Cheatsheet: Difference between revisions

= ARP vs MAC Table =
<center>
{| class="wikitable"
|-
! ARP Table !! MAC Table (or CAM Table)
|-
| Layer 3 address to Layer 2 address resolution || Layer 2 address to interface binding
|-
| Matches IP addresses to MAC addresses || Maps ports to MAC addresses
|-
| Needed to forward packets at Layer 3 || Used to switch frames to the right output interface
|-
| Kept by L3 devices || Kept only by L2 devices
|-
| If there is no entry for the destination IP address, the host sends an ARP request || If there is no entry, the switch floods the frame
|-
| Default timeout is 4 hours || Default timeout is 5 minutes
|-
| Filled by each ARP reply || Filled by the source MAC of each frame passing through the switch
|}
</center>
<br />
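As an added example (not part of the cheatsheet), a small Python model of the two tables side by side: the CAM table learns from the source MAC of every frame and floods on a miss, the ARP cache is filled only by replies and sends a request on a miss, and each ages out at its default timeout. Ports, MACs and IPs are constructed sample values.

```python
MAC_AGING = 5 * 60           # CAM table default timeout: 5 minutes (seconds)
ARP_AGING = 4 * 60 * 60      # ARP table default timeout: 4 hours (seconds)

class MacTable:
    """Switch side (Layer 2): MAC -> port, learned from the source MAC of every frame."""
    def __init__(self, ports):
        self.ports = set(ports)
        self.entries = {}        # mac -> (port, last_seen)

    def forward(self, now, in_port, src_mac, dst_mac):
        # age out stale entries, then learn/refresh the sender's MAC on the ingress port
        self.entries = {m: v for m, v in self.entries.items() if now - v[1] < MAC_AGING}
        self.entries[src_mac] = (in_port, now)
        hit = self.entries.get(dst_mac)
        if hit is None:          # no entry for the destination: flood all other ports
            return sorted(self.ports - {in_port})
        return [hit[0]]          # known destination: one output port

class ArpCache:
    """Host/router side (Layer 3): IP -> MAC, filled only by ARP replies."""
    def __init__(self):
        self.entries = {}        # ip -> (mac, learned_at)
        self.requests = []       # (time, ip) of ARP requests sent on a miss

    def resolve(self, now, ip):
        hit = self.entries.get(ip)
        if hit and now - hit[1] < ARP_AGING:
            return hit[0]
        self.entries.pop(ip, None)
        self.requests.append((now, ip))   # miss or expired: send an ARP request
        return None

    def on_reply(self, now, ip, mac):
        self.entries[ip] = (mac, now)

def arp_mac_demo():
    sw = MacTable(ports=[1, 2, 3, 4])
    arp = ArpCache()
    # Constructed traffic: host A on port 1 reaches host B on port 3 (sample addresses).
    A, B = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb"
    first = arp.resolve(0, "192.0.2.20")                     # miss -> ARP request sent
    flood = sw.forward(0, 1, A, "ff:ff:ff:ff:ff:ff")          # broadcast request is flooded
    arp.on_reply(1, "192.0.2.20", B)                         # reply fills the ARP cache
    reply_path = sw.forward(1, 3, B, A)                      # switch already learned A
    unicast = sw.forward(2, 1, A, arp.resolve(2, "192.0.2.20"))
    aged = sw.forward(2 + MAC_AGING, 1, A, B)                # B aged out -> flood again
    still_cached = arp.resolve(2 + MAC_AGING, "192.0.2.20")  # ARP entry still valid
    return dict(first=first, flood=flood, reply_path=reply_path, unicast=unicast,
                aged=aged, still_cached=still_cached, arp_requests=len(arp.requests))
```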
 
=VPN Monitor vs DPD vs IKE Heartbeat =
<br />
<center>
{| class="wikitable"
|-
! VPN Monitor !! DPD !! IKE Heartbeat
|-
| Juniper proprietary || RFC standard || Juniper proprietary
|-
| Works with non-Juniper peers || Works with non-Juniper peers || Cannot work with non-Juniper peers
|-
| Uses ICMP || Uses ICMP (encrypted IKE Phase 1 message, R-U-THERE) || --
|-
| Goes inside the Phase 2 tunnel || Goes through the Phase 1 tunnel || --
|-
| Implies the VPN is up || Implies the peer is up and responding || Enhancement to detect tunnel availability
|-
| Works if supported by one peer only || -- || Both ends must support it
|-
| Configured in Phase 2 || Configured in Phase 1 || Configured in Phase 1
|}
</center>
<br />
 
=SRX Architecture=
<div style="column-count:2;-moz-column-count:2;-webkit-column-count:2">
;First Path:
# Screens
# Static NAT | Destination NAT
# Route ==> forwarding lookup
# Zones
# Policy
# Reverse static NAT | Source NAT
# Service ALG
# Session

;Fast Path:
# Screens
# TCP
# NAT
# Service ALG
</div>
 
= ScreenOS =
<div style="column-count:3;-moz-column-count:3;-webkit-column-count:3">
;ScreenOS flow order:
# Sanity check
# Screening
# Session lookup
# Route lookup
# Policy lookup
# Session creation
# ARP lookup

;Route preference order:
# Policy-based routing
# Source interface-based routing
# Source routing
# Destination routing

;NAT preference order:
# Mapped IP
# Virtual IP
# Policy-based NAT (NAT-Src & NAT-Dst)
# Interface-based NAT
</div>
 
=SYN Flood Protection=
;Threshold: Connections above this limit are proxied. If SYN cookie is enabled, no sessions are established directly between client and firewall or between firewall and server.
;Alarm Threshold: Level at which an alarm/alert is raised (logged).
;Queue Size: The number of proxied connections held in the queue; beyond this the firewall starts rejecting new connection requests.
;Timeout: Maximum time before a half-completed connection is dropped from the queue. The range is 0–50 s; the default is 20 s.
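As an added example (not part of the cheatsheet or any vendor code), a Python model of how the four knobs above interact: SYNs under the threshold are forwarded, SYNs above it are proxied and held as half-completed, a full queue rejects new requests, the timeout drops stale half-completed entries, and the alarm threshold records a log event. Class and method names, and the burst trace, are constructed for illustration.

```python
from collections import deque

class SynFloodGuard:
    """Model of the SYN-flood knobs: rate threshold -> proxy, queue size -> reject,
    timeout -> drop half-completed connections, alarm threshold -> log."""
    def __init__(self, threshold, alarm_threshold, queue_size, timeout=20.0):
        self.threshold = threshold              # SYNs/s above which new SYNs are proxied
        self.alarm_threshold = alarm_threshold  # SYNs/s above which an alarm is logged
        self.queue_size = queue_size            # max half-completed (proxied) connections
        self.timeout = timeout                  # seconds a half-completed entry may wait (0-50)
        self._syn_times = deque()               # timestamps of SYNs seen in the last second
        self._queue = {}                        # conn -> time it was proxied
        self.alarms = []                        # (time, rate) records

    def _housekeep(self, now):
        # Drop half-completed connections older than the timeout and slide the 1 s rate window.
        self._queue = {c: t for c, t in self._queue.items() if now - t <= self.timeout}
        while self._syn_times and now - self._syn_times[0] >= 1.0:
            self._syn_times.popleft()

    def on_syn(self, now, conn):
        self._housekeep(now)
        self._syn_times.append(now)
        rate = len(self._syn_times)
        if rate > self.alarm_threshold:
            self.alarms.append((now, rate))
        if rate <= self.threshold:
            return "forward"                    # under threshold: SYN passes to the server
        if len(self._queue) >= self.queue_size:
            return "reject"                     # queue full: new requests are refused
        self._queue[conn] = now                 # proxy the handshake, hold as half-completed
        return "proxy"

    def on_ack(self, now, conn):
        self._housekeep(now)
        return self._queue.pop(conn, None) is not None   # True if the slot was released

    def half_open(self, now):
        self._housekeep(now)
        return len(self._queue)

def syn_flood_demo():
    g = SynFloodGuard(threshold=3, alarm_threshold=5, queue_size=2, timeout=20.0)
    # Constructed burst: eight SYNs within one second, then one ACK, then a late SYN.
    verdicts = [g.on_syn(i / 10, f"c{i}") for i in range(8)]
    acked = g.on_ack(1.0, "c3")                 # c3 completes the handshake; c4 never does
    late = g.on_syn(25.0, "c8")                 # c4 has timed out and the rate is back to 1
    return verdicts, acked, late, len(g.alarms), g.half_open(25.0)
```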
 