NetScreen Technologies ISG 2000 Installation and operation manual

ISG 2000 Field Upgrade Guide
October 2005
Part No. 093-1444-000, Revision C
With increased memory and one or more security modules, an ISG 2000 security
system running ScreenOS 5.0.0-IDP1 can support Intrusion Detection and
Prevention (IDP). To enable IDP, the device must also have both an Advanced
license key and an IDP license key installed. To configure IDP, you must use
NetScreen-Security Manager 2004 FP3-IDP or later.
With this upgrade kit, you can expand memory capacity and install up to three
security modules (purchased separately) in an ISG 2000 device. If you have not
already purchased one or more security modules, contact your value added reseller
(VAR) or contact Juniper Networks Customer Care directly.
The kit includes these instructions and the following items:
1-GB SIMM DRAM modules (2)
Phillips-head screwdriver (1)
Antistatic mat (1)
Antistatic wrist strap (1)
The procedure for upgrading the ISG 2000 to support IDP involves the following
steps:
1. Registering the ISG 2000
2. Upgrading the OS Loader
3. Upgrading to ScreenOS 5.0.0-IDP1
4. Installing License Keys
5. Opening the Chassis
6. Replacing Memory Modules
7. Adding Security Modules
8. Closing the Chassis
NOTE: Installing the IDP license key disables Deep Inspection (DI).
NOTE: You also need the OS loader upgrade and ScreenOS 5.0.0-IDP1 image (or
later), both of which are available for download from www.juniper.net/support.
NOTE: If your ISG 2000 is already running ScreenOS 5.0.0-IDP1 or later and you
simply want to add more security modules, refer just to steps 4, 6, and 7.

1 Registering the ISG 2000
To be able to access customer support and download new ScreenOS releases, create
a customer account and register your ISG 2000. If you have already done this,
proceed to the next section.
1. Sign up for a customer account by following the online instructions that begin
at http://www.juniper.net/entitlement/
2. Log in to the Juniper Networks Customer Support Center (CSC) at
http://www.juniper.net/support/.
3. Click Register New Product in the Contract and Product Management section.
4. Follow the online instructions to register your ISG 2000 device.
2 Upgrading the OS Loader
Because the ISG 2000 needs additional memory to support IDP, you must upgrade
the OS loader if it is not v1.1.5 or later so that it can recognize the added memory.
You can check the OS loader version by watching it scroll by during the bootup
process or by entering the get envar command.
1. Download the OS loader from the Juniper Networks support site to the root
directory of your TFTP server.
a. Visit www.juniper.net/support and log in.
b. In the Download Software section, click ScreenOS Software.
c. Download the latest OS loader and save it to the root directory of your TFTP
server.
2. If necessary, start the TFTP server.
3. Make an Ethernet connection from the device hosting the TFTP server to the
MGT port on the ISG 2000 and a serial connection from your workstation to the
console port on the ISG 2000.
4. Reboot the ISG 2000 by entering the reset command. When prompted to
confirm the command—System reset, are you sure? y/[n]—press the Y key.
5. When you see the following prompt, press the X key, and then the A key:
NetScreen NS-ISG 2000 BootROM V0.9.0 (Checksum: 8796E2F3)
Copyright (c) 1997-2004 NetScreen Technologies, Inc.
Total physical memory: 2048MB
Test - Pass
Initialization................ Done
Hit key 'X' and 'A' sequentially to update OS Loader.

6. Enter the filename for the OS loader software you want to load (for example,
load2000v115.d.S), the IP address of the ISG 2000, and the IP address of your
TFTP server:
Serial Number [0079112003000031]: READ ONLY
BOM Version [C06]: READ ONLY
Self MAC Address [0010-db58-c900]: READ ONLY
OS Loader File Name [boot2000v090.ld.S]: load2000v115.d.S
Self IP Address [10.150.65.152]:
TFTP IP Address [10.150.65.151]:
7. Press the Enter key, and the file loads.
Save loader config (112 bytes)... Done
Loading file "load2000v115.d.S"...
rtatatatatata ...
Loaded successfully! (size = 383,222 bytes)
Ignore image authentication!
Program OS Loader to on-board flash memory...
++++++++++++++++++++++++Done!
Start loading...
.......................
Done.
You have completed the upgrade of the OS loader.
3 Upgrading to ScreenOS 5.0.0-IDP1
The ISG 2000 is now ready to support ScreenOS 5.0.0-IDP1 or later. You can copy
this ScreenOS image to the root directory of your TFTP server, and then save it to
the ISG 2000.
1. Download the latest version of ScreenOS 5.0.0-IDP from the Juniper Networks
support site to the root directory of your TFTP server.
a. Visit www.juniper.net/support and log in.
b. In the Download Software section, click ScreenOS Software.
c. Download the latest version of ScreenOS 5.0.0-IDP and save it to the root
directory of your TFTP server.
2. If necessary, start the TFTP server.
3. Make a console, Telnet, or SSH connection to the ISG 2000, and then log in.
4. Enter the following CLI command:
save software from tftp ip_addr filename to flash
in which ip_addr is the address of the TFTP server and filename is the name of
the firmware file.
5. Reboot the ISG 2000 by entering the reset command.
Next, you need to open the top panel of the chassis, upgrade the memory modules,
add one or more security modules, and then close the top panel. These steps are
explained in the following sections.

4 Installing License Keys
If you have not already done so, purchase and activate an Advanced license key and
an IDP license key.
1. Contact the value-added reseller (VAR) who sold you the ISG 2000 or contact
Juniper Networks Customer Care directly:
(+1) 888-314-5822 (US and Canada)
(+1) 408-745-9500 (International)
2. Provide the serial number of your device and state that you want the Advanced
and IDP license keys. Juniper Networks generates the license keys and sends
them to you through e-mail.
3. Load the license keys on the ISG 2000 device. You can load a license key by
copying the alphanumeric license key sent in the e-mail, entering the following
CLI command, and pasting the content you copied in place of the variable
string shown below:
exec license-key string
For example, if you receive the following advanced license key via e-mail, copy
everything from “2E1…” to “…g==”:
advanced_key=2E1gQaBVzOxBkQTowf0VZ3pw8j/nY/xqCZFkHkIUWs7sLZvXkX
2DxF/CoIh76JSnNVeIDorA6mY0nUby6lnbDXw8JMkxz2ECGA4lT6nSonsag/etk
atpFiz/aPp8AHbIBCh+fmHeEACuxb+YgtmY8O3H16ZNmGNXLS07kb0KoMOCN
ql79XLM5q7UU6c4p6vP9fDPST7oZE8dWA5OMIhOI/2Cz5UbCAvebYYNa3uzD
qnXux3rqyFvLNzcIEtXuCndDY6DidZu9+3BjTijVONpw3aQsZ8+k5ACwQ6TwhsiA7
CoQ8lpMT20hakn2sC9ue4Ss2deG9xaZvU3nsBSEjdb4lg==
and paste it after exec license-key:
exec license-key 2E1gQaBVzOxBkQTowf0VZ3pw8j/nY/xqCZFkHkIUWs7
sLZvXkX2DxF/CoIh76JSnNVeIDorA6mY0nUby6lnbDXw8JMkxz2ECGA4lT6n
Sonsag/etkatpFiz/aPp8AHbIBCh+fmHeEACuxb+YgtmY8O3H16ZNmGNXLS
07kb0KoMOCNql79XLM5q7UU6c4p6vP9fDPST7oZE8dWA5OMIhOI/2Cz5U
bCAvebYYNa3uzDqnXux3rqyFvLNzcIEtXuCndDY6DidZu9+3BjTijVONpw3aQs
Z8+k5ACwQ6TwhsiA7CoQ8lpMT20hakn2sC9ue4Ss2deG9xaZvU3nsBSEjdb
4lg==
4. Reboot the ISG 2000 by entering the reset command. When prompted to
confirm the command—System reset, are you sure? y/[n]—press the Y key.
5. After the ISG 2000 reboots, you can confirm that the key or keys are now
loaded by entering the get license-key command:
get license-key
advanced_key:
2E1gQaBVzOxBkQTowf0VZ3pw8j/nY/xqCZFkHkIUWs7sLZv
XkX2DxF/CoIh76JSnNVeIDorA6mY0nUby6lnbDXw8JMkxz2ECGA4lT6nSons
ag/etkatpFiz/aPp8AHbIBCh+fmHeEACuxb+YgtmY8O3H16ZNmGNXLS07kb
0KoMOCNql79XLM5q7UU6c4p6vP9fDPST7oZE8dWA5OMIhOI/2Cz5UbCAv
ebYYNa3uzDqnXux3rqyFvLNzcIEtXuCndDY6DidZu9+3BjTijVONpw3aQsZ8+k
5ACwQ6TwhsiA7CoQ8lpMT20hakn2sC9ue4Ss2deG9xaZvU3nsBSEjdb4lg==
idp_sm_key:
2jPLIvNPTB7Sl0AXNQQPpqxkeJmi0c47KQ9JhZTC77AJnqTvJDtGxhl3A4pdR
gYq6pnZeS2X69Q0jQ73jROSGo73LvXq/xVJvXKzx3Z3jzfb2NiEPZIje/oGhAN

zVxyDJnloQTVzFwCmmQ4xmtCHP/dXPhLGcXhrfbRPEelHHDjNuL0Ymg6TczU
F0jFGdCXiDNJeONwTwlL4hnP8C0nrdEcjoCNdCVVXWJgqPW/XJSvBFDBzK+
pH3PvrwgiiA2vYQBjJwTbHkBG9e+d4q2bZGijmBpUjUlvvJEVdleOycFr7IVuFup
6F2MfcoJCOoyk3C2/2Di8IK/yQuPIFbBrOSXw==
Model: Advanced
…
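One way to run the step 5 check offline over a captured console log, as an added example that is not part of the Juniper guide: it rejoins the wrapped key lines printed by get license-key, confirms that both keys IDP requires are present, and compares a loaded key with the e-mailed text. The function names and the sample keys are constructed for illustration, and the parser assumes the output layout shown above.

```python
import re

# Key names as they appear in the `get license-key` output shown in this guide.
REQUIRED_FOR_IDP = ("advanced_key", "idp_sm_key")
_NAME_ONLY = re.compile(r"^(\w+_key):\s*$")        # "advanced_key:" on its own line
_B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")  # one wrapped chunk of key text

def parse_license_output(console_text):
    """Rejoin the line-wrapped keys from captured `get license-key` output."""
    keys, current = {}, None
    for raw in console_text.splitlines():
        line = raw.strip()
        header = _NAME_ONLY.match(line)
        if header:
            current = header.group(1)
            keys[current] = ""
        elif current and _B64_LINE.match(line):
            keys[current] += line
        elif line:
            current = None  # e.g. "Model: Advanced" ends the key block
    return keys

def parse_emailed_key(mail_text):
    """Turn 'name=<wrapped key>' from the e-mail into (name, single-line key)."""
    name, _, body = mail_text.strip().partition("=")
    return name.strip(), "".join(body.split())

def idp_license_problems(console_text, emailed=()):
    """Return a list of problems; an empty list means both keys are loaded intact."""
    loaded = parse_license_output(console_text)
    problems = [f"{n} is not loaded" for n in REQUIRED_FOR_IDP if not loaded.get(n)]
    for mail_text in emailed:
        name, key = parse_emailed_key(mail_text)
        if loaded.get(name) and loaded[name] != key:
            problems.append(f"{name} differs from the e-mailed key (truncated paste?)")
    return problems

# Constructed sample data (not real license keys), wrapped like the console output.
SAMPLE_OUTPUT = """get license-key
advanced_key:
QUJDREVGR0hJSktM
TU5PUA==
idp_sm_key:
UVJTVFVWV1hZWg==
Model: Advanced
"""
SAMPLE_MAIL = "advanced_key=QUJDREVGR0hJ\nSktMTU5PUA=="
```

Calling idp_license_problems(SAMPLE_OUTPUT, [SAMPLE_MAIL]) returns an empty list; a missing idp_sm_key block or a key that lost a wrapped line during pasting is reported by name.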
5 Opening the Chassis
1. Turn off the power for the ISG 2000 and disconnect the power cable. Spread out
the antistatic mat and ground it. Set the ISG 2000 on the mat. Then connect the
grounding wire from the antistatic wrist strap to the terminal on the antistatic
mat, and put the strap on your wrist.
[Figure: ISG 2000 device on the antistatic mat. Connect the grounding wire from the mat to a grounded object. Connect the grounding wire from the antistatic wrist strap to the terminal on the mat, and put the strap on your wrist.]

2. Use the Phillips-head screwdriver to remove three screws from the top panel of
the chassis. The screws are located near the rear of the panel. (Keep the screws
nearby for use when closing the chassis later.)
3. Grip the rear edge of the top panel, lift it up, and then remove it.
[Figure: Remove the screws from the top panel. 3a. Lift the top panel. 3b. Then remove it.]

6 Replacing Memory Modules
Before adding one or more security modules, you must first replace the two 512-MB
SIMM DRAM memory modules with two 1-GB modules.
1. Use the Phillips-head screwdriver to remove the two retaining screws from the
left and right top edges of the management module.
[Figure: Management module and ASIC module, seen from the front. Remove the retaining screws from the management module.]
Note: The management module is seated in slot 4 in the backplane.

2. Swivel the release levers at each end of the management module up and then
slide the module up and out of the chassis.
3. Set the management module on the antistatic mat. The two 512-MB SIMM
DRAM memory modules are nested in partially overlapping layers.
[Figure: Swivel the release levers up, and slide the management module up and out of the chassis.]
[Figure: Management module, showing the SIMM DRAM memory modules and the locking tabs on each side.]

4. Release the uppermost 512-MB SIMM DRAM memory module by pressing your
left and right thumbs downward on the locking tabs on each side of the module
so that the tabs swivel away from it.
5. Grip the long edge of the uppermost memory module and slide it out. Set it
aside.
6. Repeat steps 4 and 5 to remove the lowermost 512-MB SIMM DRAM memory
module.
[Figure: Press downward with both thumbs on the locking tabs; the locking tabs swivel away from the module. Grip the corners of the memory module and slide it out.]

7. Insert a 1-GB SIMM DRAM memory module in the lowermost slot. Exerting
even pressure with both thumbs upon the upper edge of the module, press
it downward until the locking tabs click into position.
8. Repeat step 7 to insert the uppermost 1-GB SIMM DRAM memory module.
9. Align the management module with the guidance tracks on the inner walls of
the chassis next to “Slot 4” on the backplane, and then press it into position.
Swivel the release levers downward until the module is fully seated.
[Figure: Press downward with both thumbs on the edge of the module; the locking tabs click into position.]
[Figure: 9a. Align the management module with the guidance track for slot 4 and slide it into the chassis. 9b. Press the release levers down until the management module is fully seated.]

10. Use the Phillips-head screwdriver to tighten the two retaining screws to the left
and right top edges of the management module, securing it to the chassis.
7 Adding Security Modules
You can add one, two, or three security modules to the ISG 2000. For optimum
performance, Juniper Networks recommends putting the security modules in the
numbered slots—indicated on the backplane—as explained below:
If you are adding          then put
one security module,       it in slot 3, leaving slots 2 and 1 empty.
two security modules,      the first one in slot 3 and the second one in slot 2, leaving slot 1 empty.
three security modules,    the first in slot 3, the second in slot 2, and the third in slot 1.
[Figure: ISG 2000 chassis seen from the front, showing the interface modules, power supplies, fans, and slots:
Slot 4: Management Module
Slot 3: Security Module
Slot 2: Security Module
Slot 1: Security Module
Slot 0: GigaScreen ASIC Module]

1. Align the security module with the guidance tracks on the inner walls of the
chassis next to “Slot 3” on the backplane, and then slide it into position. Press
the release levers downward until the module is fully seated.
2. Use the Phillips-head screwdriver to tighten the two retaining screws to the left
and right top edges of the security module, securing it to the chassis.
3. If you are adding more than one security module, repeat steps 1 and 2, putting
the second security module in slot 2 and the third in slot 1.
[Figure: Tighten the retaining screws. Security module in slot 3, management module in slot 4.]
[Figure: ISG 2000 with three security modules installed, seen from the front, showing the interface modules, power supplies, and slots:
Slot 4: Management Module
Slot 3: Security Module
Slot 2: Security Module
Slot 1: Security Module
Slot 0: ASIC Module]

8 Closing the Chassis
After you have replaced the memory modules and added one or more security
modules, you can replace the top panel on the chassis.
1. Set the front edge of the top panel into the groove that runs along the top front
edge of the chassis. Then lower the top panel onto the chassis.
2. Use the Phillips-head screwdriver to tighten the three screws you removed
earlier, securing the top panel to the chassis.
[Figure: 1a. Set the front edge of the top panel into the groove near the front edge of the chassis. 1b. Lower the top panel. Tighten the screws to secure the top panel to the chassis.]

At this point the ISG 2000 is able to support Intrusion Detection and Prevention
(IDP).
Juniper Networks Documentation
To obtain technical documentation for any Juniper Networks NetScreen product,
visit www.juniper.net/techpubs/.
If you find any errors or omissions in the preceding content, please contact us at
the following e-mail address: techpubs-comments@juniper.net.
NOTE: To configure IDP, you must use NetScreen-Security Manager 2004 FP3-IDP
or later.