Cheatsheet: Difference between revisions
No edit summary |
Line 3: | Line 3: | ||
<br /> |
<br /> |
||
= ARP vs MAC Table = |
|||
<center> |
|||
{| class="wikitable" |
|||
|- |
|||
! ARP Table !! MAC Table (or CAM Table) |
|||
|- |
|||
| Layer3 address to Layer2 address resolution || Layer2 address to Interface binding |
|||
|- |
|||
| Matches IP addresses to MAC addresses || Maps Ports to MAC addresses |
|||
|- |
|||
| Needed to forward packets at layer 3 || Used to Switch frames to the right output interface |
|||
|- |
|||
| Kept by L3 devices || Kept only by L2 devices |
|||
|- |
|||
| No entry for dest IP address, machine will send ARP request || If no entry, switch will flood the frame |
|||
|- |
|||
| Default timeout is 4 hours || Default timeout is 5 minutes |
|||
|- |
|||
| Filled by each ARP reply || Filled by source MAC of each frame passing through switch |
|||
|} |
|||
</center> |
|||
<br /> |
|||
= Fragmentation = |
= Fragmentation = |
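Review bot: the removal of the "= ARP vs MAC Table =" section at line 3 is a reorder, not a deletion: the identical table is re-added at the end of the page in the final hunk. Because the revision carries "No edit summary", a reader of the page history cannot tell a move from a loss of content without comparing both hunks, so add a summary along the lines of "move ARP/MAC and VPN tables to end of page". Any wording fixes to the table belong in the hunk that re-adds it, not here.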
||
Line 212: | Line 191: | ||
</div> |
</div> |
||
=VPN Monitor vs DPD vs IKE Heartbeat = |
|||
<br /> |
|||
<center> |
|||
{| class="wikitable" |
|||
|- |
|||
! VPN Monitor !! DPD !! IKE Heartbeat |
|||
|- |
|||
| Juniper Proprietary || RFC Standard || Juniper Proprietary |
|||
|- |
|||
| Work with Non Juniper || Work with Non Juniper || Cannot work with Non Juniper |
|||
|- |
|||
| Uses ICMP || Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) || -- |
|||
|- |
|||
| Goes inside the Phase 2 Tunnel || Goes through Phase 1 Tunnel || -- |
|||
|- |
|||
| Implies VPN is UP || Implies peer is up and responding || Enhancement to detect tunnel availability |
|||
|- |
|||
| Works if supported by one peer only || -- || Both ends must support |
|||
|- |
|||
| Configured in Phase 2 || Configured in Phase 1 || Configured in Phase 1 |
|||
|} |
|||
</center> |
|||
<br /> |
|||
=SRX Architecture= |
|||
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2"> |
|||
;First Path: |
|||
Screens |
|||
Static NAT | Dest NAT |
|||
Route ==> Forwarding Lookup |
|||
Zones |
|||
Policy |
|||
Reverse Static NAT | Source NAT |
|||
Service ALG |
|||
Session |
|||
;Fast Path: |
|||
Screens |
|||
TCP |
|||
NAT |
|||
Service ALG |
|||
</div> |
|||
= ScreenOS = |
|||
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3"> |
|||
*;ScreenOS Flow order |
|||
Sanity Check |
|||
Screening |
|||
Session lookup |
|||
Route Lookup |
|||
Policy lookup |
|||
Session creation |
|||
ARP lookup |
|||
*;Route preference order |
|||
Policy Based Routing |
|||
Source Interface Based Routing |
|||
Source Routing |
|||
Destination Routing |
|||
*;NAT Preference order |
|||
Mapped IP |
|||
Virtual IP |
|||
Policy Based NAT (NAT-Src & NAT-Dst) |
|||
Interface Based NAT |
|||
</div> |
|||
=SYN Flood Protection= |
|||
Threshold = Proxy connections above this limit |
|||
If Syn-cookie is enabled, no sessions established between client & firewall or firewall & server directly |
|||
Alarm Threshold = Alarm/Alert (to log) |
|||
Queue Size = The number of proxied connections held in queue |
|||
After this the firewall starts rejecting new connection requests |
|||
Timeout Value is maximum time before a half-completed connection is dropped from the queue |
|||
The range is 0–50s; default is 20s |
|||
=HTTP Error Codes= |
=HTTP Error Codes= |
||
Line 433: | Line 328: | ||
<br /> |
<br /> |
||
</div> |
</div> |
||
=VPN Monitor vs DPD vs IKE Heartbeat = |
|||
<br /> |
|||
<center> |
|||
{| class="wikitable" |
|||
|- |
|||
! VPN Monitor !! DPD !! IKE Heartbeat |
|||
|- |
|||
| Juniper Proprietary || RFC Standard || Juniper Proprietary |
|||
|- |
|||
| Work with Non Juniper || Work with Non Juniper || Cannot work with Non Juniper |
|||
|- |
|||
| Uses ICMP || Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) || -- |
|||
|- |
|||
| Goes inside the Phase 2 Tunnel || Goes through Phase 1 Tunnel || -- |
|||
|- |
|||
| Implies VPN is UP || Implies peer is up and responding || Enhancement to detect tunnel availability |
|||
|- |
|||
| Works if supported by one peer only || -- || Both ends must support |
|||
|- |
|||
| Configured in Phase 2 || Configured in Phase 1 || Configured in Phase 1 |
|||
|} |
|||
</center> |
|||
<br /> |
|||
=SRX Architecture= |
|||
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2"> |
|||
;First Path: |
|||
Screens |
|||
Static NAT | Dest NAT |
|||
Route ==> Forwarding Lookup |
|||
Zones |
|||
Policy |
|||
Reverse Static NAT | Source NAT |
|||
Service ALG |
|||
Session |
|||
;Fast Path: |
|||
Screens |
|||
TCP |
|||
NAT |
|||
Service ALG |
|||
</div> |
|||
= ScreenOS = |
|||
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3"> |
|||
*;ScreenOS Flow order |
|||
Sanity Check |
|||
Screening |
|||
Session lookup |
|||
Route Lookup |
|||
Policy lookup |
|||
Session creation |
|||
ARP lookup |
|||
*;Route preference order |
|||
Policy Based Routing |
|||
Source Interface Based Routing |
|||
Source Routing |
|||
Destination Routing |
|||
*;NAT Preference order |
|||
Mapped IP |
|||
Virtual IP |
|||
Policy Based NAT (NAT-Src & NAT-Dst) |
|||
Interface Based NAT |
|||
</div> |
|||
=SYN Flood Protection= |
|||
Threshold = Proxy connections above this limit |
|||
If Syn-cookie is enabled, no sessions established between client & firewall or firewall & server directly |
|||
Alarm Threshold = Alarm/Alert (to log) |
|||
Queue Size = The number of proxied connections held in queue |
|||
After this the firewall starts rejecting new connection requests |
|||
Timeout Value is maximum time before a half-completed connection is dropped from the queue |
|||
The range is 0–50s; default is 20s |
|||
= ARP vs MAC Table = |
|||
<center> |
|||
{| class="wikitable" |
|||
|- |
|||
! ARP Table !! MAC Table (or CAM Table) |
|||
|- |
|||
| Layer3 address to Layer2 address resolution || Layer2 address to Interface binding |
|||
|- |
|||
| Matches IP addresses to MAC addresses || Maps Ports to MAC addresses |
|||
|- |
|||
| Needed to forward packets at layer 3 || Used to Switch frames to the right output interface |
|||
|- |
|||
| Kept by L3 devices || Kept only by L2 devices |
|||
|- |
|||
| No entry for dest IP address, machine will send ARP request || If no entry, switch will flood the frame |
|||
|- |
|||
| Default timeout is 4 hours || Default timeout is 5 minutes |
|||
|- |
|||
| Filled by each ARP reply || Filled by source MAC of each frame passing through switch |
|||
|} |
|||
</center> |
|||
<br /> |
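Review bot: in the re-added VPN Monitor table the DPD cell in "| Uses ICMP || Uses ICMP(encrypted IKE Phase 1 message(R-U-THERE)) || --" contradicts itself: DPD (RFC 3706) exchanges IKE notify payloads (R-U-THERE / R-U-THERE-ACK) protected by the Phase 1 SA and does not use ICMP, so the middle cell should read "Uses IKE notify messages (R-U-THERE / R-U-THERE-ACK)"; only VPN Monitor probes with ICMP. Two smaller points in the same hunk: "| Work with Non Juniper || Work with Non Juniper || Cannot work with Non Juniper |" should read "Works with non-Juniper peers" in the first two cells, and in the ARP table the row "| Kept by L3 devices || Kept only by L2 devices |" overstates the second column, since a multilayer switch keeps both an ARP table and a MAC table; "Kept by switches (L2 and multilayer)" would be accurate. The timeout row gives vendor defaults (4 hours, 5 minutes) without naming the platform; stating that these are the Cisco IOS defaults would keep them from being read as universal.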