Comparing and Contrasting Check Point NGX with Juniper ScreenOS Firewalls
Yasushi Kono (ComputerLinks Frankfurt)

Agenda
• The Magic Quadrants of the Gartner Group
• The fundamental architecture of Juniper ScreenOS
• Configuration of Zone, Interfaces, Policies
• The features of ScreenOS compared to Check Point
• Conclusion

• Ability to Execute:
  – Product/Service
  – Overall Viability
  – Sales Execution/Pricing
  – Market Responsiveness
  – Market Execution
  – Customer Experience

• Completeness of Vision:
  – Market Understanding
  – Marketing Strategy
  – Sales Strategy
  – Business Model
  – Innovation
  – Geographic Strategy

Now, let's have a look at the Fundamentals of the Juniper ScreenOS Architecture:

• The Framework Configuration:
  » Virtual Router
  » Security Zone
  » Interface
  » IP Address

Of course, you will have multiple
• IP Addresses,
• Interfaces,
• Security Zones
within a Juniper Netscreen Security Device…

• The Framework Configuration:
  » Virtual Router
  » Security Zones
  » Interfaces
  » IP Addresses

The virtual router acts as a parent container which holds the elements of the hierarchical structure.
The next layer consists of the so-called Security Zone.
The purpose of that Security Zone is to configure Security Policies based on the Security Zone as Source Zone and Destination Zone, respectively.
The Security Zone holds the Interface(s).
Finally, you can configure the IP address on that interface.

The Configuration Order is crucial in ScreenOS.
• First, create one or more Security Zones on top of the existing Virtual Router (namely trust-vr).
This can be easily done via the CLI of the Security Device:
    set zone name sales
    set zone name internet

Then, you have to associate Interfaces to these Security Zones:
    set interface eth0 zone sales
    set interface eth1 zone internet

And now, you can bind IP addresses to Interfaces:
    set interface eth0 ip 10.20.30.1/24
    set interface eth1 dhcp client enable
or
    set interface eth1 ip 195.1.1.1/24

• Then, you have to configure your Default Gateway:
    set vrouter trust-vr route 0.0.0.0/0 gateway 195.1.1.254

• Now, you are ready to configure a Security Policy…

• A Security Policy regulates the traffic between zones:
    set policy from sales to internet any any any permit
Should you need Dynamic NAT:
    set pol from sales to internet any any any nat src permit

• Should you miss granularity:
    set address sales PC_Sales01 10.1.1.20/32
    set policy from sales to internet PC_Sales01 any dns nat src permit log
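
An added example, not part of the original slides: a small Python check that replays the configuration order described above (zone, then interface binding, then IP address, then policy) over a constructed command list, and also flags permit policies that are `any any any` or lack `log`. The list of predefined zones and the finding names are assumptions of this sketch; only the command forms shown on the slides are parsed.

```python
import re

# Zones assumed to exist without a "set zone name" line (an assumption of this sketch).
PREDEFINED_ZONES = {"trust", "untrust", "dmz", "global", "ha", "mgt"}

ZONE_RE = re.compile(r"^set zone name (\S+)$")
BIND_RE = re.compile(r"^set int(?:erface)? (\S+) (?:tag \d+ )?zone (\S+)$")
ADDR_IF_RE = re.compile(r"^set int(?:erface)? (\S+) (?:ip \S+|dhcp client enable)$")
BOOK_RE = re.compile(r"^set address (\S+) (\S+) \S+$")
POLICY_RE = re.compile(
    r"^set pol(?:icy)? from (\S+) to (\S+) (\S+) (\S+) (\S+)"
    r"(?: nat src)? (?P<action>permit|deny)(?P<log> log)?$")

# Constructed sample: the slides' commands, with eth1 deliberately configured out of order.
SAMPLE = """\
set zone name sales
set interface eth0 zone sales
set interface eth0 ip 10.20.30.1/24
set interface eth1 ip 195.1.1.1/24
set interface eth1 zone internet
set zone name internet
set vrouter trust-vr route 0.0.0.0/0 gateway 195.1.1.254
set address sales PC_Sales01 10.1.1.20/32
set policy from sales to internet any any any permit
set pol from sales to internet PC_Sales01 any dns nat src permit log
"""


def audit(config):
    """Return (line_no, code, detail) findings for a ScreenOS-style command list."""
    zones = set(PREDEFINED_ZONES)   # zones known so far
    bound = set()                   # interfaces already bound to a zone
    book = {}                       # zone -> address-book names defined in it
    findings = []
    for no, raw in enumerate(config.splitlines(), 1):
        line = " ".join(raw.split())          # normalise whitespace
        if (m := ZONE_RE.match(line)):
            zones.add(m.group(1).lower())
        elif (m := BIND_RE.match(line)):
            iface, zone = m.group(1), m.group(2).lower()
            if zone not in zones:
                findings.append((no, "zone-undefined",
                                 f"{iface} bound to zone '{zone}' before it exists"))
            bound.add(iface)
        elif (m := ADDR_IF_RE.match(line)):
            if m.group(1) not in bound:
                findings.append((no, "ip-before-zone",
                                 f"{m.group(1)} addressed before zone binding"))
        elif (m := BOOK_RE.match(line)):
            book.setdefault(m.group(1).lower(), set()).add(m.group(2))
        elif (m := POLICY_RE.match(line)):
            src_zone, dst_zone, src, dst, svc = m.group(1, 2, 3, 4, 5)
            # Source address lives in the source zone's book, destination likewise.
            for zone, addr in ((src_zone.lower(), src), (dst_zone.lower(), dst)):
                if zone not in zones:
                    findings.append((no, "zone-undefined",
                                     f"policy uses unknown zone '{zone}'"))
                if addr.lower() != "any" and addr not in book.get(zone, ()):
                    findings.append((no, "address-undefined",
                                     f"'{addr}' not in address book of '{zone}'"))
            if m.group("action") == "permit":
                if [src.lower(), dst.lower(), svc.lower()] == ["any"] * 3:
                    findings.append((no, "any-any-any",
                                     f"{src_zone} -> {dst_zone} permits everything"))
                if not m.group("log"):
                    findings.append((no, "no-log", "permit policy without logging"))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in audit(SAMPLE):
        print(f"line {line_no}: {code}: {detail}")
```

Lines the check does not recognise, such as the `set vrouter` route, are skipped rather than reported.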

How to manage Security in ScreenOS?

There are three ways of managing a ScreenOS infrastructure:
• Configuration via CLI
• Configuration via WebUI
• Configuration via NSM (Network and Security Manager)

Benefits of Configuring via CLI:
• Easy to understand
• You can prepare the commands with an editor and paste them into your production environment
• No need of MS Internet Explorer

Benefits of Configuring via WebUI:
• No need to memorize CLI commands
• Intuitive
• Some people love to use Internet Explorer

Benefits of Configuring via NSM:
• Manage multiple Security Devices centrally
• No need to memorize CLI commands
• Analyzing log entries centrally

Possible Drawbacks with CLI
• Management of Security on a per Device Basis
• Analyzing Logging per Device is not appropriate in Enterprise Environments
• You have to memorize lots of commands

Possible Drawbacks with WebUI
• Management of Security on a per Device Basis
• Analyzing Logging per Device is not appropriate in Enterprise Environments
• Some people hate mice!

Possible Drawbacks with NSM
• Limitation of a maximum number of Devices, when using the NSMXpress Appliance!
• Only Red Hat Linux is supported as NSM Host Operating System
• You have to have in-depth Linux expertise
• You still need a mouse!

Introducing some Features offered by Juniper Netscreen:
• Policy-based Routing
• Source-based Routing
• Source-interface based Routing
• Configuring Dynamic Routing Protocols
• Disaster Recovery
• Virtual System (VSYS)
• NSRP (NetScreen Redundancy Protocol)

Policy-Based Routing:
PBR enables you to implement policies that selectively cause packets to take different paths. You use the following building blocks to create a PBR policy:
• Extended Access List
• Match Group
• Action Group

Extended Access List:
Lists the match criteria you define for PBR policies. Match criteria include:
• Source IP
• Destination IP
• Source Port
• Destination Port
• Protocol
• QoS Priority

Match Group:
Match Groups provide a way to organize extended access lists. It associates an extended ACL ID number with a unique match group name and a match-group ID number.

Action Group:
An Action Group specifies the route that you want a packet to take. You specify the action for the route by defining the next interface, the next hop, or both.

PBR Policy:
After configuring the Extended Access List, the Match Group, and the Action Group, you have to configure the PBR Policy which is done within the virtual router context.
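
An added illustration, not from the slides or from Juniper: a Python model of how the three building blocks relate, useful when reviewing which flows a PBR policy diverts from the default route. First-match ordering, fall-through to the normal route table when nothing matches, and all names and addresses other than 10.20.30.0/24 are assumptions of the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    """One extended access list entry; a field left as None is not checked."""
    src: Optional[str] = None          # source network (CIDR)
    dst: Optional[str] = None          # destination network (CIDR)
    dst_ports: Optional[range] = None  # destination port range
    protocol: Optional[str] = None     # "tcp", "udp", ...

    def matches(self, pkt):
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.dst_ports is not None and pkt["dport"] not in self.dst_ports:
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        return True


@dataclass(frozen=True)
class Action:
    """Action group: next interface, next hop, or both."""
    next_interface: Optional[str] = None
    next_hop: Optional[str] = None


# Constructed sample data (hypothetical names, IDs and next hop).
EXT_ACLS = {10: [AclEntry(src="10.20.30.0/24", dst_ports=range(80, 81), protocol="tcp")]}
MATCH_GROUPS = {"sales_web": [10]}                       # match group -> extended ACL IDs
ACTION_GROUPS = {"via_proxy": Action("eth2", "10.20.40.2")}
PBR_POLICY = [("sales_web", "via_proxy")]                # ordered (match group, action group)


def pbr_lookup(pkt, policy=PBR_POLICY):
    """Return the Action of the first matching pair, or None to use normal routing."""
    for match_group, action_group in policy:
        for acl_id in MATCH_GROUPS[match_group]:
            if any(entry.matches(pkt) for entry in EXT_ACLS[acl_id]):
                return ACTION_GROUPS[action_group]
    return None


if __name__ == "__main__":
    web = {"src": "10.20.30.15", "dst": "198.51.100.7", "dport": 80, "proto": "tcp"}
    tls = dict(web, dport=443)
    print(pbr_lookup(web))   # diverted by the PBR policy
    print(pbr_lookup(tls))   # None: falls through to the route table
```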

Source-Based Routing:
With Source-Based Routing, you are able to specify the route to a destination based on the Source IP of the client.

Source Interface-based Routing:
With Source Interface-Based Routing, you are able to specify the route to a destination based on the Ingress Interface of the Security Device used by a client.

Dynamic Routing:
On a Juniper Netscreen Security Device, you can use Dynamic Routing Protocols without the necessity of configuring VPN or VTIs. It is much easier to configure OSPF as the routing protocol (a matter of minutes).

Sample OSPF Configuration:
    Juniper-> set vrouter trust-vr
    Juniper(trust-vr)-> set router-id 172.23.103.11
    Juniper(trust-vr)-> set protocol ospf
    Juniper(trust-vr/ospf)-> set enable
    Juniper(trust-vr/ospf)-> set area 10.0.0.0
    Juniper(trust-vr/ospf)-> exit
    Juniper(trust-vr)-> exit
    Juniper-> set interface eth0 protocol ospf area 0.0.0.0
    Juniper-> set interface eth0 protocol ospf enable
    Juniper-> set interface bgroup0 protocol ospf area 10.0.0.0
    Juniper-> set interface bgroup0 protocol ospf enable

Disaster Recovery:
On some of the Juniper Security Devices, you can save the running configuration to a USB stick.
    save config from flash to usb juniperconfig.txt
Should you run into trouble, just plug in the USB stick and copy the configuration back to the device.
    save config from usb to flash juniperconfig.txt
On other devices (without USB support) use a TFTP server instead.
    save config from flash to tftp 10.20.30.1 juniperconfig.txt
Per CLI, you can also copy and paste a saved configuration from your editor to the Terminal window.

So, Disaster Recovery is a matter of seconds rather than minutes.

Virtual Systems (VSYS)
The high-end security devices in the ScreenOS family provide the ability to create Virtual Systems.
A Virtual System is a logical instance of a security device with its own routing table, administrators, zones, policies, and VPN.

How to configure a VSYS?
    root-> set vsys sales
    root(sales)-> set admin name salesadmin
    root(sales)-> set admin password juniper1
    root(sales)-> set zone name sales
    root(sales)-> set int eth2.11 tag 11 zone sales
    root(sales)-> set vrouter trust-vr route 10.51.1.0/24 vr sales-vr
    root(sales)-> set address sales webserver 10.51.1.22/32
    root(sales)-> set pol from untrust to sales any webserver http permit log
    root(sales)-> set pol from sales to untrust any any any nat src permit log
    root(sales)-> save config
    root(sales)-> exit

Basically, to configure a VSYS you will use the commands used for configuring non-VSYS systems!
It is that easy!
No need to configure virtual switches or virtual routers.
"What in the hell are Warp Interfaces???"

NSRP (NetScreen Redundancy Protocol)
• Juniper's HA Solution for Gateway High Availability.
• Quite similar in functionality to Nokia VRRP.
• Difference: No unique IP addresses to be configured on cluster interfaces.
• No IP addresses assigned to Sync Interface
• Only two nodes supported per Cluster!

NSRP Configuration Example:
1. Setting up the HA Link:
    set interface eth2 zone ha
2. Configuring Cluster Settings:
    set nsrp cluster id 0
    set nsrp cluster name ISG_HA
    set nsrp arp 4
3. Setting Interfaces for Monitoring:
    set nsrp monitor interface eth0
    set nsrp monitor interface bgroup0
4. Adjusting VSD Settings:
    set nsrp vsd id 0 priority 80
    set nsrp vsd id 0 preempt
    set nsrp vsd id 0 preempt hold-down 5
5. Enabling RTO Synchronization:
    set nsrp rto-mirror sync

Conclusion
Some features (Policy-based Routing, Source-based Routing, Interface-based Routing, …) are offered by Juniper without counterpart at Check Point.
It is easy to get started with Juniper and you can immediately configure interfaces, security zones, routing, address book entries and security policies.
It is easy to configure VSYS since you are not forced to learn new commands.

Some Features of Check Point on the other hand:
You can use IKE Main Mode with VPN Clients with Dynamic IP Addresses.
The Check Point SecureClient is the better solution compared to Juniper's Netscreen Remote Client (more features, more security, more usability)!
SMART is smart!
With SmartView Tracker, you can see the log information of the whole Enterprise at a glance!
With SmartView Monitor, you can see all Status information of all firewalls within your infrastructure at a glance!
With SmartUpdate, you can manage licenses centrally!

Some Features of Check Point on the other hand (cont.):
Before Check Point compiles the Rule Base, it performs a syntax check!
ClusterXL, Nokia IP Clustering or Nokia VRRP supports more than two cluster nodes!

So, who is the winner of the Enterprise Firewall Functionality Contest?

No Winner!

Any Questions?

Thanks a lot for your attention!
Should you have questions:
[email protected]@computerlinks.de