Juniper Networks 5XT manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

Go to page of

A good user manual

The rules should oblige the seller to give the purchaser an operating instrucion of Juniper Networks 5XT, along with an item. The lack of an instruction or false information given to customer shall constitute grounds to apply for a complaint because of nonconformity of goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately graphic and electronic forms of the manuals, as well as instructional videos have been majorly used. A necessary precondition for this is the unmistakable, legible character of an instruction.

What is an instruction?

The term originates from the Latin word „instructio”, which means organizing. Therefore, in an instruction of Juniper Networks 5XT one could find a process description. An instruction's purpose is to teach, to ease the start-up and an item's use or performance of certain activities. An instruction is a compilation of information about an item/a service, it is a clue.

Unfortunately, only a few customers devote their time to read an instruction of Juniper Networks 5XT. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid the formation of most of the defects.

What should a perfect user manual contain?

First and foremost, an user manual of Juniper Networks 5XT should contain:
- informations concerning technical data of Juniper Networks 5XT
- name of the manufacturer and a year of construction of the Juniper Networks 5XT item
- rules of operation, control and maintenance of the Juniper Networks 5XT item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from the lack of time and certainty about functionalities of purchased items. Unfortunately, networking and start-up of Juniper Networks 5XT alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), eventual defects of Juniper Networks 5XT, and methods of problem resolution. Eventually, when one still can't find the answer to his problems, he will be directed to the Juniper Networks service. Lately animated manuals and instructional videos are quite popular among customers. These kinds of user manuals are effective; they assure that a customer will familiarize himself with the whole material, and won't skip complicated, technical information of Juniper Networks 5XT.

Why one should read the manuals?

It is mostly in the manuals where we will find the details concerning construction and possibility of the Juniper Networks 5XT item, and its use of respective accessory, as well as information concerning all the functions and facilities.

After a successful purchase of an item one should find a moment and get to know with every part of an instruction. Currently the manuals are carefully prearranged and translated, so they could be fully understood by its users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 1 of 42 Juniper Networks NetScreen Release Notes Product: Juniper NetS creen-5XT, Juniper NetScreen-204, Juniper NetScreen-208, Juniper NetScreen -500, Juniper NetScreen-5200, Juniper NetScreen-5400 Version: ScreenOS 5.0.0r9-FIPS Release Status: Private Part Number: 093-1638-000, Rev. A Date: 6-01[...]

  • Page 2

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 2 of 42 5. Known Issues o n page 29 5.1 Limitation s of Features in ScreenOS 5.0.0 on page 29 5.2 Compatibility Issues in ScreenOS 5.0.0 on page 30 5.2.1 Upgrade Paths from P revious Releases on page 31 5.3 Known Issues in Scre enOS 5.0.0 o n page 32 5.3.[...]

  • Page 3

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 3 of 42 Refer to the following table to understan d what ScreenOS v ersions map to w hich product. 2. New Features and Enhancements The following sections detail new featur es and enhancements in ScreenOS 5.0.0 releases. For a complete list and descriptio[...]

  • Page 4

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 4 of 42 According to Trend Micro, the categories of viruses bypassed include HTML and Javascript. However, the subset o f the bypassed viruses can be described as the following: Javascript/Jscript/HTML embedded in HTML code (having HTTP content type of te[...]

  • Page 5

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 5 of 42 3. Changes to Default Behavior There are numerous changes in default behavior. For detailed information on changes to default behavior in ScreenOS 5.0.0, refer to the Juniper Networks NetScreen ScreenOS Migration Guide . Specific changes in defaul[...]

  • Page 6

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 6 of 42 • 03537 – The device failed when it incorrectly sent the DHCPDISCOVER packet out in the callback function. • 03528 – The subscription key retrieval oper ation worked only intermittently because the device did not cl ose the SSL socket prop[...]

  • Page 7

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 7 of 42 • 03358 – A very long URL entry when y o u attempt to perform URL filtering sometimes caused th e device to fail. • 03356 – The Phase 2 rekey sometimes fail ed after the Phase 1 expired when you used Kbytes as the criteria to trigger a Pha[...]

  • Page 8

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 8 of 42 • 03269 – The Juniper Net Screen-5GT incorre ctly autonegotiat ed to 10MBps half duplex after it had initi ally set itself to 10MBps full duplex. • 03267 – The anti-virus feature had a problem handling the HTTP packets because a web serve [...]

  • Page 9

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 9 of 42 • 03132 – When using Juniper NetScreen- Remote to connect to a Juniper NetScreen-500 dial-up VPN usin g the WebUI, the IKE Gateway Configuratio n displays as user instead of user-g roup . • 03128 – Mistakes occurred with (MIP) Mapp ed IP t[...]

  • Page 10

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 10 of 42 • 02986 – SSHv2 with RADIUS auth entication failed to authenticate external users properly. • 02985/02996 – The Juniper NetScreen-5000 Se ries systems sometimes failed from memory corruption due to kernel locking. • 02975 – While perf[...]

  • Page 11

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 11 of 42 • 02867 – If the DHCP relay se rver is set with an IP address, the dev ice incorrectly attempted to resolve the IP address with the host name even though there was no hostname. • 02861 – IP swapping issues occ urred on the Juniper NetScre[...]

  • Page 12

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 12 of 42 • 02580 – When you created a new custom service, and then confi gured a VPN using IKE, the Proxy ID setting in the VPN Autokey IKE configuration incorrectly defaults to the n ew custom se rvice, and n ot the ANY se rvice. • 02555 – The sy[...]

  • Page 13

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 13 of 42 • 01998 – You could n ot save the set console aux disable command into the device config uration. • 01739 – Ping oper ations would not work if fast agi ng out of MAC addresses did not occur when a PC migrated from one Juniper NetScreen-5G[...]

  • Page 14

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 14 of 42 whenever the device restarts and does not effect the normal operation of the device. • 36473 – Restarting a Juniper Networks secu rity appliance while it was performing an operatio n in flash some times damaged the data on the device and caus[...]

  • Page 15

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 15 of 42 • 02926 – The number of syslog messages sent per second from the Juniper Networks security applia nce were being limite d by an in ternal process. • 02924 – SMTP (Simple Mail Transfer Prot ocol) queued emai ls on Microsoft Outlook 2003 cl[...]

  • Page 16

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 16 of 42 • 02822 – The DHCP utility did not work on one of the redundant interfaces on a device. The interface did not appe ar in the DHCP environment in the WebUI. • 02814 – The SNMP interface in dex values were inconsistent through the SNMP tree[...]

  • Page 17

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 17 of 42 • 02709 – When you set a manual VPN auth entication setting to NULL on a Juniper Networks security appliance, th e device failed because a Null length is invalid. • 02707 – When performing an anti-virus scan on a Juni per NetScreen-5GT de[...]

  • Page 18

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 18 of 42 • 02655 – The event log timesta mp changed to Daylight Savings Time (DST) even though DST was not enabled. • 02642 – After configuring SCREEN setting threshol ds on a device usi ng the WebUI or CLI, the get config | include < screen_se[...]

  • Page 19

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 19 of 42 • 02551 – An NSRP backup devic e indicated that a failov er occurred continuously when no failure on the primary device occurred. • 02543 – A device rebooted because of an improperly processed checksum. • 02542 – When upgra ding a Jun[...]

  • Page 20

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 20 of 42 • 02333 – When a device att empted to bloc k files with a .exe extension, it incorrectly block ed files with .zi p extension s. • 02326 – A device incorrectly created sessi ons if the IP address had a unicast destination while the destina[...]

  • Page 21

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 21 of 42 4.3 Addressed Issues from ScreenOS 5.0.0r7 Manufacturing-only release. 4.4 Addressed Issues from ScreenOS 5.0.0r6 • 38268 – A J uniper Networks security applia nce running a BGP peer vi rtual routing instance cannot use an MD5 type password w[...]

  • Page 22

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 22 of 42 • 02384 – The device failed if you connecte d an Ethernet cable to the untrust interface in the v1-untrust zone w hil e the device was in transparent mode. • 02383 – Under some circumstances, the OSPF routing instance could not build an a[...]

  • Page 23

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 23 of 42 • 02272 – HTTP and HTTPS packets passe d through VPN tunnels more slowly than expected, sometimes to th e point of timing out and causing the device to continually retransmit the pac kets. • 02250 – The device sometimes generated an error[...]

  • Page 24

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 24 of 42 • 37069 – The configuration wizard option in the WebUI that enables you to skip the wizard screens was not present on the initial wizard screen. This option enables you to go directly to the WebUI login wi ndow to enter the device to manage i[...]

  • Page 25

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 25 of 42 • 02134 – When a policy specified a service that conta ined the same ranges for both the source port and destin ation port, traffic associated with other services with the same port ranges ma tched the conditions of t he policy and the policy[...]

  • Page 26

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 26 of 42 discrepancy, you had to read the text de scription of the trap type to identify it. Now you can refer to the trap type value to identify it. For e xample, the traditional SNMP trap type value for a Cold Start event is 0. Please check the ScreenOS[...]

  • Page 27

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 27 of 42 • 01985 – You could not schedule a policy using the WebUI. • 01970 – Under cert ain circumstances, th e Juniper Networks security appliance did not send email alert s. • 01943 – When the DH CP payload (i nformati on included with the [...]

  • Page 28

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 28 of 42 • 36717 – When upgrading to ScreenOS 5.0.0, the maxi mum number of address groups allowed for Layer2 predefined zones incorrectl y got set to the same number as for custom zones. As a result, if the numbe r of address groups in Layer2 predefi[...]

  • Page 29

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 29 of 42 • 01958 – An internal mishandling of the MAC cache could ca use a security appliance to crash . • 01944 – The group addresses for V1-untrust zone were getting lost after upgrading a device from a previo us rele ase. The group address for [...]

  • Page 30

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 30 of 42 • SSH Version 1 Interoperability – The embedded SSH server in ScreenOS 5.0.0 has issues wi th the client fr om SSH Communications Security when operating in SSH version 1 mode. W/A: Use SSH version 2 or a different SSH version 1 client, such [...]

  • Page 31

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 31 of 42 – Freeswan - The Freeswan 1.3 VPN client is incompat ible with ScreenOS 5.0.0 in certain co nfigurations due to IKE feature s that Freeswan doe s not fully support . The result is tha t Phase 2 negot iations and Phase 2 SA will not complete if [...]

  • Page 32

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 32 of 42 Juniper NetScreen- 5000 series only : Before you upgrade a Jun iper Networks security applia nce to ScreenOS 5.0.0, we recommend that you verify the amount of memory on the device us ing the get system CLI command. You ne ed 1 gigaby te of memory[...]

  • Page 33

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 33 of 42 • 03504 – The value of the sysUpTime variable from an SNMP query incorrectly displays as more than 497 da ys. • 03495 – When the dev ice drops packets after you issued the set f low tcp- syn-check command, ScreenOS does no t log the drop [...]

  • Page 34

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 34 of 42 W/A: Execute the save command first, be fore executing the save config from flash to slot1 command. 5.3.3 Known Issues from ScreenOS 5.0.0r7 None. 5.3.4 Known Issues from ScreenOS 5.0.0r6 None. 5.3.5 Known Issues from ScreenOS 5.0.0r5 None. 5.3.6[...]

  • Page 35

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 35 of 42 5.3.7 K nown Issues from Scre enOS 5.0.0r3 for the 5000-M2 • 38001 – When you run the get sessi on command, ScreenOS sometimes displays the policy ID n umber incorre ctly as a negative nu mber. • 37993 – When enabled on a Juniper NetScree[...]

  • Page 36

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 36 of 42 • 36807, 36876 – When a 10 0Mbps link between a Juniper NetScreen-5 000 Series system and another device reve rts to a 10Mbps throughpu t level on the other device, the Juni per NetScreen-5000 Series system remains at the 100Mbps throughput l[...]

  • Page 37

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 37 of 42 exceeds the maximum number of routes permitted on a single page, all subsequent pages display the routes from the first page. • 35417 - If you set the guaranteed or maximum bandwidth (GBW or MBW) higher than the interface bandwidth , traffic do[...]

  • Page 38

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 38 of 42 displays only when you issue a ‘get event' CLI command, and not when you issue a 'g et log event' CLI command. • 33916 - A Juniper Networks securit y appliance supports a maximum of 256 OSPF interfaces. • 33598 - For inter-vs[...]

  • Page 39

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 39 of 42 number to the same port number as th e original destination port. This does not affect traffic. • 30844 - When AV is enabled, you cannot down load files to the Juniper Networks security appliance through a VPN using the WebUI. W/A: Specify a pe[...]

  • Page 40

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 40 of 42 • 28138 - The Websense server provides erroneous protocol version information, which the J uniper Netw orks security appliance displays. • 28016 - Juniper Networks secu rity appliances do not support a MIP in the same zone as the destination [...]

  • Page 41

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 41 of 42 6. Getting Help For further assistance with Ju niper Netwo rks products, visit www.juniper.n et/support Juniper Networks occasionally provides maintenance releases (updates and upgrades) for ScreenOS firm ware. To have access to these releases, y[...]

  • Page 42

    Junipe r Networks NetScreen Release No tes ScreenOS 5.0.0r9-FIPS P/N 093-1638-000, Rev. A Page 42 of 42[...]