This document describes some things you need to know before doing any maintenance on the CSCF Netscreen Firewalls.
The firewalls support two types of administrators: Read-Write administrators, who can make configuration changes, and Read-Only administrators, who can only view the configuration. Although the firewalls have a local admin user database, they are configured to use a RADIUS server for account information. The RADIUS server in turn points to UWDir for authentication, but not for authorization: UWDir only verifies the password, while the RADIUS server's own user list decides whether an account is a firewall administrator at all and which privilege level it gets.
To add an administrative user, log on to watcher204.cscf as root and add the user to /etc/raddb/users. There are examples in the file to help you. Please note that watcher204.cscf is not the permanent home for the RADIUS server.
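As an illustration of what such an entry looks like, here is a constructed example; it is not a copy of the real /etc/raddb/users and it assumes the FreeRADIUS users-file syntax with the Netscreen vendor dictionary loaded (the NS-Admin-Privilege attribute), and that UWDir is reached through the LDAP module. The user names are made up.

```text
# Constructed example of /etc/raddb/users entries (not the real file).
# Assumes FreeRADIUS users-file syntax and dictionary.netscreen.

# Read-Write administrator: password is checked against UWDir (assumed
# to be via the LDAP module); the privilege level is returned to the
# firewall as a Netscreen vendor-specific attribute.
jdoe    Auth-Type := LDAP
        NS-Admin-Privilege = Root-Admin

# Read-Only administrator: same authentication path, lower privilege.
asmith  Auth-Type := LDAP
        NS-Admin-Privilege = Read-Only-Admin

# Anyone not listed above is rejected, even if UWDir would accept the
# password. This is what keeps authorization in this file rather than
# in UWDir. Entries are matched top to bottom, so keep this last.
DEFAULT Auth-Type := Reject
```

The DEFAULT line is the part worth checking after any edit: without it, or with a typo in a user name above it, the outcome depends on whatever the rest of the RADIUS configuration does with unknown users.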
Make sure you read
before making any policy changes.
Firewall rulesets are based on Source/Destination Zone pairs.
Firewall rules (aka policies) are made up of:
It's essential that you consider traffic between zones when adding policies to the firewall, because each policy applies to exactly one Source Zone / Destination Zone pair. For example, if you want to "allow SSH into Zone2", you need to think about from what zone(s) you will allow SSH. You may refine the statement to "allow SSH into Zone2 from anywhere". For this to happen you need one policy per source zone: with zones Zone1 ... ZoneN plus Untrust, that is N new policies, one for "Untrust -> Zone2" and N-1 for "ZoneX -> Zone2", where X = 1...N, X ≠ 2. Forgetting one of these pairs silently leaves SSH blocked from that zone.
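The expansion above, worked through as an added example (this is not code from the original page or from CSCF): a small Python helper that enumerates the zone pairs needed to allow one service into a destination zone from every other zone and prints the corresponding ScreenOS "set policy" commands. The zone names, the service name and the use of "any any" for the address books are assumptions for illustration.

```python
"""Enumerate the per-zone-pair policies needed for "allow SERVICE into ZONE
from anywhere". Added example, not part of the original page."""

from typing import List, Tuple


def policies_into_zone(zones: List[str], dest: str,
                       untrust: str = "Untrust") -> List[Tuple[str, str]]:
    """Return the (source_zone, dest_zone) pairs that each need a policy.

    Netscreen policies are evaluated per Source/Destination Zone pair, so
    "from anywhere" expands to one policy per source zone other than the
    destination: the Untrust zone plus every other internal zone.
    Intra-zone traffic (dest -> dest) is handled separately by ScreenOS
    and is deliberately not generated here.
    """
    if dest not in zones:
        raise ValueError(f"unknown destination zone {dest!r}")
    if dest == untrust:
        raise ValueError("destination must be an internal zone")
    sources = [untrust] + [z for z in zones if z != dest]
    return [(src, dest) for src in sources]


def screenos_commands(pairs: List[Tuple[str, str]], service: str,
                      action: str = "permit") -> List[str]:
    """Render each pair as a ScreenOS CLI policy line.

    CLI form: set policy from <src-zone> to <dst-zone> <src-addr> <dst-addr>
    <service> <action>. "any any" is an assumption for the example; a real
    change would normally name address-book entries instead.
    """
    return [f"set policy from {src} to {dst} any any {service} {action}"
            for src, dst in pairs]


if __name__ == "__main__":
    # Constructed zone list: three internal zones plus Untrust.
    internal_zones = ["Zone1", "Zone2", "Zone3"]
    pairs = policies_into_zone(internal_zones, "Zone2")
    for line in screenos_commands(pairs, "SSH"):
        print(line)
```

With three internal zones this yields three policies (Untrust, Zone1 and Zone3 into Zone2), matching the N count in the text. The helper is also a handy review check: compare its output against the policies actually present on the firewall to spot the pair that was forgotten.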
You should take a look at the Layer 3 routing diagram, then read the document on moving a subnet.
2005/08/25 - jatestar