NetScreen ScreenOS Migration Guide

ScreenOS 5.2.0

P/N 093-1595-000

Rev B


Copyright Notice

Copyright © 2005 Juniper Networks, Inc. All rights reserved.

Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, NetScreen-Global Pro, ScreenOS, and GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries. NetScreen-5GT, NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-5200, NetScreen-5400, NetScreen-IDP 10, NetScreen-IDP 100, NetScreen-IDP 500, NetScreen-IDP 1000, IDP 50, IDP 200, IDP 600, IDP 1100, ISG 1000, ISG 2000, NetScreen-Global Pro Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, GigaScreen ASIC, and GigaScreen-II ASIC are trademarks of Juniper Networks, Inc. All other trademarks and registered trademarks are the property of their respective companies.

Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from:

Juniper Networks, Inc.

ATTN: General Counsel

1194 N. Mathilda Ave.

Sunnyvale, CA 94089-1206

FCC Statement

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to

cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Disclaimer

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.


Contents

Preface ................................................................ 3
    Organization ........................................................ 4
    Conventions ......................................................... 5
        WebUI Navigation Conventions .................................... 5
        CLI Conventions ................................................. 8
    NetScreen Publications .............................................. 8

New Features in ScreenOS 5.2.0 .......................................... 1
    ADSL Support ........................................................ 2
    Attack Protection ................................................... 2
    Authentication ...................................................... 3
    Logging ............................................................. 4
    NetScreen-Hardware Security Client .................................. 4
    QoS ................................................................. 4
    Routing ............................................................. 5
    Services ............................................................ 5
    VPNs ................................................................ 6
    Anti-Virus Enhancements ............................................. 6
    Web Filtering ....................................................... 7
    Multicast IGMP Capacity ............................................. 7
    VLAN Capacity ....................................................... 8
    Traffic Shaping ..................................................... 8

Upgrading and Downgrading Firmware ...................................... 9
    Requirements to Upgrade and Downgrade Device Firmware .............. 10
    Special Boot-ROM or Boot-Loader Requirements ....................... 11
        NetScreen-500 Boot-ROM ......................................... 11
        ISG 2000 Boot Loader ........................................... 11
        NetScreen-Security Manager Server Connection ................... 13
    Downloading the New Firmware ....................................... 13
        Uploading New Firmware ......................................... 16
    Upgrading and Downgrading the NetScreen-500 ........................ 20
        Downgrading the NetScreen-500 .................................. 21
    Upgrading the NetScreen-ISG 2000 OS Loader ......................... 22
    Upgrading NetScreen Devices in an NSRP Configuration ............... 24
        Upgrading Devices in an NSRP Active/Passive Configuration ...... 24
        Upgrading Devices in an NSRP Active/Active Configuration ....... 29
    Upgrading from ScreenOS 4.0.1-Multicast to ScreenOS 5.2.0 .......... 35

Changes in ScreenOS .................................................... 37
    BGP ................................................................ 38
    High Availability .................................................. 39
    Sessions ........................................................... 39
    New, Modified and Deleted CLI Commands ............................. 40
        New Commands ................................................... 40
        Modified Commands .............................................. 40
        Deleted Commands ............................................... 40

Juniper Networks NetScreen ScreenOS Migration Guide 1


Preface

The purpose of this document is to guide you through the upgrade or the downgrade of a NetScreen device, and provide you with information on new features and changes in functionality between ScreenOS 5.1.0 and ScreenOS 5.2.0.

For more information about ScreenOS features and CLI commands, refer to the following documents:

• NetScreen Concepts & Examples ScreenOS Reference Guide

• NetScreen CLI Reference Guide


ORGANIZATION

The guide is organized into the following sections:

• Preface – The Preface explains the purpose of this book, its organization, and the terminology conventions used in all NetScreen documentation.

• New Features in ScreenOS 5.2.0 – This chapter provides brief descriptions of all the new features in ScreenOS 5.2.0.

• Upgrading and Downgrading Firmware – If you are upgrading a NetScreen device from a firmware version that is earlier than ScreenOS 5.0.0, you must upgrade the firmware to ScreenOS 5.0.0 before upgrading it to ScreenOS 5.1.0 or ScreenOS 5.2.0. This chapter provides step-by-step procedures to upgrade a NetScreen device, and also to downgrade from ScreenOS 5.2.0 to ScreenOS 5.0.0.

• Changes in ScreenOS – This chapter describes the functionality changes between ScreenOS 5.1.0 and ScreenOS 5.2.0.


CONVENTIONS

This book presents two management methods for configuring a NetScreen device: the Web user interface (WebUI) and the command line interface (CLI). The conventions used for both are introduced below.

WebUI Navigation Conventions

Throughout this book, a chevron ( > ) is used to indicate navigation through the WebUI by clicking menu options and links. For example, the path to the address configuration dialog box is presented as Objects > Addresses > List > New. This navigational sequence is shown below.


1. Click Objects in the menu column. The Objects menu option expands to reveal a subset of options for Objects.

2. (Applet menu) Hover the mouse over Addresses. (DHTML menu) Click Addresses. The Addresses option expands to reveal a subset of options for Addresses.

3. Click List. The address book table appears.

4. Click the New link. The new address configuration dialog box appears.

To perform a task with the WebUI, you must first navigate to the appropriate dialog box where you can then define objects and set parameters. The set of instructions for each task is divided into two parts: a navigational path and configuration details. For example, the following set of instructions includes the path to the address configuration dialog box and the settings for you to configure:


Objects > Addresses > List > New: Enter the following, and then click OK:

    Address Name: addr_1
    IP Address/Domain Name:
        IP/Netmask: (select), 10.2.2.5/32
    Zone: Untrust

Note: Because there are no instructions for the Comment field, leave it as it is.


CLI CONVENTIONS

The following conventions are used when presenting the syntax of a command line interface (CLI) command:

• Anything inside square brackets [ ] is optional.

• Anything inside braces { } is required.

• If there is more than one choice, each choice is separated by a pipe ( | ). For example,

set interface { ethernet1 | ethernet2 | ethernet3 } manage

means “set the management options for the ethernet1, ethernet2, or ethernet3 interface”.

• Variables appear in italic. For example:

set admin user name password

When a CLI command appears within the context of a sentence, it is in bold (except for variables, which are always in italic ). For example: “Use the get system command to display the serial number of a NetScreen device.”

Note: When typing a keyword, you only have to type enough letters to identify the word uniquely. For example, typing set adm u joe j12fmt54 is enough to enter the command set admin user joe j12fmt54. Although you can use this shortcut when entering commands, all the commands documented here are presented in their entirety.

NETSCREEN PUBLICATIONS

To obtain technical documentation for any Juniper Networks NetScreen product, visit www.juniper.net/techpubs/.

For technical support, open a support case using the Case Manager link at http://www.juniper.net/support/ or call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the United States).

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]


Chapter 1

New Features in ScreenOS 5.2.0

This chapter provides brief descriptions of all the new features introduced in this Beta release of ScreenOS 5.2.0. For detailed information on each feature, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide and the NetScreen CLI Reference Guide.

This chapter is organized into the following sections:

• “ADSL Support” on page 2

• “Attack Protection” on page 2

• “Authentication” on page 3

• “Logging” on page 4

• “NetScreen-Hardware Security Client” on page 4

• “QoS” on page 4

• “Routing” on page 5

• “Services” on page 5

• “VPNs” on page 6

• “Web Filtering” on page 7

• “Multicast IGMP Capacity” on page 7

• “VLAN Capacity” on page 8


ADSL SUPPORT

Asymmetric Digital Subscriber Line (ADSL) is a Digital Subscriber Line (DSL) technology that allows existing telephone lines to carry both voice telephone service and high-speed digital transmission. The Juniper Networks NetScreen-5GT ADSL device provides IPSec VPN and firewall services through ADSL. The NetScreen-5GT ADSL device uses the same firewall, VPN, and traffic management technology as NetScreen’s high-end central site products.

ATTACK PROTECTION

Brute Force Attack Mitigation – A brute force attack occurs when an attacker tries to bypass a login check by sending a systematic barrage of username/password combinations in the hope that at least one attempt succeeds, or sends a systematic barrage of HTTP GETs to a large number of IP addresses or URLs in the hope of discovering one or more unprotected network resources. You can configure the NetScreen device to use Deep Inspection (DI) to perform a specific action (called an “IP action”) on traffic matching a set of parameters (called a “target”) for a limited period of time (the “timeout”). The device does this whenever the DI module detects a brute force attack. You define brute force attack settings per attack object group, per policy.
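The mechanism described above (count attempts against a target, and when a threshold is reached apply an IP action to that target for a timeout) as a worked detection example in Python over a few constructed log lines. This is an added example, not ScreenOS code or its DI engine; the log line format, the field names src/dst/dport/result, and the threshold, window and timeout values are assumptions chosen for illustration.

```python
"""Brute-force login mitigation in the style of the DI "IP action" above.

Added example, not code from the ScreenOS guide or its DI engine. The log
line format, the field names (src, dst, dport, result) and the threshold,
window and timeout values are assumptions chosen for illustration.
"""
import re
from collections import defaultdict, deque

# Constructed sample log lines (not real device output): one source fails
# five times in a row, then a different source tries once, then the first
# source returns after its block has expired.
SAMPLE_LOG = """\
t=100 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
t=101 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
t=102 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
t=103 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
t=104 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
t=105 src=203.0.113.5 dst=10.1.1.10 dport=22 result=ok
t=106 src=192.0.2.9 dst=10.1.1.10 dport=22 result=fail
t=170 src=203.0.113.5 dst=10.1.1.10 dport=22 result=fail
""".splitlines()

LOG_RE = re.compile(
    r"t=(?P<t>\d+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) result=(?P<result>\w+)"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["t"] = int(ev["t"])
    ev["dport"] = int(ev["dport"])
    return ev


class BruteForceDetector:
    """Count failed attempts per target inside a sliding window; when the
    threshold is reached, apply an IP action (here: drop) to that target for
    `timeout` seconds. `target` names the fields that identify a target,
    e.g. ("src",) or ("src", "dst", "dport")."""

    def __init__(self, threshold=5, window=60, timeout=60, target=("src",)):
        self.threshold = threshold
        self.window = window
        self.timeout = timeout
        self.target = tuple(target)
        self.failures = defaultdict(deque)  # target key -> timestamps of failures
        self.blocked = {}                   # target key -> time the IP action expires

    def _key(self, ev):
        return tuple(ev[f] for f in self.target)

    def observe(self, ev):
        """Return "drop" while the target is under an IP action, "block" on the
        event that triggers a new action, otherwise "pass"."""
        key = self._key(ev)
        expiry = self.blocked.get(key)
        if expiry is not None:
            if ev["t"] < expiry:
                return "drop"
            del self.blocked[key]            # timeout elapsed: lift the action
        if ev["result"] != "fail":
            return "pass"
        q = self.failures[key]
        q.append(ev["t"])
        while q and q[0] <= ev["t"] - self.window:
            q.popleft()                      # forget failures outside the window
        if len(q) >= self.threshold:
            self.blocked[key] = ev["t"] + self.timeout
            q.clear()
            return "block"
        return "pass"


def run(lines, **config):
    """Feed log lines through a detector and return the verdict for each parsed line."""
    det = BruteForceDetector(**config)
    return [det.observe(ev) for ev in map(parse_line, lines) if ev]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print(f"{verdict:5s}  {line}")
```

With the defaults (five failures in 60 seconds, 60-second action keyed on the source address) the fifth failure at t=104 triggers the block, the successful login at t=105 from the same source is still dropped because the action is applied to the target rather than to the outcome, and the same source passes again at t=170 after the timeout has elapsed. Widening `target` to ("src", "dst", "dport") scopes the action to one service instead of the whole source.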

CPU Protection – CPU protection thresholds prevent excessive traffic to the flow CPU, thus preventing CPU overload. This feature adds another layer of protection to the device, similar to the SYN-cookie and SYN-proxy screens. In effect, it prevents DoS attacks from overwhelming the flow CPU, and keeps the CPU responsive to critical tasks even under heavy traffic.

CPU protection processes three categories of traffic:

– Packets that are not IP.

– IP packets whose payload is neither TCP nor UDP.

– System-critical IP packets, which include BGP, OSPF, RIP, SNMP, system management, SIP, and H.323 traffic.

DI Attack Object Pattern Obfuscation – Some predefined attack object patterns based on Microsoft programs are purposefully not viewable.


SYN Cookie – This feature protects the NetScreen device from SYN flood attacks by verifying the legitimacy of a SYN packet before setting up a session and forwarding the SYN on to the server. It determines the validity of a SYN packet by responding to the requester with a SYN-ACK whose initial sequence number is a cryptographic cookie, then discards the original SYN packet and the cookie from memory. If there is no response to the packet containing the cookie, the attempt is treated as part of an active SYN attack and is effectively stopped. Because no state is kept for the half-open connection, no system resources are consumed. If the initiator responds with a TCP packet whose acknowledgment number is the cookie + 1, the NetScreen device recomputes the cookie to verify it, sets up a session, and forwards the packet to the server.
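The handshake described above as a worked example in Python: the cookie is issued without storing anything, and the final ACK is validated by recomputing it. This is an added example, not ScreenOS code; the page does not document ScreenOS’s cookie layout, so the construction used here (an HMAC over the connection 4-tuple and a coarse time bucket, truncated to 32 bits, with the bucket parity in the low bit) and the 64-second bucket are assumptions.

```python
"""SYN-cookie handshake validation as described for the SYN Cookie screen.

Added example, not ScreenOS code. ScreenOS's cookie construction is not
documented on the page; the layout used here (an HMAC over the connection
4-tuple and a coarse time bucket, truncated to 32 bits, with the bucket
parity in the low bit) is an assumption that shows the property the text
relies on: the cookie can be verified later without storing anything.
"""
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # per-device secret; a real device rotates it
BUCKET = 64                       # seconds per time bucket (assumed value)
MASK32 = 0xFFFFFFFF


def _bucket(now):
    return int((time.time() if now is None else now) // BUCKET)


def _cookie_for(src_ip, src_port, dst_ip, dst_port, bucket):
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{bucket}".encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()[:4]
    # 31 bits of keyed hash plus the bucket parity in the low bit
    return (int.from_bytes(tag, "big") & 0xFFFFFFFE) | (bucket & 1)


def make_cookie(src_ip, src_port, dst_ip, dst_port, now=None):
    """Initial sequence number for the SYN-ACK. Nothing is stored per SYN."""
    return _cookie_for(src_ip, src_port, dst_ip, dst_port, _bucket(now))


def check_ack(src_ip, src_port, dst_ip, dst_port, ack_num, now=None):
    """True iff ack_num == cookie + 1 for a cookie issued in the current or
    previous bucket. Only then does the device create a session."""
    cookie = (ack_num - 1) & MASK32
    b = _bucket(now)
    for candidate in (b, b - 1):
        if (candidate & 1) != (cookie & 1):
            continue
        expected = _cookie_for(src_ip, src_port, dst_ip, dst_port, candidate)
        if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
            return True
    return False


class SynProxy:
    """Minimal stand-in for the device in front of a protected server."""

    def __init__(self, dst_ip="10.1.1.10", dst_port=80):
        self.dst = (dst_ip, dst_port)
        self.sessions = set()  # only fully verified handshakes end up here

    def on_syn(self, src_ip, src_port, now=None):
        # Answer with a SYN-ACK whose ISN is the cookie and keep no state,
        # so a flood of spoofed SYNs costs no memory.
        return make_cookie(src_ip, src_port, *self.dst, now=now)

    def on_ack(self, src_ip, src_port, ack_num, now=None):
        if check_ack(src_ip, src_port, *self.dst, ack_num, now=now):
            self.sessions.add((src_ip, src_port))
            return True
        return False


def demo(now=1_700_000_000):
    """Constructed scenario: a spoofed SYN flood that never completes, then
    one legitimate client. Returns (sessions after flood, sessions after client)."""
    proxy = SynProxy()
    for i in range(1000):
        proxy.on_syn(f"198.51.100.{i % 256}", 1024 + i, now=now)
    after_flood = len(proxy.sessions)
    isn = proxy.on_syn("192.0.2.7", 40000, now=now)
    proxy.on_ack("192.0.2.7", 40000, (isn + 1) & MASK32, now=now + 1)
    return after_flood, len(proxy.sessions)
```

Two properties matter for the screen to work as described: the cookie must be unforgeable without the device secret (hence the keyed hash over the 4-tuple), and it must expire, so that an ACK replayed much later does not open a session; the time bucket handles the second without any per-SYN state.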

Zone-Based IP Spoofing Detection – This feature instructs the NetScreen device to base spoofing decisions on zones, instead of on individual interfaces. Enabling this setting allows sessions to continue when the device asymmetrically routes traffic between multiple interfaces in the same zone. Thus, the user can specify spoofing decisions based on either the zone or an exact interface. Note: The default behavior is to base spoofing decisions on individual interfaces. This default behavior is not changed from the previous release.

AUTHENTICATION

RADIUS Accounting – This feature allows any organization that owns or controls a RADIUS server to track RADIUS session information for billing, monitoring, or other purposes. For example, a RADIUS server might need to record information about when authorized sessions begin, when they end, the number of bytes or packets exchanged during each session, and so on. Such tracking is generally referred to as RADIUS accounting. Each RADIUS accounting session begins when the RADIUS server receives an Accounting-Start message, and ends when it receives an Accounting-Stop message.

RADIUS accounting allows the device to monitor and manage authorized sessions. For example, a device might clear out zombie sessions when it receives an Accounting-Stop message from an external RADIUS client. This could prevent misuse of wireless calls if a subsequent user gets a previous user’s assigned IP address, and attempts to use the previous user's session.

Authentication Server Failover – This feature specifies the interval (expressed in seconds) that must pass after an authentication attempt, before the device attempts authentication through backup authentication servers. When an authentication request sent to a primary server fails, the NetScreen device tries the backup servers. If authentication via a backup server is successful, and the revert-interval time interval has elapsed, the device sends subsequent authentication requests to the backup server. Otherwise, it resumes sending the requests to the primary server. The range is 0 seconds (disabled) to 86400 seconds. This feature applies to RADIUS and LDAP servers only.


Authentication Server User Name Character Stripping – This feature specifies a domain name for a particular auth server, or a portion of a username from which to strip characters. If you specify a domain name for the auth server, it must be present in the username during authentication.

You can specify a separator character to identify where the device strips characters from the domain name. Stripping removes all characters to the right of each instance of the specified character, plus the character itself. The device starts with the right most separator character. If the specified number of separator characters exceeds the actual number of separator characters in the username, the command stops stripping at the last available separator character. Note that the device performs domain-name matching before performing character stripping.
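The stripping rules just described as a worked example in Python, so the order of operations (domain match first, then right-to-left stripping that stops at the last available separator) can be checked against concrete user names. This is an added example, not ScreenOS code; the function signature, case-insensitive domain matching, and returning None for a user name that lacks the required domain are assumptions, and the sample user names are constructed.

```python
"""User name domain matching and separator stripping, as described above.

Added example, not ScreenOS code. The rules implemented are the ones in the
text: an optional domain that must be present in the user name, a single
separator character, and a count of separators to strip from the right, each
strip removing the separator and everything to its right. The function
signature, case-insensitive domain matching, and returning None for a user
name that lacks the required domain are assumptions.
"""


def strip_username(username, separator=None, count=0, domain=None):
    """Return the name to send to the auth server, or None if a domain is
    configured and does not appear in `username` (matching runs first)."""
    if domain is not None and domain.lower() not in username.lower():
        return None
    if not separator or count <= 0:
        return username
    if len(separator) != 1:
        raise ValueError("separator must be a single character")
    name = username
    for _ in range(count):
        idx = name.rfind(separator)  # start from the right-most separator
        if idx < 0:
            break                    # fewer separators than requested: stop at the last one
        name = name[:idx]            # drop the separator and everything to its right
    return name


# Constructed sample configurations and logins (not from a real device).
CASES = [
    # (username, separator, count, domain, expected result)
    ("alice@corp.example.com",     "@", 1, None,               "alice"),
    ("alice@sub.corp.example.com", ".", 2, None,               "alice@sub.corp"),
    ("alice@corp.example.com",     ".", 5, None,               "alice@corp"),
    ("alice@CORP.example.com",     "@", 1, "corp.example.com", "alice"),
    ("bob@other.example.net",      "@", 1, "corp.example.com", None),
    ("carol",                      "@", 1, None,               "carol"),
]


def run_cases(cases=CASES):
    """Apply each configuration and return (username, result) pairs."""
    return [(u, strip_username(u, sep, n, dom)) for u, sep, n, dom, _ in cases]


if __name__ == "__main__":
    for (u, sep, n, dom, expected), (_, got) in zip(CASES, run_cases()):
        status = "ok" if got == expected else "MISMATCH"
        print(f"{u:28s} sep={sep!r} count={n} domain={dom!s:18s} -> {got!r} ({status})")
```

Note the third case: the count (5) exceeds the number of separators (2), and stripping stops at the last available one rather than failing. Note also that because stripping removes what is to the right of the separator, a separator that precedes the user portion (as in a DOMAIN\user form) would discard the user name, so the separator must be chosen to match how the realm is written.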

LOGGING

Session Logging at Initialization – You can now configure the NetScreen device to log a session when it starts, when it ends (default), or both when a session starts and ends.

NETSCREEN-HARDWARE SECURITY CLIENT

The NetScreen-Hardware Security Client now provides full WebUI support. It also has two versions:

• The 5-user version, which supports up to five users.

• The Plus version, which supports an unrestricted number of users.

QOS

Quality of Service (QoS) Enhancement – This enhancement allows you to set guaranteed bandwidth, maximum bandwidth, priority levels, and DiffServ code point (DSCP) marking when multiple physical interfaces share the same egress zone. With multiple physical interfaces in the egress zone, guaranteed bandwidth and maximum bandwidth are not strictly policy based, but are based on both the policy and the total egress physical-interface bandwidth available.


ROUTINGGateway Tracking – Route activation based on gateway tracking is supported. Previously, routes were tracked by interface; now you have a choice of whether to track a route by interface or by active gateway. Another routing enhancement avoids wandering traffic by automatically adding a 32-bit host or network route to the routing table.

OSPF Enhancements – OSPF now supports demand circuits on P2MP interfaces. You can also limit OSPF retransmit packets per neighbor.

BGP Enhancements – BGP enhancements for this release include:

• AS-PATH support for inbound updates

• Ability to strip community attributes for inbound, outbound, and aggregate route updates

• AS-PATH and community attribute support for redistributed and internal routes

• Increased number of BGP instances (128 for the NS-5000 system and 64 for the ISG 2000 system)

Multicast – The maximum number of IGMP groups is increased to 2,400 on all devices from the NetScreen-200 series and above.

SERVICES

Custom Service Timeouts and Vsys – This feature allows you to create timeout values for custom services defined at the vsys level. It is no longer necessary to define such timeouts at the root system level first. However, any custom timeout can apply to settings made by the vsys administrator or by the root system administrator.

Custom Service Groups – The number of possible custom service groups is now increased on most platforms.

    Juniper Platform (Root)    ScreenOS 5.1    ScreenOS 5.2
    NS-5000                    1024            2048
    ISG 2000                   1024            2048
    NS-500                     1024            2048
    NS-204/208                 256             2048
    NS-50                      256             1000
    NS-25                      256             500
    NS-5GT/5XT/HSC             128             128 (no change)

The service capacities per vsys are as follows.

    Juniper Platform (per vsys)    Pre-ScreenOS 5.1    ScreenOS 5.2
    NS-5000, ISG 2000, NS-500      256                 512

Disable ALG for H.323 – This enhancement allows you to disable the H.323 ALG using the unset alg command. To set or unset the H.323 ALG you must set or unset the H.245, Q.931, and RAS ALGs.

VPNS

Pass-through of IKE and IPSec ESP Packets – This enhancement enables both IKE and IPSec ESP packets to pass through a NetScreen-5GT device in NAT mode. Only tunnel-mode ESP IPSec packets are supported, and both manual-key and auto-key IPSec are supported. The NetScreen device can also act as a VPN termination device and handle IKE/IPSec packets for this purpose.

ANTI-VIRUS ENHANCEMENTS

Protocol and File Type – This enhancement allows you to designate which protocols and which file types not to scan for viruses. This improves throughput, at the cost of scanning coverage for whatever you exclude.


WEB FILTERINGRedirect URL Filtering Enhancement – NetScreen devices with virtual systems that use Websense URL-filtering servers can share all eight Websense URL-filtering servers; not just the server reserved for the root system. Each Websense URL-filtering server can support an unrestricted number of virtual systems, allowing you to balance the traffic load among all eight servers.

Increased Websense Redirection – In the previous release, the NetScreen-5200 supported redirection of 1024 concurrent web-filtering sessions. The limit is now 5120 sessions.

MULTICAST IGMP CAPACITY

Increased IGMP Group Capacity – The following table lists the IGMP group capacities for platforms that run ScreenOS 5.2.

    Juniper Platform    ScreenOS 5.1    ScreenOS 5.2
    NS-5000             4,000           10,000
    ISG 2000            N/A             10,000
    NS-500              1,000           2,500
    NS-208/204          600             1,500
    NS-50               300             750
    NS-25               200             500
    NS-5GT              50              130
    NS-5XT              50              130
    NS-HSC              50              130


VLAN CAPACITYIncreased VLAN Capacity – The number of VLANS allowable on the NetScreen-25 and NetScreen-50 is 16. The previous limit was 8.

TRAFFIC SHAPING

Address Traffic Shaping Limitation – The NetScreen-50 allows disablement of VSD0. When this happens, the device does not allow Active/Active failover.

Loopback Interfaces – Traffic shaping is now supported on Loopback interfaces.


Chapter 2

Upgrading and Downgrading Firmware

If you are upgrading a NetScreen device from a version that is earlier than ScreenOS 5.0.0, you must upgrade it to ScreenOS 5.0.0 first, then to ScreenOS 5.1.0 or ScreenOS 5.2.0. This chapter describes three methods to upgrade a NetScreen device:

• Web User Interface (WebUI)

• Command Line Interface (CLI)

• Boot Loader or ScreenOS Loader

The procedures vary depending on whether you are downloading the firmware on a single device or on devices configured for High Availability.

The section contains the following:

• “Requirements to Upgrade and Downgrade Device Firmware” on page 10

    – “NetScreen-Security Manager Server Connection” on page 13

• “Special Boot-ROM or Boot-Loader Requirements” on page 11

    – “NetScreen-500 Boot-ROM” on page 11

    – “ISG 2000 Boot Loader” on page 11

• “Downloading the New Firmware” on page 13

    – “Uploading New Firmware” on page 16

• “Upgrading and Downgrading the NetScreen-500” on page 20

• “Upgrading the NetScreen-ISG 2000 OS Loader” on page 22

• “Upgrading NetScreen Devices in an NSRP Configuration” on page 24

    – “Upgrading Devices in an NSRP Active/Passive Configuration” on page 24

    – “Upgrading Devices in an NSRP Active/Active Configuration” on page 29

• “Upgrading from ScreenOS 4.0.1-Multicast to ScreenOS 5.2.0” on page 35

Important: Before you begin the process of upgrading a NetScreen device, we strongly recommend that you back up the existing configuration file to avoid losing any data.

Requirements to Upgrade and Downgrade Device Firmware

This section lists what is required to perform the upgrade or the downgrade of NetScreen device firmware. You can use one of three methods to upgrade a NetScreen device or to downgrade a device from ScreenOS 5.2.0 to ScreenOS 5.1.0: the WebUI, the CLI, or the Boot Loader or ScreenOS Loader.

To use the WebUI, you must have:

• Root or read-write privileges to the NetScreen device

• Network access to the NetScreen device from your computer

• An Internet browser installed on your computer

• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved locally on your computer)

To use the CLI, you must have:

• Root or read-write privileges to the NetScreen device

• A console connection or Telnet access to the NetScreen device from your computer (Telnet sends the admin password in clear text across the network; prefer the console, or an SSH session where the device has SSH enabled)

• A TFTP server installed on your computer

• The new ScreenOS firmware (downloaded from the Juniper Networks Web site and saved to the TFTP server directory on your computer)

Note: You can upgrade or downgrade a NetScreen device locally or remotely, but Juniper Networks recommends that you perform the upgrade or downgrade of a NetScreen device at the device location.


To upgrade or downgrade through the boot loader, you must have:

• Root or read-write privileges to the NetScreen device

• A TFTP server installed on your computer or on your local network

• An Ethernet connection from your computer to the NetScreen device (to transfer data, namely from the TFTP server on your computer)

• A console connection from your computer to the NetScreen device (to manage the NetScreen device)

• The new ScreenOS firmware saved to the TFTP server directory on your computer

To upgrade or downgrade a NetScreen device, see the step-by-step procedures in the following sections: “Uploading New Firmware” on page 16 or “Upgrading NetScreen Devices in an NSRP Configuration” on page 24.

Special Boot-ROM or Boot-Loader Requirements

Some devices require an upgrade of the boot-ROM or boot-loader before or during the ScreenOS upgrade.

NetScreen-500 Boot-ROM

Installation of this release on the NetScreen-500 requires the new boot-ROM (ns500.upgrade6M). To install it, you perform the version upgrade twice: the first pass installs the boot-ROM, the second pass installs the new ScreenOS image.

ISG 2000 Boot Loader

Before upgrading the ISG 2000 to the ScreenOS 5.2 release, you must upgrade the OS loader to v1.1.5. You can see the OS loader version scroll by during the bootup process or by entering the get envar command.

1. Download the OS loader from the Juniper Networks support site to the root directory of your TFTP server.

a. Visit www.juniper.net/support and log in.

b. In the Download Software section, click ScreenOS Software.

c. Download the latest OS loader and save it to the root directory of your TFTP server.

2. If necessary, start the TFTP server.


3. Make an Ethernet connection from the device hosting the TFTP server to the MGT port on the ISG 2000 and a serial connection from your workstation to the console port on the ISG 2000.

4. Reboot the ISG 2000 by entering the reset command. When prompted to confirm the command (System reset, are you sure? y/[n]), press the Y key.

5. When you see the following prompt, press the X key, and then the A key:

    NetScreen NS-ISG 2000 BootROM V0.9.0 (Checksum: 8796E2F3)
    Copyright (c) 1997-2004 NetScreen Technologies, Inc.
    Total physical memory: 2048MB
    Test - Pass
    Initialization................ Done
    Hit key 'X' and 'A' sequentially to update OS Loader.

6. Enter the filename for the OS loader software you want to load (for example, load2000v115.d.S), the IP address of the ISG 2000, and the IP address of your TFTP server:

    Serial Number [0079112003000031]: READ ONLY
    BOM Version [C06]: READ ONLY
    Self MAC Address [0010-db58-c900]: READ ONLY
    OS Loader File Name [boot2000v090.ld.S]: load2000v115.d.S
    Self IP Address [10.150.65.152]:
    TFTP IP Address [10.150.65.151]:

7. Press the Enter key, and the file loads:

    Save loader config (112 bytes)... Done
    Loading file "load2000v115.d.S"...
    rtatatatatata ...
    Loaded successfully! (size = 383,222 bytes)
    Ignore image authentication!
    Program OS Loader to on-board flash memory... ++++++++++++++++++++++++Done!
    Start loading..........................Done.

You have completed the upgrade of the OS loader.


NetScreen-Security Manager Server Connection

If the NetScreen device you want to downgrade is connected to a NetScreen-Security Manager 2004 server, then before you downgrade the device, you must first execute the following CLI commands:

    unset nsm enable
    unset nsm init otp
    unset nsm init id
    unset nsm server primary
    delete nsm keys
    save

Failing to execute these commands before downgrading the device results in the device not being able to connect to the NetScreen-Security Manager server the next time you upgrade it to the latest ScreenOS release.

Downloading the New Firmware

Before you begin the upgrade of the NetScreen devices, you must have the most recent ScreenOS firmware. You can obtain the firmware from the Juniper Networks Web site. To access firmware downloads, you must be a registered customer with an active user ID and password. If you have not yet registered your NetScreen product, then you must do so before proceeding. You can register your product on the Juniper Networks Web site.


To get the latest ScreenOS firmware, enter http://www.juniper.net/support in your Web browser. Click Support > Customer Support Center, and then follow these steps:

1. Log in by entering your user ID and password, and then click LOGIN.

2. Under My Technical Assistance Center, click Download Software.

Juniper prepares a list of available downloads.

3. Click Continue.

The File Download page appears.

[Figure: File Download page, showing the product links.]

4. Click the product link for the firmware you want to download.

The Upgrades page appears.


5. Click the link for the ScreenOS version you want to download.

The Upgrades page appears.

6. Click the upgrade link.

The Download File dialog box appears.

7. Click Save and then navigate to the location where you want to save the firmware Zip file.

You must save the firmware onto the computer from which you want to perform the upgrade.

– If you want to upgrade the NetScreen devices using the WebUI, then save the firmware anywhere on the computer.

– If you want to upgrade the NetScreen devices using the CLI, then save the firmware to the root TFTP server directory on the computer. If you do not have a TFTP server installed on your computer, then you can download one from the Internet. If no TFTP server is available, then you must use the WebUI to load the new firmware onto the NetScreen device.


Uploading New Firmware

Following are the procedures to upgrade a single NetScreen device and to downgrade from ScreenOS 5.2.0 to ScreenOS 5.1.0. These procedures are independent of the operating mode of the NetScreen device.

Using the WebUI

Perform the following steps to load firmware with the WebUI:

1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see “Downloading the New Firmware” on page 13.

2. Log in to the NetScreen device by opening a Web browser and then entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the new ScreenOS firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

Note: If you are upgrading a NetScreen device from a firmware version that is earlier than ScreenOS 5.0.0, then you must upgrade the firmware to ScreenOS 5.0.0 before upgrading it to ScreenOS 5.1.0 or ScreenOS 5.2.0. Make sure that you save your existing configuration so previously entered data is not lost when upgrading.


7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade or downgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.

Using the CLI

Perform the following steps to load firmware with the CLI:

1. Make sure that you have the new ScreenOS firmware. For information on obtaining the new firmware, see “Downloading the New Firmware” on page 13.

2. Log in to the NetScreen device using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS firmware.

6. When the upgrade or downgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.

9. Upload the configuration file that you saved in step 3 with the save config to { flash | slot1 | tftp } command.


Using the Boot/OS Loader

The Boot/OS Loader brings up the hardware system, performs basic and sometimes critical hardware configurations, and loads system software used to run a NetScreen device.

Perform the following steps to load firmware with the Boot/OS Loader:

1. Connect your computer to the NetScreen device:

a. Using a serial cable, connect the serial port on your computer to the console port on the NetScreen device. This connection, in combination with a terminal application, enables you to manage the NetScreen device.

b. Using an Ethernet cable, connect the network port on your computer to port 1 or to the management port on the NetScreen device[1]. This connection enables the transfer of data between the computer, the TFTP server, and the NetScreen device.

2. Make sure that you have the new ScreenOS firmware stored in the TFTP server directory on your computer. For information on obtaining the new firmware, see “Downloading the New Firmware” on page 13.

3. Run the TFTP server on your computer by double-clicking on the TFTP server application. You can minimize its window but it must be active in the background.

4. Log in to the NetScreen device using a terminal emulator such as HyperTerminal. Log in as the root admin or an admin with read-write privileges.

5. Reboot the NetScreen device.

6. When you see “Hit any key to run loader” or “Hit any key to load new firmware” on the console display, press any key on your computer keyboard to interrupt the bootup process.

Note: If you do not interrupt the NetScreen device in time, it proceeds to load the firmware saved in flash memory.

Note: On the NetScreen-500, you cannot use this process to save ScreenOS 5.1.0 firmware to flash memory. Use the WebUI or CLI to save ScreenOS 5.1.0 firmware to flash memory.

[1] Which port you connect to depends on the NetScreen device model.


7. At the Boot File Name prompt, enter the file name of the ScreenOS firmware that you want to load. If you type slot1: before the specified file name, then the loader reads the specified file from the external Compact Flash or memory card. If you do not type slot1: before the filename, then the file is instead downloaded from the TFTP server. If the NetScreen device does not support a Compact Flash card, then an error message is displayed and the console prompts you to retype the filename.

8. At the Self IP Address prompt, enter an IP address that is on the same subnet as the TFTP server.

9. At the TFTP IP Address prompt, enter the IP address of the TFTP server.

Note: The Self IP address and TFTP IP address must be in the same subnet; otherwise, the TFTP loader rejects the Self IP address and then prompts you to re-enter it.

An indication that the firmware is loading successfully is the display of a series of “rtatatatatatata...” running on the terminal emulator screen and a series of symbols running on the TFTP server window. When the firmware installation is complete, a message informs you that the installation was successful.

Saving Multiple Firmware Images with Boot Loader

After firmware is downloaded successfully, the console displays the following question:

Save to on-board flash disk? (y/[n]/m)

Answering y (yes) saves the file as the default firmware. This image runs automatically if you do not interrupt the bootup process.

On some NetScreen devices, you can answer m (multiple) to save multiple firmware. You must select a file name at the following prompt:

Please input multiple firmware file name [BIMINITE.D]: test.d

The name in brackets is the recommended name automatically generated after you input the name in the TFTP server. If you do not enter a name, then the recommended name is used.

Note: You must enter a name that is DOS 8.3 compatible. The maximum length of the boot file name used by the Loader cannot exceed 63 characters.


Upgrading and Downgrading the NetScreen-500

Before the NetScreen-500 can support ScreenOS 5.2.0, you must upgrade the OS boot loader and file system to accommodate the larger image size. The previous OS loader and file system supported a smaller image size.

The NetScreen-500 has 16M of total flash, with 4M reserved for the OS loader and 12M for the file system and system image. In order to load the 5.2.0 image successfully, the file system must not exceed 5.6MB. Do the following to check the size of the file system:

• If you are running ScreenOS 4.X, use the get file extension command to list the files and their sizes. You can add up the individual file sizes to get the total size of the file system.

• If you are running ScreenOS 5.x, use the get file info command to display the total and available number of bytes.

The file system contains the configuration file, certificates, local logs and other files. If the file system is greater than 5.66M, you can reduce its size by reducing the configuration file size and deleting unnecessary files and logs.
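The file-system check described above, as an added example that is not part of the guide: a Python script that totals a get file listing (ScreenOS 4.x) or derives used space from get file info (ScreenOS 5.x) and compares the result with the 5.6 MB limit, listing the largest files as candidates for cleanup. The output layouts, the sample listings, the file names and the MiB reading of "5.6 MB" are constructed assumptions; compare the regular expressions with your own device's output before relying on them.

```python
"""Pre-upgrade file-system size check for the NetScreen-500.

Added example, not from the migration guide.  The guide states that the
ScreenOS 5.2.0 image loads on the NetScreen-500 only if the file system
does not exceed 5.6 MB, and says to add up the sizes listed by 'get file'
(ScreenOS 4.x) or read 'get file info' (ScreenOS 5.x).  The output layouts
below are ASSUMED for illustration.
"""
import re

# 5.6 MB limit from the guide; treated here as MiB (assumption).
FS_LIMIT_BYTES = int(5.6 * 1024 * 1024)

# Constructed sample of a ScreenOS 4.x 'get file' listing
# (assumed layout: one file per line, path then size in bytes).
SAMPLE_GET_FILE_4X = """\
flash:/envar.rec             98
flash:/golerd.rec             0
flash:/ns_sys_config      21504
flash:/syscert.cfg         4312
flash:/license.key         1024
flash:/$lkg$.cfg          20480
"""

# Constructed sample of a ScreenOS 5.x 'get file info' summary
# (assumed layout: 'total bytes' and 'available bytes' lines).
SAMPLE_GET_FILE_INFO_5X = """\
total bytes: 12582912
available bytes: 6500000
"""

_FILE_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s*$")
_INFO_LINE = re.compile(r"^\s*(total|available) bytes:\s*(\d+)", re.IGNORECASE)


def parse_get_file(text: str) -> dict[str, int]:
    """Return {path: size_bytes} from a 'get file' listing; non-matching lines are skipped."""
    files = {}
    for line in text.splitlines():
        m = _FILE_LINE.match(line)
        if m:
            files[m.group(1)] = int(m.group(2))
    return files


def used_bytes_4x(text: str) -> int:
    """ScreenOS 4.x: sum the individual file sizes, as the guide instructs."""
    return sum(parse_get_file(text).values())


def used_bytes_5x(text: str) -> int:
    """ScreenOS 5.x: used space = total bytes - available bytes."""
    fields = {}
    for line in text.splitlines():
        m = _INFO_LINE.match(line)
        if m:
            fields[m.group(1).lower()] = int(m.group(2))
    try:
        return fields["total"] - fields["available"]
    except KeyError as exc:
        raise ValueError("'get file info' output lacks total/available bytes") from exc


def check_fs(used: int, limit: int = FS_LIMIT_BYTES) -> dict:
    """Verdict for the 5.2.0 upgrade: ok, plus how many bytes must be freed if not."""
    return {"used": used, "limit": limit, "ok": used <= limit,
            "must_free": max(0, used - limit)}


def largest_files(text: str, n: int = 3) -> list[tuple[str, int]]:
    """Biggest entries first: what to review when the guide says to trim the
    configuration and delete unnecessary files and logs."""
    files = parse_get_file(text)
    return sorted(files.items(), key=lambda kv: kv[1], reverse=True)[:n]


if __name__ == "__main__":
    print("4.x:", check_fs(used_bytes_4x(SAMPLE_GET_FILE_4X)))
    print("5.x:", check_fs(used_bytes_5x(SAMPLE_GET_FILE_INFO_5X)))
    print("largest:", largest_files(SAMPLE_GET_FILE_4X))
```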

Perform the following steps to upgrade the OS loader and file system:

1. Download the upgrade image, ns500.upgrade, onto your computer.

– Visit juniper.net and log in.

– In the Download Software section, download ns500.upgrade from the ScreenOS 5.2 folder.

2. Load the ns500.upgrade software onto the NetScreen-500 through the WebUI, CLI or Boot Loader.

– For information on loading the software, see “Uploading New Firmware” on page 16.

3. If you used the WebUI to upgrade the NetScreen-500, it automatically reboots. If you used the CLI or the Boot Loader, use the reset command to reboot the device.

The NetScreen device reboots, using the ns500.upgrade image. You have completed the upgrade of the OS loader and file system.

4. You can now upgrade the firmware to ScreenOS 5.2.0.

– For information on upgrading the firmware, see “Uploading New Firmware” on page 16.

Note: Before you upgrade the OS loader and file system, we strongly recommend that you back up the configuration files.


Downgrading the NetScreen-500

Perform the following steps to downgrade the NetScreen-500 from ScreenOS 5.2.0 to an earlier version of ScreenOS.

Using the CLI

1. Download the firmware from the Juniper Networks web site. You must load the firmware on the NetScreen device using the CLI. Therefore, save the firmware to the root TFTP server directory on the computer.

– For information on downloading the firmware, see “Downloading the New Firmware” on page 13.

2. Load the firmware with the CLI. For information on using the CLI to load firmware, see “Using the CLI” on page 17.

3. Enter the CLI command, exec downgrade.

The NetScreen device automatically reboots with the firmware you loaded.

Using the Boot/OS Loader

1. Download the firmware from the Juniper Networks Web site. You must load the firmware on the NetScreen device using the CLI. Therefore, save the firmware to the root TFTP server directory on the computer.

– For information on downloading the firmware, see “Downloading the New Firmware” on page 13.

2. Enter the CLI command, exec downgrade.

The NetScreen device automatically reboots.

3. Load the firmware using the boot/OS loader. For information on using the boot/OS loader, see “Using the Boot/OS Loader” on page 18.


Upgrading the NetScreen-ISG 2000 OS Loader

Before the NetScreen-ISG 2000 can support ScreenOS 5.2.0, you must upgrade the OS loader if it is not v1.1.5. You can see the OS loader version scroll by during the bootup process or by entering the get envar command.

1. Download the OS loader from the Juniper Networks support site to the root directory of your TFTP server.

– Visit juniper.net and log in.

– In the Download Software section, download the software from the ScreenOS 5.2 folder.

– Download the latest OS loader and save it to the root directory of your TFTP server.

2. If necessary, start the TFTP server.

3. Make an Ethernet connection from the device hosting the TFTP server to the MGT port on the NetScreen-ISG 2000 and a serial connection from your workstation to the console port on the NetScreen-ISG 2000.

4. Reboot the NetScreen-ISG 2000 by entering the reset command. When prompted to confirm the command (System reset, are you sure? y/[n]), press the Y key.

5. When you see the following prompt, press the X key, and then the A key:

    NetScreen NS-ISG 2000 BootROM V0.9.0 (Checksum: 8796E2F3)
    Copyright (c) 1997-2004 NetScreen Technologies, Inc.
    Total physical memory: 2048MB
    Test - Pass
    Initialization................ Done
    Hit key 'X' and 'A' sequentially to update OS Loader.

6. Enter the filename for the OS loader software you want to load (for example, load2000v115.d.S), the IP address of the NetScreen-ISG 2000, and the IP address of your TFTP server:

    Serial Number [0079112003000031]: READ ONLY
    BOM Version [C06]: READ ONLY
    Self MAC Address [0010-db58-c900]: READ ONLY
    OS Loader File Name [boot2000v090.ld.S]: load2000v115.d.S
    Self IP Address [10.150.65.152]:
    TFTP IP Address [10.150.65.151]:


7. Press the Enter key, and the file loads:

    Save loader config (112 bytes)... Done
    Loading file "load2000v115.d.S"...
    rtatatatatata ...
    Loaded successfully! (size = 383,222 bytes)
    Ignore image authentication!
    Program OS Loader to on-board flash memory... ++++++++++++++++++++++++Done!
    Start loading..........................Done.

You have completed the upgrade of the OS loader.


Upgrading NetScreen Devices in an NSRP Configuration

For NetScreen devices in a NetScreen Redundancy Protocol (NSRP) configuration, you must upgrade each device individually. This section describes two different upgrade procedures addressing two different NSRP configurations: NSRP active/passive and NSRP active/active.

Upgrading Devices in an NSRP Active/Passive Configuration

The following illustrates a basic NSRP active/passive configuration where device A is the master and device B is the backup.

Before you begin, please read the requirements to perform an upgrade (“Requirements to Upgrade and Downgrade Device Firmware” on page 10). Also, make sure that you download the ScreenOS firmware to which you are upgrading each device.

Note: If you are upgrading a NetScreen device from a release that is earlier than ScreenOS 5.0.0, you must upgrade the device to ScreenOS 5.0.0 before upgrading to ScreenOS 5.1.0 or ScreenOS 5.2.0. The procedures in this section describe how to upgrade a NetScreen device from ScreenOS 5.0.0 to ScreenOS 5.1.0.

Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.

[Figure: NSRP Active/Passive. Device A (master) and device B (backup) are joined by an HA link, both in VSD Group 0.]


Upgrade Procedure

To upgrade two devices in an NSRP active/passive configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Upgrade Device B to ScreenOS 5.2.0

B. Fail Over Device A to Device B (CLI only)

C. Upgrade Device A to ScreenOS 5.2.0

D. Synchronize Device A (CLI only)

E. Fail Over Device B to Device A (CLI only)

A. Upgrade Device B to ScreenOS 5.2.0

WebUI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.2.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.


7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the version of the NetScreen device ScreenOS firmware in the Device Information section of the WebUI Home page.

CLI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to device B using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.2.0 firmware.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. Use the get system command to verify the version of the NetScreen device ScreenOS firmware.


B. Fail Over Device A to Device B (CLI only)

Manually fail over the master device to the backup device.

1. Log in to the master device.

2. Issue one of the following CLI commands. The command that you need to execute depends on whether or not the preempt[2] option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup

Either command forces the master device to step down and the backup device to immediately assume mastership.

C. Upgrade Device A to ScreenOS 5.2.0

WebUI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to NetScreen device A.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.2.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

[2] For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.


7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.

CLI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to NetScreen device A.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where the IP address is that of your computer and the filename is that of the ScreenOS 5.2.0 firmware.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the NetScreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

D. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.2.0, manually synchronize the two devices. On device A (backup), issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B (master).

E. Fail Over Device B to Device A (CLI only)

After synchronizing the devices, manually fail over the master device to the backup device. Follow the same steps as in “B. Fail Over Device A to Device B (CLI only)” on page 27 except that you log in to device B and fail over device B instead of failing over device A.
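Steps A to E above expressed as a runbook generator, an added example that is not part of the guide or of ScreenOS: it selects mode ineligible or mode backup from each device's preempt setting, upgrades the backup before the master, inserts the intermediate 5.0.0 stage the note requires for devices still running a release older than 5.0.0, and emits the CLI sequence per device without sending anything. Device names, the TFTP address, the config-backup file name passed to save config to tftp, and the firmware image names are placeholders.

```python
"""NSRP active/passive upgrade runbook generator.

Added example, not from the migration guide.  It encodes the ordering and
command choices in the guide's active/passive procedure (steps A to E):
upgrade the backup first; fail the master over with 'mode ineligible' when
the preempt option is enabled or 'mode backup' when it is not; upgrade the
former master; resync RTOs from the peer; then fail back.  Devices older
than 5.0.0 get the 5.0.0 stage the guide requires before 5.2.0.
"""
import re
from dataclasses import dataclass

TARGET = "5.2.0"
INTERMEDIATE = "5.0.0"   # required stepping stone for pre-5.0.0 devices


@dataclass
class Device:
    name: str       # label used in the plan, e.g. "A" or "B"
    version: str    # running release as shown by 'get system', e.g. "5.0.0r9.0"
    preempt: bool   # whether NSRP preempt is enabled on this device


def parse_version(version: str) -> tuple[int, int, int]:
    """'5.0.0r9.0' -> (5, 0, 0); the rN.N build suffix does not affect the path."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised ScreenOS version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def failover_command(vsd_group: int, preempt_enabled: bool) -> str:
    """The guide's rule: 'ineligible' if preempt is on, otherwise 'backup'."""
    mode = "ineligible" if preempt_enabled else "backup"
    return f"exec nsrp vsd-group {vsd_group} mode {mode}"


def upgrade_stages(version: str) -> list[str]:
    """Releases to load, in order, to reach TARGET from the running release."""
    stages = []
    if parse_version(version) < parse_version(INTERMEDIATE):
        stages.append(INTERMEDIATE)
    stages.append(TARGET)
    return stages


def upgrade_commands(dev: Device, tftp_ip: str, images: dict[str, str]) -> list[str]:
    """CLI steps for one device: back up the config, then load/reset/verify per stage.
    'images' maps a release to its firmware file name on the TFTP server."""
    # Backup file name is an assumption; the guide only gives 'save config to tftp'.
    cmds = [f"save config to tftp {tftp_ip} {dev.name}-pre-upgrade.cfg"]
    for release in upgrade_stages(dev.version):
        cmds += [f"save soft from tftp {tftp_ip} {images[release]} to flash",
                 "reset",
                 "get system"]   # confirm the release before the next stage
    return cmds


def active_passive_plan(master: Device, backup: Device, tftp_ip: str,
                        images: dict[str, str], vsd_group: int = 0) -> list[tuple[str, str]]:
    """Ordered (device, command) pairs for steps A to E of the guide."""
    plan: list[tuple[str, str]] = []
    # A. Upgrade the backup while the master carries traffic.
    plan += [(backup.name, c) for c in upgrade_commands(backup, tftp_ip, images)]
    # B. Fail over: run on the master so the backup assumes mastership.
    plan.append((master.name, failover_command(vsd_group, master.preempt)))
    # C. Upgrade the former master, now the backup.
    plan += [(master.name, c) for c in upgrade_commands(master, tftp_ip, images)]
    # D. Synchronise RTOs onto the former master from the current master.
    plan.append((master.name, "exec nsrp sync rto all from peer"))
    # E. Fail back: run the failover on the device currently holding mastership.
    plan.append((backup.name, failover_command(vsd_group, backup.preempt)))
    return plan


if __name__ == "__main__":
    # Constructed inputs; image names are placeholders, not real file names.
    imgs = {"5.0.0": "SCREENOS-5.0.0-IMAGE", "5.2.0": "SCREENOS-5.2.0-IMAGE"}
    a = Device("A", "5.0.0r9.0", preempt=True)
    b = Device("B", "4.0.3r2.0", preempt=False)
    for dev, cmd in active_passive_plan(a, b, "192.0.2.10", imgs):
        print(f"[{dev}] {cmd}")
```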


Upgrading Devices in an NSRP Active/Active Configuration

This upgrade section applies to an NSRP configuration where you paired two NetScreen devices into two Virtual Security Device (VSD) groups, with each physical device being the master in one group and the backup in the other. To upgrade, you first have to fail over one of the devices so that only one physical device is master of both VSD groups. You then upgrade the backup device first and the master device second.

The following illustrates a typical NSRP active/active configuration where device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.

Before you begin, please read the requirements to perform an upgrade (“Requirements to Upgrade and Downgrade Device Firmware” on page 10). Also, make sure that you download the ScreenOS 5.2.0 firmware.

Warning: Do not power off your NetScreen device while it is upgrading to new firmware. Doing so could result in permanent damage to your device.

[Figure: NSRP Active/Active. Device A and device B are joined by an HA link; device A is master of VSD Group 0 and backup for VSD Group 1, while device B is master of VSD Group 1 and backup for VSD Group 0.]


Upgrade Procedure

To upgrade two devices in an NSRP active/active configuration, follow these steps (note that for some of these steps you can only use the CLI):

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)

B. Upgrade Device B to ScreenOS 5.2.0

C. Fail Over Device A to Device B (CLI only)

D. Upgrade Device A to ScreenOS 5.2.0

E. Synchronize Device A (CLI only)

F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

A. Fail Over Device B in VSD 1 to Device A in VSD 1 (CLI only)

Manually fail over the master device B in VSD group 1 to the backup device A in VSD group 1.

1. Log in to device B using an application such as Telnet or Secure Shell (SSH) or HyperTerminal if directly connected through the console port. Log in as the root admin or an admin with read-write privileges.

2. Issue one of the following CLI commands. The command you need to execute depends on whether or not the preempt[3] option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup

Either command forces device B to step down and device A to immediately assume mastership of VSD 1. At this point, device A is master of both VSD 0 and 1 and device B is backup for both VSD 0 and 1.

Note: For more information on the preempt option and NSRP in general, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide, Volume 8.


B. Upgrade Device B to ScreenOS 5.2.0

WebUI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to NetScreen device B by opening a Web browser (for example Internet Explorer or Netscape) and entering the Management IP address in the Address field. Log in as the root admin or an admin with read-write privileges.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.2.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.

CLI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to device B.


3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.

4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash, where ip_addr is the IP address of your computer and filename is the name of the ScreenOS 5.2.0 firmware file.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the Netscreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

C. Fail Over Device A to Device B (CLI only)

Manually fail over device A completely to device B.

1. Log in to device A.

2. Fail over master device A in VSD 0 to backup device B in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup

3. Fail over master device A in VSD 1 to backup device B in VSD 1 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 1 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 1 mode backup

At this point, device B is master of both VSD 0 and 1 and device A is backup for both VSD 0 and 1.


D. Upgrade Device A to ScreenOS 5.2.0

WebUI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to NetScreen device A.

3. Save the existing configuration:

a. Go to Configuration > Update > Config File, and then click Save to File.

b. In the File Download dialog box, click Save.

c. Navigate to the location where you want to save the configuration file (cfg.txt), and then click Save.

4. Go to Configuration > Update > ScreenOS/Keys and select Firmware Update.

5. Click Browse to navigate to the location of the ScreenOS 5.2.0 firmware or type the path to its location in the Load File field.

6. Click Apply.

A message box appears with information on the upgrade time.

7. Click OK to continue.

The NetScreen device reboots automatically. The upgrade is complete when the device displays the login page in the browser.

8. Log in to the NetScreen device. You can verify the NetScreen device ScreenOS firmware version on the WebUI Home page, in the Device Information section.

CLI

1. Make sure that you have the ScreenOS 5.2.0 firmware. For information on obtaining the firmware, see “Downloading the New Firmware” on page 13.

2. Log in to device A.

3. Save the existing configuration by executing the save config to { flash | slot1 | tftp } command.


4. Run the TFTP server on your computer by double-clicking on the TFTP server application.

5. On the NetScreen device, enter save soft from tftp ip_addr filename to flash. Where the IP address is that of your computer and the filename is that of the ScreenOS 5.2.0 firmware.

6. When the upgrade is complete, you must reset the NetScreen device. Execute the reset command and enter y at the prompt to reset the device.

7. Wait a few minutes, and then log in to the Netscreen device again.

8. You can verify the NetScreen device ScreenOS firmware version by using the get system command.

E. Synchronize Device A (CLI only)

After you complete the upgrade of device A to ScreenOS 5.2.0, manually synchronize the two devices. On device A, issue the exec nsrp sync rto all from peer CLI command to synchronize the RTOs from device B.

F. Fail Over Device B in VSD 0 to Device A in VSD 0 (CLI only)

As the final step, you return the two NetScreen devices to their original NSRP active/active roles.

1. Log in to device B.

2. Fail over master device B in VSD 0 to backup device A in VSD 0 by issuing one of the following CLI commands. The command you need to execute depends on whether or not the preempt option is enabled on the master device.

– If the preempt feature is enabled: exec nsrp vsd-group 0 mode ineligible

– If the preempt option is not enabled: exec nsrp vsd-group 0 mode backup

At this point, device A is master of VSD 0 and backup for VSD 1, and device B is master of VSD 1 and backup for VSD 0.
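The six steps above only work because the device being upgraded is, at that moment, backup for both VSD groups, and because each failover command is typed on the device that is currently master of the group. The following is an added example, not part of the Juniper guide and not ScreenOS code, that models the two devices and two VSD groups in Python, emits the CLI command the guide gives for each failover depending on the preempt setting, and refuses to upgrade a device that still carries traffic. The device names A and B follow the guide; the Cluster class, the assumed starting firmware 5.1.0, and the literal ip_addr and filename placeholders are assumptions of this example.

```python
"""NSRP active/active upgrade sequence, modelled as a small state machine.

Added example; not Juniper code. The only ScreenOS syntax is in the command
strings it emits, copied from the guide. Assumptions: devices are named A and B,
the cluster starts on firmware 5.1.0, and 'ip_addr'/'filename' are kept as the
placeholders the guide itself uses.
"""
from dataclasses import dataclass, field

OLD_FW, NEW_FW = "5.1.0", "5.2.0"
INITIAL_LAYOUT = {0: "A", 1: "B"}   # master of VSD 0 / VSD 1; the other device is backup


@dataclass
class Cluster:
    preempt: bool                      # whether the preempt option is set on the masters
    master: dict = field(default_factory=lambda: dict(INITIAL_LAYOUT))
    firmware: dict = field(default_factory=lambda: {"A": OLD_FW, "B": OLD_FW})
    log: list = field(default_factory=list)   # "[device] command" lines, in order

    @staticmethod
    def peer(dev):
        return "B" if dev == "A" else "A"

    def failover(self, vsd, dev):
        """Make `dev` step down in `vsd`. The command is typed on the current
        master of that group, exactly as in steps A, C and F of the guide."""
        if self.master[vsd] != dev:
            raise ValueError(f"device {dev} is not master of VSD {vsd}")
        mode = "ineligible" if self.preempt else "backup"
        self.log.append(f"[{dev}] exec nsrp vsd-group {vsd} mode {mode}")
        self.master[vsd] = self.peer(dev)

    def upgrade(self, dev):
        """Load new firmware on `dev`. Refuses if `dev` is still master of any
        VSD, which is the situation the failover steps exist to avoid."""
        owned = [v for v, m in self.master.items() if m == dev]
        if owned:
            raise RuntimeError(f"device {dev} is still master of VSD {owned}; fail over first")
        self.log.append(f"[{dev}] save soft from tftp ip_addr filename to flash")
        self.log.append(f"[{dev}] reset")
        self.firmware[dev] = NEW_FW

    def sync_from_peer(self, dev):
        self.log.append(f"[{dev}] exec nsrp sync rto all from peer")

    def both_upgraded(self):
        return all(fw == NEW_FW for fw in self.firmware.values())

    def in_initial_layout(self):
        return self.master == INITIAL_LAYOUT


def run_guide_sequence(preempt):
    """Steps A to F of the guide, in order."""
    c = Cluster(preempt)
    c.failover(1, "B")         # A: B steps down in VSD 1 -> A is master of both
    c.upgrade("B")             # B: B is backup for both groups, safe to upgrade
    c.failover(0, "A")         # C: A steps down in VSD 0 ...
    c.failover(1, "A")         #    ... and in VSD 1 -> B is master of both
    c.upgrade("A")             # D
    c.sync_from_peer("A")      # E
    c.failover(0, "B")         # F: B steps down in VSD 0 -> original layout restored
    return c


def run_step_f_with_wrong_group(preempt):
    """Same sequence, but step F targets vsd-group 1 instead of 0: the two
    devices end up with their roles swapped rather than restored."""
    c = Cluster(preempt)
    c.failover(1, "B"); c.upgrade("B"); c.failover(0, "A"); c.failover(1, "A")
    c.upgrade("A"); c.sync_from_peer("A")
    c.failover(1, "B")         # A becomes master of VSD 1, B keeps VSD 0
    return c


if __name__ == "__main__":
    for flag in (True, False):
        c = run_guide_sequence(flag)
        print(f"preempt={flag}: masters={c.master} firmware={c.firmware}")
        print("\n".join(c.log))
```

Running the script prints the nine commands in the order the guide gives them, once with mode ineligible (preempt enabled) and once with mode backup; the final layout check is what confirms that step F must be run against VSD 0 on device B.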


Upgrading from ScreenOS 4.0.1-Multicast to ScreenOS 5.2.0

If your device currently runs ScreenOS 4.0.1-Multicast, you need to perform the following steps to upgrade it to ScreenOS 5.2.0.

1. Log in to the NetScreen device using a terminal emulator such as HyperTerminal. Log in as the root admin or an admin with read-write privileges.

2. Before loading the 5.2.0 image, assign one of the interfaces an IP address on the subnet of the TFTP server from which you will load the image.

3. Use the save software command to load the ScreenOS 5.2.0 image.

4. Reset the device. Ignore all the warnings about unsupported commands that appear on the console. (These commands are restored after successful loading of ScreenOS 5.2.0.)

Note that the interface and virtual router (vr) configuration settings are not present at this point. Ignore this.

5. Use the save software command to load the 5.2.0 image again, and restart the device. When the device asks whether to save the configuration during the reset, enter N.

When the device is up with the ScreenOS 5.2.0 image running, both interface and vr configs are restored.

Chapter 3

Changes in ScreenOS

This chapter lists the functionality changes between ScreenOS 5.1.0 and ScreenOS 5.2.0. It describes each functionality as it was in a previous release and as it is now in the current release.

This chapter contains the following sections:

• “BGP” on page 38

• “High Availability” on page 39

• “Sessions” on page 39

• “New, Modified and Deleted CLI Commands” on page 40

Note: For more information on ScreenOS functionality and features, refer to the NetScreen Concepts & Examples ScreenOS Reference Guide and the NetScreen CLI Reference Guide.

BGP

Prior Release

You could set static and OSPF routes to be distributed to BGP by setting the tag (for static routes) or route-type (for OSPF routes) and then creating a route-map applied to the outbound side. These static and OSPF-specific route properties were propagated into BGP.

Current Release

Static and OSPF-specific route properties are no longer propagated into BGP. The tag and route-type of redistributed routes can no longer be used in the match clauses of outbound route-maps applied to a BGP neighbor, either to filter routes or to set BGP attributes. Use BGP communities instead: you can continue to match on tag or route-type within the redistribution route-map, but there you must map each tag or route-type to a unique BGP community. BGP neighbors can then use an outbound route-map whose match clauses reference that community to filter routes or set BGP attributes. In addition, you must specify set community none in the outbound route-map of the BGP neighbors, so that the community added during redistribution is stripped from the routes that are not filtered and neighbors receive the routes exactly as in previous versions. Refer to the BGP chapter of the Routing volume of the NetScreen Concepts & Examples ScreenOS Reference Guide for more information and examples of route-map and BGP community use.
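The practical consequence of this change is easy to miss: an outbound route-map that denies routes by tag or route-type does not fail closed, it silently stops matching, so the routes it used to filter are advertised. The following is an added example, not Juniper code and not ScreenOS route-map syntax, that models route-map processing in Python and runs the same three constructed routes through the pre-5.2.0 behaviour, the 5.2.0 behaviour with the old tag-based neighbor map, and the 5.2.0 behaviour with the community mapping the text prescribes (including set community none). The route-map representation, the sample prefixes, the community values 65000:100 and 65000:200 and the local-pref value 200 are all assumptions of this example.

```python
"""Why tag/route-type matching stops working for BGP neighbors in ScreenOS 5.2.0,
and how mapping them to communities at redistribution restores the behaviour.

Added example; not Juniper code and not ScreenOS syntax. A route is a dict of
attributes. A route-map is a list of (match, actions) clauses applied in order,
first match wins; actions None is a deny clause; a route matching no clause is
dropped. Routes, community values and local-pref are constructed for this example.
"""

# Constructed routes in the virtual router, as handed to BGP for redistribution.
SOURCE_ROUTES = [
    {"prefix": "10.1.0.0/16",    "protocol": "static", "tag": 100},
    {"prefix": "10.2.0.0/16",    "protocol": "static", "tag": 200},
    {"prefix": "192.168.5.0/24", "protocol": "ospf",   "route-type": "external"},
]

SOURCE_PROPS = ("tag", "route-type")   # the static/OSPF-specific properties


def apply_route_map(route, clauses):
    """Return the route after the first matching clause, or None if denied or unmatched."""
    for match, actions in clauses:
        if all(route.get(k) == v for k, v in match.items()):
            if actions is None:          # deny clause
                return None
            out = dict(route)
            for k, v in actions.items():
                if v is None:            # models 'set community none': remove the attribute
                    out.pop(k, None)
                else:
                    out[k] = v
            return out
    return None


def redistribute(routes, redist_map, keep_source_props):
    """Import static/OSPF routes into the BGP table.
    keep_source_props=True models releases before 5.2.0 (tag/route-type are carried
    into BGP). False models 5.2.0: the redistribution route-map may still match on
    them, but they are dropped from the route afterwards."""
    table = []
    for r in routes:
        out = apply_route_map(r, redist_map)
        if out is None:
            continue
        if not keep_source_props:
            for k in SOURCE_PROPS:
                out.pop(k, None)
        table.append(out)
    return table


def advertise(table, neighbor_out_map):
    """Run a neighbor's outbound route-map; return {prefix: route} actually sent."""
    sent = {}
    for r in table:
        out = apply_route_map(r, neighbor_out_map)
        if out is not None:
            sent[out["prefix"]] = out
    return sent


def advertised(keep_source_props, redist_map, neighbor_out_map):
    table = redistribute(SOURCE_ROUTES, redist_map, keep_source_props)
    return advertise(table, neighbor_out_map)


# Pre-5.2.0 style: permit-all redistribution, neighbor map keyed on tag/route-type.
REDIST_PERMIT_ALL = [({}, {})]
OUT_BY_TAG = [
    ({"tag": 100},               {"local-pref": 200}),   # prefer the tag-100 statics
    ({"route-type": "external"}, None),                  # filter OSPF externals
    ({},                         {}),                    # pass everything else
]

# 5.2.0 style: map tag/route-type to a community during redistribution, match the
# community outbound, and strip it ('set community none') on every permitted route.
REDIST_TAG_TO_COMMUNITY = [
    ({"tag": 100},               {"community": "65000:100"}),
    ({"route-type": "external"}, {"community": "65000:200"}),
    ({},                         {}),
]
OUT_BY_COMMUNITY = [
    ({"community": "65000:100"}, {"local-pref": 200, "community": None}),
    ({"community": "65000:200"}, None),
    ({},                         {"community": None}),
]


if __name__ == "__main__":
    print("prior release        :", advertised(True,  REDIST_PERMIT_ALL,       OUT_BY_TAG))
    print("5.2.0, tag-based map :", advertised(False, REDIST_PERMIT_ALL,       OUT_BY_TAG))
    print("5.2.0, community map :", advertised(False, REDIST_TAG_TO_COMMUNITY, OUT_BY_COMMUNITY))
```

In the second run the OSPF external route that the old map denied is advertised and the preferred static loses its local-pref; the third run restores both decisions, and because every permitted clause strips the community, the neighbor sees the same attributes it saw before the upgrade.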

Prior Release

The number of BGP instances was limited to 8 for both the NS-5000 and ISG 2000 systems.

Current Release

The number of BGP instances increases to 128 for the NS-5000 system and to 64 for the ISG 2000 system.


Prior Release

The number of BGP peers was limited to 64 for the NS-5000 system and to 32 for the ISG 2000 system.

Current Release

The number of BGP peers increases to 256 for the NS-5000 and to 128 for the ISG 2000.

HIGH AVAILABILITY

Prior Release

The PKI configuration objects are automatically synchronized to the peer device.

Current Release

The PKI configuration objects are not automatically synchronized to the peer device. To synchronize the PKI commands, you must issue the following command: exec nsrp sync pki.

SESSIONS

Prior Release

Previously, on NetScreen devices with hardware support for handling sessions, if a hardware session could not be created, all the traffic destined for that session was handled by a software session.

Current Release

Starting with this release, if the NetScreen device cannot create a hardware session for any reason, it drops the traffic and does not create a corresponding software session.

Prior Release

IPSec Pass-through is supported.

Current Release

IPSec Pass-through is supported, and IKE Pass-through is accomplished by IKE-NAT as a pre-defined service.


NEW, MODIFIED AND DELETED CLI COMMANDS

This section lists the CLI commands that are new, modified, and deleted in this release. For information on these commands, refer to the NetScreen CLI Reference Guide.

New Commands

The following commands are new in this release.

alg
pppoa

Modified Commands

The following commands were modified in this release.

auth
auth-server
BGP Commands
    community-list
    neighbor
    config
firewall
flow
ippool
OSPF Commands
    retransmit
    config
policy
session
url
vrouter
zone

Deleted Commands

There are no deleted commands in this release.