NETSCREEN-5XP

Installer's Guide

Version P/N Rev A


Copyright Notice

Copyright © 2000-2001 NetScreen Technologies, Inc.
All rights reserved. Printed in USA.

NetScreen, the NetScreen logo, NetScreen-5, NetScreen-5XP, NetScreen-10, and
NetScreen-100 are registered trademarks or trademarks of NetScreen
Technologies, Inc.

Netscape Communicator is a registered trademark of Netscape in the United
States and/or other countries. Microsoft, Windows and Windows NT are
registered trademarks of Microsoft Corporation in the U.S.A. and/or other
countries. Hyperterminal is a registered trademark of Hilgraeve Corporation.
All other brands and their products mentioned in this document are trademarks
or registered trademarks of their respective owners.

The specifications regarding the products in this manual are subject to change
without notice. All statements, information, and recommendations in this
manual are believed to be accurate but are presented without warranty of any
kind, express or implied. Users must take full responsibility for their
application of any products. This document may only be used or copied in
accordance with the terms of such license.

NetScreen Technologies, Inc.
350 Oakmead Parkway, Suite 500
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com

FCC Statement

This equipment has been tested and found to comply with the limits for a
Class B digital device, pursuant to part 15 of the FCC rules. These limits are
designed to provide reasonable protection against harmful interference in a
light commercial installation. This equipment generates, uses and can radiate
radio frequency energy, and, if not installed and used in accordance with the
instruction, may cause harmful interference to radio communications. However,
there is no guarantee that interference will not occur in a particular
installation. If this equipment does cause harmful interference to radio or
television reception, which can be determined by turning the equipment off and
on, the user is encouraged to try to correct the interference by one or more
of the following measures:

• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which
the receiver is connected.

Caution: Changes or modifications to this product could void the user's
warranty and authority to operate this device.

Product License Agreement

PLEASE READ THIS LICENSE AGREEMENT (“AGREEMENTS”) CAREFULLY BEFORE USING THIS
PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE
TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY
AND ARE BECOMING A PART TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE
TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.

1. License Grant. This is a license, not a sales agreement, between you, the
end user, and NetScreen Technologies, Inc. (“NetScreen”). The term “Firmware”
includes all NetScreen and third party Firmware and software provided to you
with the NetScreen product, and includes any accompanying documentation, any
updates and enhancements of the Firmware and software provided to you by
NetScreen, at its option. NetScreen grants to you a non-transferable (except
as provided in section 3 (“Transfer”) below), non-exclusive license to use the
Firmware and software in accordance with the terms set forth in this License
Agreement. The Firmware and software are “in use” on the product when they are
loaded into temporary memory (i.e. RAM).

2. Limitation on Use. You may not attempt and if you are a corporation, you
will use best efforts to prevent your employees and contractors from
attempting to, (a) modify, translate, reverse engineer, decompile,
disassemble, create derivative works based on, sublicense, or distribute the
Firmware or the accompanying documentation; (b) rent or lease any rights in
the Firmware or software or accompanying documentation in any form to any
person; or (c) remove any proprietary notice, labels, or marks on the
Firmware, software, documentation, and containers.

3. Transfer. You may transfer (not rent or lease) the Firmware or software to
the end user on a permanent basis, provided that: (i) the end user receives a
copy of this Agreement and agrees in writing to be bound by its terms and
conditions, and (ii) you at all times comply with all applicable United States
export control laws and regulations.

4. Proprietary Rights. All rights, title, interest, and all copyrights to the
Firmware, software, documentation, and any copy made by you remain with
NetScreen. You acknowledge that no title to the intellectual property in the
Firmware and software is transferred to you and you will not acquire any
rights to the Firmware except for the license as expressly set forth herein.

5. Term and Termination. The term of the license is for the duration of
NetScreen's copyright in the Firmware and software. NetScreen may terminate
this Agreement immediately without notice if you breach or fail to comply with
any of the terms and conditions of this Agreement. You agree that, upon such
termination, you will either destroy all copies of the documentation or return
all materials to NetScreen. The provisions of this Agreement, other than the
license granted in Section 1 (“License Grant”) shall survive termination.

6. Limited Warranty. For a period of one (1) year after delivery to Customer,
NetScreen will repair or replace any defective product shipped to Customer,
provided it is returned to NetScreen at Customer’s expense within that period.
For a period of ninety (90) days after the initial delivery of a particular
product, NetScreen warrants to Customer that such product will substantially
conform with NetScreen’s published specifications for that product if properly
used in accordance with the procedures described in documentation supplied by
NetScreen. NetScreen’s exclusive obligation with respect to non-conforming
product shall be, at NetScreen’s option, to replace the product or use
diligent efforts to provide Customer with a correction of the defect, or to
refund to customer the purchase price paid for the unit. Defects in the
product will be reported to NetScreen in a form and with supporting
information reasonably requested by NetScreen to enable it to verify,
diagnose, and correct the defect. For returned product, the customer shall
notify NetScreen of any nonconforming product during the warranty period,
obtain a return authorization for the nonconforming product, from NetScreen,
and return the nonconforming product to NetScreen’s factory of origin with a
statement describing the nonconformance.

NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE FOREGOING IS CUSTOMER’S
SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO
THE PRODUCT.

The warranties set forth above shall not apply to any Product or Hardware
which has been modified, repaired or altered, except by NetScreen, or which
has not been maintained in accordance with any handling or operating
instructions supplied by NetScreen, or which has been subjected to unusual
physical or electrical stress, misuse, abuse, negligence or accidents.

THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR
IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND
NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD
PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR
WILL OPERATE WITHOUT INTERRUPTION.

7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE
LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY,
CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY,
INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF
DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE
FIRMWARE. IN NO EVENT WILL NETSCREEN'S OR ITS LICENSORS' AGGREGATE LIABILITY
CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE
ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR FIRMWARE.

Some jurisdictions do not allow the exclusions and limitations of incidental,
consequential or special damages, so the above exclusions and limitations may
not apply to you.

8. Export Law Assurance. You understand that the Firmware is subject to export
control laws and regulations.

YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE FIRMWARE OR ANY
UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED
STATES AND OTHER APPLICABLE LAWS AND REGULATIONS.

9. U.S. Government Restricted Rights. If this Product is being acquired by the
U.S. Government, the Product and related documentation is commercial computer
Product and documentation developed exclusively at private expense, and (a) if
acquired by or on behalf of civilian agency, shall be subject to the terms of
this computer Firmware, and (b) if acquired by or on behalf of units of the
Department of Defense (“DoD”) shall be subject to terms of this commercial
computer Firmware license Supplement and its successors.

10. Tax Liability. You agree to be responsible for the payment of any sales or
use taxes imposed at any time whatsoever on this transaction.

11. General. If any provisions of this Agreement are held invalid, the
remainder shall continue in full force and effect. The laws of the State of
California, excluding the application of its conflicts of law rules shall
govern this License Agreement. This Agreement will not be governed by the
United Nations Convention on the Contracts for the International Sale of
Goods. This Agreement is the entire agreement between the parties as to the
subject matter hereof and supersedes any other Technologies, advertisements,
or understandings with respect to the Firmware and documentation. This
Agreement may not be modified or altered, except by written amendment, which
expressly refers to this Agreement and which, is duly executed by both
parties.

You acknowledge that you have read this Agreement, understand it, and agree to
be bound by its terms and conditions.

Hardware, including technical data, is subject to U.S. export laws, including
the U.S. Export Administration Act and its associated regulations, and may be
subject to export or import regulations in other countries. Customer agrees to
comply strictly with all such regulations and acknowledges that it has the
responsibility to obtain licenses to export, re-export, or import hardware.

Table of Contents

Manual Organization
Related Publications

Chapter 1 Hardware Description

Chapter 2 Connecting the NetScreen-5XP to the Network

Chapter 3 Initial Configuration
    Configuring Via the Quick Start Program
    Configuring Via the WebUI
        Making a Connection
        Logging on and Setting the System IP Address
        Setting Interface Addresses
        Allowing Outbound Traffic
        Changing the Administrator Login Name and Password
        Testing the Configuration
        Configuration Reset
        Backup Configuration Settings
    Configuring Via the CLI
        Making a Connection
        Logging On and Setting the System IP Address
        Setting Interface Addresses
        Allowing Outbound Traffic
        Changing the Administrator Login Name and Password
        Testing the Configuration
        Configuration Reset
        Backup Configuration Settings
    Configuration Reset Pinhole

Appendix A Safety Recommendations and Warnings
    Safety Warnings
        Installation Warning
        Power Disconnection Warning
        No User Serviceable Parts Warning
        Circuit Breaker A Warning
        SELV Circuit Warning
        Lightning Activity Warning
        Lithium Battery Warning
        Product Disposal Warning
    General Site Requirements
        Site Environment
        Preventive Site Precautions
        Power Supply Considerations
        Environmental Requirements
        BSMI Labeling Requirement

Index

Preface

The NetScreen-5XP™ is a network security device that protects your Ethernet
local area network (LAN) or standalone desktop computer when connecting to the
Internet. Using a NetScreen-5XP as a firewall, you can configure access policies
that control inbound and outbound network and Virtual Private Network (VPN)
traffic.

FIPS Certification Note: For information on NetScreen compliance with
Federal Information Processing Standards (FIPS) and for instructions on setting
a FIPS-compliant NetScreen device in FIPS mode, see the NetScreen-5XP
Cryptographic Module Security Policy on the documentation CD-ROM.

MANUAL ORGANIZATION
This manual has three chapters and one appendix.

Chapter 1, Hardware Description, describes the NetScreen-5XP device.

Chapter 2, Connecting the NetScreen-5XP to the Network, describes how to
connect the NetScreen-5XP to a network in single-workstation or
multiple-workstation configurations.

Chapter 3, Initial Configuration, describes 3 ways of configuring the device. You
can use the Quick Start™ disk provided, use the Web UI, or use the Command
Line Interface (CLI).

Appendix A, Safety Recommendations and Warnings, provides general site
requirements and safety warnings, and explains the cautionary procedures you
should observe before installing and operating the NetScreen-5XP unit.

GENERAL LAYOUT OF THE NETSCREEN-5XP WEBUI
The Web User Interface (WebUI) contains two main logical sections: the menu
column and the central display area.

• The menu column includes four main functional categories: System,
Network, Lists, and Monitor, each of which contains further sub-functions,
represented by tabs in the central display area. During the configuration
process, you must first select a main functional category before choosing the
various utilities offered within each sub-category.

• The central display area displays the information for each of the categories
in the menu column, in either a tabular or graphical format. These pages
generally contain links to dialog boxes through links such as New Policy,
New Manual Key User, New Entry, Edit, and so forth.

Figure: The NetScreen-5XP Central Display Area (callouts: menu column, tab
categories, links)

COMMAND LINE INTERFACE (CLI) SYNTAX
These conventions apply to all NetScreen commands.

Syntax
• A parameter inside [ ] (square brackets) is optional.

• A parameter inside { } (braces) is required.

• Anything inside < > is a variable.

• If there is more than one choice for a parameter inside [ ] and { }, they are
separated by a pipe ( | ). For example, [auth {md5 | sha-1}] means
“choose either MD5 or SHA-1 as your authentication method.”

• IP addresses are represented by <a.b.c.d>, and <a.b.c.d>–<w.x.y.z> if a range
is being specified.

• A subnet mask is represented by <A.B.C.D>.

Conventions
• To remove a single character, press BACKSPACE or CTRL+H.

• To remove an entire line, press CTRL+U.

• To traverse up to 16 lines forward in the command history buffer, press CTRL+F or the
DOWN ARROW key.

Note: To use the arrow keys for navigating among commands in a Telnet
session on Windows 95, 98, NT, or 2000: On the Terminal menu, click
Preferences…, select the VT100 Arrows check box, and click the OK button.

• To traverse up to 16 lines backward in the command history buffer, press
CTRL+B or the UP ARROW key.

• To see the next available keyword or input, and a brief description of usage,
type a question mark (?).

• The console times out and the connection is broken if no keyboard activity is
detected for 10 minutes.

Items you enter into the system are in bold text.

For further explanation of NetScreen commands and their syntax, refer to the
NetScreen CLI Reference Guide, which is included on the product CD.

RELATED PUBLICATIONS
The following technical publications are shipped with the NetScreen-5XP device:

NetScreen-5XP Getting Started Guide


The following publications are included on the product CD:
NetScreen Concepts and Examples ScreenOS Reference Guide
NetScreen CLI Reference Guide
NetScreen WebUI Reference Guide

Chapter 1

Hardware Description
This chapter provides illustrations and descriptions of the NetScreen-5XP front
and back panel.

Figure 1-1 shows the front view of the NetScreen-5XP.

Figure 1-1 Front Panel of the NetScreen-5XP (callouts: Power LED, Status LED,
Trusted and Untrusted Link Status LEDs)

• Power LED: glows solid green when power is supplied to the NetScreen-5XP.
• Status LED: glows solid green when the NetScreen-5XP is first powered up and
the unit first performs diagnostics. Then the unit goes into a startup phase,
which takes up to one minute to complete. During startup, the LED blinks
orange, after which the LED blinks green. If an error is detected, then the
LED glows red.
• Trusted and Untrusted Status LEDs: Each Ethernet port has a link
light (LED). When blinking, it shows traffic activity. When the Ethernet
cables are plugged in properly, it glows green.

Figure 1-2 shows a back view of the NetScreen-5XP.

Figure 1-2 Back Panel of the NetScreen-5XP (callouts: Untrusted Port, Trusted
Port, Console Port, Configuration Reset Hole, DC Power Input)

The back panel of the NetScreen-5XP contains the following features:

• Trusted and Untrusted Ports: See “Connecting the NetScreen-5XP to the
Network” on page 2-1 for cabling guidelines.
• Console Port: DB9 serial port connector for local diagnostics.
• Configuration Reset Pinhole: When the user resets the device, the
NetScreen-5XP will boot up using the original factory default configuration.
Any current existing configuration settings will be lost, and the firewall and
VPN service rendered inoperative. See “Configuration Reset Pinhole” on
page 3-26 for more information.

Warning: For complete security, operate the NetScreen-5XP in a “locked room”
environment.

• Power Outlet: Use the universal power supply included with your
NetScreen-5XP unit to connect to the power outlet.

Chapter 2

Connecting the NetScreen-5XP to the Network
Follow the instructions in this chapter to connect the NetScreen-5XP device to the
network.

Caution: Make sure you have read Appendix A, “Safety Recommendations and
Warnings” on page A-1, before you begin.

Note: Check your router, hub, or computer documentation to determine if you
should reconfigure the device or if you should switch off the power supply when
connecting new equipment to the LAN.

1. Connect the universal power supply’s DC cable to the power outlet on the
NetScreen-5XP device, and the AC cable to an AC outlet. The NetScreen-5XP
unit is powered when connected. The power specifications are as follows:

Input: 85–264 VAC

Output: 5 VDC @ 1.5 amps

DC Jack: 2.5 mm x 5.5 mm x 11 mm; polarity is center positive

The NetScreen-5XP takes up to one minute to start up. There is no ON/OFF
switch. If you need to reboot at any point, unplug the NetScreen device for 30
seconds and then plug it back in again.
Untrusted Port: Connect the NetScreen-5XP to the router using a twisted
pair cable with RJ45 connectors.
Trusted Port: Connect the NetScreen-5XP to the LAN using a twisted pair
cable with RJ45 connectors.

2. Connect the NetScreen-5XP to the network as shown in one of the following
illustrations:
– Figure 2-1 “Typical Multiple-Workstation Configuration—Router
Connected to the Untrusted Port, LAN Connected to the Trusted Port”
on page 2-2.
– Figure 2-2 “Typical Single-Workstation Configuration—Router
Connected to the Untrusted Port, Workstation Connected to the
Trusted Port” on page 2-3.

Figure 2-1 Typical Multiple-Workstation Configuration—Router Connected to the
Untrusted Port, LAN Connected to the Trusted Port (diagram labels: Internet,
Internet Router, NetScreen-5XP Untrusted and Trusted ports, LAN;
straight-through cable shown white, crossover cable shown colored)

Figure 2-2 Typical Single-Workstation Configuration—Router Connected to the
Untrusted Port, Workstation Connected to the Trusted Port (diagram labels:
Internet, Internet Router, NetScreen-5XP, Workstation; straight-through cables
shown white)

Note: Because of the wide variety of available routers, hubs, and switches, the
cabling configuration presented here might not satisfy your network connection
requirements. If the cabling suggested above does not work, try other cable
configurations until a link light is established.

You may have to supply additional cables, depending on your particular
configuration. A DTE (Data Terminal Equipment) device requires a crossover
cable to connect to a DTE port. A DCE (Data Communications Equipment) device
requires a crossover cable to connect to a DCE port.

Table 2-1 Typical NetScreen-5XP Cable Connections

For a Device Connected to:   Untrusted Port (DTE)*   Trusted Port (DCE)
Workstation (DTE)            crossover               straight-through
Switch/Hub (DCE)             straight-through        crossover
Router (DTE)§                crossover               straight-through

* An Untrusted Ethernet port is not technically a DTE but, for cabling
purposes, should be treated as such.
§ Routers with uplink ports may behave in reverse.

3. If you have not already done so, turn on the power supply to the devices you
have connected to the NetScreen-5XP.
If all cables are connected correctly, the link light for each connection glows.

Chapter 3

Initial Configuration
The NetScreen-5XP device supports three operational modes: Transparent mode,
NAT (Network Address Translation) mode, and Route mode. This section provides
an overview of each mode and the required steps to perform an initial
configuration.

TRANSPARENT, NAT, AND ROUTE MODES
Transparent Mode
In Transparent mode, the NetScreen device inspects packets traversing the
firewall without modifying any of the source or destination information in the IP
packet header. Because it does not translate addresses, the IP addresses on the
protected network must be valid, routable addresses on the Untrusted network [1],
which might be the Internet. In Transparent mode, the IP addresses for the
Trusted and Untrusted interfaces are set at 0.0.0.0, making the presence of the
NetScreen device invisible, or “transparent,” to users. The NetScreen device acts
as a Layer 2 bridge.

Network Address Translation (NAT) Mode
When in NAT mode, the NetScreen device translates two components in the
header of an outgoing IP packet traversing the firewall from the Trusted side: its
source IP address and source port number. The NetScreen device replaces the
source IP address of the host that sent the packet with the IP address of the
Untrusted port [2] of the NetScreen device. Also, it replaces the source port number
with another random port number generated by the NetScreen device.

[1] If the router on the Untrusted side performs NAT, then the addresses on the
Trusted side can be private IP addresses.

[2] If the outbound traffic is destined for the DMZ, then the source IP address is
translated to that of the DMZ port.

Route Mode
In Route mode, the NetScreen device routes traffic between different interfaces
without performing NAT; that is, the source address and port number in the IP
packet header remain unchanged as it traverses the NetScreen device. Unlike
NAT, the hosts on the Trusted side must have public IP addresses, and you do not
need to establish Mapped and Virtual IP addresses to allow sessions initiated on
the Untrusted side to reach hosts on the Trusted side. Unlike Transparent mode,
the Trusted and Untrusted interfaces are on different subnets.

For further configuration examples and detail, see the NetScreen Concepts &
Examples ScreenOS Reference Guide.
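
The header handling described for the three modes above, as an added example that is not part of the original guide or of ScreenOS: NAT mode rewrites the source address and port of outbound packets and can only deliver inbound packets that match a recorded translation, while Route and Transparent mode leave the header unchanged. The class and field names, the port range, the session-table layout and the addresses are assumptions made for the illustration.

```python
"""Model of the header handling in Transparent, NAT and Route mode (illustrative)."""
import random
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ModeModel:
    """Header rewriting as the guide describes it for each operational mode.

    The port range and the session table are assumptions of this sketch; the
    guide only says that the new source port is random.
    """

    PORT_RANGE = (1024, 65535)  # assumed range for translated source ports

    def __init__(self, mode: str, untrusted_ip: str = "0.0.0.0",
                 seed: Optional[int] = None):
        if mode not in ("transparent", "nat", "route"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.untrusted_ip = untrusted_ip
        self._rng = random.Random(seed)  # seedable so the model is repeatable
        # translated source port -> original (source IP, source port)
        self.sessions: Dict[int, Tuple[str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving the Trusted side."""
        if self.mode != "nat":
            return pkt  # Transparent and Route mode leave the header unchanged
        port = self._rng.randint(*self.PORT_RANGE)
        while port in self.sessions:  # do not reuse a port that is in flight
            port = self._rng.randint(*self.PORT_RANGE)
        self.sessions[port] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.untrusted_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the Untrusted side; None means no translation exists."""
        if self.mode != "nat":
            return pkt  # addresses are already those of the Trusted hosts
        if pkt.dst_ip != self.untrusted_ip or pkt.dst_port not in self.sessions:
            return None  # unsolicited: nothing maps it to a Trusted host
        ip, port = self.sessions[pkt.dst_port]
        return replace(pkt, dst_ip=ip, dst_port=port)


if __name__ == "__main__":
    # Constructed addresses: private Trusted host, documentation-range public IPs.
    fw = ModeModel("nat", untrusted_ip="203.0.113.10", seed=1)
    out = fw.outbound(Packet("10.1.1.5", 40000, "198.51.100.7", 80))
    print("on the Untrusted side:", out)
    print("reply delivered to:  ",
          fw.inbound(Packet("198.51.100.7", 80, "203.0.113.10", out.src_port)))
```

The `None` result for an unmatched inbound packet is the reason NAT mode needs Mapped or Virtual IP addresses for sessions initiated on the Untrusted side, which Route mode does not.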

Configuring the NetScreen-5XP
There are three ways to configure the NetScreen-5XP for the first time:

• Using the Quick Start Program.
• Using a Web browser running on a workstation connected via a network to
the Trusted port.
• Using CLI via either Telnet or the serial port.

Table 3-1 Administration Configuration Requirements

Configuration Method   Requirements
Quick Start            Netscape Communicator v4.5 or greater, or Microsoft
                       Internet Explorer v5.0 or greater.

                       TCP/IP network connection to the NetScreen-5XP.

WebUI                  Netscape Communicator v4.5 or greater, or Microsoft
                       Internet Explorer v5.0 Web browser.

                       TCP/IP network connection to the NetScreen-5XP.

                       Secure Sockets Layer (SSL) requires that a certificate be
                       loaded into the NetScreen-5XP. See the NetScreen Concepts
                       and Examples ScreenOS Reference Guide for further
                       information.

CLI                    Via the console port, using Hilgraeve Hyperterminal or a
                       VT100 terminal emulator on the administrator’s
                       workstation and an RS-232 Console cable.

                       Via Telnet, using a VT100 terminal emulator and TCP/IP
                       network connection to the NetScreen device.

                       Secure Shell (SSH) requires that a key be generated in the
                       NetScreen-5XP. See the NetScreen Concepts and Examples
                       ScreenOS Reference Guide for further information.

Table 3-2 Important Default Configuration Settings

Default System IP Address:               192.168.1.1
Default Trusted/Untrusted IP Addresses:  0.0.0.0 (transparent mode)
Default Username:                        netscreen
Default Password:                        netscreen
Default Policy:                          source: inside any
                                         destination: outside any
                                         service: any
                                         action: permit

CONFIGURING VIA THE QUICK START PROGRAM
The NetScreen-5XP comes with the Quick Start disk for easy configuration.
1. Insert the Quick Start disk into the 3 1/2-inch floppy drive of the Windows®
95/98, Windows NT® v4.0 or Win2000 computer from which you will
configure the unit on the LAN.
2. On the Windows task bar, click the Start button, and then select Run.
3. At the Command Line, type a:\nsqstart.exe, then select OK.

Note: If the floppy drive of your computer does not use “a,” replace the “a” in
the above command with the drive letter it uses.

The NetScreen Quick Start Welcome window appears as in Figure 3-1 on
page 4.


Figure 3-1 NetScreen Quick Start Welcome

4. Read the information on the NetScreen Quick Start Welcome screen, then
click the Next button.
If there is more than one network card on the computer, the Quick Start
program displays their IP addresses and prompts you to select the one for
the network on which you are installing the NetScreen-5XP, as shown in
Figure 3-2.

Figure 3-2 Network Card IP Address List

Select the appropriate network card, and then click OK.

Note: The Quick Start program can only find the NetScreen-5XP devices on your
network that still have the factory default configuration.


5. When the NetScreen Quick Start Select Device dialog box displays, select the
NetScreen-5XP you want to configure, as shown in Figure 3-3, then click the
Next button. In the event more than one NetScreen device is found, match
the serial number of the new device to the one found by the Quick Start
program, select it, and click Next.

Figure 3-3 NetScreen Quick Start-Select Device

6. Enter the new System IP address for the NetScreen device you are
configuring, as shown in Figure 3-4 on page 3-6. This value must be an
available address on the Trusted subnet. This is the address that you will
use to further manage the NetScreen-5XP.

Note: Since connectivity is lost when the IP address is moved to a different
subnet, the user must record the IP address.

Figure 3-4 NetScreen Quick Start-Configuration Dialog Box

Selecting Transparent Mode
1. To launch your NetScreen-5XP in Transparent mode, select Transparent
Mode as shown in Figure 3-4.
2. Click Finish.
If you leave the Launch web browser for further configuration check
box selected (the default), Quick Start opens your Web browser and displays
the User name and Password dialog box as shown in Figure 3-7 on page 3-9.
If you clear the Launch web browser for further configuration check
box, you must start your Web browser manually when Quick Start exits.

Selecting Network Address Translation or Route Mode
1. To launch your NetScreen-5XP in NAT mode, select Network Address
Translation Mode (NAT) as shown in Figure 3-5.

Figure 3-5 NetScreen Quick Start Configuring Screen

2. Click Next. The Configuration (NAT) screen appears, as in Figure 3-6.

Figure 3-6 NetScreen Quick Start Configuration (NAT) Screen

3. Specify either NAT Mode or Route Mode.
4. Enter the IP address and subnet mask of the NetScreen-5XP Trusted interface.
5. To configure the Untrusted interface, use one of the following three methods:
a. To use Dynamic Host Configuration Protocol, select DHCP.
b. To use Point-to-Point Protocol over Ethernet, select PPPoE and enter the
User name and Password for the login prompt.
c. To assign an IP address, subnet mask, and gateway IP address manually,
select Manually Assign and then enter the settings in the appropriate
fields.
6. Select Finish.
If you leave the Launch web browser for further configuration check
box selected (the default), Quick Start opens your Web browser and displays
the Username and Password dialog box, as shown in Figure 3-7 on page 3-9.
If you clear the Launch web browser for further configuration check
box, you must start your Web browser manually when Quick Start exits. For
more information on logging in manually, see “Logging on and Setting the
System IP Address” on page 3-9.
To verify that your configuration is correct, follow the steps described in “Testing
the Configuration” on page 3-19.

CONFIGURING VIA THE WEBUI
You can also perform the initial configuration through a Web browser without the
NetScreen-5XP Quick Start disk. To do this, you need to change the IP address of
the management workstation to the same subnet as the NetScreen-5XP default
System IP address.

Then after making an Ethernet connection to the NetScreen-5XP, you can log on
through a Web browser. The section “Logging On and Setting the System IP
Address” on page 3-23 details this procedure.

Refer to Table 3-1 for administration requirements. For further
information regarding levels of administration, see the “NetScreen
Concepts and Examples ScreenOS Guide”.

Making a Connection
Before you begin, be sure you connected the NetScreen-5XP hardware to the
network as outlined in “Connecting the NetScreen-5XP to the Network” on page
2-1.

Logging on and Setting the System IP Address
For remote administration of the NetScreen device over a network connection, you
must change the system IP address. The NetScreen-5XP ships from the factory
with a default IP address of 192.168.1.1. To change this to an address on the same
subnet as the other network devices to which the NetScreen-5XP is connected,
perform the following procedure:

1. Record your workstation’s IP address and subnet mask. You must re-enter
them later in this process.

Note: To find your workstation IP address: Start>>Settings>>Control
Panel>>Network>>Configuration, select TCP/IP and then click Properties.

2. Change the IP address of the workstation to 192.168.1.2 and the netmask to
255.255.255.0. (You might have to restart the workstation for these
changes to take effect.)

Note: For Windows NT users, ensure that you are logged on to the
workstation as an administrator.

3. Start your Web browser.


4. In the URL field of the browser, enter the IP address of the NetScreen-5XP:
http://192.168.1.1.
The Enter Network Password dialog box appears, as shown in Figure 3-7 on
page 3-9.

Figure 3-7 Enter Network Password Dialog Box

5. In the dialog box, type netscreen for both the Username and Password, and
then click OK.

Note: The Username and Password are case-sensitive. After configuring the
NetScreen device for the first time, change the default Username and
Password.

Warning Because the default Username and Password are easily guessed, it is
strongly recommended that you change them as quickly as possible.

An IP Address Configuration dialog box, as shown in Figure 3-8 on page 3-10,
is displayed for first-time configuration.

Figure 3-8 Initial IP Address Configuration

6. Enter a new System IP address and netmask for the NetScreen-5XP, and
then click OK to save your settings.

Note: The IP address must be a valid and available IP address on your local
network, and the subnet mask must be an appropriate value for your local
network.

The Configuring in Progress screen appears, as shown in Figure 3-9 on
page 3-11.

Figure 3-9 Configuring in Progress Screen

7. Reconfigure your administration workstation IP address to the original
settings that you recorded in the first step. Depending on the operating
system, you might have to restart your workstation.
Once the IP configuration is complete, you must log on again.
8. When the Web browser is activated, enter the newly created IP address of
the NetScreen-5XP.
The User name and Password dialog box displays.
9. In the User name and Password dialog box, type netscreen for both the
Username and Password, and then click OK. (Remember that the Username
and Password are case-sensitive.)

To change the default administrator login and Password:

1. Select the Admin button in the menu column to view the Admin page, as
shown in Figure 3-10.

Figure 3-10 The Administration Settings Page

2. For the Local Administrator Name, click Edit under Options. The Admin
User Configuration Menu appears, as in Figure 3-11 on page 3-13.

Figure 3-11 Admin User Configuration Menu

3. Type a new Admin Login Name.

Note: The login name and password must be alphanumeric. The login name
and password are case-sensitive.

4. Type the old password (initially netscreen) in the Old Password field. You
must enter the old password to change to the new password.
5. Type the new password in both the New Password field and the Confirm
New Password field.
6. Record the new administrator login name and password in a secure manner.

Warning Make sure that you record your Password. If you forget it, you must reset the
device to the factory settings to regain access to the device. (See
“Configuration Reset Pinhole” on page 3-26.)

7. Leave the other fields at their default entries, and click the Apply button.
The changes require the NetScreen-5XP to reset, which it automatically does
at this point. Figure 3-12 shows the system message that appears.

Figure 3-12 System Message Display

8. Click the Yes button to confirm your command to reset the system.
The next time you log in, use the new login name and password.

Setting Interface Addresses
Before configuring the interface addresses, decide whether to use NAT or
Transparent mode. The following procedure provides information for configuring
both modes of operation.

Trusted Interface Configuration
1. Click the Interface button in the menu column.
The Interface pages appear, with the Trusted Interface page displayed.

2. Click Edit to open the Trusted Interface Configuration dialog box.

Figure 3-13 Trusted Interface Configuration

3. Enter the following, and then click Save:


• IP Address: Type an IP address for the Trusted interface.
• Netmask: Type an appropriate netmask.
• Default Gateway: Type the IP address of the router—if there is one—
that exists between the Trusted network and the NetScreen-5XP.
4. Select either NAT Mode or Route Mode, and then click Save.

Untrusted Interface Configuration
1. Click the Untrusted tab, and then Edit to open the Untrusted Interface
Configuration dialog box.

Figure 3-14 Untrusted Interface Configuration

2. For the Untrusted Interface Configuration, select one of the following and
click Save and Reset:
• Obtain IP using PPPoE (Point-to-Point Protocol over Ethernet), and enter
the Username and Password.
• Obtain IP using DHCP (Dynamic Host Configuration Protocol).
• Static IP, and enter the following:
  – IP Address: Type the ISP-assigned Untrusted IP address.
  – Netmask: Type an appropriate netmask.
  – Default Gateway: Type the IP address of the external router.

Allowing Outbound Traffic
By default, the NetScreen-5XP does not allow inbound or outbound traffic, nor
does it allow traffic to or from the DMZ. Create access policies to permit specified
kinds of traffic in the direction(s) you want. You can also create access policies to
deny and tunnel traffic.

The following access policy permits all kinds of outbound traffic from any point on
the Trusted network to any point on the Untrusted network. Of course, your
network might require a more restrictive policy. This example is offered only to
illustrate how an access policy is created; it is not presented as a requirement for
an initial configuration.

Figure 3-15 Policy Configuration Menu

Note: For more information on Access Policies, please refer to the NetScreen
Concepts and Examples ScreenOS Reference Guide.

Changing the Administrator Login Name and Password
To change the default login name and password:

1. Select the Admin button in the menu column to view the Admin page.
2. Click Edit in the Options column for the root level administrator netscreen.
3. The Admin User Configuration screen appears, as in Figure 3-16.

Figure 3-16 The Administration Page

4. In the Name field, type a new login name.


5. Type the old password (initially netscreen) in the Old Password field.
6. Type the new password in the New Password field and in the Confirm New
Password field.

Note: The login name and password must be alphanumeric, and are
case-sensitive.

7. Record the new login name and password in a secure manner.

Warning Make sure that you remember your password! If you forget it, you must reset
the device to the factory settings to regain access to the device. (See
“Configuration Reset Pinhole” on page 3-26.)

8. Leave the other fields at their default entries, and click OK.
The changes require the NetScreen-5XP to reset, which it automatically does
at this point. Figure 3-17 shows the system message that appears.

Figure 3-17 System Message Display

9. Click Yes to confirm your command to reset the system.


The next time you log in, use the new login name and password.

Testing the Configuration
Use a Web browser to access an external Web site (for example,
www.netscreen.com). You should be able to locate the site and access the available
Web pages.

If you cannot access the Web site, check the following:

• Link lights on the NetScreen-5XP, workstations, hubs, and the router are
glowing.
• The workstation IP and Netmask have the correct settings.
• The workstation gateway points to the router.
• The workstation has a valid DNS entry.

Configuration Reset
When the user presses the reset button, the NetScreen-5XP resets and boots up
using the original factory default configuration. All existing configuration
settings are lost, the firewall and VPN service are rendered inoperative, and an
“alert SNMP trap” message is sent to the administrator.
Please refer to “Configuration Reset Pinhole” on page 3-26 for more information.

Note: After successfully resetting and reconfiguring the NetScreen-5XP, it is
strongly advised to back up the new configuration settings, as shown in “Backup
Configuration Settings” on page 3-20.

Backup Configuration Settings
Through the WebUI, you can download the configuration settings of the
NetScreen-5XP to any local directory as a backup precaution.

Download Configuration
1. Click Admin in the menu column, click the Settings tab, and then click the
Save Current Configuration option, as shown in Figure 3-18.

Figure 3-18 Administration Settings Menu

The Download File dialog box appears, as shown in Figure 3-19.


2.

Figure 3-19 File Download Dialog Box

3. Click Save and browse to the location where you want to keep the
configuration file.

Note: For further information regarding uploading and downloading of
configuration settings, see the NetScreen Concepts & Examples ScreenOS
Reference Guide.

CONFIGURING VIA THE CLI
The following section provides information on how to configure the device using
the command line interface (CLI).

Note: For further information regarding using the command line interface, see
the NetScreen Command Line Interface Reference Guide.

Making a Connection
You can access the CLI either by connecting directly via a console (or serial)
cable or over the network via Telnet. Connection instructions are offered for both
methods.

Refer to Table 3-1 on page 3-2 for administration requirements.

Connecting via the Console Port
You need direct access to the NetScreen device you want to configure and the
following items before you start:

• An RS-232 male-to-female serial cable
• Microsoft Hyperterminal software on the management workstation (or, if
you are using a different operating system, a VT100 terminal emulator)

Follow these steps to connect the NetScreen device to the workstation:

1. Connect the serial cable from the management workstation to the serial port
on the NetScreen-5XP.
2. Start the terminal emulator on the workstation.
3. To create a new connection, type a name, select an icon, and then click OK.
The Connect To dialog box appears.
4. Select the workstation serial port to which the serial cable is connected,
and click OK. The COM1 Properties dialog box appears.
5. Configure the port settings as follows, and then click OK.
– Serial communications 9600 bps
– 8 bit, no parity
– 1 stop bit
– no flow control
6. Press ENTER to see the login prompt.

Connecting via Telnet
Telnet operates over TCP/IP networks. It allows you to configure the device using
the command line interface (CLI).

Before you begin, be sure you connected the NetScreen-5XP to the network as
outlined in “Connecting the NetScreen-5XP to the Network” on page 2-1.

1. Establish a Telnet connection to the NetScreen device.


2. For Host name, type: 192.168.1.1.

Note: Select vt100 for Terminal type.

Logging On and Setting the System IP Address
To manage the NetScreen device over a network connection, you must change the
system IP address from its default (192.168.1.1) to one that is appropriate for your
network. To log on and change the system IP address, enter the following
commands, where <a.b.c.d> is the new system IP address and <A.B.C.D> is the
netmask:

1. At the login prompt, type netscreen.


2. At the Password prompt, type netscreen.
3. At the command line prompt, type set admin sys-ip <a.b.c.d>
The system IP address can be 0.0.0.0, or the same as the trusted interface IP
address.
4. At the command line prompt, type save

Note: The Username and Password are case-sensitive.

Setting Interface Addresses
The NetScreen-5XP ships with all its interface addresses and netmasks set as
0.0.0.0. If you want to operate the NetScreen-5XP in Transparent mode, leave the
trusted, untrusted, and tunnel interface addresses as they are.

To operate the NetScreen-5XP in NAT mode or Route mode, you must also
configure the trusted and untrusted interface addresses.

To set the interface addresses, enter the following commands, where <a.b.c.d> are
the interface IP addresses and <A.B.C.D> is the netmask:

1. ns-> set interface trust ip <a.b.c.d> <A.B.C.D>


2. ns-> set interface untrust ip <a.b.c.d> <A.B.C.D>
3. ns-> save

Allowing Outbound Traffic
By default, the NetScreen-5XP does not allow inbound or outbound traffic, nor
does it allow traffic to or from the DMZ. You need to create access policies to
permit specified kinds of traffic in the direction(s) you want. (You can also create
access policies to deny and tunnel traffic.)

The following access policy permits all kinds of outbound traffic from any point on
the trusted network to any point on the untrusted network. Of course, your
network might require a more restrictive policy. The following is offered to
illustrate how an access policy is created; it is not presented as a requirement for
an initial configuration:

1. ns-> set policy outgoing "inside any" "outside any" any permit
2. ns-> save

Changing the Administrator Login Name and Password
Because all NetScreen-5XP devices come with the same default login name and
password, you should change this information immediately after you install the
device.

Caution The information in this guide has been widely published, and failure to change the
defaults might expose your system to attack.

At the command line enter:


1. ns-> set admin name <name>
2. ns-> set admin password <password>
3. ns-> save
4. Record the new login name and password in a secure manner.

Warning Make sure that you remember your password! If you forget it, you must reset the
device to the factory settings to regain access to the device. (See “Configuration
Reset Pinhole” on page 3-26.)

Testing the Configuration
Use a Web browser to access an external Web site (for example,
www.netscreen.com). The browser should be able to locate the site and access the
available Web pages.

If the browser cannot access the Web site, check that:

• The link lights on the NetScreen-5XP, workstations, hubs, and the router are
glowing.
• The workstation IP and Netmask have the correct settings.
• The workstation gateway points to the router.
• The workstation has a valid DNS entry.

Configuration Reset
When the user presses the reset button, the NetScreen-5XP resets and boots up
using the original factory default configuration. All existing configuration
settings are lost, the firewall and VPN service are rendered inoperative, and an
“alert SNMP trap” message is sent to the administrator.
For further information, see “Configuration Reset Pinhole” on page 3-26.

Note: After successfully resetting and reconfiguring the NetScreen-5XP, it is
strongly advised to back up the new configuration settings, as shown in “Backup
Configuration Settings” on page 3-20.

Backup Configuration Settings
It is good practice to back up your settings after every significant change you
make. Through the CLI, you can download the configuration to any TFTP server.

At the command line, enter the following command:

ns-> save config to {tftp <a.b.c.d>} <filename>
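
A saved backup is a convenient place to confirm that the factory values this chapter tells you to change are really gone. The following Python audit is an added example, not NetScreen code; it assumes the backup file holds the same "set" commands typed in this chapter, and the sample backups, the fwadmin01 name and the http service name are constructed.

```python
import shlex

DEFAULT_ADMIN = "netscreen"      # factory login name stated in this guide
DEFAULT_SYS_IP = "192.168.1.1"   # factory System IP stated in this guide

# Constructed sample backups. Assumption: the saved file holds the same
# "set" commands this chapter types at the ns-> prompt.
SAMPLE_BACKUP = """\
set admin name netscreen
set admin sys-ip 192.168.1.1
set interface trust ip 10.1.1.1 255.255.255.0
set interface untrust ip 203.0.113.10 255.255.255.248
set policy outgoing "inside any" "outside any" any permit
"""
HARDENED_BACKUP = """\
set admin name fwadmin01
set admin sys-ip 10.1.1.1
set interface trust ip 10.1.1.1 255.255.255.0
set policy outgoing "inside any" "outside any" http permit
"""


def tokenize(text):
    """Return one token list per 'set' command; quoted names stay whole."""
    commands = []
    for raw in text.splitlines():
        # Typographic quotes from copy/paste become plain double quotes.
        line = raw.strip().replace("\u201c", '"').replace("\u201d", '"')
        if line.startswith("ns->"):          # tolerate a pasted CLI prompt
            line = line[len("ns->"):].strip()
        try:
            tokens = shlex.split(line)
        except ValueError:                   # unbalanced quote: split naively
            tokens = line.split()
        if len(tokens) >= 3 and tokens[0].lower() == "set":
            commands.append(tokens)
    return commands


def is_any(name):
    """True for 'any' and for address names such as 'inside any'."""
    return name.lower().split()[-1:] == ["any"]


def audit(text):
    """Return (code, detail) findings for settings left at risky values.

    A backup with no admin name or sys-ip line is treated as still using
    the factory value. The admin password is not examined, because this
    guide does not describe how it is stored in a backup.
    """
    admin_name, sys_ip, policy_findings = DEFAULT_ADMIN, DEFAULT_SYS_IP, []
    for t in tokenize(text):
        section, item = t[1].lower(), t[2].lower()
        if section == "admin" and item == "name" and len(t) > 3:
            admin_name = t[3]
        elif section == "admin" and item == "sys-ip" and len(t) > 3:
            sys_ip = t[3]
        elif section == "policy" and len(t) >= 7:
            direction, src, dst, service, action = t[2:7]
            if (action.lower() == "permit" and is_any(src)
                    and is_any(dst) and is_any(service)):
                policy_findings.append(
                    ("permit-any-any", f"{direction}: {src} -> {dst}"))
    findings = []
    if admin_name == DEFAULT_ADMIN:          # login names are case-sensitive
        findings.append(("default-admin-name", admin_name))
    if sys_ip == DEFAULT_SYS_IP:
        findings.append(("default-sys-ip", sys_ip))
    return findings + policy_findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_BACKUP):
        print(f"{code}: {detail}")
```
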

CONFIGURATION RESET PINHOLE
To restore the NetScreen-5XP’s original factory default configuration, the user
resets the device by pressing the configuration reset pinhole.

Warning Resetting the device will delete all existing configuration settings, and the
firewall and VPN service will be rendered inoperative.

Figure 3-20 NetScreen-5XP with Configuration Reset Pinhole

Two pushes of the pinhole are required for the configuration and hardware reset,
with a short delay between the two pushes.

Figure 3-21 NetScreen-5XP Configuration Reset LEDs

To reset the NetScreen-5XP device to its factory settings:

1. Push the reset hole for between four and six seconds.
If the hardware reset switch is sensed, a serial console message states that
the “Configuration Erasure Process has been initiated.” An SNMP/SYSLOG
alert is sent. The status LED blinks amber once every second.

2. Wait for one-half second to two seconds.
After the first push is accepted, the power LED blinks green to indicate
that the unit is now waiting for the second push. The serial console
message now reads, “Waiting for 2nd confirmation”.
3. Push the reset hole again for four to six seconds.
The following sequence of events occurs:
– The power LED blinks red for at least five seconds. Then the device
resets to its original factory settings.
– When the device resets, the Status LED turns amber for one-half
second and then returns to its normal mode of operation. The serial
console message states, “Configuration Erase sequence accepted, unit
reset”.
– Alerts, SNMP, SYSLOG, and Reset Log messages are generated.

Note: During a reset, there is no guarantee that the final SNMP alert
sent to the receiver before the reset will be received.

– The device reboots.


If the complete sequence is not followed, the reset process cancels without
any configuration change. The serial console message states, “Configuration
Erasure Process aborted”. The status LED returns to blinking green. If the
unit does not reset, an SNMP Alert is sent, confirming the failure.
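
Because a completed reset returns the unit to its factory settings, the console messages quoted in this procedure are worth watching for in a logged serial session. The following Python sketch is an added example, not NetScreen code; it assumes the terminal emulator logs each console line with a timestamp prefix, and the capture shown is constructed.

```python
# Serial-console messages quoted in the reset procedure above.
MESSAGES = [
    ("initiated", "Configuration Erasure Process has been initiated"),
    ("waiting", "Waiting for 2nd confirmation"),
    ("accepted", "Configuration Erase sequence accepted, unit reset"),
    ("aborted", "Configuration Erasure Process aborted"),
]

SEVERITY = {
    "reset": "critical",              # unit is back on factory settings
    "reset-partial-log": "critical",  # reset seen, earlier steps not logged
    "aborted": "warning",             # pinhole pressed, configuration kept
    "incomplete": "warning",          # no end state seen for this attempt
}

# Constructed capture; the timestamp prefix is an assumed logging format.
SAMPLE_CAPTURE = """\
2001-03-14 02:11:07 Configuration Erasure Process has been initiated.
2001-03-14 02:11:09 Waiting for 2nd confirmation
2001-03-14 02:11:31 Configuration Erasure Process aborted
2001-03-14 02:15:40 Configuration Erasure Process has been initiated.
2001-03-14 02:15:42 Waiting for 2nd confirmation
2001-03-14 02:15:49 Configuration Erase sequence accepted, unit reset
2001-03-14 09:02:13 Configuration Erasure Process has been initiated.
"""


def classify(line):
    """Map one console line to a reset event name, or None."""
    low = line.lower()
    for event, text in MESSAGES:
        if text.lower() in low:
            return event
    return None


def reset_attempts(capture):
    """Group console lines into reset attempts and label each outcome."""
    attempts, current = [], None

    def close(outcome):
        nonlocal current
        if current is not None:
            current["outcome"] = outcome
            attempts.append(current)
            current = None

    for number, line in enumerate(capture.splitlines(), start=1):
        event = classify(line)
        if event is None:
            continue
        if event == "initiated":
            close("incomplete")       # earlier attempt never reached an end
            current = {"line": number, "steps": [event]}
            continue
        if current is None:           # capture began in mid-sequence
            current = {"line": number, "steps": []}
        current["steps"].append(event)
        if event == "accepted":
            full = current["steps"] == ["initiated", "waiting", "accepted"]
            close("reset" if full else "reset-partial-log")
        elif event == "aborted":
            close("aborted")
    close("incomplete")               # capture ended while an attempt was open
    return attempts


def alerts(capture):
    """Return (first line number, severity, outcome) per reset attempt."""
    return [(a["line"], SEVERITY[a["outcome"]], a["outcome"])
            for a in reset_attempts(capture)]


if __name__ == "__main__":
    for line_no, severity, outcome in alerts(SAMPLE_CAPTURE):
        print(f"line {line_no}: {severity}: {outcome}")
```
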

Appendix A
Safety Recommendations and Warnings
When using the NetScreen-5XP, follow these safety guidelines:

• Make sure that the work area is dry and without excess humidity.
• Keep the chassis area clear and dust-free during and after installation.
• Disconnect all power supply connections before changing the Ethernet or
serial port connection.
• Never assume that power is disconnected from a circuit. Always check.

BEFORE SUPPLYING POWER
Check these safety items before providing power to the NetScreen-5:

• Look carefully for possible hazards in the work area, such as moist floors,
ungrounded power extension cables, and missing safety grounds.
• Locate the emergency power-off switch for the room where you are working.

Do not perform any action that creates a potential hazard to people or makes the
equipment unsafe. Do not stack or balance the equipment on other devices to
avoid tipping over and to allow air circulation. Make sure the installation is
securely in place.

Ensure you adhere to all safety warnings.

SAFETY WARNINGS
Make sure that you adhere to the following set of safety warnings.

Installation Warning

Caution Read the cabling instructions before connecting the NetScreen-5XP to its power
source.

Power Disconnection Warning

Warning Before working on a device that has an On/Off switch, turn OFF the power and
unplug the power cord.

No User Serviceable Parts Warning

Warning The NetScreen-5XP contains no user-serviceable parts and is housed in a
tamper-proof enclosure. Therefore, the chassis should never be opened under any
circumstances. Doing so will also void the warranty.

Circuit Breaker Warning

Caution The NetScreen-5XP relies on the building’s installation for short-circuit (over-
current) protection. Ensure that a fuse or circuit breaker no larger than 120 VAC,
15A U.S. (240 VAC, 10A international) is used on the phase conductor (all current-
carrying conductors).

SELV Circuit Warning

Warning The Ethernet 10BaseT, 100BaseT, serial, console, and auxiliary ports contain
safety extra-low voltage (SELV) circuits. Do not connect the NetScreen-5XP to a
telephone line or any Telco line (e.g., T-1, T-3, RJ-48 lines).

Lightning Activity Warning

Danger Do not work on the device, and in particular do not connect or disconnect
cables, during periods of lightning activity, as the unit can function as a conduit.

Lithium Battery Warning

Warning There is a danger of explosion if the battery is incorrectly replaced. The chassis
should never be opened under any circumstances. Doing so will also void the
warranty. Return the device to the manufacturer for battery replacement.

Product Disposal Warning

Warning Ultimate disposal of this product should be handled according to all national laws
and regulations.

GENERAL SITE REQUIREMENTS
This section describes the requirements your site must meet for the safe
installation and operation of your system. Ensure that your site is properly
prepared before beginning the hardware installation.

Site Environment
The NetScreen-5XP can be placed on a desktop. Equipment placed too close
together will cause inadequate ventilation, besides rendering areas of the device
inaccessible for system maintenance during any system malfunctions and
shutdowns.

When planning your site layout and equipment locations, follow the precautions
described in the next section to help avoid equipment failures and reduce the
possibility of environmentally caused shutdowns. If you are experiencing
shutdowns or unusually high errors with your existing equipment, these
precautions may help you isolate the cause of the failures and prevent future
problems.

Preventive Site Precautions
The following precautions will help you plan an acceptable operating environment
for your NetScreen-5XP and will help you avoid environmentally caused
equipment failures:

• Electrical equipment generates heat. Natural air temperature might not be
sufficient to cool equipment to acceptable operating temperatures without an
additional circulation system. Ensure that the room in which you operate
your system has adequate air circulation.
• Do not work alone if potentially hazardous conditions exist.
• Never assume that the power supply has been disconnected from a circuit.
Always check.
• Look carefully for possible hazards in your work area, such as moist floors,
ungrounded power extension cables, frayed power cords, and missing safety
grounds.

Power Supply Considerations
Check the power at your site to ensure that you are receiving “clean” power (free
of spikes and noise). Install a power conditioner if necessary.

Environmental Requirements
The NetScreen-5XP is intended for use in a normal office environment. For more
extreme conditions, verify that temperature, humidity, and power conditions meet
the specifications indicated in the table below:

Environmental Requirements

Item                Operating Specification
Temperature         32-122°F, 0-50°C
Relative humidity   5-90%, non-condensing: for storage
                    10-90%, non-condensing: for operation
Voltage             90-264 VAC
Input frequency     47-63 Hz
AC input current    1.5A (120VAC), 1.5A (240VAC)
Altitude            0-12,000 feet, 0-3,660 meters

BSMI Labeling Requirement
The Bureau of Standards Metrology and Inspection (BSMI) is an agency of the
government of China (Taiwan), which requires the following label on technological
equipment:
