Screen OS

  • 1.  some queries

    Posted 07-15-2008 03:22

    Dear All

     

    Would anybody explain the comparison between the following?

     

    1) root administrator VS VSYS Administrator 

    2)  PCMCIA Card
         Internal Flash
         Compact Flash Card
         NVRAM



  • 2.  RE: some queries

    Posted 07-15-2008 05:46

    Hi,

     

    I am not quite sure what you are looking for here but if I guess it right the following should help:

     

    1) root administrator VS VSYS Administrator

     

    A NetScreen device can only have one root user. However, it is possible to create the following types of user:

     

    Root System Read/Write User

     

    An administrator with Read/Write privileges has the same level of privilege as root, but cannot add, modify or remove other administrative users.

     

    Root System Read Only User

     

    The Read-Only administrator has only view privileges using the WebUI, and can only issue the get and ping CLI commands.

     

    Virtual System Read/Write Users 

     

    Virtual system administrators manage independent virtual systems (through the CLI or WebUI) and have the following privileges on each virtual system they administer:


    Creates and edits auth, IKE, L2TP, XAuth, and Manual Key users
    Creates and edits services
    Creates and edits policies
    Modifies the virtual system administrator login password
    Creates and manages security zones
    Adds and removes virtual system read-only administrators
    Creates and edits addresses
    Creates and edits VPNs

     

    Virtual System Read Only Users

     

    A virtual system read-only administrator has the same privileges as a read-only administrator, but only within a specific virtual system. 

     

    2)  PCMCIA Card
         Internal Flash
         Compact Flash Card
         NVRAM

     

    Juniper firewalls keep long-term storage in flash memory.

     

    Flash memory is a non-volatile memory that retains information after the system is turned off. Some devices have a Compact Flash (CF) or Secure Digital (SD) card slot, or a universal serial bus (USB) port for external storage, which is also flash memory, but removable.

     

    The internal flash is not removable. The devices also contain random access memory (RAM), a volatile type that is cleared whenever the system is powered off or reset. When the Juniper device powers on, and after the power-on self test (POST) is completed, the ScreenOS image is loaded into RAM.

     

    After ScreenOS is up and functional, it loads the saved configuration file from its flash memory. Any configuration stored in RAM is called the running configuration. Whenever a change is made to the configuration, it is always saved to the running configuration. If you make changes but fail to save them, the device reverts to the last saved configuration whenever you reset or reboot.

     

    When using the CLI, your configuration must be manually saved. This is done by using the save command.

     

    Regards

     

    Gavrilo 

     

     



  • 3.  RE: some queries

    Posted 07-15-2008 10:46

    Hi Gavrilo

     

    Thanks for your explanation. I am very clear about the memory concepts, but I am still confused about root administrator and VSYS administrator. If I have one and only one root user in my firewall that has the authority to create users and reset the device to factory default, which the other read/write users don't have, then how can we distinguish between root admin and VSYS admin? If I cite the configuration for my firewall, I have the following logins:

     

    root user

    Awan      read/write

    Alfered    read/write

    John       read only

     

    So how can we distinguish between these?

     

     

    Thanks

     



  • 4.  RE: some queries

    Posted 07-15-2008 11:28

    A VSYS admin is an administrator for a virtual system. A virtual system is a concept on high end firewalls whereby you can separate the system into multiple virtual systems each with its own administrative domain. So a VSYS admin can only manage whatever is within his virtual system. The root admin on the other hand can manage the device at root level including VSYS level.

     

    Hope this is more clear.

    -Richard



  • 5.  RE: some queries

    Posted 07-15-2008 20:53

    Hi

     

    So from the above users configured on my side, can we say that the root user is the "root Admin" while the other users "Awan, John, Alfered" are VSYS admin users?



  • 6.  RE: some queries
    Best Answer

    Posted 07-16-2008 02:03

    Not from what you have printed here.

     

    A VSYS is a bit like a VMWare Server in that it is a single box running multiple Firewalls sharing the same Firewall Interfaces. What you have, by the look of it, is as follows:

     

    root user

    Awan      read/write           Root System Read/Write User

    Alfered    read/write           Root System Read/Write User

    John       read only             Root System Read Only User  

     

    I would guess you are either not running VSYS on your Firewall or have not included the details here.

     

    Regards

     

    Gavrilo 
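    To make the distinction discussed in posts 2, 4 and 6 concrete, here is an added illustrative model (not ScreenOS code or output) of the five admin types and the scope each one can act in. Action names, role labels and the sample account list are constructed for the example; only the privilege rules come from the thread.

```python
from dataclasses import dataclass
from typing import Optional

# Added model of the ScreenOS admin roles described in this thread.
# Role names and action names are constructed for illustration.
ROOT, ROOT_RW, ROOT_RO, VSYS_RW, VSYS_RO = (
    "root", "root-rw", "root-ro", "vsys-rw", "vsys-ro")

# What a vsys read/write admin may do inside its own virtual system
# (the privilege list from post 2); anything else needs root scope.
VSYS_RW_ACTIONS = {"policy", "address", "service", "zone", "vpn",
                   "auth-user", "own-password", "add-vsys-ro-admin"}
# Read-only admins may only view: 'get' and 'ping' on the CLI.
READ_ONLY_ACTIONS = {"get", "ping"}
# Adding, modifying or removing admin accounts is reserved to root itself.
ADMIN_MGMT = {"manage-admins", "add-vsys-ro-admin"}

LABELS = {ROOT: "Root User", ROOT_RW: "Root System Read/Write User",
          ROOT_RO: "Root System Read Only User",
          VSYS_RW: "Virtual System Read/Write User",
          VSYS_RO: "Virtual System Read Only User"}

@dataclass(frozen=True)
class Admin:
    name: str
    role: str
    vsys: Optional[str] = None   # None: root-level account, no vsys scope

def label(admin: Admin) -> str:
    """Name the account type the way the best answer in this thread does."""
    return LABELS[admin.role]

def can(admin: Admin, action: str, vsys: Optional[str] = None) -> bool:
    """True if admin may perform action in vsys (None = the root system)."""
    if admin.role == ROOT:
        return True                          # root manages root and every vsys
    if admin.role == ROOT_RW:
        return action not in ADMIN_MGMT      # like root, minus admin management
    if admin.role == ROOT_RO:
        return action in READ_ONLY_ACTIONS   # view only, in any scope
    if vsys is None or vsys != admin.vsys:
        return False                         # vsys admins never leave their vsys
    if admin.role == VSYS_RW:
        return action in VSYS_RW_ACTIONS | READ_ONLY_ACTIONS
    return action in READ_ONLY_ACTIONS       # VSYS_RO

# Constructed sample: the accounts the asker listed (no vsys configured)
# plus one vsys read/write admin to show the difference.
ACCOUNTS = [Admin("root", ROOT), Admin("Awan", ROOT_RW),
            Admin("Alfered", ROOT_RW), Admin("John", ROOT_RO),
            Admin("cust1-admin", VSYS_RW, vsys="vsys1")]

def who_can(action: str, vsys: Optional[str] = None) -> list:
    """Names of the sample accounts allowed to perform action in vsys."""
    return [a.name for a in ACCOUNTS if can(a, action, vsys)]
```

    Running `who_can("policy")` versus `who_can("policy", "vsys1")` shows why the asker's four accounts are all root-system users: none of them is confined to a virtual system.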



  • 7.  RE: some queries

    Posted 07-30-2008 07:08

    Hi,

     

    You need to be aware you have to have the right license and appliance to run a VSYS as some don't support it.

     

    A VSYS allows you to partition or split a device into several virtual systems. Each virtual system can have a completely separate management domain to provide a virtual firewall. It's very like Check Point VSX running on Crossbeams and tends to be used at Enterprise level, e.g. an ISP who has many customers each wanting to manage their own Firewall. The ISP then buys a Crossbeam or Juniper, runs VSX or ScreenOS with VSYS and creates multiple Firewalls on the box. This saves a hell of a lot of money on hardware costs, although you get a big initial cost and increased complexity, hence only the "big boys" seem to use it.

     

    Finally, if you are taking the JNCIS-FWV I would recommend getting Jason Ha's Study Guide, even though it is a bit out of date, and also a copy of Syngress - Juniper Networks, Netscreen and SSG Firewalls, which you will find invaluable for the exam and your job. The exam is not that bad if you give yourself time to think, i.e. mark the longer and more complex questions for later in the exam; it was certainly not as hard as CCSA and a lot easier than CCSE.

     

    If you get stuck for copies, email me.

     

    Regards

     

    Gavrilo 



  • 8.  RE: some queries

    Posted 07-18-2008 21:02

    Hi Gavrilo

     

    Thanks for the help. Yes, you are right, right now I am using only one root as "VSYS". Could you please brief me under which conditions/circumstances we create or use VSYS on a firewall? Thanks



  • 9.  RE: some queries

    Posted 07-23-2008 18:04

    Hi,

     

    You use virtual systems when you want to create multiple firewall instances on one physical device, like having lots of separate firewalls in one. An example might be that you're a hosting company with one internet connection but lots of different customer networks sitting behind the one firewall. Each customer wants to be able to have access to the firewall to create their own policies and VPNs. This would not be good if you had just one physical firewall that wasn't virtualized, as each customer would be able to see every other customer's policies and change them.

     

    By creating VSYS on the firewall you can have one physical device but a separate virtual firewall for each customer, so they only see their own policies, VPNs, routing and so on.

     

    Hope this explains it a bit better. There are lots more uses for it, but that is the general concept.

     

    Regards

     

    Andy



  • 10.  RE: some queries

    Posted 07-23-2008 20:48

    Hi Andy

     

    Thank you so much for your explanation. I have JNCIA-FWV with 90% and now I am preparing for JNCIS-FWV. I shall come up with some questions if I get confused with those concepts. I am using a single root VSYS in my organization, but I have a couple of spare devices, so I will use them for test purposes by creating multiple VSYS. Thanks once again.

     

     

     



  • 11.  RE: some queries

    Posted 07-30-2008 07:28

    Hi

     

    Thanks for the guidance. I have the Syngress book and I am studying and getting help from it, but I don't have the other suggested book. If you have a soft copy, please send it to me or guide me to where I can get this book.

     

     

    regards,