Channel: ScreenOS Firewalls (NOT SRX) topics
Viewing all 763 articles

Disable Interface? (Reposted in right topic)

Accidentally posted this in the Junos thread... the firewall in question is running ScreenOS.

I have a bit of an odd issue.

I have a firewall with two VPN tunnels up to two different VPN hubs.

I need the VPN to Hub2 disabled/off if the VPN to Hub1 is up.

Is this possible, and if so how?

Note: the 'spoke' firewall does not have a 0.0.0.0/0 route. I went as far as making a non-permanent route for the public IP of hub2 via tunnel1 (to hub1), with a lower-priority route via the spoke's WAN gateway. This didn't solve the issue.

Thanks,

Z


When upgrading ScreenOS, I encounter some problems...

Hello all,
I have 5 SSG-5s.
Among them, only 2 SSG-5s can upgrade ScreenOS properly.


The others do not work when I upgrade ScreenOS...


The steps I follow are below.
1. Deleting crypto imagekey(old one)
2. Upgrading boot loader
3. Upgrading screenOS
4. Upgrading crypto imagekey(new one)


And the issues on the devices are below.

Issue 1)
ssg5-isdn-> save software from tftp 192.168.10.99 Loadssg5ssg20v132.d to flash
software major version is not same, accept this firmware? y/[n] y
cksum :a69dbc size :407692
Incorrect firmware data, please check it.
Done

software major version is not same, accept this firmware? y/[n] n
Wrong software, ignore it.
Done

Issue 2)
ssg5-isdn-> save software from tftp 192.168.10.99 Loadssg5ssg20v132.d to flash

Load software from TFTP 192.168.10.99 (file: Loadssg5ssg20v132.d).
!rcv tftp error(1)tftp wait error, instance was freed!
TFTP read file failed

I think the steps I follow are correct.
Why are these issues coming up, and how can I deal with them?

Please advise, experts!!

Regards,
SK.

ssg140 vpn throughput.

ssg140 VPN throughput is 100Mb. Is this shared between tunnels? So if I have 4 tunnels and 1 is doing high traffic, will it affect the other tunnels, as the 100Mb is shared?

Protection on the number of connection

Is there any way to put a limit on the number of connections on a NetScreen coming from the internet to a single destination IP?

I am aware of one feature, the Screen option, where I can put screening on packets coming from any specific zone and limit the number of sessions on the destination or source. But can I do it for some specific IP as well?

Policy ID's

Hi friends,

If I have deleted a rule from the policy, is it possible that the same policy ID could be assigned to a new rule in the future? We are hoping the same policy ID will never get re-used; is this the case?

EOL ScreenOS firmware download?

Hello.

We have a failed firewall in our HA pair. We are sourcing a replacement, but we need the ScreenOS version to match the primary firewall.

I need to find a copy of ScreenOS 6.1.0R6. The firewall model is SSG-550M-SH. We will update after we can sync the pair.

Anyone have a copy?

Thanks!

srx210 connect to IP camera auto disconnect after 3 mins

Multiple untrust ADSL lines: from trust to untrust, the translated source address only goes through the first ADSL line

We have 3 ADSL lines on an SSG350M.

Trust Zone: ethernet0/3 192.168.7.254/24

Untrust Zone: ethernet0/1 (1.1.1.254/24) & ethernet0/2 (2.2.2.254/24) & ethernet1/0 (3.3.3.254/24)
ethernet1/0 has one MIP: 3.3.3.253 --> 192.168.7.144

Untrust --> Trust Policy: Any --> MIP 3.3.3.253, SMTP port

Trust --> Untrust Policy: 192.168.7.144 --> Any, SMTP port

Our problem is that when trust:192.168.7.144 sends mail to untrust: Any, it shows translated source address 1.1.1.254, not 3.3.3.253.

Is there anyone who can help me? Thanks a lot.


MIP VPN

Hello all,

Maybe it's too simple a question. I have to set up an SSG-5 with two VPN tunnels. I'm completely new to Juniper devices and only have an example config and the documentation.

My question is: how do I set up MIP with the same IPs for the two tunnels? They are configured for redundancy, so I need to map the IPs on both. Or do I have to configure it in a completely different way?

Kind regards,

Funny

Dial-up VPN to SSG-350 (site to site VPN)

Hello, a dial-up VPN client wants to access some services in one of the VPN sites.

Dialup VPN Client <----------> Site A <----------> Site B

172.31.99.63                 192.168.135.0/24        192.168.96.0/20

Site A and Site B are forming a site to site VPN.

The dial-up VPN client can access the services in Site A.

I have changed the site A firewall policy proxy ID (untrust VPN client to trust).

After this modification, I pinged 192.168.99.109 and got the result below.

2016-09-01 12:51:19 172.31.99.63:1103 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied

2016-09-01 12:51:09 172.31.99.63:1101 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied

2016-09-01 12:51:04 172.31.99.63:1100 192.168.99.109:1 0.0.0.0:0 0.0.0.0:0 ICMP 0 sec. 0 0 Traffic Denied

Referring to one of the topics, I should add a firewall policy from 172.31.99.xx/24 to 192.168.96.0/20: http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Dial-up-VPN-to-SSG-20-multiple-zones/td-p/1946

However, that topic shows a route-based VPN. Both the site A and site B firewalls are using policy-based VPN.

Could anyone show me what I should configure so that the dial-up VPN client can access site B services?

Many Thanks =)

Route Sync in ISG

For the command "set nsrp rto-mirror route": if we are using VSD-ID 1 (one VSD only), can I go ahead with this command, or does the VSD-ID have to be 0? If so, is there any other way to sync the routing table for dynamic protocols on the standby firewalls?

Multicast HB exchange

I have a setup in which 2 HP servers are connected to a NetScreen firewall via L2 switches. As per the design, heartbeat probes are initiated from Server1, go to layer 2 switch1, from there need to go to layer 2 switch2, and from there communicate with Server2.

These HB probes are to be exchanged over the multicast range. So, for this, do I need to enable multicasting on the firewall (L3 interface), or can I pass the traffic on the L2 interface if the servers are in the same VLANs?

Thanks! 

ISG 2000 SFP module

I have an ISG2000 and I need SFP modules with part numbers FG-TRAN-LX and FG-TRAN-SX. My question is: can I temporarily use SRX-SFP-1GE-LX and SRX-SFP-1GE-SX instead until the order is delivered?

How to enable Skype services to go through SSG Juniper

Hi everyone,

I have some machines in my LAN and I need to enable Skype (application) for those.

I made the following policy:

Source:
192.168.0.25
Destination:
www.skype.com
Service:
HTTP
HTTP-EXT
HTTPS
TCP-ANY
VOIP

However, it does not work!
Please, how do I enable this service?

Thanks,

SSG140 Site to Site VPN with ASA Multiple Subnets

Hi;

Here is my case.

Site A : SSG 140 firmware 6.2 (subnet: 192.168.70.x)

Site B : ASA (subnet 192.168.50.x)

Site C: HQ (subnet 10.10.x.x)

Site A <--- site to site VPN --> Site B   (SSG140 and ASA)

Site B <---- T1 link ---> Site C  (Router B1 to Router C1 via T1)

Currently, my computer at Site A communicates with Site B with no problem.

What configuration is required to allow traffic for Site C from Site A to traverse the existing site to site VPN tunnel?

Please see my network diagram example file.


SSG act as L2TP / PPTP Client

Hi everyone,

I was wondering if, with the latest releases, it is now possible to have an SSG20 act as a PPTP/L2TP client, dialing out to a VPN provider, and then be able to reroute certain subnets over that connection...

(So it's not clients dialing into the device, it's the device dialing out, and having a "virtual" interface available for routing.)

R

Upgrade from 6.2 to 6.3 latest firmware

Hi;

I am planning to upgrade my firmware from 6.2 to 6.3 (the latest version). Do I need any intermediate upgrade first, or can I upgrade to 6.3 release 22 directly?

How can I find out whether I need to upgrade my boot loader?

Restrict SNMP V3 requests from certain devices - CVE-2008-0960

Hi

I am trying to mitigate CVE-2008-0960, as it says that the ScreenOS software is vulnerable. They suggest restricting SNMP v3 requests to the SSG firewall so that they are only allowed from certain devices, but I cannot find any commands to do this.

Can anyone assist?

Thanks

Richard

Creating a New Interface Port - SSG140

First off, please forgive my lack of knowledge. We used to have a network admin who handled all this, but he has since left the company and hasn't been replaced yet... so sadly it falls on me. As far as my knowledge level goes, I can handle the basics, including policies and such, but I am struggling hard to wrap my head around why this isn't working.

We have a Juniper SSG-140 firewall device that has a number of Interface ports configured:

All addresses prefix with "192.168.":

0/0 - Trust

0/1 - DMZ

0/3 - Shared DMZ

0/6 - VOIP\VOICE

0/7 - ***NEW INTERFACE***

0/9 - Untrust\Internet

Basically, what I want to do is create a new VLAN on our 192.168 network for interface 0/7, which will provide a gateway address of 192.168.55.254 (all other addresses are in the 192.168.x.x range). I have created the interface port as in the attached screenshot, gone to what will be the new domain controller, and set up a static IP on it of 192.168.55.200 with 55.254 as the gateway, and I cannot get any connections externally. I have tried pinging Google's 8.8.8.8 IP but get no reply. I also set up 2 policies to allow HTTP, HTTPS and PING between the new zone and the untrust zone as well, being unsure whether that was how it "routed" or knows it's OK to let the traffic out.

Thanks much for any help!!!

Technical information required: multiple interfaces on SSG550M

Hello Community,

This is my first message here and I hope somebody can share their thoughts. We are trying to run an Algosec scan of our SSG firewall from a remote site on a different network.
The issue is that we have an SRX between the 2 endpoints that (we believe) cannot cope with an SSH connection to the NATed address of the SSG.

(attached diagram: TP.PNG)

The red route would be the theoretical current means of getting to the 139.166.x.x firewall from the NERC link, but NAT on the SRX prevents the Algosec from SSHing directly to anything behind the SRX.
What we were thinking was to cable a different interface on the SSG to the WAN switch, or to a switch on the LAN, giving it a different subnet address from 139.166.x.x (red dashed line), circumventing the SRX completely, and then limiting that interface on the SSG to only allow access from the Algosec IP address.

Thx,

Myky
