Driver Support Document

Juniper (formerly NetScreen) firewalls & VPNs, OS version 2.6.1, 5.x, 6.x


SYSOID Mapping
SYSOID MODEL OS VERSION
 1.3.6.1.4.1.3224.1.1 Generic 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.2 Ns5 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.3 Ns10 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.4 Ns100 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.5 Ns1000 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.6 Ns500 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.7 Ns50 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.8 Ns25 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.9 Ns204 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.10 Ns208 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.11 Ns5XT 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.12 Ns5XP 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.13 Ns5000 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.14 Ns5GT 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.15 HardwareSecurityClient 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.16 ISG-2000 6.2, 6.3
 1.3.6.1.4.1.3224.1.28 ISG-1000 6.1.0r6a.0
 1.3.6.1.4.1.3224.1.29 SSG5 6.2.0r5.0
 1.3.6.1.4.1.3224.1.35 SSG20 6.2.0r1.0
 1.3.6.1.4.1.3224.1.50 SSG520 6.3.0r5.0
 1.3.6.1.4.1.3224.1.51 SSG550 2.6.1, 5.x, 6.x
 1.3.6.1.4.1.3224.1.52 SSG140 6.2.0r6.0
 1.3.6.1.4.1.3224.1.54 SSG320 6.2.0r1.0
 1.3.6.1.4.1.3224.1.55 SSG350M 6.2.0r4.0

Driver Features Support Grid

Driver Features / Access Methods (X signifies feature support)
Access method columns: CLI, SNMP, TFTP, CLI+TFTP, SNMP+TFTP, FTP, CLI+FTP, SNMP+FTP, CLI+SFTP, SCP, CLI+SCP, SNMP+SCP, HTTP/HTTPS
X Driver Discovery   X X                      
X General Access release notes
(CLI protocols: telnet, ssh1, ssh2, console)
X     X                  
Configuration
X Retrieve Running Configuration release notes X     X                  
X Retrieve Startup Configuration   X     X                  
  Retrieve Binary Configuration                            
X Device information parsing  
X Enhanced Layer2 Basic IP information parsing  
X Configuration Deployment to Running release notes X     X                  
X Configuration Deployment to Startup (with reboot)         X                  
  Binary Configuration Deployment                            
Diagnostics
X Routing Table   X                        
  OSPF Neighbors                            
X Interfaces   X                        
X Modules and Inventory   X                        
  Flash Storage Space                            
X File System   X                        
X Uptime     X                      
X ICMP Test   X                        
X Topology Parsing   X                        
X Duplex Parsing   X                        
  Enhanced VLAN Parsing  
Features
X Software Center release notes       X                  
X Software Image Synchronization release notes       X                  
X Password Management release notes
(Can modify: full username, full password, read-only community strings, read/write community strings)
X                        
X Syslog Configuration and Change Detection   Syslog patterns X                        
X Custom Scripts and Diagnostics release notes
Bulk deploy available
X                        
X ACL Parsing  
X ACL Provisioning   X                        
  VLAN Provisioning                            
X Configlet Parsing  
  QoS Parsing  
  VRF Parsing  
  Context Management                            

General Access

Release Notes

NAS may fail to connect if maximum logins exceeded

NetScreen devices allow a maximum of three terminal sessions. If NAS tries to log in when the maximum number of sessions is already established, it will fail to log in to the device. All tasks requiring CLI access, including snapshots, password changes, and configuration deployments, will fail in this case.

SSH connection may fail if additional command is set

On the Netscreen devices it is possible to turn off "SSH Password Authentication" for a user. To disable this feature, enter in the CLI the "set admin scs password enable username $user" command (where $user is the desired username). By default this option is not active.

SSH versions

On the Netscreen you can enable SSH v1 or SSH v2 protocol, but not simultaneously.

Device console timeout value

The device console times out and automatically terminates sessions after 10 minutes of idle time. To prevent the device from closing the CLI session during Software Upgrade tasks, the console timeout should be set to a higher value.

Workaround:

If you want to modify the console timeout to a custom value, you must define the following custom variable:

1. Log in to the system.
2. On the menu bar, select Devices and click Inventory.
3. On the Inventory page, locate the Juniper device.
4. In the Actions column for the Juniper device, click the Edit option.
5. On the Edit Device page, scroll down to the Device Access Settings field.
6. Add the following Custom Setting variable: console_timeout
7. Set the Value: desired timeout in minutes
8. Click the Save Device button.


Custom Scripts and Diagnostics

Release Notes

Command scripts with multiple line banners

Command scripts that set a multiple line banner should be deployed as bulk using TFTP, rather than line-by-line using the CLI. In addition, configuration deployments that have multiple line banners should be executed using TFTP.


Password Management

Release Notes

Managing SNMP Community Strings

The system can add, remove, and modify SNMP community strings; however, they do not become active on the device until the user associates them with a host or a network. The command used for this purpose has the following format:
"set snmp host 'community_name' 'IP_Address/Netmask'"

Managing SNMP Community Strings

When all SNMP community strings are removed and the SNMP community strings then added exceed the maximum number configurable on the device, the fallback mechanism fails to restore the old SNMP community strings, because the maximum number of SNMP community strings has already been reached.
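A pre-deployment check covering both SNMP community notes above, as an added example that is not part of the driver or of NA. It assumes communities are defined with "set snmp community" lines, that the device limit is supplied by the operator (the page does not state it), and the planned configuration is constructed sample data.

```python
import shlex

# Constructed sample of a planned SNMP section (not taken from a real device).
PLANNED = """set snmp community "ops-ro" Read-Only
set snmp community "ops-rw" Read-Write
set snmp community "noc-ro" Read-Only
set snmp community "lab-ro" Read-Only
set snmp host "ops-ro" 10.1.1.0/24
set snmp host "ops-rw" 10.1.1.10/32
set snmp host "noc-ro" 10.2.0.0/16
"""

def parse_snmp(config_text):
    """Return (defined communities, communities that have a host entry)."""
    defined, associated = set(), set()
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: skip the line
        if tok[:2] != ["set", "snmp"] or len(tok) < 4:
            continue
        if tok[2] == "community":                  # assumed definition syntax
            defined.add(tok[3])
        elif tok[2] == "host" and len(tok) >= 5:   # format quoted in the note
            associated.add(tok[3])
    return defined, associated

def review_change(planned_config, max_communities):
    """List findings to resolve before the planned SNMP section is deployed."""
    defined, associated = parse_snmp(planned_config)
    findings = []
    if len(defined) > max_communities:
        # Over the limit, the fallback cannot restore the old strings.
        findings.append(
            f"{len(defined)} communities exceed the device limit of {max_communities}")
    for name in sorted(defined - associated):
        findings.append(
            f"community {name!r} has no 'set snmp host' entry and will stay inactive")
    for name in sorted(associated - defined):
        findings.append(f"host entry references undefined community {name!r}")
    return findings
```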


Retrieve Running Configuration

Release Notes

TFTP Interface specification

The NetScreen allows for specification of the interface used for TFTP transmissions. Some device configurations may require this specification to use TFTP. In such cases, the TFTPInterface access variable should be set to "from <interface>" where <interface> denotes the interface from which the NA TFTP server address can be reached.

Configuration generation failures are not detected

The device uses a redirect operator to transmit the result of "get config" by TFTP, but does not indicate any errors in the command itself; instead it sends the error message as the data relayed by TFTP. Because of this, the error condition is not detectable by NA, and the error text is stored as the configuration. If the device issue is corrected, the snapshot will work as expected.
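Because an error message can be stored in place of the configuration, a stored snapshot is worth checking before it is used as a comparison or restore baseline. The following is an added example, not part of the driver or of NA: a heuristic check that assumes ScreenOS configuration text consists of lines beginning with set, unset or exit. The thresholds and both sample snapshots are constructed.

```python
import re

# Assumption: configuration statements start with one of these keywords.
STATEMENT = re.compile(r"^(set|unset|exit)\b")

# Constructed samples: a small configuration and a stand-in for error text.
GOOD = """set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set admin name "netadmin"
set interface "ethernet0/0" zone "Trust"
set snmp port listen 161
"""
BAD = "Constructed placeholder for device error text\n"

def assess_snapshot(text, min_statements=5, min_ratio=0.9):
    """Return (ok, reason) for text stored as a running-configuration snapshot."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return False, "empty snapshot"
    hits = sum(1 for ln in lines if STATEMENT.match(ln))
    if hits < min_statements:
        return False, f"only {hits} configuration statements"
    ratio = hits / len(lines)
    if ratio < min_ratio:
        return False, f"{ratio:.0%} of lines are configuration statements"
    return True, "looks like a configuration"

def choose_baseline(snapshots):
    """Pick the newest snapshot that passes; input is ordered oldest to newest."""
    for name, text in reversed(snapshots):
        if assess_snapshot(text)[0]:
            return name
    return None  # nothing trustworthy to compare or restore from
```

A snapshot that fails the check should be flagged for review rather than diffed against, since a "change" from a valid configuration to error text would otherwise look like a device change.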


Software Center

Release Notes

TFTP Interface specification

The NetScreen allows for specification of the interface used for TFTP transmissions. Some device configurations may require this specification to use TFTP. In such cases, the TFTPInterface access variable should be set to "from <interface>" where <interface> denotes the interface from which the NA TFTP server address can be reached.


Configuration Deployment to Running

Release Notes

Certain configuration commands cannot be used in deployment

The NetScreen does not accept certain commands when deploying configurations to the device. For example, the device does not allow the user to modify the command "set admin sys-location" via Deploy Configuration.

Also, the NetScreen occasionally has difficulty merging new configuration commands with the existing configuration. Opsware recommends that you verify the NetScreen configuration after you deploy it from NAS.

To verify that your changes were correctly deployed to the running configuration, use the Compare to Previous link provided in the task details of a successful Deploy Configuration task.

TFTP Interface specification

The NetScreen allows for specification of the interface used for TFTP transmissions. Some device configurations may require this specification to use TFTP. In such cases, the TFTPInterface access variable should be set to "from <interface>" where <interface> denotes the interface from which the NA TFTP server address can be reached.


Syslog Triggering
