Table of Contents

1. Overview

1.1. Features

1.2. System Architecture

2. System Management

2.1. Management Access

2.1.1. Overview

2.1.2. The Local User Database

2.1.3. The CLI

2.1.4. CLI Scripting

2.1.5. Secure Copy

2.1.6. RADIUS Management Authentication

2.1.7. SNMP Monitoring

2.1.8. SNMPv3 Polling

2.2. Date and Time

2.2.1. Overview

2.2.2. Time Servers

2.3. Licensing

2.4. Backup and Restore

2.5. Upgrading Software

2.6. Crashdumps

2.7. Statistics

2.8. Diagnostic Tools

2.8.1. The Ping Command

2.8.2. Dconsole

2.8.3. Pcapdump

2.8.4. The techsupport Command

2.9. Hardware Monitoring

2.9.1. User Hardware Monitoring

2.9.2. System Hardware Monitoring

2.9.3. Sensors for Clavister Products

3. Interfaces

3.1. Ethernet Interfaces

3.2. VLAN

3.3. Service VLANs

3.4. Interface Groups

3.5. Zones

3.6. Security/Transport Equivalence

3.7. Link Aggregation

3.8. GRE Tunnels

3.9. Using Jumbo Frames

4. ARP

4.1. Overview

4.2. The ARP Cache

4.3. Creating ARP Entries

5. IP Address Management

5.1. The Address Book

5.2. Address Types

5.3. Auto-generated Address Objects

5.4. IPv6 Support

5.5. IPv6 With Embedded IPv4

5.6. FQDN Address Objects

6. Routing

6.1. Principles of Routing

6.2. Static Routing

6.3. Route Failover

6.3.1. Overview

6.3.2. Gateway Monitoring

6.3.3. Host Monitoring

6.3.4. Route Monitoring Issues

6.4. Virtual Routing

6.4.1. Overview

6.4.2. A Simple Virtual Routing Scenario

6.4.3. IPsec Virtual Routing

6.4.4. Troubleshooting

6.5. Policy-based Routing

6.6. OSPF

6.6.1. Dynamic Routing

6.6.2. OSPF Concepts

6.6.3. OSPF Configuration Objects

6.6.4. Dynamic Routing Rules

6.6.5. Setting Up OSPF

6.6.6. An OSPF Example

6.6.7. OSPF Troubleshooting

6.7. BGP

6.8. Traceroute

7. IP Rules

7.1. Security Policies

7.2. IP Rule Evaluation

7.3. IP Rule Actions

7.4. Geolocation

8. Services

8.1. Overview

8.2. SCTP

8.2.1. The SCTP Service

8.2.2. Multi-Homing Redundancy

8.2.3. Node Only Routes with Multi-Homing Redundancy

8.3. ICMP

8.4. ServiceIPProto Services

8.5. Service Groups

9. Address Translation

9.1. Overview

9.2. NAT

9.3. NAT Pools

9.4. Deterministic NAT

9.5. SAT

9.5.1. One-to-One Translation (1:1)

9.5.2. Many-to-Many Translation (M:N)

9.5.3. Many-to-One Translation (N:1)

9.5.4. Port Translation with SAT

9.5.5. Combining SAT with NAT in the Same Rule

9.6. Protocols Not Handled by SAT

9.7. NAT64 Address Translation

9.7.1. Stateful NAT64

9.7.2. Stateful NAT64 with DNS64

9.7.3. Stateful NAT64 Hairpinning

9.7.4. Stateless NAT64 (SIIT)

9.8. CGNAT

10. ALGs

10.1. Overview

10.2. FTP ALG

10.3. SIP ALG

10.4. DNS ALG

10.5. Syslog ALG

11. Internet Access

12. DNS

13. IPsec VPN

13.1. Overview

13.1.1. IPsec VPN Usage

13.1.2. IPsec VPN Encryption

13.1.3. IPsec VPN Planning

13.1.4. The SSL VPN Alternative

13.2. IPsec Components

13.2.1. Overview

13.2.2. Internet Key Exchange (IKE)

13.2.3. IKE Authentication

13.2.4. IPsec Protocols (ESP/AH)

13.2.5. Creating and Using Proposal Lists

13.2.6. Pre-shared Keys

13.2.7. Certificates with IPsec

13.2.8. IPsec Tunnels

13.2.9. Manually Keyed IPsec Tunnels

13.3. Setting Up IPsec Tunnels

13.3.1. IPsec LAN to LAN with Pre-shared Keys

13.3.2. IPsec LAN to LAN with Certificates

13.3.3. IKE Config Mode

13.3.4. IPsec Roaming Clients

13.4. NAT Traversal

13.5. DiffServ with IPsec

13.6. IPsec Troubleshooting

13.6.1. General Troubleshooting

13.6.2. Troubleshooting Certificate Problems

13.6.3. IPsec Troubleshooting Commands

13.6.4. Using ike -snoop

13.6.5. Management Interface Failure with VPN

13.6.6. Specific Error Messages

13.6.7. Specific Symptoms

14. SSL VPN

15. SSL Inspection

16. Certificate Management

16.1. Configuring Certificates

16.2. CA Server Access

16.3. CRL Distribution Point Lists

16.4. Management with CMP

17. Authentication

17.1. Authentication Profiles

17.2. RADIUS Authentication

17.3. The radiussnoop Command

17.4. Multi-Factor Authentication

18. Access Rules

18.1. Overview

18.2. Creating Access Rules

19. GTP Inspection

20. Events and Logging

20.1. Overview

20.2. Using the log Command

20.3. Logging to Syslog Servers

20.4. Filtering Log Messages

20.5. SNMP Traps

21. DHCP

21.1. Overview

21.2. DHCP Servers

21.2.1. Defining DHCP Servers

21.2.2. Static DHCP Hosts

21.2.3. DHCP Server Custom Options

21.2.4. DHCP Server Advanced Settings

21.3. DHCP Client

22. High Availability

22.1. Overview

22.2. HA Mechanisms

22.3. Setting Up HA

22.3.1. Configuring Monitor Targets

22.3.2. Activating HA and Verifying Synchronization

22.4. Upgrading an HA Cluster

22.5. HA Issues

23. Traffic Shaping

23.1. Overview

23.1.1. Traffic Shaping Objectives

23.1.2. Traffic Shaping Implementation

23.2. Use Case Examples

23.2.1. Simple Bandwidth Limiting

23.2.2. Limiting Bandwidth in Both Directions

23.2.3. Creating Differentiated Limits Using Chains

23.3. Using Precedences

23.4. Grouping Users

23.5. Summary

23.5.1. Traffic Shaping Principles

23.5.2. Setup Recommendations

24. Threshold Rules

25. Black/Whitelists

25.1. Blacklisting

25.2. Whitelisting

26. Application Control

27. IPS

27.1. Overview

27.2. Setting Up IPS

27.3. IPS Signature Management

27.4. Snort File Usage

27.5. Best Practice Deployment

28. Advanced Settings

28.1. Flow Timeout Settings

28.2. Length Limit Settings

28.3. Fragmentation Settings

28.4. Local Fragment Reassembly Settings

28.5. Path MTU Discovery