time: If there is no traffic before the idle-time (in seconds) expires, the connection is dropped. The range for idle time is 0 to 60000, where 0 = never idle. The default is 180.

Retry Times: Enter the number of times to redial if the dial attempt fails. The range is 1-6 and the default is 3.

Interval: The dial interval (in seconds) between retries. The range is 1 to 60 and the default is 30.

WAN Encapsulation:

None: Sets no encapsulation method

PPP: Sets the WAN interface to use Point-to-Point Protocol as the encapsulation method

Frame Relay: Sets the WAN interface to use Frame Relay as the encapsulation method

Cisco HDLC: Sets the WAN interface to use Cisco HDLC as the encapsulation method

Binding a PPP Profile (appears after you select PPP  or MLPPP encapsulation and click Apply): Select the PPP access profile.

Note: For an interface with PPP encapsulation, you must bind a PPP access profile to the interface. You must create a PPP access profile even if no authentication is used on the PPP data link. See PPP access profiles.

Zone Name: Select the zone to which the interface is bound.

Fixed IP option:

IP Address/Netmask: Enter the IP Address and netmask of the interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Unnumbered: Sets the WAN interface to use an unnumbered interface.

Interface: Selects the unnumbered interface.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Path MTU (IPV4): Sets the device to use the smallest MTU for all the links in a path.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Maximum Transfer Unit (MTU): The default protocol MTU is 1500 bytes for serial, T1, E1, ISDN BRI, and multilink interfaces and 4470 bytes for T3 interfaces. If the MTU of the network to which the interface connects is different, enter that value here. You can specify a value between 800 and 8192 bytes.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

Note: The DNS Proxy option does not apply to Layer 2 interfaces.

WebAuth checkbox: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface.

IP: Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only checkbox: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

After the basic WAN interface parameters are configured, the WAN encapsulation and other WAN-specific options can be configured. To configure WAN interface-specific features, click WAN at the top of the Interface Properties page; to configure the encapsulation method, click PPP, FR, or Cisco HDLC at the top of the page. Depending on the interface you are configuring, you will see one of the following options:

To configure PPP options for the interface, see PPP options.

To configure Frame Relay options for the interface, see Frame Relay options.

To configure Cisco HDLC options for the interface, see Cisco HDLC options.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.


Vlan1 Interface

Interfaces on a device in transparent mode can only be managed through the VLAN1 interface. The VLAN1 interface has, in fact, two main purposes: one is to provide an address for managing the device, and the other is to terminate VPN traffic when the device is in transparent mode. The VLAN1 interface has similar configuration and management abilities to a physical interface.

To Configure the VLAN1 Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the VLAN1 interface, then enter the necessary information:

Interface Name: (Read-only) The name of the interface is VLAN1.

Zone Name: (Read-only) The VLAN1 interface is bound to the VLAN zone.

IP Address/Netmask: Enter the IP address and netmask of the VLAN1 interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Note: To allow hosts in the VLAN1 zones to manage the VLAN1 interface, set the IP address in the same subnet as the hosts.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Broadcast:

Arp: Select this option to enable the device to send Address Resolution Protocol (ARP) requests through this interface.

Trace Route: When this option is enabled, the device generates a trace-route packet (an ICMP echo request, or PING) at the same time as it generates an ARP query (arpq) with a time-to-live (TTL) flag of 1. You can disable this option if you wish.

Flood: Select this option to enable the device to use flooding.

Bypass Non-IP Packets: Select All to allow non-IP traffic, such as IPX, to pass through the device in Transparent mode. (ARP is a special case for non-IP traffic. It is always passed, even if the feature is disabled.) Select Broadcast/Multicast to only allow broadcast and multicast traffic to pass through. Select Off to disable the feature.

Bypass IPSec Packets for Others: Select this option to pass all IPSec traffic through the device in Transparent mode. The device does not act as a VPN tunnel gateway, but passes the IPSec packets onward to other gateways.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using Secure Shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Vlan Trunk: Select this option to have the device forward VLAN tagged frames according to MAC addresses, ignoring the VLAN tags. If this option is not selected, the device drops VLAN tagged frames. For this feature to work, the device must be in Transparent mode.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

Note: When interfaces are operating in Transparent mode, you must also enable WebAuth for all security zones hosting interfaces that receive WebAuth authentication requests.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.


Layer 2 Interface

When you configure an interface in one of the Layer 2 zones, it gets added to the layer 2 domain shared by all interfaces in all the Layer 2 zones.

All hosts in the Layer 2 zones must be on the same subnet to communicate, and you must define policies to allow hosts to communicate between zones. For more information on access policies, see Policy List.

To Configure a Layer 2 Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the appropriate interface, and then enter the necessary information.

Interface Name: (Read-only) The name of the interface.

Zone Name: Select the Layer 2 zone to which the interface is bound.

IP Address/Netmask: Enter 0.0.0.0. In Transparent mode, the IP addresses of interfaces are set at 0.0.0.0.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

Traffic Bandwidth: The traffic bandwidth in kilobits per second (kbps) that you assign to the interface.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

Note: You can enable Management services and other services such as Ping at the zone level.


Wireless Interface (For some devices only)

A wireless interface is a logical interface that can be bound to a security zone. Some WLAN devices require the wireless interface to be in a separate subnet from all other interfaces—both wired and wireless. You can configure a wireless interface very similarly to an Ethernet interface. Each wireless security device supports up to four wireless interfaces which can be active simultaneously. Some WLAN devices show the wireless interfaces as wireless0/0 — wireless0/3. An important difference between a wireless and wired interface is that you must associate a service set identifier (SSID) with a wireless interface.

To Configure a Wireless Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the appropriate interface, then enter the necessary information:

Interface Name: (Read-only) The name of the interface.

As Member of loopback group: To allow the interface to use the MIP on the loopback interface, configure the interface as a member of the loopback interface group.

Zone Name: Select the zone.

Bind to SSID: Select the SSID assigned to the interface.

Wlan Mode: For security devices with two radios, select which radio the wireless interface uses.

IP Address/Netmask: Enter the IP Address and netmask of the interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

SSH: Select this option to enable management using a secure command shell (SCS). You can administer the device from an Ethernet connection or a dial-in modem using SCS (which is SSH-compatible). To do this, you must have an SCS client that is compatible with Version 1.5 of the SSH protocol. These clients are available for Windows 95, Windows 98, Windows NT, Linux, and UNIX. The device communicates with the SCS client through its built-in SCS server, which provides device configuration and management services.

WebAuth: Select this option to enable WebAuth authentication through this interface. Enter the IP address of the WebAuth server performing the authentication.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

Bridge Group Interface (For some devices only)

Some security devices support a bridge group interface, referred to as a bgroup interface. You can group multiple wired interfaces, or wireless and wired interfaces, so that they are located in the same subnet. By default, ethernet0/0 is bound to the Untrust security zone, ethernet0/1 is bound to the DMZ security zone, and the other Ethernet interfaces are bound to the Trust security zone, which is assigned to the bgroup0 interface.

To Configure a bgroup Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, click Edit for the grouped (bgroup) interface you want to configure, and then enter the necessary information:

Interface Name: (Read-only) The name of a physical interface is composed of the media type, slot number (for some devices), and port number, for example, ethernet3/2, ethernet2, or bgroup0.

As Member of group: Select the redundant or aggregate interface of which you want this physical interface to be a member.

Description: The name of the bgroup (bgroup0 through bgroup4).

Zone Name: The name of the zone to which the interface is bound.

Obtain IP using DHCP: (For appliances only) Select this option to enable the device to act as a DHCP client, receiving a dynamically assigned IP address for its interface from an ISP.

Automatic update DHCP server parameters: Select this check box to forward TCP/IP settings from the DHCP client module on the Untrust interface to the DHCP server module on the default interface in the Trust zone.

Obtain IP using PPPoE: (For appliances only) Select this option to enable the device to act as a PPPoE client, receiving an IP address for its interface from an Internet Service Provider (ISP).

Create new PPPoE setting: You can configure a new instance of PPPoE, which, once saved, gets added to the Obtain IP using PPPoE drop-down list.

Connect: Click this button to initiate a PPPoE session, and Disconnect to terminate a session.

Status: (Read-only) The status of a PPPoE session is indicated as either Disabled (currently inactive) or Enabled (currently in progress).

Static IP: (For appliances only) Select this option to assign a unique and fixed IP address to the interface.

IP Address/Netmask: Enter the IP Address and netmask of the interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Interface Mode: (Appears only when you enter and save a static IP address and netmask.) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Block Intra-Subnet Traffic: (only available for tunnel interfaces with an IP address/netmask) Select this check box to block traffic that routes back out the same interface that it entered.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Overbilling: (For systems only.) Enables the device to receive and send Overbilling Attack information through this interface.

Enforce-IPSEC: (For systems only.) Sets the interface to only accept incoming connections from an IPSec tunnel.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

DNS Proxy: Select this option if you want the NetScreen device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

Note: The DNS Proxy option does not apply to Layer 2 interfaces.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

Traffic Bandwidth: The traffic bandwidth in kilobits per second (kbps) that you assign to the interface.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.


Dialer Interface (For some devices only)

Some security devices support the dialer interface, identified as dialerx interface where x can range from 1 to 10. Use this method to dial out to multiple destinations, when the number of destinations exceeds the number of available physical lines.  

The dialer interface uses a dialer pool to bind the physical interfaces. This separates the actual physical links from all the potential destinations. When the number of destinations exceeds the number of available physical lines, a physical interface can be configured as a member of a dialer pool. The physical interface can also belong to more than one pool, allowing the single line to be used to dial more than one destination.

To Configure a Dialer Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, select Dialer IF and click New. Then enter the necessary information:

Interface Name: The dialer interface name is identified as dialerx, where x is a number from 1 to 10.

Dialer Options

Primary/alternate number(s): The primary number provides a remote destination for the security device to call. If the primary number is not connected, the alternate number is used. The primary and alternate numbers can be any string length less than 32 characters.

Load threshold: This option provides additional bandwidth on demand. If you set this option and the traffic exceeds the load threshold you specified for one B-channel, the second B-channel is utilized. The traffic load is recalculated every 30 seconds. The range for the B-channel load threshold is 1 to 100 (in percent). The default is 80 percent.

Idle time: Use this option to set the amount of time (in seconds) you want the device to wait for traffic before it drops the connection. The idle time can be set for 0 to 60000 seconds, where a setting of zero (0) means the connection cannot be idle. The default is 180 seconds.

Retry times: Use this option to set the number of attempts you want the security device to make when dialing the phone number specified. If the call does not connect, the number is redialed up to the number of attempts specified (one to six). The default is three attempts.

Interval: Use this option to set the dial interval (in seconds) between redial attempts caused by no connection. You can specify 1 to 60 seconds; the default is 30 seconds.

Dialer pool: Use this option to identify the dialer pool that you want the dialer interface to use. The dialer pool identification can be any string length less than 32 characters. See Dialer Pool.

WAN Encapsulation:

None: Sets no encapsulation method.

PPP: Sets the WAN interface to use Point-to-Point Protocol as the encapsulation method.

Multi-link PPP: Sets the WAN interface to use multi-link Point-to-Point Protocol as the encapsulation method.

Binding a PPP Profile (appears after you select PPP or MLPPP encapsulation and click Apply): Select the PPP access profile.

Note: For an interface with PPP encapsulation, you must bind a PPP access profile to the interface. You must create a PPP access profile even if no authentication is used on the PPP data link. See PPP access profiles.

Zone Name: The name of the zone to which the interface is bound.

Fixed IP option:

IP Address/Netmask: Enter the IP Address and netmask of the interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Unnumbered: Sets the WAN interface to use an unnumbered interface.

Interface: Selects the unnumbered interface.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Overbilling: (For systems only.) Enables the device to receive and send Overbilling Attack information through this interface.

Enforce-IPSEC: (For systems only.) Sets the interface to only accept incoming connections from an IPSec tunnel.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.
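The dialer options above each carry a documented range and default. The following is an added example, not ScreenOS code, that encodes those constraints so a dialer interface definition can be checked before it is entered on the device, and that models the documented load-threshold rule which brings the second 64 Kbps B-channel into use. The dataclass field names, the validator and the sample values are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List

B_CHANNEL_KBPS = 64          # one ISDN B-channel, as given in the BRI section
LOAD_RECALC_INTERVAL_S = 30  # documented recalculation interval for the load


@dataclass
class DialerOptions:
    """One dialer interface as entered on the page (defaults taken from the text)."""
    name: str                   # dialerx, x in 1..10
    primary_number: str
    alternate_number: str = ""
    load_threshold: int = 80    # percent of one B-channel, 1..100
    idle_time: int = 180        # seconds, 0..60000 (0 = the connection is never idle)
    retry_times: int = 3        # 1..6 attempts
    interval: int = 30          # seconds between redials, 1..60
    dialer_pool: str = ""
    encapsulation: str = "PPP"  # "None", "PPP" or "MLPPP"
    ppp_profile: str = ""       # required for PPP/MLPPP, even without authentication


def validate_dialer(opts: DialerOptions) -> List[str]:
    """Return the documented constraints this configuration violates (empty = valid)."""
    problems: List[str] = []
    suffix = opts.name[len("dialer"):]
    if not (opts.name.startswith("dialer") and suffix.isdigit() and 1 <= int(suffix) <= 10):
        problems.append(f"interface name must be dialer1..dialer10, got {opts.name!r}")
    if not opts.primary_number:
        problems.append("a primary number is required")
    for label, value in (("primary number", opts.primary_number),
                         ("alternate number", opts.alternate_number),
                         ("dialer pool", opts.dialer_pool)):
        if len(value) >= 32:
            problems.append(f"{label} must be shorter than 32 characters")
    if not 1 <= opts.load_threshold <= 100:
        problems.append("load threshold must be 1..100 percent")
    if not 0 <= opts.idle_time <= 60000:
        problems.append("idle time must be 0..60000 seconds")
    if not 1 <= opts.retry_times <= 6:
        problems.append("retry times must be 1..6")
    if not 1 <= opts.interval <= 60:
        problems.append("redial interval must be 1..60 seconds")
    if opts.encapsulation not in ("None", "PPP", "MLPPP"):
        problems.append(f"unknown WAN encapsulation {opts.encapsulation!r}")
    elif opts.encapsulation != "None" and not opts.ppp_profile:
        problems.append("PPP and MLPPP encapsulation require a bound PPP access profile")
    return problems


def second_b_channel_needed(load_kbps: float, load_threshold: int) -> bool:
    """Documented bandwidth-on-demand rule: the second B-channel is used once the
    measured load exceeds load_threshold percent of a single B-channel."""
    return load_kbps > B_CHANNEL_KBPS * load_threshold / 100.0


def channels_over_time(load_samples_kbps: List[float], load_threshold: int) -> List[int]:
    """B-channels in use after each 30-second recalculation, for constructed load samples."""
    return [2 if second_b_channel_needed(s, load_threshold) else 1 for s in load_samples_kbps]


if __name__ == "__main__":
    ok = DialerOptions("dialer1", "5551234", ppp_profile="site-a")  # constructed sample
    print("valid:", validate_dialer(ok) == [])
    print("channels:", channels_over_time([10, 60, 30], ok.load_threshold))
```

With the 80 percent default, one B-channel carries up to 51.2 Kbps before the second channel is brought in, which is why the sample load of 60 Kbps flips to two channels while 10 and 30 Kbps stay on one.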

Basic Rate Interface (For some devices only)

Some security devices support the ISDN feature or the Basic Rate Interface (BRI) service. The BRI is also called 2B+D, because it consists of two 64 Kbps B-channels and one 16 Kbps D-channel. The B-channels are used for data, and the D-channel is responsible for carrying signalling traffic needed to establish and terminate connections between sites.

Each ISDN BRI uses the naming convention brix/0, where x=slot-id and x/0 represents slot-id/port-id. The two B-channels for bri0/0, for example, are identified as bri0/0.1 and bri0/0.2.

Use one of the following methods to configure your device for ISDN connectivity:

To Configure the BRI as a dialer

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

Set up this ISDN configuration if you are dialing out to a single destination only, when you have intermittent traffic between two sites. The connection drops when there is no traffic.

To set up the ISDN Basic Rate Interface (BRI) as a dialer:

  1. Select the ISDN switch type (Switch Type after Reboot option).

  2. Create a PPP profile.

  3. Set up the BRI as a dialer.
    (a) Check the Dial Using BRI option.
    (b) Enter the Primary Number to dial out.
    (c) Select the WAN Encapsulation.
    (d) Click Apply.
    (e) Bind the PPP profile.

  4. Route traffic through the ISDN interface (BRI).

To Configure the Dialer Interface as a dialer

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

Use this method to dial out to multiple destinations when the number of destinations exceeds the number of available physical lines. This configuration supports dial-on-demand routing (DDR) and bandwidth-on-demand.

To dial out, using the dialer interface as a dialer:

  1. Select the ISDN switch type (Switch Type after Reboot option).

  2. Create a PPP profile.

  3. Set up the dialer interface.

    1. Create a dialer interface and bind the PPP profile.

      1. On the Interface List page, select Dialer IF and click New.

      Interface Name: The dialer interface name is identified as dialerx, where x is a number from 1 to 10.

      Dialer Options:

      Primary/alternate number(s): The primary number provides a remote destination for the security device to call. If the primary number is not connected, the alternate number is used. The primary and alternate numbers can be any string length less than 32 characters.

      WAN Encapsulation:

      Multi-link PPP: Sets the WAN interface to use multi-link Point-to-Point Protocol as the encapsulation method.

      Binding a PPP Profile: This option appears after you select PPP or MLPPP encapsulation and click Apply.

      2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

    2. Create a dialer pool and bind the dialer pool to the dialer interface.

      1. On the Interface List page, select dialerx and click Edit.

      2. Create a dialer pool. Enter a pool name and click Add.

      3. On the Interface List page, select bri and click Edit.

      4. Select Dialer Pool. The Dialer Pool option appears only when both BRI modes (Leased Line and Dial using BRI) are unchecked. Click Apply.

      5. Set the priority for the dialer pool and check the Select as Member box.

      6. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

    3. Add the ISDN Basic Rate interface (BRI) to the dialer pool (select a BRI as a pool member).

  4. Route traffic through the dialer interface.

To Configure the BRI for Leased Line

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

If the BRI is configured for leased-line mode, it becomes a Layer 3 interface that can only deliver data, so the D-channel is not required. Only one channel (B+B) with a total data rate of 128 Kbps is supported.

Use this configuration method to connect two sites with a cost-effective, reliable, high-speed connection when required.

To dial out, using the BRI as a leased line:

  1. Select the ISDN switch type (Switch Type after Reboot option).

  2. Create a PPP profile.

  3. Set up the BRI mode for Leased Line.

    (a) Check the Leased Line option.
    (b) Select the WAN Encapsulation.
    (c) Click Apply.
    (d) Bind the PPP profile.

  4. Route traffic through the ISDN interface (BRI).

Tunnel Interface

A tunnel interface acts as a doorway to a VPN tunnel. Traffic enters and exits a VPN tunnel via a tunnel interface.

By binding a tunnel interface to a VPN, you can separate the policy from the VPN tunnel. This way, you can configure one tunnel, and define multiple policies to allow or deny traffic through that tunnel. When there is no tunnel interface bound to a VPN tunnel, you must specify a VPN tunnel in the access policy itself and choose tunnel as the action. Because the action tunnel implies permission, you cannot specifically deny traffic from a VPN tunnel.

You can perform policy-based NAT on outgoing or incoming traffic using a pool of dynamic IP (DIP) addresses in the same subnet as the tunnel interface.

For more information on tunnel interfaces and VPN tunnels, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide available on the documentation CD that shipped with your Juniper Networks product and also on the Juniper Networks support site.

To Configure a Tunnel Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, select Tunnel IF, click New, and then enter the required information:

Tunnel Interface Name: Enter an ID number for the tunnel interface.

Zone (VR): Select the zone and virtual router to which you want to bind the tunnel interface.

Fixed IP: Select this option if you want the tunnel interface to support policy-based NAT.

IP Address/Netmask: Enter the IP address and netmask of the tunnel interface.

Unnumbered: Select this option if the tunnel interface does not need to support policy-based NAT and if your configuration does not require the tunnel interface to be bound to a tunnel zone.

An unnumbered interface borrows the IP address from another interface that is bound to the same security zone. You must specify which interface the tunnel interface will borrow the IP address from.

Interface: Select the interface from which the tunnel interface will borrow the IP address. The interface must be in the same security zone as the tunnel interface.

Maximum Transfer Unit (MTU): If you know the MTU of the VPN data path and it is smaller than 1500 bytes (the default), enter that value here. The device first fragments a VPN-destined packet if the packet size exceeds the MTU on the outgoing physical interface. Then the device encapsulates and encrypts the fragment. (When the device fragments a packet, it reserves at least 200 bytes for encapsulation and encryption.) If the VPN data path requires a smaller MTU than 1500 bytes, intermediary network devices must defragment, reassemble, and again fragment oversized VPN packets as they receive them. Use this option to avoid adding such unnecessary strain to the network.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this tunnel interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

Block Intra-Subnet Traffic: (Only available for tunnel interfaces with an IP address/netmask.) Select this check box to block traffic that routes back out the same tunnel interface that it entered.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

Note: For more information on tunnel interfaces, see Tunnel Interface Configuration.
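The MTU description above gives two numbers a practitioner needs when sizing a tunnel interface: the 1500-byte default and the at-least-200-byte reserve for encapsulation and encryption. The following added example, not ScreenOS code, works those numbers through: it derives the value to enter in the MTU field from a known VPN data-path MTU, plans the clear-text fragments the device would produce, and counts how many encapsulated fragments an intermediary device would have to re-fragment if the tunnel MTU were left at the default. The 20-byte IPv4 header, the 8-byte fragment-offset rounding and the exact fragmentation threshold are this example's assumptions; the page states only the reserve and the default.

```python
from typing import List

DEFAULT_MTU = 1500   # default interface MTU from the text
ENCAP_RESERVE = 200  # documented minimum reserved for encapsulation and encryption
IPV4_HEADER = 20     # assumed: IPv4 header without options


def tunnel_mtu_to_configure(vpn_path_mtu: int) -> int:
    """Value to enter in the tunnel interface MTU field: the data-path MTU when it
    is below the 1500-byte default, otherwise the default is left alone."""
    return min(vpn_path_mtu, DEFAULT_MTU)


def max_clear_text_fragment(mtu: int) -> int:
    """Largest pre-encapsulation fragment that still fits the MTU after the 200-byte
    reserve. The IPv4 fragment offset counts 8-byte units, so the payload part of
    every fragment except the last is rounded down to a multiple of 8 (assumption)."""
    payload = mtu - ENCAP_RESERVE - IPV4_HEADER
    if payload <= 0:
        raise ValueError(f"MTU {mtu} leaves no room for payload after the reserve")
    payload -= payload % 8
    return payload + IPV4_HEADER


def plan_fragments(packet_len: int, mtu: int) -> List[int]:
    """Lengths of the clear-text fragments produced before encapsulation.
    Assumption (not stated on the page): a packet is fragmented as soon as it
    would no longer fit the MTU once the 200-byte reserve is added."""
    if packet_len + ENCAP_RESERVE <= mtu:
        return [packet_len]
    max_payload = max_clear_text_fragment(mtu) - IPV4_HEADER
    remaining = packet_len - IPV4_HEADER
    fragments: List[int] = []
    while remaining > 0:
        chunk = min(remaining, max_payload)
        fragments.append(chunk + IPV4_HEADER)
        remaining -= chunk
    return fragments


def encapsulated_sizes(packet_len: int, mtu: int) -> List[int]:
    """Worst-case on-the-wire size of each fragment once the full reserve is used."""
    return [f + ENCAP_RESERVE for f in plan_fragments(packet_len, mtu)]


def oversized_on_path(packet_len: int, mtu: int, vpn_path_mtu: int) -> int:
    """Encapsulated fragments an intermediary device would have to re-fragment
    because they exceed the VPN data-path MTU; zero means the tunnel MTU is tuned."""
    return sum(1 for s in encapsulated_sizes(packet_len, mtu) if s > vpn_path_mtu)


if __name__ == "__main__":
    path_mtu = 1400  # constructed example: a VPN path that cannot carry 1500 bytes
    print("configure MTU:", tunnel_mtu_to_configure(path_mtu))
    print("untuned re-fragmentation:", oversized_on_path(1500, DEFAULT_MTU, path_mtu))
    print("tuned re-fragmentation:", oversized_on_path(1500, tunnel_mtu_to_configure(path_mtu), path_mtu))
```

For a 1500-byte packet and a 1400-byte path, leaving the tunnel MTU at 1500 produces a 1500-byte encapsulated fragment that the path must break up again; entering 1400 in the MTU field yields fragments of 1396 and 524 bytes on the wire, so nothing downstream has to reassemble and re-fragment.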

Redundant Interface

You can bind two physical interfaces together to create one redundant interface, which you can then bind to a security zone. One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface. The other physical interface acts as the secondary interface and stands by in case the active interface experiences a failure.

To Configure a Redundant Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, select Redundant IF, click New, and then enter the necessary information:

Interface Name: Enter a number next to "redundant".

As Member of loopback group: (Appears only when you enter and apply an IP address/netmask.) To allow the interface to use the MIP on the loopback interface, configure the interface as a member of the loopback interface group.

Members: (Read-Only) The name of the physical interfaces that are members of the redundant interface. You can assign physical interfaces to the redundant interface through the physical interface configuration.

Zone Name: Select the zone to which you want to bind the interface.

IP Address/Netmask: Enter the IP address and netmask of the redundant interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Manage IP: (Appears only when you enter and apply an IP address/netmask.) The logical IP address through which you can manage the device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Interface Mode: (Appears only when you enter and save a static IP address and netmask) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Block Intra-Subnet Traffic: (Appears only when you enter and apply an IP address/netmask.) Select this check box to block traffic that routes back out the same interface that it entered.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Overbilling: (Appears only when you enter and apply an IP address/netmask on systems.) Enables the device to receive and send Overbilling Attack information through this interface.

Enforce-IPSEC: (Appears only when you enter and apply an IP address/netmask on systems.) Sets the interface to only accept incoming connections from an IPSec tunnel.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

VSI Interface

Virtual security interfaces (VSIs) are the virtual interfaces that two devices forming a virtual security device (VSD) share when operating in high availability (HA) mode. A VSI is bound to a VSD group so before you configure a VSI, you must first configure a VSD group. For more information, see VSD Group.

For more information on VSI interfaces, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide available on the documentation CD that shipped with your Juniper Networks product and also on the Juniper Networks support site.

To Configure a Virtual Security Interface

  1. On the Interface List page, select VSI IF, click New, and then enter the necessary information:

Interface Name: Select an interface from the drop-down menu next to "VSI Base", and select a number from the drop-down menu next to "VSD Group".

As member of loopback group: (Appears only when you enter and apply an IP address/netmask) To allow the interface to use the MIP on the loopback interface, configure the interface as a member of the loopback interface group.

VSD Group: Select the VSD group to which the virtual security interface belongs.

IP Address/Netmask: Enter the IP address and netmask of the virtual security interface.

Manageable: Select this option to enable management of the device using the interface IP address.

Interface Mode: (Appears only when you enter and save a static IP address and netmask.) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Block Intra-Subnet Traffic: (Appears only when you enter and apply an IP address/netmask) Select this check box to block traffic that routes back out the same interface that it entered.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

Overbilling: (Appears only for systems when you enter and apply an IP address/netmask.) Enables the device to receive and send Overbilling Attack information through this interface.

Enforce-IPSEC: (Appears only for systems when you enter and apply an IP address/netmask.) Sets the interface to only accept incoming connections from an IPSec tunnel.

Maximum Transfer Unit (MTU): If the MTU of the network to which the interface connects is smaller than 1500 bytes (the default), enter that value here.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.

Sub-Interface (For some devices only)

A sub-interface, like a physical interface, acts as a doorway through which traffic enters and exits a security zone. You can logically divide a physical interface into several virtual sub-interfaces. Each virtual sub-interface borrows the bandwidth it needs from the physical interface from which it stems, thus its name is an extension of the physical interface name, for example, ethernet3/2.1 or ethernet2.1.

You can bind a sub-interface to any zone. You can bind a sub-interface to the same zone as its physical interface, or you can bind it to a different zone.

To Configure a Sub-Interface

Note: The interface configuration options you see depend upon the device model and on certain configuration selections, such as the zone to which the interface is bound.

  1. On the Interface List page, select Sub-IF, click New, and then enter the necessary information:

Interface Name: Select an interface from the drop-down menu, and enter a number after the period (.).

Zone Name: Select the zone to which you want to bind the interface.

IP Address/Netmask: Enter the IP address and netmask of the sub-interface.

Manageable: Select this option to enable management of the device using the interface IP address.

VLAN Tag: Enter a VLAN tag number. A sub-interface is an abstraction that functions identically to an interface for a physically present port and is distinguished by 802.1Q VLAN tagging. The device directs traffic to and from a zone with a sub-interface via its IP address and VLAN tag. For convenience, administrators usually assign a VLAN tag that is the same as the interface number.

Interface Mode: (Appears only when you enter and save a static IP address/netmask and VLAN tag.) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Management Services:

WebUI: Select this option to enable management through the Web user interface (WebUI).

SNMP: Select this option to enable the use of SNMP. The device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

Telnet: Select this option to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Select this option to allow the interface to receive HTTPS traffic for secure management of the device via the WebUI.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the device from an Ethernet connection or a dial-in modem using SSH.

NSM: Select this option to allow the interface to receive NetScreen-Security Manager traffic.

Other Services:

Ping: Select this option to allow the device to respond to ICMP echo requests, or "pings". Ping is a utility that determines whether a specific IP address is accessible or not.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

DNS Proxy: Select this option if you want the device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

WebAuth IP: (Appears only after you enter and save a static IP address and netmask.) Select this option to enable WebAuth authentication for this interface. Enter the IP address of the WebAuth server performing the authentication.

SSL Only: Select this option to require that all authentication requests to the WebAuth authentication server use SSL. If this option is cleared, the WebAuth server responds to either HTTP (clear-text) or HTTPS (cipher-text) authentication requests.

  2. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.
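The VLAN Tag description above says the device steers traffic to a sub-interface, and hence to its zone, by the 802.1Q tag on the frame. The following added example, not ScreenOS code, shows that classification concretely: it builds constructed Ethernet frames with and without an 802.1Q tag, parses the tag (TPID 0x8100 followed by the 16-bit TCI whose low 12 bits are the VLAN ID), and looks up the sub-interface configured for that physical port and tag. A tagged frame whose VLAN ID has no sub-interface on that port maps to no interface and therefore no zone. The sub-interface table, MAC addresses and zone names are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass(frozen=True)
class SubInterface:
    name: str      # e.g. ethernet3.1 (extension of the physical interface name)
    vlan_tag: int  # VLAN ID carried in the 802.1Q tag
    zone: str


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Construct a sample Ethernet frame, optionally with one 802.1Q tag."""
    header = dst + src
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)  # PCP in the top 3 bits, VID in the low 12
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vlan_id or None for untagged, ethertype, payload)."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    vlan_id, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag is truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF   # low 12 bits; PCP and DEI occupy the top 4
        offset = 18
    return dst, src, vlan_id, ethertype, frame[offset:]


def classify(physical: str, physical_zone: str, frame: bytes,
             sub_ifs: Dict[Tuple[str, int], SubInterface]) -> Tuple[Optional[str], Optional[str]]:
    """Map a frame arriving on a physical port to (interface, zone). Untagged frames
    belong to the physical interface; a tag with no sub-interface on that port
    yields (None, None), i.e. no zone and so no policy can admit it."""
    _, _, vlan_id, _, _ = parse_frame(frame)
    if vlan_id is None:
        return physical, physical_zone
    sub = sub_ifs.get((physical, vlan_id))
    if sub is None:
        return None, None
    return sub.name, sub.zone


# Constructed sample configuration and frames (not from the page).
SUB_IFS = {
    ("ethernet3", 1): SubInterface("ethernet3.1", 1, "DMZ"),
    ("ethernet3", 2): SubInterface("ethernet3.2", 2, "Trust"),
}
DST = bytes.fromhex("001122334455")
SRC = bytes.fromhex("66778899aabb")
ETHERTYPE_IPV4 = 0x0800
SAMPLE_PAYLOAD = b"\x45" + b"\x00" * 19          # minimal IPv4 header placeholder
TAGGED_VLAN1 = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=1)
TAGGED_VLAN9 = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD, vlan_id=9, pcp=5)
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, SAMPLE_PAYLOAD)

if __name__ == "__main__":
    for label, frame in (("vlan1", TAGGED_VLAN1), ("vlan9", TAGGED_VLAN9), ("untagged", UNTAGGED)):
        print(label, "->", classify("ethernet3", "Untrust", frame, SUB_IFS))
```

The VLAN-9 frame carries a non-zero priority code point, which shows why the parser masks the TCI to its low 12 bits rather than using the whole field as the VLAN ID.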

Aggregate Interface (For some devices only)

An aggregate interface combines several physical interfaces, which share equally the traffic load directed to the IP address of the aggregate interface. By using an aggregate interface, you can greatly increase the amount of bandwidth available to a single IP address.

To Configure an Aggregate Interface

  1. On the Interface List page, select Aggregate IF, click New, and then enter the necessary information:

Interface Name: Enter a number from 1 to 4 next to "aggregate".

Members: (Read-Only) The names of the two ports that are members of the aggregate-port interface. You assign ports to the aggregate-port interface through the physical interface configuration.

Note: To be available for port aggregation, both ports in a pair must be free (not bound to a zone). Also, note that each port can only be paired with one particular port. The legal pairs are: Ethernet2/1 – Ethernet2/2; Ethernet2/3 – Ethernet2/4; Ethernet2/5 – Ethernet2/6; Ethernet2/7 – Ethernet2/8.

Zone Name: The name of the zone to which the aggregate-port interface is bound.

IP Address/Netmask: Enter the IP address of the aggregate-port interface and the subnet mask for the subnet on which the aggregate-port interface IP address is located.

Manageable: Select this option to enable management of the NetScreen device using the interface IP address.

Manage IP: The logical IP address through which you can manage the NetScreen device. You can set a different Manage IP address on each available interface. The Manage IP address must be on the same subnet as the physical IP address.

Interface Mode: (Appears only when you enter and save a static IP address and netmask.) Select NAT so that the IP addresses of the devices on this interface have private, non-routable IP addresses. Select Route so that the IP addresses of the devices on this interface have public, routable IP addresses. NAT is the default mode.

Note: Interface-based NAT only applies to traffic sent to the Untrust zone. To use NAT for traffic sent to other zones, you must specify it in a policy.

For more information on operational modes, such as NAT, Route, or Transparent, see Operational Modes.

Management Services:

WebUI: Select to enable management through the Web user interface (WebUI).

Telnet: Select to allow management through a terminal emulation program for TCP/IP networks such as the Internet. Telnet is a common way to remotely control a network device.

SSL: Selecting this option allows the interface to receive HTTPS traffic for secure management of the NetScreen device via the WebUI.

SNMP: Select to enable the use of SNMP. The NetScreen device supports the SNMPv1 protocol (described in RFC-1157) and all relevant MIB II (Management Information Base II) groups defined in RFC-1213.

SSH: Select this option to enable management using a secure command shell (SSH). You can administer the NetScreen device from an Ethernet connection or a dial-in modem using SSH.

Other Services:

Ping: Select to allow the NetScreen device to respond to an ICMP echo request, or "ping," which is a utility that enables you to determine whether a specific IP address is accessible.

Ident-reset: Services like Mail and FTP send identification requests. If they receive no acknowledgment, they send the request again. While the request is processing, there is no user access. An ident-reset restores access that has been blocked by an unacknowledged identification request.

DNS Proxy: Select this option if you want the NetScreen device to proxy (forward) DNS queries received on this interface to the appropriate DNS server as configured on the DNS Proxy Configuration page.

WebAuth: (Appears only when an IP address/netmask is entered and applied) Select this option to enable WebAuth authentication for this interface. Enter the IP address that receives authentication requests for the WebAuth server. The WebAuth IP address must be in the same subnet as the interface IP address.

SSL Only: Select this option to require that all WebAuth authentication requests use SSL. The URL that a WebAuth authentication user enters in his or her Web browser must be https://ip_addr, in which ip_addr is the IP address that receives authentication requests for the WebAuth server.

  1. Click OK to save your changes and return to the Interface List. Click Apply to continue configuring the interface.
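The management-service checkboxes above decide which protocols can reach the device's own management plane from each interface. Telnet, the plain (HTTP) WebUI and SNMPv1 carry credentials or community strings unencrypted, while SSH and SSL protect them, so the usual review question is which of these services are exposed on an interface bound to the Untrust zone. The following audit script is an added example, not code from the NetScreen documentation or product: it parses constructed configuration lines whose `set interface <name> zone <zone>` / `set interface <name> manage <service>` syntax is an assumption modelled on the ScreenOS CLI, maps each interface to its zone and enabled services, and flags cleartext management on Untrust as high severity and Telnet or plain WebUI elsewhere as something to replace with SSH or SSL.

```python
"""Audit per-interface management services against the zone they are bound to.

Added example. The config syntax parsed here is an assumption that resembles
the ScreenOS CLI; the sample lines below are constructed, not a real device config.
"""
import re
from dataclasses import dataclass, field

# Services the interface page exposes as checkboxes. Telnet, plain WebUI (HTTP)
# and SNMPv1 (RFC 1157) send credentials or community strings in cleartext;
# SSH and SSL (HTTPS) encrypt the management session.
CLEARTEXT_MGMT = {"telnet", "web", "snmp"}
ENCRYPTED_MGMT = {"ssh", "ssl"}
ALL_SERVICES = CLEARTEXT_MGMT | ENCRYPTED_MGMT | {"ping", "ident-reset"}

ZONE_RE = re.compile(r"^set interface (\S+) zone (\S+)$")
MANAGE_RE = re.compile(r"^set interface (\S+) manage (\S+)$")

# Constructed sample: a Trust-side interface with Telnet left on, and an
# Untrust-side interface exposing Telnet and SNMP next to SSH.
SAMPLE_CONFIG = """
set interface ethernet1 ip 192.0.2.1/24
set interface ethernet1 zone Trust
set interface ethernet1 manage ssh
set interface ethernet1 manage ssl
set interface ethernet1 manage telnet
set interface ethernet1 manage ping
set interface ethernet3 zone Untrust
set interface ethernet3 manage ssh
set interface ethernet3 manage telnet
set interface ethernet3 manage snmp
set interface ethernet3 manage ping
"""


@dataclass
class Interface:
    name: str
    zone: str = "null"            # ScreenOS binds unassigned interfaces to Null
    services: set = field(default_factory=set)


def parse_config(text):
    """Return {interface_name: Interface} built from zone and manage lines."""
    ifaces = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ZONE_RE.match(line)
        if m:
            ifaces.setdefault(m.group(1), Interface(m.group(1))).zone = m.group(2).lower()
            continue
        m = MANAGE_RE.match(line)
        if m:
            svc = m.group(2).lower()
            if svc not in ALL_SERVICES:
                raise ValueError(f"unknown management service: {svc}")
            ifaces.setdefault(m.group(1), Interface(m.group(1))).services.add(svc)
    return ifaces


def audit(ifaces):
    """Return (severity, interface, message) findings, ordered by interface name."""
    findings = []
    for name, itf in sorted(ifaces.items()):
        cleartext = sorted(itf.services & CLEARTEXT_MGMT)
        if itf.zone == "untrust":
            # Any cleartext management protocol reachable from outside is the
            # finding a reviewer raises first; ping is only informational.
            for svc in cleartext:
                findings.append(("high", name, f"{svc} management enabled on Untrust interface"))
            if "ping" in itf.services:
                findings.append(("info", name, "interface answers ping from Untrust"))
        else:
            if "telnet" in itf.services:
                findings.append(("medium", name, "telnet enabled; prefer ssh"))
            if "web" in itf.services:
                findings.append(("medium", name, "plain WebUI (HTTP) enabled; prefer ssl"))
            if "snmp" in itf.services:
                findings.append(("low", name, "SNMPv1 enabled; community string travels in cleartext"))
    return findings


def run_sample_audit():
    """Parse the constructed sample and return its findings."""
    return audit(parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for severity, iface, msg in run_sample_audit():
        print(f"[{severity:<6}] {iface}: {msg}")
```

On the constructed sample the script reports Telnet on ethernet1 as medium, and Telnet and SNMP on the Untrust-bound ethernet3 as high, with a ping note; the same table of severities can be adjusted to whatever an organisation's management-plane policy says, the parsing and zone mapping stay the same.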

Loopback Interface (For some devices only)

A loopback interface is a logical interface that emulates a physical interface on the device. A loopback interface is always in the up state as long as the device on which it resides is up. Like a physical interface, you must assign an IP address to a loopback interface and bind it to a security zone. You can define a mapped IP (MIP) address on a loopback interface, which allows the MIP to be accessed by a group of interfaces.

For more information, see Loopback Interface Configuration.

Mapped IP Addresses

Some interface configuration pages give you the option to create mapped IP (MIP) addresses. To create MIP addresses for the interface, click MIP.

For more information, see Mapped IP Address Configuration.

Virtual IP Addresses

Some interface configuration pages give you the option to create virtual IP (VIP) addresses. To create VIP addresses for the interface, click VIP.

For more information, see Virtual IP Address List.

Secondary IP Addresses

Some interface configuration pages give you the option to create secondary IP addresses. To create secondary IP addresses for the interface, click Secondary IP.

For more information, see Secondary IP Address Configuration.

Dynamic IP Addresses

Some interface configuration pages give you the option to create dynamic IP (DIP) address pools. To create DIP address pools for the interface, click DIP.

For more information, see Dynamic IP Address Pool Configuration.

BGP

Some interface configuration pages give you the option to configure Border Gateway Protocol (BGP). To configure BGP for the interface, click BGP.

For more information, see BGP Virtual Router Settings.

DHCP

Some interface configuration pages give you the option to configure Dynamic Host Configuration Protocol (DHCP). To configure DHCP for the interface, click DHCP.

For more information, see DHCP Relay Agent or Server Configuration.

RIP/RIPng

Some interface configuration pages give you the option to configure Routing Information Protocol (RIP) or Routing Information Protocol Next Generation (RIPng). To configure RIP for an interface in an IPv4 environment, click RIP. To configure RIPng for an interface in an IPv6 environment, click RIPng.

For more information, see RIP Interface Configuration or RIPng Interface Configuration.

OSPF

Some interface configuration pages give you the option to configure Open Shortest Path First (OSPF). To configure OSPF for the interface, click OSPF.

For more information, see OSPF Interface Configuration.