
Firewall Migration: Service Overview

Uploaded by

Wagner Marlon

Service Description

Firewall Migration
The Juniper Networks Firewall/VPN solution helps you reduce the total cost of ownership, increase scalability, and enhance
the stability of your network. To take full advantage of these benefits, you need to migrate quickly and effectively.

Juniper Networks Professional Services has the skills, processes, and tools to reduce the risk and complete the migration in as
little time as possible. Our proprietary tools help reduce tedious tasks and minimize errors, thus reducing the time and cost
to migrate. However, the value of our Firewall Migration service is in the people. The biggest challenge is analyzing a given
network and system to determine the best way to migrate and the best tools to use, and then designing a solution. The tools do
not eliminate the need for follow-on analysis and are just a portion of the total solution.

Service Overview
The primary benefits of the Juniper Firewall Migration Service include:

• Speed of Conversion. Juniper's proven methodology converts legacy firewall configurations more rapidly than manual conversion
and with fewer errors.

• Minimal Configuration Errors. Juniper Networks Professional Services thoroughly checks each configuration that it creates
from a legacy configuration. Juniper procedures avoid the errors that can be introduced by manual conversions.

• Custom Tools. Juniper has invested in creating tools and procedures that have been tested by Juniper PS and hardened by
numerous previous migrations in customer networks.

• Experience. Juniper understands NetScreen firewalls and their capabilities better than anyone and uses this knowledge to
provide the best implementation possible. Not only do we know what needs to be considered in doing a migration, but we
understand where problems may be encountered and how to resolve these problems.

• Cost. Manual conversion or developing similar migration capabilities can be cost prohibitive. Utilizing the Firewall
Migration Service:

  - Eliminates the time and effort to develop the migration process
  - Reduces the time and effort required to create the ScreenOS configuration files
  - Reduces or eliminates the cost of debugging and fixing errors introduced in the configuration files during the migration
  - Provides your staff with valuable knowledge transfer related to the migration to NetScreen firewalls, significantly lowering
    the learning curve in the process

Project Summary

[Figure: process flow of Audit, Analyze, Object & Policy Conversion, Testing, and Migration & Production Cutover, with Knowledge Transfer]

Juniper has developed a proven methodology to migrate legacy firewall gateways to Juniper Networks NetScreen
Firewall/VPN systems and devices. This methodology consists of the following process steps:

Step 1: Audit
The Juniper consultant works with you to understand the present firewall design and its configuration. An initial firewall
policy and configuration review is performed to identify any security issues with the configuration, and to identify areas where
policy clean-up can be performed.

Step 2: Analyze
The Juniper consultant analyzes the policy to determine the optimum design given your security requirements while effectively
utilizing ScreenOS features. Feature differences are identified, policy and object grouping issues are examined, and a zone-
based policy migration is planned. In addition, design issues such as Network Address Translation (NAT), High Availability
(HA) and user authentication are explored.

Step 3: Network and Workstation Object, Service Object and Policy Conversion
Using the results from the prior step, the Juniper consultant works onsite using automated and manual methods to convert the
firewall policy and configuration to a ScreenOS configuration. The ScreenOS configuration includes:

• A custom service book and service group configuration
• A custom zone-classified address book and address group configuration
• A zone-classified set of ScreenOS policies

Additionally, if utilized in the firewall configuration:

• A local database of user and group authorizations
• NAT configuration
• User authentication policies

The new configuration is imported into the ScreenOS device(s) and preliminary testing is performed. If the NetScreen
Security Manager (NSM) is being used for centralized device management, the device(s) will be imported. The configuration
may be changed and optimized based upon the results of this initial testing.

Step 4: Function and Other Testing
Based upon test requirements identified in the prior steps, additional tests are planned and executed. These may include
function tests that verify routing and policy sets. We also perform HA testing in this step if it applies, in order to verify the
HA design and its configuration.

Step 5: Migration and Production Cutover
A migration plan is developed and the Juniper consultant will work onsite to execute the cutover to production, monitor the
function of the NetScreen devices after the cutover, and fine tune the configuration if needed.

Deliverables
As part of these activities, the following deliverables are provided:

• High Level security design
• Detailed migration plan
• Functional and implementation test plan
• Finalized ScreenOS configuration files for each firewall migrated

Copyright © 2005 Juniper Networks, Inc. All rights reserved. Juniper Networks, the Juniper Networks logo, NetScreen, NetScreen Technologies, the NetScreen logo, NetScreen-Global Pro, ScreenOS, and
GigaScreen are registered trademarks of Juniper Networks, Inc. in the United States and other countries.
September 2005
