Configuring NetScreen Firewalls

With all that theory under our belt, it is time to see how we can implement a highly available network by using the NSRP-Lite feature available on some of the mid-range NetScreen appliances. NSRP-Lite is a slimmed-down variant of NSRP that does not support the full NSRP feature set. All of the features discussed so far are available, however, which makes NSRP-Lite a formidable feature in its own right.
The two main things that NSRP-Lite cannot do are an Active/Active setup and synchronization of Run-Time Objects (RTOs). The lack of RTO synchronization means that after a failover, all existing sessions and VPN security associations are lost on the new master and must be re-established by the end hosts and VPN peers. If you are using VPNs with NSRP-Lite, remember to enable VPN monitoring with the rekey option so that the tunnels are brought up again automatically after a failover instead of waiting for interesting traffic.
Since the mid-range NetScreen appliances are targeted at small and medium enterprises (SMEs), we go through example setups suited to that category. We start off with a simple but still fully usable example, followed by a more advanced setup in which we make good use of local interfaces to provide redundant outgoing paths.
| Note | By default, the NetScreen firewalls do not inspect TCP packets to verify that they are part of an existing TCP session; only source and destination information is matched against the policies. This is very helpful if you have asymmetric routing or are using NSRP-Lite, as it allows sessions to survive asymmetric routing as... |
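The following ScreenOS CLI fragment is an added example, not one of the book's own setups, and it illustrates the two points above: forcing VPN re-establishment after an NSRP-Lite failover, and leaving TCP SYN checking at its default so that existing TCP flows can pick up on the new master. The VPN name `vpn-to-hq`, the interface `ethernet3` and the peer address `10.20.0.1` are assumptions; lines beginning with `#` are commentary rather than commands.

```text
# Added example, not from the original page. Assumed names: VPN "vpn-to-hq",
# outgoing interface ethernet3, remote VPN gateway 10.20.0.1.

# NSRP-Lite does not synchronize RTOs, so the VPN SAs are lost on failover.
# VPN monitoring with "rekey" makes the new master renegotiate the tunnel
# as soon as the monitored peer stops answering, without waiting for traffic.
set vpn vpn-to-hq monitor source-interface ethernet3 destination-ip 10.20.0.1 rekey

# Keep the default (SYN checking off). With tcp-syn-check enabled, non-SYN
# packets that do not match a session are dropped, which would kill every
# TCP connection that was mid-flight when the failover happened.
unset flow tcp-syn-check

# Verification after a failover: the VPN should show as up and an active SA
# should be listed for the peer.
get vpn
get sa
```

The trade-off is explicit: SYN checking is a useful anti-spoofing control, and enabling it on a full NSRP pair with RTO synchronization is usually fine, but on an NSRP-Lite pair it turns every failover into a hard reset of all established TCP sessions.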