To start this discussion, lets review what the network will be that surrounds the firewall, and what it will be securing. 

We have three security zones setup on the firewall out of the box; the trust, untrust, and dmz.  We will also be creating three other security zones, mail, finance, and eng.

1. Create the Zones:

To create the three new zones, we would use the set zone command.

2. Configure the Virtual Routers:

Netscreens have virtual routers within the firewall that allow us to setup different routers with different route tables in different security zones.  (think if hacked, the outside router would only know about the outside networks, and not the inside.)

By default, all newly created zones are connected to the trusted router, so we should reconfirm what zones should be bound to the untrusted router.


We enable the virtual router on the outside of the firewall called untrust-vr and we bind it to the DMZ, untrusted and Mail zones.

3. Configure Interfaces with IPs and Zones:

The next step is to configure the interfaces.  In doing this, we will bind the zones to the interfaces, give them IP addresses and masks, and enable what services are allowed on them.

A few items to point out on this would be:

• For eth3/2, we will allow a users to connect to the firewall via ssh, telnet, and webui.
• For eth3/2.1 we will enable as a subinterface of eth 3/2 and have it us the .1q tag of "1".
• make sure that duplex/port speeds are hard coded to 100/Full
  

4. Enable Routing:

All the basic routing is already taken care of with the virtual routing. In this step, we need to tell the trusted router to default traffic to the untrusted one, and then to tell the untrusted router to default to the device 1.1.1.254 on the [1/2] interface.
 

5. Set the Policies or Service Groups:

Next we need to create groups which are collections of services or ports that are allowed, and then include these in ACL statements which are called "polices".  

We will first create two groups, one allowing mail and pop traffic to pass, and the other to allow web and ftp traffic:

• First we will create a service called "mail-pop3" and enable mail and pop3 services to it
• Next we will create a group called "http-ftpget" and allow http and ftp-get flows through it.
  

Next we will define the ACL's, or the policy's, and to make them more condense, we will use groups to collect multiple services together.  (in other words, rather then needing to make a policy for mail, and one for pop3, I can just use the group mail-pop3 in a policy, and they will both be included.)

6. Extra Configuration Settings

There are a few other items that probably should be included in a default setup, and in this section we will note them.

Define the firewall's host name, and how the console will output (for serial or ssh access)


Have the firewall send all syslog data to a remote syslog server


Allow snmp access to the firewall.


Define the admin accounts and password


Create a login banner to tell others to go away.


Set what the IP's are who can ssh or connect to the firewall management interface


Enable NTP time syncing