Channel: ScreenOS Firewalls (NOT SRX) topics
Viewing all 763 articles

route based vpn - internal servers not reachable from outside


Hi All,

 

I have a route based vpn. My peer IP is 198.1.1.1.

Below is the configuration extracted from the firewall.

tunnel.1 is associated with eth3/0 (wan).

From the remote network I can access the firewall using 136.1.29.1, but none of the 10.0.4.0 network is accessible.

I'm suspecting that it could be due to the NATting configured on the interface eth3/3, and I suspect that NATting should be configured for manage-ip 10.0.4.8 only. Attached is the debug flow basic with source and destination ffilter as 136.1.1.1.

Can you please suggest on this. This was working earlier where I had not configured NATting and the peer was also different.

I tried pinging from outside to form interesting traffic.

 

set interface ethernet3/0 ip 132.1.1.10/26
set interface ethernet3/0 route
set interface ethernet3/0 manage-ip 132.1.1.11
set interface ethernet3/0 ip manageable

set interface ethernet3/3 ip 10.0.4.7/28
set interface ethernet3/3 route
set interface ethernet3/3 manage-ip 10.0.4.8

set interface "tunnel.1" mip 136.1.29.1 host 10.0.4.7 netmask 255.255.255.255 vr "trust-vr"

 

Regards

Rajesh

 


Moving away from SSG (ScreenOS) to SRX (JunOS): best way to proceed?


Our SSG install base is going EoL and we are planning moving to JunOS.

 

I am in a typical small business environment with a large number of IPSec VPNs (~100).

The SSGs are used to filter incoming Internet traffic and establish IPSec VPNs to branches and business partners.

 

What is the best way to introduce a JunOS firewall/router (SRX 340) to the mix, and progressively rebuild all IPSec VPNs onto the SRX?

 

I looked into the ScreenOS-to-JunOS config translation tool, and it doesn't decrypt the IPSec keys, otherwise I would attempt a device swap.

 

My guess is that I'll have to setup the new SRX as an alternate gateway on the LAN side, and start moving the VPNs.

 

Looking for inputs.

 

SSG550 VIP: TCP connection all Reset.


We set up a new server (192.168.53.47) in the "Trust" zone with a VIP to port 443, but all TCP connections (Untrust to Trust) were reset due to a sequence number error (I analyzed it in Wireshark); the TCP connection was reset from client to server after the [SYN, ACK] from the server. But we have other servers (HTTPS service) in the "Trust" zone on the same subnet, using MIP, that are working fine. I found an article about the bug in the Juniper KB; I also tried the workaround but it failed.

Juniper KB

From this screenshot, I can see the traffic successfully translated to the server, but the connection was closed. When I moved the server to the DMZ zone, it's working fine.

[Attached screenshot: VIP.jpg]

Juniper OS Firmware 6.1.0r2.0

Any help appreciated.

ISG2000 Login LDAP admin user issue

Hi Friends,
We have two ISG2000 firewalls installed in active/passive mode. Yesterday, by mistake while creating a new user, we changed the admin user from NetScreen to a new user, jams, and this is now the only admin user on the firewall, i.e. jams.
As our firewall authentication mode is TACACS/LDAP, and the jams name is the same in LDAP and locally, when we try to authenticate to the firewall it tries to authenticate from AAA instead of the local password. When we enter the LDAP password it works, but that user is not the admin.

If someone has faced this issue, kindly assist on how to force the firewall to authenticate locally with user jams instead of LDAP. We are afraid that if we change the TACACS configuration, it will force a logout and no one will be able to log in again if the local user does not work.

Below are the configurations before and after the change.
 
----------------------------before change------------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"

set auth-server "aruba-tacacs" id 1

set auth-server "aruba-tacacs" server-name "10.XX.XX.XX"

set auth-server "aruba-tacacs" backup1 "10.XX.XX.XX"

set auth-server "aruba-tacacs" account-type admin 

set auth-server "aruba-tacacs" fail-over revert-interval 5

set auth-server "aruba-tacacs" type tacacs

set auth-server "aruba-tacacs" tacacs secret "abc-xyz"

set auth-server "aruba-tacacs" tacacs port 49

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "netscreen"
set admin password "abc-xyz"

set admin auth web timeout 0

set admin auth server "aruba-tacacs"

set admin auth remote root

set admin privilege get-external

set admin format dos
set user "netscreen" uid 2
set user "netscreen" type auth

set user "netscreen" remote ipaddr "10.xx.xx.xx"

set user "netscreen" hash-password "0abc-xyz"
----------------------------after change-------------------
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"

set auth-server "aruba-tacacs" id 1

set auth-server "aruba-tacacs" server-name "10.XX.XX.XX"

set auth-server "aruba-tacacs" backup1 "10.XX.XX.XX"

set auth-server "aruba-tacacs" account-type admin 

set auth-server "aruba-tacacs" fail-over revert-interval 5

set auth-server "aruba-tacacs" type tacacs

set auth-server "aruba-tacacs" tacacs secret "abc-xyz"

set auth-server "aruba-tacacs" tacacs port 49

set auth default auth server "Local"

set auth radius accounting port 1646

set admin name "jams"
set admin password "abc-xyz"

set admin auth web timeout 0

set admin auth server "aruba-tacacs"

set admin auth remote root

set admin privilege get-external

set admin format dos
set user "netscreen" uid 2
set user "netscreen" type auth

set user "netscreen" remote ipaddr "10.xx.xx.xx"

set user "netscreen" hash-password "0abc-xyz"
set  user "jams" uid 3
set user "jams" type auth
set user "jams" remote ipaddr "10.xx.xx.xx"
set user "jams" hash-password "0abc-xyz"
 

[HELP] - Firmware update SSG140


Good morning y'all,

I've been entrusted with the management of our company server room and I'm now in the middle of reorganizing policies inside our firewall.

It's a Juniper SSG140 and I just found out that the software revision is ancient... 6.3.0r10... I don't even see it listed in the download page and that goes back to 2014... I saw that firmware version 6.3.0r25 is available for download but I cannot access it...

Is there a reason? Maybe someone has it and can share/download it for me? The firewall is so old it's not even worth buying a support program for just a firmware update... it's been working great for many years now...

Thanks in advance!

Dst IP session limit


Dst IP session limit

The log is full of this, where XXX.XXX.XX.XX is the external DNS server and YY.YYY.YYY.YYY is my external IP. What is happening, and how do I fix it? Thanks.

2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1640, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2936, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
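Log lines like the four above are easier to reason about once they are aggregated per destination and per source. The following Python is an added example (not from the post or from Juniper) that parses ScreenOS "Dst IP session limit!" events and summarizes them; the sample lines are copied from the post, with the poster's XXX/YY placeholders kept as written so the parser also tolerates redacted logs. What the summary surfaces for this excerpt is a single source (port 53/UDP) hitting one destination on several distinct ephemeral ports within the same second.

```python
"""Summarize ScreenOS 'Dst IP session limit!' events per destination.

Added example, not from the post. SAMPLE_LOG is copied from the post; the
XXX/YY addresses are the poster's placeholders, kept as-is."""
import re
from collections import Counter, defaultdict

# One event line as ScreenOS writes it: timestamp, severity, message.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) "
    r"Dst IP session limit! From (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"to (?P<dst>[^:\s]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\.$"
)

# Constructed from the post's four log lines (placeholders unchanged).
SAMPLE_LOG = """\
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1222, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2287, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:1640, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
2018-05-14 11:15:44 crit Dst IP session limit! From XXX.XXX.XX.XX:53 to YY.YYY.YYY.YYY:2936, proto UDP (zone Untrust, int ethernet0/6). Occurred 1 times.
"""


def parse_events(text):
    """Return one dict per recognised event line; other lines are ignored."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        for key in ("sport", "dport", "count"):
            e[key] = int(e[key])
        events.append(e)
    return events


def summarize(events):
    """Aggregate 'Occurred N times' per destination IP and, per destination,
    per (src IP, src port, proto). Returns (per_dst, per_dst_source)."""
    per_dst = Counter()
    per_src = defaultdict(Counter)
    for e in events:
        per_dst[e["dst"]] += e["count"]
        per_src[e["dst"]][(e["src"], e["sport"], e["proto"])] += e["count"]
    return per_dst, per_src


def busiest(per_dst, threshold):
    """Destinations whose aggregated hit count reaches threshold, busiest first."""
    return [dst for dst, n in per_dst.most_common() if n >= threshold]


def distinct_dst_ports(events, dst):
    """Number of different destination ports hit on dst. Many distinct
    ephemeral ports from one src:53/UDP is what the excerpt shows."""
    return len({e["dport"] for e in events if e["dst"] == dst})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    per_dst, per_src = summarize(evs)
    for dst, n in per_dst.most_common():
        print(f"{dst}: {n} session-limit hits on "
              f"{distinct_dst_ports(evs, dst)} distinct dst ports")
        for (src, sport, proto), k in per_src[dst].most_common(5):
            print(f"  from {src}:{sport}/{proto}: {k}")
```

Point the parser at a full `get log event` dump rather than four lines and `busiest()` gives the destinations to compare against the configured session limit.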

Netscreen SSG140 and TACACS.net Authorization


Hello Guys,

 

I am setting up TACACS for admin login but am having some issues getting past authorization via the TACACS server. I don't have any idea how to configure the "authorization.xml" on the TACACS.net server. I've tried some configurations but they failed. Attached are the configuration file and log file from the TACACS.net server. I'd appreciate it if you guys could assist me on this, thanks.

 

SSG140 v6.1.0r2.0

 

 

SSG320 Interfaces inaccessible


Hello - I have an SSG320 running version 6.3.0r25. A few months ago the device stopped passing traffic. I was unable to ping interfaces and the console port was frozen. Lights looked normal with the exception of the alarm light, and the port lights were showing activity. Seeing as I could not use the console port, I power-cycled the device. It restarted as expected and was back up and running. This happened 3 times over a 24-hour period, at which point the device functioned normally. The issue happened again this morning and I had to power-cycle twice over the day.

From what I have read, the power cycle is purging all of the logs, so I have nothing to look at once the device is back online. My questions are: one, does anyone have any ideas what may be happening with ports not passing traffic and the console port not being accessible; and two, are there any suggestions for recording what's happening at the time the ports lock up, so I can try to troubleshoot and resolve it?

 

Thank you


high cpu - ip spoofing on mgmt int


I have high CPU on a NetScreen ISG-2000. Juniper is saying it could be due to IP spoofing on the mgmt interface. I'm not sure, as the IP spoofing events have been happening for a while now, but lately the CPU is very high. I guess my question is, how do I troubleshoot the IPv6 spoofing?

 

get performance cpu all detail
Average System Utilization: 82% (flow 92 task 77)
Last 60 seconds:
59: 88(98 84)*** 58: 87(97 75)*** 57: 88(98 87)*** 56: 86(96 83)***
55: 85(95 82)** 54: 84(94 76)** 53: 86(96 85)*** 52: 89(99 88)***
51: 88(98 79)*** 50: 89(99 81)*** 49: 89(99 82)*** 48: 89(99 79)***
47: 88(98 85)*** 46: 87(97 77)*** 45: 87(97 90)*** 44: 85(89 95)**
43: 87(97 90)*** 42: 88(98 86)*** 41: 87(97 78)*** 40: 86(96 79)***
39: 88(98 77)*** 38: 85(95 71)** 37: 86(96 73)*** 36: 88(98 87)***
35: 88(98 74)*** 34: 87(97 86)*** 33: 82(92 62)** 32: 86(96 75)***
31: 87(97 70)*** 30: 88(98 80)*** 29: 88(98 69)*** 28: 88(98 80)***
27: 86(96 75)*** 26: 88(98 89)*** 25: 85(95 71)** 24: 86(96 80)***
23: 85(95 66)** 22: 88(98 92)*** 21: 85(95 63)** 20: 87(97 73)***
19: 88(98 75)*** 18: 89(99 85)*** 17: 87(97 83)*** 16: 87(97 76)***
15: 85(95 78)** 14: 85(95 72)** 13: 85(95 81)** 12: 85(95 71)**
11: 85(95 76)** 10: 86(96 64)*** 9: 86(96 73)*** 8: 89(99 85)***
7: 89(99 91)*** 6: 84(94 76)** 5: 81(91 72)** 4: 79(89 59)**
3: 85(95 79)** 2: 83(93 75)** 1: 88(98 88)*** 0: 87(97 88)***

Last 60 minutes:
59: 86(96 79)*** 58: 84(94 73)** 57: 83(93 76)** 56: 84(94 77)**
55: 86(96 79)*** 54: 86(96 79)*** 53: 86(96 78)*** 52: 86(96 79)***

 

get event example:

IP spoofing! From 8006:6c8e:a82:283f:
a82:28f7:50:ab77 to ff02::1, proto 58
(zone MGT, int mgt). Occurred 1 times.

 

There is a lot of these events. 

 

Any information would be great. 

 

Thanks
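The `get performance cpu` output above is easier to interpret once the per-second samples are turned into numbers: the header labels the two figures in parentheses as `flow` (packet-processing CPU) and `task` (everything else), and the event text is wrapped by the console. The Python below is an added example (not from the post or from Juniper) that parses both; `CPU_OUTPUT` and `EVENT_TEXT` are copied from the post. Running it shows that flow CPU sits between 89 and 99 in every one of the 60 samples while task CPU is lower, i.e. the forwarding path is what is busy, and that the spoofing event's destination is the IPv6 all-nodes multicast address.

```python
"""Parse 'get performance cpu all detail' output and a console-wrapped
'IP spoofing!' event into numbers that can be thresholded.

Added example, not from the post. CPU_OUTPUT and EVENT_TEXT are copied
from the post; the flow/task naming follows the output's own header."""
import re
from statistics import mean

CPU_OUTPUT = """\
get performance cpu all detail
Average System Utilization: 82% (flow 92 task 77)
Last 60 seconds:
59: 88(98 84)*** 58: 87(97 75)*** 57: 88(98 87)*** 56: 86(96 83)***
55: 85(95 82)** 54: 84(94 76)** 53: 86(96 85)*** 52: 89(99 88)***
51: 88(98 79)*** 50: 89(99 81)*** 49: 89(99 82)*** 48: 89(99 79)***
47: 88(98 85)*** 46: 87(97 77)*** 45: 87(97 90)*** 44: 85(89 95)**
43: 87(97 90)*** 42: 88(98 86)*** 41: 87(97 78)*** 40: 86(96 79)***
39: 88(98 77)*** 38: 85(95 71)** 37: 86(96 73)*** 36: 88(98 87)***
35: 88(98 74)*** 34: 87(97 86)*** 33: 82(92 62)** 32: 86(96 75)***
31: 87(97 70)*** 30: 88(98 80)*** 29: 88(98 69)*** 28: 88(98 80)***
27: 86(96 75)*** 26: 88(98 89)*** 25: 85(95 71)** 24: 86(96 80)***
23: 85(95 66)** 22: 88(98 92)*** 21: 85(95 63)** 20: 87(97 73)***
19: 88(98 75)*** 18: 89(99 85)*** 17: 87(97 83)*** 16: 87(97 76)***
15: 85(95 78)** 14: 85(95 72)** 13: 85(95 81)** 12: 85(95 71)**
11: 85(95 76)** 10: 86(96 64)*** 9: 86(96 73)*** 8: 89(99 85)***
7: 89(99 91)*** 6: 84(94 76)** 5: 81(91 72)** 4: 79(89 59)**
3: 85(95 79)** 2: 83(93 75)** 1: 88(98 88)*** 0: 87(97 88)***

Last 60 minutes:
59: 86(96 79)*** 58: 84(94 73)** 57: 83(93 76)** 56: 84(94 77)**
55: 86(96 79)*** 54: 86(96 79)*** 53: 86(96 78)*** 52: 86(96 79)***
"""

EVENT_TEXT = """\
IP spoofing! From 8006:6c8e:a82:283f:
a82:28f7:50:ab77 to ff02::1, proto 58
(zone MGT, int mgt). Occurred 1 times.
"""

HEADER_RE = re.compile(r"Average System Utilization: (\d+)% \(flow (\d+) task (\d+)\)")
SAMPLE_RE = re.compile(r"(\d+):\s*(\d+)\((\d+)\s+(\d+)\)")  # idx: total(flow task)


def parse_cpu(text):
    """Return (average, sections): average = (total, flow, task) from the
    header; sections = {'Last 60 seconds': [(idx, total, flow, task), ...], ...}."""
    average, sections, current = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER_RE.search(line)
        if m:
            average = tuple(int(x) for x in m.groups())
            continue
        if line.startswith("Last ") and line.endswith(":"):
            current = line[:-1]
            sections[current] = []
            continue
        if current:
            sections[current].extend(tuple(int(x) for x in g) for g in SAMPLE_RE.findall(line))
    return average, sections


def summarize(samples, threshold=85):
    """Mean/max of total, flow and task, and how many samples are at or above
    threshold. Flow pinned near 100 with task lower points at forwarding load."""
    totals = [s[1] for s in samples]
    flows = [s[2] for s in samples]
    tasks = [s[3] for s in samples]
    return {
        "samples": len(samples),
        "total_mean": round(mean(totals), 1), "total_max": max(totals),
        "flow_mean": round(mean(flows), 1), "flow_max": max(flows),
        "flow_min": min(flows),
        "task_mean": round(mean(tasks), 1), "task_max": max(tasks),
        "at_or_over": sum(1 for t in totals if t >= threshold),
    }


SPOOF_RE = re.compile(
    r"IP spoofing! From (?P<src>\S+) to (?P<dst>\S+), proto (?P<proto>\d+) "
    r"\(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. Occurred (?P<count>\d+) times\."
)


def parse_spoof_event(text):
    """Re-join a console-wrapped event (the post shows the IPv6 source split
    after a colon) and extract its fields. Proto 58 is ICMPv6; ff02::/16 is
    IPv6 link-local multicast and ff02::1 is the all-nodes group."""
    joined = re.sub(r":\n", ":", text)              # wrap inside an address
    joined = re.sub(r"\s*\n\s*", " ", joined).strip()  # any other wrap
    m = SPOOF_RE.search(joined)
    if not m:
        return None
    e = m.groupdict()
    e["proto"], e["count"] = int(e["proto"]), int(e["count"])
    e["icmpv6"] = e["proto"] == 58
    e["multicast_dst"] = e["dst"].lower().startswith("ff")
    return e


if __name__ == "__main__":
    avg, sections = parse_cpu(CPU_OUTPUT)
    print("header average (total, flow, task):", avg)
    for name, samples in sections.items():
        print(name, summarize(samples))
    print(parse_spoof_event(EVENT_TEXT))
```

Feeding a few consecutive `get performance cpu all detail` captures and a `get log event` dump through these two parsers lets the number of spoofing events per minute be lined up against the flow-CPU curve, which is the correlation the post is asking how to establish.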

UTM - Content Filter not working

Help Updating and Securing a SSG 5


I have been using a Netscreen SSG-5 firewall for my home office since 2009. It has been a few years since I updated the firmware or configuration and I need some advice/help. I recently received an email from Lifelock warning me about VPNFilter malware that is targeting routers. This made me think that I should make sure my SSG5 is as secure as possible.  I plan on using this firewall until support ends in 2020.

Note: For admin purposes, I never access the firewall OS externally, I only access it on the 192.168 internal subnet.

The first hint of problems came when I tried connecting to it at https://192.168.X.XX/ using Firefox.  I get an error message that the Secure Connection Failed with this specific error message: Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP.  I then tried using Chrome and IE and had similar errors.  I finally gained access by creating a new Firefox profile and installing Firefox 33.  

Here is my current config:

ScreenOS: Currently running 6.1.0r2.0.  
 - I downloaded 6.3.0r25
 - Would like advice on safest steps to install this
 
 Certificate: The current certificate is the Default System Self Signed Certificate. It expired 7+ years ago in December 2010. When I view the certificate from my server, it has a common name but the Organization and Organization Unit fields are blank - they say <Not Part of Certificate>. The fingerprints are SHA-256 and SHA-1.
  - How do I create a new certificate that is valid for several years?
  - Is there a way to have the Organization field filled in?
  - How do I install the new certificate and get rid of the old one?
  - What are the best fingerprints to use? Is having SHA-1 a security risk?
  - I'm confused that I have SHA-256 because I read it was added in 6.2.0 and I am using 6.1.2

Other config settings:
HTTP port is 80 but redirect HTTP to HTTPS automatically is checked
HTTPS/SSL port is 443
Cipher: currently set to RC4_MD5. Other options include RC4_40_MD5, DES_SHA-1, and 3DES_SHA-1.
 - Are the HTTP and HTTPS settings correct?
 - What cipher(s) should I use? Out of the above choices, is 3DES_SHA-1 the safest?
 - Is there any way to get AES on this firewall? I read it is the most secure.
 - How do I make sure that old, insecure ciphers are not supported in any way?

 

Finally, once I implement your suggested changes, is there anything I have to do on my servers and PCs (install new certificates, change settings)?


I know there are a lot of questions. I greatly appreciate any help. Thanks!
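The SSL_ERROR_NO_CYPHER_OVERLAP message in the post is the client side of a simple set intersection: the management interface can be set to one of the four suites listed above, and the browser must be willing to offer that same suite. The Python below is an added example (not from the post or from Juniper) that makes the check explicit against the suite list of the local OpenSSL's default client context, or against any constructed list. The mapping from the ScreenOS labels to OpenSSL suite names is my assumption, based on the IANA suite each label denotes; `client_cipher_names()` depends on the local OpenSSL build, so its answer will differ between machines.

```python
"""Does a client's TLS cipher list overlap the single suite a ScreenOS
management interface is set to? No overlap is SSL_ERROR_NO_CYPHER_OVERLAP.

Added example, not from the post or from Juniper. SCREENOS_TO_OPENSSL is an
assumed mapping from the post's labels to OpenSSL suite names."""
import ssl

# Assumed mapping of the four ScreenOS labels to OpenSSL suite names, via the
# IANA suite each label denotes. All four are RSA key transport with an
# MD5 or SHA-1 MAC: RC4 is prohibited in TLS by RFC 7465, the export suite
# is 40-bit, single DES is 56-bit, and 3DES is the only 112-bit option.
SCREENOS_TO_OPENSSL = {
    "RC4_MD5":    "RC4-MD5",       # TLS_RSA_WITH_RC4_128_MD5
    "RC4_40_MD5": "EXP-RC4-MD5",   # TLS_RSA_EXPORT_WITH_RC4_40_MD5
    "DES_SHA-1":  "DES-CBC-SHA",   # TLS_RSA_WITH_DES_CBC_SHA
    "3DES_SHA-1": "DES-CBC3-SHA",  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
}


def client_cipher_names(context=None):
    """Suite names a client built on this context would offer; defaults to
    Python's modern default client context on the local OpenSSL."""
    ctx = context if context is not None else ssl.create_default_context()
    return {c["name"] for c in ctx.get_ciphers()}


def overlap(firewall_setting, client_names):
    """True when client_names contains the suite the firewall is set to."""
    try:
        wanted = SCREENOS_TO_OPENSSL[firewall_setting]
    except KeyError:
        raise ValueError(f"unknown ScreenOS cipher label {firewall_setting!r}")
    return wanted in client_names


def report(client_names):
    """{label: would_handshake} for every setting the firewall offers."""
    return {label: overlap(label, client_names) for label in SCREENOS_TO_OPENSSL}


def first_workable(client_names, preference=("3DES_SHA-1", "DES_SHA-1", "RC4_MD5", "RC4_40_MD5")):
    """The first firewall setting (in the given preference order) this client
    would still negotiate, or None when there is no overlap at all."""
    for label in preference:
        if overlap(label, client_names):
            return label
    return None


if __name__ == "__main__":
    names = client_cipher_names()
    print(f"local default client offers {len(names)} suites")
    for label, ok in report(names).items():
        print(f"  firewall set to {label:11s} -> {'handshake' if ok else 'NO_CYPHER_OVERLAP'}")
    print("first workable setting:", first_workable(names))
```

On a current OpenSSL build the report comes back all false, which is the same outcome the post reached by trying three browsers; the fallback to an old Firefox worked because that client still offered RC4-MD5.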

Chassis Environment ssg 550


Hello,
in our network we have over 100 firewalls, divided between SSG-320M and SSG-550M, with ScreenOS Software Version 6.3.0r21.0.
These firewalls are clustered in pairs and, having to change one of these devices, we replaced it with an SSG-550.
We have found that when we run the GET CHASSIS command on the new device, we no longer have information on the status of the fans.

On the Firewall Master (550M):

XXXXXXXXX-01 (M) -> get chassis
Chassis Environment:
  Power Supply: Good
  Fan1 Status: Good
  Fan2 Status: Good
  Fan3 Status: Good
  CPU Temperature: 140'F (60'C)
  System Temperature: 82'F (28'C)

Alarm Control Information:
  Power failure audible alarm: enabled
  Fan failure audible alarm: enabled
  Temperature audible alarm: enabled
    CPU alarm temperature is 158'F (70'C)
    System alarm temperature is 140'F (60'C)
.....

XXXXXXXXX-01 (M) -> get system
Product Name: SSG-550M

_________________________________________-

On the Backup Firewall (550):

XXXXXXXXX-02 (B) -> get chassis
Chassis Environment:
  Power Supply: Good
  CPU Temperature: 122'F (50'C)
  System Temperature: 77'F (25'C)

Alarm Control Information:
  Power failure audible alarm: enabled
  Fan failure audible alarm: enabled
  Temperature audible alarm: enabled
    CPU alarm temperature is 158'F (70'C)
    System alarm temperature is 140'F (60'C)

Slot Information:
Name Status Slot Asm-id Serial Number Version
 0 mgt Online 01bf 0158072007000055 REV 29
 1 Empty
 2 Empty
 3 4-fe-tx-s Online 0711 PG4022 REV 15
 4 Empty
 5 Empty
 6 Empty
XXXXXXXX-02 (B) -> get system
Product Name: SSG-550

Is this information on the SSG-550 not expected to be there?

 

Acalisti77

Netscreen route based vpn phase 1


Hi,

I am trying to set up a new VPN, without giving complete segments in the routes.

My goal is to first bring phase 1 up, but it tries to establish for 40 secs and then goes idle for 10 secs.

I executed debug ike details and results are attached.

Here is the config.

 

#####

set interface redundant2 ip 195.69.8.222/30
set interface ethernet0/6 group redundant2
set interface "tunnel.3" zone "Trust"
set interface tunnel.3 ip 136.157.34.1/24

set ike gateway "BOS-MSP-ISG" address 198.153.3.4 Main outgoing-interface "redundant2" preshare Pwd@123 proposal "pre-g2-aes128-sha"
set vpn "BOS-MSP-ISG" gateway "BOS-MSP-ISG" no-replay tunnel idletime 0 proposal "g2-esp-aes128-sha"
set vpn "BOS-MSP-ISG" id 0xf bind interface tunnel.3
set route 198.153.3.4/32 interface redundant2 gateway 195.69.8.221

########

 

I have not added the remote network under tunnel.3; before that I want to make sure that phase 1 comes up.

 

Can someone point me to the root cause of the issue.

 

regards

Rajesh

ssg debug explanation


Hi,
I am able to ping this destination over the VPN, and the VPN is configured in my SSG firewall.
I would like to understand the debug analysis: after the packet goes to eth3/3 I do not see the message which says the reply has come back on the same interface and goes out. Could someone give me a debug analysis?
This would be a one-time explanation which can be used for future reference.

Thank you.

source > 171.74.126.8 >
destination > 146.147.28.46 (Nat IP 10.154.8.125)

I ran the below debug to understand the packet flow in netscreen.


set console dbuf
set db size 4096
get ffilter
set ffilter dst-ip 146.147.28.46
clear dbuf
debug flow basic

SSG550(M)-> get ffilter
Flow filter based on:
id:0 dst ip 146.147.28.46
id:1 src ip 146.147.28.46


This is the simple setup we have.
servers----------inside------|-------outside--------
--------------------eth3/3-<FW>-eth3/0--------------
---10.0.4.1------10.0.4.7----|-----132.190.53.10----

 

I always get the below log, not seeing the packet coming from, kind of...

packet send out to 001b17000111 through ethernet3/3

 

regards

Rajesh

Multiple VPNs ( to Azure)


Hello,

We have existing site-to-site IPsec tunnel from our on-prem gateway (Juniper SSG320) to Azure cloud gateway, it is a policy-based VPN.

 

We would like to create a new VPN tunnel, this time a route-based VPN,  while keeping the existing tunnel. So the new tunnel is for development environment, it will be from the same existing on-prem gateway (Juniper SSG 320)  to the new gateway and virtual network in Azure. Anyone knows if this is doable or if this Juniper supports multiple VPNs, for this one it will be a two VPNs (one is policy-based, other is route-based)? Will I need a new external IP address? The two tunnels wouldn't need to talk with each other.

 

Thanks,

Hubble

 


policy traffic shaping not working


I want to slow down the connection to youtube.com by using policy traffic shaping from Untrust to Trust zone. 

What I set:

 

From Untrust 172.217.194.136/32 (youtube) to Trust any gbw 512 policy bandwidth 512   - webUI

Logging is enabled, but I don't see any traffic logged, and access to YouTube is still normal.

Traffic Shaping mode is Auto.

 

Did I miss something?

 

Port forwarding failing despite following KB4740 and three-step guide


Hello all,

 

I've tried setting up port forwarding through my SSG5 which I just acquired.

I'm not an IT-er by trade, but an educator/teacher of mathematics & entry-level IT. I managed to set up port forwarding on my network successfully without the SSG5, but after adding the device between my router and the PC acting as server, I can't seem to get it to work.

 

I set up custom services for the ports I need open and forwarded under 'Policies > Policy elements > Services > Custom', added policies to allow traffic from modem's IP through SSG5 client IP to the PC, with specified services/ports specified.

Under DHCP, SSG5 has Untrust IP set to DHCP client (I've reserved the IP in modem) and I've set the client IP of the PC as reserved.

Under interfaces, for Untrust I've added a VIP (using untrust client IP) forwarding the ports to the PC's client IP.

 

However when I check if the ports are open (with open port checker/portforward), they stay closed.

I've added my config file to this post, hoping someone can guide me to the solution.

 

I followed the steps given here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

http://www.howtonetworking.com/Routers/ssgportforward0.htm

 

 

SSH Key Size-NS5200


I am looking for info on changing the SSH key size on an NS5200 to 2048, or whether this is even possible.

Thanks

Multiple IPSEC VPN to Azure with ssg 140


I currently have a site-to-site IPsec VPN tunnel configured and working to Azure. I need to create a second site-to-site IPsec VPN tunnel to a different Azure gateway. I only have one public interface, so I assume it shares the same public gateway IP.

I have created a secondary tunnel interface for the second Azure gateway, created the VPN gateway pointing to the Azure gateway (IKEv2) and placed the same shared key on both sides, bound the VPN gateway to use the same public-facing interface and the new tunnel interface, and created the Untrust-to-Trust and Trust-to-Untrust policies.

In the VPN monitoring status, the SA is inactive and the link is inactive. The tunnel interface status is set to Ready.

Address Objects in different Zones


Hi,

Based on the below configuration, the address object "cms01" is referred to in different zones.

So my question is: is the address object significant to the respective zones only, or is it global?

 

set address "Trust" "cms01" 172.16.0.99 255.255.255.255
set address "InterDC" "cms01" 172.16.0.73 255.255.255.255 "CMS"

 

regards

Rajesh
